Fix Operator RBAC

README.md

@@ -99,3 +99,30 @@ $ go run main.go
 ```sh
 $ go test -v ./...
 ```
+
+**Building custom `CatalogSource`**:
+
+1. Build and push the Quay Operator container:
+
+```sh
+$ docker build -t quay.io/<namespace>/quay-operator:dev .
+$ docker push quay.io/<namespace>/quay-operator:dev
+```
+
+2. Replace the `image` field in `deploy/manifests/quay-operator/0.0.1/quay-operator.clusterserviceversion.yaml` with the image above.
+
+3. Build and push the Quay Operator `CatalogSource` container:
+
+```sh
+$ cd deploy
+$ docker build -t quay.io/<namespace>/quay-operator-catalog:dev .
+$ docker push quay.io/<namespace>/quay-operator-catalog:dev
+```
+
+4. Replace the `spec.image` field in `deploy/quay-operator.catalogsource.yaml` with the image above.
+
+5. Create the custom `CatalogSource`:
+
+```sh
+$ kubectl create -n openshift-marketplace -f ./deploy/quay-operator.catalogsource.yaml
+```

deploy/manifests/quay-operator/0.0.1/quay-operator.clusterserviceversion.yaml

@@ -4,7 +4,7 @@ metadata:
   annotations:
     capabilities: Full Lifecycle
     categories: Integration & Delivery
-    containerImage: quay.io/projectquay/quay-operator@sha256:a80a19cdf70e37a0c4e4a1ee0434098cceaaddf43825d2c6d9b202300531b74f
+    containerImage: quay.io/projectquay/quay-operator@sha256:4f88b7231dcac284893e7c6371ee631fccf592b553d0df76e624068bc9bb7553
     createdAt: 2020-08-24 00:00:00
     description: Opinionated deployment of Quay on Kubernetes.
     repository: https://github.com/quay/quay-operator
@@ -23,7 +23,9 @@ metadata:
               {"kind": "clair", "managed": true},
               {"kind": "postgres", "managed": true},
               {"kind": "objectstorage", "managed": true},
-              {"kind": "redis", "managed": true}
+              {"kind": "redis", "managed": true},
+              {"kind": "horizontalpodautoscaler", "managed": true},
+              {"kind": "route", "managed": true}
             ]
           }
         }
@@ -49,6 +51,7 @@ spec:
         - kind: Route
         - kind: Role
         - kind: Rolebinding
+        - kind: HorizontalPodAutoscaler
       specDescriptors:
         - path: configBundleSecret
           displayName: Config Bundle Secret
@@ -107,9 +110,18 @@ spec:
                   valueFrom:
                     fieldRef:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
-                image: quay.io/projectquay/quay-operator@sha256:a80a19cdf70e37a0c4e4a1ee0434098cceaaddf43825d2c6d9b202300531b74f
+                image: quay.io/projectquay/quay-operator@sha256:4f88b7231dcac284893e7c6371ee631fccf592b553d0df76e624068bc9bb7553
                 name: quay-operator
+                # FIXME(alecmerdler): Kustomize panics because of the extra "magic" `..data/` directories that k8s adds to mounted volumes...
+                # volumeMounts:
+                # - mountPath: /workspace/kustomize/overlays/upstream/dev
+                #   name: quay-dev-kustomize
               serviceAccountName: quay-operator
+              # volumes:
+              # - name: quay-dev-kustomize
+              #   configMap:
+              #     name: quay-dev-kustomize
+              #     optional: true
       permissions:
       - rules:
         - apiGroups:
@@ -149,6 +161,12 @@ spec:
           - routes
           verbs:
           - '*'
+        - apiGroups:
+          - autoscaling
+          resources:
+          - horizontalpodautoscalers
+          verbs:
+          - '*'
         - apiGroups:
           - objectbucket.io
           resources:

deploy/quay-operator.catalogsource.yaml

@@ -4,4 +4,4 @@ metadata:
   name: quay-operator
 spec:
   sourceType: grpc
-  image: quay.io/projectquay/quay-operator-catalog@sha256:d1aa83948a404616aef974e902e66086e140a2898b464b372bc0a1db6013c2f9
+  image: quay.io/projectquay/quay-operator-catalog@sha256:217e9e6acbc7bf0a66796070f352b25aea2a2a7696ce6c478e4454298f6d280d

kustomize/base/config.deployment.yaml

@@ -23,7 +23,7 @@ spec:
             name: cluster-service-ca
       containers:
         - name: quay-config-editor
-          image: quay.io/projectquay/config-tool@sha256:9aeff823414c93c3129eb98132affda14adce1d60af23b9e23ce481327591eaf
+          image: quay.io/projectquay/config-tool
           ports:
             - containerPort: 8080
               protocol: TCP

kustomize/base/quay.deployment.yaml

@@ -61,7 +61,7 @@ spec:
               command:
                 - curl
                 - '-k'
-                - 'https://localhost:8080/health/instance'
+                - 'https://localhost:8443/health/instance'
             initialDelaySeconds: 30
             timeoutSeconds: 20
             periodSeconds: 15

kustomize/base/upgrade.deployment.yaml

@@ -59,7 +59,7 @@ spec:
               command:
                 - curl
                 - '-k'
-                - 'http://localhost:8080/health/instance'
+                - 'https://localhost:8443/health/instance'
             initialDelaySeconds: 30
             timeoutSeconds: 20
             periodSeconds: 15

kustomize/components/objectstorage/quay-datastore.noobaa.yaml

@@ -6,9 +6,9 @@ metadata:
 spec:
  dbResources:
    requests:
-     cpu: 0.1
+     cpu: '0.1'
      memory: 1Gi
  coreResources:
    requests:
-     cpu: 0.1
+     cpu: '0.1'
      memory: 1Gi

kustomize/overlays/upstream/vader/kustomization.yaml

@@ -7,6 +7,9 @@ bases:
   - ../../../tmp
 images:
   - name: quay.io/projectquay/quay
+    # newTag: vader
+    digest: sha256:b05c0c8b419396307a54bef0b25fa51ea0e7b034e4c676f4cbdf48b7b2739e5b
+  - name: quay.io/projectquay/config-tool
     newTag: vader
   - name: quay.io/projectquay/clair
     # newTag: vader

kustomize/overlays/upstream/vader/upgrade/kustomization.yaml

@@ -11,6 +11,10 @@ patchesStrategicMerge:
   - ./upgrade.deployment.patch.yaml
 images:
   - name: quay.io/projectquay/quay
+    # newTag: vader
+    digest: sha256:b05c0c8b419396307a54bef0b25fa51ea0e7b034e4c676f4cbdf48b7b2739e5b
+  - name: quay.io/projectquay/config-tool
     newTag: vader
   - name: quay.io/projectquay/clair
-    newTag: vader
+    # newTag: vader
+    newTag: 4.0.0-rc.3

pkg/kustomize/secrets.go

@@ -204,14 +204,26 @@ func BaseConfig() map[string]interface{} {
 }
 
 // CustomTLSFor generates a TLS certificate/key pair for the Quay registry to use for secure communication with clients.
+// In addition to `SERVER_HOSTNAME`, it sets certificate subject alternative names
+// for the internal k8s service hostnames (i.e. `registry-quay-app.quay-enterprise.svc`).
 func CustomTLSFor(quay *v1.QuayRegistry, baseConfig map[string]interface{}) ([]byte, []byte, error) {
 	routeConfigFiles := configFilesFor("route", quay, baseConfig)
 	var fieldGroup hostsettings.HostSettingsFieldGroup
 	if err := yaml.Unmarshal(routeConfigFiles["route.config.yaml"], &fieldGroup); err != nil {
 		return nil, nil, err
 	}
 
-	return cert.GenerateSelfSignedCertKey(fieldGroup.ServerHostname, []net.IP{}, []string{})
+	svc := quay.GetName() + "-quay-app"
+
+	return cert.GenerateSelfSignedCertKey(
+		fieldGroup.ServerHostname,
+		[]net.IP{},
+		[]string{
+			svc,
+			strings.Join([]string{svc, quay.GetNamespace(), "svc"}, "."),
+			strings.Join([]string{svc, quay.GetNamespace(), "svc", "cluster", "local"}, "."),
+		},
+	)
 }
 
 func configFilesFor(component string, quay *v1.QuayRegistry, baseConfig map[string]interface{}) map[string][]byte {