draft: add namespace scoped operator mode

This adds automation and docs for restricting the operator scope from cluster wide to namespace restricted. Signed-off-by: NymanRobin <[email protected]>
metal3-io · Aug 21, 2024 · 97bf046 · 97bf046
1 parent efae71e
commit 97bf046
Show file tree

Hide file tree

Showing 33 changed files with 1,876 additions and 115 deletions.
diff --git a/Makefile b/Makefile
@@ -209,6 +209,10 @@ manifests-generate: $(CONTROLLER_GEN)
 manifests-kustomize: $(KUSTOMIZE)
 	$< build config/default > config/render/capm3.yaml
 
+.PHONY: manifests-namespaced
+manifests-namespaced: manifests-generate $(KUSTOMIZE)
+	$(KUSTOMIZE) build config/overlays/namespaced --enable-alpha-plugins > config/render/capm3.yaml
+
 .PHONY: set-manifest-image-bmo
 set-manifest-image-bmo: $(KUSTOMIZE) manifests
 	$(info Updating container image for BMO to use ${MANIFEST_IMG}:${MANIFEST_TAG})

diff --git a/config/namespace/namespace.yaml b/config/namespace/namespace.yaml
@@ -3,4 +3,4 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
-  name: baremetal-operator-system
+  name: baremetal-operator-system
diff --git a/config/overlays/namespaced-e2e/kustomization.yaml b/config/overlays/namespaced-e2e/kustomization.yaml
@@ -0,0 +1,47 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../e2e
+
+# The subjects and roleRef needs to be update here otherwise we lose name-prefix
+# This is of course not ideal if the name-prefix changes
+patchesStrategicMerge:
+  - namespaced-manager-patch.yaml
+  - |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: baremetal-operator-manager-rolebinding
+    roleRef:
+      kind: Role
+      name: baremetal-operator-manager-role
+    subjects:
+    - kind: ServiceAccount
+      name: baremetal-operator-controller-manager
+      namespace: baremetal-operator-system
+
+patches:
+- patch: |
+    # Add a namespace to watch
+    - op: replace
+      path: /kind
+      value: RoleBinding
+
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: baremetal-operator-manager-rolebinding
+
+- patch: |
+    # Add a namespace to watch
+    - op: replace
+      path: /kind
+      value: Role
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: baremetal-operator-manager-role
+
+transformers:
+- roles-ns-annotator.yaml
diff --git a/config/overlays/namespaced-e2e/namespaced-manager-patch.yaml b/config/overlays/namespaced-e2e/namespaced-manager-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: WATCH_NAMESPACE
+          value: basic-ops-test,external-inspection-test,inspection-test,live-iso-ops-test,provisioning-ops-test,re-inspection-test
+        name: manager
diff --git a/config/overlays/namespaced-e2e/roles-ns-annotator.yaml b/config/overlays/namespaced-e2e/roles-ns-annotator.yaml
@@ -0,0 +1,14 @@
+apiVersion: transformers.example.co/v1
+kind: ValueAnnotator
+metadata:
+  annotations:
+    config.kubernetes.io/function: "container:\n  image: bmo/roleannotator:1.0.0\
+      \      \n"
+  name: notImportantHere
+values:
+- basic-ops-test
+- external-inspection-test
+- inspection-test
+- live-iso-ops-test
+- provisioning-ops-test
+- re-inspection-test
diff --git a/config/overlays/namespaced/kustomization.yaml b/config/overlays/namespaced/kustomization.yaml
@@ -0,0 +1,47 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../default
+
+# The subjects and roleRef needs to be update here otherwise we lose name-prefix
+# This is of course not ideal if the name-prefix changes
+patchesStrategicMerge:
+  - namespaced-manager-patch.yaml
+  - |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: baremetal-operator-manager-rolebinding
+    roleRef:
+      kind: Role
+      name: baremetal-operator-manager-role
+    subjects:
+    - kind: ServiceAccount
+      name: baremetal-operator-controller-manager
+      namespace: baremetal-operator-system
+
+patches:
+- patch: |
+    # Add a namespace to watch
+    - op: replace
+      path: /kind
+      value: RoleBinding
+
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: baremetal-operator-manager-rolebinding
+
+- patch: |
+    # Add a namespace to watch
+    - op: replace
+      path: /kind
+      value: Role
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: baremetal-operator-manager-role
+
+transformers:
+- roles-ns-annotator.yaml
diff --git a/config/overlays/namespaced/namespaced-manager-patch.yaml b/config/overlays/namespaced/namespaced-manager-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: WATCH_NAMESPACE
+          value: basic-ops-test,external-inspection-test,inspection-test,live-iso-ops-test,provisioning-ops-test,re-inspection-test
+        name: manager
diff --git a/config/overlays/namespaced/roles-ns-annotator.yaml b/config/overlays/namespaced/roles-ns-annotator.yaml
@@ -0,0 +1,14 @@
+apiVersion: transformers.example.co/v1
+kind: ValueAnnotator
+metadata:
+  annotations:
+    config.kubernetes.io/function: "container:\n  image: bmo/roleannotator:1.0.0\
+      \      \n"
+  name: notImportantHere
+values:
+- basic-ops-test
+- external-inspection-test
+- inspection-test
+- live-iso-ops-test
+- provisioning-ops-test
+- re-inspection-test