From 59103b1c2320a853287c218e9f04390b38d55b7f Mon Sep 17 00:00:00 2001
From: r0zbot
Date: Wed, 30 Aug 2023 04:13:53 -0300
Subject: [PATCH 1/3] Add option to add a prefix to each generated access request username
---
 .dockerignore | 1 +
 .gitignore | 1 +
 api/v1alpha1/mongodbcluster_types.go | 3 +++
 ...ock.cloud.rocket.chat_mongodbclusters.yaml | 4 ++++
 ...airlock_v1alpha1_mongodbaccessrequest.yaml | 9 +++++++++
 .../airlock_v1alpha1_mongodbcluster.yaml | 20 +++++++++++++++++--
 .../mongodbaccessrequest_controller.go | 16 +++++++-------
 7 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 8e6fac7..0c762cc 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,4 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 # Ignore build and test binaries.
 testbin/
+*.ignore
diff --git a/.gitignore b/.gitignore
index 9780dc5..229dcde 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ test_replicaset.txt
 mongoValues.yaml
 db-secret.yaml
 db-cluster.yaml
+*.ignore
diff --git a/api/v1alpha1/mongodbcluster_types.go b/api/v1alpha1/mongodbcluster_types.go
index f7d35f9..eaadc09 100644
--- a/api/v1alpha1/mongodbcluster_types.go
+++ b/api/v1alpha1/mongodbcluster_types.go
@@ -43,6 +43,9 @@ type MongoDBClusterSpec struct {
 // +kubebuilder:default=mongodb
 PrefixTemplate string `json:"prefixTemplate,omitempty"`
+ // Append this prefix to all default/generated usernames for this cluster. Will be overriden if "username" is specified.
+ UserNamePrefix string `json:"userNamePrefix,omitempty"`
+
 // If this is set, Atlas API will be used instead of the regular mongo auth path.
 UseAtlasApi bool `json:"useAtlasApi,omitempty"`
 }
diff --git a/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml b/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml
index 9cc113f..1fe71b8 100644
--- a/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml
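Review bot: `UserNamePrefix` is a free-form string that the controller hunk later in this patch concatenates straight into the MongoDB username, and the new field carries no validation marker, so a prefix containing characters the cluster (or the Atlas API, when `UseAtlasApi` is set) refuses in a username only surfaces as a user-creation failure on every access request of that cluster. A `// +kubebuilder:validation:Pattern=` marker (constructed example, to be narrowed to what the backend actually accepts: `^[A-Za-z0-9._-]*$`) together with `// +kubebuilder:validation:MaxLength=` rejects that at admission time instead. The field comment is also copied into the generated CRD description and has two wording slips: the value is prepended rather than appended, and `overriden` should be `overridden`; suggest `// Prepended to every generated username for this cluster. Ignored when the access request sets "userName" explicitly.`. `MongoDBClusterSpec` starts outside the hunk.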
+++ b/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml @@ -68,6 +68,10 @@ spec: description: If this is set, Atlas API will be used instead of the regular mongo auth path. type: boolean + userNamePrefix: + description: Append this prefix to all default/generated usernames + for this cluster. Will be overriden if "username" is specified. + type: string required: - connectionSecret - hostTemplate diff --git a/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml b/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml index f7f3de6..5fc1161 100644 --- a/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml +++ b/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml @@ -10,5 +10,14 @@ kind: MongoDBAccessRequest metadata: name: obrigado spec: + # In which cluster to create the user. clusterName: teste-atlas1 + # Optional. Username to be created in the cluster. If not provided, will be the same as the access request name. + # userName: obrigado + + # Optional. Database to be used for the user. If not provided, the user will have access to one that matches the access request name + # database: obrigado + + # Optional. Secret name where the credentials will be stored. If not provided, will be the same as the access request name. + # secretName: obrigado diff --git a/config/samples/airlock_v1alpha1_mongodbcluster.yaml b/config/samples/airlock_v1alpha1_mongodbcluster.yaml index a940d49..11a5965 100644 --- a/config/samples/airlock_v1alpha1_mongodbcluster.yaml +++ b/config/samples/airlock_v1alpha1_mongodbcluster.yaml 
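Review bot: The new comment on `userName` in the access request sample says the generated username will be the same as the access request name, but after this patch the controller prepends the cluster's `userNamePrefix` to it (see the `generateAttributes` change in `controllers/mongodbaccessrequest_controller.go`), so the sample documents the old behaviour the moment the new one is introduced. Suggest `# Optional. Username to be created in the cluster. If not provided, it will be the cluster's userNamePrefix followed by the access request name.`. The CRD description of `userName` (visible in the deleted `production/airlock-aio.yaml` further down) carries the same sentence, so the `UserName` field comment in the MongoDBAccessRequest type, which this diff does not touch, presumably needs the same update.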
@@ -14,12 +14,27 @@ kind: MongoDBCluster
 metadata:
 name: teste-atlas1
 spec:
- useAtlasApi: true
+ # The host with port that clients will receive when requesting credentials.
 hostTemplate: "cluster0.vpz0mct.mongodb.net"
+
+ # Secret in which Airlock will look for a ConnectionString or Atlas credentials, that will be used to connect to the cluster.
+ connectionSecret: airlock-atlas-connection
+
+ # Optional. If this is set, Atlas API will be used instead of the regular mongo auth path.
+ useAtlasApi: true
+
+ # Optional. Extra connection string parameters that will be added to the connection string.
 optionsTemplate: ?retryWrites=true&w=majority
+
+ # Optional. The prefix used when building the connection string. Defaults to "mongodb"
 prefixTemplate: mongodb+srv
- connectionSecret: airlock-atlas-connection
+
+ # Optional. Namespace where the connection secret is located. Defaults to "airlock-system"
 connectionSecretNamespace: airlock-system
+
+ # Optional. Append this prefix to all default/generated usernames for this cluster. Will be ignored if "username" is already set on the access request.
+ userNamePrefix: test-use1-
+
 ---
 apiVersion: v1
 kind: Secret
@@ -28,6 +43,7 @@ metadata:
 namespace: airlock-system
 type: Opaque
 stringData:
+ # It should have enough privileges to manage users and access. This is not gonna be used by the created users.
 connectionString: "mongodb://rcadmin:pamonha@mongodb.airlock-test/test?replicaSet=rs0"
 ---
diff --git a/controllers/mongodbaccessrequest_controller.go b/controllers/mongodbaccessrequest_controller.go
index f6261aa..4943f3b 100644
--- a/controllers/mongodbaccessrequest_controller.go
+++ b/controllers/mongodbaccessrequest_controller.go
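Review bot: The comment on `userNamePrefix` refers to `"username"`, but the access request field is spelled `userName` (as the access request sample and the CRD have it), and it says the prefix is "ignored" where the Go field comment in this same patch says it is "overriden", so a reader of the two files gets two descriptions of one rule. Suggest `# Optional. Prepended to every generated username for this cluster. Not applied when the access request sets "userName" explicitly.` and the same wording in the type comment. The `rcadmin:pamonha` connection string below the new `stringData` comment is pre-existing sample data, but since that comment now explains this identity manages users and access on the cluster, it is worth adding that the value is a placeholder to be replaced rather than copied into a real cluster.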
@@ -98,28 +98,28 @@ func (r *MongoDBAccessRequestReconciler) Reconcile(ctx context.Context, req ctrl
 mongodbClusterCR := &airlockv1alpha1.MongoDBCluster{}
- err = r.generateAttributes(ctx, mongodbAccessRequestCR)
+ err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
 if err != nil {
 meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions, metav1.Condition{
 Type: "Ready",
 Status: metav1.ConditionFalse,
- Reason: "AttributeGenerationFailed",
+ Reason: "GetMongoDBClusterFailed",
 LastTransitionTime: metav1.NewTime(time.Now()),
- Message: fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
+ Message: fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
 })
 return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 }
- err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
+ err = r.generateAttributes(ctx, mongodbAccessRequestCR, mongodbClusterCR)
 if err != nil {
 meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions, metav1.Condition{
 Type: "Ready",
 Status: metav1.ConditionFalse,
- Reason: "GetMongoDBClusterFailed",
+ Reason: "AttributeGenerationFailed",
 LastTransitionTime: metav1.NewTime(time.Now()),
- Message: fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
+ Message: fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
 })
 return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 }
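Review bot: The two error branches in this hunk differ only in `Reason` and `Message`, and the same seven-line block is what every failure path in `Reconcile` (which starts and ends outside the hunk) appears to repeat; since the commit already rewrites both of them to swap their order, it is the moment to fold them into one helper so the condition type, timestamp and the status-update/error aggregation cannot drift between call sites. Reordering `Get` ahead of `generateAttributes` is itself correct, because the latter now reads `mongodbClusterCR.Spec`. A helper like `failReady` below turns each branch into a single `return r.failReady(ctx, mongodbAccessRequestCR, "GetMongoDBClusterFailed", fmt.Sprintf(...), err)`.
```go
// failReady records Ready=False with the given reason and message on the
// access request, persists the status, and returns err aggregated with any
// status-update error so callers can return it directly from Reconcile.
func (r *MongoDBAccessRequestReconciler) failReady(ctx context.Context, cr *airlockv1alpha1.MongoDBAccessRequest, reason, message string, err error) (ctrl.Result, error) {
	meta.SetStatusCondition(&cr.Status.Conditions, metav1.Condition{
		Type:               "Ready",
		Status:             metav1.ConditionFalse,
		Reason:             reason,
		LastTransitionTime: metav1.NewTime(time.Now()),
		Message:            message,
	})
	return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, cr)})
}

	// … unchanged: mongodbClusterCR declaration …
	err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
	if err != nil {
		return r.failReady(ctx, mongodbAccessRequestCR, "GetMongoDBClusterFailed",
			fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()), err)
	}
	err = r.generateAttributes(ctx, mongodbAccessRequestCR, mongodbClusterCR)
	if err != nil {
		return r.failReady(ctx, mongodbAccessRequestCR, "AttributeGenerationFailed",
			fmt.Sprintf("Attribute generation failed with error: %s", err.Error()), err)
	}
```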
@@ -374,7 +374,7 @@ func (r *MongoDBAccessRequestReconciler) reconcileSecret(ctx context.Context, re
 return nil
 }
-func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest) error {
+func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest, mongodbClusterCR *airlockv1alpha1.MongoDBCluster) error {
 changed := false
 if mongodbAccessRequestCR.Spec.Database == "" {
@@ -383,7 +383,7 @@ func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context,
 }
 if mongodbAccessRequestCR.Spec.UserName == "" {
- mongodbAccessRequestCR.Spec.UserName = mongodbAccessRequestCR.Name
+ mongodbAccessRequestCR.Spec.UserName = mongodbClusterCR.Spec.UserNamePrefix + mongodbAccessRequestCR.Name
 changed = true
 }
From 7a28946e9e1b87156687f82c6000c8e5ae58f5aa Mon Sep 17 00:00:00 2001
From: r0zbot
Date: Wed, 30 Aug 2023 04:20:53 -0300
Subject: [PATCH 2/3] Remove unneeded production-aio targets
---
 Makefile | 6 -
 .../production/image_pull_secret_patch.yaml | 9 -
 config/production/kustomization.yaml | 7 -
 production/airlock-aio.yaml | 601 ------------------
 4 files changed, 623 deletions(-)
 delete mode 100644 config/production/image_pull_secret_patch.yaml
 delete mode 100644 config/production/kustomization.yaml
 delete mode 100644 production/airlock-aio.yaml
diff --git a/Makefile b/Makefile
index 0c30639..b1c50d9 100644
--- a/Makefile
+++ b/Makefile
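Review bot: In the second hunk the prefix is applied only when `Spec.UserName` is empty, so a requester who sets `userName` explicitly gets exactly that name on the cluster; `userNamePrefix` therefore marks generated users by convention only and cannot be relied on to keep a cluster's generated accounts apart from hand-picked names. If that separation is intended, the empty check needs a complementary guard such as `if !strings.HasPrefix(mongodbAccessRequestCR.Spec.UserName, mongodbClusterCR.Spec.UserNamePrefix) { return fmt.Errorf("userName %q does not carry cluster prefix %q", mongodbAccessRequestCR.Spec.UserName, mongodbClusterCR.Spec.UserNamePrefix) }` (which needs a `strings` import); if it is not intended, the field comment should say so in those words. The generated name is written into `Spec.UserName` and `changed = true` suggests it is persisted further down, outside the hunk, so a later edit of the cluster's `userNamePrefix` will not rename already-reconciled requests; that is acceptable but deserves a sentence in the field documentation. `generateAttributes` continues past the hunk.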
@@ -171,12 +171,6 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - -.PHONY: production -production: generate manifests kustomize ## Generate everything including the final manifests for installation in production. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - mkdir -p production - $(KUSTOMIZE) build config/production > production/airlock-aio.yaml - ##@ Build Dependencies ## Location to install dependencies to diff --git a/config/production/image_pull_secret_patch.yaml b/config/production/image_pull_secret_patch.yaml deleted file mode 100644 index ea77223..0000000 --- a/config/production/image_pull_secret_patch.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager -spec: - template: - spec: - imagePullSecrets: - - name: rc-registry-cred \ No newline at end of file diff --git a/config/production/kustomization.yaml b/config/production/kustomization.yaml deleted file mode 100644 index f41624a..0000000 --- a/config/production/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -bases: -- ../default - -patches: -- path: image_pull_secret_patch.yaml - target: - kind: Deployment \ No newline at end of file diff --git a/production/airlock-aio.yaml b/production/airlock-aio.yaml deleted file mode 100644 index 4bee6d0..0000000 --- a/production/airlock-aio.yaml +++ /dev/null 
@@ -1,601 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: system - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: namespace - app.kubernetes.io/part-of: airlock - control-plane: controller-manager - name: airlock-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: mongodbaccessrequests.airlock.cloud.rocket.chat -spec: - group: airlock.cloud.rocket.chat - names: - kind: MongoDBAccessRequest - listKind: MongoDBAccessRequestList - plural: mongodbaccessrequests - singular: mongodbaccessrequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.clusterName - name: Cluster - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: MongoDBAccessRequest is the Schema for the mongodbaccessrequests API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: MongoDBAccessRequestSpec defines the desired state of MongoDBAccessRequest - properties: - clusterName: - description: In which cluster to create the user. - type: string - database: - description: Database to be used for the user. If not provided, the user will have access to one that matches the access request name - type: string - secretName: - description: Secret name where the credentials will be stored. If not provided, will be the same as the access request name. - type: string - userName: - description: Username to be created in the cluster. If not provided, will be the same as the access request name. - type: string - type: object - status: - description: MongoDBAccessRequestStatus defines the observed state of MongoDBAccessRequest - properties: - conditions: - description: Conditions is the list of status condition updates - items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - required: - - conditions - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: mongodbclusters.airlock.cloud.rocket.chat -spec: - group: airlock.cloud.rocket.chat - names: - kind: MongoDBCluster - listKind: MongoDBClusterList - plural: mongodbclusters - singular: mongodbcluster - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: MongoDBCluster is the Schema for the mongodbclusters API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - connectionSecret: - description: Secret in which Airlock will look for a ConnectionString or Atlas credentials, that will be used to connect to the cluster. It should have enough privileges to manage users and access. This is not gonna be used by the created users. - type: string - connectionSecretNamespace: - default: airlock-system - type: string - hostTemplate: - description: The host with port that clients will receive when requesting credentials. - type: string - optionsTemplate: - default: ?replicaSet=rs01 - description: Extra connection string parameters that will be added to the connection string. - type: string - prefixTemplate: - default: mongodb - description: The prefix used when building the connection string. Defaults to "mongodb" - type: string - useAtlasApi: - description: If this is set, Atlas API will be used instead of the regular mongo auth path. - type: boolean - required: - - connectionSecret - - hostTemplate - type: object - status: - description: MongoDBClusterStatus defines the observed state of MongoDBCluster - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - required: - - conditions - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/part-of: airlock - name: airlock-controller-manager - namespace: airlock-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: role - app.kubernetes.io/part-of: airlock - name: airlock-leader-election-role - namespace: airlock-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: airlock-manager-role -rules: -- apiGroups: - - "" - - apps - - networking.k8s.io - resources: - - secrets - verbs: - - create - - delete - 
- get - - list - - patch - - update - - watch -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbaccessrequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbaccessrequests/finalizers - verbs: - - update -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbaccessrequests/status - verbs: - - get - - patch - - update -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbclusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbclusters/finalizers - verbs: - - update -- apiGroups: - - airlock.cloud.rocket.chat - resources: - - mongodbclusters/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: airlock - name: airlock-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: airlock - name: airlock-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: airlock - 
app.kubernetes.io/instance: leader-election-rolebinding - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: rolebinding - app.kubernetes.io/part-of: airlock - name: airlock-leader-election-rolebinding - namespace: airlock-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: airlock-leader-election-role -subjects: -- kind: ServiceAccount - name: airlock-controller-manager - namespace: airlock-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: manager-rolebinding - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: airlock - name: airlock-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: airlock-manager-role -subjects: -- kind: ServiceAccount - name: airlock-controller-manager - namespace: airlock-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: airlock - name: airlock-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: airlock-proxy-role -subjects: -- kind: ServiceAccount - name: airlock-controller-manager - namespace: airlock-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: airlock - control-plane: controller-manager - name: 
airlock-controller-manager-metrics-service - namespace: airlock-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: airlock - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: deployment - app.kubernetes.io/part-of: airlock - control-plane: controller-manager - name: airlock-controller-manager - namespace: airlock-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - image: dockerhub.com/airlock:0.1.0 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - 
limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - imagePullSecrets: - - name: rc-registry-cred - securityContext: - runAsNonRoot: true - serviceAccountName: airlock-controller-manager - terminationGracePeriodSeconds: 10 From 63fbbb3210e50dabd7cf6c3db713defa8f8e80ff Mon Sep 17 00:00:00 2001 From: r0zbot Date: Wed, 30 Aug 2023 04:29:33 -0300 Subject: [PATCH 3/3] fix image tag base --- Makefile | 2 +- config/manager/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index b1c50d9..e49c181 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) # # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both # rocket.chat/airlock-bundle:$VERSION and rocket.chat/airlock-catalog:$VERSION. -IMAGE_TAG_BASE ?= dockerhub.com/airlock +IMAGE_TAG_BASE ?= rocketchat/airlock # BUNDLE_IMG defines the image:tag used for the bundle. # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 7b4bb5a..e3ac2cb 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: dockerhub.com/airlock + newName: rocketchat/airlock newTag: 0.1.0
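Review bot: `rocketchat/airlock` in `IMAGE_TAG_BASE` (Makefile hunk) and in `newName` (config/manager/kustomization.yaml hunk) omits the registry host, so the image is resolved through whatever default registry or mirror the build host and the cluster's container runtime are configured with; `docker.io/rocketchat/airlock` in both places names it unambiguously. The kustomization keeps `newTag: 0.1.0` (a context line), a mutable tag, and for a production rollout a `digest:` entry next to `newName` would make the deployed image immutable. With the `production` target removed in the previous patch, these two values may now have to be kept in sync by hand unless `deploy` still runs `kustomize edit set image`, which this diff does not show.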