From 5769b17e065682eb719ad21d601f3d726884682c Mon Sep 17 00:00:00 2001 From: Elliott Baron Date: Thu, 10 Oct 2024 14:17:11 -0400 Subject: [PATCH] feat(insights): use separate deployment for Insights --- Makefile | 27 +++++--- ...yostat-operator.clusterserviceversion.yaml | 6 +- config/insights/deployment.yaml | 67 +++++++++++++++++++ config/insights/insights_patch.yaml | 17 ----- config/insights/kustomization.yaml | 42 +++++++++++- config/insights/leader_election_role.yaml | 44 ++++++++++++ .../leader_election_role_binding.yaml | 18 +++++ config/insights/role.yaml | 65 ++++++++++++++++++ config/insights/role_binding.yaml | 39 +++++++++++ config/insights/service_account.yaml | 5 ++ config/manager/manager.yaml | 4 -- config/overlays/insights/insights_patch.yaml | 38 +++++++++++ config/overlays/insights/kustomization.yaml | 6 ++ go.mod | 1 - go.sum | 2 - hack/insights_patch.yaml.in | 29 ++++++-- internal/main.go | 19 +++--- 17 files changed, 376 insertions(+), 53 deletions(-) create mode 100644 config/insights/deployment.yaml delete mode 100644 config/insights/insights_patch.yaml create mode 100644 config/insights/leader_election_role.yaml create mode 100644 config/insights/leader_election_role_binding.yaml create mode 100644 config/insights/role.yaml create mode 100644 config/insights/role_binding.yaml create mode 100644 config/insights/service_account.yaml create mode 100644 config/overlays/insights/insights_patch.yaml create mode 100644 config/overlays/insights/kustomization.yaml diff --git a/Makefile b/Makefile index 4bf2ed26..8c373cf8 100644 --- a/Makefile +++ b/Makefile @@ -102,7 +102,7 @@ CERT_MANAGER_VERSION ?= 1.11.5 CERT_MANAGER_MANIFEST ?= \ https://github.com/cert-manager/cert-manager/releases/download/v$(CERT_MANAGER_VERSION)/cert-manager.yaml -KUSTOMIZE_VERSION ?= 3.8.7 +KUSTOMIZE_VERSION ?= 4.5.7 CONTROLLER_TOOLS_VERSION ?= 0.14.0 GOLICENSE_VERSION ?= 1.29.0 OPM_VERSION ?= 1.23.0 @@ -142,17 +142,23 @@ ifneq ("$(wildcard $(GINKGO))","") GO_TEST="$(GINKGO)" -cover -output-dir=. endif +KUSTOMIZE_DIR ?= config/default # Optional Red Hat Insights integration ENABLE_INSIGHTS ?= false ifeq ($(ENABLE_INSIGHTS), true) -KUSTOMIZE_DIR ?= config/insights -INSIGHTS_PROXY_NAMESPACE ?= quay.io/3scale -INSIGHTS_PROXY_NAME ?= apicast -INSIGHTS_PROXY_VERSION ?= insights-01 +KUSTOMIZE_BUNDLE_DIR ?= config/overlays/insights +INSIGHTS_PROXY_NAMESPACE ?= registry.redhat.io/3scale-amp2 +INSIGHTS_PROXY_NAME ?= apicast-gateway-rhel8 +INSIGHTS_PROXY_VERSION ?= 3scale2.14 export INSIGHTS_PROXY_IMG ?= $(INSIGHTS_PROXY_NAMESPACE)/$(INSIGHTS_PROXY_NAME):$(INSIGHTS_PROXY_VERSION) export INSIGHTS_BACKEND ?= console.redhat.com +RUNTIMES_INVENTORY_NAMESPACE ?= registry.redhat.io/insights-runtimes-tech-preview +RUNTIMES_INVENTORY_NAME ?= runtimes-inventory-rhel8-operator +RUNTIMES_INVENTORY_VERSION ?= latest +RUNTIMES_INVENTORY_IMG ?= $(RUNTIMES_INVENTORY_NAMESPACE)/$(RUNTIMES_INVENTORY_NAME):$(RUNTIMES_INVENTORY_VERSION) +BUNDLE_GEN_FLAGS += --extra-service-accounts cryostat-operator-insights else -KUSTOMIZE_DIR ?= config/default +KUSTOMIZE_BUNDLE_DIR ?= config/manifests endif # Specify which scorecard tests/suites to run @@ -329,10 +335,13 @@ catalog-build: opm ## Build a catalog image. bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. $(OPERATOR_SDK) generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(OPERATOR_IMG) +ifeq ($(ENABLE_INSIGHTS), true) + cd config/insights && $(KUSTOMIZE) edit set image insights=$(RUNTIMES_INVENTORY_IMG) +endif ifeq ($(BUNDLE_MODE), ocp) - cd config/manifests && $(KUSTOMIZE) edit add base ../openshift + cd $(KUSTOMIZE_BUNDLE_DIR) && $(KUSTOMIZE) edit add base ../openshift endif - $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) + $(KUSTOMIZE) build $(KUSTOMIZE_BUNDLE_DIR) | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) # Workaround for: https://issues.redhat.com/browse/OCPBUGS-34901 yq -i '.spec.customresourcedefinitions.owned |= reverse' bundle/manifests/cryostat-operator.clusterserviceversion.yaml $(OPERATOR_SDK) bundle validate ./bundle @@ -349,7 +358,7 @@ manifests: controller-gen ## Generate manifests e.g. CRD, RBAC, etc. envsubst < hack/image_tag_patch.yaml.in > config/default/image_tag_patch.yaml envsubst < hack/image_pull_patch.yaml.in > config/default/image_pull_patch.yaml ifeq ($(ENABLE_INSIGHTS), true) - envsubst < hack/insights_patch.yaml.in > config/insights/insights_patch.yaml + envsubst < hack/insights_patch.yaml.in > config/overlays/insights/insights_patch.yaml endif .PHONY: fmt diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml index 5f2ab412..9aa26834 100644 --- a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml +++ b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml @@ -30,7 +30,7 @@ metadata: capabilities: Seamless Upgrades categories: Monitoring, Developer Tools containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev - createdAt: "2024-10-04T18:55:09Z" + createdAt: "2024-10-10T18:16:26Z" description: JVM monitoring and profiling tool operatorframework.io/initialization-resource: |- { @@ -1024,10 +1024,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace image: quay.io/cryostat/cryostat-operator:4.0.0-dev imagePullPolicy: Always livenessProbe: diff --git a/config/insights/deployment.yaml b/config/insights/deployment.yaml new file mode 100644 index 00000000..08d7a5d8 --- /dev/null +++ b/config/insights/deployment.yaml @@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: insights + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + annotations: + kubectl.kubernetes.io/default-container: insights + spec: + serviceAccountName: insights + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: insights + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=0" # Metrics disabled + - "--leader-elect" + image: registry.redhat.io/insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + env: + - name: WATCH_NAMESPACE + value: "" + - name: OPERATOR_NAME + value: placeholder + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSIGHTS_ENABLED + value: "true" + resources: + limits: + cpu: 1000m + memory: 256Mi + requests: + cpu: 100m + memory: 64Mi + terminationGracePeriodSeconds: 10 diff --git a/config/insights/insights_patch.yaml b/config/insights/insights_patch.yaml deleted file mode 100644 index 3f144243..00000000 --- a/config/insights/insights_patch.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller - namespace: system -spec: - template: - spec: - containers: - - name: manager - env: - - name: RELATED_IMAGE_INSIGHTS_PROXY - value: "quay.io/3scale/apicast:insights-01" - - name: INSIGHTS_ENABLED - value: "true" - - name: INSIGHTS_BACKEND_DOMAIN - value: "console.redhat.com" diff --git a/config/insights/kustomization.yaml b/config/insights/kustomization.yaml index cf37b360..743f8225 100644 --- a/config/insights/kustomization.yaml +++ b/config/insights/kustomization.yaml @@ -1,5 +1,41 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# Adds namespace to all resources. +namespace: cryostat-operator-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: cryostat-operator- + +# Labels to add to all resources and selectors. +commonLabels: + app.kubernetes.io/name: cryostat-operator-insights + resources: -- ../default +- deployment.yaml +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml + +replacements: +- source: + fieldPath: metadata.name + kind: Deployment + name: insights + targets: + - fieldPaths: + - spec.template.spec.containers.[name=insights].env.