From 294fad1a1d8b12859ac80250df77693f44faf479 Mon Sep 17 00:00:00 2001 
From: bmangoen Date: Wed, 10 Jan 2024 19:44:03 +0100 Subject: [PATCH] OSSM-5416 Building multi-platform container image (#1522) * OSSM-5416 Building multi-platform container image * Enable multi-platform image build in integration tests * Remove ifndef * Revert missing space * Fix BUILDX definition issue * Change BUILDX_TAGS to BUILDX_ADDITIONAL_TAGS * Add any OS compatibility * Revert project-v4-builder --- Dockerfile | 4 +- Makefile.core.mk | 99 ++++++++------ README.md | 4 +- bundle/README.md | 2 +- ...o-operator-metrics-service_v1_service.yaml | 2 +- ...c.authorization.k8s.io_v1_clusterrole.yaml | 2 +- .../sailoperator.clusterserviceversion.yaml | 112 ++++++++-------- chart/.helmignore | 23 ++++ chart/Chart.yaml | 6 + .../extensions.istio.io_wasmplugins.yaml | 0 .../networking.istio.io_destinationrules.yaml | 0 .../networking.istio.io_envoyfilters.yaml | 0 .../crds}/networking.istio.io_gateways.yaml | 0 .../networking.istio.io_proxyconfigs.yaml | 0 .../networking.istio.io_serviceentries.yaml | 0 .../crds}/networking.istio.io_sidecars.yaml | 0 .../networking.istio.io_virtualservices.yaml | 0 .../networking.istio.io_workloadentries.yaml | 0 .../networking.istio.io_workloadgroups.yaml | 0 .../operator.istio.io_istiorevisions.yaml | 0 .../crds}/operator.istio.io_istios.yaml | 0 ...curity.istio.io_authorizationpolicies.yaml | 0 ...security.istio.io_peerauthentications.yaml | 0 ...urity.istio.io_requestauthentications.yaml | 0 .../crds}/telemetry.istio.io_telemetries.yaml | 0 .../samples/gwControllerMode.yaml | 0 .../samples/ingress-gateway.yaml | 0 .../samples/istio-sample-kubernetes.yaml | 0 .../samples/istio-sample-openshift.yaml | 0 chart/templates/auth_proxy_service.yaml | 23 ++++ chart/templates/deployment.yaml | 121 ++++++++++++++++++ chart/templates/namespace.yaml | 10 ++ .../templates/olm/clusterserviceversion.yaml | 40 +++--- chart/templates/olm/samples.yaml | 5 + .../templates/olm/scorecard.yaml | 54 +++++--- .../rbac/auth_proxy_client_clusterrole.yaml | 4 
+- .../templates}/rbac/auth_proxy_role.yaml | 6 +- .../rbac/auth_proxy_role_binding.yaml | 12 +- .../templates}/rbac/leader_election_role.yaml | 2 +- .../rbac/leader_election_role_binding.yaml | 6 +- {config => chart/templates}/rbac/role.yaml | 2 +- .../templates}/rbac/role_binding.yaml | 12 +- chart/templates/rbac/service_account.yaml | 10 ++ chart/values.yaml | 40 ++++++ config/crd/kustomization.yaml | 39 ------ config/crd/kustomizeconfig.yaml | 19 --- config/crd/patches/cainjection_in_istios.yaml | 7 - config/crd/patches/webhook_in_istios.yaml | 16 --- config/default/kustomization.yaml | 45 ------- config/default/manager_auth_proxy_patch.yaml | 54 -------- config/default/manager_config_patch.yaml | 10 -- config/manager/kustomization.yaml | 13 -- config/manager/manager.yaml | 110 ---------------- config/manifests/kustomization.yaml | 30 ----- .../default_overlay_profile_patch.yaml | 3 - config/openshift/kustomization.yaml | 10 -- config/prometheus/kustomization.yaml | 10 -- config/prometheus/monitor.yaml | 24 ---- config/rbac/auth_proxy_service.yaml | 19 --- config/rbac/istio_editor_role.yaml | 29 ----- config/rbac/istio_viewer_role.yaml | 25 ---- config/rbac/kustomization.yaml | 26 ---- config/rbac/service_account.yaml | 10 -- config/samples/kustomization.yaml | 6 - config/scorecard/bases/config.yaml | 7 - config/scorecard/kustomization.yaml | 19 --- config/scorecard/patches/basic.config.yaml | 10 -- hack/copy-crds.sh | 27 +--- hack/patch-istio-crd.sh | 2 +- .../common-operator-integ-suite.sh | 4 +- tools/update_deps.sh | 6 +- 71 files changed, 452 insertions(+), 729 deletions(-) create mode 100644 chart/.helmignore create mode 100644 chart/Chart.yaml rename {config/crd/bases => chart/crds}/extensions.istio.io_wasmplugins.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_destinationrules.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_envoyfilters.yaml (100%) rename {config/crd/bases => 
chart/crds}/networking.istio.io_gateways.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_proxyconfigs.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_serviceentries.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_sidecars.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_virtualservices.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_workloadentries.yaml (100%) rename {config/crd/bases => chart/crds}/networking.istio.io_workloadgroups.yaml (100%) rename {config/crd/bases => chart/crds}/operator.istio.io_istiorevisions.yaml (100%) rename {config/crd/bases => chart/crds}/operator.istio.io_istios.yaml (100%) rename {config/crd/bases => chart/crds}/security.istio.io_authorizationpolicies.yaml (100%) rename {config/crd/bases => chart/crds}/security.istio.io_peerauthentications.yaml (100%) rename {config/crd/bases => chart/crds}/security.istio.io_requestauthentications.yaml (100%) rename {config/crd/bases => chart/crds}/telemetry.istio.io_telemetries.yaml (100%) rename {config => chart}/samples/gwControllerMode.yaml (100%) rename {config => chart}/samples/ingress-gateway.yaml (100%) rename {config => chart}/samples/istio-sample-kubernetes.yaml (100%) rename {config => chart}/samples/istio-sample-openshift.yaml (100%) create mode 100644 chart/templates/auth_proxy_service.yaml create mode 100644 chart/templates/deployment.yaml create mode 100644 chart/templates/namespace.yaml rename config/manifests/bases/sailoperator.clusterserviceversion.yaml => chart/templates/olm/clusterserviceversion.yaml (68%) create mode 100644 chart/templates/olm/samples.yaml rename config/scorecard/patches/olm.config.yaml => chart/templates/olm/scorecard.yaml (50%) rename {config => chart/templates}/rbac/auth_proxy_client_clusterrole.yaml (67%) rename {config => chart/templates}/rbac/auth_proxy_role.yaml (72%) rename {config => chart/templates}/rbac/auth_proxy_role_binding.yaml 
(51%) rename {config => chart/templates}/rbac/leader_election_role.yaml (93%) rename {config => chart/templates}/rbac/leader_election_role_binding.yaml (76%) rename {config => chart/templates}/rbac/role.yaml (98%) rename {config => chart/templates}/rbac/role_binding.yaml (52%) create mode 100644 chart/templates/rbac/service_account.yaml create mode 100644 chart/values.yaml delete mode 100644 config/crd/kustomization.yaml delete mode 100644 config/crd/kustomizeconfig.yaml delete mode 100644 config/crd/patches/cainjection_in_istios.yaml delete mode 100644 config/crd/patches/webhook_in_istios.yaml delete mode 100644 config/default/kustomization.yaml delete mode 100644 config/default/manager_auth_proxy_patch.yaml delete mode 100644 config/default/manager_config_patch.yaml delete mode 100644 config/manager/kustomization.yaml delete mode 100644 config/manager/manager.yaml delete mode 100644 config/manifests/kustomization.yaml delete mode 100644 config/openshift/default_overlay_profile_patch.yaml delete mode 100644 config/openshift/kustomization.yaml delete mode 100644 config/prometheus/kustomization.yaml delete mode 100644 config/prometheus/monitor.yaml delete mode 100644 config/rbac/auth_proxy_service.yaml delete mode 100644 config/rbac/istio_editor_role.yaml delete mode 100644 config/rbac/istio_viewer_role.yaml delete mode 100644 config/rbac/kustomization.yaml delete mode 100644 config/rbac/service_account.yaml delete mode 100644 config/samples/kustomization.yaml delete mode 100644 config/scorecard/bases/config.yaml delete mode 100644 config/scorecard/kustomization.yaml delete mode 100644 config/scorecard/patches/basic.config.yaml diff --git a/Dockerfile b/Dockerfile index e04a8464c4..4a5a2e84f2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,7 +3,9 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest # gcr.io/distroless/static:nonroot -ADD bin/manager /manager +ARG TARGETOS TARGETARCH + +ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/manager /manager ADD resources /var/lib/istio-operator/resources USER 65532:65532 diff --git a/Makefile.core.mk b/Makefile.core.mk index 403d66eef3..42b50c8438 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -152,8 +152,7 @@ test.integration.kind: ##@ Build .PHONY: build -build: ## Build manager binary. - CGO_ENABLED=0 go build -o bin/manager -ldflags '${LD_FLAGS}' cmd/main.go +build: build-amd64 ## Build manager binary. .PHONY: run run: gen ## Run a controller from your host. @@ -175,6 +174,23 @@ docker-push-nightly: docker-build docker tag ${IMAGE} $(HUB)/$(IMAGE_BASE):$(MINOR_VERSION)-latest docker push $(HUB)/$(IMAGE_BASE):$(MINOR_VERSION)-latest +# NIGHTLY defines if the nightly image should be pushed or not +NIGHTLY ?= false + +# BUILDX_OUTPUT defines the buildx output +# --load builds locally the container image +# --push builds and pushes the container image to a registry +BUILDX_OUTPUT ?= --push + +# BUILDX_ADDITIONAL_TAGS are the additional --tag flags passed to the docker buildx build command. +BUILDX_ADDITIONAL_TAGS = +ifeq ($(NIGHTLY),true) +BUILDX_ADDITIONAL_TAGS += --tag $(HUB)/$(IMAGE_BASE):$(MINOR_VERSION)-nightly-$(TODAY) +endif + +# BUILDX_BUILD_ARGS are the additional --build-arg flags passed to the docker buildx build command. +BUILDX_BUILD_ARGS = --build-arg TARGETOS=$(TARGET_OS) + # PLATFORMS defines the target platforms for the manager image be build to provide support to multiple # architectures. (i.e. make docker-buildx IMAGE=myregistry/mypoperator:0.0.1). To use this option you need to: # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ 
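Review bot: The `${TARGETOS:-linux}` and `${TARGETARCH:-amd64}` fallbacks on the new `ADD` line mean that a build where the builder does not populate those args (for example a non-BuildKit `docker build`) silently packages `out/linux_amd64/manager`, whatever architecture the base image resolved to. Failing is safer than guessing: drop the defaults so a missing arg yields a path that does not exist, or at least document the fallback with `# falls back to linux/amd64 when the builder does not set TARGETOS/TARGETARCH`. Since the source is a local file, `COPY out/${TARGETOS}_${TARGETARCH}/manager /manager` would also avoid `ADD`'s archive-extraction and URL handling.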
@@ -182,13 +198,29 @@ docker-push-nightly: docker-build # - be able to push the image for your registry (i.e. if you do not inform a valid value via IMAGE=> then the export will fail) # To properly provided solutions that supports more than one platform you should use this option. PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORM_ARCHITECTURES = $(shell echo ${PLATFORMS} | sed -e 's/,/\ /g' -e 's/linux\///g') + +ifndef BUILDX +define BUILDX +.PHONY: build-$(1) +build-$(1): ## Build manager binary for specific architecture. + GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/manager cmd/main.go + +.PHONY: build-all +build-all: build-$(1) +endef + +$(foreach arch,$(PLATFORM_ARCHITECTURES),$(eval $(call BUILDX,$(arch)))) +undefine BUILDX +endif + .PHONY: docker-buildx -docker-buildx: test ## Build and push docker image for the manager for cross-platform support +docker-buildx: test build-all ## Build and push (by default) docker image for the manager for cross-platform support # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - docker buildx create --name project-v4-builder docker buildx use project-v4-builder - - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMAGE} -f Dockerfile.cross . + - docker buildx build $(BUILDX_OUTPUT) --platform=$(PLATFORMS) --tag ${IMAGE} $(BUILDX_ADDITIONAL_TAGS) $(BUILDX_BUILD_ARGS) -f Dockerfile.cross . - docker buildx rm project-v4-builder rm Dockerfile.cross 
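Review bot: The rewritten `docker buildx build` recipe line keeps its leading `-`, so make ignores a failed build or push and `docker-buildx` still exits 0. With `BUILDX_OUTPUT` defaulting to `--push` and the nightly tag coming in through `BUILDX_ADDITIONAL_TAGS`, a CI job can report success while the tag was never updated and still points at an older image. The prefix is presumably there so the builder and `Dockerfile.cross` are cleaned up after a failure. That can be kept while still propagating the status by joining the steps on one recipe line, e.g. `docker buildx build … -f Dockerfile.cross .; rc=$$?; docker buildx rm project-v4-builder; rm Dockerfile.cross; exit $$rc`.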
@@ -199,35 +231,31 @@ ifndef ignore-not-found endif .PHONY: install -install: gen-manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. +install: gen-manifests ## Install CRDs into the K8s cluster specified in ~/.kube/config. kubectl create ns ${NAMESPACE} || echo "namespace ${NAMESPACE} already exists" - $(KUSTOMIZE) build config/crd | kubectl apply -f - + kubectl apply -f chart/crds .PHONY: uninstall -uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +uninstall: ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. + kubectl delete --ignore-not-found=$(ignore-not-found) -f chart/crds .PHONY: deploy -deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. +deploy: helm ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
$(info NAMESPACE: $(NAMESPACE)) $(MAKE) -s deploy-yaml | kubectl apply -f - .PHONY: deploy-yaml -deploy-yaml: kustomize ## Outputs YAML manifests needed to deploy the controller - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMAGE} - cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE} - $(KUSTOMIZE) build config/default +deploy-yaml: helm ## Outputs YAML manifests needed to deploy the controller + $(HELM) template chart chart --namespace ${NAMESPACE} --include-crds --set image="${IMAGE}" .PHONY: deploy-openshift # TODO: remove this target and use deploy-olm instead (when we fix the internal registry TLS issues when using operator-sdk run bundle) -deploy-openshift: kustomize ## Deploy controller to OpenShift via YAML manifests +deploy-openshift: helm ## Deploy controller to OpenShift via YAML manifests $(info NAMESPACE: $(NAMESPACE)) $(MAKE) -s deploy-yaml-openshift | kubectl apply -f - .PHONY: deploy-yaml-openshift -deploy-yaml-openshift: kustomize ## Outputs YAML manifests needed to deploy the controller in OpenShift - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMAGE} - cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE} - $(KUSTOMIZE) build config/openshift +deploy-yaml-openshift: helm ## Outputs YAML manifests needed to deploy the controller in OpenShift + $(HELM) template chart chart --namespace ${NAMESPACE} --include-crds --set image="${IMAGE}" --set platform="OpenShift" .PHONY: deploy-olm deploy-olm: bundle bundle-build bundle-push ## Builds and pushes the operator OLM bundle and then deploys the operator using OLM 
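Review bot: `deploy-yaml-openshift` passes `--set platform="OpenShift"`, but `chart/templates/deployment.yaml` in this same commit tests `eq .Values.platform "openshift"`, and the `bundle` target passes `platform=openshift`. The template comparison is case-sensitive, so the manifests rendered by this target would omit `--default-profiles=default,openshift` and the operator would run with the non-OpenShift defaults. Use `--set platform="openshift"` here. `chart/values.yaml` is not visible in this part of the patch, so confirm nothing normalises the value elsewhere.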
@@ -250,18 +278,18 @@ deploy-example: deploy-example-openshift .PHONY: deploy-example-openshift deploy-example-openshift: ## Deploy an example Istio resource on OpenShift kubectl create ns istio-system || echo "namespace istio-system already exists" - kubectl apply -n istio-system -f config/samples/istio-sample-openshift.yaml + kubectl apply -n istio-system -f chart/samples/istio-sample-openshift.yaml .PHONY: deploy-example-kubernetes deploy-example-kubernetes: ## Deploy an example Istio resource on Kubernetes kubectl create ns istio-system || echo "namespace istio-system already exists" - kubectl apply -n istio-system -f config/samples/istio-sample-kubernetes.yaml + kubectl apply -n istio-system -f chart/samples/istio-sample-kubernetes.yaml ##@ Generated Code & Resources .PHONY: gen-manifests -gen-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases +gen-manifests: controller-gen ## Generate WebhookConfiguration and CustomResourceDefinition objects. + $(CONTROLLER_GEN) crd webhook paths="./..." output:crd:artifacts:config=chart/crds .PHONY: gen-code gen-code: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. 
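Review bot: With `rbac:roleName=manager-role` dropped from the `controller-gen` call in `gen-manifests`, `chart/templates/rbac/role.yaml` is no longer regenerated, so the operator's role is now maintained by hand. Assuming the controllers carry `+kubebuilder:rbac` markers (not visible here), the role can drift from them in either direction, and a permission removed in code would linger in the chart as unneeded privilege. If this is intended, say so above the recipe, e.g. `# RBAC is maintained by hand in chart/templates/rbac/role.yaml; keep it in sync with the +kubebuilder:rbac markers`, and consider a lint step that compares the two.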
@@ -311,25 +339,25 @@ $(LOCALBIN): ## Tool Binaries OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk -KUSTOMIZE ?= $(LOCALBIN)/kustomize +HELM ?= $(LOCALBIN)/helm CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest OPM ?= $(LOCALBIN)/opm ## Tool Versions OPERATOR_SDK_VERSION ?= v1.33.0 - KUSTOMIZE_VERSION ?= v5.3.0 + HELM_VERSION ?= v3.13.3 CONTROLLER_TOOLS_VERSION ?= v0.13.0 OPM_VERSION ?= v1.34.0 -.PHONY: kustomize $(KUSTOMIZE) -kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. -$(KUSTOMIZE): $(LOCALBIN) - @if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION) > /dev/stderr; then \ - echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing." > /dev/stderr; \ - rm -rf $(LOCALBIN)/kustomize; \ +.PHONY: helm $(HELM) +helm: $(HELM) ## Download helm locally if necessary. If wrong version is installed, it will be removed before downloading. +$(HELM): $(LOCALBIN) + @if test -x $(LOCALBIN)/helm && ! $(LOCALBIN)/helm version | grep -q $(shell v='$(HELM_VERSION)'; echo "$${v%.*}") > /dev/stderr; then \ + echo "$(LOCALBIN)/helm version is not expected $(HELM_VERSION). Removing it before installing." > /dev/stderr; \ + rm -rf $(LOCALBIN)/helm; \ fi - @test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) > /dev/stderr + @test -s $(LOCALBIN)/helm || GOBIN=$(LOCALBIN) GO111MODULE=on go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION) > /dev/stderr .PHONY: operator-sdk $(OPERATOR_SDK) operator-sdk: $(OPERATOR_SDK) operator-sdk: OS=$(shell go env GOOS) 
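Review bot: The installed-version check in the `$(HELM)` recipe greps for `HELM_VERSION` with its patch component stripped (`$${v%.*}`, i.e. `v3.13`). A cached `$(LOCALBIN)/helm` from any 3.13.x build therefore passes, and bumping only the patch level of `HELM_VERSION` never triggers a reinstall. This is presumably deliberate because a helm built with `go install` reports only major.minor; if so, a comment such as `# helm built via "go install" reports vMAJOR.MINOR only, so compare against that` would make it clear. The pattern is also unquoted and its `.` matches any character, so `grep -qF "$(shell …)"` would be tighter. Patch-level fixes to the tool only take effect after `$(LOCALBIN)/helm` is removed by hand.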
@@ -355,11 +383,8 @@ $(ENVTEST): $(LOCALBIN) test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest .PHONY: bundle -bundle: gen kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. - $(OPERATOR_SDK) generate kustomize manifests -q - cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMAGE) - sed -i "s|^\( containerImage:\).*$$|\1 ${IMAGE}|g" config/manifests/bases/${OPERATOR_NAME}.clusterserviceversion.yaml - $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) +bundle: gen helm operator-sdk ## Generate bundle manifests and metadata, then validate generated files. + $(HELM) template chart chart --include-crds --set platform=openshift --set image="${IMAGE}" --set bundleGeneration=true | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) # check if the only change in the CSV is the createdAt timestamp; if so, revert the change @csvPath="bundle/manifests/${OPERATOR_NAME}.clusterserviceversion.yaml"; \ @@ -454,6 +479,6 @@ lint: lint-scripts lint-copyright-banner lint-go lint-yaml lint-helm lint-bundle .PHONY: format format: format-go tidy-go ## Auto formats all code. This should be run before sending a PR. -.SILENT: kustomize $(KUSTOMIZE) $(LOCALBIN) deploy-yaml +.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml include common/Makefile.common.mk diff --git a/README.md b/README.md index 67a9a28a31..2753a8e61f 100644 --- a/README.md +++ b/README.md @@ -28,13 +28,13 @@ Make sure that the `HUB` and `TAG` environment variables point to your container 2. Create an instance of the Istio resource to install the Istio Control Plane: ```sh -kubectl apply -f config/samples/istio-sample-openshift.yaml +kubectl apply -f chart/samples/istio-sample-openshift.yaml ``` or ```sh -kubectl apply -f config/samples/istio-sample-kubernetes.yaml +kubectl apply -f chart/samples/istio-sample-kubernetes.yaml ``` 
diff --git a/bundle/README.md b/bundle/README.md index 1fd4d65f50..f843a275b9 100644 --- a/bundle/README.md +++ b/bundle/README.md @@ -171,7 +171,7 @@ You can deploy gateways using either the Gateway API or Gateway Injection method Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). -To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../config/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: +To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: 1. Create the `istio-ingressgateway` deployment and service: diff --git a/bundle/manifests/istio-operator-metrics-service_v1_service.yaml b/bundle/manifests/istio-operator-metrics-service_v1_service.yaml index c49715f8a7..2a502b5ab3 100644 --- a/bundle/manifests/istio-operator-metrics-service_v1_service.yaml +++ b/bundle/manifests/istio-operator-metrics-service_v1_service.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/component: kube-rbac-proxy app.kubernetes.io/created-by: sailoperator app.kubernetes.io/instance: istio-operator-metrics-service - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm app.kubernetes.io/name: service app.kubernetes.io/part-of: sailoperator control-plane: istio-operator 
diff --git a/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml index be18123164..2364173d98 100644 --- a/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/component: kube-rbac-proxy app.kubernetes.io/created-by: sailoperator app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: sailoperator name: metrics-reader diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 2618bec91d..03ab8a16c7 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -23,7 +23,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/istio-operator:3.0-latest - createdAt: "2024-01-09T03:07:52Z" + createdAt: "2024-01-12T13:46:06Z" description: Experimental operator for installing Istio service mesh operators.operatorframework.io/builder: operator-sdk-v1.33.0 operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' 
@@ -36,12 +36,9 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: - - kind: AuthorizationPolicy - name: authorizationpolicies.security.istio.io - version: v1 - - kind: AuthorizationPolicy - name: authorizationpolicies.security.istio.io - version: v1beta1 + - kind: WasmPlugin + name: wasmplugins.extensions.istio.io + version: v1alpha1 - kind: DestinationRule name: destinationrules.networking.istio.io version: v1alpha3 @@ -57,6 +54,39 @@ spec: - kind: Gateway name: gateways.networking.istio.io version: v1beta1 + - kind: ProxyConfig + name: proxyconfigs.networking.istio.io + version: v1beta1 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1alpha3 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1beta1 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1alpha3 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1beta1 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1alpha3 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1beta1 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1alpha3 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1beta1 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1alpha3 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1beta1 - description: IstioRevision represents a single revision of an Istio Service Mesh deployment. Users shouldn't create IstioRevision objects directly. Instead, they should create an Istio object and allow the Istio operator to create 
@@ -165,54 +195,24 @@ spec: displayName: Helm Values path: values version: v1alpha1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1beta1 - kind: PeerAuthentication name: peerauthentications.security.istio.io version: v1beta1 - - kind: ProxyConfig - name: proxyconfigs.networking.istio.io - version: v1beta1 - kind: RequestAuthentication name: requestauthentications.security.istio.io version: v1 - kind: RequestAuthentication name: requestauthentications.security.istio.io version: v1beta1 - - kind: ServiceEntry - name: serviceentries.networking.istio.io - version: v1alpha3 - - kind: ServiceEntry - name: serviceentries.networking.istio.io - version: v1beta1 - - kind: Sidecar - name: sidecars.networking.istio.io - version: v1alpha3 - - kind: Sidecar - name: sidecars.networking.istio.io - version: v1beta1 - kind: Telemetry name: telemetries.telemetry.istio.io version: v1alpha1 - - kind: VirtualService - name: virtualservices.networking.istio.io - version: v1alpha3 - - kind: VirtualService - name: virtualservices.networking.istio.io - version: v1beta1 - - kind: WasmPlugin - name: wasmplugins.extensions.istio.io - version: v1alpha1 - - kind: WorkloadEntry - name: workloadentries.networking.istio.io - version: v1alpha3 - - kind: WorkloadEntry - name: workloadentries.networking.istio.io - version: v1beta1 - - kind: WorkloadGroup - name: workloadgroups.networking.istio.io - version: v1alpha3 - - kind: WorkloadGroup - name: workloadgroups.networking.istio.io - version: v1beta1 description: |- This is an experimental operator for installing Istio service mesh. @@ -233,6 +233,18 @@ spec: spec: clusterPermissions: - rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - "" resources: 
@@ -360,25 +372,13 @@ spec: - securitycontextconstraints verbs: - use - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create serviceAccountName: istio-operator deployments: - label: app.kubernetes.io/component: manager app.kubernetes.io/created-by: sailoperator app.kubernetes.io/instance: istio-operator - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm app.kubernetes.io/name: deployment app.kubernetes.io/part-of: sailoperator control-plane: istio-operator diff --git a/chart/.helmignore b/chart/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/chart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/chart/Chart.yaml b/chart/Chart.yaml new file mode 100644 index 0000000000..2ceea3c0cb --- /dev/null +++ b/chart/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: istio-operator +description: A Helm chart for Kubernetes +type: application +version: 0.1.0 +appVersion: "3.0.0" diff --git a/config/crd/bases/extensions.istio.io_wasmplugins.yaml b/chart/crds/extensions.istio.io_wasmplugins.yaml similarity index 100% rename from config/crd/bases/extensions.istio.io_wasmplugins.yaml rename to chart/crds/extensions.istio.io_wasmplugins.yaml diff --git a/config/crd/bases/networking.istio.io_destinationrules.yaml b/chart/crds/networking.istio.io_destinationrules.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_destinationrules.yaml rename to chart/crds/networking.istio.io_destinationrules.yaml 
diff --git a/config/crd/bases/networking.istio.io_envoyfilters.yaml b/chart/crds/networking.istio.io_envoyfilters.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_envoyfilters.yaml rename to chart/crds/networking.istio.io_envoyfilters.yaml diff --git a/config/crd/bases/networking.istio.io_gateways.yaml b/chart/crds/networking.istio.io_gateways.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_gateways.yaml rename to chart/crds/networking.istio.io_gateways.yaml diff --git a/config/crd/bases/networking.istio.io_proxyconfigs.yaml b/chart/crds/networking.istio.io_proxyconfigs.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_proxyconfigs.yaml rename to chart/crds/networking.istio.io_proxyconfigs.yaml diff --git a/config/crd/bases/networking.istio.io_serviceentries.yaml b/chart/crds/networking.istio.io_serviceentries.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_serviceentries.yaml rename to chart/crds/networking.istio.io_serviceentries.yaml diff --git a/config/crd/bases/networking.istio.io_sidecars.yaml b/chart/crds/networking.istio.io_sidecars.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_sidecars.yaml rename to chart/crds/networking.istio.io_sidecars.yaml diff --git a/config/crd/bases/networking.istio.io_virtualservices.yaml b/chart/crds/networking.istio.io_virtualservices.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_virtualservices.yaml rename to chart/crds/networking.istio.io_virtualservices.yaml diff --git a/config/crd/bases/networking.istio.io_workloadentries.yaml b/chart/crds/networking.istio.io_workloadentries.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_workloadentries.yaml rename to chart/crds/networking.istio.io_workloadentries.yaml 
diff --git a/config/crd/bases/networking.istio.io_workloadgroups.yaml b/chart/crds/networking.istio.io_workloadgroups.yaml similarity index 100% rename from config/crd/bases/networking.istio.io_workloadgroups.yaml rename to chart/crds/networking.istio.io_workloadgroups.yaml diff --git a/config/crd/bases/operator.istio.io_istiorevisions.yaml b/chart/crds/operator.istio.io_istiorevisions.yaml similarity index 100% rename from config/crd/bases/operator.istio.io_istiorevisions.yaml rename to chart/crds/operator.istio.io_istiorevisions.yaml diff --git a/config/crd/bases/operator.istio.io_istios.yaml b/chart/crds/operator.istio.io_istios.yaml similarity index 100% rename from config/crd/bases/operator.istio.io_istios.yaml rename to chart/crds/operator.istio.io_istios.yaml diff --git a/config/crd/bases/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml similarity index 100% rename from config/crd/bases/security.istio.io_authorizationpolicies.yaml rename to chart/crds/security.istio.io_authorizationpolicies.yaml diff --git a/config/crd/bases/security.istio.io_peerauthentications.yaml b/chart/crds/security.istio.io_peerauthentications.yaml similarity index 100% rename from config/crd/bases/security.istio.io_peerauthentications.yaml rename to chart/crds/security.istio.io_peerauthentications.yaml diff --git a/config/crd/bases/security.istio.io_requestauthentications.yaml b/chart/crds/security.istio.io_requestauthentications.yaml similarity index 100% rename from config/crd/bases/security.istio.io_requestauthentications.yaml rename to chart/crds/security.istio.io_requestauthentications.yaml diff --git a/config/crd/bases/telemetry.istio.io_telemetries.yaml b/chart/crds/telemetry.istio.io_telemetries.yaml similarity index 100% rename from config/crd/bases/telemetry.istio.io_telemetries.yaml rename to chart/crds/telemetry.istio.io_telemetries.yaml 
diff --git a/config/samples/gwControllerMode.yaml b/chart/samples/gwControllerMode.yaml similarity index 100% rename from config/samples/gwControllerMode.yaml rename to chart/samples/gwControllerMode.yaml diff --git a/config/samples/ingress-gateway.yaml b/chart/samples/ingress-gateway.yaml similarity index 100% rename from config/samples/ingress-gateway.yaml rename to chart/samples/ingress-gateway.yaml diff --git a/config/samples/istio-sample-kubernetes.yaml b/chart/samples/istio-sample-kubernetes.yaml similarity index 100% rename from config/samples/istio-sample-kubernetes.yaml rename to chart/samples/istio-sample-kubernetes.yaml diff --git a/config/samples/istio-sample-openshift.yaml b/chart/samples/istio-sample-openshift.yaml similarity index 100% rename from config/samples/istio-sample-openshift.yaml rename to chart/samples/istio-sample-openshift.yaml diff --git a/chart/templates/auth_proxy_service.yaml b/chart/templates/auth_proxy_service.yaml new file mode 100644 index 0000000000..acbe8467ed --- /dev/null +++ b/chart/templates/auth_proxy_service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: {{ .Values.name }} + app.kubernetes.io/instance: {{ .Values.deploymentName }}-metrics-service + app.kubernetes.io/managed-by: helm + app.kubernetes.io/name: service + app.kubernetes.io/part-of: {{ .Values.name }} + control-plane: {{ .Values.deploymentName }} + name: {{ .Values.deploymentName }}-metrics-service + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/created-by: {{ .Values.name }} + app.kubernetes.io/part-of: {{ .Values.name }} + control-plane: {{ .Values.deploymentName }} diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml new file mode 100644 index 0000000000..1322ef8a76 --- /dev/null +++ b/chart/templates/deployment.yaml 
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: {{ .Values.name }}
+ app.kubernetes.io/instance: {{ .Values.deploymentName }}
+ app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/part-of: {{ .Values.name }}
+ control-plane: {{ .Values.deploymentName }}
+ name: {{ .Values.deploymentName }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/created-by: {{ .Values.name }}
+ app.kubernetes.io/part-of: {{ .Values.name }}
+ control-plane: {{ .Values.deploymentName }}
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ app.kubernetes.io/created-by: {{ .Values.name }}
+ app.kubernetes.io/part-of: {{ .Values.name }}
+ control-plane: {{ .Values.deploymentName }}
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+{{- if eq .Values.platform "openshift" }}
+ - --default-profiles=default,openshift
+{{- end }}
+ command:
+ - /manager
+ image: {{ .Values.image }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /etc/istio-operator
+ name: operator-config
+ readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: {{ .Values.serviceAccountName }}
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - downwardAPI:
+ defaultMode: 420
+ items:
+ - fieldRef:
+ fieldPath: metadata.annotations
+ path: config.properties
+ name: operator-config
diff --git a/chart/templates/namespace.yaml b/chart/templates/namespace.yaml
new file mode 100644
index 0000000000..fe31a5eae5
--- /dev/null
+++ b/chart/templates/namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: {{ .Values.deploymentName }}
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: {{ .Release.Namespace }}
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/managed-by: helm
+ name: {{ .Release.Namespace }}
diff --git a/config/manifests/bases/sailoperator.clusterserviceversion.yaml b/chart/templates/olm/clusterserviceversion.yaml
similarity index 68%
rename from config/manifests/bases/sailoperator.clusterserviceversion.yaml
rename to chart/templates/olm/clusterserviceversion.yaml
index 893b02d7f9..9d15311a72 100644
--- a/config/manifests/bases/sailoperator.clusterserviceversion.yaml
+++ b/chart/templates/olm/clusterserviceversion.yaml
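Review bot: The pod-level `securityContext` near the end of chart/templates/deployment.yaml sets only `runAsNonRoot: true`, and the `seccompProfile` guidance that the removed config/manager/manager.yaml carried as a commented TODO is lost in the move to this template. Without it the pod does not satisfy the "restricted" Pod Security Standard that the old comment linked to, even though both containers already drop ALL capabilities and disable privilege escalation. Adding `seccompProfile:` with `type: RuntimeDefault` under that `securityContext` would close the gap. The old comment's caveat about Kubernetes < 1.19 and OpenShift < 4.11 suggests putting it behind a chart value if those targets are still supported.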
@@ -1,16 +1,18 @@ +# We only include the CSV template +{{ if .Values.bundleGeneration }} apiVersion: operators.coreos.com/v1alpha1 kind: ClusterServiceVersion metadata: annotations: alm-examples: '[]' - capabilities: Seamless Upgrades - categories: OpenShift Optional, Integration & Delivery, Networking, Security - containerImage: quay.io/maistra-dev/istio-operator:3.0-latest - description: Experimental operator for installing Istio service mesh + capabilities: {{ .Values.csv.capabilities }} + categories: {{ .Values.csv.categories }} + containerImage: {{ .Values.image }} + description: {{ .Values.csv.description }} operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' repository: https://github.com/maistra/istio-operator/tree/maistra-3.0 - support: Community based - name: sailoperator.v3.0.0 + support: {{ .Values.csv.support }} + name: {{ .Values.name }}.v{{ .Values.csv.version }} namespace: placeholder spec: apiservicedefinitions: {} 
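Review bot: The annotation values for `capabilities`, `categories`, `containerImage`, `description` and `support` are interpolated as bare YAML scalars, so an override containing `: ` or ` #`, or starting with a YAML indicator character, would change how the rendered line parses or make rendering fail. Piping each through `quote` keeps them plain strings regardless of content, e.g. `description: {{ .Values.csv.description | quote }}`. The ClusterServiceVersion continues past `spec:` in later hunks, which this note does not cover.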
@@ -125,21 +127,11 @@ spec: path: values version: v1alpha1 description: |- - This is an experimental operator for installing Istio service mesh. - - This version of the operator supports the following Istio versions: - - - v1.20.1 - - v1.20.0 - - v1.19.5 - - latest (e6756e19) - - gwAPIControllerMode - - [See this page](https://github.com/maistra/istio-operator/blob/maistra-3.0/bundle/README.md) for instructions on how to use it. +{{ indent 4 .Values.csv.longDescription }} displayName: Sail Operator icon: - - base64data: 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 - mediatype: image/png + - base64data: {{ .Values.csv.icon.base64data }} + mediatype: {{ .Values.csv.icon.mediatype }} install: spec: deployments: null @@ -154,10 +146,9 @@ spec: - supported: true type: AllNamespaces keywords: - - istio - - maistra - - servicemesh - - envoy +{{- range .Values.csv.keywords }} + - {{ . }} +{{- end }} links: - name: Istio Project url: https://istio.io @@ -167,4 +158,5 @@ spec: maturity: alpha provider: name: Red Hat, Inc. - version: 3.0.0 + version: {{ .Values.csv.version }} +{{ end }} \ No newline at end of file diff --git a/chart/templates/olm/samples.yaml b/chart/templates/olm/samples.yaml new file mode 100644 index 0000000000..c7d6568032 --- /dev/null +++ b/chart/templates/olm/samples.yaml @@ -0,0 +1,5 @@ +{{ if and .Values.bundleGeneration (eq .Values.platform "openshift") }} +{{ .Files.Get "samples/istio-sample-openshift.yaml" }} +{{ else if .Values.bundleGeneration }} +{{ .Files.Get "samples/istio-sample-kubernetes.yaml" }} +{{ end }} diff --git a/config/scorecard/patches/olm.config.yaml b/chart/templates/olm/scorecard.yaml similarity index 50% rename from config/scorecard/patches/olm.config.yaml rename to chart/templates/olm/scorecard.yaml index aa3d6024e4..2203765e55 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/chart/templates/olm/scorecard.yaml 
@@ -1,40 +1,62 @@ -- op: add - path: /stages/0/tests/- - value: - entrypoint: +{{ if .Values.bundleGeneration }} +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.33.0 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: - scorecard-test - olm-bundle-validation image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-bundle-validation-test -- op: add - path: /stages/0/tests/- - value: - entrypoint: + storage: + spec: + mountPath: {} + - entrypoint: - scorecard-test - olm-crds-have-validation image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-crds-have-validation-test -- op: add - path: /stages/0/tests/- - value: - entrypoint: + storage: + spec: + mountPath: {} + - entrypoint: - scorecard-test - olm-spec-descriptors image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-spec-descriptors-test -- op: add - path: /stages/0/tests/- - value: - entrypoint: + storage: + spec: + mountPath: {} + - entrypoint: - scorecard-test - olm-status-descriptors image: quay.io/operator-framework/scorecard-test:v1.33.0 labels: suite: olm test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {} +{{ end }} diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/chart/templates/rbac/auth_proxy_client_clusterrole.yaml similarity index 67% rename from config/rbac/auth_proxy_client_clusterrole.yaml rename to chart/templates/rbac/auth_proxy_client_clusterrole.yaml index e3f4461e48..9a59fddf8e 100644 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/chart/templates/rbac/auth_proxy_client_clusterrole.yaml 
@@ -2,10 +2,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: + app.kubernetes.io/created-by: {{ .Values.name }} app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: metrics-reader app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm + app.kubernetes.io/part-of: {{ .Values.name }} name: metrics-reader rules: - nonResourceURLs: diff --git a/config/rbac/auth_proxy_role.yaml b/chart/templates/rbac/auth_proxy_role.yaml similarity index 72% rename from config/rbac/auth_proxy_role.yaml rename to chart/templates/rbac/auth_proxy_role.yaml index e9922e7bc0..c2de8b000b 100644 --- a/config/rbac/auth_proxy_role.yaml +++ b/chart/templates/rbac/auth_proxy_role.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role + app.kubernetes.io/instance: {{ .Values.name }}-proxy-role app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/managed-by: kustomize - name: proxy-role + app.kubernetes.io/managed-by: helm + name: {{ .Values.name }}-proxy-role rules: - apiGroups: - authentication.k8s.io diff --git a/config/rbac/auth_proxy_role_binding.yaml b/chart/templates/rbac/auth_proxy_role_binding.yaml similarity index 51% rename from config/rbac/auth_proxy_role_binding.yaml rename to chart/templates/rbac/auth_proxy_role_binding.yaml index cffde551ce..fbed10fa85 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/chart/templates/rbac/auth_proxy_role_binding.yaml 
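Review bot: The ClusterRole in auth_proxy_client_clusterrole.yaml keeps the fixed name `metrics-reader`, while the other cluster-scoped RBAC objects in this patch gain a `{{ .Values.name }}-` prefix (`{{ .Values.name }}-proxy-role`, `{{ .Values.name }}-role`). `metrics-reader` looks like the stock kubebuilder scaffold name, so another operator installed on the same cluster may define an object with the same name, and whichever is applied last wins. For consistency, consider `name: {{ .Values.name }}-metrics-reader`, and check whether anything outside this patch refers to the old name before renaming.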
@@ -3,15 +3,15 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/instance: {{ .Values.name }}-proxy-rolebinding app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding + app.kubernetes.io/managed-by: helm + name: {{ .Values.name }}-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: {{ .Values.name }}-proxy-role subjects: - kind: ServiceAccount - name: istio-operator - namespace: system + name: {{ .Values.deploymentName }} + namespace: {{ .Release.Namespace }} diff --git a/config/rbac/leader_election_role.yaml b/chart/templates/rbac/leader_election_role.yaml similarity index 93% rename from config/rbac/leader_election_role.yaml rename to chart/templates/rbac/leader_election_role.yaml index cc39ddd011..cd140bb795 100644 --- a/config/rbac/leader_election_role.yaml +++ b/chart/templates/rbac/leader_election_role.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/name: role app.kubernetes.io/instance: leader-election-role app.kubernetes.io/component: rbac - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm name: leader-election-role rules: - apiGroups: diff --git a/config/rbac/leader_election_role_binding.yaml b/chart/templates/rbac/leader_election_role_binding.yaml similarity index 76% rename from config/rbac/leader_election_role_binding.yaml rename to chart/templates/rbac/leader_election_role_binding.yaml index d0c420a51c..16400dd71e 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/chart/templates/rbac/leader_election_role_binding.yaml 
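Review bot: The ClusterRoleBinding subject in auth_proxy_role_binding.yaml is rendered from `{{ .Values.deploymentName }}`, but the ServiceAccount this chart creates (rbac/service_account.yaml) and the pod's `serviceAccountName` in deployment.yaml both use `{{ .Values.serviceAccountName }}`. Both values default to `istio-operator` in values.yaml, so a default install works. Overriding either one leaves the operator pod without these permissions and binds the role to a ServiceAccount name the chart does not create. The subject should read `name: {{ .Values.serviceAccountName }}`; the same applies to the subjects in leader_election_role_binding.yaml and role_binding.yaml later in this patch.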
@@ -5,7 +5,7 @@ metadata: app.kubernetes.io/name: rolebinding app.kubernetes.io/instance: leader-election-rolebinding app.kubernetes.io/component: rbac - app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/managed-by: helm name: leader-election-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io @@ -13,5 +13,5 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: istio-operator - namespace: system + name: {{ .Values.deploymentName }} + namespace: {{ .Release.Namespace }} diff --git a/config/rbac/role.yaml b/chart/templates/rbac/role.yaml similarity index 98% rename from config/rbac/role.yaml rename to chart/templates/rbac/role.yaml index ca204d6bf9..1169a58115 100644 --- a/config/rbac/role.yaml +++ b/chart/templates/rbac/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: {{ .Values.name }}-role rules: - apiGroups: - "" diff --git a/config/rbac/role_binding.yaml b/chart/templates/rbac/role_binding.yaml similarity index 52% rename from config/rbac/role_binding.yaml rename to chart/templates/rbac/role_binding.yaml index 845148b3c3..3e918e1afd 100644 --- a/config/rbac/role_binding.yaml +++ b/chart/templates/rbac/role_binding.yaml @@ -3,15 +3,15 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/instance: {{ .Values.name }}-rolebinding app.kubernetes.io/component: rbac - app.kubernetes.io/managed-by: kustomize - name: manager-rolebinding + app.kubernetes.io/managed-by: helm + name: {{ .Values.name }}-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: {{ .Values.name }}-role subjects: - kind: ServiceAccount - name: istio-operator - namespace: system + name: {{ .Values.deploymentName }} + namespace: {{ .Release.Namespace }} 
diff --git a/chart/templates/rbac/service_account.yaml b/chart/templates/rbac/service_account.yaml
new file mode 100644
index 0000000000..1deb8c2b84
--- /dev/null
+++ b/chart/templates/rbac/service_account.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: {{ .Values.serviceAccountName }}
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/managed-by: helm
+ name: {{ .Values.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
diff --git a/chart/values.yaml b/chart/values.yaml
new file mode 100644
index 0000000000..d3a703f4ba
--- /dev/null
+++ b/chart/values.yaml
@@ -0,0 +1,40 @@ +name: sailoperator +deploymentName: istio-operator +service: + port: 8443 +serviceAccountName: istio-operator + +csv: + categories: OpenShift Optional, Integration & Delivery, Networking, Security + capabilities: Seamless Upgrades + description: Experimental operator for installing Istio service mesh + longDescription: |- + This is an experimental operator for installing Istio service mesh. + + This version of the operator supports the following Istio versions: + + - v1.20.1 + - v1.20.0 + - v1.19.5 + - latest (e6756e19) + - gwAPIControllerMode + + [See this page](https://github.com/maistra/istio-operator/blob/maistra-3.0/bundle/README.md) for instructions on how to use it. + support: Community based + version: 3.0.0 + icon: + base64data: iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAACXBIWXMAAAFiAAABYgFfJ9BTAAAHL0lEQVR4nO2du24bRxSGz5LL+01kaMuX2HShnmlSi2VUBM4bKG/gdGFnl+rsBwggvUHUsTT9AIGdnoWCIIWNIJZNWKLM5Uww1K4sC6JEQrP7z8yeDyDYCHuG3F/nNmeWnpSSTMXvD3tE9Ey9gp3e0NiFWkzGgqVvEtFLvz/c8/vDNQPW4xQ2CCBim4gO/P7wFzOW4wY2CUDRIKLnfn/4xu8PvzNgPdZjmwAiukT02u8Pn5mxHHuxVQART9kb3AzbBUDsDW6GFgEMRuNHwM8QobzBkCuF1dDlAfYGo/GeAULYDCuFHngd1qAzBKgy7c1gNEa74kbYN+CQsAS6cwD15T8djMZKCOj/QhUS9jkkXE1cSaBKzF4ORuMXg9EYeQMeE9GQq4TFxF0FPAnDAtIbdEMRcF5wCUmUgZ3QGyBjcpQX/Axcg5Ek2QeIcgNkpbDLyeHXJN0I6oYh4aeE7Z5HJYd7QPtGgegEKnf8OzgkbLMITkG2glVI2AdWCXMRpL1MRO8FzMs0pAjCCiG1IjBhM0jlBQeD0RhVq3fTLAJTdgMboSeAigBkG4pJ28FKBK8HozGqVu+mMTE0cR5gFyiC1FUHpg6EsAgSwuSJoN3t7+//ALK9nZbpY6NHwh7drf8qG+VjkPnnadg7MFoA+bxPYn2tBBTBrutbyVYMhc5FUMihzDs9T2DNVLB42D4GiUCVp862jO0ZC/e8knjYnlAGsmTVKHKyMrDrXIDnFWedW/+BRPDYxVkC+w6G5LItca/5L8i6miVAzjJox8qTQbJcaIt2/QPIvMoHTDgIowVrj4bJVrUhq8UjgGmVFO4D7MaC1WcDxd2mR7kswrTaOHqBMKwbuw+Hel5p9m0blRQ+cWHU3P7TwSopvFVHJYXWnzxy4Xg4yUa5DcwHrO4POCEAOs0HMsD+gLWloTMCUE0i8eAbVCiwtlXsjgBUKCjk2rJZnQBMWxsKnBKAQrRrAlQaWhkKnBMAeV5Z3GtxKFgS9wQQhQLMEIkKBVY1iJwUgELcbnigqmDbpgaRswKYVwV31t6CrFvjBdwVgAoF1eK6LBcQpru2TBU7LQCFuLOGSgif2ZAQOi8A8rOcEF6B+wLAJ4RGTxSnQgDzhLBVRU0QGe0F0iEAlRA2KzlQh3DT5LIwNQKYdw
hvNbgsvEB6BBCWhcARMiPPGaZKAAqgFzDyTEHqBAD0Ah0TvUDqBEDsBb4ilQJgL/CFVAqA2AuckVoBsBc4JbUCUIhGBdUdNMYLpFoAslnJg/YIOqbMD6ZaAOpomawVUc8fMmJeIN0CmE8R1z+DTBuxR5B6AVA2o46Zo6zDk0EWwOmzBv4Gmd5GP2yCBaAEUMw/AJWEhPYCLIAQYEkITQZZACFyrSxAphvIxhALICKTaaYxGWQBnEM2yqhkcBM1PMoCOIesFB+AOoOEygVYABcAdgYhrWEWwAVEq4YSACQZZAFcJJdtAXsCiXsBFsAlyFrpPcj046Q7gyyASxBrlRnQfKJegAVwGX62nZbWMAtgAcAw0E2yJ8ACWIColxFPHo1IzAuwABaR9+8Dm0KJ5QEsgCsANoU6SYUBFsAVyGoR9XgZSioMsACuQP00DdB8ImGABXAVamoY94OViYQBFsA1yHoJdYRMEfvUMAvgGmSlGADNx54HsACuA1sOduPeG2ABLIEs55HmYw0DLIAlkNXiP0DzsVYDLIAlkKU8Mg9gDwAn53eAS2jEeYaQBbAkoKeOR7AA0MhKAdkPiC0PYAEsSymPOkZOYTkYy6PnWQBLon6HCLyEWMIAC2BZPK8EHBMjFoABADeGiAVgALJc+Au4iljyABbAKhRz6O9LuxdgAayAzPtV8BK0zwewAFYhk2mCV8AeAA24I7ip+4IsgFXJZVGTwnN0j4mxAFZEFnLvwEtgAUBxrBJgAayIzGZQTxOLYA8Axc/eAa+gq/Nivs6LOUMwe0tCBt7RSUBSFr1PJ+vqo3lHJ+oNWgZQmAgGO703Wq6l4yLWoW6wlBPv+LMf3ugOCUneZEok5h5+3fCPpMIAC2AhQrynmfjofQ4yNJ0J72R6m6azkjcNiKbzh3+YfoOvQ9uouJ0CkPKYgtk7byYyNJkKL5jVaTJt0kyQdzJVf9EMX66irRIwWQCv3n+ctLzDT/WzOPzlBpfU2Tn8EmE44QH+JKLDMJadvW9t1IbRH/z42x+9DNFL4BpNRZv44xSA2js/OPc6u9FbG7XDGO2mAjUqHuz0hjf9rLoEsBe+5jd8a6N2oOm6zGK0DIdoEcDWRm1Px3WYlVCl4P5NvzLuBNqLFg/AArAXLXsC3Ao2m0srJfUe7PS0JNIsACwXK6WzV7DTSySRZgHEy4fL/nuTvMHXwQK4Oa/CKwzP32hdu3VxwwK4notxeN580dGEMQEWwJc4HFuiZTJpEEAUh2GJlsm4IIBFiZY1cRiJLQI4n2iRa3EYBhH9D18eNW58bi76AAAAAElFTkSuQmCC + mediatype: image/png + keywords: + - istio + - maistra + - servicemesh + - envoy +image: quay.io/maistra-dev/istio-operator:3.0-latest +imagePullPolicy: Always + +# setting this to true will add resources required to generate the bundle using operator-sdk +bundleGeneration: false + +# can be either kubernetes or openshift +platform: kubernetes diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml deleted file mode 100644 index d05ae694ed..0000000000 --- a/config/crd/kustomization.yaml +++ /dev/null 
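Review bot: The default `image: quay.io/maistra-dev/istio-operator:3.0-latest` in chart/values.yaml is a mutable tag, and with `imagePullPolicy: Always` each pod start runs whatever that tag points to at that moment, under the ClusterRole bound in rbac/role_binding.yaml. The default is carried over from the removed config/manager/kustomization.yaml, so this is a documentation suggestion rather than a regression. Add a comment above `image:` such as `# for reproducible installs, override with a digest reference (quay.io/maistra-dev/istio-operator@sha256:<digest>)`.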
@@ -1,39 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -# This kustomization.yaml is not intended to be run by itself, -# since it depends on service name and namespace that are out of this kustomize package. -# It should be run by config/default -resources: -- bases/extensions.istio.io_wasmplugins.yaml -- bases/networking.istio.io_destinationrules.yaml -- bases/networking.istio.io_envoyfilters.yaml -- bases/networking.istio.io_gateways.yaml -- bases/networking.istio.io_proxyconfigs.yaml -- bases/networking.istio.io_serviceentries.yaml -- bases/networking.istio.io_sidecars.yaml -- bases/networking.istio.io_virtualservices.yaml -- bases/networking.istio.io_workloadentries.yaml -- bases/networking.istio.io_workloadgroups.yaml -- bases/operator.istio.io_istiorevisions.yaml -- bases/operator.istio.io_istios.yaml -- bases/security.istio.io_authorizationpolicies.yaml -- bases/security.istio.io_peerauthentications.yaml -- bases/security.istio.io_requestauthentications.yaml -- bases/telemetry.istio.io_telemetries.yaml -#+kubebuilder:scaffold:crdkustomizeresource - -patches: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_istios.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_istios.yaml -#+kubebuilder:scaffold:crdkustomizecainjectionpatch - -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml deleted file mode 100644 index ec5c150a9d..0000000000 --- a/config/crd/kustomizeconfig.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD -nameReference: -- kind: Service - version: v1 - fieldSpecs: - - kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/name - -namespace: -- kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/namespace - create: false - -varReference: -- path: metadata/annotations diff --git a/config/crd/patches/cainjection_in_istios.yaml b/config/crd/patches/cainjection_in_istios.yaml deleted file mode 100644 index 159ae51272..0000000000 --- a/config/crd/patches/cainjection_in_istios.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: istios.operator.istio.io diff --git a/config/crd/patches/webhook_in_istios.yaml b/config/crd/patches/webhook_in_istios.yaml deleted file mode 100644 index b78d21684d..0000000000 --- a/config/crd/patches/webhook_in_istios.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istios.operator.istio.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml deleted file mode 100644 index 00d3021932..0000000000 --- a/config/default/kustomization.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -# Adds namespace to all resources. -namespace: istio-operator - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -# namePrefix: istiooperator- - -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -patches: -- path: manager_auth_proxy_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution -resources: -- ../crd -- ../rbac -- ../manager diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 473c74b975..0000000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-operator - namespace: system -spec: - template: - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml deleted file mode 100644 index d7106f4b85..0000000000 --- a/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-operator - namespace: system -spec: - template: - spec: - containers: - - name: manager diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml deleted file mode 100644 index 9d88639a27..0000000000 --- a/config/manager/kustomization.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -resources: -- manager.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: controller - newName: quay.io/maistra-dev/istio-operator - newTag: 3.0-latest -labels: -- includeSelectors: true - pairs: - app.kubernetes.io/created-by: sailoperator - app.kubernetes.io/part-of: sailoperator diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml deleted file mode 100644 index 99284ad45f..0000000000 --- a/config/manager/manager.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: istio-operator - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/managed-by: kustomize - name: system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-operator - namespace: system - labels: - control-plane: istio-operator - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: istio-operator - app.kubernetes.io/component: manager - app.kubernetes.io/managed-by: kustomize -spec: - selector: - matchLabels: - control-plane: istio-operator - replicas: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: istio-operator - spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux - securityContext: - runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). 
- # seccompProfile: - # type: RuntimeDefault - containers: - - command: - - /manager - args: [] - image: controller:latest - imagePullPolicy: Always - name: manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 10m - memory: 64Mi - volumeMounts: - - name: operator-config - mountPath: /etc/istio-operator - readOnly: true - serviceAccountName: istio-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: operator-config - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - fieldPath: metadata.annotations - path: config.properties diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml deleted file mode 100644 index fe9797911c..0000000000 --- a/config/manifests/kustomization.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -# These resources constitute the fully configured set of manifests -# used to generate the 'manifests/' directory in a bundle. -resources: -- bases/sailoperator.clusterserviceversion.yaml -- ../openshift -- ../samples -- ../scorecard - -# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. -# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. -# These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: controller-manager -# namespace: system -# patch: |- -# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 -# # Remove the "cert" volume, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing volumes in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/volumes/0 diff --git a/config/openshift/default_overlay_profile_patch.yaml b/config/openshift/default_overlay_profile_patch.yaml deleted file mode 100644 index 1d4ab97bff..0000000000 --- a/config/openshift/default_overlay_profile_patch.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: add - path: /spec/template/spec/containers/1/args/- - value: --default-profiles=default,openshift diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml deleted file mode 100644 index 5437797dd0..0000000000 --- a/config/openshift/kustomization.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- ../default - -patches: -- path: default_overlay_profile_patch.yaml - target: - kind: Deployment \ No newline at end of file diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml deleted file mode 100644 index 84388a65f9..0000000000 --- a/config/prometheus/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- monitor.yaml -labels: -- includeSelectors: true - pairs: - app.kubernetes.io/created-by: sailoperator - app.kubernetes.io/part-of: sailoperator diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml deleted file mode 100644 index 7317eae6a6..0000000000 --- a/config/prometheus/monitor.yaml +++ /dev/null @@ -1,24 +0,0 @@ - -# Prometheus Monitor Service (Metrics) -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - control-plane: istio-operator - app.kubernetes.io/name: servicemonitor - app.kubernetes.io/instance: istio-operator-metrics-monitor - app.kubernetes.io/component: metrics - app.kubernetes.io/managed-by: kustomize - name: istio-operator-metrics-monitor - namespace: system -spec: - endpoints: - - path: /metrics - port: https - scheme: https - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - tlsConfig: - insecureSkipVerify: true - selector: - matchLabels: - control-plane: istio-operator diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index dd0e9b3c6b..0000000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: istio-operator
- app.kubernetes.io/name: service
- app.kubernetes.io/instance: istio-operator-metrics-service
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/managed-by: kustomize
- name: istio-operator-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- protocol: TCP
- targetPort: https
- selector:
- control-plane: istio-operator
diff --git a/config/rbac/istio_editor_role.yaml b/config/rbac/istio_editor_role.yaml
deleted file mode 100644
index 0e45a26f83..0000000000
--- a/config/rbac/istio_editor_role.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# permissions for end users to edit istios.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: istio-editor-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/managed-by: kustomize
- name: istio-editor-role
-rules:
-- apiGroups:
- - operator.istio.io
- resources:
- - istios
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - operator.istio.io
- resources:
- - istios/status
- verbs:
- - get
diff --git a/config/rbac/istio_viewer_role.yaml b/config/rbac/istio_viewer_role.yaml
deleted file mode 100644
index 6436bdf92a..0000000000
--- a/config/rbac/istio_viewer_role.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# permissions for end users to view istios.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: istio-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/managed-by: kustomize
- name: istio-viewer-role
-rules:
-- apiGroups:
- - operator.istio.io
- resources:
- - istios
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - operator.istio.io
- resources:
- - istios/status
- verbs:
- - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
deleted file mode 100644
index 6338773fa2..0000000000
--- a/config/rbac/kustomization.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
-labels:
-- includeSelectors: true
- pairs:
- app.kubernetes.io/created-by: sailoperator
- app.kubernetes.io/part-of: sailoperator
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
deleted file mode 100644
index c817d9d3be..0000000000
--- a/config/rbac/service_account.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: serviceaccount
- app.kubernetes.io/instance: istio-operator
- app.kubernetes.io/component: rbac
- app.kubernetes.io/managed-by: kustomize
- name: istio-operator
- namespace: system
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
deleted file mode 100644
index 5d712c3d6e..0000000000
--- a/config/samples/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-## Append samples you want in your CSV to this file as resources ##
-resources:
-- istio-sample-openshift.yaml
-#+kubebuilder:scaffold:manifestskustomizesamples
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
diff --git a/config/scorecard/bases/config.yaml b/config/scorecard/bases/config.yaml
deleted file mode 100644
index c77047841e..0000000000
--- a/config/scorecard/bases/config.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: scorecard.operatorframework.io/v1alpha3
-kind: Configuration
-metadata:
- name: config
-stages:
-- parallel: true
- tests: []
diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml
deleted file mode 100644
index e1db9e9de4..0000000000
--- a/config/scorecard/kustomization.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- bases/config.yaml
-patches:
-- path: patches/basic.config.yaml
- target:
- group: scorecard.operatorframework.io
- version: v1alpha3
- kind: Configuration
- name: config
-- path: patches/olm.config.yaml
- target:
- group: scorecard.operatorframework.io
- version: v1alpha3
- kind: Configuration
- name: config
-#+kubebuilder:scaffold:patchesJson6902
diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml
deleted file mode 100644
index a2f1589414..0000000000
--- a/config/scorecard/patches/basic.config.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-- op: add
- path: /stages/0/tests/-
- value:
- entrypoint:
- - scorecard-test
- - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.33.0
- labels:
- suite: basic
- test: basic-check-spec-test
diff --git a/hack/copy-crds.sh b/hack/copy-crds.sh
index 737147f817..0394caf6e8 100755
--- a/hack/copy-crds.sh
+++ b/hack/copy-crds.sh
@@ -20,45 +20,28 @@ set -euo pipefail SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) REPO_ROOT=$(dirname "${SCRIPT_DIR}") -CONFIG_DIR="${REPO_ROOT}/config" +OPERATOR_CHART_DIR="${REPO_ROOT}/chart" function copyCRDs() { # Split the YAML file into separate CRD files - csplit -s --suppress-matched -f "${CONFIG_DIR}/crd/bases/istio-crd" -z "${CHARTS_DIR}/base/crds/crd-all.gen.yaml" '/^---$/' '{*}' + csplit -s --suppress-matched -f "${OPERATOR_CHART_DIR}/crds/istio-crd" -z "${CHARTS_DIR}/base/crds/crd-all.gen.yaml" '/^---$/' '{*}' # To hide istio CRDs in the OpenShift Console, we add them to the intenral-objects annotation in the CSV internalObjects="" # Rename the split files to _.yaml - for file in "${CONFIG_DIR}/crd/bases/istio-crd"*; do + for file in "${OPERATOR_CHART_DIR}/crds/istio-crd"*; do # Extract the group and resource from each CRD group=$(grep -oP '^\s*group:\s*\K.*' "$file" | tr -d '[:space:]') resource=$(grep -oP '^\s*plural:\s*\K.*' "$file" | tr -d '[:space:]') # Add the CRD to the list of internal objects internalObjects+="\"${resource}.${group}\"," # Rename the file to _.yaml - mv "$file" "${CONFIG_DIR}/crd/bases/${group}_${resource}.yaml" + mv "$file" "${OPERATOR_CHART_DIR}/crds/${group}_${resource}.yaml" done - # Remove existing list of CRD files from kustomization.yaml - sed -i '/resources:/,/#+kubebuilder:scaffold:crdkustomizeresource/ { - /resources:/n - /#+kubebuilder:scaffold:crdkustomizeresource/!d - }' "${CONFIG_DIR}/crd/kustomization.yaml" - - # Create YAML snippet containing list of CRD files - pushd "${CONFIG_DIR}/crd" - { find "bases/"*.yaml | sed 's/^/- /'; } > "${CONFIG_DIR}/crd/crdfiles.yaml" - popd - - # Insert snippet into kustomization.yaml - sed -i '/resources:/r '"${CONFIG_DIR}/crd/crdfiles.yaml" "${CONFIG_DIR}/crd/kustomization.yaml" - - # Remove snippet file - rm "${CONFIG_DIR}/crd/crdfiles.yaml" - # Update internal-objects annotation in CSV - sed -i 
"/operators\.operatorframework\.io\/internal-objects/ c\ operators.operatorframework.io/internal-objects: '[${internalObjects%?}]'" "${CONFIG_DIR}/manifests/bases/sailoperator.clusterserviceversion.yaml" + sed -i "/operators\.operatorframework\.io\/internal-objects/ c\ operators.operatorframework.io/internal-objects: '[${internalObjects%?}]'" "${OPERATOR_CHART_DIR}/templates/olm/clusterserviceversion.yaml" } copyCRDs \ No newline at end of file diff --git a/hack/patch-istio-crd.sh b/hack/patch-istio-crd.sh index b2e854700a..6880da8aaa 100755 --- a/hack/patch-istio-crd.sh +++ b/hack/patch-istio-crd.sh @@ -21,7 +21,7 @@ CUR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" : "${YQ:=yq}" : "${API_VERSION:=v1alpha1}" : "${VERSIONS_FILE:=${CUR_DIR}/../versions.yaml}" -: "${CRD_FILE:=${CUR_DIR}/../config/crd/bases/operator.istio.io_istios.yaml}" +: "${CRD_FILE:=${CUR_DIR}/../chart/crds/operator.istio.io_istios.yaml}" values_yaml_path=".spec.versions.[] | select(.name == \"${API_VERSION}\") | .schema.openAPIV3Schema.properties.spec.properties.values" diff --git a/tests/integration/common-operator-integ-suite.sh b/tests/integration/common-operator-integ-suite.sh index aa1a024ef5..d348d380f5 100755 --- a/tests/integration/common-operator-integ-suite.sh +++ b/tests/integration/common-operator-integ-suite.sh @@ -70,9 +70,9 @@ initialize_variables() { echo "Using command: ${COMMAND}" if [ "${OCP}" == "true" ]; then - ISTIO_MANIFEST="${WD}/../../config/samples/istio-sample-openshift.yaml" + ISTIO_MANIFEST="${WD}/../../chart/samples/istio-sample-openshift.yaml" else - ISTIO_MANIFEST="${WD}/../../config/samples/istio-sample-kubernetes.yaml" + ISTIO_MANIFEST="${WD}/../../chart/samples/istio-sample-kubernetes.yaml" fi ISTIO_NAME=$(yq eval '.metadata.name' "$ISTIO_MANIFEST") diff --git a/tools/update_deps.sh b/tools/update_deps.sh index 3f9088bcf8..83f011a17b 100755 --- a/tools/update_deps.sh +++ b/tools/update_deps.sh 
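Review bot: In the hack/copy-crds.sh hunk, the new `mv` target is built from `group` and `resource`, which are read with grep out of the split CRD files, and nothing validates them before they become a file name under `${OPERATOR_CHART_DIR}/crds` and part of the sed program that rewrites chart/templates/olm/clusterserviceversion.yaml. The input is crd-all.gen.yaml under `${CHARTS_DIR}`, which is set outside this hunk and presumably holds charts fetched from upstream, so a malformed or unexpected CRD could produce a path outside the chart or a broken annotation. A guard just before the `internalObjects+=` line would stop that early: `[[ "${group}" =~ ^[a-z0-9.-]+$ && "${resource}" =~ ^[a-z0-9-]+$ ]] || { echo "unexpected CRD name in ${file}" >&2; exit 1; }`. The body of copyCRDs is shown only in part here, so check that nothing earlier in the file already does this.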
@@ -42,9 +42,9 @@ OPERATOR_SDK_LATEST_VERSION=$(getLatestVersion operator-framework/operator-sdk)
 sed -i "s|OPERATOR_SDK_VERSION ?= .*|OPERATOR_SDK_VERSION ?= ${OPERATOR_SDK_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk"
 find "${ROOTDIR}/config/scorecard" -type f -exec sed -i "s|quay.io/operator-framework/scorecard-test:.*|quay.io/operator-framework/scorecard-test:${OPERATOR_SDK_LATEST_VERSION}|" {} +
-# Update kustomize
-KUSTOMIZE_LATEST_VERSION=$(getLatestVersion kubernetes-sigs/kustomize | cut -d/ -f2)
-sed -i "s|KUSTOMIZE_VERSION ?= .*|KUSTOMIZE_VERSION ?= ${KUSTOMIZE_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk"
+# Update helm
+HELM_LATEST_VERSION=$(getLatestVersion helm/helm | cut -d/ -f2)
+sed -i "s|HELM_VERSION ?= .*|HELM_VERSION ?= ${HELM_LATEST_VERSION}|" "${ROOTDIR}/Makefile.core.mk"
 # Update controller-tools
 CONTROLLER_TOOLS_LATEST_VERSION=$(getLatestVersion kubernetes-sigs/controller-tools)
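Review bot: The `find "${ROOTDIR}/config/scorecard"` context line directly above the changed lines still points at a directory whose files this commit deletes (config/scorecard/bases/config.yaml, kustomization.yaml and patches/basic.config.yaml), so the scorecard-test image tag would stop being bumped with OPERATOR_SDK_VERSION, and find exits non-zero if the directory is gone entirely. The scorecard settings appear to move under chart/templates/olm/, so the line should follow them, for example `sed -i "s|quay.io/operator-framework/scorecard-test:.*|quay.io/operator-framework/scorecard-test:${OPERATOR_SDK_LATEST_VERSION}|" "${ROOTDIR}/chart/templates/olm/scorecard.yaml"`. The `| cut -d/ -f2` on the new HELM_LATEST_VERSION line looks carried over from the kustomize tag format; getLatestVersion is defined outside this hunk, so confirm what it returns for helm/helm before keeping it.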