From bf2cddfeb1f7d6eea3ce8eb696fb9771b8994583 Mon Sep 17 00:00:00 2001 
From: jeremyharisch Date: Thu, 25 Jul 2024 09:26:57 +0200 Subject: [PATCH 01/17] Remove Redundancy and duplication, check for same naming pattern --- .github/workflows/test-smoke.yml | 2 +- Makefile | 4 +-- .../adjust_resources_in_deployment.yaml | 2 +- .../patches/secured_manager_auth_proxy.yaml | 2 +- .../patches/service_monitor.yaml | 2 +- .../patches/unique_manager_webhook_patch.yaml | 2 +- config/default/manager_webhook_patch.yaml | 2 +- config/istio/ap.yaml | 2 +- .../istio/patches/exclude_webhook_port.yaml | 2 +- config/load_test/manager_webhook_patch.yaml | 2 +- .../adjust_resources_in_deployment.yaml | 2 +- config/manager/kustomization.yaml | 3 +- config/manager/manager.yaml | 4 +-- config/prometheus/monitor.yaml | 2 +- .../cluster_bindings/clusterrole_binding.yaml | 4 +-- .../manifest_clusterrole_binding.yaml | 11 ------- .../metrics_clusterrole_binding.yaml | 6 ++-- config/rbac/common/crd_clusterrole.yaml | 2 +- .../rbac/common/crd_clusterrole_binding.yaml | 4 +-- config/rbac/common/kustomization.yaml | 2 -- config/rbac/common/leader_election_role.yaml | 2 +- .../common/leader_election_role_binding.yaml | 6 ++-- config/rbac/common/manifest_clusterrole.yaml | 31 ------------------- config/rbac/common/metrics_clusterrole.yaml | 2 +- config/rbac/common/role.yaml | 29 ++++++++++++++++- config/rbac/common/service_account.yaml | 2 +- .../namespace_bindings/kustomization.yaml | 2 -- .../manifest_role_binding.yaml | 12 ------- .../metrics_role_binding.yaml | 6 ++-- .../rbac/namespace_bindings/role_binding.yaml | 19 ++++++------ config/watcher_local_test/kustomization.yaml | 2 +- .../adjust_resources_for_local_setup.yaml | 2 +- .../patches/servicemonitor_delete.yaml | 2 +- .../01-10-control-plane-quick-start.md | 2 +- internal/controller/manifest/controller.go | 4 +++ pkg/testutils/klm.go | 2 +- 36 files changed, 80 insertions(+), 107 deletions(-) delete mode 100644 config/rbac/cluster_bindings/manifest_clusterrole_binding.yaml delete mode 100644 
config/rbac/common/manifest_clusterrole.yaml delete mode 100644 config/rbac/namespace_bindings/manifest_role_binding.yaml diff --git a/.github/workflows/test-smoke.yml b/.github/workflows/test-smoke.yml index cb08239ccb..8f39c8600a 100644 --- a/.github/workflows/test-smoke.yml +++ b/.github/workflows/test-smoke.yml @@ -128,7 +128,7 @@ jobs: name: kyma-cli-provisioned-wildcard subjects: - kind: ServiceAccount - name: lifecycle-manager-controller-manager + name: lifecycle-manager-controller namespace: kcp-system EOF kubectl apply -f tests/moduletemplates/moduletemplate_template_operator_v1_regular.yaml diff --git a/Makefile b/Makefile index 22942ec5f4..6be0f8d527 100644 --- a/Makefile +++ b/Makefile @@ -46,7 +46,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:dir=config/rbac/common + $(CONTROLLER_GEN) rbac:roleName=controller-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:dir=config/rbac/common .PHONY: test-crd test-crd: controller-gen ## Generate crd for test @@ -123,7 +123,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default | kubectl apply -f - + $(KUSTOMIZE) build config/default > lifecycle-manager.yaml .PHONY: lt-deploy lt-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. diff --git a/config/control-plane/patches/adjust_resources_in_deployment.yaml b/config/control-plane/patches/adjust_resources_in_deployment.yaml index bc1694d98f..cba730fd36 100644 
--- a/config/control-plane/patches/adjust_resources_in_deployment.yaml +++ b/config/control-plane/patches/adjust_resources_in_deployment.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/control-plane/patches/secured_manager_auth_proxy.yaml b/config/control-plane/patches/secured_manager_auth_proxy.yaml index b1dd3ca9bb..2966a26297 100644 --- a/config/control-plane/patches/secured_manager_auth_proxy.yaml +++ b/config/control-plane/patches/secured_manager_auth_proxy.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/control-plane/patches/service_monitor.yaml b/config/control-plane/patches/service_monitor.yaml index e409401221..eda4253869 100644 --- a/config/control-plane/patches/service_monitor.yaml +++ b/config/control-plane/patches/service_monitor.yaml @@ -3,7 +3,7 @@ kind: ServiceMonitor metadata: labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io - name: controller-manager-metrics-monitor + name: controller-metrics-monitor spec: endpoints: - path: /metrics diff --git a/config/control-plane/patches/unique_manager_webhook_patch.yaml b/config/control-plane/patches/unique_manager_webhook_patch.yaml index d4de566451..f9a0d6ca15 100644 --- a/config/control-plane/patches/unique_manager_webhook_patch.yaml +++ b/config/control-plane/patches/unique_manager_webhook_patch.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 9c5b1237d2..eb1d18a35e 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml 
@@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/istio/ap.yaml b/config/istio/ap.yaml index da9ce357e3..d63b31ef66 100644 --- a/config/istio/ap.yaml +++ b/config/istio/ap.yaml @@ -1,7 +1,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: controller-manager + name: controller spec: action: ALLOW rules: diff --git a/config/istio/patches/exclude_webhook_port.yaml b/config/istio/patches/exclude_webhook_port.yaml index e48fcbb17b..d004c4075e 100644 --- a/config/istio/patches/exclude_webhook_port.yaml +++ b/config/istio/patches/exclude_webhook_port.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: metadata: diff --git a/config/load_test/manager_webhook_patch.yaml b/config/load_test/manager_webhook_patch.yaml index 9c5b1237d2..eb1d18a35e 100644 --- a/config/load_test/manager_webhook_patch.yaml +++ b/config/load_test/manager_webhook_patch.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/load_test/patches/adjust_resources_in_deployment.yaml b/config/load_test/patches/adjust_resources_in_deployment.yaml index 521371ed8c..ba03105d15 100644 --- a/config/load_test/patches/adjust_resources_in_deployment.yaml +++ b/config/load_test/patches/adjust_resources_in_deployment.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 00ae86ff75..6688e018d8 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
@@ -10,5 +10,4 @@ generatorOptions: images: - name: controller - newName: europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager - newTag: latest + newName: /lifecycle-manager diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index fcaf5dae0b..41fb492d06 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io spec: @@ -52,6 +52,6 @@ spec: requests: cpu: 10m memory: 64Mi - serviceAccountName: controller-manager + serviceAccountName: controller terminationGracePeriodSeconds: 10 --- diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 4f5956b9c1..a5824ec7bc 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -5,7 +5,7 @@ kind: ServiceMonitor metadata: labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io - name: controller-manager-metrics-monitor + name: controller-metrics-monitor spec: endpoints: - path: /metrics diff --git a/config/rbac/cluster_bindings/clusterrole_binding.yaml b/config/rbac/cluster_bindings/clusterrole_binding.yaml index 542a0738c3..37c0e5934b 100644 --- a/config/rbac/cluster_bindings/clusterrole_binding.yaml +++ b/config/rbac/cluster_bindings/clusterrole_binding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: controller-role subjects: - kind: ServiceAccount - name: controller-manager + name: controller diff --git a/config/rbac/cluster_bindings/manifest_clusterrole_binding.yaml b/config/rbac/cluster_bindings/manifest_clusterrole_binding.yaml deleted file mode 100644 index f02414adba..0000000000 --- a/config/rbac/cluster_bindings/manifest_clusterrole_binding.yaml +++ /dev/null 
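Review bot: The new `newName: /lifecycle-manager` in config/manager/kustomization.yaml has no registry host, and the hunk also drops `newTag`, so the `controller` image no longer points at a defined artifact. This looks like residue from running the Makefile's `kustomize edit set image controller=${IMG}` with an unset registry variable rather than an intended change (inferred; the commit message does not mention it). Restore `newName: europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager` and keep an explicit `newTag`. A fixed version or digest is preferable to `latest`, so that the deployed image is reproducible and auditable.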
@@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-rolebinding-manifest -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role-manifest -subjects: - - kind: ServiceAccount - name: controller-manager diff --git a/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml b/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml index 3ce46652b0..5b8a16bb31 100644 --- a/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml +++ b/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: metrics-rolebinding + name: controller-rolebinding-metrics roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: metrics-reader + name: controller-role-metrics subjects: - kind: ServiceAccount - name: controller-manager + name: controller diff --git a/config/rbac/common/crd_clusterrole.yaml b/config/rbac/common/crd_clusterrole.yaml index ba7e1d8c34..4cfe2239aa 100644 --- a/config/rbac/common/crd_clusterrole.yaml +++ b/config/rbac/common/crd_clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role-crd + name: controller-role-crd rules: - apiGroups: - apiextensions.k8s.io diff --git a/config/rbac/common/crd_clusterrole_binding.yaml b/config/rbac/common/crd_clusterrole_binding.yaml index df6bba4f85..9e95c1c71a 100644 --- a/config/rbac/common/crd_clusterrole_binding.yaml +++ b/config/rbac/common/crd_clusterrole_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: manager-rolebinding-crd + name: controller-rolebinding-crd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: manager-role-crd subjects: - kind: ServiceAccount - name: controller-manager + name: manager 
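Review bot: In crd_clusterrole_binding.yaml the roleRef is left as `manager-role-crd` although crd_clusterrole.yaml renames that ClusterRole to `controller-role-crd` in the same patch, and the subject becomes `manager` although service_account.yaml renames the ServiceAccount to `controller`. The binding therefore references a role and a subject that no longer exist; the lines should read `name: controller-role-crd` and `name: controller`. The same mismatch appears in leader_election_role_binding.yaml, where the roleRef says `controller-leader-election-role` but the Role is renamed to `controller-role-leader-election`. Patch 06/17 later touches the CRD binding, and the leader-election fix is not visible here. Because `roleRef` is immutable, any cluster that applied this intermediate state needs the bindings deleted and recreated rather than patched.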
diff --git a/config/rbac/common/kustomization.yaml b/config/rbac/common/kustomization.yaml index c7a8829553..c78c855e57 100644 --- a/config/rbac/common/kustomization.yaml +++ b/config/rbac/common/kustomization.yaml @@ -12,7 +12,5 @@ resources: - leader_election_role.yaml - leader_election_role_binding.yaml - metrics_clusterrole.yaml - # Comment the following to disable manifest integration - - manifest_clusterrole.yaml - crd_clusterrole.yaml - crd_clusterrole_binding.yaml \ No newline at end of file diff --git a/config/rbac/common/leader_election_role.yaml b/config/rbac/common/leader_election_role.yaml index 4190ec8059..7daff6f45d 100644 --- a/config/rbac/common/leader_election_role.yaml +++ b/config/rbac/common/leader_election_role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: controller-role-leader-election rules: - apiGroups: - "" diff --git a/config/rbac/common/leader_election_role_binding.yaml b/config/rbac/common/leader_election_role_binding.yaml index df9defbf7a..cda502b746 100644 --- a/config/rbac/common/leader_election_role_binding.yaml +++ b/config/rbac/common/leader_election_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: leader-election-rolebinding + name: controller-rolebinding-leader-election roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: leader-election-role + name: controller-leader-election-role subjects: - kind: ServiceAccount - name: controller-manager + name: controller diff --git a/config/rbac/common/manifest_clusterrole.yaml b/config/rbac/common/manifest_clusterrole.yaml deleted file mode 100644 index 98a4618a72..0000000000 --- a/config/rbac/common/manifest_clusterrole.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role-manifest -rules: - - apiGroups: - - operator.kyma-project.io - resources: - - manifests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - operator.kyma-project.io - resources: - - manifests/finalizers - verbs: - - update - - apiGroups: - - operator.kyma-project.io - resources: - - manifests/status - verbs: - - get - - patch - - update diff --git a/config/rbac/common/metrics_clusterrole.yaml b/config/rbac/common/metrics_clusterrole.yaml index 51a75db47a..beb7b03d28 100644 --- a/config/rbac/common/metrics_clusterrole.yaml +++ b/config/rbac/common/metrics_clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: metrics-reader + name: controller-role-metrics rules: - nonResourceURLs: - "/metrics" diff --git a/config/rbac/common/role.yaml b/config/rbac/common/role.yaml index 60d7689345..5e06d77c4f 100644 --- a/config/rbac/common/role.yaml +++ b/config/rbac/common/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: controller-role rules: - apiGroups: - "" @@ -123,6 +123,33 @@ rules: - patch - update - watch +- apiGroups: + - operator.kyma-project.io + resources: + - manifests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.kyma-project.io + resources: + - manifests/finalizers + verbs: + - update +- apiGroups: + - operator.kyma-project.io + resources: + - manifests/status + verbs: + - get + - patch + - update + - watch - apiGroups: - operator.kyma-project.io resources: diff --git a/config/rbac/common/service_account.yaml b/config/rbac/common/service_account.yaml index 69ece2e4c3..34c88b4b2a 100644 --- a/config/rbac/common/service_account.yaml +++ b/config/rbac/common/service_account.yaml 
@@ -1,4 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: controller-manager + name: controller diff --git a/config/rbac/namespace_bindings/kustomization.yaml b/config/rbac/namespace_bindings/kustomization.yaml index 757f2366c3..1fe0e66f7b 100644 --- a/config/rbac/namespace_bindings/kustomization.yaml +++ b/config/rbac/namespace_bindings/kustomization.yaml @@ -12,5 +12,3 @@ resources: # subjects if changing service account names. - role_binding.yaml - metrics_role_binding.yaml - # Comment the following to disable manifest integration - - manifest_role_binding.yaml diff --git a/config/rbac/namespace_bindings/manifest_role_binding.yaml b/config/rbac/namespace_bindings/manifest_role_binding.yaml deleted file mode 100644 index bde8caaab8..0000000000 --- a/config/rbac/namespace_bindings/manifest_role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: manager-rolebinding-manifest - namespace: kcp-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role-manifest -subjects: - - kind: ServiceAccount - name: controller-manager \ No newline at end of file diff --git a/config/rbac/namespace_bindings/metrics_role_binding.yaml b/config/rbac/namespace_bindings/metrics_role_binding.yaml index 44b9b303a5..0001544a1e 100644 --- a/config/rbac/namespace_bindings/metrics_role_binding.yaml +++ b/config/rbac/namespace_bindings/metrics_role_binding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: metrics-rolebinding + name: controller-rolebinding-metrics namespace: kyma-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: metrics-reader + name: controller-role-metrics subjects: - kind: ServiceAccount - name: controller-manager \ No newline at end of file + name: controller \ No newline at end of file 
diff --git a/config/rbac/namespace_bindings/role_binding.yaml b/config/rbac/namespace_bindings/role_binding.yaml index d9a1c2a6e4..86a9034ac0 100644 --- a/config/rbac/namespace_bindings/role_binding.yaml +++ b/config/rbac/namespace_bindings/role_binding.yaml @@ -1,37 +1,38 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: manager-rolebinding-kcp-system + name: controller-rolebinding-kcp-system + namespace: kcp-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: controller-role subjects: - kind: ServiceAccount - name: controller-manager + name: controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: manager-rolebinding-kyma-system + name: controller-rolebinding-kyma-system namespace: kyma-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: controller-role subjects: - kind: ServiceAccount - name: controller-manager + name: controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: manager-rolebinding-istio-system + name: controller-rolebinding-istio-system namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: controller-role subjects: - kind: ServiceAccount - name: controller-manager \ No newline at end of file + name: controller \ No newline at end of file diff --git a/config/watcher_local_test/kustomization.yaml b/config/watcher_local_test/kustomization.yaml index 9a4ba12033..3c332dad1b 100644 --- a/config/watcher_local_test/kustomization.yaml +++ b/config/watcher_local_test/kustomization.yaml @@ -51,7 +51,7 @@ patches: group: security.istio.io version: v1beta1 kind: AuthorizationPolicy - name: controller-manager + name: controller - patch: |- - op: replace path: /spec/servers/0/hosts/0 
diff --git a/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml b/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml index 013818ff9b..b82b4eb303 100644 --- a/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml +++ b/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller spec: template: spec: diff --git a/config/watcher_local_test/patches/servicemonitor_delete.yaml b/config/watcher_local_test/patches/servicemonitor_delete.yaml index 891488c75d..6f3b36697c 100644 --- a/config/watcher_local_test/patches/servicemonitor_delete.yaml +++ b/config/watcher_local_test/patches/servicemonitor_delete.yaml @@ -2,4 +2,4 @@ $patch: delete apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: controller-manager-metrics-monitor \ No newline at end of file + name: controller-metrics-monitor \ No newline at end of file diff --git a/docs/user-tutorials/01-10-control-plane-quick-start.md b/docs/user-tutorials/01-10-control-plane-quick-start.md index 8cc8354d40..974885a735 100644 --- a/docs/user-tutorials/01-10-control-plane-quick-start.md +++ b/docs/user-tutorials/01-10-control-plane-quick-start.md @@ -58,7 +58,7 @@ We recommend deploying Lifecycle Manager with the KCP kustomize profile. You mus If the deployment was successful, you should see all the required resources. For example: -* The `klm-controller-manager` Pod in the `kcp-system` Namespace +* The `klm-controller` Pod in the `kcp-system` Namespace * A Kyma CR that uses the `regular` channel but without any module configured, sync disabled, named `default-kyma` under `kyma-system` Namespace ### Manage Modules in the Control-Plane Mode diff --git a/internal/controller/manifest/controller.go b/internal/controller/manifest/controller.go index 90fff1792c..fde90ab933 100644 --- a/internal/controller/manifest/controller.go 
+++ b/internal/controller/manifest/controller.go @@ -9,6 +9,10 @@ import ( "github.com/kyma-project/lifecycle-manager/pkg/queue" ) +// +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests/status,verbs=get;update;patch;watch +// +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests/finalizers,verbs=update + func NewReconciler(mgr manager.Manager, requeueIntervals queue.RequeueIntervals, manifestMetrics *metrics.ManifestMetrics, diff --git a/pkg/testutils/klm.go b/pkg/testutils/klm.go index f317ecef16..77695cf6d7 100644 --- a/pkg/testutils/klm.go +++ b/pkg/testutils/klm.go @@ -20,7 +20,7 @@ import ( const ( ControlPlaneNamespace = "kcp-system" watcherPodContainer = "server" - KLMPodPrefix = "klm-controller-manager" + KLMPodPrefix = "klm-controller" KLMPodContainer = "manager" RemoteNamespace = "kyma-system" ) From c2815a76bf3d6ac306ee87c45602640a33ad4efa Mon Sep 17 00:00:00 2001 From: jeremyharisch Date: Thu, 25 Jul 2024 17:33:38 +0200 Subject: [PATCH 02/17] Revert makefile change --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 6be0f8d527..9ac17f9b72 100644 --- a/Makefile +++ b/Makefile @@ -123,7 +123,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default > lifecycle-manager.yaml + $(KUSTOMIZE) build config/default | kubectl apply -f - .PHONY: lt-deploy lt-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. From e3d11b4ee725b8d2ae5325de0360ffdc91c2aa83 Mon Sep 17 00:00:00 2001 
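Review bot: The three `+kubebuilder:rbac` markers added above NewReconciler fold the manifest permissions into the generated `controller-role`, which widens where they apply. role_binding.yaml in this patch binds that role in kcp-system, kyma-system and istio-system, whereas the deleted manifest_role_binding.yaml bound `manager-role-manifest` only in kcp-system. With the namespace_bindings profile the controller's ServiceAccount thus gains create/delete/patch on `manifests` in two additional namespaces. If that is not intended, keep the manifest rules in a separate role bound only where Manifest CRs live, or add a comment such as `// manifests are reconciled in every namespace controller-role is bound in` to record that it is deliberate. NewReconciler's body continues outside the hunk.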
From: jeremyharisch Date: Fri, 26 Jul 2024 16:04:36 +0200 Subject: [PATCH 03/17] Remove duplicated manifest file --- config/rbac/cluster_bindings/kustomization.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/rbac/cluster_bindings/kustomization.yaml b/config/rbac/cluster_bindings/kustomization.yaml index d4dbdd7abe..70e3bb3228 100644 --- a/config/rbac/cluster_bindings/kustomization.yaml +++ b/config/rbac/cluster_bindings/kustomization.yaml @@ -12,5 +12,3 @@ resources: # subjects if changing service account names. - clusterrole_binding.yaml - metrics_clusterrole_binding.yaml - # Comment the following to disable manifest integration - - manifest_clusterrole_binding.yaml From 2e01665a8b08931d00ba1d03ca69f7fb5977eda1 Mon Sep 17 00:00:00 2001 From: jeremyharisch Date: Fri, 26 Jul 2024 16:08:49 +0200 Subject: [PATCH 04/17] Adapt E2E test --- tests/e2e/rbac_privileges_test.go | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index 6e05fa669a..e3f58514e4 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go @@ -11,7 +11,7 @@ import ( var _ = Describe("RBAC Privileges", func() { Context("Given KCP Cluster with KLM Service Account", func() { It("Then KLM Service Account has the correct ClusterRoleBindings", func() { - klmClusterRoleBindings, err := ListKlmClusterRoleBindings(controlPlaneClient, ctx, "klm-controller-manager") + klmClusterRoleBindings, err := ListKlmClusterRoleBindings(controlPlaneClient, ctx, "klm-controller") Expect(err).ToNot(HaveOccurred()) Expect(klmClusterRoleBindings.Items).To(HaveLen(1)) 
@@ -31,7 +31,7 @@ var _ = Describe("RBAC Privileges", func() { klmClusterRoleBindings)).To(Equal(crdRoleRules)) By("And KLM Service Account has the correct RoleBindings in kcp-system namespaces") - kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", + kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", "kcp-system") Expect(err).ToNot(HaveOccurred()) Expect(kcpSystemKlmRoleBindings.Items).To(HaveLen(3)) @@ -53,7 +53,8 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"create", "patch"}, }, } - Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient, "klm-leader-election-role", "kcp-system", + Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role-leader-election", + "kcp-system", kcpSystemKlmRoleBindings)).To(Equal(leaderElectionRoleRules)) klmManagerRoleRules := []apirbacv1.PolicyRule{ @@ -147,11 +148,6 @@ var _ = Describe("RBAC Privileges", func() { Resources: []string{"watchers/status"}, Verbs: []string{"get", "patch", "update"}, }, - } - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role", - kcpSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) - - manifestRoleRules := []apirbacv1.PolicyRule{ { APIGroups: []string{"operator.kyma-project.io"}, Resources: []string{"manifests"}, 
@@ -168,25 +164,25 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"get", "patch", "update"}, }, } - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role-manifest", - kcpSystemKlmRoleBindings)).To(Equal(manifestRoleRules)) + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", + kcpSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) By("And KLM Service Account has the correct RoleBindings in istio-system namespaces") - istioSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", + istioSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", "istio-system") Expect(err).ToNot(HaveOccurred()) Expect(istioSystemKlmRoleBindings.Items).To(HaveLen(1)) - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", istioSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) By("And KLM Service Account has the correct RoleBindings in kyma-system namespaces") - kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", + kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", "kyma-system") Expect(err).ToNot(HaveOccurred()) Expect(kymaSystemKlmRoleBindings.Items).To(HaveLen(2)) - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", kymaSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) metricsReaderRoleRules := []apirbacv1.PolicyRule{ 
@@ -195,7 +191,7 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"get"}, }, } - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-metrics-reader", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role-metrics", kymaSystemKlmRoleBindings)).To(Equal(metricsReaderRoleRules)) }) }) From a2e0a55f656ee2e829130fbfd8a9176637a60085 Mon Sep 17 00:00:00 2001 From: jeremyharisch Date: Fri, 26 Jul 2024 17:00:00 +0200 Subject: [PATCH 05/17] Adapt E2E test --- config/rbac/common/role.yaml | 1 - internal/controller/manifest/controller.go | 2 +- tests/e2e/rbac_privileges_test.go | 24 +++++++++++----------- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/config/rbac/common/role.yaml b/config/rbac/common/role.yaml index 5e06d77c4f..850213df1a 100644 --- a/config/rbac/common/role.yaml +++ b/config/rbac/common/role.yaml @@ -149,7 +149,6 @@ rules: - get - patch - update - - watch - apiGroups: - operator.kyma-project.io resources: diff --git a/internal/controller/manifest/controller.go b/internal/controller/manifest/controller.go index fde90ab933..1e20b2330f 100644 --- a/internal/controller/manifest/controller.go +++ b/internal/controller/manifest/controller.go @@ -10,7 +10,7 @@ import ( ) // +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests/status,verbs=get;update;patch;watch +// +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests/status,verbs=get;update;patch // +kubebuilder:rbac:groups=operator.kyma-project.io,resources=manifests/finalizers,verbs=update func NewReconciler(mgr manager.Manager, diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index e3f58514e4..42f176affb 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go 
@@ -27,7 +27,7 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"update"}, }, } - Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-manager-role-crd", + Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-controller-role-crd", klmClusterRoleBindings)).To(Equal(crdRoleRules)) By("And KLM Service Account has the correct RoleBindings in kcp-system namespaces") 
@@ -125,42 +125,42 @@ var _ = Describe("RBAC Privileges", func() { }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"moduletemplates"}, + Resources: []string{"manifests"}, Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"moduletemplates/finalizers"}, + Resources: []string{"manifests/finalizers"}, Verbs: []string{"update"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"watchers"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + Resources: []string{"manifests/status"}, + Verbs: []string{"get", "patch", "update"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"watchers/finalizers"}, - Verbs: []string{"update"}, + Resources: []string{"moduletemplates"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"watchers/status"}, - Verbs: []string{"get", "patch", "update"}, + Resources: []string{"moduletemplates/finalizers"}, + Verbs: []string{"update"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"manifests"}, + Resources: []string{"watchers"}, Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"manifests/finalizers"}, + Resources: []string{"watchers/finalizers"}, Verbs: []string{"update"}, }, { APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"manifests/status"}, + Resources: []string{"watchers/status"}, Verbs: []string{"get", "patch", "update"}, }, } From 81d676635aa98ebf93ac569e39e724f225b8a1aa Mon Sep 17 00:00:00 2001 
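Review bot: The expected rule list in this hunk of tests/e2e/rbac_privileges_test.go is only re-sorted (manifests, then moduletemplates, then watchers), which suggests the assertion on it is order-sensitive, like the `To(Equal(crdRoleRules))` check visible earlier in the same file. If that is the case, any re-sort of the generated role forces a test edit even though no privilege changed, and such churn makes a real rule change easier to miss in review. Comparing with `To(ConsistOf(expectedRules))` would keep the exact-set guarantee against privilege creep while ignoring order. The slice literal and its assertion begin and end outside the hunk, so this is inferred from the sibling assertions.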
From: jeremyharisch Date: Fri, 26 Jul 2024 17:37:34 +0200 Subject: [PATCH 06/17] Fix clusterrolebinding name --- config/rbac/common/crd_clusterrole_binding.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/rbac/common/crd_clusterrole_binding.yaml b/config/rbac/common/crd_clusterrole_binding.yaml index 9e95c1c71a..a610a3d24c 100644 --- a/config/rbac/common/crd_clusterrole_binding.yaml +++ b/config/rbac/common/crd_clusterrole_binding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role-crd + name: klm-controller-role-crd subjects: - kind: ServiceAccount - name: manager + name: controller From b657d0cf2d7f95e40d930f76fb773630dab25038 Mon Sep 17 00:00:00 2001 From: jeremyharisch Date: Fri, 26 Jul 2024 17:55:12 +0200 Subject: [PATCH 07/17] Fix count in e2e test --- tests/e2e/rbac_privileges_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index 42f176affb..dc91a379a5 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go @@ -34,7 +34,7 @@ var _ = Describe("RBAC Privileges", func() { kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", "kcp-system") Expect(err).ToNot(HaveOccurred()) - Expect(kcpSystemKlmRoleBindings.Items).To(HaveLen(3)) + Expect(kcpSystemKlmRoleBindings.Items).To(HaveLen(2)) leaderElectionRoleRules := []apirbacv1.PolicyRule{ { From 691dd32eb40e3031207d23aa4e343cf31615c8be Mon Sep 17 00:00:00 2001 From: jeremyharisch Date: Fri, 26 Jul 2024 18:14:04 +0200 Subject: [PATCH 08/17] Fix rolebinding misnaming --- config/rbac/common/leader_election_role_binding.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rbac/common/leader_election_role_binding.yaml b/config/rbac/common/leader_election_role_binding.yaml index cda502b746..94707dc272 100644 
--- a/config/rbac/common/leader_election_role_binding.yaml +++ b/config/rbac/common/leader_election_role_binding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: controller-leader-election-role + name: klm-controller-role-leader-election subjects: - kind: ServiceAccount name: controller From b54f358a81613e78867c117afa4056eb1804c2f1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Wed, 31 Jul 2024 09:24:51 +0200 Subject: [PATCH 09/17] control-plane names --- .../deploy-lifecycle-manager-e2e/action.yaml | 4 +- Makefile | 2 +- config/certmanager/certificate.yaml | 6 +-- config/control-plane/kustomization.yaml | 4 +- .../adjust_resources_in_deployment.yaml | 2 +- .../patches/secured_manager_auth_proxy.yaml | 2 +- .../patches/service_monitor.yaml | 2 +- .../patches/unique_certificate_name.yaml | 2 +- .../patches/unique_manager_webhook_patch.yaml | 2 +- config/default/manager_webhook_patch.yaml | 2 +- config/grafana/overview.json | 48 +++++++++---------- config/istio/ap.yaml | 2 +- .../istio/patches/exclude_webhook_port.yaml | 2 +- config/load_test/kustomization.yaml | 8 ++-- config/load_test/manager_webhook_patch.yaml | 2 +- .../adjust_resources_in_deployment.yaml | 2 +- config/manager/kustomization.yaml | 3 +- config/manager/manager.yaml | 4 +- config/manager/metrics_service.yaml | 2 +- config/prometheus/monitor.yaml | 2 +- .../cluster_bindings/clusterrole_binding.yaml | 6 +-- .../metrics_clusterrole_binding.yaml | 6 +-- config/rbac/common/crd_clusterrole.yaml | 2 +- .../rbac/common/crd_clusterrole_binding.yaml | 6 +-- config/rbac/common/leader_election_role.yaml | 2 +- .../common/leader_election_role_binding.yaml | 6 +-- config/rbac/common/metrics_clusterrole.yaml | 2 +- config/rbac/common/role.yaml | 2 +- config/rbac/common/service_account.yaml | 2 +- .../metrics_role_binding.yaml | 6 +-- .../rbac/namespace_bindings/role_binding.yaml | 18 +++---- .../samples/tests/istio-test-resources.yaml | 2 +- config/watcher/certificate_setup.yaml | 8 ++-- config/watcher/gateway.yaml | 2 +- config/watcher/operator_v1beta2_watcher.yaml | 6 +-- config/watcher_local_test/kustomization.yaml | 8 ++-- .../adjust_resources_for_local_setup.yaml | 2 +- .../patches/servicemonitor_delete.yaml | 2 +- .../01-10-control-plane-quick-start.md | 2 +- internal/pkg/flags/flags.go | 4 +- internal/pkg/flags/flags_test.go | 4 
+- pkg/testutils/klm.go | 2 +- tests/e2e/ca_certificate_rotation_test.go | 2 +- tests/e2e/rbac_privileges_test.go | 18 +++---- tests/e2e/watcher_test.go | 2 +- .../controller/withwatcher/suite_test.go | 4 +- .../watcher_controller_helper_test.go | 2 +- tests/integration/watcher/certificate_test.go | 2 +- 48 files changed, 117 insertions(+), 116 deletions(-) diff --git a/.github/actions/deploy-lifecycle-manager-e2e/action.yaml b/.github/actions/deploy-lifecycle-manager-e2e/action.yaml index 8e65400435..df28f52868 100644 --- a/.github/actions/deploy-lifecycle-manager-e2e/action.yaml +++ b/.github/actions/deploy-lifecycle-manager-e2e/action.yaml @@ -72,7 +72,7 @@ runs: path: /spec/duration value: 1h">> certificate_renewal.yaml cat certificate_renewal.yaml - kustomize edit add patch --path certificate_renewal.yaml --kind Certificate --group cert-manager.io --version v1 --name watcher-serving-cert + kustomize edit add patch --path certificate_renewal.yaml --kind Certificate --group cert-manager.io --version v1 --name watcher-serving popd - name: Deploy LM local testing kustomize uses: ./lifecycle-manager/.github/actions/deploy-lifecycle-manager @@ -88,4 +88,4 @@ runs: }} shell: bash run: | - kubectl patch svc klm-metrics-service -p '{"spec": {"type": "LoadBalancer"}}' -n kcp-system + kubectl patch svc klm-controller-manager-metrics -p '{"spec": {"type": "LoadBalancer"}}' -n kcp-system diff --git a/Makefile b/Makefile index 9ac17f9b72..40dbb8da65 100644 --- a/Makefile +++ b/Makefile 
@@ -46,7 +46,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=controller-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:dir=config/rbac/common + $(CONTROLLER_GEN) rbac:roleName=controller-manager crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:dir=config/rbac/common .PHONY: test-crd test-crd: controller-gen ## Generate crd for test diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index 421f715f96..3d233e7a7d 100644 --- a/config/certmanager/certificate.yaml +++ b/config/certmanager/certificate.yaml @@ -4,14 +4,14 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: selfsigned-issuer + name: controller-manager-selfsigned spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + name: controller-manager-webhook-serving # this name should match the one appeared in kustomizeconfig.yaml spec: # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize dnsNames: @@ -19,5 +19,5 @@ spec: - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local issuerRef: kind: Issuer - name: selfsigned-issuer + name: controller-manager-selfsigned secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/control-plane/kustomization.yaml b/config/control-plane/kustomization.yaml index 67023bbc08..5675a1e39d 100644 --- a/config/control-plane/kustomization.yaml +++ b/config/control-plane/kustomization.yaml 
@@ -110,7 +110,7 @@ transformers: metadata: name: add-ca-inject-annotation annotations: - cert-manager.io/inject-ca-from: kcp-system/klm-serving-cert + cert-manager.io/inject-ca-from: kcp-system/klm-controller-manager-webhook-serving fieldSpecs: - kind: CustomResourceDefinition path: metadata/annotations @@ -164,7 +164,7 @@ transformers: patch: '[{"op": "replace", "path": "/spec/dnsNames/0", "value": "klm-webhook-service.kcp-system.svc"}, {"op": "replace", "path": "/spec/dnsNames/1", "value": "klm-webhook-service.kcp-system.svc.cluster.local"}]' target: kind: Certificate - name: klm-serving-cert + name: klm-controller-manager-webhook-serving version: v1 group: cert-manager.io - |- diff --git a/config/control-plane/patches/adjust_resources_in_deployment.yaml b/config/control-plane/patches/adjust_resources_in_deployment.yaml index cba730fd36..bc1694d98f 100644 --- a/config/control-plane/patches/adjust_resources_in_deployment.yaml +++ b/config/control-plane/patches/adjust_resources_in_deployment.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/control-plane/patches/secured_manager_auth_proxy.yaml b/config/control-plane/patches/secured_manager_auth_proxy.yaml index 2966a26297..b1dd3ca9bb 100644 --- a/config/control-plane/patches/secured_manager_auth_proxy.yaml +++ b/config/control-plane/patches/secured_manager_auth_proxy.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/control-plane/patches/service_monitor.yaml b/config/control-plane/patches/service_monitor.yaml index eda4253869..583940460e 100644 --- a/config/control-plane/patches/service_monitor.yaml +++ b/config/control-plane/patches/service_monitor.yaml 
@@ -3,7 +3,7 @@ kind: ServiceMonitor metadata: labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io - name: controller-metrics-monitor + name: controller-manager-metrics spec: endpoints: - path: /metrics diff --git a/config/control-plane/patches/unique_certificate_name.yaml b/config/control-plane/patches/unique_certificate_name.yaml index e7a516b960..48cafba3d1 100644 --- a/config/control-plane/patches/unique_certificate_name.yaml +++ b/config/control-plane/patches/unique_certificate_name.yaml @@ -1,6 +1,6 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + name: controller-manager-webhook-serving # this name should match the one appeared in kustomizeconfig.yaml spec: secretName: lifecycle-manager-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize \ No newline at end of file diff --git a/config/control-plane/patches/unique_manager_webhook_patch.yaml b/config/control-plane/patches/unique_manager_webhook_patch.yaml index f9a0d6ca15..d4de566451 100644 --- a/config/control-plane/patches/unique_manager_webhook_patch.yaml +++ b/config/control-plane/patches/unique_manager_webhook_patch.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index eb1d18a35e..9c5b1237d2 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/grafana/overview.json b/config/grafana/overview.json index 44e18e72f7..e8bea48b09 100644 --- a/config/grafana/overview.json +++ b/config/grafana/overview.json 
@@ -92,7 +92,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(rest_client_requests_total{job=\"klm-metrics-service\", code=~\"2..\"}[$__rate_interval]))", + "expr": "sum(rate(rest_client_requests_total{job=\"klm-controller-manager-metrics\", code=~\"2..\"}[$__rate_interval]))", "format": "time_series", "interval": "", "intervalFactor": 2, @@ -105,7 +105,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(rest_client_requests_total{job=\"klm-metrics-service\", code=~\"3..\"}[$__rate_interval]))", + "expr": "sum(rate(rest_client_requests_total{job=\"klm-controller-manager-metrics\", code=~\"3..\"}[$__rate_interval]))", "format": "time_series", "interval": "", "intervalFactor": 2, @@ -118,7 +118,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(rest_client_requests_total{job=\"klm-metrics-service\", code=~\"4..\"}[$__rate_interval]))", + "expr": "sum(rate(rest_client_requests_total{job=\"klm-controller-manager-metrics\", code=~\"4..\"}[$__rate_interval]))", "format": "time_series", "interval": "", "intervalFactor": 2, @@ -131,7 +131,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(rest_client_requests_total{job=\"klm-metrics-service\", code=~\"5..\"}[$__rate_interval]))", + "expr": "sum(rate(rest_client_requests_total{job=\"klm-controller-manager-metrics\", code=~\"5..\"}[$__rate_interval]))", "format": "time_series", "interval": "", "intervalFactor": 2, @@ -230,7 +230,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "process_resident_memory_bytes{job=\"klm-metrics-service\"}", + "expr": "process_resident_memory_bytes{job=\"klm-controller-manager-metrics\"}", "hide": false, "interval": "", "legendFormat": "Lifecycle Manager", 
@@ -330,7 +330,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(process_cpu_seconds_total{job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(process_cpu_seconds_total{job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "{{job}}", "refId": "A" @@ -460,7 +460,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(controller_runtime_reconcile_total{controller=~\"kyma|watcher|purge|manifest|mandatory-module-installation|mandatory-module-deletion\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(controller_runtime_reconcile_total{controller=~\"kyma|watcher|purge|manifest|mandatory-module-installation|mandatory-module-deletion\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "hide": false, "instant": false, "interval": "", @@ -547,7 +547,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(controller_runtime_reconcile_errors_total{controller=~\"kyma|watcher|purge|manifest|mandatory-module-installation|mandatory-module-deletion\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(controller_runtime_reconcile_errors_total{controller=~\"kyma|watcher|purge|manifest|mandatory-module-installation|mandatory-module-deletion\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "{{controller}}", "refId": "A" 
@@ -714,7 +714,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(controller_runtime_reconcile_time_seconds_sum{controller=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\nrate(controller_runtime_reconcile_time_seconds_count{controller=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(controller_runtime_reconcile_time_seconds_sum{controller=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\nrate(controller_runtime_reconcile_time_seconds_count{controller=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "{{controller}}", "refId": "A" @@ -725,7 +725,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(controller_runtime_reconcile_time_seconds_sum{controller=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\nrate(controller_runtime_reconcile_time_seconds_count{controller=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(controller_runtime_reconcile_time_seconds_sum{controller=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\nrate(controller_runtime_reconcile_time_seconds_count{controller=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "hide": false, "interval": "", "legendFormat": "{{controller}}", @@ -920,7 +920,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "controller_runtime_active_workers{controller=\"kyma\",job=\"klm-metrics-service\"}", + "expr": "controller_runtime_active_workers{controller=\"kyma\",job=\"klm-controller-manager-metrics\"}", "interval": "", "legendFormat": "{{controller}}", "refId": "A" 
@@ -931,7 +931,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "controller_runtime_active_workers{controller=\"manifest\",job=\"klm-metrics-service\"}", + "expr": "controller_runtime_active_workers{controller=\"manifest\",job=\"klm-controller-manager-metrics\"}", "hide": false, "interval": "", "legendFormat": "{{controller}}", @@ -1033,7 +1033,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "workqueue_longest_running_processor_seconds{job=\"klm-metrics-service\"}", + "expr": "workqueue_longest_running_processor_seconds{job=\"klm-controller-manager-metrics\"}", "interval": "", "legendFormat": "{{job}}", "refId": "A" @@ -1116,7 +1116,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "workqueue_unfinished_work_seconds{job=\"klm-metrics-service\"}", + "expr": "workqueue_unfinished_work_seconds{job=\"klm-controller-manager-metrics\"}", "hide": false, "interval": "", "legendFormat": "{{job}}", @@ -1182,7 +1182,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": " rate(workqueue_queue_duration_seconds_sum{name=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\n rate(workqueue_queue_duration_seconds_count{name=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": " rate(workqueue_queue_duration_seconds_sum{name=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\n rate(workqueue_queue_duration_seconds_count{name=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "{{name}}", "refId": "A" 
@@ -1193,7 +1193,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": " rate(workqueue_queue_duration_seconds_sum{name=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\n rate(workqueue_queue_duration_seconds_count{name=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": " rate(workqueue_queue_duration_seconds_sum{name=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\n rate(workqueue_queue_duration_seconds_count{name=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "hide": false, "interval": "", "legendFormat": "{{name}}", @@ -1292,7 +1292,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(workqueue_work_duration_seconds_sum{name=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\nrate(workqueue_work_duration_seconds_count{name=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(workqueue_work_duration_seconds_sum{name=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\nrate(workqueue_work_duration_seconds_count{name=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "{{name}}", "refId": "A" @@ -1303,7 +1303,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "rate(workqueue_work_duration_seconds_sum{name=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])\n/\nrate(workqueue_work_duration_seconds_count{name=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(workqueue_work_duration_seconds_sum{name=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])\n/\nrate(workqueue_work_duration_seconds_count{name=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])", "hide": false, "interval": "", "legendFormat": "{{name}}", 
@@ -1402,7 +1402,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "workqueue_depth{name=\"manifest\",job=\"klm-metrics-service\"}", + "expr": "workqueue_depth{name=\"manifest\",job=\"klm-controller-manager-metrics\"}", "interval": "", "legendFormat": "{{name}}", "refId": "A" @@ -1413,7 +1413,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "workqueue_depth{name=\"kyma\",job=\"klm-metrics-service\"}", + "expr": "workqueue_depth{name=\"kyma\",job=\"klm-controller-manager-metrics\"}", "hide": false, "interval": "", "legendFormat": "{{name}}", @@ -1515,7 +1515,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(workqueue_adds_total{name=\"manifest\",job=\"klm-metrics-service\"}[$__rate_interval])) by (name)", + "expr": "sum(rate(workqueue_adds_total{name=\"manifest\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])) by (name)", "format": "time_series", "interval": "", "intervalFactor": 2, @@ -1528,7 +1528,7 @@ "uid": "P1809F7CD0C75ACF3" }, "exemplar": true, - "expr": "sum(rate(workqueue_adds_total{name=\"kyma\",job=\"klm-metrics-service\"}[$__rate_interval])) by (name)", + "expr": "sum(rate(workqueue_adds_total{name=\"kyma\",job=\"klm-controller-manager-metrics\"}[$__rate_interval])) by (name)", "hide": false, "interval": "", "legendFormat": "{{name}}", @@ -1633,7 +1633,7 @@ "targets": [ { "exemplar": true, - "expr": "lifecycle_mgr_self_signed_cert_not_renew{service=\"klm-metrics-service\"}", + "expr": "lifecycle_mgr_self_signed_cert_not_renew{service=\"klm-controller-manager-metrics\"}", "interval": "", "legendFormat": "{{kyma_name}}", "refId": "A" @@ -1837,7 +1837,7 @@ "targets": [ { "exemplar": true, - "expr": "rate(lifecycle_mgr_purgectrl_requests_total{service=\"klm-metrics-service\"}[$__rate_interval])", + "expr": "rate(lifecycle_mgr_purgectrl_requests_total{service=\"klm-controller-manager-metrics\"}[$__rate_interval])", "interval": "", "legendFormat": "", "refId": "A" 
diff --git a/config/istio/ap.yaml b/config/istio/ap.yaml index d63b31ef66..da9ce357e3 100644 --- a/config/istio/ap.yaml +++ b/config/istio/ap.yaml @@ -1,7 +1,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: controller + name: controller-manager spec: action: ALLOW rules: diff --git a/config/istio/patches/exclude_webhook_port.yaml b/config/istio/patches/exclude_webhook_port.yaml index d004c4075e..e48fcbb17b 100644 --- a/config/istio/patches/exclude_webhook_port.yaml +++ b/config/istio/patches/exclude_webhook_port.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: metadata: diff --git a/config/load_test/kustomization.yaml b/config/load_test/kustomization.yaml index 5695a91c78..a1327855aa 100644 --- a/config/load_test/kustomization.yaml +++ b/config/load_test/kustomization.yaml @@ -26,7 +26,7 @@ replacements: # substitutes CERTIFICATE_NAMESPACE, the namespace of the certificate CR - source: kind: Certificate - name: serving-cert # this name should match the one in certificate.yaml + name: controller-manager-webhook-serving # this name should match the one in certificate.yaml fieldPath: metadata.namespace targets: - select: @@ -47,7 +47,7 @@ replacements: # substitutes CERTIFICATE_NAME, the name of the certificate CR - source: kind: Certificate - name: serving-cert # this name should match the one in certificate.yaml + name: controller-manager-webhook-serving # this name should match the one in certificate.yaml fieldPath: metadata.name targets: - select: @@ -76,7 +76,7 @@ replacements: group: cert-manager.io version: v1 kind: Certificate - name: serving-cert + name: controller-manager-webhook-serving fieldpaths: - spec.dnsNames.0 - spec.dnsNames.1 @@ -94,7 +94,7 @@ replacements: group: cert-manager.io version: v1 kind: Certificate - name: serving-cert + name: controller-manager-webhook-serving fieldpaths: - spec.dnsNames.0 - spec.dnsNames.1 
diff --git a/config/load_test/manager_webhook_patch.yaml b/config/load_test/manager_webhook_patch.yaml index eb1d18a35e..9c5b1237d2 100644 --- a/config/load_test/manager_webhook_patch.yaml +++ b/config/load_test/manager_webhook_patch.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/load_test/patches/adjust_resources_in_deployment.yaml b/config/load_test/patches/adjust_resources_in_deployment.yaml index ba03105d15..521371ed8c 100644 --- a/config/load_test/patches/adjust_resources_in_deployment.yaml +++ b/config/load_test/patches/adjust_resources_in_deployment.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 6688e018d8..00ae86ff75 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -10,4 +10,5 @@ generatorOptions: images: - name: controller - newName: /lifecycle-manager + newName: europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager + newTag: latest diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 41fb492d06..fcaf5dae0b 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io spec: @@ -52,6 +52,6 @@ spec: requests: cpu: 10m memory: 64Mi - serviceAccountName: controller + serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 --- diff --git a/config/manager/metrics_service.yaml b/config/manager/metrics_service.yaml index 78adb0bb8c..b09d64d9eb 100644 --- a/config/manager/metrics_service.yaml +++ b/config/manager/metrics_service.yaml 
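Review bot: The `images` entry in config/manager/kustomization.yaml now resolves the controller image to `europe-docker.pkg.dev/kyma-project/prod/lifecycle-manager` with `newTag: latest`, a mutable tag, so the same manifests can roll out different binaries over time and a deployment cannot be traced back to a reviewed build. The change is unrelated to the renaming in this commit and may be residue of a local `kustomize edit set image`; if so, reverting the entry and letting the pipeline set the image is the smaller fix. If the base is meant to carry an image, pin it with a release tag or `digest: sha256:<image-digest-placeholder>` instead of `latest`.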
@@ -3,7 +3,7 @@ kind: Service metadata: labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io - name: metrics-service + name: controller-manager-metrics spec: ports: - name: metrics diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index a5824ec7bc..5dfdd28705 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -5,7 +5,7 @@ kind: ServiceMonitor metadata: labels: app.kubernetes.io/component: lifecycle-manager.kyma-project.io - name: controller-metrics-monitor + name: controller-manager-metrics spec: endpoints: - path: /metrics diff --git a/config/rbac/cluster_bindings/clusterrole_binding.yaml b/config/rbac/cluster_bindings/clusterrole_binding.yaml index 37c0e5934b..bb7720d18e 100644 --- a/config/rbac/cluster_bindings/clusterrole_binding.yaml +++ b/config/rbac/cluster_bindings/clusterrole_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: manager-rolebinding + name: controller-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role + name: controller-manager subjects: - kind: ServiceAccount - name: controller + name: controller-manager diff --git a/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml b/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml index 5b8a16bb31..89fdcd6dc8 100644 --- a/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml +++ b/config/rbac/cluster_bindings/metrics_clusterrole_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: controller-rolebinding-metrics + name: controller-manager-metrics roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role-metrics + name: controller-manager-metrics subjects: - kind: ServiceAccount - name: controller + name: controller-manager 
diff --git a/config/rbac/common/crd_clusterrole.yaml b/config/rbac/common/crd_clusterrole.yaml index 4cfe2239aa..a8aba22c0c 100644 --- a/config/rbac/common/crd_clusterrole.yaml +++ b/config/rbac/common/crd_clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: controller-role-crd + name: controller-manager-crd rules: - apiGroups: - apiextensions.k8s.io diff --git a/config/rbac/common/crd_clusterrole_binding.yaml b/config/rbac/common/crd_clusterrole_binding.yaml index a610a3d24c..eec3299528 100644 --- a/config/rbac/common/crd_clusterrole_binding.yaml +++ b/config/rbac/common/crd_clusterrole_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: controller-rolebinding-crd + name: controller-manager-crd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: klm-controller-role-crd + name: controller-manager-crd subjects: - kind: ServiceAccount - name: controller + name: controller-manager diff --git a/config/rbac/common/leader_election_role.yaml b/config/rbac/common/leader_election_role.yaml index 7daff6f45d..cb31f01120 100644 --- a/config/rbac/common/leader_election_role.yaml +++ b/config/rbac/common/leader_election_role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: controller-role-leader-election + name: controller-manager-leader-election rules: - apiGroups: - "" diff --git a/config/rbac/common/leader_election_role_binding.yaml b/config/rbac/common/leader_election_role_binding.yaml index 94707dc272..688d94ed7f 100644 --- a/config/rbac/common/leader_election_role_binding.yaml +++ b/config/rbac/common/leader_election_role_binding.yaml 
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: controller-rolebinding-leader-election + name: controller-manager-leader-election roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: klm-controller-role-leader-election + name: controller-manager-leader-election subjects: - kind: ServiceAccount - name: controller + name: controller-manager diff --git a/config/rbac/common/metrics_clusterrole.yaml b/config/rbac/common/metrics_clusterrole.yaml index beb7b03d28..13e7c849dc 100644 --- a/config/rbac/common/metrics_clusterrole.yaml +++ b/config/rbac/common/metrics_clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: controller-role-metrics + name: controller-manager-metrics rules: - nonResourceURLs: - "/metrics" diff --git a/config/rbac/common/role.yaml b/config/rbac/common/role.yaml index 850213df1a..7283131823 100644 --- a/config/rbac/common/role.yaml +++ b/config/rbac/common/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: controller-role + name: controller-manager rules: - apiGroups: - "" diff --git a/config/rbac/common/service_account.yaml b/config/rbac/common/service_account.yaml index 34c88b4b2a..69ece2e4c3 100644 --- a/config/rbac/common/service_account.yaml +++ b/config/rbac/common/service_account.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: controller + name: controller-manager diff --git a/config/rbac/namespace_bindings/metrics_role_binding.yaml b/config/rbac/namespace_bindings/metrics_role_binding.yaml index 0001544a1e..d1b8cee5d4 100644 --- a/config/rbac/namespace_bindings/metrics_role_binding.yaml +++ b/config/rbac/namespace_bindings/metrics_role_binding.yaml 
@@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: controller-rolebinding-metrics + name: controller-manager-metrics namespace: kyma-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role-metrics + name: controller-manager-metrics subjects: - kind: ServiceAccount - name: controller \ No newline at end of file + name: controller-manager diff --git a/config/rbac/namespace_bindings/role_binding.yaml b/config/rbac/namespace_bindings/role_binding.yaml index 86a9034ac0..653c625b19 100644 --- a/config/rbac/namespace_bindings/role_binding.yaml +++ b/config/rbac/namespace_bindings/role_binding.yaml @@ -1,38 +1,38 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: controller-rolebinding-kcp-system + name: controller-manager namespace: kcp-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role + name: controller-manager subjects: - kind: ServiceAccount - name: controller + name: controller-manager --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: controller-rolebinding-kyma-system + name: controller-manager-kyma-system namespace: kyma-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role + name: controller-manager subjects: - kind: ServiceAccount - name: controller + name: controller-manager --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: controller-rolebinding-istio-system + name: controller-manager-istio-system namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-role + name: controller-manager subjects: - kind: ServiceAccount - name: controller \ No newline at end of file + name: controller-manager diff --git a/config/samples/tests/istio-test-resources.yaml b/config/samples/tests/istio-test-resources.yaml index 8733bd35ec..5e1c820225 100644 
--- a/config/samples/tests/istio-test-resources.yaml +++ b/config/samples/tests/istio-test-resources.yaml @@ -1,7 +1,7 @@ apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: - name: klm-watcher-gateway + name: klm-watcher namespace: kcp-system labels: operator.kyma-project.io/watcher-gateway: default diff --git a/config/watcher/certificate_setup.yaml b/config/watcher/certificate_setup.yaml index 3cb07a69fc..30cc59ec20 100644 --- a/config/watcher/certificate_setup.yaml +++ b/config/watcher/certificate_setup.yaml @@ -5,14 +5,14 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: watcher-selfsigned-cluster-issuer + name: watcher-selfsigned spec: selfSigned: {} --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: watcher-serving-cert + name: watcher-serving namespace: istio-system spec: dnsNames: @@ -26,14 +26,14 @@ spec: privateKey: algorithm: RSA issuerRef: - name: klm-watcher-selfsigned-cluster-issuer + name: klm-watcher-selfsigned kind: ClusterIssuer group: cert-manager.io --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: watcher-selfsigned-issuer + name: watcher-selfsigned namespace: istio-system labels: operator.kyma-project.io/purpose: "klm-watcher-cert-manager" diff --git a/config/watcher/gateway.yaml b/config/watcher/gateway.yaml index cfe4cb974d..1502c6d4c9 100644 --- a/config/watcher/gateway.yaml +++ b/config/watcher/gateway.yaml @@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: - name: watcher-gateway + name: watcher labels: operator.kyma-project.io/watcher-gateway: default annotations: diff --git a/config/watcher/operator_v1beta2_watcher.yaml b/config/watcher/operator_v1beta2_watcher.yaml index 68b04622a8..a8cda8e2dd 100644 --- a/config/watcher/operator_v1beta2_watcher.yaml +++ b/config/watcher/operator_v1beta2_watcher.yaml 
@@ -1,7 +1,7 @@ apiVersion: operator.kyma-project.io/v1beta2 kind: Watcher metadata: - name: kyma-watcher + name: watcher labels: "operator.kyma-project.io/managed-by": "lifecycle-manager" spec: @@ -13,7 +13,7 @@ spec: resource: kymas field: "spec" serviceInfo: - name: klm-event-service + name: klm-controller-manager-events port: 8082 namespace: kcp-system gateway: @@ -24,7 +24,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: event-service + name: controller-manager-events spec: selector: app.kubernetes.io/name: lifecycle-manager diff --git a/config/watcher_local_test/kustomization.yaml b/config/watcher_local_test/kustomization.yaml index 3c332dad1b..6da759bc5a 100644 --- a/config/watcher_local_test/kustomization.yaml +++ b/config/watcher_local_test/kustomization.yaml @@ -51,7 +51,7 @@ patches: group: security.istio.io version: v1beta1 kind: AuthorizationPolicy - name: controller + name: controller-manager - patch: |- - op: replace path: /spec/servers/0/hosts/0 @@ -60,7 +60,7 @@ patches: group: networking.istio.io version: v1beta1 kind: Gateway - name: watcher-gateway + name: watcher - patch: |- - op: replace path: /spec/dnsNames/0 @@ -75,7 +75,7 @@ patches: group: cert-manager.io version: v1 kind: Certificate - name: watcher-serving-cert + name: watcher-serving apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization \ No newline at end of file +kind: Kustomization diff --git a/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml b/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml index b82b4eb303..013818ff9b 100644 --- a/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml +++ b/config/watcher_local_test/patches/adjust_resources_for_local_setup.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller + name: controller-manager spec: template: spec: 
diff --git a/config/watcher_local_test/patches/servicemonitor_delete.yaml b/config/watcher_local_test/patches/servicemonitor_delete.yaml index 6f3b36697c..5afd0848e2 100644 --- a/config/watcher_local_test/patches/servicemonitor_delete.yaml +++ b/config/watcher_local_test/patches/servicemonitor_delete.yaml @@ -2,4 +2,4 @@ $patch: delete apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: controller-metrics-monitor \ No newline at end of file + name: controller-manager-metrics diff --git a/docs/user-tutorials/01-10-control-plane-quick-start.md b/docs/user-tutorials/01-10-control-plane-quick-start.md index 974885a735..8cc8354d40 100644 --- a/docs/user-tutorials/01-10-control-plane-quick-start.md +++ b/docs/user-tutorials/01-10-control-plane-quick-start.md @@ -58,7 +58,7 @@ We recommend deploying Lifecycle Manager with the KCP kustomize profile. You mus If the deployment was successful, you should see all the required resources. For example: -* The `klm-controller` Pod in the `kcp-system` Namespace +* The `klm-controller-manager` Pod in the `kcp-system` Namespace * A Kyma CR that uses the `regular` channel but without any module configured, sync disabled, named `default-kyma` under `kyma-system` Namespace ### Manage Modules in the Control-Plane Mode diff --git a/internal/pkg/flags/flags.go b/internal/pkg/flags/flags.go index 8e2c327ce6..f701322ba7 100644 --- a/internal/pkg/flags/flags.go +++ b/internal/pkg/flags/flags.go 
@@ -37,10 +37,10 @@ const ( DefaultMaxConcurrentWatcherReconciles = 1 DefaultMaxConcurrentMandatoryModuleReconciles = 1 DefaultMaxConcurrentMandatoryModuleDeletionReconciles = 1 - DefaultIstioGatewayName = "klm-watcher-gateway" + DefaultIstioGatewayName = "klm-watcher" DefaultIstioGatewayNamespace = "kcp-system" DefaultIstioNamespace = "istio-system" - DefaultCaCertName = "klm-watcher-serving-cert" + DefaultCaCertName = "klm-watcher-serving" DefaultCaCertCacheTTL time.Duration = 1 * time.Hour DefaultSelfSignedCertDuration time.Duration = 90 * 24 * time.Hour DefaultSelfSignedCertRenewBefore time.Duration = 60 * 24 * time.Hour diff --git a/internal/pkg/flags/flags_test.go b/internal/pkg/flags/flags_test.go index 8f34ec5364..a916806aee 100644 --- a/internal/pkg/flags/flags_test.go +++ b/internal/pkg/flags/flags_test.go @@ -156,7 +156,7 @@ func Test_ConstantFlags(t *testing.T) { { constName: "DefaultIstioGatewayName", constValue: DefaultIstioGatewayName, - expectedValue: "klm-watcher-gateway", + expectedValue: "klm-watcher", }, { constName: "DefaultIstioGatewayNamespace", @@ -171,7 +171,7 @@ func Test_ConstantFlags(t *testing.T) { { constName: "DefaultCaCertName", constValue: DefaultCaCertName, - expectedValue: "klm-watcher-serving-cert", + expectedValue: "klm-watcher-serving", }, { constName: "DefaultCaCertCacheTTL", diff --git a/pkg/testutils/klm.go b/pkg/testutils/klm.go index 77695cf6d7..f317ecef16 100644 --- a/pkg/testutils/klm.go +++ b/pkg/testutils/klm.go @@ -20,7 +20,7 @@ import ( const ( ControlPlaneNamespace = "kcp-system" watcherPodContainer = "server" - KLMPodPrefix = "klm-controller" + KLMPodPrefix = "klm-controller-manager" KLMPodContainer = "manager" RemoteNamespace = "kyma-system" ) diff --git a/tests/e2e/ca_certificate_rotation_test.go b/tests/e2e/ca_certificate_rotation_test.go index 2fef5116be..a9e989840b 100644 --- a/tests/e2e/ca_certificate_rotation_test.go +++ b/tests/e2e/ca_certificate_rotation_test.go 
@@ -22,7 +22,7 @@ var _ = Describe("CA Certificate Rotation", Ordered, func() { CleanupKymaAfterAll(kyma) var caCertificate *certmanagerv1.Certificate - caCertName := "klm-watcher-serving-cert" + caCertName := "klm-watcher-serving" Context("Given KCP Cluster and rotated CA certificate", func() { kcpSecretName := types.NamespacedName{ diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index dc91a379a5..fb61fcf3ee 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go @@ -27,11 +27,11 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"update"}, }, } - Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-controller-role-crd", + Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-controller-manager-crd", klmClusterRoleBindings)).To(Equal(crdRoleRules)) By("And KLM Service Account has the correct RoleBindings in kcp-system namespaces") - kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", + kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", "kcp-system") Expect(err).ToNot(HaveOccurred()) Expect(kcpSystemKlmRoleBindings.Items).To(HaveLen(2)) @@ -53,7 +53,7 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"create", "patch"}, }, } - Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role-leader-election", + Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient, "klm-controller-manager-leader-election", "kcp-system", kcpSystemKlmRoleBindings)).To(Equal(leaderElectionRoleRules)) 
@@ -164,25 +164,25 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"get", "patch", "update"}, }, } - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-manager", kcpSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) By("And KLM Service Account has the correct RoleBindings in istio-system namespaces") - istioSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", + istioSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", "istio-system") Expect(err).ToNot(HaveOccurred()) Expect(istioSystemKlmRoleBindings.Items).To(HaveLen(1)) - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-manager", istioSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) By("And KLM Service Account has the correct RoleBindings in kyma-system namespaces") - kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller", + kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager", "kyma-system") Expect(err).ToNot(HaveOccurred()) Expect(kymaSystemKlmRoleBindings.Items).To(HaveLen(2)) - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-manager", kymaSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules)) metricsReaderRoleRules := []apirbacv1.PolicyRule{ 
@@ -191,7 +191,7 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"get"}, }, } - Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-role-metrics", + Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-controller-manager-metrics", kymaSystemKlmRoleBindings)).To(Equal(metricsReaderRoleRules)) }) }) diff --git a/tests/e2e/watcher_test.go b/tests/e2e/watcher_test.go index 1cd17a80f1..5baf001e77 100644 --- a/tests/e2e/watcher_test.go +++ b/tests/e2e/watcher_test.go @@ -22,7 +22,7 @@ import ( ) const ( - watcherCrName = "klm-kyma-watcher" + watcherCrName = "klm-watcher" ) var errWatcherDeploymentNotReady = errors.New("watcher Deployment is not ready") diff --git a/tests/integration/controller/withwatcher/suite_test.go b/tests/integration/controller/withwatcher/suite_test.go index 3241563bfa..d235d3b1a4 100644 --- a/tests/integration/controller/withwatcher/suite_test.go +++ b/tests/integration/controller/withwatcher/suite_test.go @@ -83,8 +83,8 @@ var ( const ( istioSystemNs = "istio-system" kcpSystemNs = "kcp-system" - gatewayName = "klm-watcher-gateway" - caCertificateName = "klm-watcher-serving-cert" + gatewayName = "klm-watcher" + caCertificateName = "klm-watcher-serving" ) var ( diff --git a/tests/integration/controller/withwatcher/watcher_controller_helper_test.go b/tests/integration/controller/withwatcher/watcher_controller_helper_test.go index 985b755312..ed39a9cd75 100644 --- a/tests/integration/controller/withwatcher/watcher_controller_helper_test.go +++ b/tests/integration/controller/withwatcher/watcher_controller_helper_test.go @@ -133,7 +133,7 @@ func createCaCertificate() *certmanagerv1.Certificate { APIVersion: certmanagerv1.SchemeGroupVersion.String(), }, ObjectMeta: apimetav1.ObjectMeta{ - Name: "klm-watcher-serving-cert", + Name: "klm-watcher-serving", Namespace: istioSystemNs, }, Spec: certmanagerv1.CertificateSpec{ 
diff --git a/tests/integration/watcher/certificate_test.go b/tests/integration/watcher/certificate_test.go index d5eaaa7542..20fcc169df 100644 --- a/tests/integration/watcher/certificate_test.go +++ b/tests/integration/watcher/certificate_test.go @@ -16,7 +16,7 @@ import ( ) var _ = Describe("Create Watcher Certificates", Ordered, func() { - const caCertName = "klm-watcher-serving-cert" + const caCertName = "klm-watcher-serving" tests := []struct { name string From 81a246754e9cb0db31b6bbb74e6cda03b250d20c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Wed, 31 Jul 2024 10:49:29 +0200 Subject: [PATCH 10/17] klm namespace for default config --- config/default/kustomization.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index e274465213..bad8dca329 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -6,7 +6,7 @@ kind: Kustomization # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. -namePrefix: lifecycle-manager- +namePrefix: klm- # Labels to add to all resources and selectors. commonLabels: @@ -61,7 +61,7 @@ transformers: metadata: name: add-ca-inject-annotation annotations: - cert-manager.io/inject-ca-from: kcp-system/lifecycle-manager-serving-cert + cert-manager.io/inject-ca-from: kcp-system/klm-controller-manager-webhook-serving fieldSpecs: - kind: CustomResourceDefinition path: metadata/annotations 
@@ -72,10 +72,10 @@ transformers: kind: PatchTransformer metadata: name: fix-cert-dns-names - patch: '[{"op": "replace", "path": "/spec/dnsNames/0", "value": "lifecycle-manager-webhook-service.kcp-system.svc"}, {"op": "replace", "path": "/spec/dnsNames/1", "value": "lifecycle-manager-webhook-service.kcp-system.svc.cluster.local"}]' + patch: '[{"op": "replace", "path": "/spec/dnsNames/0", "value": "klm-webhook-service.kcp-system.svc"}, {"op": "replace", "path": "/spec/dnsNames/1", "value": "klm-webhook-service.kcp-system.svc.cluster.local"}]' target: kind: Certificate - name: lifecycle-manager-serving-cert + name: klm-controller-manager-webhook-serving version: v1 group: cert-manager.io - |- @@ -86,6 +86,6 @@ transformers: patch: '[{"op": "replace", "path": "/webhooks/0/clientConfig/service/namespace", "value": "kcp-system"}]' target: kind: ValidatingWebhookConfiguration - name: lifecycle-manager-validating-webhook-configuration + name: klm-validating-webhook-configuration version: v1 group: admissionregistration.k8s.io From a1c896aa983a2c147e65fe7d525a24796d2d9d7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Wed, 31 Jul 2024 11:27:32 +0200 Subject: [PATCH 11/17] fix rbac_privileges_test --- tests/e2e/rbac_privileges_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index fb61fcf3ee..0ce5e7a2c8 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go 
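Review bot: The two SAN values in the `fix-cert-dns-names` patch are literals inside a JSON-patch string, so kustomize will not rewrite them when `namePrefix` or the webhook Service name changes; they have to be edited by hand, as this hunk does. The API server verifies the webhook's serving certificate against the Service DNS name, so drift here shows up as admission calls failing TLS verification. What happens to requests in that case depends on the webhook's failure policy, which is outside this hunk. A comment above the patch would make the coupling explicit, for example `# dnsNames must equal <namePrefix><webhook Service name>.<namespace>.svc[.cluster.local]`.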
@@ -11,7 +11,7 @@ import ( var _ = Describe("RBAC Privileges", func() { Context("Given KCP Cluster with KLM Service Account", func() { It("Then KLM Service Account has the correct ClusterRoleBindings", func() { - klmClusterRoleBindings, err := ListKlmClusterRoleBindings(controlPlaneClient, ctx, "klm-controller") + klmClusterRoleBindings, err := ListKlmClusterRoleBindings(controlPlaneClient, ctx, "klm-controller-manager") Expect(err).ToNot(HaveOccurred()) Expect(klmClusterRoleBindings.Items).To(HaveLen(1)) From 76758f0a88630080dc412f2bd878c0e1f71ce459 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Wed, 31 Jul 2024 13:10:24 +0200 Subject: [PATCH 12/17] fix wrong SA name in smoke test --- .github/workflows/test-smoke.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-smoke.yml b/.github/workflows/test-smoke.yml index 8f39c8600a..1a84c0a71b 100644 --- a/.github/workflows/test-smoke.yml +++ b/.github/workflows/test-smoke.yml @@ -128,7 +128,7 @@ jobs: name: kyma-cli-provisioned-wildcard subjects: - kind: ServiceAccount - name: lifecycle-manager-controller + name: klm-controller-manager namespace: kcp-system EOF kubectl apply -f tests/moduletemplates/moduletemplate_template_operator_v1_regular.yaml From d06959199369dfede1d0790d40d84ec7b93ea6ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Thu, 1 Aug 2024 14:51:02 +0200 Subject: [PATCH 13/17] fix webhook and watcher secret names --- config/certmanager/certificate.yaml | 2 +- config/control-plane/patches/unique_certificate_name.yaml | 2 +- .../control-plane/patches/unique_manager_webhook_patch.yaml | 2 +- config/watcher/certificate_setup.yaml | 4 ++-- config/watcher/gateway.yaml | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index 3d233e7a7d..7b39239937 100644 --- a/config/certmanager/certificate.yaml 
+++ b/config/certmanager/certificate.yaml @@ -20,4 +20,4 @@ spec: issuerRef: kind: Issuer name: controller-manager-selfsigned - secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: klm-controller-manager-webhook # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/control-plane/patches/unique_certificate_name.yaml b/config/control-plane/patches/unique_certificate_name.yaml index 48cafba3d1..bf53cdf233 100644 --- a/config/control-plane/patches/unique_certificate_name.yaml +++ b/config/control-plane/patches/unique_certificate_name.yaml @@ -3,4 +3,4 @@ kind: Certificate metadata: name: controller-manager-webhook-serving # this name should match the one appeared in kustomizeconfig.yaml spec: - secretName: lifecycle-manager-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize \ No newline at end of file + secretName: klm-controller-manager-webhook # this secret will not be prefixed, since it's not managed by kustomize \ No newline at end of file diff --git a/config/control-plane/patches/unique_manager_webhook_patch.yaml b/config/control-plane/patches/unique_manager_webhook_patch.yaml index d4de566451..314463f13a 100644 --- a/config/control-plane/patches/unique_manager_webhook_patch.yaml +++ b/config/control-plane/patches/unique_manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: - name: cert secret: defaultMode: 420 - secretName: lifecycle-manager-webhook-server-cert + secretName: klm-controller-manager-webhook diff --git a/config/watcher/certificate_setup.yaml b/config/watcher/certificate_setup.yaml index 30cc59ec20..f63733c373 100644 --- a/config/watcher/certificate_setup.yaml +++ b/config/watcher/certificate_setup.yaml 
@@ -19,7 +19,7 @@ spec: - 'listener.kyma.cloud.sap' # this dnsName should be overwritten based on deployment environment, i.e. listener.dev.kyma.cloud.sap isCA: true commonName: klm-watcher-selfsigned-ca - secretName: klm-watcher-root-secret # this secret will not be prefixed, since it's not managed by kustomize + secretName: klm-watcher # this secret will not be prefixed, since it's not managed by kustomize secretTemplate: labels: operator.kyma-project.io/managed-by: "lifecycle-manager" @@ -40,4 +40,4 @@ metadata: operator.kyma-project.io/managed-by: "lifecycle-manager" spec: ca: - secretName: klm-watcher-root-secret \ No newline at end of file + secretName: klm-watcher diff --git a/config/watcher/gateway.yaml b/config/watcher/gateway.yaml index 1502c6d4c9..3e32c6f810 100644 --- a/config/watcher/gateway.yaml +++ b/config/watcher/gateway.yaml @@ -20,5 +20,5 @@ spec: number: 443 protocol: HTTPS tls: - credentialName: klm-watcher-root-secret - mode: MUTUAL \ No newline at end of file + credentialName: klm-watcher + mode: MUTUAL From 51a47676033b08a212f89f3be9e17d983f585904 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Fri, 2 Aug 2024 15:35:15 +0200 Subject: [PATCH 14/17] fix secretName in default profile --- config/default/manager_webhook_patch.yaml | 2 +- config/load_test/manager_webhook_patch.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 9c5b1237d2..3cb73f1911 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: - name: cert secret: defaultMode: 420 - secretName: webhook-server-cert + secretName: controller-manager-webhook diff --git a/config/load_test/manager_webhook_patch.yaml b/config/load_test/manager_webhook_patch.yaml index 9c5b1237d2..3cb73f1911 100644 --- a/config/load_test/manager_webhook_patch.yaml 
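Review bot: After this rename the Gateway's `credentialName: klm-watcher` still points at the same Secret that the `isCA: true` Certificate writes and that the `ca:` Issuer signs from. As far as these hunks show, the ingress gateway is therefore handed the CA's private key as its server key. A compromise of the gateway workload would then expose the key that signs the watcher client certificates, not only one server certificate. I would issue a separate leaf server certificate from the CA Issuer for the gateway and reference that instead, e.g. `credentialName: <gateway-server-cert-secret>` (placeholder name), giving the gateway only the CA certificate for client verification. With Secret, Gateway and Watcher all named `klm-watcher`, a short comment on the Secret stating that it holds CA key material would also help anyone writing `resourceNames` RBAC rules or reviewing audit logs.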
+++ b/config/load_test/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: - name: cert secret: defaultMode: 420 - secretName: webhook-server-cert + secretName: controller-manager-webhook From 228950de46212fa34bec8d55a59352d51b13dec1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Mon, 5 Aug 2024 08:05:25 +0200 Subject: [PATCH 15/17] fix wrong deploy secret name --- config/default/manager_webhook_patch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 3cb73f1911..314463f13a 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -19,4 +19,4 @@ spec: - name: cert secret: defaultMode: 420 - secretName: controller-manager-webhook + secretName: klm-controller-manager-webhook From 12d78b6b780abfbbc0af7cc5ff31d16644558b2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Mon, 5 Aug 2024 15:30:22 +0200 Subject: [PATCH 16/17] crd -> crds --- config/rbac/common/crd_clusterrole.yaml | 2 +- config/rbac/common/crd_clusterrole_binding.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rbac/common/crd_clusterrole.yaml b/config/rbac/common/crd_clusterrole.yaml index a8aba22c0c..e483d9702c 100644 --- a/config/rbac/common/crd_clusterrole.yaml +++ b/config/rbac/common/crd_clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: controller-manager-crd + name: controller-manager-crds rules: - apiGroups: - apiextensions.k8s.io diff --git a/config/rbac/common/crd_clusterrole_binding.yaml b/config/rbac/common/crd_clusterrole_binding.yaml index eec3299528..659ed94fdf 100644 --- a/config/rbac/common/crd_clusterrole_binding.yaml +++ b/config/rbac/common/crd_clusterrole_binding.yaml 
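Review bot: The `load_test` patch now mounts `secretName: controller-manager-webhook`, but the Certificate in `config/certmanager/certificate.yaml` (patch 13/17) writes its key pair to `klm-controller-manager-webhook`, and that file's comment says the Secret name is not prefixed by kustomize. Patch 15/17 corrects only `config/default/manager_webhook_patch.yaml`, so the two profiles diverge at the end of the series. If the load-test profile uses the same Certificate, which is not visible here, the `cert` volume references a Secret that is never created and the manager pod cannot start its webhook server. The line should read `secretName: klm-controller-manager-webhook`.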
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: controller-manager-crd + name: controller-manager-crds roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: controller-manager-crd + name: controller-manager-crds subjects: - kind: ServiceAccount name: controller-manager From 0c5167110479a43312870f72586480ca8b5bdcb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20Schw=C3=A4gerl?= Date: Mon, 5 Aug 2024 16:08:50 +0200 Subject: [PATCH 17/17] fix rbac test --- tests/e2e/rbac_privileges_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index 3b456c4f1b..f0bb3637c7 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go @@ -28,7 +28,7 @@ var _ = Describe("RBAC Privileges", func() { Verbs: []string{"update"}, }, } - Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-controller-manager-crd", + Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-controller-manager-crds", klmClusterRoleBindings)).To(Equal(crdRoleRules)) By("And KLM Service Account has the correct RoleBindings in kcp-system namespace")