From 887621754d20c77ead431989f3a2f1f32ae1dd76 Mon Sep 17 00:00:00 2001 From: Vasilis Remmas Date: Fri, 15 Dec 2023 10:21:46 +0100 Subject: [PATCH 01/10] Add configurable certificate in Helm chart Signed-off-by: Vasilis Remmas --- .../templates/certificate.yaml | 71 +++++++++++++++++++ .../templates/operator.yaml | 25 ++++++- deployment/sriov-network-operator/values.yaml | 49 ++++++++++++- 3 files changed, 142 insertions(+), 3 deletions(-) create mode 100644 deployment/sriov-network-operator/templates/certificate.yaml diff --git a/deployment/sriov-network-operator/templates/certificate.yaml b/deployment/sriov-network-operator/templates/certificate.yaml new file mode 100644 index 000000000..add29a9be --- /dev/null +++ b/deployment/sriov-network-operator/templates/certificate.yaml 
@@ -0,0 +1,71 @@ +{{- if .Values.operator.admissionControllers.enabled }} +{{- if and (.Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.certManager.generateSelfSigned) }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - operator-webhook-service.{{ .Release.Namespace }}.svc + - operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: operator-webhook-selfsigned-issuer + secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: operator-webhook-selfsigned-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - network-resources-injector-service.{{ .Release.Namespace }}.svc + - network-resources-injector-service.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: network-resources-injector-selfsigned-issuer + secretName: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: network-resources-injector-selfsigned-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +{{- else if and (not .Values.operator.admissionControllers.certificates.certManager.enabled) (.Values.operator.admissionControllers.certificates.custom.enabled) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ca.crt: {{ 
.Values.operator.admissionControllers.certificates.custom.operator.caCrt | b64enc | b64enc | quote }} + tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsCrt | b64enc | quote }} + tls.key: {{ .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ca.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.caCrt | b64enc | b64enc | quote }} + tls.crt: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsCrt | b64enc | quote }} + tls.key: {{ .Values.operator.admissionControllers.certificates.custom.injector.tlsKey | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/deployment/sriov-network-operator/templates/operator.yaml b/deployment/sriov-network-operator/templates/operator.yaml index eb75be182..4de1ab74d 100644 --- a/deployment/sriov-network-operator/templates/operator.yaml +++ b/deployment/sriov-network-operator/templates/operator.yaml @@ -68,8 +68,6 @@ spec: value: {{ .Values.images.webhook }} - name: RESOURCE_PREFIX value: {{ .Values.operator.resourcePrefix }} - - name: ENABLE_ADMISSION_CONTROLLER - value: {{ .Values.operator.enableAdmissionController | quote }} - name: IMAGE_PULL_SECRETS value: {{ join "," .Values.imagePullSecrets }} - name: NAMESPACE 
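Review bot: The two `Secret` objects in the `custom.enabled` branch of certificate.yaml take `tlsKey` straight from chart values, so the webhook private keys live in whatever values file or command line was used and in the release data Helm keeps in the cluster. Nothing checks that the fields are present either: with `custom.enabled: true` and a missing field the render either fails with an opaque template error or produces an empty key. Wrapping each field makes the failure explicit, e.g. `tls.key: {{ required "custom.operator.tlsKey is required when custom.enabled is true" .Values.operator.admissionControllers.certificates.custom.operator.tlsKey | b64enc | quote }}`. The secrets are also typed `Opaque` although they hold `tls.crt`/`tls.key`; `type: kubernetes.io/tls` would let the API server enforce that both keys exist. A short template comment next to `b64enc | b64enc` on `ca.crt` explaining that the second encoding is deliberate (the value is consumed as an env variable) would stop someone "fixing" it later.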
@@ -90,3 +88,26 @@ spec: value: {{ .Values.operator.cniBinPath }} - name: CLUSTER_TYPE value: {{ .Values.operator.clusterType }} + - name: ADMISSION_CONTROLLERS__ENABLED + value: {{ .Values.operator.admissionControllers.enabled | quote }} + {{- if .Values.operator.admissionControllers.enabled }} + - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME + value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME + value: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + {{- if .Values.operator.admissionControllers.certificates.certManager.enabled }} + - name: ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED + value: {{ .Values.operator.admissionControllers.certificates.certManager.enabled | quote }} + {{- else }} + - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT + valueFrom: + secretKeyRef: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} + key: ca.crt + - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT + valueFrom: + secretKeyRef: + name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} + key: ca.crt + {{- end }} + {{- end }} diff --git a/deployment/sriov-network-operator/values.yaml b/deployment/sriov-network-operator/values.yaml index 1bb01bc54..348572dc8 100644 --- a/deployment/sriov-network-operator/values.yaml +++ b/deployment/sriov-network-operator/values.yaml 
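Review bot: The `secretKeyRef` entries for `ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT` and `..._INJECTOR__CA_CRT` in the `else` branch are resolved once, when the container starts, so a rotated `ca.crt` is not seen by the operator until the pod is restarted, and the container does not start at all if the secret or its `ca.crt` key is missing. That deserves a comment above the block, e.g. `# ca.crt is read at pod start; restart the operator after rotating the CA`. Separately, the two `..._SECRET_NAME` values are emitted without `| quote` while the neighbouring boolean values are quoted; `value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator | quote }}` keeps an unusual name from being parsed as a non-string.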
@@ -25,9 +25,56 @@ operator: nameOverride: "" fullnameOverride: "" resourcePrefix: "openshift.io" - enableAdmissionController: false cniBinPath: "/opt/cni/bin" clusterType: "kubernetes" + admissionControllers: + enabled: false + certificates: + secretNames: + operator: "operator-webhook-cert" + injector: "network-resources-injector-cert" + certManager: + # When enabled, makes use of certificates managed by cert-manager. + enabled: false + # When enabled, certificates are generated via cert-manager and then name will match the name of the secrets + # defined above + generateSelfSigned: false + # If not specified, no secret is created and secrets with the names defined above are expected to exist in the + # cluster. In that case, the ca.crt must be base64 encoded twice since it ends up being an env variable. + custom: + enabled: false + # operator: + # caCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsKey: | + # -----BEGIN EC PRIVATE KEY----- + # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= + # ... + # -----END EC PRIVATE KEY----- + # injector: + # caCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsCrt: | + # -----BEGIN CERTIFICATE----- + # MIIMIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G + # ... + # -----END CERTIFICATE----- + # tlsKey: | + # -----BEGIN EC PRIVATE KEY----- + # MHcl4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= + # ... + # -----END EC PRIVATE KEY----- # Image URIs for sriov-network-operator components images: From 2a419f08df330cae23ccd8acb405378d72d69475 Mon Sep 17 00:00:00 2001 
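Review bot: Replacing `operator.enableAdmissionController` with `operator.admissionControllers.enabled` means an existing values file that still sets the old key to `true` is silently ignored and the chart renders `ADMISSION_CONTROLLERS__ENABLED` as `"false"`, so an upgrade quietly turns the admission webhooks off. A guard in one of the templates would make this fail closed, e.g. `{{- if hasKey .Values.operator "enableAdmissionController" }}{{ fail "operator.enableAdmissionController was renamed to operator.admissionControllers.enabled" }}{{- end }}`. The same silent fallback applies to the environment variable renamed in PATCH 02/10, where the Go code reads only the new name. The commented `custom:` example should also state that `tlsKey` is a private key and is better supplied from a file kept out of version control (for instance with `--set-file`) than pasted into values.yaml.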
From: Vasilis Remmas Date: Wed, 20 Dec 2023 21:18:03 +0100 Subject: [PATCH 02/10] Rename ENV variable related to admission controllers This commit changes the ENV variable that turns on the admission controllers to enable bundling of additional webhook related settings via the same prefix like certificate mode, CA etc. This is a cosmetic change. Signed-off-by: Vasilis Remmas --- Makefile | 4 ++-- controllers/sriovoperatorconfig_controller.go | 2 +- controllers/suite_test.go | 2 +- deploy/operator.yaml | 4 ++-- doc/quickstart.md | 4 ++-- hack/env.sh | 2 +- hack/run-e2e-conformance-virtual-cluster.sh | 2 +- hack/run-e2e-conformance-virtual-ocp.sh | 2 +- hack/run-e2e-test-kind.sh | 2 +- hack/virtual-cluster-redeploy.sh | 2 +- main.go | 2 +- 11 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 9a9fb7d57..5a2a3f645 100644 --- a/Makefile +++ b/Makefile @@ -171,7 +171,7 @@ skopeo: fakechroot: if ! which fakechroot; then if [ -f /etc/redhat-release ]; then dnf -y install fakechroot; elif [ -f /etc/lsb-release ]; then sudo apt-get -y update; sudo apt-get -y install fakechroot; fi; fi -deploy-setup: export ENABLE_ADMISSION_CONTROLLER?=false +deploy-setup: export ADMISSION_CONTROLLERS__ENABLED?=false deploy-setup: skopeo install hack/deploy-setup.sh $(NAMESPACE) @@ -215,7 +215,7 @@ test-%: generate vet manifests envtest KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir=/tmp -p path)" HOME="$(shell pwd)" go test ./$*/... -coverprofile cover-$*.out -coverpkg ./... -v # deploy-setup-k8s: export NAMESPACE=sriov-network-operator -# deploy-setup-k8s: export ENABLE_ADMISSION_CONTROLLER=false +# deploy-setup-k8s: export ADMISSION_CONTROLLERS__ENABLED=false # deploy-setup-k8s: export CNI_BIN_PATH=/opt/cni/bin # test-e2e-k8s: test-e2e diff --git a/controllers/sriovoperatorconfig_controller.go b/controllers/sriovoperatorconfig_controller.go index 65727fa2b..d0db4b14f 100644 
--- a/controllers/sriovoperatorconfig_controller.go +++ b/controllers/sriovoperatorconfig_controller.go @@ -69,7 +69,7 @@ func (r *SriovOperatorConfigReconciler) Reconcile(ctx context.Context, req ctrl. logger.Info("Reconciling SriovOperatorConfig") - enableAdmissionController := os.Getenv("ENABLE_ADMISSION_CONTROLLER") == "true" + enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == "true" if !enableAdmissionController { logger.Info("SR-IOV Network Resource Injector and Operator Webhook are disabled.") } diff --git a/controllers/suite_test.go b/controllers/suite_test.go index c3eda1a90..3857556ed 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -145,7 +145,7 @@ var _ = BeforeSuite(func(done Done) { os.Setenv("RESOURCE_PREFIX", "openshift.io") os.Setenv("NAMESPACE", "openshift-sriov-network-operator") - os.Setenv("ENABLE_ADMISSION_CONTROLLER", "true") + os.Setenv("ADMISSION_CONTROLLERS__ENABLED", "true") os.Setenv("SRIOV_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_INFINIBAND_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_DEVICE_PLUGIN_IMAGE", "mock-image") diff --git a/deploy/operator.yaml b/deploy/operator.yaml index c076d4c1a..04f86ba9b 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -66,8 +66,8 @@ spec: value: $SRIOV_NETWORK_WEBHOOK_IMAGE - name: RESOURCE_PREFIX value: $RESOURCE_PREFIX - - name: ENABLE_ADMISSION_CONTROLLER - value: "$ENABLE_ADMISSION_CONTROLLER" + - name: ADMISSION_CONTROLLERS__ENABLED + value: "$ADMISSION_CONTROLLERS__ENABLED" - name: DEV_MODE value: "$DEV_MODE" - name: NAMESPACE diff --git a/doc/quickstart.md b/doc/quickstart.md index bd28a33dd..82e463c9e 100644 --- a/doc/quickstart.md +++ b/doc/quickstart.md 
@@ -38,7 +38,7 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct kubectl create ns sriov-network-operator kubectl -n sriov-network-operator create secret tls operator-webhook-service --cert=cert.pem --key=key.pem kubectl -n sriov-network-operator create secret tls network-resources-injector-secret --cert=cert.pem --key=key.pem - export ENABLE_ADMISSION_CONTROLLER=true + export ADMISSION_CONTROLLERS__ENABLED=true export WEBHOOK_CA_BUNDLE=$(base64 -w 0 < cacert.pem) make deploy-setup-k8s ``` @@ -88,7 +88,7 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct And then deploy the operator: ```bash - export ENABLE_ADMISSION_CONTROLLER=true + export ADMISSION_CONTROLLERS__ENABLED=true make deploy-setup-k8s ``` diff --git a/hack/env.sh b/hack/env.sh index 40828e778..962990997 100755 --- a/hack/env.sh +++ b/hack/env.sh @@ -19,7 +19,7 @@ fi export RELEASE_VERSION=4.7.0 export OPERATOR_NAME=sriov-network-operator export RESOURCE_PREFIX=${RESOURCE_PREFIX:-openshift.io} -export ENABLE_ADMISSION_CONTROLLER=${ENABLE_ADMISSION_CONTROLLER:-"true"} +export ADMISSION_CONTROLLERS__ENABLED=${ADMISSION_CONTROLLERS__ENABLED:-"true"} export CLUSTER_TYPE=${CLUSTER_TYPE:-openshift} export NAMESPACE=${NAMESPACE:-"openshift-sriov-network-operator"} export WEBHOOK_CA_BUNDLE=${WEBHOOK_CA_BUNDLE:-""} diff --git a/hack/run-e2e-conformance-virtual-cluster.sh b/hack/run-e2e-conformance-virtual-cluster.sh index 1dadef5f6..efa249c7c 100755 --- a/hack/run-e2e-conformance-virtual-cluster.sh +++ b/hack/run-e2e-conformance-virtual-cluster.sh @@ -314,7 +314,7 @@ do done -export ENABLE_ADMISSION_CONTROLLER=true +export ADMISSION_CONTROLLERS__ENABLED=true export SKIP_VAR_SET="" export NAMESPACE="sriov-network-operator" export OPERATOR_NAMESPACE="sriov-network-operator" diff --git a/hack/run-e2e-conformance-virtual-ocp.sh b/hack/run-e2e-conformance-virtual-ocp.sh index 076a0aa05..a9344b660 100755 --- a/hack/run-e2e-conformance-virtual-ocp.sh 
+++ b/hack/run-e2e-conformance-virtual-ocp.sh @@ -177,7 +177,7 @@ EOF kubectl patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true,"storage":{"emptyDir": null,"pvc":{"claim":"registry-pv-claim"}},"topologySpreadConstraints":[],"rolloutStrategy":"Recreate","tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]}}' --type=merge -export ENABLE_ADMISSION_CONTROLLER=true +export ADMISSION_CONTROLLERS__ENABLED=true export SKIP_VAR_SET="" export NAMESPACE="openshift-sriov-network-operator" export OPERATOR_NAMESPACE=$NAMESPACE diff --git a/hack/run-e2e-test-kind.sh b/hack/run-e2e-test-kind.sh index def0162a6..53f06c84f 100755 --- a/hack/run-e2e-test-kind.sh +++ b/hack/run-e2e-test-kind.sh @@ -136,7 +136,7 @@ else export TEST_NETNS_PATH="${netns_path}" fi echo "## disabling webhooks" -export ENABLE_ADMISSION_CONTROLLER=false +export ADMISSION_CONTROLLERS__ENABLED=false echo "## deploying SRIOV Network Operator" make --directory "${root}" deploy-setup-k8s echo "## wait for sriov-network-config-daemon to be ready" diff --git a/hack/virtual-cluster-redeploy.sh b/hack/virtual-cluster-redeploy.sh index 87c248e43..6d3d2e96f 100644 --- a/hack/virtual-cluster-redeploy.sh +++ b/hack/virtual-cluster-redeploy.sh @@ -40,7 +40,7 @@ else export SRIOV_NETWORK_WEBHOOK_IMAGE="$controller_ip:5000/sriov-network-operator-webhook:latest" fi -export ENABLE_ADMISSION_CONTROLLER=true +export ADMISSION_CONTROLLERS__ENABLED=true export SKIP_VAR_SET="" export OPERATOR_NAMESPACE=$NAMESPACE export OPERATOR_EXEC=kubectl diff --git a/main.go b/main.go index 04c4ad25f..4af53bc66 100644 --- a/main.go +++ b/main.go 
@@ -261,7 +261,7 @@ func createDefaultOperatorConfig(c client.Client) error { return fmt.Errorf("couldn't get cluster single node status: %s", err) } - enableAdmissionController := os.Getenv("ENABLE_ADMISSION_CONTROLLER") == "true" + enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == "true" config := &sriovnetworkv1.SriovOperatorConfig{ Spec: sriovnetworkv1.SriovOperatorConfigSpec{ EnableInjector: func() *bool { b := enableAdmissionController; return &b }(), From 3e960cbcaed929368593641180f538f471442971 Mon Sep 17 00:00:00 2001 From: Vasilis Remmas Date: Fri, 15 Dec 2023 10:26:18 +0100 Subject: [PATCH 03/10] Use new environment variables in manifest rendering This commit starts to make use of the new ADMISSION_CONTROLLERS__* environment variables when rendering manifests. It also adjusts the logic with which cert-manager related annotation is used. Signed-off-by: Vasilis Remmas --- .../operator-webhook/001-service.yaml | 2 +- .../operator-webhook/003-webhook.yaml | 22 +++++++++++-------- .../manifests/operator-webhook/server.yaml | 2 +- bindata/manifests/webhook/001-service.yaml | 2 +- bindata/manifests/webhook/003-webhook.yaml | 10 +++++---- bindata/manifests/webhook/server.yaml | 2 +- controllers/helper.go | 1 + controllers/sriovoperatorconfig_controller.go | 9 ++++++-- controllers/suite_test.go | 2 ++ 9 files changed, 33 insertions(+), 19 deletions(-) diff --git a/bindata/manifests/operator-webhook/001-service.yaml b/bindata/manifests/operator-webhook/001-service.yaml index 9c2588e6e..a636209e8 100644 --- a/bindata/manifests/operator-webhook/001-service.yaml +++ b/bindata/manifests/operator-webhook/001-service.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{.Namespace}} annotations: {{- if eq .ClusterType "openshift" }} - service.alpha.openshift.io/serving-cert-secret-name: operator-webhook-service + service.alpha.openshift.io/serving-cert-secret-name: {{.OperatorWebhookSecretName}} {{- end }} spec: ports: 
diff --git a/bindata/manifests/operator-webhook/003-webhook.yaml b/bindata/manifests/operator-webhook/003-webhook.yaml index b725e466f..87a18cebc 100644 --- a/bindata/manifests/operator-webhook/003-webhook.yaml +++ b/bindata/manifests/operator-webhook/003-webhook.yaml @@ -6,8 +6,10 @@ metadata: annotations: {{- if eq .ClusterType "openshift" }} service.beta.openshift.io/inject-cabundle: "true" - {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }} - cert-manager.io/inject-ca-from: {{.Namespace}}/operator-webhook-service + {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }} + # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with + # more variables. + cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}} {{- end }} webhooks: - name: operator-webhook.sriovnetwork.openshift.io @@ -19,9 +21,9 @@ webhooks: name: operator-webhook-service namespace: {{.Namespace}} path: "/mutating-custom-resource" - {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }} - caBundle: "{{.CaBundle}}" - {{- end}} + {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }} + caBundle: "{{.OperatorWebhookCA}}" + {{- end }} rules: - operations: [ "CREATE", "UPDATE" ] apiGroups: ["sriovnetwork.openshift.io"] @@ -36,8 +38,10 @@ metadata: annotations: {{- if eq .ClusterType "openshift" }} service.beta.openshift.io/inject-cabundle: "true" - {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }} - cert-manager.io/inject-ca-from: {{.Namespace}}/operator-webhook-service + {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }} + # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with + # more variables. + cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}} {{- end }} webhooks: - name: operator-webhook.sriovnetwork.openshift.io 
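Review bot: With the new condition `and (not .CertManagerEnabled) (eq .ClusterType "kubernetes")` in the `@@ -19,9 +21,9 @@` hunk, `caBundle: "{{.OperatorWebhookCA}}"` is now rendered even when the CA variable is empty, whereas the removed condition only emitted it when `.CaBundle` was set. An empty `caBundle` makes the API server fall back to its system trust roots for the webhook, so calls to a privately signed webhook either fail or are skipped depending on the `failurePolicy`, which is outside these hunks. Consider `{{- if and (not .CertManagerEnabled) (.OperatorWebhookCA) (eq .ClusterType "kubernetes") }}`, or rejecting the empty value in the controller before rendering so the misconfiguration is reported instead of applied. The same pattern appears in the validating configuration hunk (`@@ -49,8 +53,8 @@`) and in bindata/manifests/webhook/003-webhook.yaml with `.InjectorWebhookCA`.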
@@ -49,8 +53,8 @@ webhooks: name: operator-webhook-service namespace: {{.Namespace}} path: "/validating-custom-resource" - {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }} - caBundle: "{{.CaBundle}}" + {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }} + caBundle: "{{.OperatorWebhookCA}}" {{- end }} rules: - operations: [ "CREATE", "UPDATE", "DELETE" ] diff --git a/bindata/manifests/operator-webhook/server.yaml b/bindata/manifests/operator-webhook/server.yaml index 9efe35c99..41cfe6917 100644 --- a/bindata/manifests/operator-webhook/server.yaml +++ b/bindata/manifests/operator-webhook/server.yaml @@ -86,4 +86,4 @@ spec: volumes: - name: tls secret: - secretName: operator-webhook-service + secretName: {{.OperatorWebhookSecretName}} diff --git a/bindata/manifests/webhook/001-service.yaml b/bindata/manifests/webhook/001-service.yaml index a443ec61d..008a47f8a 100644 --- a/bindata/manifests/webhook/001-service.yaml +++ b/bindata/manifests/webhook/001-service.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{.Namespace}} annotations: {{- if eq .ClusterType "openshift" }} - service.alpha.openshift.io/serving-cert-secret-name: network-resources-injector-secret + service.alpha.openshift.io/serving-cert-secret-name: {{.InjectorWebhookSecretName}} {{- end }} spec: ports: diff --git a/bindata/manifests/webhook/003-webhook.yaml b/bindata/manifests/webhook/003-webhook.yaml index bfda77805..557351daf 100644 --- a/bindata/manifests/webhook/003-webhook.yaml +++ b/bindata/manifests/webhook/003-webhook.yaml 
@@ -6,8 +6,10 @@ metadata: annotations: {{- if eq .ClusterType "openshift" }} service.beta.openshift.io/inject-cabundle: "true" - {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }} - cert-manager.io/inject-ca-from: {{.Namespace}}/network-resources-injector-secret + {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }} + # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with + # more variables. + cert-manager.io/inject-ca-from: {{.Namespace}}/{{.InjectorWebhookSecretName}} {{- end }} webhooks: - name: network-resources-injector-config.k8s.io @@ -19,8 +21,8 @@ webhooks: name: network-resources-injector-service namespace: {{.Namespace}} path: "/mutate" - {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }} - caBundle: "{{.CaBundle}}" + {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }} + caBundle: "{{.InjectorWebhookCA}}" {{- end }} rules: - operations: [ "CREATE" ] diff --git a/bindata/manifests/webhook/server.yaml b/bindata/manifests/webhook/server.yaml index 2bf3810a7..bf5739ac7 100644 --- a/bindata/manifests/webhook/server.yaml +++ b/bindata/manifests/webhook/server.yaml @@ -86,4 +86,4 @@ spec: volumes: - name: tls secret: - secretName: network-resources-injector-secret + secretName: {{.InjectorWebhookSecretName}} diff --git a/controllers/helper.go b/controllers/helper.go index 1da3e626f..f36ce44bc 100644 --- a/controllers/helper.go +++ b/controllers/helper.go @@ -36,6 +36,7 @@ const ( mutatingWebhookConfigurationCRDName = "MutatingWebhookConfiguration" validatingWebhookConfigurationCRDName = "ValidatingWebhookConfiguration" machineConfigCRDName = "MachineConfig" + trueString = "true" ) var namespace = os.Getenv("NAMESPACE") diff --git a/controllers/sriovoperatorconfig_controller.go b/controllers/sriovoperatorconfig_controller.go index d0db4b14f..7187cc396 100644 --- a/controllers/sriovoperatorconfig_controller.go 
+++ b/controllers/sriovoperatorconfig_controller.go @@ -20,6 +20,7 @@ import ( "context" "fmt" "os" + "strings" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -69,7 +70,7 @@ func (r *SriovOperatorConfigReconciler) Reconcile(ctx context.Context, req ctrl. logger.Info("Reconciling SriovOperatorConfig") - enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == "true" + enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == trueString if !enableAdmissionController { logger.Info("SR-IOV Network Resource Injector and Operator Webhook are disabled.") } @@ -251,9 +252,13 @@ func (r *SriovOperatorConfigReconciler) syncWebhookObjs(ctx context.Context, dc data.Data["SriovNetworkWebhookImage"] = os.Getenv("SRIOV_NETWORK_WEBHOOK_IMAGE") data.Data["ReleaseVersion"] = os.Getenv("RELEASEVERSION") data.Data["ClusterType"] = utils.ClusterType - data.Data["CaBundle"] = os.Getenv("WEBHOOK_CA_BUNDLE") data.Data["DevMode"] = os.Getenv("DEV_MODE") data.Data["ImagePullSecrets"] = GetImagePullSecrets() + data.Data["CertManagerEnabled"] = strings.ToLower(os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED")) == trueString + data.Data["OperatorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME") + data.Data["OperatorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT") + data.Data["InjectorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME") + data.Data["InjectorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT") data.Data["ExternalControlPlane"] = false if r.OpenshiftContext.IsOpenshiftCluster() { diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 3857556ed..0f9c4d7f3 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go 
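Review bot: In the `@@ -251,9 +252,13 @@` hunk the secret names and CA values are copied from the environment into `data.Data` with no validation, and the templates then interpolate them into the Deployment volume (`secretName:`) and into the cluster-scoped webhook `caBundle`. An unset `..._SECRET_NAME` renders an empty `secretName`, and a CA value that is not valid base64 yields a webhook configuration the API server rejects or cannot use. Checking before rendering would surface this at the source, e.g. `if _, err := base64.StdEncoding.DecodeString(ca); err != nil { return fmt.Errorf("operator webhook CA is not valid base64: %w", err) }` (needs `encoding/base64`, and assumes the function returns an error, since its signature is cut off in the hunk header). `CertManagerEnabled` is also compared case-insensitively via `strings.ToLower`, while `ADMISSION_CONTROLLERS__ENABLED` in the previous hunk is compared exactly against `trueString`; using one comparison for both avoids a value such as `"True"` enabling one setting and not the other. syncWebhookObjs starts and ends outside the hunk.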
@@ -146,6 +146,8 @@ var _ = BeforeSuite(func(done Done) { os.Setenv("RESOURCE_PREFIX", "openshift.io") os.Setenv("NAMESPACE", "openshift-sriov-network-operator") os.Setenv("ADMISSION_CONTROLLERS__ENABLED", "true") + os.Setenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME", "operator-webhook-cert") + os.Setenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME", "network-resources-injector-cert") os.Setenv("SRIOV_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_INFINIBAND_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_DEVICE_PLUGIN_IMAGE", "mock-image") From 3a73855096ba11677341fb2f1235fe8a306d951a Mon Sep 17 00:00:00 2001 From: Vasilis Remmas Date: Fri, 15 Dec 2023 10:29:18 +0100 Subject: [PATCH 04/10] Adjust manifests used for development purposes This commit adjusts the manifests to use the new ADMISSION_CONTROLLERS__* environment variables and also adjusts the relevant documentation files to reflect the new changes. Signed-off-by: Vasilis Remmas --- deploy/operator.yaml | 12 ++++++++++-- doc/quickstart.md | 20 +++++++++++--------- hack/env.sh | 6 +++++- 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 04f86ba9b..81d74fc60 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml 
@@ -88,5 +88,13 @@ spec: value: $CNI_BIN_PATH - name: CLUSTER_TYPE value: $CLUSTER_TYPE - - name: WEBHOOK_CA_BUNDLE - value: "$WEBHOOK_CA_BUNDLE" + - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME + value: $ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME + - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME + value: $ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME + - name: ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED + value: "$ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED" + - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT + value: $ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT + - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT + value: $ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT diff --git a/doc/quickstart.md b/doc/quickstart.md index 82e463c9e..8415468da 100644 --- a/doc/quickstart.md +++ b/doc/quickstart.md @@ -16,7 +16,7 @@ Clone this GitHub repository. go get github.com/k8snetworkplumbingwg/sriov-network-operator ``` -Deploy the operator. +Deploy the operator. If you are running an Openshift cluster: 
@@ -36,10 +36,11 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct For example, given `cacert.pem`, `key.pem` and `cert.pem`: ```bash kubectl create ns sriov-network-operator - kubectl -n sriov-network-operator create secret tls operator-webhook-service --cert=cert.pem --key=key.pem - kubectl -n sriov-network-operator create secret tls network-resources-injector-secret --cert=cert.pem --key=key.pem + kubectl -n sriov-network-operator create secret tls operator-webhook-cert --cert=cert.pem --key=key.pem + kubectl -n sriov-network-operator create secret tls network-resources-injector-cert --cert=cert.pem --key=key.pem export ADMISSION_CONTROLLERS__ENABLED=true - export WEBHOOK_CA_BUNDLE=$(base64 -w 0 < cacert.pem) + export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=$(base64 -w 0 < cacert.pem) + export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=$(base64 -w 0 < cacert.pem) make deploy-setup-k8s ``` @@ -63,10 +64,10 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: operator-webhook-service + name: operator-webhook-cert namespace: sriov-network-operator spec: - secretName: operator-webhook-service + secretName: operator-webhook-cert dnsNames: - operator-webhook-service.sriov-network-operator.svc issuerRef: @@ -75,10 +76,10 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: network-resources-injector-service + name: network-resources-injector-cert namespace: sriov-network-operator spec: - secretName: network-resources-injector-secret + secretName: network-resources-injector-cert dnsNames: - network-resources-injector-service.sriov-network-operator.svc issuerRef: 
@@ -89,6 +90,7 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct And then deploy the operator: ```bash export ADMISSION_CONTROLLERS__ENABLED=true + export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true make deploy-setup-k8s ``` @@ -229,7 +231,7 @@ metadata: name: example-sriovnetwork namespace: sriov-network-operator spec: - ipam: | + ipam: | { "type": "host-local", "subnet": "10.56.217.0/24", diff --git a/hack/env.sh b/hack/env.sh index 962990997..7bbe6a281 100755 --- a/hack/env.sh +++ b/hack/env.sh @@ -22,5 +22,9 @@ export RESOURCE_PREFIX=${RESOURCE_PREFIX:-openshift.io} export ADMISSION_CONTROLLERS__ENABLED=${ADMISSION_CONTROLLERS__ENABLED:-"true"} export CLUSTER_TYPE=${CLUSTER_TYPE:-openshift} export NAMESPACE=${NAMESPACE:-"openshift-sriov-network-operator"} -export WEBHOOK_CA_BUNDLE=${WEBHOOK_CA_BUNDLE:-""} +export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME=${ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME:-"operator-webhook-cert"} +export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME=${ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME:-"network-resources-injector-cert"} +export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=${ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED:-"false"} +export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=${ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT:-""} +export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=${ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT:-""} export DEV_MODE=${DEV_MODE:-"FALSE"} From f840b0dcd624ce957425c96968a03242cf9199df Mon Sep 17 00:00:00 2001 From: Vasilis Remmas Date: Fri, 15 Dec 2023 15:23:17 +0100 Subject: [PATCH 05/10] Use new ENV variables in k8s conformance tests Signed-off-by: Vasilis Remmas --- hack/run-e2e-conformance-virtual-cluster.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/hack/run-e2e-conformance-virtual-cluster.sh b/hack/run-e2e-conformance-virtual-cluster.sh index efa249c7c..ab14e31b2 100755 --- a/hack/run-e2e-conformance-virtual-cluster.sh +++ b/hack/run-e2e-conformance-virtual-cluster.sh @@ -315,6 +315,7 @@ done export ADMISSION_CONTROLLERS__ENABLED=true +export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true export SKIP_VAR_SET="" export NAMESPACE="sriov-network-operator" export OPERATOR_NAMESPACE="sriov-network-operator" @@ -341,7 +342,7 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: network-resources-injector-secret + name: network-resources-injector-cert namespace: ${NAMESPACE} spec: commonName: network-resources-injector-service.svc @@ -351,12 +352,12 @@ spec: issuerRef: kind: Issuer name: selfsigned-issuer - secretName: network-resources-injector-secret + secretName: network-resources-injector-cert --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: operator-webhook-service + name: operator-webhook-cert namespace: ${NAMESPACE} spec: commonName: operator-webhook-service.svc @@ -366,7 +367,7 @@ spec: issuerRef: kind: Issuer name: selfsigned-issuer - secretName: operator-webhook-service + secretName: operator-webhook-cert EOF From 75d4ad2ea87d0c35625028fa6d9b96a0c1a84817 Mon Sep 17 00:00:00 2001 From: Vasilis Remmas Date: Wed, 20 Dec 2023 21:18:33 +0100 Subject: [PATCH 06/10] Replace double underscores with underscores for ENV variables Replace double underscores with underscores of admission controller related ENV variables to address feedback on the PR. 
Signed-off-by: Vasilis Remmas --- Makefile | 4 ++-- controllers/sriovoperatorconfig_controller.go | 12 +++++----- controllers/suite_test.go | 6 ++--- deploy/operator.yaml | 24 +++++++++---------- .../templates/operator.yaml | 12 +++++----- doc/quickstart.md | 10 ++++---- hack/env.sh | 14 ++++++----- hack/run-e2e-conformance-virtual-cluster.sh | 4 ++-- hack/run-e2e-conformance-virtual-ocp.sh | 2 +- hack/run-e2e-test-kind.sh | 2 +- hack/virtual-cluster-redeploy.sh | 2 +- main.go | 2 +- 12 files changed, 48 insertions(+), 46 deletions(-) diff --git a/Makefile b/Makefile index 5a2a3f645..63f2b754d 100644 --- a/Makefile +++ b/Makefile @@ -171,7 +171,7 @@ skopeo: fakechroot: if ! which fakechroot; then if [ -f /etc/redhat-release ]; then dnf -y install fakechroot; elif [ -f /etc/lsb-release ]; then sudo apt-get -y update; sudo apt-get -y install fakechroot; fi; fi -deploy-setup: export ADMISSION_CONTROLLERS__ENABLED?=false +deploy-setup: export ADMISSION_CONTROLLERS_ENABLED?=false deploy-setup: skopeo install hack/deploy-setup.sh $(NAMESPACE) @@ -215,7 +215,7 @@ test-%: generate vet manifests envtest KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir=/tmp -p path)" HOME="$(shell pwd)" go test ./$*/... -coverprofile cover-$*.out -coverpkg ./... -v # deploy-setup-k8s: export NAMESPACE=sriov-network-operator -# deploy-setup-k8s: export ADMISSION_CONTROLLERS__ENABLED=false +# deploy-setup-k8s: export ADMISSION_CONTROLLERS_ENABLED=false # deploy-setup-k8s: export CNI_BIN_PATH=/opt/cni/bin # test-e2e-k8s: test-e2e diff --git a/controllers/sriovoperatorconfig_controller.go b/controllers/sriovoperatorconfig_controller.go index 7187cc396..4c453b6de 100644 --- a/controllers/sriovoperatorconfig_controller.go +++ b/controllers/sriovoperatorconfig_controller.go 
@@ -70,7 +70,7 @@ func (r *SriovOperatorConfigReconciler) Reconcile(ctx context.Context, req ctrl. logger.Info("Reconciling SriovOperatorConfig") - enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == trueString + enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS_ENABLED") == trueString if !enableAdmissionController { logger.Info("SR-IOV Network Resource Injector and Operator Webhook are disabled.") } @@ -254,11 +254,11 @@ func (r *SriovOperatorConfigReconciler) syncWebhookObjs(ctx context.Context, dc data.Data["ClusterType"] = utils.ClusterType data.Data["DevMode"] = os.Getenv("DEV_MODE") data.Data["ImagePullSecrets"] = GetImagePullSecrets() - data.Data["CertManagerEnabled"] = strings.ToLower(os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED")) == trueString - data.Data["OperatorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME") - data.Data["OperatorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT") - data.Data["InjectorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME") - data.Data["InjectorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT") + data.Data["CertManagerEnabled"] = strings.ToLower(os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED")) == trueString + data.Data["OperatorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME") + data.Data["OperatorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT") + data.Data["InjectorWebhookSecretName"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME") + data.Data["InjectorWebhookCA"] = os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT") data.Data["ExternalControlPlane"] = false if r.OpenshiftContext.IsOpenshiftCluster() { 
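Review bot: In controllers/sriovoperatorconfig_controller.go, `ADMISSION_CONTROLLERS_ENABLED` is compared to `trueString` exactly in Reconcile, while `ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED` in the second hunk is lowercased first. A value such as `True` therefore turns cert-manager handling on but leaves both admission webhooks off, with only an Info log to show for it. The same exact comparison is in main.go's createDefaultOperatorConfig. Because objects are then admitted without the webhook's validation, I would parse both flags the same way, e.g. `enableAdmissionController := strings.EqualFold(os.Getenv("ADMISSION_CONTROLLERS_ENABLED"), trueString)`. Reconcile's body continues outside the hunk.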
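Review bot: In syncWebhookObjs the two CA values and the two secret names are copied from the environment into the render data with no check, and hack/env.sh in this same commit defaults both `..._CA_CRT` variables to an empty string. With `CertManagerEnabled` false on a non-OpenShift cluster, an unset CA presumably renders webhook configurations with an empty CA bundle (the templates are not visible here), and that shows up later as TLS failures on admission calls rather than as a clear operator error. I would reject that combination before rendering, with a condition along the lines of `!certManagerEnabled && !r.OpenshiftContext.IsOpenshiftCluster() && (operatorCA == "" || injectorCA == "")`, and return or log an error naming the missing variable. The function starts and ends outside the hunk.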
diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 0f9c4d7f3..4fe8a3eb8 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -145,9 +145,9 @@ var _ = BeforeSuite(func(done Done) { os.Setenv("RESOURCE_PREFIX", "openshift.io") os.Setenv("NAMESPACE", "openshift-sriov-network-operator") - os.Setenv("ADMISSION_CONTROLLERS__ENABLED", "true") - os.Setenv("ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME", "operator-webhook-cert") - os.Setenv("ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME", "network-resources-injector-cert") + os.Setenv("ADMISSION_CONTROLLERS_ENABLED", "true") + os.Setenv("ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME", "operator-webhook-cert") + os.Setenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME", "network-resources-injector-cert") os.Setenv("SRIOV_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_INFINIBAND_CNI_IMAGE", "mock-image") os.Setenv("SRIOV_DEVICE_PLUGIN_IMAGE", "mock-image") diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 81d74fc60..29cdb85d6 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -66,8 +66,8 @@ spec: value: $SRIOV_NETWORK_WEBHOOK_IMAGE - name: RESOURCE_PREFIX value: $RESOURCE_PREFIX - - name: ADMISSION_CONTROLLERS__ENABLED - value: "$ADMISSION_CONTROLLERS__ENABLED" + - name: ADMISSION_CONTROLLERS_ENABLED + value: "$ADMISSION_CONTROLLERS_ENABLED" - name: DEV_MODE value: "$DEV_MODE" - name: NAMESPACE 
@@ -88,13 +88,13 @@ spec: value: $CNI_BIN_PATH - name: CLUSTER_TYPE value: $CLUSTER_TYPE - - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME - value: $ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME - - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME - value: $ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME - - name: ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED - value: "$ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED" - - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT - value: $ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT - - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT - value: $ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + value: $ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + value: $ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + - name: ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED + value: "$ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED" + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT + value: $ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT + value: $ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT diff --git a/deployment/sriov-network-operator/templates/operator.yaml b/deployment/sriov-network-operator/templates/operator.yaml index 4de1ab74d..cadd2e44e 100644 --- a/deployment/sriov-network-operator/templates/operator.yaml +++ b/deployment/sriov-network-operator/templates/operator.yaml 
@@ -88,23 +88,23 @@ spec: value: {{ .Values.operator.cniBinPath }} - name: CLUSTER_TYPE value: {{ .Values.operator.clusterType }} - - name: ADMISSION_CONTROLLERS__ENABLED + - name: ADMISSION_CONTROLLERS_ENABLED value: {{ .Values.operator.admissionControllers.enabled | quote }} {{- if .Values.operator.admissionControllers.enabled }} - - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME value: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} - - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME value: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} {{- if .Values.operator.admissionControllers.certificates.certManager.enabled }} - - name: ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED + - name: ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED value: {{ .Values.operator.admissionControllers.certificates.certManager.enabled | quote }} {{- else }} - - name: ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT valueFrom: secretKeyRef: name: {{ .Values.operator.admissionControllers.certificates.secretNames.operator }} key: ca.crt - - name: ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT valueFrom: secretKeyRef: name: {{ .Values.operator.admissionControllers.certificates.secretNames.injector }} diff --git a/doc/quickstart.md b/doc/quickstart.md index 8415468da..f3f352bb5 100644 --- a/doc/quickstart.md +++ b/doc/quickstart.md 
@@ -38,9 +38,9 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct kubectl create ns sriov-network-operator kubectl -n sriov-network-operator create secret tls operator-webhook-cert --cert=cert.pem --key=key.pem kubectl -n sriov-network-operator create secret tls network-resources-injector-cert --cert=cert.pem --key=key.pem - export ADMISSION_CONTROLLERS__ENABLED=true - export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=$(base64 -w 0 < cacert.pem) - export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=$(base64 -w 0 < cacert.pem) + export ADMISSION_CONTROLLERS_ENABLED=true + export ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT=$(base64 -w 0 < cacert.pem) + export ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT=$(base64 -w 0 < cacert.pem) make deploy-setup-k8s ``` @@ -89,8 +89,8 @@ Webhooks are disabled when deploying on a Kubernetes cluster as per the instruct And then deploy the operator: ```bash - export ADMISSION_CONTROLLERS__ENABLED=true - export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true + export ADMISSION_CONTROLLERS_ENABLED=true + export ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED=true make deploy-setup-k8s ``` diff --git a/hack/env.sh b/hack/env.sh index 7bbe6a281..1dccb157e 100755 --- a/hack/env.sh +++ b/hack/env.sh 
@@ -16,15 +16,17 @@ else [ -z $SRIOV_NETWORK_OPERATOR_IMAGE ] && echo "SRIOV_NETWORK_OPERATOR_IMAGE is empty but SKIP_VAR_SET is set" && exit 1 fi +set -x + export RELEASE_VERSION=4.7.0 export OPERATOR_NAME=sriov-network-operator export RESOURCE_PREFIX=${RESOURCE_PREFIX:-openshift.io} -export ADMISSION_CONTROLLERS__ENABLED=${ADMISSION_CONTROLLERS__ENABLED:-"true"} +export ADMISSION_CONTROLLERS_ENABLED=${ADMISSION_CONTROLLERS_ENABLED:-"true"} export CLUSTER_TYPE=${CLUSTER_TYPE:-openshift} export NAMESPACE=${NAMESPACE:-"openshift-sriov-network-operator"} -export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME=${ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__SECRET_NAME:-"operator-webhook-cert"} -export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME=${ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__SECRET_NAME:-"network-resources-injector-cert"} -export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=${ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED:-"false"} -export ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT=${ADMISSION_CONTROLLERS__CERTIFICATES__OPERATOR__CA_CRT:-""} -export ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT=${ADMISSION_CONTROLLERS__CERTIFICATES__INJECTOR__CA_CRT:-""} +export ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME=${ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME:-"operator-webhook-cert"} +export ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME=${ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME:-"network-resources-injector-cert"} +export ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED=${ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED:-"false"} +export ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT=${ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_CA_CRT:-""} +export ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT=${ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT:-""} export DEV_MODE=${DEV_MODE:-"FALSE"} 
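Review bot: The added `set -x` near the top of hack/env.sh looks like leftover debugging and is not part of the variable rename this commit describes. If the deploy scripts source this file (that is not visible here), xtrace stays enabled in the caller, so every later command is echoed with its expanded arguments, and CI logs can then pick up credentials or tokens handled further down. I would drop the line or make it opt-in, e.g. `if [ -n "${TRACE:-}" ]; then set -x; fi`, where `TRACE` is only an example name.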
diff --git a/hack/run-e2e-conformance-virtual-cluster.sh b/hack/run-e2e-conformance-virtual-cluster.sh index ab14e31b2..8c276fb4e 100755 --- a/hack/run-e2e-conformance-virtual-cluster.sh +++ b/hack/run-e2e-conformance-virtual-cluster.sh @@ -314,8 +314,8 @@ do done -export ADMISSION_CONTROLLERS__ENABLED=true -export ADMISSION_CONTROLLERS__CERTIFICATES__CERT_MANAGER__ENABLED=true +export ADMISSION_CONTROLLERS_ENABLED=true +export ADMISSION_CONTROLLERS_CERTIFICATES_CERT_MANAGER_ENABLED=true export SKIP_VAR_SET="" export NAMESPACE="sriov-network-operator" export OPERATOR_NAMESPACE="sriov-network-operator" diff --git a/hack/run-e2e-conformance-virtual-ocp.sh b/hack/run-e2e-conformance-virtual-ocp.sh index a9344b660..0cd188c19 100755 --- a/hack/run-e2e-conformance-virtual-ocp.sh +++ b/hack/run-e2e-conformance-virtual-ocp.sh @@ -177,7 +177,7 @@ EOF kubectl patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true,"storage":{"emptyDir": null,"pvc":{"claim":"registry-pv-claim"}},"topologySpreadConstraints":[],"rolloutStrategy":"Recreate","tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]}}' --type=merge -export ADMISSION_CONTROLLERS__ENABLED=true +export ADMISSION_CONTROLLERS_ENABLED=true export SKIP_VAR_SET="" export NAMESPACE="openshift-sriov-network-operator" export OPERATOR_NAMESPACE=$NAMESPACE diff --git a/hack/run-e2e-test-kind.sh b/hack/run-e2e-test-kind.sh index 53f06c84f..5cb7750c7 100755 --- a/hack/run-e2e-test-kind.sh +++ b/hack/run-e2e-test-kind.sh @@ -136,7 +136,7 @@ else export TEST_NETNS_PATH="${netns_path}" fi echo "## disabling webhooks" -export ADMISSION_CONTROLLERS__ENABLED=false +export ADMISSION_CONTROLLERS_ENABLED=false echo "## deploying SRIOV Network Operator" make --directory "${root}" deploy-setup-k8s echo "## wait for sriov-network-config-daemon to be ready" 
diff --git a/hack/virtual-cluster-redeploy.sh b/hack/virtual-cluster-redeploy.sh index 6d3d2e96f..0bf1d9d0e 100644 --- a/hack/virtual-cluster-redeploy.sh +++ b/hack/virtual-cluster-redeploy.sh @@ -40,7 +40,7 @@ else export SRIOV_NETWORK_WEBHOOK_IMAGE="$controller_ip:5000/sriov-network-operator-webhook:latest" fi -export ADMISSION_CONTROLLERS__ENABLED=true +export ADMISSION_CONTROLLERS_ENABLED=true export SKIP_VAR_SET="" export OPERATOR_NAMESPACE=$NAMESPACE export OPERATOR_EXEC=kubectl diff --git a/main.go b/main.go index 4af53bc66..7d62af130 100644 --- a/main.go +++ b/main.go @@ -261,7 +261,7 @@ func createDefaultOperatorConfig(c client.Client) error { return fmt.Errorf("couldn't get cluster single node status: %s", err) } - enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS__ENABLED") == "true" + enableAdmissionController := os.Getenv("ADMISSION_CONTROLLERS_ENABLED") == "true" config := &sriovnetworkv1.SriovOperatorConfig{ Spec: sriovnetworkv1.SriovOperatorConfigSpec{ EnableInjector: func() *bool { b := enableAdmissionController; return &b }(), From a6085807913d2518ed4c0e411cf6f7772ab9c0bb Mon Sep 17 00:00:00 2001 From: adrianc Date: Mon, 25 Dec 2023 18:33:55 +0200 Subject: [PATCH 07/10] image build target additions - Add webhook to image build target - use APP_NAME var in image name for consistency Signed-off-by: adrianc --- Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 9a9fb7d57..372b9dfab 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ IMAGE_BUILDER?=docker IMAGE_BUILD_OPTS?= DOCKERFILE?=Dockerfile DOCKERFILE_CONFIG_DAEMON?=Dockerfile.sriov-network-config-daemon +DOCKERFILE_WEBHOOK?=Dockerfile.webhook CRD_BASES=./config/crd/bases 
@@ -21,7 +22,8 @@ export APP_NAME?=sriov-network-operator TARGET=$(TARGET_DIR)/bin/$(APP_NAME) IMAGE_REPO?=ghcr.io/k8snetworkplumbingwg IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME):latest -CONFIG_DAEMON_IMAGE_TAG?=$(IMAGE_REPO)/sriov-network-config-daemon:latest +CONFIG_DAEMON_IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME)-config-daemon:latest +WEBHOOK_IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME)-webhook:latest MAIN_PKG=cmd/manager/main.go export NAMESPACE?=openshift-sriov-network-operator export WATCH_NAMESPACE?=openshift-sriov-network-operator @@ -68,9 +70,10 @@ clean: update-codegen: hack/update-codegen.sh -image: ; $(info Building image...) +image: ; $(info Building images...) $(IMAGE_BUILDER) build -f $(DOCKERFILE) -t $(IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS) $(IMAGE_BUILDER) build -f $(DOCKERFILE_CONFIG_DAEMON) -t $(CONFIG_DAEMON_IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS) + $(IMAGE_BUILDER) build -f $(DOCKERFILE_WEBHOOK) -t $(WEBHOOK_IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS) # Run tests test: generate vet manifests envtest From 3b52103f27a51b6e01f42879b6a6dec78d911f6f Mon Sep 17 00:00:00 2001 From: Andrea Panattoni Date: Tue, 2 Jan 2024 18:33:22 +0100 Subject: [PATCH 08/10] e2e: Print involved devices Show which device is used in every test case. This information is useful when certificating specific device vendor. Signed-off-by: Andrea Panattoni --- test/conformance/tests/test_sriov_operator.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/test/conformance/tests/test_sriov_operator.go b/test/conformance/tests/test_sriov_operator.go index 2102b367f..809a2c1bd 100644 --- a/test/conformance/tests/test_sriov_operator.go +++ b/test/conformance/tests/test_sriov_operator.go 
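Review bot: In the Makefile hunk at `@@ -21,7 +22,8 @@`, `CONFIG_DAEMON_IMAGE_TAG` now defaults to `$(IMAGE_REPO)/$(APP_NAME)-config-daemon:latest`, which with the default `APP_NAME` renames the image from `sriov-network-config-daemon` to `sriov-network-operator-config-daemon`, so this is not a pure substitution. Anything that still pulls the old name keeps running whatever was last pushed there, so the manifests and CI variables that set `SRIOV_NETWORK_CONFIG_DAEMON_IMAGE` should be checked against the new name. Since `APP_NAME` is assigned with `?=`, an environment override now renames the config-daemon and webhook images as well. A comment such as `# image names derive from APP_NAME; overriding it also renames the config-daemon and webhook images` would make that explicit.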
@@ -297,6 +297,7 @@ var _ = Describe("[sriov] operator", func() { WaitForSRIOVStable() sriovDevice, err = sriovInfos.FindOneSriovDevice(node) Expect(err).ToNot(HaveOccurred()) + By("Using device " + sriovDevice.Name + " on node " + node) Eventually(func() int64 { testedNode, err := clients.CoreV1Interface.Nodes().Get(context.Background(), node, metav1.GetOptions{}) @@ -946,6 +947,8 @@ var _ = Describe("[sriov] operator", func() { By("Create first Pod which consumes all available VFs") sriovDevice, err := sriovInfos.FindOneSriovDevice(node) Expect(err).ToNot(HaveOccurred()) + By("Using device " + sriovDevice.Name + " on node " + node) + ipam := ipamIpv6 err = network.CreateSriovNetwork(clients, sriovDevice, sriovNetworkName, namespaces.Test, operatorNamespace, resourceName, ipam) Expect(err).ToNot(HaveOccurred()) @@ -1057,6 +1060,7 @@ var _ = Describe("[sriov] operator", func() { vfioNode, vfioNic = sriovInfos.FindOneVfioSriovDevice() Expect(vfioNode).ToNot(Equal("")) + By("Using device " + vfioNic.Name + " on node " + vfioNode) }) It("Should be possible to create a vfio-pci resource", func() { @@ -1102,6 +1106,7 @@ var _ = Describe("[sriov] operator", func() { } vfioNode, vfioNic = sriovInfos.FindOneVfioSriovDevice() Expect(vfioNode).ToNot(Equal("")) + By("Using device " + vfioNic.Name + " on node " + vfioNode) }) It("Should be possible to partition the pf's vfs", func() { @@ -1201,6 +1206,7 @@ var _ = Describe("[sriov] operator", func() { node := sriovInfos.Nodes[0] intf, err := sriovInfos.FindOneSriovDevice(node) Expect(err).ToNot(HaveOccurred()) + By("Using device " + intf.Name + " on node " + node) _, err = network.CreateSriovPolicy(clients, "test-policy-", operatorNamespace, intf.Name+"#0-1", node, 5, testResourceName, "netdevice", func(policy *sriovv1.SriovNetworkNodePolicy) { policy.Spec.Mtu = newMtu 
@@ -1276,6 +1282,7 @@ var _ = Describe("[sriov] operator", func() { node := sriovInfos.Nodes[0] intf, err := sriovInfos.FindOneSriovDevice(node) Expect(err).ToNot(HaveOccurred()) + By("Using device " + intf.Name + " on node " + node) firstConfig := &sriovv1.SriovNetworkNodePolicy{ ObjectMeta: metav1.ObjectMeta{ @@ -1348,6 +1355,8 @@ var _ = Describe("[sriov] operator", func() { if mainDeviceForNode == nil { Skip("Could not find pf used as gateway") } + By("Using device " + mainDeviceForNode.Name + " on node " + testNode) + createSriovPolicy(mainDeviceForNode.Name, testNode, 2, resourceName) } @@ -1389,6 +1398,9 @@ var _ = Describe("[sriov] operator", func() { Skip(err.Error()) } unusedSriovDevice = unusedSriovDevices[0] + + By("Using device " + unusedSriovDevice.Name + " on node " + testNode) + defer changeNodeInterfaceState(testNode, unusedSriovDevices[0].Name, true) Expect(err).ToNot(HaveOccurred()) createSriovPolicy(unusedSriovDevice.Name, testNode, 2, resourceName) @@ -1477,6 +1489,7 @@ var _ = Describe("[sriov] operator", func() { Skip(err.Error()) } intf = unusedSriovDevices[0] + By("Using device " + intf.Name + " on node " + node) mtuPolicy := &sriovv1.SriovNetworkNodePolicy{ ObjectMeta: metav1.ObjectMeta{ @@ -1603,6 +1616,7 @@ var _ = Describe("[sriov] operator", func() { Expect(err).ToNot(HaveOccurred()) intf = unusedSriovDevices[0] + By("Using device " + intf.Name + " on node " + node) excludeTopologyTrueResourceXXX = &sriovv1.SriovNetworkNodePolicy{ ObjectMeta: metav1.ObjectMeta{ @@ -1900,6 +1914,7 @@ var _ = Describe("[sriov] operator", func() { Skip(err.Error()) } intf = unusedSriovDevices[0] + By("Using device " + intf.Name + " on node " + node) mtuPolicy := &sriovv1.SriovNetworkNodePolicy{ ObjectMeta: metav1.ObjectMeta{ 
@@ -2011,6 +2026,7 @@ var _ = Describe("[sriov] operator", func() { execute.BeforeAll(func() { node, nic = sriovInfos.FindOneVfioSriovDevice() Expect(node).ToNot(Equal("")) + By("Using device " + nic.Name + " on node " + node) }) It("Should not allow to create a policy if there are no vfs configured", func() { From 0f146dc0d8efd44470036ac3a7071889052107c5 Mon Sep 17 00:00:00 2001 From: Andrea Panattoni Date: Fri, 5 Jan 2024 09:14:04 +0100 Subject: [PATCH 09/10] downstream only `ADMISSION_CONTROLLERS_ENABLED` PR [1] changed operator's environment variable `ENABLE_ADMISSION_CONTROLLER` to `ADMISSION_CONTROLLERS_ENABLED`. Also, the following environment variable have been introduced as a replacement of the constants: - `operator-webhook-service` -> `ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME` - `network-resources-injector-secret` -> `ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME` refs: [1] https://github.com/k8snetworkplumbingwg/sriov-network-operator/pull/561 Signed-off-by: Andrea Panattoni --- .../sriov-network-operator.clusterserviceversion.yaml | 8 ++++++-- config/manager/manager.yaml | 6 +++++- .../sriov-network-operator.clusterserviceversion.yaml | 6 +++++- .../sriov-network-operator.clusterserviceversion.yaml | 8 ++++++-- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml b/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml index 1a1262e81..aa2f194fa 100644 --- a/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml +++ b/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml 
@@ -100,7 +100,7 @@ metadata: categories: Networking certified: "false" containerImage: quay.io/openshift/origin-sriov-network-operator:4.15 - createdAt: "2023-11-24T18:31:22Z" + createdAt: "2024-01-04T18:00:12Z" description: An operator for configuring SR-IOV components and initializing SRIOV network devices in Openshift cluster. olm.skipRange: '>=4.3.0-0 <4.15.0' @@ -345,8 +345,12 @@ spec: value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 - name: RESOURCE_PREFIX value: openshift.io - - name: ENABLE_ADMISSION_CONTROLLER + - name: ADMISSION_CONTROLLERS_ENABLED value: "true" + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + value: operator-webhook-service + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + value: network-resources-injector-secret - name: NAMESPACE valueFrom: fieldRef: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 83d0999ed..e935451bc 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -72,8 +72,12 @@ spec: value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 - name: RESOURCE_PREFIX value: openshift.io - - name: ENABLE_ADMISSION_CONTROLLER + - name: ADMISSION_CONTROLLERS_ENABLED value: "true" + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + value: operator-webhook-service + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + value: network-resources-injector-secret - name: NAMESPACE valueFrom: fieldRef: diff --git a/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml b/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml index 7ab6d9d69..cb219e172 100644 --- a/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml 
@@ -127,8 +127,12 @@ spec: value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 - name: RESOURCE_PREFIX value: openshift.io - - name: ENABLE_ADMISSION_CONTROLLER + - name: ADMISSION_CONTROLLERS_ENABLED value: "true" + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + value: operator-webhook-service + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + value: network-resources-injector-secret - name: NAMESPACE valueFrom: fieldRef: diff --git a/manifests/stable/sriov-network-operator.clusterserviceversion.yaml b/manifests/stable/sriov-network-operator.clusterserviceversion.yaml index 1a1262e81..aa2f194fa 100644 --- a/manifests/stable/sriov-network-operator.clusterserviceversion.yaml +++ b/manifests/stable/sriov-network-operator.clusterserviceversion.yaml @@ -100,7 +100,7 @@ metadata: categories: Networking certified: "false" containerImage: quay.io/openshift/origin-sriov-network-operator:4.15 - createdAt: "2023-11-24T18:31:22Z" + createdAt: "2024-01-04T18:00:12Z" description: An operator for configuring SR-IOV components and initializing SRIOV network devices in Openshift cluster. olm.skipRange: '>=4.3.0-0 <4.15.0' @@ -345,8 +345,12 @@ spec: value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 - name: RESOURCE_PREFIX value: openshift.io - - name: ENABLE_ADMISSION_CONTROLLER + - name: ADMISSION_CONTROLLERS_ENABLED value: "true" + - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME + value: operator-webhook-service + - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME + value: network-resources-injector-secret - name: NAMESPACE valueFrom: fieldRef: From c6c97ba6912efa1cf850e9116d6f75b41c63c78b Mon Sep 17 00:00:00 2001 From: Andrea Panattoni Date: Fri, 5 Jan 2024 18:20:15 +0100 Subject: [PATCH 10/10] update version to 4.16 ``` find . -not -path "./vendor*" -type f -print0 | xargs -0 sed -i 's/4\.15/4.16/g' make -f Makefile.bundle bundle ``` 
Signed-off-by: Andrea Panattoni --- Makefile.bundle | 2 +- ...etwork-operator.clusterserviceversion.yaml | 28 +++++++++---------- config/manager/manager.yaml | 16 +++++------ ...etwork-operator.clusterserviceversion.yaml | 24 ++++++++-------- manifests/sriov-network-operator.package.yaml | 2 +- manifests/stable/image-references | 14 +++++----- ...etwork-operator.clusterserviceversion.yaml | 28 +++++++++---------- pkg/version/version.go | 4 +-- 8 files changed, 59 insertions(+), 59 deletions(-) diff --git a/Makefile.bundle b/Makefile.bundle index d94ccfd1c..ee2e5dee7 100644 --- a/Makefile.bundle +++ b/Makefile.bundle @@ -1,6 +1,6 @@ include Makefile # Current Operator version -VERSION ?= 4.15.0 +VERSION ?= 4.16.0 # Default bundle image tag BUNDLE_IMG ?= controller-bundle:$(VERSION) diff --git a/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml b/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml index aa2f194fa..64f334cb6 100644 --- a/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml +++ b/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml @@ -99,11 +99,11 @@ metadata: capabilities: Basic Install categories: Networking certified: "false" - containerImage: quay.io/openshift/origin-sriov-network-operator:4.15 - createdAt: "2024-01-04T18:00:12Z" + containerImage: quay.io/openshift/origin-sriov-network-operator:4.16 + createdAt: "2024-01-05T17:19:10Z" description: An operator for configuring SR-IOV components and initializing SRIOV network devices in Openshift cluster. - olm.skipRange: '>=4.3.0-0 <4.15.0' + olm.skipRange: '>=4.3.0-0 <4.16.0' operatorframework.io/suggested-namespace: openshift-sriov-network-operator operators.openshift.io/infrastructure-features: '["disconnected", "cni"]' operators.operatorframework.io/builder: operator-sdk-v1.31.0 
@@ -114,7 +114,7 @@ metadata: labels: operatorframework.io/arch.amd64: supported operatorframework.io/arch.ppc64le: supported - name: sriov-network-operator.v4.15.0 + name: sriov-network-operator.v4.16.0 namespace: openshift-sriov-network-operator spec: apiservicedefinitions: {} @@ -330,19 +330,19 @@ spec: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - name: SRIOV_CNI_IMAGE - value: quay.io/openshift/origin-sriov-cni:4.15 + value: quay.io/openshift/origin-sriov-cni:4.16 - name: SRIOV_DEVICE_PLUGIN_IMAGE - value: quay.io/openshift/origin-sriov-network-device-plugin:4.15 + value: quay.io/openshift/origin-sriov-network-device-plugin:4.16 - name: NETWORK_RESOURCES_INJECTOR_IMAGE - value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15 + value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16 - name: OPERATOR_NAME value: sriov-network-operator - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE - value: quay.io/openshift/origin-sriov-network-config-daemon:4.15 + value: quay.io/openshift/origin-sriov-network-config-daemon:4.16 - name: SRIOV_NETWORK_WEBHOOK_IMAGE - value: quay.io/openshift/origin-sriov-network-webhook:4.15 + value: quay.io/openshift/origin-sriov-network-webhook:4.16 - name: SRIOV_INFINIBAND_CNI_IMAGE - value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 + value: quay.io/openshift/origin-sriov-infiniband-cni:4.16 - name: RESOURCE_PREFIX value: openshift.io - name: ADMISSION_CONTROLLERS_ENABLED @@ -364,8 +364,8 @@ spec: fieldRef: fieldPath: metadata.name - name: RELEASE_VERSION - value: 4.15.0 - image: quay.io/openshift/origin-sriov-network-operator:4.15 + value: 4.16.0 + image: quay.io/openshift/origin-sriov-network-operator:4.16 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -537,7 +537,7 @@ spec: - sriov labels: olm-owner-enterprise-app: sriov-network-operator - olm-status-descriptors: sriov-network-operator.v4.15.0 + olm-status-descriptors: sriov-network-operator.v4.16.0 links: - name: Source Code url: https://github.com/k8snetworkplumbingwg/sriov-network-operator @@ -546,4 +546,4 @@ spec: name: Red Hat provider: name: Red Hat - version: 4.15.0 + version: 4.16.0 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index e935451bc..1a07fe707 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -33,7 +33,7 @@ spec: operator: Exists containers: - name: sriov-network-operator - image: quay.io/openshift/origin-sriov-network-operator:4.15 + image: quay.io/openshift/origin-sriov-network-operator:4.16 command: - sriov-network-operator args: @@ -57,19 +57,19 @@ spec: fieldRef: fieldPath: metadata.namespace - name: SRIOV_CNI_IMAGE - value: quay.io/openshift/origin-sriov-cni:4.15 + value: quay.io/openshift/origin-sriov-cni:4.16 - name: SRIOV_DEVICE_PLUGIN_IMAGE - value: quay.io/openshift/origin-sriov-network-device-plugin:4.15 + value: quay.io/openshift/origin-sriov-network-device-plugin:4.16 - name: NETWORK_RESOURCES_INJECTOR_IMAGE - value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15 + value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16 - name: OPERATOR_NAME value: sriov-network-operator - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE - value: quay.io/openshift/origin-sriov-network-config-daemon:4.15 + value: quay.io/openshift/origin-sriov-network-config-daemon:4.16 - name: SRIOV_NETWORK_WEBHOOK_IMAGE - value: quay.io/openshift/origin-sriov-network-webhook:4.15 + value: quay.io/openshift/origin-sriov-network-webhook:4.16 - name: SRIOV_INFINIBAND_CNI_IMAGE - value: quay.io/openshift/origin-sriov-infiniband-cni:4.15 + value: quay.io/openshift/origin-sriov-infiniband-cni:4.16 - name: RESOURCE_PREFIX value: openshift.io - name: ADMISSION_CONTROLLERS_ENABLED 
@@ -91,4 +91,4 @@ spec: fieldRef: fieldPath: metadata.name - name: RELEASE_VERSION - value: 4.15.0 + value: 4.16.0 diff --git a/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml b/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml index cb219e172..cb6edcd46 100644 --- a/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml @@ -6,11 +6,11 @@ metadata: capabilities: Basic Install categories: Networking certified: "false" - containerImage: quay.io/openshift/origin-sriov-network-operator:4.15 + containerImage: quay.io/openshift/origin-sriov-network-operator:4.16 createdAt: 2019/04/30 description: An operator for configuring SR-IOV components and initializing SRIOV network devices in Openshift cluster. - olm.skipRange: '>=4.3.0-0 <4.15.0' + olm.skipRange: '>=4.3.0-0 <4.16.0' operatorframework.io/suggested-namespace: openshift-sriov-network-operator operators.openshift.io/infrastructure-features: '["disconnected", "cni"]' repository: https://github.com/k8snetworkplumbingwg/sriov-network-operator 
@@ -112,19 +112,19 @@ spec:
 fieldRef:
 fieldPath: metadata.namespace
 - name: SRIOV_CNI_IMAGE
- value: quay.io/openshift/origin-sriov-cni:4.15
+ value: quay.io/openshift/origin-sriov-cni:4.16
 - name: SRIOV_DEVICE_PLUGIN_IMAGE
- value: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+ value: quay.io/openshift/origin-sriov-network-device-plugin:4.16
 - name: NETWORK_RESOURCES_INJECTOR_IMAGE
- value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+ value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
 - name: OPERATOR_NAME
 value: sriov-network-operator
 - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
- value: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+ value: quay.io/openshift/origin-sriov-network-config-daemon:4.16
 - name: SRIOV_NETWORK_WEBHOOK_IMAGE
- value: quay.io/openshift/origin-sriov-network-webhook:4.15
+ value: quay.io/openshift/origin-sriov-network-webhook:4.16
 - name: SRIOV_INFINIBAND_CNI_IMAGE
- value: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+ value: quay.io/openshift/origin-sriov-infiniband-cni:4.16
 - name: RESOURCE_PREFIX
 value: openshift.io
 - name: ADMISSION_CONTROLLERS_ENABLED
@@ -142,8 +142,8 @@ spec:
 fieldRef:
 fieldPath: metadata.name
 - name: RELEASE_VERSION
- value: 4.15.0
- image: quay.io/openshift/origin-sriov-network-operator:4.15
+ value: 4.16.0
+ image: quay.io/openshift/origin-sriov-network-operator:4.16
 imagePullPolicy: IfNotPresent
 name: sriov-network-operator
 resources: {}
@@ -170,7 +170,7 @@ spec:
 - sriov
 labels:
 olm-owner-enterprise-app: sriov-network-operator
- olm-status-descriptors: sriov-network-operator.v4.15.0
+ olm-status-descriptors: sriov-network-operator.v4.16.0
 links:
 - name: Source Code
 url: https://github.com/k8snetworkplumbingwg/sriov-network-operator
@@ -179,4 +179,4 @@ spec:
 name: Red Hat
 provider:
 name: Red Hat
- version: 4.15.0
+ version: 4.16.0
diff --git a/manifests/sriov-network-operator.package.yaml b/manifests/sriov-network-operator.package.yaml
index c1caa813b..e48f48b69 100644
--- a/manifests/sriov-network-operator.package.yaml
+++ b/manifests/sriov-network-operator.package.yaml
@@ -1,4 +1,4 @@
 packageName: sriov-network-operator
 channels:
 - name: "stable"
- currentCSV: sriov-network-operator.v4.15.0
+ currentCSV: sriov-network-operator.v4.16.0
diff --git a/manifests/stable/image-references b/manifests/stable/image-references
index 98a9d2d2f..3f8095567 100644
--- a/manifests/stable/image-references
+++ b/manifests/stable/image-references
@@ -6,28 +6,28 @@ spec:
 - name: sriov-network-operator
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-network-operator:4.15
+ name: quay.io/openshift/origin-sriov-network-operator:4.16
 - name: sriov-network-config-daemon
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+ name: quay.io/openshift/origin-sriov-network-config-daemon:4.16
 - name: sriov-cni
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-cni:4.15
+ name: quay.io/openshift/origin-sriov-cni:4.16
 - name: sriov-network-device-plugin
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+ name: quay.io/openshift/origin-sriov-network-device-plugin:4.16
 - name: sriov-dp-admission-controller
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+ name: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
 - name: sriov-network-webhook
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-network-webhook:4.15
+ name: quay.io/openshift/origin-sriov-network-webhook:4.16
 - name: sriov-infiniband-cni
 from:
 kind: DockerImage
- name: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+ name: quay.io/openshift/origin-sriov-infiniband-cni:4.16
diff --git a/manifests/stable/sriov-network-operator.clusterserviceversion.yaml b/manifests/stable/sriov-network-operator.clusterserviceversion.yaml index aa2f194fa..64f334cb6 100644 --- a/manifests/stable/sriov-network-operator.clusterserviceversion.yaml +++ b/manifests/stable/sriov-network-operator.clusterserviceversion.yaml @@ -99,11 +99,11 @@ metadata: capabilities: Basic Install categories: Networking certified: "false" - containerImage: quay.io/openshift/origin-sriov-network-operator:4.15 - createdAt: "2024-01-04T18:00:12Z" + containerImage: quay.io/openshift/origin-sriov-network-operator:4.16 + createdAt: "2024-01-05T17:19:10Z" description: An operator for configuring SR-IOV components and initializing SRIOV network devices in Openshift cluster. - olm.skipRange: '>=4.3.0-0 <4.15.0' + olm.skipRange: '>=4.3.0-0 <4.16.0' operatorframework.io/suggested-namespace: openshift-sriov-network-operator operators.openshift.io/infrastructure-features: '["disconnected", "cni"]' operators.operatorframework.io/builder: operator-sdk-v1.31.0 @@ -114,7 +114,7 @@ metadata: labels: operatorframework.io/arch.amd64: supported operatorframework.io/arch.ppc64le: supported - name: sriov-network-operator.v4.15.0 + name: sriov-network-operator.v4.16.0 namespace: openshift-sriov-network-operator spec: apiservicedefinitions: {} 
@@ -330,19 +330,19 @@ spec:
 fieldRef:
 fieldPath: metadata.annotations['olm.targetNamespaces']
 - name: SRIOV_CNI_IMAGE
- value: quay.io/openshift/origin-sriov-cni:4.15
+ value: quay.io/openshift/origin-sriov-cni:4.16
 - name: SRIOV_DEVICE_PLUGIN_IMAGE
- value: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+ value: quay.io/openshift/origin-sriov-network-device-plugin:4.16
 - name: NETWORK_RESOURCES_INJECTOR_IMAGE
- value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+ value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
 - name: OPERATOR_NAME
 value: sriov-network-operator
 - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
- value: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+ value: quay.io/openshift/origin-sriov-network-config-daemon:4.16
 - name: SRIOV_NETWORK_WEBHOOK_IMAGE
- value: quay.io/openshift/origin-sriov-network-webhook:4.15
+ value: quay.io/openshift/origin-sriov-network-webhook:4.16
 - name: SRIOV_INFINIBAND_CNI_IMAGE
- value: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+ value: quay.io/openshift/origin-sriov-infiniband-cni:4.16
 - name: RESOURCE_PREFIX
 value: openshift.io
 - name: ADMISSION_CONTROLLERS_ENABLED
@@ -364,8 +364,8 @@ spec:
 fieldRef:
 fieldPath: metadata.name
 - name: RELEASE_VERSION
- value: 4.15.0
- image: quay.io/openshift/origin-sriov-network-operator:4.15
+ value: 4.16.0
+ image: quay.io/openshift/origin-sriov-network-operator:4.16
 imagePullPolicy: IfNotPresent
 livenessProbe:
 httpGet:
@@ -537,7 +537,7 @@ spec:
 - sriov
 labels:
 olm-owner-enterprise-app: sriov-network-operator
- olm-status-descriptors: sriov-network-operator.v4.15.0
+ olm-status-descriptors: sriov-network-operator.v4.16.0
 links:
 - name: Source Code
 url: https://github.com/k8snetworkplumbingwg/sriov-network-operator
@@ -546,4 +546,4 @@ spec:
 name: Red Hat
 provider:
 name: Red Hat
- version: 4.15.0
+ version: 4.16.0
diff --git a/pkg/version/version.go b/pkg/version/version.go
index cbdb5bf5a..00df1b2bb 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -10,10 +10,10 @@ import (
 var (
 // Raw is the string representation of the version. This will be replaced
 // with the calculated version at build time.
- Raw = "v4.15.0"
+ Raw = "v4.16.0"
 // Version is semver representation of the version.
- Version = semver.MustParse("4.15.0")
+ Version = semver.MustParse("4.16.0")
 // String is the human-friendly representation of the version.
 String = fmt.Sprintf("SriovNetworkConfigOperator %s", Raw)