cryostatio · ebaron · Oct 15, 2024 · Oct 10, 2024
diff --git a/Makefile b/Makefile
@@ -102,7 +102,7 @@ CERT_MANAGER_VERSION ?= 1.11.5
 CERT_MANAGER_MANIFEST ?= \
 	https://github.com/cert-manager/cert-manager/releases/download/v$(CERT_MANAGER_VERSION)/cert-manager.yaml
 
-KUSTOMIZE_VERSION ?= 3.8.7
+KUSTOMIZE_VERSION ?= 4.5.7
 CONTROLLER_TOOLS_VERSION ?= 0.14.0
 GOLICENSE_VERSION ?= 1.29.0
 OPM_VERSION ?= 1.23.0
@@ -142,17 +142,23 @@ ifneq ("$(wildcard $(GINKGO))","")
 GO_TEST="$(GINKGO)" -cover -output-dir=.
 endif
 
+KUSTOMIZE_DIR ?= config/default
 # Optional Red Hat Insights integration
 ENABLE_INSIGHTS ?= false
 ifeq ($(ENABLE_INSIGHTS), true)
-KUSTOMIZE_DIR ?= config/insights
-INSIGHTS_PROXY_NAMESPACE ?= quay.io/3scale
-INSIGHTS_PROXY_NAME ?= apicast
-INSIGHTS_PROXY_VERSION ?= insights-01
+KUSTOMIZE_BUNDLE_DIR ?= config/overlays/insights
+INSIGHTS_PROXY_NAMESPACE ?= registry.redhat.io/3scale-amp2
+INSIGHTS_PROXY_NAME ?= apicast-gateway-rhel8
+INSIGHTS_PROXY_VERSION ?= 3scale2.14
 export INSIGHTS_PROXY_IMG ?= $(INSIGHTS_PROXY_NAMESPACE)/$(INSIGHTS_PROXY_NAME):$(INSIGHTS_PROXY_VERSION)
 export INSIGHTS_BACKEND ?= console.redhat.com
+RUNTIMES_INVENTORY_NAMESPACE ?= registry.redhat.io/insights-runtimes-tech-preview
+RUNTIMES_INVENTORY_NAME ?= runtimes-inventory-rhel8-operator
+RUNTIMES_INVENTORY_VERSION ?= latest
+RUNTIMES_INVENTORY_IMG ?= $(RUNTIMES_INVENTORY_NAMESPACE)/$(RUNTIMES_INVENTORY_NAME):$(RUNTIMES_INVENTORY_VERSION)
+BUNDLE_GEN_FLAGS += --extra-service-accounts cryostat-operator-insights
 else
-KUSTOMIZE_DIR ?= config/default
+KUSTOMIZE_BUNDLE_DIR ?= config/manifests
 endif
 
 # Specify which scorecard tests/suites to run
@@ -329,10 +335,13 @@ catalog-build: opm ## Build a catalog image.
 bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(OPERATOR_IMG)
+ifeq ($(ENABLE_INSIGHTS), true)
+	cd config/insights && $(KUSTOMIZE) edit set image insights=$(RUNTIMES_INVENTORY_IMG)
+endif
 ifeq ($(BUNDLE_MODE), ocp)
-	cd config/manifests && $(KUSTOMIZE) edit add base ../openshift
+	cd $(KUSTOMIZE_BUNDLE_DIR) && $(KUSTOMIZE) edit add base ../openshift
 endif
-	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
+	$(KUSTOMIZE) build $(KUSTOMIZE_BUNDLE_DIR) | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
 # Workaround for: https://issues.redhat.com/browse/OCPBUGS-34901
 	yq -i '.spec.customresourcedefinitions.owned |= reverse' bundle/manifests/cryostat-operator.clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./bundle
@@ -349,7 +358,7 @@ manifests: controller-gen ## Generate manifests e.g. CRD, RBAC, etc.
 	envsubst < hack/image_tag_patch.yaml.in > config/default/image_tag_patch.yaml
 	envsubst < hack/image_pull_patch.yaml.in > config/default/image_pull_patch.yaml
 ifeq ($(ENABLE_INSIGHTS), true)
-	envsubst < hack/insights_patch.yaml.in > config/insights/insights_patch.yaml
+	envsubst < hack/insights_patch.yaml.in > config/overlays/insights/insights_patch.yaml
 endif
 
