Add support for creating secrets and roles for es-operator
Signed-off-by: Pavol Loffay <[email protected]>
pavolloffay committed Feb 8, 2019
1 parent 0439aa5 commit 1228805
Showing 52 changed files with 1,877 additions and 1,168 deletions.
12 changes: 6 additions & 6 deletions Gopkg.lock


6 changes: 3 additions & 3 deletions Makefile
@@ -7,7 +7,7 @@ IMPORT_LOG=import.log
FMT_LOG=fmt.log

OPERATOR_NAME ?= jaeger-operator
NAMESPACE ?= "$(USER)"
NAMESPACE ?= jaegertracing
BUILD_IMAGE ?= "$(NAMESPACE)/$(OPERATOR_NAME):latest"
OUTPUT_BINARY ?= "$(BIN_DIR)/$(OPERATOR_NAME)"
VERSION_PKG ?= "github.com/jaegertracing/jaeger-operator/pkg/version"
@@ -48,7 +48,7 @@ build: format
@${GO_FLAGS} go build -o $(OUTPUT_BINARY) -ldflags $(LD_FLAGS)

.PHONY: docker
docker:
docker: build
@docker build --file build/Dockerfile -t "$(BUILD_IMAGE)" .

.PHONY: push
@@ -62,7 +62,7 @@ unit-tests:
@go test $(PACKAGES) -cover -coverprofile=cover.out

.PHONY: e2e-tests
e2e-tests: cassandra es crd build docker push
e2e-tests: cassandra es crd build docker
@mkdir -p deploy/test
@echo Running end-to-end tests...
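Review bot: If `NAMESPACE ?= jaegertracing` is the new default (the rendered page drops the +/- markers), a developer with registry credentials who runs `make push` now publishes to `jaegertracing/jaeger-operator:latest` instead of their own `$(USER)` namespace, so an accidental push overwrites the project's published `latest` tag. Keeping `NAMESPACE ?= "$(USER)"` for local builds and having CI pass `NAMESPACE=jaegertracing` explicitly avoids that, and a comment next to `push` saying which namespace is the intended target would make the override visible. Removing `push` from `e2e-tests` looks deliberate, but a short comment stating that the tests run against the locally built image would save the next reader a guess.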

12 changes: 11 additions & 1 deletion build/Dockerfile
@@ -1,4 +1,14 @@
FROM alpine:3.8
FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base

RUN INSTALL_PKGS=" \
openssl \
" && \
yum install -y $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum clean all && \
mkdir /tmp/_working_dir && \
chmod og+w /tmp/_working_dir
COPY scripts/* /usr/bin/scripts/

USER nobody
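Review bot: The new base image `registry.svc.ci.openshift.org/openshift/origin-v4.0:base` is referenced by a mutable tag from an internal CI registry, so every build pulls whatever that tag currently points to, and `yum install -y openssl` likewise takes whatever version the base's repositories serve; neither is reproducible or auditable after the fact, which is a step back from the pinned `alpine:3.8`. Pin the base by digest (`FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base@sha256:<digest>`) and say why openssl is needed in a comment such as `# openssl is used by scripts/* to generate the Elasticsearch certificates` — I infer that purpose from the commit title, so confirm it. `rpm -V` is a good sanity check and `USER nobody` is retained; the world-writable `/tmp/_working_dir` is presumably there for OpenShift's arbitrary-UID runtime, and a comment saying so would stop a later reviewer from tightening it to `chown nobody` and breaking it. The hunk ends at line 14, so anything the Dockerfile does after `USER nobody` (copying the operator binary, the entrypoint) is outside what I can see.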

17 changes: 12 additions & 5 deletions deploy/examples/simple-prod-with-volumes.yaml
@@ -9,10 +9,17 @@ spec:
type: elasticsearch
options:
es:
server-urls: http://elasticsearch:9200
server-urls: https://elasticsearch:9200
tls.ca: "/sec/ca"
token-file-path: /var/run/secrets/kubernetes.io/serviceaccount/token
es-archive:
server-urls: https://elasticsearch:9200
tls.ca: "/sec/ca"
token-file-path: /var/run/secrets/kubernetes.io/serviceaccount/token
volumeMounts:
- name: elastic-data
mountPath: /usr/share/elasticsearch/data
- name: es-secrets
mountPath: "/sec"
volumes:
- name: elastic-data
emptyDir: {}
- name: es-secrets
secret:
secretName: jaeger-elasticsearch
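Review bot: The example mounts the whole `jaeger-elasticsearch` secret at `/sec` while only `tls.ca` is read from it; if that secret also carries client key material (how it is populated is not visible on this page), every Jaeger container gets it on disk for no reason. Restricting the volume with `items: [{key: ca, path: ca}]` keeps the example least-privilege, and a comment above `token-file-path` noting that the bearer token is the pod's own service-account token, authorised through the Role the operator creates, would explain why no password appears anywhere. `es` and `es-archive` now repeat the same three settings; a one-line comment saying the archive store intentionally shares the cluster would stop readers from assuming a copy-paste slip.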
4 changes: 2 additions & 2 deletions deploy/operator-openshift.yaml
@@ -15,12 +15,12 @@ spec:
serviceAccountName: jaeger-operator
containers:
- name: jaeger-operator
image: jaegertracing/jaeger-operator:1.9.1
image: jaegertracing/jaeger-operator:latest
ports:
- containerPort: 60000
name: metrics
args: ["start", "--platform=openshift"]
imagePullPolicy: Always
imagePullPolicy: IfNotPresent
env:
- name: WATCH_NAMESPACE
valueFrom:
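Review bot: Shipping the manifest with `image: jaegertracing/jaeger-operator:latest` (the side I take to be new; the page drops the markers) replaces a pinned release with a mutable tag, so what gets deployed depends on when the image was pulled, and pairing it with `imagePullPolicy: IfNotPresent` means a node keeps whichever `latest` it cached. If this is a development convenience, mark it with a comment `# dev only: pin to a release tag before publishing` and keep `imagePullPolicy: Always`, which is the only sensible policy for a floating tag; for a published manifest pin the tag or digest as before.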
2 changes: 1 addition & 1 deletion deploy/operator.yaml
@@ -15,7 +15,7 @@ spec:
serviceAccountName: jaeger-operator
containers:
- name: jaeger-operator
image: jaegertracing/jaeger-operator:1.9.1
image: jaegertracing/jaeger-operator:latest
ports:
- containerPort: 60000
name: metrics
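Review bot: `image: jaegertracing/jaeger-operator:latest` in the published deploy manifest is a mutable tag, so users applying this file get whatever `latest` happens to be at pull time rather than a reviewed release, and two clusters deployed a day apart can run different code. If the floating tag is wanted only while the feature is in development, a comment `# dev only: pin to a release tag before publishing` makes that explicit; otherwise keep the pinned version.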
13 changes: 13 additions & 0 deletions deploy/role.yaml
@@ -58,3 +58,16 @@ rules:
- routes
verbs:
- "*"
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- elasticsearch.jaegertracing.io
resources:
- jaeger
verbs:
- 'get'
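Review bot: Granting `verbs: ['*']` on `roles` and `rolebindings` includes the `escalate` and `bind` verbs, which let the operator's service account create a Role carrying permissions the operator does not itself hold and bind it to any subject, so this single rule makes the operator equivalent to a namespace admin. The operator only needs to manage the `<name>-elasticsearch` Role and RoleBinding it creates, so `verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]` is enough; the RBAC escalation check then requires the operator to already hold whatever it grants, which is exactly what the `get` on `elasticsearch.jaegertracing.io/jaeger` below provides. That dependency is worth a comment such as `# required so the operator may grant this same permission to Jaeger's service account` so nobody later removes the rule as unused.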
2 changes: 1 addition & 1 deletion jaeger.version
@@ -2,4 +2,4 @@
# by default with the Jaeger Operator. This would usually be the latest
# stable Jaeger version. When you update this file, make sure to update the
# the docs as well.
1.9
token
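Review bot: The default Jaeger version becomes `token`, which reads like a development image tag rather than a release, while the file's own header says it should be the latest stable Jaeger version; from that header I infer it ends up as the tag on the Jaeger images the operator deploys, so every user would pull an unreleased build. If `token` is a scratch image carrying the bearer-token support, keep `1.9` here and override the version per deployment while the feature is in progress, or at minimum add `# TEMPORARY: pre-release build with ES token auth, restore a release version before tagging` so it cannot ship unnoticed.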
28 changes: 27 additions & 1 deletion pkg/account/main.go
@@ -1,7 +1,10 @@
package account

import (
"fmt"

"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
)
@@ -12,5 +15,28 @@ func Get(jaeger *v1alpha1.Jaeger) []*v1.ServiceAccount {
if jaeger.Spec.Ingress.Security == v1alpha1.IngressSecurityOAuthProxy {
accounts = append(accounts, OAuthProxy(jaeger))
}
return accounts
return append(accounts, getMain(jaeger))
}

func getMain(jaeger *v1alpha1.Jaeger) *v1.ServiceAccount {
trueVar := true
return &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: JaegerServiceAccountFor(jaeger),
Namespace: jaeger.Namespace,
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: jaeger.APIVersion,
Kind: jaeger.Kind,
Name: jaeger.Name,
UID: jaeger.UID,
Controller: &trueVar,
},
},
},
}
}

func JaegerServiceAccountFor(jaeger *v1alpha1.Jaeger) string {
return fmt.Sprintf("%s", jaeger.Name)
}
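Review bot: `JaegerServiceAccountFor` returns `fmt.Sprintf("%s", jaeger.Name)`, which is just `jaeger.Name` with an extra allocation and is the only reason for the new `fmt` import; write `return jaeger.Name` and drop the import. Both new functions lack doc comments; `getMain` deserves one along the lines of `// getMain returns the service account every Jaeger component runs as; the accompanying example uses its token as the Elasticsearch bearer credential.` — the second half is what the example and the ES role in this commit imply, so confirm it before asserting it. Because the account is now appended unconditionally, every Jaeger pod carries a token even when the storage is not Elasticsearch; a comment saying that is intentional, or a condition on the storage type, would make the choice visible. `Get` starts above the hunk.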
16 changes: 12 additions & 4 deletions pkg/account/main_test.go
@@ -11,19 +11,27 @@ import (
func TestWithSecurityNil(t *testing.T) {
jaeger := v1alpha1.NewJaeger("TestWithOAuthProxyNil")
assert.Equal(t, v1alpha1.IngressSecurityNone, jaeger.Spec.Ingress.Security)
assert.Len(t, Get(jaeger), 0)
sas := Get(jaeger)
assert.Len(t, sas, 1)
assert.Equal(t, getMain(jaeger), sas[0])
}

func TestWithSecurityNone(t *testing.T) {
jaeger := v1alpha1.NewJaeger("TestWithOAuthProxyFalse")
jaeger.Spec.Ingress.Security = v1alpha1.IngressSecurityNone

assert.Len(t, Get(jaeger), 0)
sas := Get(jaeger)
assert.Len(t, sas, 1)
assert.Equal(t, getMain(jaeger), sas[0])
}

func TestWithSecurityOAuthProxy(t *testing.T) {
jaeger := v1alpha1.NewJaeger("TestWithOAuthProxyTrue")
jaeger.Spec.Ingress.Security = v1alpha1.IngressSecurityOAuthProxy

assert.Len(t, Get(jaeger), 1)
assert.Len(t, Get(jaeger), 2)
}

func TestJaegerName(t *testing.T) {
jaeger := v1alpha1.NewJaeger("foo")
assert.Equal(t, "foo", JaegerServiceAccountFor(jaeger))
}
1 change: 1 addition & 0 deletions pkg/controller/jaeger/jaeger_controller.go
@@ -139,6 +139,7 @@ func (r *ReconcileJaeger) handleCreate(str strategy.S) (bool, error) {
objs := str.Create()
created := false
for _, obj := range objs {

err := r.client.Create(context.Background(), obj)
if err != nil && !apierrors.IsAlreadyExists(err) {
log.WithError(err).Error("failed to create")
4 changes: 3 additions & 1 deletion pkg/deployment/all-in-one.go
@@ -10,6 +10,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"

"github.com/jaegertracing/jaeger-operator/pkg/account"
"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
"github.com/jaegertracing/jaeger-operator/pkg/config/sampling"
"github.com/jaegertracing/jaeger-operator/pkg/config/ui"
@@ -157,7 +158,8 @@ func (a *AllInOne) Get() *appsv1.Deployment {
},
Resources: commonSpec.Resources,
}},
Volumes: commonSpec.Volumes,
Volumes: commonSpec.Volumes,
ServiceAccountName: account.JaegerServiceAccountFor(a.jaeger),
},
},
},
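Review bot: The pod spec now sets `ServiceAccountName`, and the Elasticsearch token authentication introduced in this commit depends on that account's token being automounted at the default path, yet nothing here pins that: a service account or pod created with `automountServiceAccountToken: false` would silently break storage authentication. Setting `AutomountServiceAccountToken` to a pointer to `true` next to `ServiceAccountName`, or at least a comment `// the mounted SA token is the bearer credential presented to Elasticsearch`, makes the dependency explicit. The same line is added to the collector, ingester and query deployments, so whichever form you choose should be applied to all four. `Get` itself starts above the hunk.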
4 changes: 3 additions & 1 deletion pkg/deployment/collector.go
@@ -11,6 +11,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"

"github.com/jaegertracing/jaeger-operator/pkg/account"
"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
"github.com/jaegertracing/jaeger-operator/pkg/config/sampling"
"github.com/jaegertracing/jaeger-operator/pkg/service"
@@ -147,7 +148,8 @@ func (c *Collector) Get() *appsv1.Deployment {
},
Resources: commonSpec.Resources,
}},
Volumes: commonSpec.Volumes,
Volumes: commonSpec.Volumes,
ServiceAccountName: account.JaegerServiceAccountFor(c.jaeger),
},
},
},
4 changes: 3 additions & 1 deletion pkg/deployment/ingester.go
@@ -11,6 +11,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"

"github.com/jaegertracing/jaeger-operator/pkg/account"
"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
"github.com/jaegertracing/jaeger-operator/pkg/storage"
"github.com/jaegertracing/jaeger-operator/pkg/util"
@@ -133,7 +134,8 @@ func (i *Ingester) Get() *appsv1.Deployment {
},
Resources: commonSpec.Resources,
}},
Volumes: commonSpec.Volumes,
Volumes: commonSpec.Volumes,
ServiceAccountName: account.JaegerServiceAccountFor(i.jaeger),
},
},
},
4 changes: 3 additions & 1 deletion pkg/deployment/query.go
@@ -10,6 +10,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"

"github.com/jaegertracing/jaeger-operator/pkg/account"
"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
"github.com/jaegertracing/jaeger-operator/pkg/config/ui"
"github.com/jaegertracing/jaeger-operator/pkg/service"
@@ -132,7 +133,8 @@ func (q *Query) Get() *appsv1.Deployment {
},
Resources: commonSpec.Resources,
}},
Volumes: commonSpec.Volumes,
Volumes: commonSpec.Volumes,
ServiceAccountName: account.JaegerServiceAccountFor(q.jaeger),
},
},
},
54 changes: 54 additions & 0 deletions pkg/storage/elasticsearch_role.go
@@ -0,0 +1,54 @@
package storage

import (
"fmt"

rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"

"github.com/jaegertracing/jaeger-operator/pkg/apis/io/v1alpha1"
)

func GetESRoles(jaeger *v1alpha1.Jaeger, sas ...string) []runtime.Object {
roleName := fmt.Sprintf("%s-elasticsearch", jaeger.Name)
r := &rbacv1.Role{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{rbacv1.AutoUpdateAnnotationKey: "true"},
Name: roleName,
Namespace: jaeger.Namespace,
OwnerReferences: []metav1.OwnerReference{asOwner(jaeger)},
},
Rules: []rbacv1.PolicyRule{
{
// These values are virtual and defined in SearchGuard sg_config.yml under subjectAccessReviews
// The SG invokes this API to allow the request
// TOKEN=$(oc serviceaccounts get-token jaeger-simple-prod)
// curl -k -v -XPOST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" https://127.0.0.1:8443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews -d '{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"group":"jaeger.openshift.io","verb":"get","resource":"jaeger"}}}'
APIGroups: []string{"elasticsearch.jaegertracing.io"},
Resources: []string{"jaeger"},
Verbs: []string{"get"},
},
},
}
rb := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: roleName,
Namespace: jaeger.Namespace,
OwnerReferences: []metav1.OwnerReference{asOwner(jaeger)},
},
RoleRef: rbacv1.RoleRef{
Kind: "Role",
Name: roleName,
},
}
for _, sa := range sas {
sb := rbacv1.Subject{
Kind: rbacv1.ServiceAccountKind,
Namespace: jaeger.Namespace,
Name: sa,
}
rb.Subjects = append(rb.Subjects, sb)
}
return []runtime.Object{r, rb}
}
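Review bot: The worked `curl` example in the comment sends `"group":"jaeger.openshift.io"` while the rule two lines below grants `elasticsearch.jaegertracing.io`, so anyone reproducing the SubjectAccessReview from the comment gets a denial that has nothing to do with the Role; align the comment's group with the rule. `RoleRef` omits `APIGroup`; the API server defaults it to `rbac.authorization.k8s.io`, but writing `APIGroup: rbacv1.GroupName` explicitly avoids relying on server-side defaulting and matches what `kubectl` would emit. The `rbacv1.AutoUpdateAnnotationKey` annotation is, as far as I know, only honoured for the API server's own bootstrap roles, so on this namespaced Role it is inert — either drop it or state in a comment what it is expected to do. `GetESRoles` is exported and undocumented; `// GetESRoles returns a namespaced Role granting the virtual get on elasticsearch.jaegertracing.io/jaeger that SearchGuard checks through a SubjectAccessReview, and a RoleBinding of that Role to the given service accounts.` captures what the code shows.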
