fix: resolves ns in init-job

odh-common/base/kustomization.yaml

@@ -11,6 +11,7 @@ commonLabels:
 configMapGenerator:
 - name: odh-common-config
   env: params.env
+
 generatorOptions:
   disableNameSuffixHash: true
 

odh-dashboard/overlays/service-mesh/job-role.yaml

@@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: init-job-role
-# We have this role/binding for our init-job to create authconfig
-# and to patch the odhdashboardconfig in the KfDef namespace.
+# We have this roles for our init-job to create authconfig
+# in the KfDef namespace from istio namespace
 rules:
   - apiGroups:
       - authorino.kuadrant.io
@@ -14,17 +14,5 @@ rules:
       - delete
       - get
       - list
-      - patch
       - update
-      - watch
-  - apiGroups:
-      - opendatahub.io
-    resources:
-      - odhdashboardconfigs
-    verbs:
-      - get
-      - create
-      - list
-      - update
-      - patch
-      - watch
+      - patch

service-mesh/control-plane/base/control-plane.yaml

@@ -16,19 +16,7 @@ spec:
             memory: 128Mi
           limits:
             cpu: 500m
-            memory: 129Mi
-  tracing:
-    type: Jaeger
-    sampling: 10000
-  addons:
-    jaeger:
-      name: jaeger
-      install:
-        storage:
-          type: Memory
-    kiali:
-      enabled: true
-      name: kiali
+            memory: 128Mi
   gateways:
     # no need to use IOR -
     # To be deprecated and we create the route manually

service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml

@@ -1,13 +1,35 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: init-job-clusterrolebinding
-  namespace: istio-system
+  name: init-job-creator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: init-job-role
+  name: init-job-create
+subjects:
+  - kind: ServiceAccount
+    name: init-job-executor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: init-job-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: init-job-read
+subjects:
+  - kind: ServiceAccount
+    name: init-job-executor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: init-job-pod-executor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: init-job-pod-operations
 subjects:
   - kind: ServiceAccount
     name: init-job-executor
-    namespace: istio-system

service-mesh/control-plane/base/init-job-rbac/job-sa.yaml

@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: init-job-executor
-  namespace: istio-system

service-mesh/control-plane/base/init-job-rbac/pod-executor-roles.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: init-job-pod-operations
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+      - pods/exec
+    verbs:
+      - get
+      - list
+      - create
+      - delete

service-mesh/control-plane/base/init-job-rbac/resource-create-roles.yaml

@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: init-job-create
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - namespaces
+    verbs:
+      - create
+      - delete
+      - update
+      - patch
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - envoyfilters
+    verbs:
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - security.istio.io
+    resources:
+      - authorizationpolicies
+    verbs:
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+      - routes/custom-host
+    verbs:
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - oauth.openshift.io 
+    resources:
+      - oauthclients
+    verbs:
+      - create
+      - update
+      - patch

service-mesh/control-plane/base/init-job-rbac/job-cluster-role.yaml → service-mesh/control-plane/base/init-job-rbac/resource-read-roles.yaml

@@ -1,32 +1,32 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: init-job-role
+  name: init-job-read
 rules:
   - apiGroups:
       - ""
     resources:
       - configmaps
       - pods
-      - pods/log
-      - pods/exec
-      - secrets
       - namespaces
     verbs:
-      - create
-      - delete
       - get
       - list
-      - patch
-      - update
       - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - get
+      - list
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     verbs:
-      - list
       - get
+      - list
   - apiGroups: 
       - config.openshift.io
     resources:
@@ -38,41 +38,26 @@ rules:
     resources:
       - envoyfilters
     verbs:
-      - create
       - get
-      - update
   - apiGroups:
       - security.istio.io
     resources:
       - authorizationpolicies
     verbs:
-      - create
       - get
-      - update
   - apiGroups:
-      - route.openshift.io
+      - oauth.openshift.io 
     resources:
-      - routes
-      - routes/custom-host
+      - oauthclients
     verbs:
-      - get
-      - list
-      - watch
       - create
-      - update
-      - patch
+      - get
   - apiGroups:
-      - oauth.openshift.io 
+      - route.openshift.io
     resources:
-      - oauthclients
+      - routes
     verbs:
-      - create
-      - delete
       - get
-      - list
-      - patch
-      - update
-      - watch
   - apiGroups:
       - apps
     resources:
@@ -87,4 +72,4 @@ rules:
     verbs:
       - get
       - watch
-      - list
+      - list

service-mesh/control-plane/base/init-job.yaml

@@ -20,6 +20,9 @@ spec:
             curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o /tmp/bin/envsubst && chmod +x /tmp/bin/envsubst
             export PATH=/tmp/bin:$PATH
 