 .PHONY: fmt

diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -30,7 +30,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
-    createdAt: "2024-10-04T18:55:09Z"
+    createdAt: "2024-10-10T18:16:26Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -1024,10 +1024,6 @@ spec:
                         valueFrom:
                           fieldRef:
                             fieldPath: metadata.annotations['olm.targetNamespaces']
-                      - name: OPERATOR_NAMESPACE
-                        valueFrom:
-                          fieldRef:
-                            fieldPath: metadata.namespace
                     image: quay.io/cryostat/cryostat-operator:4.0.0-dev
                     imagePullPolicy: Always
                     livenessProbe:

diff --git a/config/insights/deployment.yaml b/config/insights/deployment.yaml
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: insights
+  namespace: system
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+      annotations:
+        kubectl.kubernetes.io/default-container: insights
+    spec:
+      serviceAccountName: insights
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: insights
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=0" # Metrics disabled
+        - "--leader-elect"
+        image: registry.redhat.io/insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        env:
+        - name: WATCH_NAMESPACE
+          value: ""
+        - name: OPERATOR_NAME
+          value: placeholder
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSIGHTS_ENABLED
+          value: "true"
+        resources:
+          limits:
+            cpu: 1000m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
+      terminationGracePeriodSeconds: 10
diff --git a/config/insights/insights_patch.yaml b/config/insights/insights_patch.yaml
diff --git a/config/insights/kustomization.yaml b/config/insights/kustomization.yaml
@@ -1,5 +1,41 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Adds namespace to all resources.
+namespace: cryostat-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: cryostat-operator-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  app.kubernetes.io/name: cryostat-operator-insights
+
 resources:
-- ../default
+- deployment.yaml
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+
+replacements:
+- source:
+    fieldPath: metadata.name
+    kind: Deployment
+    name: insights
+  targets:
+  - fieldPaths:
+    - spec.template.spec.containers.[name=insights].env.[name=OPERATOR_NAME].value
+    select:
+      kind: Deployment
+      name: insights
 
-patchesStrategicMerge:
-- insights_patch.yaml
+images:
+- name: insights
+  newName: registry.redhat.io/insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator
+  newTag: latest
diff --git a/config/insights/leader_election_role.yaml b/config/insights/leader_election_role.yaml
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: insights-leader-election-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: runtimes-inventory-operator
+    app.kubernetes.io/part-of: runtimes-inventory-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: insights-leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
diff --git a/config/insights/leader_election_role_binding.yaml b/config/insights/leader_election_role_binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/instance: insights-leader-election-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: runtimes-inventory-operator
+    app.kubernetes.io/part-of: runtimes-inventory-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: insights-leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: insights-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: insights
diff --git a/config/insights/role.yaml b/config/insights/role.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: insights-role
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - pull-secret
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: insights-role
+  namespace: system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/finalizers
+  - secrets
+  - services
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - deployments/finalizers
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
diff --git a/config/insights/role_binding.yaml b/config/insights/role_binding.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: insights-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: runtimes-inventory-operator
+    app.kubernetes.io/part-of: runtimes-inventory-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: insights-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: insights-role
+subjects:
+- kind: ServiceAccount
+  name: insights
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/instance: insights-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: runtimes-inventory-operator
+    app.kubernetes.io/part-of: runtimes-inventory-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: insights-rolebinding
+  namespace: system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: insights-role
+subjects:
+- kind: ServiceAccount
+  name: insights
diff --git a/config/insights/service_account.yaml b/config/insights/service_account.yaml
@@ -0,0 +1,5 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: insights