Merge branch 'master' into priorityClass-esIndexCleaner

CONTRIBUTING.md

@@ -31,7 +31,8 @@ NOTE: Make sure to read the documentation to learn the performance switches that
 Once minikube has finished starting, get the Operator running:
 
 ```
-make run
+make cert-manager
+IMG=docker.io/$USER/jaeger-operator:latest make generate bundle docker push deploy
 ```
 
 At this point, a Jaeger instance can be installed:

Dockerfile

@@ -1,7 +1,6 @@
 # Build the manager binary
 FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.16 as builder
 
-
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -33,22 +32,9 @@ ARG TARGETARCH
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -ldflags="-X ${VERSION_PKG}.version=${VERSION} -X ${VERSION_PKG}.buildDate=${VERSION_DATE} -X ${VERSION_PKG}.defaultJaeger=${JAEGER_VERSION}" -a -o jaeger-operator main.go
 
-FROM registry.access.redhat.com/ubi8/ubi
-
-ENV USER_UID=1001 \
-    USER_NAME=jaeger-operator
-
-RUN INSTALL_PKGS="openssl" && \
-    yum install -y $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS && \
-    yum clean all && \
-    mkdir /tmp/_working_dir && \
-    chmod og+w /tmp/_working_dir
-
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/jaeger-operator .
-COPY scripts/ scripts/
-
-USER ${USER_UID}:${USER_UID}
+USER 65532:65532
 
 ENTRYPOINT ["/jaeger-operator"]

Makefile

@@ -30,9 +30,6 @@ STORAGE_NAMESPACE ?= "${shell kubectl get sa default -o jsonpath='{.metadata.nam
 KAFKA_NAMESPACE ?= "kafka"
 KAFKA_EXAMPLE ?= "https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/0.23.0/examples/kafka/kafka-persistent-single.yaml"
 KAFKA_YAML ?= "https://github.com/strimzi/strimzi-kafka-operator/releases/download/0.23.0/strimzi-cluster-operator-0.23.0.yaml"
-ES_OPERATOR_NAMESPACE ?= openshift-logging
-ES_OPERATOR_BRANCH ?= release-4.4
-ES_OPERATOR_IMAGE ?= quay.io/openshift/origin-elasticsearch-operator:4.4
 # Istio binary path and version
 ISTIO_VERSION ?= 1.11.2
 ISTIO_PATH = ./tests/_build/
@@ -41,10 +38,17 @@ GOPATH ?= "$(HOME)/go"
 GOROOT ?= "$(shell go env GOROOT)"
 ECHO ?= @echo $(echo_prefix)
 SED ?= "sed"
+CERTMANAGER_VERSION ?= 1.6.1
 
 PROMETHEUS_OPERATOR_TAG ?= v0.39.0
 PROMETHEUS_BUNDLE ?= https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/${PROMETHEUS_OPERATOR_TAG}/bundle.yaml
 
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
 
 LD_FLAGS ?= "-X $(VERSION_PKG).version=$(VERSION) -X $(VERSION_PKG).buildDate=$(VERSION_DATE) -X $(VERSION_PKG).defaultJaeger=$(JAEGER_VERSION)"
 
@@ -140,15 +144,6 @@ unit-tests: envtest
 	@echo Running unit tests...
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ${GOTEST_OPTS} ./... -cover -coverprofile=cover.out -ldflags $(LD_FLAGS)
 
-.PHONY: run
-run: manifests generate format vet
-	$(VECHO)rm -rf /tmp/_cert*
-	$(VECHO)go run -ldflags ${LD_FLAGS} ./main.go start ${CLI_FLAGS}
-
-.PHONY: run-debug
-run-debug: run
-run-debug: CLI_FLAGS = --log-level=debug --tracing-enabled=true
-
 .PHONY: set-max-map-count
 set-max-map-count:
 	# This is not required in OCP 4.1. The node tuning operator configures the property automatically
@@ -161,31 +156,22 @@ set-node-os-linux:
 	# Elasticsearch requires labeled nodes. These labels are by default present in OCP 4.2
 	$(VECHO)kubectl label nodes --all kubernetes.io/os=linux --overwrite
 
-.PHONY: deploy-es-operator
-deploy-es-operator: set-node-os-linux set-max-map-count deploy-prometheus-operator
-ifeq ($(OLM),true)
-	$(ECHO) Skipping es-operator deployment, assuming it has been installed via OperatorHub
-else
-	$(VECHO)kubectl create namespace ${ES_OPERATOR_NAMESPACE} 2>&1 | grep -v "already exists" || true
-	$(VECHO)kubectl apply -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/01-service-account.yaml -n ${ES_OPERATOR_NAMESPACE}
-	$(VECHO)kubectl apply -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/02-role.yaml
-	$(VECHO)kubectl apply -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/03-role-bindings.yaml
-	$(VECHO)kubectl apply -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/04-crd.yaml -n ${ES_OPERATOR_NAMESPACE}
-	$(VECHO)kubectl apply -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/05-deployment.yaml -n ${ES_OPERATOR_NAMESPACE}
-	$(VECHO)kubectl set image deployment/elasticsearch-operator elasticsearch-operator=${ES_OPERATOR_IMAGE} -n ${ES_OPERATOR_NAMESPACE}
-endif
+cert-manager: cmctl
+	# Consider using cmctl to install the cert-manager once install command is not experimental
+	kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v${CERTMANAGER_VERSION}/cert-manager.yaml
+	cmctl check api --wait=5m
 
-.PHONY: undeploy-es-operator
-undeploy-es-operator:
-ifeq ($(OLM),true)
-	$(ECHO) Skipping es-operator undeployment, as it should have been installed via OperatorHub
+cmctl:
+ifeq (, $(shell which cmctl))
+	@{ \
+	curl -L -o /tmp/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/download/v$(CERTMANAGER_VERSION)/cmctl-`go env GOOS`-`go env GOARCH`.tar.gz ;\
+	cd /tmp ;\
+	tar xzf cmctl.tar.gz ;\
+	mv cmctl $(GOBIN) ;\
+	}
+CTL=$(GOBIN)/cmctl
 else
-	$(VECHO)kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/05-deployment.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
-	$(VECHO)kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/04-crd.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
-	$(VECHO)kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/03-role-bindings.yaml --ignore-not-found=true || true
-	$(VECHO)kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/02-role.yaml --ignore-not-found=true || true
-	$(VECHO)kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/01-service-account.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
-	$(VECHO)kubectl delete namespace ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true 2>&1 || true
+CTL=$(shell which cmctl)
 endif
 
 .PHONY: es

PROJECT

@@ -16,4 +16,8 @@ resources:
   kind: Jaeger
   path: github.com/jaegertracing/jaeger-operator/apis/v1
   version: v1
+  webhooks:
+    defaulting: true
+    validation: true
+    webhookVersion: v1
 version: "3"

apis/v1/jaeger_types.go

@@ -510,8 +510,16 @@ type JaegerStorageSpec struct {
 	GRPCPlugin GRPCPluginSpec `json:"grpcPlugin,omitempty"`
 }
 
-// ElasticsearchSpec represents the ES configuration options that we pass down to the Elasticsearch operator
+// ElasticsearchSpec represents the ES configuration options that we pass down to the OpenShift Elasticsearch operator.
 type ElasticsearchSpec struct {
+	// Name of the OpenShift Elasticsearch instance. Defaults to elasticsearch.
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Whether Elasticsearch should be provisioned or not.
+	// +optional
+	DoNotProvision bool `json:"doNotProvision,omitempty"`
+
 	// +optional
 	Image string `json:"image,omitempty"`
 

