Merge remote-tracking branch 'origin/master' into v2.0.x

cloudfoundry-incubator · Feb 3, 2020 · 3dce81d · 3dce81d
2 parents 0132203 + d8caf30
commit 3dce81d
Show file tree

Hide file tree

Showing 86 changed files with 1,596 additions and 849 deletions.
diff --git a/bin/gen-fakes b/bin/gen-fakes
@@ -8,13 +8,13 @@ counterfeiter -o pkg/kube/controllers/fakes/client.go vendor/sigs.k8s.io/control
 counterfeiter -o pkg/kube/controllers/fakes/status_writer.go vendor/sigs.k8s.io/controller-runtime/pkg/client StatusWriter
 
 counterfeiter -o pkg/kube/controllers/fakes/bpm_converter.go pkg/kube/controllers/boshdeployment BPMConverter
+counterfeiter -o pkg/kube/controllers/fakes/desired_manifest.go pkg/kube/controllers/boshdeployment DesiredManifest
+counterfeiter -o pkg/kube/controllers/fakes/interpolator.go pkg/kube/util/withops Interpolator
 counterfeiter -o pkg/kube/controllers/fakes/job_factory.go pkg/kube/controllers/boshdeployment/ JobFactory
-counterfeiter -o pkg/kube/controllers/fakes/resolver.go pkg/kube/controllers/boshdeployment Resolver
 counterfeiter -o pkg/kube/controllers/fakes/variables_converter.go pkg/kube/controllers/boshdeployment VariablesConverter
+counterfeiter -o pkg/kube/controllers/fakes/withops.go pkg/kube/controllers/boshdeployment WithOps
 
-counterfeiter -o pkg/bosh/converter/fakes/container_factory.go pkg/bosh/converter/ ContainerFactory
-counterfeiter -o pkg/bosh/converter/fakes/interpolator.go pkg/bosh/converter/ Interpolator
-counterfeiter -o pkg/bosh/converter/fakes/release_image_provider.go pkg/bosh/converter/ ReleaseImageProvider
-counterfeiter -o pkg/bosh/converter/fakes/volume_factory.go pkg/bosh/converter/ VolumeFactory
-counterfeiter -o pkg/bosh/manifest/fakes/desired_manifest.go pkg/bosh/converter/ DesiredManifest
+counterfeiter -o pkg/bosh/converter/fakes/container_factory.go pkg/bosh/bpmconverter/ ContainerFactory
+counterfeiter -o pkg/bosh/converter/fakes/release_image_provider.go pkg/bosh/manifest/ ReleaseImageProvider
+counterfeiter -o pkg/bosh/converter/fakes/volume_factory.go pkg/bosh/bpmconverter/ VolumeFactory
 counterfeiter -o pkg/credsgen/fakes/generator.go pkg/credsgen/ Generator
diff --git a/bin/include/dependencies b/bin/include/dependencies
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-git_sha="6a177e8"
+git_sha="62fcf84"
 quarks_job_release="v0.0.0-0.g$git_sha"
 
 # QUARKS_JOB_IMAGE_TAG is used for integration tests

diff --git a/cmd/internal/instance_group.go b/cmd/internal/instance_group.go
@@ -14,6 +14,7 @@ import (
 
 	"code.cloudfoundry.org/cf-operator/pkg/bosh/converter"
 	"code.cloudfoundry.org/cf-operator/pkg/bosh/manifest"
+	"code.cloudfoundry.org/cf-operator/pkg/kube/util/boshdns"
 	"code.cloudfoundry.org/quarks-utils/pkg/cmd"
 )
 
@@ -80,10 +81,15 @@ Also calculates and prints the BPM configurations for all BOSH jobs of that inst
 
 		m, err := manifest.LoadYAML(boshManifestBytes)
 		if err != nil {
-			return errors.Wrapf(err, "%s Loading bosh manifest file failed. Please check the file contents and try again.", igFailedMessage)
+			return errors.Wrapf(err, "%s Loading BOSH manifest file failed. Please check the file contents and try again.", igFailedMessage)
 		}
 
-		igr, err := manifest.NewInstanceGroupResolver(afero.NewOsFs(), baseDir, *m, instanceGroupName)
+		dns, err := boshdns.NewDNS(*m)
+		if err != nil {
+			return errors.Wrapf(err, "%s Loading DNS for BOSH manifest failed.", igFailedMessage)
+		}
+
+		igr, err := manifest.NewInstanceGroupResolver(afero.NewOsFs(), baseDir, *m, instanceGroupName, dns)
 		if err != nil {
 			return errors.Wrap(err, igFailedMessage)
 		}

diff --git a/cmd/internal/root.go b/cmd/internal/root.go
@@ -17,8 +17,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 
 	"code.cloudfoundry.org/cf-operator/pkg/bosh/converter"
-	"code.cloudfoundry.org/cf-operator/pkg/bosh/manifest"
 	"code.cloudfoundry.org/cf-operator/pkg/kube/operator"
+	"code.cloudfoundry.org/cf-operator/pkg/kube/util/boshdns"
 	"code.cloudfoundry.org/cf-operator/version"
 	"code.cloudfoundry.org/quarks-utils/pkg/cmd"
 	"code.cloudfoundry.org/quarks-utils/pkg/config"
@@ -66,8 +66,8 @@ var rootCmd = &cobra.Command{
 
 		watchNamespace := cmd.Namespaces(cfg, log, namespaceArg)
 
