diff --git a/api/v1/cbcontainersagent_types.go b/api/v1/cbcontainersagent_types.go
index 84263102..e3ae0c59 100644
--- a/api/v1/cbcontainersagent_types.go
+++ b/api/v1/cbcontainersagent_types.go
@@ -30,7 +30,13 @@ type CBContainersAgentSpec struct {
 ClusterName string `json:"clusterName,required"`
 Version string `json:"version,required"`
 Gateways CBContainersGatewaysSpec `json:"gateways,required"`
+ // The field below remains to avoid moving the CRD from v1 to v2.
+ // It MUST not be used as agent namespace should be controlled outside the operator itself.
+ // This is because a custom namespace in the CRD requires high privileges by the operator across the whole cluster to be able to "switch" namespaces on demand.
+ // +kubebuilder:default:="cbcontainers-dataplane"
+ // Namespace is deprecated and the value has no effect. Do not use.
+ // Deprecated: The operator and agent always run in the same namespace. See documentation for ways to customize this namespace.
 Namespace string `json:"namespace,omitempty"`
 // +kubebuilder:default:="cbcontainers-access-token"
 AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`
diff --git a/cbcontainers/state/components/cluster_configmap.go b/cbcontainers/state/components/cluster_configmap.go
index 940b1001..155cd218 100644
--- a/cbcontainers/state/components/cluster_configmap.go
+++ b/cbcontainers/state/components/cluster_configmap.go
@@ -17,9 +17,9 @@ type ConfigurationK8sObject struct {
 Namespace string
 }
-func NewConfigurationK8sObject() *ConfigurationK8sObject {
+func NewConfigurationK8sObject(namespace string) *ConfigurationK8sObject {
 return &ConfigurationK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
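Review bot: The `// +kubebuilder:default:="cbcontainers-dataplane"` marker is kept on a field whose value is documented in the same hunk as having no effect, so every stored CR will carry `namespace: cbcontainers-dataplane` even when the operator and agent actually run elsewhere (the README hunk later in this diff installs into an arbitrary `$NAMESPACE`), which invites a reader of the object to take it for the live namespace. If the default has to stay for CRD v1 compatibility, consider having the reconciler emit a warning event or status condition when `spec.namespace` is set to anything other than the namespace it runs in, so that a setting which is silently ignored is at least visible; that keeps the privilege argument in the comment honest without granting the operator cross-namespace rights. On style, Go tooling (staticcheck SA1019, pkgsite) recognises `Deprecated:` only when it opens its own paragraph, so add a bare `//` line before `// Deprecated: ...`. The struct this field belongs to starts before the hunk.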
@@ -35,12 +35,11 @@ func (obj *ConfigurationK8sObject) MutateK8sObject(k8sObject client.Object, agen
 return fmt.Errorf("expected ConfigMap K8s object")
 }
- configMap.Namespace = agentSpec.Namespace
 configMap.Data = map[string]string{
 commonState.DataPlaneConfigmapAccountKey: agentSpec.Account,
 commonState.DataPlaneConfigmapClusterKey: agentSpec.ClusterName,
 commonState.DataPlaneConfigmapAgentVersionKey: agentSpec.Version,
- commonState.DataPlaneConfigmapDataplaneNamespaceKey: agentSpec.Namespace,
+ commonState.DataPlaneConfigmapDataplaneNamespaceKey: obj.Namespace,
 commonState.DataPlaneConfigmapApiSchemeKey: agentSpec.Gateways.ApiGateway.Scheme,
 commonState.DataPlaneConfigmapApiHostKey: agentSpec.Gateways.ApiGateway.Host,
 commonState.DataPlaneConfigmapApiPortKey: strconv.Itoa(agentSpec.Gateways.ApiGateway.Port),
diff --git a/cbcontainers/state/components/enforcer_deployment.go b/cbcontainers/state/components/enforcer_deployment.go
index 00803cde..5e629d62 100644
--- a/cbcontainers/state/components/enforcer_deployment.go
+++ b/cbcontainers/state/components/enforcer_deployment.go
@@ -42,9 +42,9 @@ type EnforcerDeploymentK8sObject struct {
 Namespace string
 }
-func NewEnforcerDeploymentK8sObject() *EnforcerDeploymentK8sObject {
+func NewEnforcerDeploymentK8sObject(namespace string) *EnforcerDeploymentK8sObject {
 return &EnforcerDeploymentK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -84,8 +84,6 @@ func (obj *EnforcerDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 if objectsDiffer(deployment.Spec.Template.Spec.ImagePullSecrets, desiredImagePullSecrets) {
 deployment.Spec.Template.Spec.ImagePullSecrets = desiredImagePullSecrets
 }
- obj.Namespace = agentSpec.Namespace
- deployment.Namespace = agentSpec.Namespace
 obj.mutateAnnotations(deployment, enforcer)
 obj.mutateVolumes(&deployment.Spec.Template.Spec)
 obj.mutateAffinityAndNodeSelector(&deployment.Spec.Template.Spec, enforcer)
diff --git a/cbcontainers/state/components/enforcer_mutating_webhook.go b/cbcontainers/state/components/enforcer_mutating_webhook.go
index 6711eeaa..44c5085e 100644
--- a/cbcontainers/state/components/enforcer_mutating_webhook.go
+++ b/cbcontainers/state/components/enforcer_mutating_webhook.go
@@ -34,10 +34,10 @@ type EnforcerMutatingWebhookK8sObject struct {
 ServiceNamespace string
 }
-func NewEnforcerMutatingWebhookK8sObject(kubeletVersion string) *EnforcerMutatingWebhookK8sObject {
+func NewEnforcerMutatingWebhookK8sObject(serviceNamespace, kubeletVersion string) *EnforcerMutatingWebhookK8sObject {
 return &EnforcerMutatingWebhookK8sObject{
 kubeletVersion: kubeletVersion,
- ServiceNamespace: commonState.DataPlaneNamespaceName,
+ ServiceNamespace: serviceNamespace,
 }
 }
@@ -65,10 +65,10 @@ func (obj *EnforcerMutatingWebhookK8sObject) MutateK8sObject(k8sObject client.Ob
 enforcer := &agentSpec.Components.Basic.Enforcer
 obj.mutateWebhookConfigurationLabels(webhookConfiguration, enforcer)
- return obj.mutateWebhooks(webhookConfiguration, enforcer, agentSpec.Namespace)
+ return obj.mutateWebhooks(webhookConfiguration, enforcer)
 }
-func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec, serviceNamespace string) error {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec) error {
 var resourcesWebhookObj adapters.WebhookAdapter
 initializeWebhooks := false
@@ -93,7 +93,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration
 resourcesWebhookObj = updatedWebhooks[0]
 }
- obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy, serviceNamespace)
+ obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy)
 return nil
 }
@@ -107,7 +107,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) findWebhookByName(webhooks []adapte
 return nil, false
 }
-func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy, serviceNamespace string) {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy string) {
 resourcesWebhook.SetName(MutatingWebhookName)
 resourcesWebhook.SetFailurePolicy(failurePolicy)
 resourcesWebhook.SetSideEffects(MutatingWebhookSideEffect)
@@ -123,7 +123,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWeb
 }
 resourcesWebhook.SetCABundle(obj.tlsSecretValues.CaCert)
 resourcesWebhook.SetServiceName(EnforcerName)
- resourcesWebhook.SetServiceNamespace(serviceNamespace)
+ resourcesWebhook.SetServiceNamespace(obj.ServiceNamespace)
 resourcesWebhook.SetServicePath(&MutatingWebhookPath)
 }
diff --git a/cbcontainers/state/components/enforcer_service.go b/cbcontainers/state/components/enforcer_service.go
index 336241f3..21819796 100644
--- a/cbcontainers/state/components/enforcer_service.go
+++ b/cbcontainers/state/components/enforcer_service.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
- commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 coreV1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -21,9 +20,9 @@ type EnforcerServiceK8sObject struct {
 Namespace string
 }
-func NewEnforcerServiceK8sObject() *EnforcerServiceK8sObject {
+func NewEnforcerServiceK8sObject(namespace string) *EnforcerServiceK8sObject {
 return &EnforcerServiceK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
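Review bot: `ServiceNamespace` stays an exported, settable field although this diff removes its only post-construction writer (`setNamespace` in state_applier.go), and `mutateResourcesWebhook` now reads it to set the webhook's `clientConfig.service.namespace`, which has to match the namespace the enforcer TLS certificate is issued for (`enforcer_tls_secret.go` in this diff builds that `NamespacedName` from its own `Namespace` field). Both are set once from the same `agentNamespace` at construction, so they agree today, but nothing stops a later caller from changing one without the other, and a mismatch would make the API server fail the TLS handshake to the webhook, with the effect on admission then depending on the `failurePolicy` set two lines above. Consider making the field unexported (`serviceNamespace`) now that the constructor is the only writer, or at least documenting the invariant on it: `// ServiceNamespace must equal the namespace the enforcer TLS secret is generated for.` `mutateResourcesWebhook` starts in the first hunk and its closing brace is the last line of the second.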
@@ -45,7 +44,6 @@ func (obj *EnforcerServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 service.Labels = enforcer.Labels
 service.Spec.Type = coreV1.ServiceTypeClusterIP
- service.Namespace = agentSpec.Namespace
 service.Spec.Selector = map[string]string{
 EnforcerLabelKey: EnforcerName,
 }
diff --git a/cbcontainers/state/components/enforcer_tls_secret.go b/cbcontainers/state/components/enforcer_tls_secret.go
index 91ddb73f..b4bed8bd 100644
--- a/cbcontainers/state/components/enforcer_tls_secret.go
+++ b/cbcontainers/state/components/enforcer_tls_secret.go
@@ -5,7 +5,6 @@ import (
 cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
 "github.com/vmware/cbcontainers-operator/cbcontainers/models"
- commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 coreV1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,10 +25,10 @@ type EnforcerTlsK8sObject struct {
 Namespace string
 }
-func NewEnforcerTlsK8sObject(tlsSecretsValuesCreator TlsSecretsValuesCreator) *EnforcerTlsK8sObject {
+func NewEnforcerTlsK8sObject(namespace string, tlsSecretsValuesCreator TlsSecretsValuesCreator) *EnforcerTlsK8sObject {
 return &EnforcerTlsK8sObject{
 tlsSecretsValuesCreator: tlsSecretsValuesCreator,
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -47,7 +46,6 @@ func (obj *EnforcerTlsK8sObject) MutateK8sObject(k8sObject client.Object, spec *
 return fmt.Errorf("expected Secret K8s object")
 }
- secret.Namespace = spec.Namespace
 tlsSecretValues, err := obj.tlsSecretsValuesCreator.CreateTlsSecretsValues(types.NamespacedName{Name: EnforcerName, Namespace: obj.Namespace})
 if err != nil {
 return err
diff --git a/cbcontainers/state/components/enforcer_validating_webhook.go b/cbcontainers/state/components/enforcer_validating_webhook.go
index 1e855f1e..acaeaf14 100644
--- a/cbcontainers/state/components/enforcer_validating_webhook.go
+++ b/cbcontainers/state/components/enforcer_validating_webhook.go
@@ -7,7 +7,6 @@ import (
 cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
 "github.com/vmware/cbcontainers-operator/cbcontainers/models"
 "github.com/vmware/cbcontainers-operator/cbcontainers/state/adapters"
- commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 "github.com/vmware/cbcontainers-operator/cbcontainers/utils"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
@@ -36,10 +35,10 @@ type EnforcerValidatingWebhookK8sObject struct {
 ServiceNamespace string
 }
-func NewEnforcerValidatingWebhookK8sObject(kubeletVersion string) *EnforcerValidatingWebhookK8sObject {
+func NewEnforcerValidatingWebhookK8sObject(serviceNamespace, kubeletVersion string) *EnforcerValidatingWebhookK8sObject {
 return &EnforcerValidatingWebhookK8sObject{
 kubeletVersion: kubeletVersion,
- ServiceNamespace: commonState.DataPlaneNamespaceName,
+ ServiceNamespace: serviceNamespace,
 }
 }
diff --git a/cbcontainers/state/components/image_scanning_reporter_deployment.go b/cbcontainers/state/components/image_scanning_reporter_deployment.go
index f6c9f509..4d9b25d6 100644
--- a/cbcontainers/state/components/image_scanning_reporter_deployment.go
+++ b/cbcontainers/state/components/image_scanning_reporter_deployment.go
@@ -34,9 +34,9 @@ type ImageScanningReporterDeploymentK8sObject struct {
 Namespace string
 }
-func NewImageScanningReporterDeploymentK8sObject() *ImageScanningReporterDeploymentK8sObject {
+func NewImageScanningReporterDeploymentK8sObject(namespace string) *ImageScanningReporterDeploymentK8sObject {
 return &ImageScanningReporterDeploymentK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -55,7 +55,6 @@ func (obj *ImageScanningReporterDeploymentK8sObject) MutateK8sObject(k8sObject c
 }
 clusterScanning := &agentSpec.Components.ClusterScanning
- deployment.Namespace = agentSpec.Namespace
 imageScanningReporter := &clusterScanning.ImageScanningReporter
 obj.initiateDeployment(deployment, agentSpec)
 obj.mutateLabels(deployment, imageScanningReporter)
diff --git a/cbcontainers/state/components/image_scanning_reporter_service.go b/cbcontainers/state/components/image_scanning_reporter_service.go
index 83e97926..2f7dbce6 100644
--- a/cbcontainers/state/components/image_scanning_reporter_service.go
+++ b/cbcontainers/state/components/image_scanning_reporter_service.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
- commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 coreV1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -21,9 +20,9 @@ type ImageScanningReporterServiceK8sObject struct {
 Namespace string
 }
-func NewImageScanningReporterServiceK8sObject() *ImageScanningReporterServiceK8sObject {
+func NewImageScanningReporterServiceK8sObject(namespace string) *ImageScanningReporterServiceK8sObject {
 return &ImageScanningReporterServiceK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -43,7 +42,6 @@ func (obj *ImageScanningReporterServiceK8sObject) MutateK8sObject(k8sObject clie
 imageScanningReporter := &agentSpec.Components.ClusterScanning.ImageScanningReporter
- service.Namespace = agentSpec.Namespace
 service.Labels = imageScanningReporter.Labels
 service.Spec.Type = coreV1.ServiceTypeClusterIP
 service.Spec.Selector = map[string]string{
diff --git a/cbcontainers/state/components/monitor_deployment.go b/cbcontainers/state/components/monitor_deployment.go
index c887def4..809895ba 100644
--- a/cbcontainers/state/components/monitor_deployment.go
+++ b/cbcontainers/state/components/monitor_deployment.go
@@ -37,9 +37,9 @@ type MonitorDeploymentK8sObject struct {
 Namespace string
 }
-func NewMonitorDeploymentK8sObject() *MonitorDeploymentK8sObject {
+func NewMonitorDeploymentK8sObject(namespace string) *MonitorDeploymentK8sObject {
 return &MonitorDeploymentK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -76,7 +76,6 @@ func (obj *MonitorDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 }
- deployment.Namespace = agentSpec.Namespace
 deployment.Spec.Replicas = &MonitorReplicas
 deployment.ObjectMeta.Labels = desiredLabels
 deployment.Spec.Selector.MatchLabels = desiredLabels
diff --git a/cbcontainers/state/components/registry_secret.go b/cbcontainers/state/components/registry_secret.go
index a8083643..845ef397 100644
--- a/cbcontainers/state/components/registry_secret.go
+++ b/cbcontainers/state/components/registry_secret.go
@@ -18,9 +18,9 @@ type RegistrySecretK8sObject struct {
 Namespace string
 }
-func NewRegistrySecretK8sObject() *RegistrySecretK8sObject {
+func NewRegistrySecretK8sObject(namespace string) *RegistrySecretK8sObject {
 return &RegistrySecretK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -46,7 +46,6 @@ func (obj *RegistrySecretK8sObject) MutateK8sObject(k8sObject client.Object, spe
 secret.Type = obj.registrySecretValues.Type
 secret.Data = obj.registrySecretValues.Data
- secret.Namespace = spec.Namespace
 return nil
 }
diff --git a/cbcontainers/state/components/resolver_service.go b/cbcontainers/state/components/resolver_service.go
index 94b8ea17..935889d6 100644
--- a/cbcontainers/state/components/resolver_service.go
+++ b/cbcontainers/state/components/resolver_service.go
@@ -4,7 +4,6 @@ import (
 "fmt"
 cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
- commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 coreV1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -20,9 +19,9 @@ type ResolverServiceK8sObject struct {
 Namespace string
 }
-func NewResolverServiceK8sObject() *ResolverServiceK8sObject {
+func NewResolverServiceK8sObject(namespace string) *ResolverServiceK8sObject {
 return &ResolverServiceK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -46,7 +45,6 @@ func (obj *ResolverServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 service.Spec.Type = coreV1.ServiceTypeClusterIP
 service.Spec.ClusterIP = coreV1.ClusterIPNone
- service.Namespace = agentSpec.Namespace
 service.Spec.Selector = map[string]string{
 resolverLabelKey: ResolverName,
 }
diff --git a/cbcontainers/state/components/runtime_resolver_deployment.go b/cbcontainers/state/components/runtime_resolver_deployment.go
index 3f9dd247..9be0d68b 100644
--- a/cbcontainers/state/components/runtime_resolver_deployment.go
+++ b/cbcontainers/state/components/runtime_resolver_deployment.go
@@ -36,9 +36,9 @@ type ResolverDeploymentK8sObject struct {
 APIReader client.Reader
 }
-func NewResolverDeploymentK8sObject(apiReader client.Reader) *ResolverDeploymentK8sObject {
+func NewResolverDeploymentK8sObject(namespace string, apiReader client.Reader) *ResolverDeploymentK8sObject {
 return &ResolverDeploymentK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 APIReader: apiReader,
 }
 }
@@ -89,7 +89,6 @@ func (obj *ResolverDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 }
 }
- deployment.Namespace = agentSpec.Namespace
 deployment.Spec.Replicas = replicasCount
 deployment.ObjectMeta.Labels = desiredLabels
 deployment.Spec.Selector.MatchLabels = desiredLabels
diff --git a/cbcontainers/state/components/sensor_daemon_set.go b/cbcontainers/state/components/sensor_daemon_set.go
index cab75b69..27889e76 100644
--- a/cbcontainers/state/components/sensor_daemon_set.go
+++ b/cbcontainers/state/components/sensor_daemon_set.go
@@ -95,9 +95,9 @@ type SensorDaemonSetK8sObject struct {
 Namespace string
 }
-func NewSensorDaemonSetK8sObject() *SensorDaemonSetK8sObject {
+func NewSensorDaemonSetK8sObject(namespace string) *SensorDaemonSetK8sObject {
 return &SensorDaemonSetK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -131,7 +131,6 @@ func (obj *SensorDaemonSetK8sObject) MutateK8sObject(k8sObject client.Object, ag
 daemonSet.Spec.Template.Spec.HostPID = false
 }
- daemonSet.Namespace = agentSpec.Namespace
 obj.mutateLabels(daemonSet, agentSpec)
 obj.mutateAnnotations(daemonSet, agentSpec)
 obj.mutateVolumes(daemonSet, agentSpec)
diff --git a/cbcontainers/state/components/state_reporter_deployment.go b/cbcontainers/state/components/state_reporter_deployment.go
index d1d00d35..b090b06d 100644
--- a/cbcontainers/state/components/state_reporter_deployment.go
+++ b/cbcontainers/state/components/state_reporter_deployment.go
@@ -32,9 +32,9 @@ type StateReporterDeploymentK8sObject struct {
 Namespace string
 }
-func NewStateReporterDeploymentK8sObject() *StateReporterDeploymentK8sObject {
+func NewStateReporterDeploymentK8sObject(namespace string) *StateReporterDeploymentK8sObject {
 return &StateReporterDeploymentK8sObject{
- Namespace: commonState.DataPlaneNamespaceName,
+ Namespace: namespace,
 }
 }
@@ -72,7 +72,6 @@ func (obj *StateReporterDeploymentK8sObject) MutateK8sObject(k8sObject client.Ob
 deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 }
- deployment.Namespace = agentSpec.Namespace
 deployment.Spec.Replicas = &StateReporterReplicas
 deployment.ObjectMeta.Labels = desiredLabels
 deployment.Spec.Selector.MatchLabels = desiredLabels
diff --git a/cbcontainers/state/state_applier.go b/cbcontainers/state/state_applier.go
index 6cbc6741..35ebc408 100644
--- a/cbcontainers/state/state_applier.go
+++ b/cbcontainers/state/state_applier.go
@@ -41,23 +41,23 @@ type StateApplier struct {
 log logr.Logger
 }
-func NewStateApplier(apiReader client.Reader, agentComponentApplier AgentComponentApplier, k8sVersion string, tlsSecretsValuesCreator components.TlsSecretsValuesCreator, log logr.Logger) *StateApplier {
+func NewStateApplier(apiReader client.Reader, agentComponentApplier AgentComponentApplier, k8sVersion, agentNamespace string, tlsSecretsValuesCreator components.TlsSecretsValuesCreator, log logr.Logger) *StateApplier {
 return &StateApplier{
- desiredConfigMap: components.NewConfigurationK8sObject(),
- desiredRegistrySecret: components.NewRegistrySecretK8sObject(),
+ desiredConfigMap: components.NewConfigurationK8sObject(agentNamespace),
+ desiredRegistrySecret: components.NewRegistrySecretK8sObject(agentNamespace),
 desiredPriorityClass: components.NewPriorityClassK8sObject(k8sVersion),
- desiredMonitorDeployment: components.NewMonitorDeploymentK8sObject(),
- enforcerTlsSecret: components.NewEnforcerTlsK8sObject(tlsSecretsValuesCreator),
- enforcerDeployment: components.NewEnforcerDeploymentK8sObject(),
- enforcerService: components.NewEnforcerServiceK8sObject(),
- enforcerValidatingWebhook: components.NewEnforcerValidatingWebhookK8sObject(k8sVersion),
- enforcerMutatingWebhook: components.NewEnforcerMutatingWebhookK8sObject(k8sVersion),
- stateReporterDeployment: components.NewStateReporterDeploymentK8sObject(),
- resolverDeployment: components.NewResolverDeploymentK8sObject(apiReader),
- resolverService: components.NewResolverServiceK8sObject(),
- sensorDaemonSet: components.NewSensorDaemonSetK8sObject(),
- imageScanningReporterDeployment: components.NewImageScanningReporterDeploymentK8sObject(),
- imageScanningReporterService: components.NewImageScanningReporterServiceK8sObject(),
+ desiredMonitorDeployment: components.NewMonitorDeploymentK8sObject(agentNamespace),
+ enforcerTlsSecret: components.NewEnforcerTlsK8sObject(agentNamespace, tlsSecretsValuesCreator),
+ enforcerDeployment: 
components.NewEnforcerDeploymentK8sObject(agentNamespace),
+ enforcerService: components.NewEnforcerServiceK8sObject(agentNamespace),
+ enforcerValidatingWebhook: components.NewEnforcerValidatingWebhookK8sObject(agentNamespace, k8sVersion),
+ enforcerMutatingWebhook: components.NewEnforcerMutatingWebhookK8sObject(agentNamespace, k8sVersion),
+ stateReporterDeployment: components.NewStateReporterDeploymentK8sObject(agentNamespace),
+ resolverDeployment: components.NewResolverDeploymentK8sObject(agentNamespace, apiReader),
+ resolverService: components.NewResolverServiceK8sObject(agentNamespace),
+ sensorDaemonSet: components.NewSensorDaemonSetK8sObject(agentNamespace),
+ imageScanningReporterDeployment: components.NewImageScanningReporterDeploymentK8sObject(agentNamespace),
+ imageScanningReporterService: components.NewImageScanningReporterServiceK8sObject(agentNamespace),
 applier: agentComponentApplier,
 log: log,
 }
@@ -70,13 +70,6 @@ func (c *StateApplier) GetPriorityClassEmptyK8sObject() client.Object {
 func (c *StateApplier) ApplyDesiredState(ctx context.Context, agentSpec *cbcontainersv1.CBContainersAgentSpec, registrySecret *models.RegistrySecretValues, setOwner applymentOptions.OwnerSetter) (bool, error) {
 applyOptions := applymentOptions.NewApplyOptions().SetOwnerSetter(setOwner)
- // The namespace field of the agent spec should always be populated, because it has a default value
- // but just in case include this check here in case it turns out to be empty in the future.
- // By default all objects have the "cbcontainers-dataplane" as namespace.
- if agentSpec.Namespace != "" {
- c.setNamespace(agentSpec.Namespace)
- }
-
 coreMutated, err := c.applyCoreComponents(ctx, agentSpec, registrySecret, applyOptions)
 if err != nil {
 return false, err
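Review bot: `NewStateApplier` accepts `agentNamespace` without checking it, while the only guard against an empty namespace (`if agentSpec.Namespace != ""` in `ApplyDesiredState`) is removed in the second hunk, and the place where `agentNamespace` is produced is outside this diff. An empty string would be copied into all fourteen component constructors and from there into each namespaced object's metadata, so a misconfigured operator deployment (a missing downward-API env var, if that is the source) would surface only as apply-time API errors rather than at start-up. Since the commit's point is that the namespace is decided outside the operator, fail fast instead of falling back to a constant: have `NewStateApplier` return `(*StateApplier, error)` with `if agentNamespace == "" { return nil, errors.New("agent namespace must not be empty") }` as its first statement, or validate in the caller before constructing. `k8sVersion, agentNamespace string` are also two adjacent untyped strings; the test call site passes them in the right order, but a one-line doc comment on the parameter list would make a swap easier to catch in review. `ApplyDesiredState` continues past the hunk.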
@@ -143,24 +136,6 @@ func (c *StateApplier) ApplyDesiredState(ctx context.Context, agentSpec *cbconta
 return coreMutated || mutatedEnforcer || mutatedStateReporter || mutatedRuntimeResolver || mutatedComponentsDaemonSet || runtimeResolverDeleted || mutatedImageScanningReporter || imageScanningReporterDeleted || componentsDamonSetDeleted, nil
 }
-// setNamespace sets the namespace to all the desired K8s objects which are namespaced.
-func (c *StateApplier) setNamespace(namespace string) {
- c.desiredConfigMap.Namespace = namespace
- c.desiredRegistrySecret.Namespace = namespace
- c.desiredMonitorDeployment.Namespace = namespace
- c.enforcerTlsSecret.Namespace = namespace
- c.enforcerDeployment.Namespace = namespace
- c.enforcerService.Namespace = namespace
- c.enforcerValidatingWebhook.ServiceNamespace = namespace
- c.enforcerMutatingWebhook.ServiceNamespace = namespace
- c.stateReporterDeployment.Namespace = namespace
- c.resolverDeployment.Namespace = namespace
- c.resolverService.Namespace = namespace
- c.sensorDaemonSet.Namespace = namespace
- c.imageScanningReporterDeployment.Namespace = namespace
- c.imageScanningReporterService.Namespace = namespace
-}
-
 func (c *StateApplier) applyCoreComponents(ctx context.Context, agentSpec *cbcontainersv1.CBContainersAgentSpec, registrySecret *models.RegistrySecretValues, applyOptions *applymentOptions.ApplyOptions) (bool, error) {
 mutatedConfigmap, _, err := c.applier.Apply(ctx, c.desiredConfigMap, agentSpec, applyOptions)
 if err != nil {
diff --git a/cbcontainers/state/state_applier_test.go b/cbcontainers/state/state_applier_test.go
index 5ee90bb2..4a4b6140 100644
--- a/cbcontainers/state/state_applier_test.go
+++ b/cbcontainers/state/state_applier_test.go
@@ -148,7 +148,6 @@ func testStateApplier(t *testing.T, setup StateApplierTestSetup, k8sVersion, nam
 agentSpec := &cbcontainersv1.CBContainersAgentSpec{
 Account: Account,
 ClusterName: Cluster,
- Namespace: namespace,
 Gateways: cbcontainersv1.CBContainersGatewaysSpec{
 ApiGateway: cbcontainersv1.CBContainersApiGatewaySpec{
 Scheme: ApiGateWayScheme,
@@ -190,7 +189,7 @@ func testStateApplier(t *testing.T, setup StateApplierTestSetup, k8sVersion, nam
 setup(mockObjects)
- stateApplier := state.NewStateApplier(testUtilsMocks.NewMockReader(ctrl), mockObjects.componentApplier, k8sVersion, mockObjects.secretValuesCreator, logrTesting.NewTestLogger(t))
+ stateApplier := state.NewStateApplier(testUtilsMocks.NewMockReader(ctrl), mockObjects.componentApplier, k8sVersion, namespace, mockObjects.secretValuesCreator, logrTesting.NewTestLogger(t))
 return stateApplier.ApplyDesiredState(context.Background(), agentSpec, &models.RegistrySecretValues{}, nil)
 }
diff --git a/charts/cbcontainers-agent/README.md b/charts/cbcontainers-agent/README.md
index 2b654b34..aca3cf7a 100644
--- a/charts/cbcontainers-agent/README.md
+++ b/charts/cbcontainers-agent/README.md
@@ -21,15 +21,7 @@ There are 8 required fields that need to be provided by the user:
 | `spec.gateways.hardeningEventsGatewayHost` | The URL of the CBC Hardening events Gateway |
 | `spec.gateways.runtimeEventsGatewayHost` | The URL of the CBC Runtime events Gateway |
-After setting these required fields in a `values.yaml` file you can install the chart from our repo:
-
-```sh
-helm repo add vmware TODO-chart-repo/TODO-chart-name -f values.yaml
-helm repo update
-helm install cbcontainers-agent TODO-chart-repo/TODO-chart-name -f values.yaml --namespace cbcontainers-dataplane
-```
-
-or from source
+After setting these required fields in a `values.yaml` file you can install the chart from source
 ```sh
 cd charts/cbcontainers-agent
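Review bot: Dropping `Namespace: namespace` from the test's `agentSpec` removes the only place the tests exercised `spec.namespace`, so after this change nothing pins the property the commit introduces — that a value in the deprecated CRD field is ignored and every object is placed in the namespace handed to the constructor. Keep a case where the two disagree, e.g. `Namespace: "not-" + namespace,` in `agentSpec` while still passing `namespace` to `state.NewStateApplier`, and assert through `mockObjects.componentApplier` (if it records the desired objects) that each applied object targets `namespace`. That guards the privilege boundary described in the CRD comment against a future change that quietly starts reading the field again. `testStateApplier` starts before the first hunk and its return is the last line of the second.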
@@ -46,9 +38,14 @@ For all the possible values see +kubectl create namespace $NAMESPACE +kubectl label namespace $NAMESPACE control-plane=operator octarine=ignore +helm install cbcontainers-operator ./cbcontainers-operator-chart --set createOperatorNamespace=false,operatorNamespace=$NAMESPACE +``` + ### CRD Installation By default, installing the chart will also create the `CBContainersAgent` CRD. @@ -71,7 +73,7 @@ For more info see