[name=OPERATOR_NAME].value + select: + kind: Deployment + name: insights -patchesStrategicMerge: -- insights_patch.yaml +images: +- name: insights + newName: registry.redhat.io/insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator + newTag: latest diff --git a/config/insights/leader_election_role.yaml b/config/insights/leader_election_role.yaml new file mode 100644 index 00000000..121000a7 --- /dev/null +++ b/config/insights/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: insights-leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: runtimes-inventory-operator + app.kubernetes.io/part-of: runtimes-inventory-operator + app.kubernetes.io/managed-by: kustomize + name: insights-leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/insights/leader_election_role_binding.yaml b/config/insights/leader_election_role_binding.yaml new file mode 100644 index 00000000..6317aed2 --- /dev/null +++ b/config/insights/leader_election_role_binding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: insights-leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: runtimes-inventory-operator + app.kubernetes.io/part-of: runtimes-inventory-operator + app.kubernetes.io/managed-by: kustomize + name: insights-leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: insights-leader-election-role +subjects: +- kind: ServiceAccount + name: insights diff --git a/config/insights/role.yaml b/config/insights/role.yaml new file mode 100644 index 00000000..819a4c5f --- /dev/null +++ b/config/insights/role.yaml @@ -0,0 +1,65 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: insights-role +rules: +- apiGroups: + - "" + resourceNames: + - pull-secret + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - clusterversions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: insights-role + namespace: system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - create + - get + - list + - update + - watch diff --git a/config/insights/role_binding.yaml b/config/insights/role_binding.yaml new file mode 100644 index 00000000..faa38593 --- /dev/null +++ b/config/insights/role_binding.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: insights-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: runtimes-inventory-operator + app.kubernetes.io/part-of: runtimes-inventory-operator + app.kubernetes.io/managed-by: kustomize + name: insights-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: insights-role +subjects: +- kind: ServiceAccount + name: insights +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: insights-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: runtimes-inventory-operator + app.kubernetes.io/part-of: runtimes-inventory-operator + app.kubernetes.io/managed-by: kustomize + name: insights-rolebinding + namespace: system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: insights-role +subjects: +- kind: ServiceAccount + name: insights diff --git a/config/insights/service_account.yaml b/config/insights/service_account.yaml new file mode 100644 index 00000000..3f74c660 --- /dev/null +++ b/config/insights/service_account.yaml @@ -0,0 +1,5 @@ +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: insights diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 4dac0ddd..4e3456da 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -49,10 +49,6 @@ spec: env: - name: WATCH_NAMESPACE value: "" - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace resources: limits: cpu: 1000m diff --git a/config/overlays/insights/insights_patch.yaml b/config/overlays/insights/insights_patch.yaml new file mode 100644 index 00000000..811e1caf --- /dev/null +++ b/config/overlays/insights/insights_patch.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: insights + namespace: system +spec: + template: + spec: + containers: + - name: insights + env: + - name: RELATED_IMAGE_INSIGHTS_PROXY + value: "registry.redhat.io/3scale-amp2/apicast-gateway-rhel8:3scale2.14" + - name: INSIGHTS_BACKEND_DOMAIN + value: "console.redhat.com" + - name: USER_AGENT_PREFIX + value: "cryostat-operator/4.0.0-dev" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller + namespace: system +spec: + template: + spec: + containers: + - name: manager + env: + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSIGHTS_ENABLED + value: "true" + - name: INSIGHTS_URL + value: "http://insights-proxy.