diff --git a/odh-common/base/kustomization.yaml b/odh-common/base/kustomization.yaml index a06da2fcc..97851ffcb 100644 --- a/odh-common/base/kustomization.yaml +++ b/odh-common/base/kustomization.yaml @@ -11,6 +11,7 @@ commonLabels: configMapGenerator: - name: odh-common-config env: params.env + generatorOptions: disableNameSuffixHash: true diff --git a/odh-dashboard/overlays/service-mesh/job-role.yaml b/odh-dashboard/overlays/service-mesh/job-role.yaml index 1baac20b6..4c81670a5 100644 --- a/odh-dashboard/overlays/service-mesh/job-role.yaml +++ b/odh-dashboard/overlays/service-mesh/job-role.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: init-job-role -# We have this role/binding for our init-job to create authconfig -# and to patch the odhdashboardconfig in the KfDef namespace. +# We have this roles for our init-job to create authconfig +# in the KfDef namespace from istio namespace rules: - apiGroups: - authorino.kuadrant.io @@ -14,17 +14,5 @@ rules: - delete - get - list - - patch - update - - watch - - apiGroups: - - opendatahub.io - resources: - - odhdashboardconfigs - verbs: - - get - - create - - list - - update - - patch - - watch \ No newline at end of file + - patch \ No newline at end of file diff --git a/service-mesh/control-plane/base/control-plane.yaml b/service-mesh/control-plane/base/control-plane.yaml index 6f511036c..65a2777cc 100644 --- a/service-mesh/control-plane/base/control-plane.yaml +++ b/service-mesh/control-plane/base/control-plane.yaml @@ -16,19 +16,7 @@ spec: memory: 128Mi limits: cpu: 500m - memory: 129Mi - tracing: - type: Jaeger - sampling: 10000 - addons: - jaeger: - name: jaeger - install: - storage: - type: Memory - kiali: - enabled: true - name: kiali + memory: 128Mi gateways: # no need to use IOR - # To be deprecated and we create the route manually 
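Review bot: `generatorOptions: disableNameSuffixHash: true` deserves a comment, because it changes two things at once: the generated ConfigMap keeps the fixed name `odh-common-config`, which init-job.yaml in this same commit looks up by name across all namespaces to discover the ODH namespace, and edits to params.env no longer produce a new ConfigMap name, so consumers that reference it are no longer rolled automatically. Proposed comment above the option: `# Fixed name: the service-mesh init job locates this ConfigMap by name, so changes to params.env do not roll consumers automatically.` Without it the next maintainer is likely to "fix" the missing hash and break the lookup.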
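Review bot: The rewritten comment `# We have this roles for our init-job to create authconfig` is ungrammatical and under-describes what the Role still grants — the verbs kept in the second hunk are `delete`, `get`, `list`, `update` and the re-added `patch` (the start of the verbs list and the resource name sit above that hunk). Suggested wording: `# Role for the init-job ServiceAccount (in the Istio namespace) to create, update, patch and delete the authorino.kuadrant.io resource in the KfDef namespace.` Dropping the `odhdashboardconfigs` rule is a genuine least-privilege improvement and could be mentioned in the commit message. The new side still ends without a trailing newline (`\ No newline at end of file`); worth fixing while the last line is being touched.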
diff --git a/service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml b/service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml
index 47149b03d..cc7ebfae3 100644
--- a/service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml
+++ b/service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml
@@ -1,13 +1,35 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: init-job-clusterrolebinding
- namespace: istio-system
+ name: init-job-creator
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: init-job-role
+ name: init-job-create
+subjects:
+ - kind: ServiceAccount
+ name: init-job-executor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: init-job-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: init-job-read
+subjects:
+ - kind: ServiceAccount
+ name: init-job-executor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: init-job-pod-executor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: init-job-pod-operations
 subjects:
 - kind: ServiceAccount
 name: init-job-executor
- namespace: istio-system
\ No newline at end of file
diff --git a/service-mesh/control-plane/base/init-job-rbac/job-sa.yaml b/service-mesh/control-plane/base/init-job-rbac/job-sa.yaml
index 3b490591e..5a2ca0cd6 100644
--- a/service-mesh/control-plane/base/init-job-rbac/job-sa.yaml
+++ b/service-mesh/control-plane/base/init-job-rbac/job-sa.yaml
@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: init-job-executor
- namespace: istio-system
\ No newline at end of file
diff --git a/service-mesh/control-plane/base/init-job-rbac/pod-executor-roles.yaml b/service-mesh/control-plane/base/init-job-rbac/pod-executor-roles.yaml
new file mode 100644
index 000000000..deef01547
--- /dev/null
+++ b/service-mesh/control-plane/base/init-job-rbac/pod-executor-roles.yaml
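Review bot: All three ClusterRoleBindings name the subject `kind: ServiceAccount` / `name: init-job-executor` with no `namespace`, and job-sa.yaml in the same commit drops `namespace: istio-system` from the ServiceAccount itself. As far as I know the API server's RBAC validation does not accept a ServiceAccount subject with an empty namespace, so this only works if the base kustomization's `namespace` transformer fills it in — and kustomize's treatment of unset ServiceAccount subjects has changed between versions, so a `kustomize build` of the overlay should be checked. Because the roles bound here include `pods/exec` and cluster-wide `secrets` write, the principal should not be left ambiguous: either set `namespace:` on each subject explicitly, or add a comment on each `subjects:` block such as `# subject namespace is injected by the base kustomization's namespace field` so the dependency is visible.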
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: init-job-pod-operations
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ - pods/exec
+ verbs:
+ - get
+ - list
+ - create
+ - delete
diff --git a/service-mesh/control-plane/base/init-job-rbac/resource-create-roles.yaml b/service-mesh/control-plane/base/init-job-rbac/resource-create-roles.yaml
new file mode 100644
index 000000000..6a87b438e
--- /dev/null
+++ b/service-mesh/control-plane/base/init-job-rbac/resource-create-roles.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: init-job-create
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - envoyfilters
+ verbs:
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - authorizationpolicies
+ verbs:
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ - routes/custom-host
+ verbs:
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - oauth.openshift.io
+ resources:
+ - oauthclients
+ verbs:
+ - create
+ - update
+ - patch
diff --git a/service-mesh/control-plane/base/init-job-rbac/job-cluster-role.yaml b/service-mesh/control-plane/base/init-job-rbac/resource-read-roles.yaml
similarity index 76%
rename from service-mesh/control-plane/base/init-job-rbac/job-cluster-role.yaml
rename to service-mesh/control-plane/base/init-job-rbac/resource-read-roles.yaml
index 96b021f68..33a632e3a 100644
--- a/service-mesh/control-plane/base/init-job-rbac/job-cluster-role.yaml
+++ b/service-mesh/control-plane/base/init-job-rbac/resource-read-roles.yaml
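Review bot: `init-job-pod-operations` is a ClusterRole granting `get`, `list`, `create` and `delete` on `pods/log` and `pods/exec` in every namespace, while the only consumer visible in this commit is one `kubectl exec` into the istio-ingressgateway pod in `${ISTIO_NAMESPACE}` (init-job.yaml). Exec into arbitrary pods cluster-wide is an escalation surface far beyond what the job needs; `list` and `delete` are not operations the exec or log subresources support, and nothing visible reads `pods/log`. Trim the rule to what the script uses and, since `ISTIO_NAMESPACE` is the job's own namespace, prefer a namespaced Role plus RoleBinding over a ClusterRole; a comment such as `# exec is used only to verify the oauth2 secret mount inside the ingress gateway` would record why the grant exists at all. The rest of the init script sits outside the hunks shown, so re-add `pods/log` only if a log read turns up there.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
# … add a separate pods/log rule with verb get only if the script reads logs …
```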
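Review bot: The first rule of `init-job-create` places `secrets` and `namespaces` under a single cluster-wide `create`/`delete`/`update`/`patch` grant, but init-job.yaml only deletes and recreates the `istio-odh-oauth2` secret in `${ISTIO_NAMESPACE}` and annotates (a `patch`) the `${ODH_NAMESPACE}` namespace. Cluster-wide `create` and `delete` on `namespaces`, and `delete` on every secret in the cluster, are well beyond what the script exercises. Split the rule so namespaces get only `patch` and secrets only `create` and `delete` (unless one of the `/etc/cluster-resources` templates, which are not shown, is itself a Secret), and consider putting the secret part in a Role scoped to the Istio namespace. No `resourceNames` restriction is used anywhere in this file; at least for the namespace annotation that would be worth a comment explaining why it cannot be applied.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - patch
# … unchanged: envoyfilters, authorizationpolicies, routes, oauthclients rules …
```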
@@ -1,32 +1,32 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: init-job-role
+ name: init-job-read
 rules:
 - apiGroups:
 - ""
 resources:
 - configmaps
 - pods
- - pods/log
- - pods/exec
- - secrets
 - namespaces
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
 - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
 - apiGroups:
 - apiextensions.k8s.io
 resources:
 - customresourcedefinitions
 verbs:
- - list
 - get
+ - list
 - apiGroups:
 - config.openshift.io
 resources:
@@ -38,41 +38,26 @@ rules:
 resources:
 - envoyfilters
 verbs:
- - create
 - get
- - update
 - apiGroups:
 - security.istio.io
 resources:
 - authorizationpolicies
 verbs:
- - create
 - get
- - update
 - apiGroups:
- - route.openshift.io
+ - oauth.openshift.io
 resources:
- - routes
- - routes/custom-host
+ - oauthclients
 verbs:
- - get
- - list
- - watch
 - create
- - update
- - patch
+ - get
 - apiGroups:
- - oauth.openshift.io
+ - route.openshift.io
 resources:
- - oauthclients
+ - routes
 verbs:
- - create
- - delete
 - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - apps
 resources:
@@ -87,4 +72,4 @@ rules:
 verbs:
 - get
 - watch
- - list
\ No newline at end of file
+ - list
diff --git a/service-mesh/control-plane/base/init-job.yaml b/service-mesh/control-plane/base/init-job.yaml
index fa1c73dd1..c842727db 100644
--- a/service-mesh/control-plane/base/init-job.yaml
+++ b/service-mesh/control-plane/base/init-job.yaml
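Review bot: After the rename, `init-job-read` still grants `create` on `oauthclients` — in the second hunk the `oauth.openshift.io` rule ends up with `verbs: - create - get` — which contradicts the read/create split this commit introduces and duplicates the grant already made in resource-create-roles.yaml; drop `- create` there so the role is read-only as its name promises. The new `batch`/`jobs` `get`/`list` rule in the first hunk exists only so init-job.yaml can find its own namespace with `kubectl get jobs`; if that lookup is replaced by the Downward API or the mounted service-account namespace file, this rule can be removed as well. A header comment, `# Read-only permissions for the service-mesh init job; write verbs belong in resource-create-roles.yaml`, would make the split checkable by the next reviewer.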
@@ -20,6 +20,9 @@ spec: curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o /tmp/bin/envsubst && chmod +x /tmp/bin/envsubst export PATH=/tmp/bin:$PATH + export ISTIO_NAMESPACE=$(kubectl get jobs -o jsonpath='{.items[?(@.metadata.name=="odh-ossm-init-job")].metadata.namespace}') + export ODH_NAMESPACE=$(kubectl get configmap --all-namespaces -o json | jq -r '.items[] | select(.metadata.name == "odh-common-config") | .metadata.namespace') + export CLIENT_SECRET=$(openssl rand -hex 32) export HMAC_SECRET=$(openssl rand -hex 32) export DOMAIN=$(kubectl get ingress.config.openshift.io cluster -o 'jsonpath={.spec.domain}') @@ -39,27 +42,28 @@ spec: case "$filename" in "/etc/cluster-resources/authconfig.yaml") - namespace="opendatahub" + namespace="${ODH_NAMESPACE}" ;; *) - namespace="istio-system" + namespace="${ISTIO_NAMESPACE}" ;; esac cat "$filename" | envsubst | kubectl apply -n $namespace -f - } - # create secrets for oauth2 (formerly configmap) - kubectl create secret generic istio-odh-oauth2 -n istio-system \ + # recreate secrets for oauth2 + kubectl delete secret istio-odh-oauth2 -n ${ISTIO_NAMESPACE} --ignore-not-found + kubectl create secret generic istio-odh-oauth2 -n ${ISTIO_NAMESPACE} \ --from-file=token-secret.yaml=<(envsubst < $TOKEN_FILEPATH) \ --from-file=hmac-secret.yaml=<(envsubst < $HMAC_FILEPATH) # add annotation to the root namespace (hardcoded pre-plugin) - kubectl annotate namespace opendatahub opendatahub.io/service-mesh=true + kubectl annotate namespace ${ODH_NAMESPACE} opendatahub.io/service-mesh=true # wait for app to be ready echo "waiting for SMCP to be ready" - kubectl -n istio-system wait --for=condition=Ready smcp/basic --timeout=180s + kubectl -n ${ISTIO_NAMESPACE} wait --for=condition=Ready smcp/basic --timeout=180s # iterate over all files in the subdirectory for filename in /etc/cluster-resources/* 
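Review bot: `ODH_NAMESPACE` is discovered by scanning every namespace for a ConfigMap named `odh-common-config` and taking whatever jq prints, so two matches yield a multi-line value and zero matches an empty one; in both cases the later `kubectl apply -n`, `kubectl annotate namespace` and the `$ODH_NAMESPACE` substitution into authconfig.yaml run against an unintended target, and a ConfigMap of that name created in an unrelated namespace silently redirects where the AuthConfig and the service-mesh annotation land. Require exactly one match and fail otherwise, e.g. `export ODH_NAMESPACE=$(kubectl get configmap --all-namespaces -o json | jq -r '[.items[] | select(.metadata.name == "odh-common-config") | .metadata.namespace] | select(length == 1) | .[0]')` followed by `[ -n "$ODH_NAMESPACE" ] || { echo "expected exactly one odh-common-config ConfigMap"; exit 1; }`. `ISTIO_NAMESPACE` is obtained by listing jobs in kubectl's in-cluster default namespace, which is the job's own namespace already; reading it from the Downward API (`fieldRef: metadata.namespace`) or from `/var/run/secrets/kubernetes.io/serviceaccount/namespace` removes both the name matching and the need for the new `jobs` list permission. Both variables are then expanded unquoted throughout the second hunk; quote them once they are validated. The script header, and whether it runs under `set -e`, is above this hunk.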
@@ -68,16 +72,20 @@ spec: done # Ensure secrets are mounted in ingress-gateway. If not, restart the pod. - kubectl wait pods -l app=istio-ingressgateway --for condition=ready -n istio-system + kubectl wait pods -l app=istio-ingressgateway --for condition=ready -n ${ISTIO_NAMESPACE} + + INGRESS_POD=$(kubectl get pods -n ${ISTIO_NAMESPACE} -l app=istio-ingressgateway -o jsonpath='{.items[0].metadata.name}') + EXEC_OUTPUT=$(kubectl exec $INGRESS_POD -n ${ISTIO_NAMESPACE} -c istio-proxy -- ls -al /etc/istio/odh-oauth2/{token-secret.yaml,hmac-secret.yaml} 2>&1) + EXEC_EXIT_STATUS=$? - if kubectl exec $(kubectl get pods -n istio-system \ - -l app=istio-egressgateway \ - -o jsonpath='{.items[*].metadata.name}') \ - -n istio-system \ - -c istio-proxy -- ls -al /etc/istio/odh-oauth2 2>&1 | grep -q 'No such file or directory'; then + if echo $EXEC_OUTPUT | grep -q 'No such file or directory'; then # If we don't see the secrets mounted, restart deployment. - kubectl rollout restart deployment -n istio-system istio-ingressgateway + kubectl rollout restart deployment -n ${ISTIO_NAMESPACE} istio-ingressgateway + elif [[ $EXEC_EXIT_STATUS -ne 0 ]]; then + echo "Failed with: $EXEC_OUTPUT" + exit 1 fi + exit 0 volumeMounts: diff --git a/service-mesh/control-plane/base/kustomization.yaml b/service-mesh/control-plane/base/kustomization.yaml index 6727bf91b..30310f4cf 100644 --- a/service-mesh/control-plane/base/kustomization.yaml +++ b/service-mesh/control-plane/base/kustomization.yaml @@ -6,7 +6,9 @@ resources: - namespace.yaml - control-plane.yaml - init-job.yaml -- init-job-rbac/job-cluster-role.yaml +- init-job-rbac/resource-read-roles.yaml +- init-job-rbac/resource-create-roles.yaml +- init-job-rbac/pod-executor-roles.yaml - init-job-rbac/job-rolebinding.yaml - init-job-rbac/job-sa.yaml - cert-secret.yaml 
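Review bot: The rewritten check execs only into `.items[0]` of the ingress-gateway pods and, when the secret files are missing, restarts the deployment and then falls through to `exit 0` without waiting for the rollout — so the job reports success before the restarted gateway has mounted the secrets, and a failing `kubectl rollout restart` is masked as well unless the script runs under `set -e` (the script header is above the hunk). Add `kubectl -n ${ISTIO_NAMESPACE} rollout status deployment/istio-ingressgateway --timeout=180s` after the restart and let its exit status end the script, and quote the expansion in the test: `if echo "$EXEC_OUTPUT" | grep -q 'No such file or directory'; then`. Switching the exec target from `istio-egressgateway` to `istio-ingressgateway` fixes the old mismatch with the deployment being restarted; a comment on the `INGRESS_POD=` line noting that only one replica is sampled would make the remaining limitation explicit.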
diff --git a/service-mesh/control-plane/base/resource-templates/authconfig.yaml b/service-mesh/control-plane/base/resource-templates/authconfig.yaml
index 59a606bb9..630bd12bf 100644
--- a/service-mesh/control-plane/base/resource-templates/authconfig.yaml
+++ b/service-mesh/control-plane/base/resource-templates/authconfig.yaml
@@ -19,7 +19,7 @@ spec:
 valueFrom: { authJSON: auth.identity.username }
 resourceAttributes:
 namespace:
- value: opendatahub # TODO:HARDCODED
+ value: $ODH_NAMESPACE
 group:
 value: ""
 resource:
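Review bot: `value: $ODH_NAMESPACE` is unquoted; this template is rendered by envsubst in init-job.yaml, and when the variable is empty the rendered line becomes a bare `value:`, which YAML reads as null — whether Authorino then rejects the AuthConfig or evaluates the `resourceAttributes.namespace` check with no namespace, neither is intended, and it would not fail where the operator is looking. Write it as `value: "$ODH_NAMESPACE"` so an empty expansion is at least an empty string, and have the job refuse to render when the variable is unset or empty (a8m/envsubst has flags for that, `-no-unset`/`-no-empty`; confirm they are present in the pinned v1.2.0). Replacing the removed `# TODO:HARDCODED` marker with `# supplied by the init job from the namespace of the odh-common-config ConfigMap` keeps the value's provenance visible to whoever reads the template next.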