apis/v1/jaeger_webhook.go

@@ -0,0 +1,58 @@
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+const (
+	defaultElasticsearchName = "elasticsearch"
+)
+
+// log is for logging in this package.
+var jaegerlog = logf.Log.WithName("jaeger-resource")
+
+// SetupWebhookWithManager adds Jaeger webook to the manager.
+func (j *Jaeger) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(j).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/mutate-jaegertracing-io-v1-jaeger,mutating=true,failurePolicy=fail,sideEffects=None,groups=jaegertracing.io,resources=jaegers,verbs=create;update,versions=v1,name=mjaeger.kb.io,admissionReviewVersions={v1,v1beta1}
+
+var _ webhook.Defaulter = &Jaeger{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (j *Jaeger) Default() {
+	jaegerlog.Info("default", "name", j.Name)
+
+	if j.Spec.Storage.Elasticsearch.Name == "" {
+		j.Spec.Storage.Elasticsearch.Name = defaultElasticsearchName
+	}
+}
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/validate-jaegertracing-io-v1-jaeger,mutating=false,failurePolicy=fail,sideEffects=None,groups=jaegertracing.io,resources=jaegers,verbs=create;update,versions=v1,name=vjaeger.kb.io,admissionReviewVersions={v1,v1beta1}
+
+var _ webhook.Validator = &Jaeger{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (j *Jaeger) ValidateCreate() error {
+	jaegerlog.Info("validate create", "name", j.Name)
+	return j.ValidateUpdate(nil)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (j *Jaeger) ValidateUpdate(_ runtime.Object) error {
+	jaegerlog.Info("validate update", "name", j.Name)
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (j *Jaeger) ValidateDelete() error {
+	jaegerlog.Info("validate delete", "name", j.Name)
+	return nil
+}

bundle/manifests/jaeger-operator-webhook-service_v1_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    name: jaeger-operator
+  name: jaeger-operator-webhook-service
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    name: jaeger-operator
+status:
+  loadBalancer: {}

bundle/manifests/jaeger-operator.clusterserviceversion.yaml

@@ -409,6 +409,10 @@ spec:
                   initialDelaySeconds: 15
                   periodSeconds: 20
                 name: jaeger-operator
+                ports:
+                - containerPort: 9443
+                  name: webhook-server
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -424,10 +428,19 @@ spec:
                     memory: 128Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                volumeMounts:
+                - mountPath: /tmp/k8s-webhook-server/serving-certs
+                  name: cert
+                  readOnly: true
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: jaeger-operator
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: cert
+                secret:
+                  defaultMode: 420
+                  secretName: jaeger-operator-webhook-server-cert
       permissions:
       - rules:
         - apiGroups:
@@ -490,3 +503,46 @@ spec:
     matchLabels:
       name: jaeger-operator
   version: 1.30.0
+  webhookdefinitions:
+  - admissionReviewVersions:
+    - v1
+    - v1beta1
+    containerPort: 443
+    deploymentName: jaeger-operator
+    failurePolicy: Fail
+    generateName: mjaeger.kb.io
+    rules:
+    - apiGroups:
+      - jaegertracing.io
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - jaegers
+    sideEffects: None
+    targetPort: 9443
+    type: MutatingAdmissionWebhook
+    webhookPath: /mutate-jaegertracing-io-v1-jaeger
+  - admissionReviewVersions:
+    - v1
+    - v1beta1
+    containerPort: 443
+    deploymentName: jaeger-operator
+    failurePolicy: Fail
+    generateName: vjaeger.kb.io
+    rules:
+    - apiGroups:
+      - jaegertracing.io
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - jaegers
+    sideEffects: None
+    targetPort: 9443
+    type: ValidatingAdmissionWebhook
+    webhookPath: /validate-jaegertracing-io-v1-jaeger

bundle/manifests/jaegertracing.io_jaegers.yaml

@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    cert-manager.io/inject-ca-from: observability/jaeger-operator-serving-cert
     controller-gen.kubebuilder.io/version: v0.6.1
   creationTimestamp: null
   labels:
@@ -9390,8 +9391,12 @@ spec:
                     type: object
                   elasticsearch:
                     properties:
+                      doNotProvision:
+                        type: boolean
                       image:
                         type: string
+                      name:
+                        type: string
                       nodeCount:
                         format: int32
                         type: integer

config/certmanager/certificate.yaml

@@ -0,0 +1,28 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: jaeger-operator-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
+  subject:
+    organizationalUnits:
+      - "jaeger-operator"