$(OPERATOR_NAMESPACE).svc.cluster.local:8080" diff --git a/config/overlays/insights/kustomization.yaml b/config/overlays/insights/kustomization.yaml new file mode 100644 index 00000000..fc5b1676 --- /dev/null +++ b/config/overlays/insights/kustomization.yaml @@ -0,0 +1,6 @@ +resources: +- ../../manifests +- ../../insights + +patchesStrategicMerge: +- insights_patch.yaml diff --git a/go.mod b/go.mod index 68163cdf..09c1cf77 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,6 @@ module github.com/cryostatio/cryostat-operator go 1.21 require ( - github.com/RedHatInsights/runtimes-inventory-operator v0.0.0-20240327135922-5705da62073c github.com/blang/semver/v4 v4.0.0 github.com/cert-manager/cert-manager v1.13.6 github.com/go-logr/logr v1.4.2 diff --git a/go.sum b/go.sum index d602422e..0fbaf53e 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,3 @@ -github.com/RedHatInsights/runtimes-inventory-operator v0.0.0-20240327135922-5705da62073c h1:Dl3eCF6o2IUMzIi+V0RpZIii2nOUFPWI3gB/ZE2TcZY= -github.com/RedHatInsights/runtimes-inventory-operator v0.0.0-20240327135922-5705da62073c/go.mod h1:DhoPtaJhm/8OOJjp8lrDJAmdMsjo4mDJBzHYvChegnM= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= diff --git a/hack/insights_patch.yaml.in b/hack/insights_patch.yaml.in index af011e7e..2af867b1 100644 --- a/hack/insights_patch.yaml.in +++ b/hack/insights_patch.yaml.in @@ -1,17 +1,38 @@ +--- apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: insights namespace: system spec: template: spec: containers: - - name: manager + - name: insights env: - name: RELATED_IMAGE_INSIGHTS_PROXY value: "${INSIGHTS_PROXY_IMG}" - - name: INSIGHTS_ENABLED - value: "true" - name: INSIGHTS_BACKEND_DOMAIN value: "${INSIGHTS_BACKEND}" + - name: USER_AGENT_PREFIX + value: "cryostat-operator/${OPERATOR_VERSION}" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller + namespace: system +spec: + template: + spec: + containers: + - name: manager + env: + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSIGHTS_ENABLED + value: "true" + - name: INSIGHTS_URL + value: "http://insights-proxy.$(OPERATOR_NAMESPACE).svc.cluster.local:8080" diff --git a/internal/main.go b/internal/main.go index 611b474a..4ea9cc95 100644 --- a/internal/main.go +++ b/internal/main.go @@ -20,6 +20,7 @@ import ( "fmt" "net/url" "os" + "strings" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. @@ -39,12 +40,10 @@ import ( metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" "sigs.k8s.io/controller-runtime/pkg/webhook" - "github.com/RedHatInsights/runtimes-inventory-operator/pkg/insights" operatorv1beta1 "github.com/cryostatio/cryostat-operator/api/v1beta1" operatorv1beta2 "github.com/cryostatio/cryostat-operator/api/v1beta2" "github.com/cryostatio/cryostat-operator/internal/controllers" "github.com/cryostatio/cryostat-operator/internal/controllers/common" - "github.com/cryostatio/cryostat-operator/internal/controllers/constants" "github.com/cryostatio/cryostat-operator/internal/webhooks" // +kubebuilder:scaffold:imports ) @@ -163,14 +162,18 @@ func main() { } // Optionally enable Insights integration. Will only be enabled if INSIGHTS_ENABLED is true - operatorNamespace := os.Getenv("OPERATOR_NAMESPACE") - userAgentPrefix := fmt.Sprintf("cryostat-operator/%s", controllers.OperatorVersion) var insightsURL *url.URL if openShift { - insightsURL, err = insights.NewInsightsIntegration(mgr, constants.OperatorDeploymentName, - operatorNamespace, userAgentPrefix, &setupLog).Setup() - if err != nil { - setupLog.Error(err, "failed to set up Insights integration") + insightsEnabledEnv := os.Getenv("INSIGHTS_ENABLED") + if strings.ToLower(insightsEnabledEnv) == "true" { + insightsURLEnv := os.Getenv("INSIGHTS_URL") + if len(insightsURLEnv) > 0 { + insightsURL, err = url.Parse(insightsURLEnv) + if err != nil { + setupLog.Error(err, "INSIGHTS_URL is invalid") + os.Exit(1) + } + } } }