+            export ISTIO_NAMESPACE=$(kubectl get jobs -o jsonpath='{.items[?(@.metadata.name=="odh-ossm-init-job")].metadata.namespace}')
+            export ODH_NAMESPACE=$(kubectl get configmap --all-namespaces -o json | jq -r '.items[] | select(.metadata.name == "odh-common-config") | .metadata.namespace')
+
             export CLIENT_SECRET=$(openssl rand -hex 32)
             export HMAC_SECRET=$(openssl rand -hex 32)
             export DOMAIN=$(kubectl get ingress.config.openshift.io cluster -o 'jsonpath={.spec.domain}')
@@ -39,27 +42,28 @@ spec:
 
               case "$filename" in
                 "/etc/cluster-resources/authconfig.yaml")
-                  namespace="opendatahub"
+                  namespace="${ODH_NAMESPACE}"
                   ;;
                 *)
-                  namespace="istio-system"
+                  namespace="${ISTIO_NAMESPACE}"
                   ;;
               esac
 
               cat "$filename" | envsubst | kubectl apply -n $namespace -f -
             }
 
-            # create secrets for oauth2 (formerly configmap)
-            kubectl create secret generic istio-odh-oauth2 -n istio-system \
+            # recreate secrets for oauth2
+            kubectl delete secret istio-odh-oauth2 -n ${ISTIO_NAMESPACE} --ignore-not-found
+            kubectl create secret generic istio-odh-oauth2 -n ${ISTIO_NAMESPACE} \
                 --from-file=token-secret.yaml=<(envsubst < $TOKEN_FILEPATH) \
                 --from-file=hmac-secret.yaml=<(envsubst < $HMAC_FILEPATH)
 
             # add annotation to the root namespace (hardcoded pre-plugin)
-            kubectl annotate namespace opendatahub opendatahub.io/service-mesh=true
+            kubectl annotate namespace ${ODH_NAMESPACE} opendatahub.io/service-mesh=true
 
             # wait for app to be ready
             echo "waiting for SMCP to be ready"
-            kubectl -n istio-system wait --for=condition=Ready smcp/basic --timeout=180s          
+            kubectl -n ${ISTIO_NAMESPACE} wait --for=condition=Ready smcp/basic --timeout=180s          
 
             # iterate over all files in the subdirectory
             for filename in /etc/cluster-resources/*
@@ -68,16 +72,20 @@ spec:
             done
 
             # Ensure secrets are mounted in ingress-gateway. If not, restart the pod.
-            kubectl wait pods -l app=istio-ingressgateway --for condition=ready -n istio-system
+            kubectl wait pods -l app=istio-ingressgateway --for condition=ready -n ${ISTIO_NAMESPACE}
+
+            INGRESS_POD=$(kubectl get pods -n ${ISTIO_NAMESPACE} -l app=istio-ingressgateway -o jsonpath='{.items[0].metadata.name}')
+            EXEC_OUTPUT=$(kubectl exec $INGRESS_POD -n ${ISTIO_NAMESPACE} -c istio-proxy -- ls -al /etc/istio/odh-oauth2/{token-secret.yaml,hmac-secret.yaml} 2>&1)
+            EXEC_EXIT_STATUS=$?
 
-            if kubectl exec $(kubectl get pods -n istio-system \
-              -l app=istio-egressgateway \
-              -o jsonpath='{.items[*].metadata.name}') \
-              -n istio-system \
-              -c istio-proxy -- ls -al /etc/istio/odh-oauth2 2>&1 | grep -q 'No such file or directory'; then
+            if echo $EXEC_OUTPUT | grep -q 'No such file or directory'; then
               # If we don't see the secrets mounted, restart deployment.
-              kubectl rollout restart deployment -n istio-system istio-ingressgateway
+              kubectl rollout restart deployment -n ${ISTIO_NAMESPACE} istio-ingressgateway
+            elif [[ $EXEC_EXIT_STATUS -ne 0 ]]; then
+              echo "Failed with: $EXEC_OUTPUT"
+              exit 1
             fi
+
             exit 0
 
         volumeMounts:

service-mesh/control-plane/base/kustomization.yaml

@@ -6,7 +6,9 @@ resources:
 - namespace.yaml
 - control-plane.yaml
 - init-job.yaml
-- init-job-rbac/job-cluster-role.yaml
+- init-job-rbac/resource-read-roles.yaml
+- init-job-rbac/resource-create-roles.yaml
+- init-job-rbac/pod-executor-roles.yaml
 - init-job-rbac/job-rolebinding.yaml
 - init-job-rbac/job-sa.yaml
 - cert-secret.yaml

service-mesh/control-plane/base/resource-templates/authconfig.yaml

@@ -19,7 +19,7 @@ spec:
         valueFrom: { authJSON: auth.identity.username }
       resourceAttributes:
         namespace:
-          value: opendatahub # TODO:HARDCODED
+          value: $ODH_NAMESPACE
         group:
           value: ""
         resource: