diff --git a/Makefile b/Makefile
index 8d107a3c4bf..2ec6dce4fe4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,8 @@
+PUBLIC_REPO=mcr.microsoft.com/k8s/azureserviceoperator
+PLACEHOLDER_IMAGE=controller:latest
+
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= $(PLACEHOLDER_IMAGE)
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -175,11 +178,11 @@ validate-cainjection-files:
 # Generate manifests for helm and package them up
 .PHONY: helm-chart-manifests
-helm-chart-manifests: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest | jq .tag_name | sed 's/"//g')
+helm-chart-manifests: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest | jq '.tag_name' --raw-output )
 helm-chart-manifests: generate
 @echo "Latest released tag is $(LATEST_TAG)"
 # substitute released tag into values file.
- perl -pi -e 's,repository: mcr.microsoft.com/k8s/azureserviceoperator:\K.*,$(LATEST_TAG),' ./charts/azure-service-operator/values.yaml
+ perl -pi -e 's,repository: $(PUBLIC_REPO):\K.*,$(LATEST_TAG),' ./charts/azure-service-operator/values.yaml
 # remove generated files
 rm -rf charts/azure-service-operator/templates/generated/
 rm -rf charts/azure-service-operator/crds
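Review bot: `LATEST_TAG` in the `helm-chart-manifests` target comes from an unauthenticated `curl -sL` against the GitHub API with no failure handling, so on a rate-limit (HTTP 403 JSON body) or network error `jq -r '.tag_name'` prints `null` or nothing and the `perl -pi` line then writes that value into `values.yaml` as the chart's image tag. Add `-f` so curl exits non-zero on HTTP errors, and guard the recipe before the substitution: `@test -n "$(LATEST_TAG)" && test "$(LATEST_TAG)" != null || { echo "could not resolve latest release tag" >&2; exit 1; }`. Because the tag is fetched from a remote service on every run, it would also help to let callers pin it explicitly on the command line for release builds instead of trusting whatever the API returns at that moment.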
@@ -339,12 +342,16 @@ else
 chmod +x operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu && sudo mkdir -p /usr/local/bin/ && sudo cp operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu /usr/local/bin/operator-sdk && rm operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu
 endif
-# Current operator version
-VERSION ?= 0.37.0
-
+.PHONY: generate-operator-bundle
+generate-operator-bundle: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest | jq '.tag_name' --raw-output )
 generate-operator-bundle: manifests
- kustomize build config/manifests | operator-sdk generate bundle --version $(VERSION) --channels stable --default-channel stable --overwrite
+ rm -r bundle
+ @echo "Latest released tag is $(LATEST_TAG)"
+ kustomize build config/operator-bundle | operator-sdk generate bundle --version $(LATEST_TAG) --channels stable --default-channel stable --overwrite --kustomize-dir config/operator-bundle
 # This is only needed until CRD conversion support is released in OpenShift 4.6.x/Operator Lifecycle Manager 0.16.x
 scripts/add-openshift-cert-handling.sh
- # Rather than modify config/rbac manifests, replace CSV's default serviceAccount with azure-service-operator
- sed -i 's/serviceAccountName: default/serviceAccountName: azure-service-operator/g' bundle/manifests/azure-service-operator.clusterserviceversion.yaml
+ # Inject the container reference into the bundle.
+ scripts/inject-container-reference.sh "$(PUBLIC_REPO)@$(LATEST_TAG)"
+ # Rename files so they're easy to add to the community-operators repo for a PR
+ mv bundle/manifests bundle/$(LATEST_TAG)
+ mv bundle/$(LATEST_TAG)/azure-service-operator.clusterserviceversion.yaml bundle/$(LATEST_TAG)/azure-service-operator.v$(LATEST_TAG).clusterserviceversion.yaml
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
deleted file mode 100644
index ec2c16556ed..00000000000
--- a/config/manifests/kustomization.yaml
+++ /dev/null
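Review bot: `scripts/inject-container-reference.sh "$(PUBLIC_REPO)@$(LATEST_TAG)"` builds a reference with the digest separator `@`, but `LATEST_TAG` is a GitHub release tag name, not a `sha256:<hex>` digest, so the resulting `mcr.microsoft.com/k8s/azureserviceoperator@<tag>` is not a valid image reference and a container runtime will reject the CSV's deployment. Either pass a tag reference, `$(PUBLIC_REPO):$(LATEST_TAG)`, consistent with what `helm-chart-manifests` writes into `values.yaml`, or resolve the manifest digest of that tag and pass `$(PUBLIC_REPO)@sha256:…`, which is what the script's own comment ("with the SHA one") describes and what gives the bundle an immutable, supply-chain-pinned image. `rm -r bundle` also fails the target on a fresh checkout where `bundle/` does not yet exist; `rm -rf bundle` is the intended behaviour. As in the helm target, `LATEST_TAG` is used unvalidated; a `null` or empty value would make `mv bundle/manifests bundle/$(LATEST_TAG)` produce a mis-named directory rather than fail.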
@@ -1,3 +0,0 @@
-resources:
-- ../default
-- ../samples
diff --git a/config/manifests/bases/azure-service-operator.clusterserviceversion.yaml b/config/operator-bundle/bases/azure-service-operator.clusterserviceversion.yaml
similarity index 58%
rename from config/manifests/bases/azure-service-operator.clusterserviceversion.yaml
rename to config/operator-bundle/bases/azure-service-operator.clusterserviceversion.yaml
index 863b3622a26..5df6ad45432 100644
--- a/config/manifests/bases/azure-service-operator.clusterserviceversion.yaml
+++ b/config/operator-bundle/bases/azure-service-operator.clusterserviceversion.yaml
@@ -165,6 +165,14 @@ spec:
 kind: KeyVault
 name: keyvaults.azure.microsoft.com
 version: v1alpha1
+ - description: Add an AAD user to an existing MySQL database.
+ kind: MySQLAADUser
+ name: mysqlaadusers.azure.microsoft.com
+ version: v1alpha2
+ - description: Add an AAD user to an existing MySQL database.
+ kind: MySQLAADUser
+ name: mysqlaadusers.azure.microsoft.com
+ version: v1alpha1
 - description: Deploys a database under the given Azure Database for MySQL server
 displayName: MySQLDatabase
 kind: MySQLDatabase
@@ -175,6 +183,10 @@ spec:
 kind: MySQLFirewallRule
 name: mysqlfirewallrules.azure.microsoft.com
 version: v1alpha1
+ - description: Create an AAD-based admininistrative user in a MySQL server.
+ kind: MySQLServerAdministrator
+ name: mysqlserveradministrators.azure.microsoft.com
+ version: v1alpha1
 - description: Deploys an Azure Database for MySQL server given the Location, Resource Group and other properties. Also helps creating read replicas for MySQL server.
 displayName: MySQLServer
 kind: MySQLServer
@@ -185,6 +197,10 @@ spec:
 kind: MySQLServer
 name: mysqlservers.azure.microsoft.com
 version: v1alpha1
+ - description: Add a new user to an existing MySQL database.
+ kind: MySQLUser
+ name: mysqlusers.azure.microsoft.com
+ version: v1alpha2
 - description: Add a new user to an existing MySQL database.
 displayName: MySQLUser
 kind: MySQLUser
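Review bot: The new owned-CRD entries omit `displayName` while every neighbouring entry (`MySQLDatabase`, `MySQLServer`, `MySQLUser` v1alpha1) carries one, so OperatorHub will show the raw kind for `MySQLAADUser`, `MySQLServerAdministrator` and `MySQLUser` v1alpha2; add `displayName: MySQLAADUser`, `displayName: MySQLServerAdministrator` and `displayName: MySQLUser` respectively. The `MySQLServerAdministrator` description also has a typo, `admininistrative` should read `administrative`.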
@@ -255,7 +271,160 @@ spec: kind: VirtualNetwork name: virtualnetworks.azure.microsoft.com version: v1alpha1 - description: "## Overview\n\nThe Azure Service Operator comprises of:\n\n- The Custom Resource Definitions (CRDs) for each of the Azure services a Kubernetes user can provision.\n- The Kubernetes controller that watches for requests to create Custom Resources for each of these CRDs and creates them.\n\nThe project was built using [Kubebuilder](https://book.kubebuilder.io/).\n\nCurious to see how it all works? Check out our [control flow diagrams](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/controlflow.md).\n\n**Note**: The current version of Azure Service Operator only supports watching all namespaces in the cluster.\n\n## Supported Azure Services\n\n- [Resource Group](https://github.com/Azure/azure-service-operator/tree/master/docs/services/resourcegroup/resourcegroup.md)\n- [Event Hubs](https://github.com/Azure/azure-service-operator/tree/master/docs/services/eventhub/eventhub.md)\n- [Azure SQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/azuresql/azuresql.md)\n- [Azure Database for PostgreSQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/postgresql/postgresql.md)\n- [Azure Database for MySQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/mysql/mysql.md)\n- [Azure Key Vault](https://github.com/Azure/azure-service-operator/tree/master/docs/services/keyvault/keyvault.md)\n- [Azure Cache for Redis](https://github.com/Azure/azure-service-operator/tree/master/docs/services/rediscache/rediscache.md)\n- [Storage Account](https://github.com/Azure/azure-service-operator/tree/master/docs/services/storage/storageaccount.md)\n- [Blob Storage](https://github.com/Azure/azure-service-operator/tree/master/docs/services/storage/blobcontainer.md)\n- [Virtual 
Network](https://github.com/Azure/azure-service-operator/tree/master/docs/services/virtualnetwork/virtualnetwork.md)\n- [Application Insights](https://github.com/Azure/azure-service-operator/tree/master/docs/services/appinsights/appinsights.md)\n- [API Management](https://github.com/Azure/azure-service-operator/tree/master/docs/services/apimgmt/apimgmt.md)\n- [Cosmos DB](https://github.com/Azure/azure-service-operator/tree/master/docs/services/cosmosdb/cosmosdb.md)\n- [Virtual Machine](https://github.com/Azure/azure-service-operator/tree/master/docs/services/virtualmachine/virtualmachine.md)\n- [Virtual Machine Scale Set](https://github.com/Azure/azure-service-operator/tree/master/docs/services/vmscaleset/vmscaleset.md)\n\n## Quickstart\n\nBefore you begin, verify you're running the Azure CLI version 2.0.53 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).\n\n1. Create an Azure Service Principal. You'll need this to grant Azure Service Operator permissions to create resources in your subscription.\n\n First, set the following environment variables to your Azure Tenant ID and Subscription ID with your values:\n ```yaml\n AZURE_TENANT_ID=\n AZURE_SUBSCRIPTION_ID=\n ```\n\n You can find these values by using the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest):\n ```sh\n az account show\n ```\n\n2. Next, we'll create a Service Principal with Contributor permissions for your subscription, so ASO can create resources in your subscription on your behalf. Note that the [ServicePrincipal](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli) you pass to the command below needs to have access to create resources in your subscription. 
If you'd like to use Managed Identity for authorization instead, check out instructions [here](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/managedidentity.md).\n\n ```sh\n az ad sp create-for-rbac -n \"azure-service-operator\" --role contributor \\\n --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID\n ```\n\n This should give you output like the following:\n ```sh\n \"appId\": \"xxxxxxxxxx\",\n \"displayName\": \"azure-service-operator\",\n \"name\": \"http://azure-service-operator\",\n \"password\": \"xxxxxxxxxxx\",\n \"tenant\": \"xxxxxxxxxxxxx\"\n ```\n\n3. Once you have created a Service Principal, gather the following values:\n \n `AZURE_TENANT_ID` is the Tenant ID from Step 1. \n\n `AZURE_SUBSCRIPTION_ID` is the Subscription ID from Step 1. \n\n `AZURE_CLIENT_ID` is the appID from the Service Principal created in Step 2. \n\n `AZURE_CLIENT_SECRET` is the password from the service Principal we created in Step 2. \n\n `AZURE_CLOUD_ENV` is the Azure Environment you'd like to use, i.e. AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. \n\n4. Set those values in a `Secret` called `azureoperatorsettings` within the `openshift-operators` Project/Namespace:\n ```yaml\n apiVersion: v1\n kind: Secret\n metadata:\n name: azureoperatorsettings\n namespace: openshift-operators\n data:\n AZURE_TENANT_ID=\n AZURE_SUBSCRIPTION_ID:\n AZURE_CLIENT_ID=\n AZURE_CLIENT_SECRET=\n AZURE_CLOUD_ENV=\n ```\n\n5. Install the Azure Service Operator to the `openshift-operators` Project/Namespace. 
You should now see the Azure Service Operator pod running in your cluster:\n\n ```console\n $ kubectl get pods -n openshift-operators\n NAME READY STATUS RESTARTS AGE\n azureoperator-controller-manager-7dd75bbd97-mk4s9 2/2 Running 0 35s\n ```\n\n## About the project\n\nThis project maintains [releases of the Azure Service Operator](https://github.com/Azure/azure-service-operator/releases).\n\nPlease see the [FAQ](https://github.com/Azure/azure-service-operator/blob/master/docs/faq.md) for answers to commonly asked questions about the Azure Service Operator.\n\nHave more questions? Feel free to consult our documentation [here](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/contents.md).\n\n## Contributing\n\nThe [contribution guide](https://github.com/Azure/azure-service-operator/blob/master/CONTRIBUTING.md) covers everything you need to know about how you can contribute to Azure Service Operators. The [developer guide](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/contents.md#developing-azure-service-operator) will help you onboard as a developer.\n\n## Support\n\nAzure Service Operator is an open source project that is **not** covered by the [Microsoft Azure support policy](https://support.microsoft.com/en-us/help/2941892/support-for-linux-and-open-source-technology-in-azure). Please search open issues [here](https://github.com/Azure/azure-service-operator/issues). If your issue isn't already represented, please [open a new one](https://github.com/Azure/azure-service-operator/issues/new/choose). The Azure Service Operator project maintainers will respond to the best of their abilities.\n\n## Code of conduct\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n" + description: | + ## Overview + + The Azure Service Operator comprises of: + + - The Custom Resource Definitions (CRDs) for each of the Azure services a Kubernetes user can provision. + - The Kubernetes controller that watches for requests to create Custom Resources for each of these CRDs and creates them. + + The project was built using [Kubebuilder](https://book.kubebuilder.io/). + + Curious to see how it all works? Check out our [control flow diagrams](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/controlflow.md). + + **Note**: The current version of Azure Service Operator only supports watching all namespaces in the cluster. + + ## Supported Azure Services + + - [Resource Group](https://github.com/Azure/azure-service-operator/tree/master/docs/services/resourcegroup/resourcegroup.md) + - [Event Hubs](https://github.com/Azure/azure-service-operator/tree/master/docs/services/eventhub/eventhub.md) + - [Azure SQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/azuresql/azuresql.md) + - [Azure Database for PostgreSQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/postgresql/postgresql.md) + - [Azure Database for MySQL](https://github.com/Azure/azure-service-operator/tree/master/docs/services/mysql/mysql.md) + - [Azure Key Vault](https://github.com/Azure/azure-service-operator/tree/master/docs/services/keyvault/keyvault.md) + - [Azure Cache for Redis](https://github.com/Azure/azure-service-operator/tree/master/docs/services/rediscache/rediscache.md) + - [Storage Account](https://github.com/Azure/azure-service-operator/tree/master/docs/services/storage/storageaccount.md) + - [Blob 
Storage](https://github.com/Azure/azure-service-operator/tree/master/docs/services/storage/blobcontainer.md) + - [Virtual Network](https://github.com/Azure/azure-service-operator/tree/master/docs/services/virtualnetwork/virtualnetwork.md) + - [Application Insights](https://github.com/Azure/azure-service-operator/tree/master/docs/services/appinsights/appinsights.md) + - [API Management](https://github.com/Azure/azure-service-operator/tree/master/docs/services/apimgmt/apimgmt.md) + - [Cosmos DB](https://github.com/Azure/azure-service-operator/tree/master/docs/services/cosmosdb/cosmosdb.md) + - [Virtual Machine](https://github.com/Azure/azure-service-operator/tree/master/docs/services/virtualmachine/virtualmachine.md) + - [Virtual Machine Scale Set](https://github.com/Azure/azure-service-operator/tree/master/docs/services/vmscaleset/vmscaleset.md) + + ## Instructions - Please read before installing + + Before you begin, verify you're running the Azure CLI version 2.0.53 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli). + + 1. Azure Service Operator requires self-signed certificates for CRD Conversion Webhooks. We can generate these self-signed certificates by installing the [cert-manager](https://cert-manager.io/docs/installation/kubernetes/) project into our cluster by running the following command: + ```sh + kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml + ``` + You can use the below command to check if the cert-manager pods are ready. The cert-manager pods should be running before proceeding to the next step. + ```sh + kubectl rollout status -n cert-manager deploy/cert-manager-webhook + ``` + + 2. 
After cert-manager has been successfully installed, create the `Issuer` and `Certificate` cert-manager resources: + + ```yaml + apiVersion: cert-manager.io/v1alpha2 + kind: Issuer + metadata: + name: azureoperator-selfsigned-issuer + namespace: operators + spec: + selfSigned: {} + --- + apiVersion: cert-manager.io/v1alpha2 + kind: Certificate + metadata: + name: azureoperator-serving-cert + namespace: operators + spec: + dnsNames: + - azureoperator-webhook-service.operators.svc + - azureoperator-webhook-service.operators.svc.cluster.local + issuerRef: + kind: Issuer + name: azureoperator-selfsigned-issuer + secretName: webhook-server-cert + ``` + 3. Create an Azure Service Principal. You'll need this to grant Azure Service Operator permissions to create resources in your subscription. + + First, set the following environment variables to your Azure Tenant ID and Subscription ID with your values: + ```yaml + AZURE_TENANT_ID= + AZURE_SUBSCRIPTION_ID= + ``` + + You can find these values by using the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest): + ```sh + az account show + ``` + + 4. Next, we'll create a Service Principal with Contributor permissions for your subscription, so ASO can create resources in your subscription on your behalf. Note that the [ServicePrincipal](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli) you pass to the command below needs to have access to create resources in your subscription. If you'd like to use Managed Identity for authorization instead, check out instructions [here](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/managedidentity.md). 
+ + ```sh + az ad sp create-for-rbac -n "azure-service-operator" --role contributor \ + --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID + ``` + + This should give you output like the following: + ```sh + "appId": "xxxxxxxxxx", + "displayName": "azure-service-operator", + "name": "http://azure-service-operator", + "password": "xxxxxxxxxxx", + "tenant": "xxxxxxxxxxxxx" + ``` + + 5. Once you have created a Service Principal, gather the following values: + + `AZURE_TENANT_ID` is the Tenant ID from Step 1. + + `AZURE_SUBSCRIPTION_ID` is the Subscription ID from Step 1. + + `AZURE_CLIENT_ID` is the appID from the Service Principal created in Step 2. + + `AZURE_CLIENT_SECRET` is the password from the service Principal we created in Step 2. + + `AZURE_CLOUD_ENV` is the Azure Environment you'd like to use, i.e. AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + + 6. Set those values in a `Secret` called `azureoperatorsettings` within the `operators` Namespace: + ```yaml + apiVersion: v1 + kind: Secret + metadata: + name: azureoperatorsettings + namespace: operators + stringData: + AZURE_TENANT_ID: + AZURE_SUBSCRIPTION_ID: + AZURE_CLIENT_ID: + AZURE_CLIENT_SECRET: + AZURE_CLOUD_ENV: + ``` + + 7. Now you can proceed to install the Azure Service Operator to the `operators` Namespace via the Install button on the top right of this page. After the operator is installed, you will then see the Azure Service Operator pod running in your cluster: + + ```console + $ kubectl get pods -n operators + NAME READY STATUS RESTARTS AGE + azureoperator-controller-manager-7dd75bbd97-mk4s9 2/2 Running 0 35s + ``` + + ## About the project + + This project maintains [releases of the Azure Service Operator](https://github.com/Azure/azure-service-operator/releases). + + Please see the [FAQ](https://github.com/Azure/azure-service-operator/blob/master/docs/faq.md) for answers to commonly asked questions about the Azure Service Operator. + + Have more questions? 
Feel free to consult our documentation [here](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/contents.md). + + ## Contributing + + The [contribution guide](https://github.com/Azure/azure-service-operator/blob/master/CONTRIBUTING.md) covers everything you need to know about how you can contribute to Azure Service Operators. The [developer guide](https://github.com/Azure/azure-service-operator/blob/master/docs/howto/contents.md#developing-azure-service-operator) will help you onboard as a developer. + + ## Support + + Azure Service Operator is an open source project that is **not** covered by the [Microsoft Azure support policy](https://support.microsoft.com/en-us/help/2941892/support-for-linux-and-open-source-technology-in-azure). Please search open issues [here](https://github.com/Azure/azure-service-operator/issues). If your issue isn't already represented, please [open a new one](https://github.com/Azure/azure-service-operator/issues/new/choose). The Azure Service Operator project maintainers will respond to the best of their abilities. + + ## Code of conduct + + This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. + displayName: Azure Service Operator icon: - base64data: '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 ' 
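Review bot: The value list in step 5 still uses the old step numbering: `AZURE_TENANT_ID`/`AZURE_SUBSCRIPTION_ID` are now gathered in step 3 and the service principal is created in step 4, so `from Step 1` and `from Step 2` should read `from Step 3` and `from Step 4`. Since the `azureoperatorsettings` Secret holds a Contributor-scope client secret and now lives in the shared `operators` namespace, a sentence after step 6 is warranted, e.g. `Anyone who can read Secrets in the operators namespace can use this credential; restrict RBAC on that namespace accordingly, or use Managed Identity (see step 4) to avoid storing a long-lived secret.` The `az ad sp create-for-rbac ... --role contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID` example grants Contributor on the entire subscription; noting that `--scopes` can be narrowed to the resource groups ASO is expected to manage would help readers apply least privilege.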
@@ -265,108 +434,29 @@ spec:
 clusterPermissions:
 - rules: null
 serviceAccountName: azure-service-operator
- deployments:
- - name: azureoperator-controller-manager
- spec:
- replicas: 1
- selector:
- matchLabels:
- control-plane: controller-manager
- strategy: {}
- template:
- metadata:
- labels:
- aadpodidbinding: aso_manager_binding
- control-plane: controller-manager
- spec:
- containers:
- - args:
- - --metrics-addr=127.0.0.1:8080
- command:
- - /manager
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- key: AZURE_CLIENT_ID
- name: azureoperatorsettings
- optional: true
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- key: AZURE_CLIENT_SECRET
- name: azureoperatorsettings
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- key: AZURE_TENANT_ID
- name: azureoperatorsettings
- optional: true
- - name: AZURE_SUBSCRIPTION_ID
- valueFrom:
- secretKeyRef:
- key: AZURE_SUBSCRIPTION_ID
- name: azureoperatorsettings
- optional: true
- - name: AZURE_USE_MI
- valueFrom:
- secretKeyRef:
- key: AZURE_USE_MI
- name: azureoperatorsettings
- optional: true
- - name: AZURE_OPERATOR_KEYVAULT
- valueFrom:
- secretKeyRef:
- key: AZURE_OPERATOR_KEYVAULT
- name: azureoperatorsettings
- optional: true
- - name: AZURE_CLOUD_ENV
- valueFrom:
- secretKeyRef:
- key: AZURE_CLOUD_ENV
- name: azureoperatorsettings
- optional: true
- - name: REQUEUE_AFTER
- value: "30"
- name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- - containerPort: 8081
- name: liveness-port
- protocol: TCP
- resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 200m
- memory: 256Mi
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- resources: {}
- serviceAccountName: 
azure-service-operator
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
+ deployments: []
 permissions:
- - rules: null
+ - rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
 serviceAccountName: azure-service-operator
 strategy: deployment
 installModes:
@@ -379,9 +469,7 @@ spec:
 - supported: true
 type: AllNamespaces
 keywords:
- - azure
- - microsoft
- - cloud service broker
+ - azure, microsoft, cloud service broker
 links:
 - name: Azure Service Operator
 url: https://github.com/Azure/azure-service-operator
diff --git a/config/operator-bundle/kustomization.yaml b/config/operator-bundle/kustomization.yaml
new file mode 100644
index 00000000000..f4edc42bf5a
--- /dev/null
+++ b/config/operator-bundle/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - ../default
+ - ../samples
+
+patches:
+ - patches/serviceaccountname_in_deployment.yaml
+ - patches/serviceaccountname_in_rolebindings.yaml
diff --git a/config/operator-bundle/patches/serviceaccountname_in_deployment.yaml b/config/operator-bundle/patches/serviceaccountname_in_deployment.yaml
new file mode 100644
index 00000000000..d20d265ec53
--- /dev/null
+++ b/config/operator-bundle/patches/serviceaccountname_in_deployment.yaml
@@ -0,0 +1,12 @@
+# This sets the controller-manager deployment to use a non-default
+# service account on its pods, since installing the operator with OLM
+# puts it into the `operators` namespace alongside other operators.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: azureoperator-controller-manager
+ namespace: azureoperator-system
+spec:
+ template:
+ spec:
+ serviceAccountName: azure-service-operator
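Review bot: The keywords hunk collapses three list entries into the single string `- azure, microsoft, cloud service broker`; `spec.keywords` is a list of individual keywords, so the catalog will now index one comma-containing keyword instead of three and searches for `azure` or `microsoft` alone may no longer match. Keep the three separate items, `- azure`, `- microsoft`, `- cloud service broker`, as they were before.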
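Review bot: The header comment in `serviceaccountname_in_deployment.yaml` gives the reason for a non-default service account only indirectly; the security point is that the `default` ServiceAccount in the shared `operators` namespace is used by every pod there that does not set one, so binding ASO's cluster-wide roles to it would hand those roles to unrelated operators. Suggest extending the comment: `# ... because the 'default' ServiceAccount there is shared with every other operator pod, so the manager's (Cluster)RoleBindings must target a dedicated account.` The `namespace: azureoperator-system` in the patch metadata presumably only serves to match the kustomize base and is rewritten by OLM on install; a one-line comment saying so would save the next reader the same question.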
diff --git a/config/operator-bundle/patches/serviceaccountname_in_rolebindings.yaml b/config/operator-bundle/patches/serviceaccountname_in_rolebindings.yaml
new file mode 100644
index 00000000000..b5509643731
--- /dev/null
+++ b/config/operator-bundle/patches/serviceaccountname_in_rolebindings.yaml
@@ -0,0 +1,31 @@
+# This updates the different rolebindings to refer to the
+# azure-service-operator service account on its pods, since installing
+# the operator with OLM puts it into the `operators` namespace
+# alongside other operators.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: azureoperator-leader-election-rolebinding
+ namespace: azureoperator-system
+subjects:
+ - kind: ServiceAccount
+ name: azure-service-operator
+ namespace: azureoperator-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: azureoperator-manager-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: azure-service-operator
+ namespace: azureoperator-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: azureoperator-proxy-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: azure-service-operator
+ namespace: azureoperator-system
diff --git a/scripts/add-openshift-cert-handling.sh b/scripts/add-openshift-cert-handling.sh
index 2900f4652ec..e9f0a810b16 100755
--- a/scripts/add-openshift-cert-handling.sh
+++ b/scripts/add-openshift-cert-handling.sh
@@ -7,7 +7,7 @@ set -euo pipefail
 for fname in $(grep cert-manager.io bundle/manifests/* -l); do
 sed -i '/cert-manager.io\/inject-ca-from/a\ service.beta.openshift.io/inject-cabundle: "true"' $fname
 done
-cat < bundle/manifests/service.yaml
+cat < bundle/manifests/azureoperator-webhook-service.yaml
 kind: Service
 metadata:
 name: azureoperator-webhook-service
diff --git a/scripts/inject-container-reference.sh b/scripts/inject-container-reference.sh
new file mode 100755
index 00000000000..384bb8dad34
--- /dev/null
+++ b/scripts/inject-container-reference.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+container_reference="$1"
+now="$(date --rfc-3339=seconds)"
+cluster_version_file="bundle/manifests/azure-service-operator.clusterserviceversion.yaml"
+
+# Replace the controller:latest reference in the deployment (embedded
+# in the CSV) with the SHA one.
+sed -i "s!controller:latest!${container_reference}!g" $cluster_version_file
+
+# Insert containerImage and createdAt into metadata.annotations.
+yq eval -i ".metadata.annotations.containerImage = \"${container_reference}\" | .metadata.annotations.createdAt = \"${now}\"" $cluster_version_file
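Review bot: `sed -i "s!controller:latest!${container_reference}!g" $cluster_version_file` gives no signal whether it matched anything, so if the placeholder ever drifts from the Makefile's `PLACEHOLDER_IMAGE` (the string is duplicated here by hand) the published CSV silently keeps `controller:latest`, a mutable tag, as the operator image. Take the placeholder as a second argument or at least assert it is present before substituting, `grep -q 'controller:latest' "$cluster_version_file" || { echo "placeholder image not found in $cluster_version_file" >&2; exit 1; }`, and re-check after the `sed` that no occurrence remains. The script also never validates `$1`: the comment says it expects a SHA reference (`repo@sha256:<hex>`) while the Makefile caller passes `$(PUBLIC_REPO)@$(LATEST_TAG)`, so a simple pattern check on the argument would have caught that mismatch. `date --rfc-3339=seconds` is GNU-only and `yq eval -i` assumes mikefarah yq v4; either document both in the header comment or use the portable `date -u +%Y-%m-%dT%H:%M:%SZ` for `createdAt`.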