-		manifest.SetBoshDNSDockerImage(viper.GetString("bosh-dns-docker-image"))
-		manifest.SetClusterDomain(viper.GetString("cluster-domain"))
+		boshdns.SetBoshDNSDockerImage(viper.GetString("bosh-dns-docker-image"))
+		boshdns.SetClusterDomain(viper.GetString("cluster-domain"))
 
 		log.Infof("Starting cf-operator %s with namespace %s", version.Version, watchNamespace)
 		log.Infof("cf-operator docker image: %s", config.GetOperatorDockerImage())

diff --git a/deploy/helm/cf-operator/templates/_helpers.tpl b/deploy/helm/cf-operator/templates/_helpers.tpl
@@ -41,3 +41,21 @@ Create the name of the cf-operator service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Name of the role of cf-operator.
+*/}}
+{{- define "cf-operator.role-name" -}}
+{{- printf "%s-%s" .Chart.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Namespace of the cf-operator role.
+*/}}
+{{- define "cf-operator.roleNamespace" -}}
+{{- if .Values.global.operator.watchNamespace }}
+  namespace: {{ .Values.global.operator.watchNamespace }}
+{{- else}}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end -}}
diff --git a/deploy/helm/cf-operator/templates/cluster-role.yaml b/deploy/helm/cf-operator/templates/cluster-role.yaml
@@ -10,11 +10,46 @@ items:
       name: {{ template "cf-operator.fullname" . }}
     rules:
     - apiGroups:
-      - '*'
+      - certificates.k8s.io
       resources:
-      - '*'
+      - certificatesigningrequests
       verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - watch
+    - apiGroups:
+      - certificates.k8s.io
+      resources:
+      - certificatesigningrequests/approval
+      verbs:
+      - create
+      - update
+    - apiGroups:
+      - apiextensions.k8s.io
+      resources:
+      - customresourcedefinitions
+      verbs:
+      - create
+      - get
+      - update
+    - apiGroups:
+      - ""
+      resources:
+      - namespaces
+      verbs:
+      - get
+      - update
+    - apiGroups:
+      - admissionregistration.k8s.io
+      resources:
+      - validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+      verbs:
+      - create
+      - delete
+      - update
   - kind: ClusterRoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:

diff --git a/deploy/helm/cf-operator/templates/role-binding.yaml b/deploy/helm/cf-operator/templates/role-binding.yaml
@@ -2,13 +2,30 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cf-operator
+  name: {{ template "cf-operator.fullname" . }}
+  {{- template "cf-operator.roleNamespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "cf-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "cf-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- if .Values.global.operator.watchNamespace }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cf-operator.role-name" . }}
   namespace: {{ .Release.Namespace }}
 subjects:
 - kind: ServiceAccount
-  name: cf-operator
+  name: {{ template "cf-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
-  name: cf-operator
+  name: {{ template "cf-operator.role-name" . }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}
diff --git a/deploy/helm/cf-operator/templates/role.yaml b/deploy/helm/cf-operator/templates/role.yaml
@@ -1,51 +1,126 @@
 {{- if .Values.global.rbac.create }}
+{{- if .Values.global.operator.watchNamespace }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   creationTimestamp: null
-  name: cf-operator
+  name: {{ template "cf-operator.role-name" . }}
   namespace: {{ .Release.Namespace }}
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - update
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: {{ template "cf-operator.fullname" . }}
+  {{- template "cf-operator.roleNamespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
   - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
   - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
   - configmaps
-  - secrets
-  - namespaces
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
 - apiGroups:
   - apps
   resources:
   - deployments
-  - daemonsets
-  - replicasets
   - statefulsets
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
-  - monitoring.coreos.com
+  - apps
   resources:
-  - servicemonitors
+  - replicasets
   verbs:
   - get
+  - list
+- apiGroups: 
+  - quarks.cloudfoundry.org
+  resources:
+  - quarksjobs
+  verbs:
   - create
-- apiGroups:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups: 
   - quarks.cloudfoundry.org
   resources:
-  - '*'
   - boshdeployments
+  - quarksstatefulsets
+  - quarkssecrets
   verbs:
-  - '*'
-- apiGroups:
-  - batch
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups: 
+  - quarks.cloudfoundry.org
   resources:
-  - jobs
+  - boshdeployments/status
+  - quarkssecrets/status
+  - quarksstatefulsets/status
   verbs:
-  - '*'
+  - create
+  - patch
+  - update
 {{- end }}