diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index e2e972306..89e3c7d8e 100644 --- a/cli/cmd/resources/instrumentor.go +++ b/cli/cmd/resources/instrumentor.go @@ -23,12 +23,20 @@ import ( ) const ( - InstrumentorServiceName = "instrumentor" - InstrumentorDeploymentName = "odigos-instrumentor" - InstrumentorAppLabelValue = "odigos-instrumentor" - InstrumentorContainerName = "manager" - InstrumentorWebhookSecretName = "instrumentor-webhook-cert" - InstrumentorWebhookVolumeName = "webhook-cert" + InstrumentorOtelServiceName = "instrumentor" + InstrumentorDeploymentName = "odigos-instrumentor" + InstrumentorAppLabelValue = InstrumentorDeploymentName + InstrumentorServiceName = InstrumentorDeploymentName + InstrumentorServiceAccountName = InstrumentorDeploymentName + InstrumentorRoleName = InstrumentorDeploymentName + InstrumentorRoleBindingName = InstrumentorDeploymentName + InstrumentorClusterRoleName = InstrumentorDeploymentName + InstrumentorClusterRoleBindingName = InstrumentorDeploymentName + InstrumentorCertificateName = InstrumentorDeploymentName + InstrumentorMutatingWebhookName = "mutating-webhook-configuration" + InstrumentorContainerName = "manager" + InstrumentorWebhookSecretName = "instrumentor-webhook-cert" + InstrumentorWebhookVolumeName = "webhook-cert" ) func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { @@ -38,7 +46,7 @@ func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: InstrumentorDeploymentName, + Name: InstrumentorServiceAccountName, Namespace: ns, }, } @@ -57,7 +65,7 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, }, }, RoleRef: rbacv1.RoleRef{ 
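Review bot: `InstrumentorServiceName` keeps its exported name but changes value from `"instrumentor"` to `"odigos-instrumentor"` in the const block, so any reference outside this diff that still expects the OpenTelemetry service name silently gets the Kubernetes Service name instead. The one use visible here (`OTEL_SERVICE_NAME`) was moved to `InstrumentorOtelServiceName`, but other packages are not visible here and are worth a grep before merge. A short comment on the group would also help, for example `// All Kubernetes object names below alias InstrumentorDeploymentName; the webhook certificate SANs are built from InstrumentorServiceName, so renaming it changes the serving cert.`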
@@ -68,6 +76,71 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { } } +func NewInstrumentorRole(ns string) *rbacv1.Role { + return &rbacv1.Role{ + TypeMeta: metav1.TypeMeta{ + Kind: "Role", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleName, + Namespace: ns, + }, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + ResourceNames: []string{"odigos-config"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups/status"}, + Verbs: []string{"get", "list", "watch"}, + }, + { // Needed for odigos own telemetry events reporting. Consider moving to scheduler + APIGroups: []string{"odigos.io"}, + Resources: []string{"destinations"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"instrumentationrules"}, + Verbs: []string{"get", "list", "watch"}, + }, + }, + } +} + +func NewInstrumentorRoleBinding(ns string) *rbacv1.RoleBinding { + return &rbacv1.RoleBinding{ + TypeMeta: metav1.TypeMeta{ + Kind: "RoleBinding", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleBindingName, + Namespace: ns, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: InstrumentorServiceAccountName, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: InstrumentorRoleName, + }, + } +} + func NewInstrumentorClusterRole() *rbacv1.ClusterRole { return &rbacv1.ClusterRole{ TypeMeta: metav1.TypeMeta{ 
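Review bot: The `collectorsgroups/status` rule in NewInstrumentorRole grants `list` and `watch` on a subresource, where those verbs are never served; a reader needs at most `Verbs: []string{"get"}`. The rule can probably be dropped altogether if the instrumentor only reads status through the parent `collectorsgroups` object, though the callers are not visible in this diff. The same rule is repeated in helm/odigos/templates/instrumentor/role.yaml and should change with it. Both new exported constructors also lack doc comments; something like `// NewInstrumentorRole returns the namespaced Role that holds the instrumentor's read-only access to Odigos configuration objects in ns.` would record why these rules live in a Role rather than in the ClusterRole.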
@@ -75,124 +148,49 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, Rules: []rbacv1.PolicyRule{ - { + { // Used in events reporting for own telemetry APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"list", "watch", "get"}, }, - { + { // Read instrumentation labels from namespaces APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"list", "watch", "get"}, }, - { - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { + { // Read instrumentation labels from daemonsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/status"}, - Verbs: []string{"get"}, - }, - { + { // Read instrumentation labels from deployments and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"deployments"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/status"}, - Verbs: []string{"get"}, - }, - { + { // Read instrumentation labels from statefulsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"statefulsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: 
[]string{"apps"}, - Resources: []string{"statefulsets/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"statefulsets/status"}, - Verbs: []string{"get"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/status"}, - Verbs: []string{"get", "patch", "update"}, - }, - { + { // React to runtime detection in user workloads in all namespaces APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + Verbs: []string{"delete", "get", "list", "watch"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"instrumentedapplications/finalizers"}, - Verbs: []string{"update"}, - }, - { + { // Update the status of the instrumented applications after device injection APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications/status"}, Verbs: []string{"get", "patch", "update"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/status"}, - Verbs: []string{"get", "patch", "update"}, - }, { APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentationconfigs"}, Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, - { - APIGroups: []string{"odigos.io"}, - 
Resources: []string{"instrumentationrules"}, - Verbs: []string{"get", "list", "watch"}, - }, }, } } @@ -204,19 +202,19 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleBindingName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, Namespace: ns, }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, } } @@ -294,7 +292,7 @@ func NewInstrumentorService(ns string) *corev1.Service { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, }, Spec: corev1.ServiceSpec{ @@ -319,10 +317,10 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis APIVersion: "admissionregistration.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "mutating-webhook-configuration", + Name: InstrumentorMutatingWebhookName, Labels: map[string]string{ "app.kubernetes.io/name": "pod-mutating-webhook", - "app.kubernetes.io/instance": "mutating-webhook-configuration", + "app.kubernetes.io/instance": InstrumentorMutatingWebhookName, "app.kubernetes.io/component": "webhook", "app.kubernetes.io/created-by": "instrumentor", "app.kubernetes.io/part-of": "odigos", @@ -333,7 +331,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis Name: "pod-mutating-webhook.odigos.io", ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, Path: ptrString("/mutate--v1-pod"), Port: intPtr(9443), 
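Review bot: The `instrumentationconfigs` rule is the only entry in NewInstrumentorClusterRole left without a why-comment, and it keeps the widest verb set in the role (`create`, `delete`, `patch`, `update`, cluster-wide). Since every other rule now states its purpose, add one here, along the lines of `{ // Create and maintain InstrumentationConfig objects next to workloads in any namespace` (wording for the author to confirm), and check that each write verb is really used. Separately, all `*/finalizers` update rules are removed; if the instrumentor sets owner references with blockOwnerDeletion that point at workloads (not visible in this diff), clusters running the OwnerReferencesPermissionEnforcement admission plugin may reject those writes, so that path deserves a test. The mirrored rules in helm/odigos/templates/instrumentor/clusterrole.yaml need the same treatment.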
@@ -359,7 +357,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis TimeoutSeconds: intPtr(10), ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ - "odigos.io/inject-instrumentation": "true", + consts.OdigosInjectInstrumentationLabel: "true", }, }, AdmissionReviewVersions: []string{ @@ -425,7 +423,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, APIVersion: "apps/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorDeploymentName, Namespace: ns, Labels: map[string]string{ "app.kubernetes.io/name": InstrumentorAppLabelValue, @@ -459,7 +457,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, Env: []corev1.EnvVar{ { Name: "OTEL_SERVICE_NAME", - Value: InstrumentorServiceName, + Value: InstrumentorOtelServiceName, }, { Name: "CURRENT_NS", @@ -531,7 +529,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, }, }, TerminationGracePeriodSeconds: ptrint64(10), - ServiceAccountName: "odigos-instrumentor", + ServiceAccountName: InstrumentorServiceAccountName, SecurityContext: &corev1.PodSecurityContext{ RunAsNonRoot: ptrbool(true), }, @@ -591,6 +589,8 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er resources := []kube.Object{ NewInstrumentorServiceAccount(a.ns), NewInstrumentorLeaderElectionRoleBinding(a.ns), + NewInstrumentorRole(a.ns), + NewInstrumentorRoleBinding(a.ns), NewInstrumentorClusterRole(), NewInstrumentorClusterRoleBinding(a.ns), NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage), 
@@ -604,14 +604,14 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er }, resources...) } else { - ca, err := crypto.GenCA("odigos-instrumentor", 365) + ca, err := crypto.GenCA(InstrumentorCertificateName, 365) if err != nil { return fmt.Errorf("failed to generate CA: %w", err) } altNames := []string{ - fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns), - fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns), + fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns), + fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns), } cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca) diff --git a/frontend/go.mod b/frontend/go.mod index 9076933b6..13a1258e5 100644 --- a/frontend/go.mod +++ b/frontend/go.mod @@ -21,7 +21,7 @@ require ( go.opentelemetry.io/collector/pdata v1.12.0 go.opentelemetry.io/collector/receiver/otlpreceiver v0.106.1 go.opentelemetry.io/otel v1.29.0 - golang.org/x/sync v0.7.0 + golang.org/x/sync v0.10.0 k8s.io/api v0.31.0 k8s.io/apimachinery v0.31.0 k8s.io/client-go v0.31.0 @@ -132,12 +132,12 @@ require ( go.opentelemetry.io/collector/pdata/pprofile v0.106.1 // indirect go.opentelemetry.io/otel/trace v1.29.0 // indirect golang.org/x/arch v0.3.0 // indirect - golang.org/x/crypto v0.25.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/net v0.27.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/protobuf v1.34.2 // indirect diff --git a/frontend/go.sum b/frontend/go.sum index a6ed52ff1..7ae38cb33 100644 --- a/frontend/go.sum +++ b/frontend/go.sum 
@@ -338,8 +338,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU= golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -356,8 +356,8 @@ golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -368,16 +368,16 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
diff --git a/helm/odigos/templates/instrumentor/clusterrole.yaml b/helm/odigos/templates/instrumentor/clusterrole.yaml index 1c558fcf8..d1d479f72 100644 --- a/helm/odigos/templates/instrumentor/clusterrole.yaml +++ b/helm/odigos/templates/instrumentor/clusterrole.yaml @@ -6,102 +6,75 @@ rules: - apiGroups: - "" resources: - - namespaces - nodes verbs: - - get - list - watch + - get - apiGroups: - - apps + - "" resources: - - daemonsets - - deployments - - statefulsets + - namespaces verbs: - - create - - get - list - - patch - - update - watch + - get - apiGroups: - - "" + - apps resources: - - configmaps + - daemonsets verbs: - - create - - delete - get - list - - patch - - update - watch + - update + - patch - apiGroups: - apps resources: - - daemonsets/finalizers - - deployments/finalizers - - statefulsets/finalizers + - deployments verbs: + - get + - list + - watch - update + - patch - apiGroups: - apps resources: - - daemonsets/status - - deployments/status - - statefulsets/status + - statefulsets verbs: - get + - list + - watch + - update + - patch - apiGroups: - odigos.io resources: - - collectorsgroups - instrumentedapplications - - destinations verbs: - - create - delete - get - list - - patch - - update - watch - apiGroups: - odigos.io resources: - - collectorsgroups/finalizers - - instrumentedapplications/finalizers - - destinations/finalizers + - instrumentedapplications/status verbs: + - get + - patch - update - apiGroups: - odigos.io resources: - - collectorsgroups/status - - instrumentedapplications/status - - destinations/status + - instrumentationconfigs verbs: + - create + - delete - get + - list - patch - update - - apiGroups: - - odigos.io - resources: - - instrumentationconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - odigos.io - resources: - - instrumentationrules - verbs: - - get - - list - - watch + - watch 
diff --git a/helm/odigos/templates/instrumentor/role.yaml b/helm/odigos/templates/instrumentor/role.yaml new file mode 100644 index 000000000..05e6908a6 --- /dev/null +++ b/helm/odigos/templates/instrumentor/role.yaml @@ -0,0 +1,48 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resourceNames: + - odigos-config + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups/status + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - destinations + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - instrumentationrules + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/helm/odigos/templates/instrumentor/rolebinding.yaml b/helm/odigos/templates/instrumentor/rolebinding.yaml new file mode 100644 index 000000000..7d3bc38ab --- /dev/null +++ b/helm/odigos/templates/instrumentor/rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: odigos-instrumentor +subjects: +- kind: ServiceAccount + name: odigos-instrumentor diff --git a/instrumentor/main.go b/instrumentor/main.go index beb2b6855..131c9d2f2 100644 --- a/instrumentor/main.go +++ b/instrumentor/main.go @@ -20,6 +20,7 @@ import ( "flag" "os" + "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/k8sutils/pkg/env" "github.com/odigos-io/odigos/instrumentor/controllers/instrumentationconfig" 
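Review bot: The ServiceAccount subject in rolebinding.yaml carries no `namespace`, so the grant resolves to the binding's own namespace only implicitly. Writing `namespace: {{ .Release.Namespace }}` under the subject makes the grant explicit and matches NewInstrumentorClusterRoleBinding, whose subject sets `Namespace: ns`. NewInstrumentorRoleBinding in cli/cmd/resources/instrumentor.go omits `Namespace: ns` on its subject in the same way. role.yaml also ends without a trailing newline.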
@@ -38,7 +39,7 @@ import ( "github.com/go-logr/zapr" bridge "github.com/odigos-io/opentelemetry-zap-bridge" - v1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" + odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" "github.com/odigos-io/odigos/common" "github.com/odigos-io/odigos/instrumentor/controllers/deleteinstrumentedapplication" @@ -48,6 +49,7 @@ import ( // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. + "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" @@ -69,7 +71,7 @@ var ( func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - utilruntime.Must(v1.AddToScheme(scheme)) + utilruntime.Must(odigosv1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -97,6 +99,11 @@ func main() { logger := zapr.NewLogger(zapLogger) ctrl.SetLogger(logger) + odigosNs := env.GetCurrentNamespace() + nsSelector := client.InNamespace(odigosNs).AsSelector() + odigosConfigNameSelector := fields.OneTermEqualSelector("metadata.name", consts.OdigosConfigurationName) + odigosConfigSelector := fields.AndSelectors(nsSelector, odigosConfigNameSelector) + mgrOptions := ctrl.Options{ Scheme: scheme, Metrics: metricsserver.Options{ @@ -111,7 +118,16 @@ func main() { // Currently, instrumentor only need the labels and the .spec.template.spec field of the workloads. ByObject: map[client.Object]cache.ByObject{ &corev1.ConfigMap{}: { - Field: client.InNamespace(env.GetCurrentNamespace()).AsSelector(), + Field: odigosConfigSelector, + }, + &odigosv1.CollectorsGroup{}: { + Field: nsSelector, + }, + &odigosv1.Destination{}: { + Field: nsSelector, + }, + &odigosv1.InstrumentationRule{}: { + Field: nsSelector, }, }, },
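Review bot: The cache selectors added in main() are what keep the informers within the new namespaced Role, but nothing in the code says so. Assuming `consts.OdigosConfigurationName` is `odigos-config`, the ConfigMap informer's list/watch is authorized by the `resourceNames` rule only because `odigosConfigSelector` pins `metadata.name`, and the CollectorsGroup, Destination and InstrumentationRule informers work only because `nsSelector` stops them listing cluster-wide. I would add a comment above `odigosNs := ...` such as `// These selectors must stay in sync with the instrumentor Role: widening either one makes the informer's list/watch fail with Forbidden.` and a pointer to it on the `ByObject` map in the @@ -111 hunk. It is also worth checking what `env.GetCurrentNamespace()` returns when the namespace is not set (its body is not in this diff), since an empty value would flow into every selector. main() starts and ends outside these hunks.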