Clean up exposecontroller configuration

Configure exposecontroller to watch services only in current namespace as its own serviceaccount, removing setup-time configuration for which namespace will be watched. This is preparation for bundling the operator for operator catalogs, so that yaml definitions do not contain any "REPLACE_IMAGE" or "REPLACE_PROJECT" type variables to be run through sed.
cryostatio · Oct 16, 2019 · 4308095 · 4308095
1 parent 8ce2357
commit 4308095
Show file tree

Hide file tree

Showing 11 changed files with 140 additions and 29 deletions.
diff --git a/Makefile b/Makefile
@@ -16,24 +16,25 @@ clean:
 
 .PHONY: deploy
 deploy: undeploy
-	oc create -f deploy/service_account.yaml
-	oc create -f deploy/role.yaml
-	oc create -f deploy/role_binding.yaml
+	oc create -f deploy/operator_service_account.yaml
+	oc create -f deploy/exposecontroller_service_account.yaml
+	oc create -f deploy/operator_role.yaml
+	oc create -f deploy/exposecontroller_role.yaml
+	oc create -f deploy/operator_role_binding.yaml
+	oc create -f deploy/exposecontroller_role_binding.yaml
 	oc create -f deploy/crds/rhjmc_v1alpha1_flightrecorder_crd.yaml
 	oc create -f deploy/crds/rhjmc_v1alpha1_containerjfr_crd.yaml
 	oc create -f deploy/containerjfr_grafana_config_map.yaml
 	oc create -f deploy/containerjfr_jfr_datasource_config_map.yaml
 	oc create -f deploy/containerjfr_command_config_map.yaml
 	oc create -f deploy/containerjfr_config_map.yaml
-	sed -e 's|REPLACE_IMAGE|$(IMAGE_TAG)|g' deploy/operator.yaml | oc create -f -
+	sed -e 's|REPLACE_IMAGE|$(IMAGE_TAG)|g' deploy/dev_operator.yaml | oc create -f -
 	oc create -f deploy/crds/rhjmc_v1alpha1_containerjfr_cr.yaml
-	oc create -f deploy/exposecontroller_config_map.yaml
-	sed -e 's|REPLACE_PROJECT|$(shell oc project -q)|g' deploy/exposecontroller.yaml | oc create -f -
+	oc create -f deploy/exposecontroller.yaml
 
 .PHONY: undeploy
 undeploy: undeploy_sample_app
 	- oc delete deployment exposecontroller
-	- oc delete configmap exposecontroller
 	- oc delete all -l project=exposecontroller
 	- oc delete routes -l generator=exposecontroller
 	- oc delete deployment container-jfr-operator
@@ -45,8 +46,13 @@ undeploy: undeploy_sample_app
 	- oc delete persistentvolumes -l app=containerjfr
 	- oc delete configmaps -l app=containerjfr
 	- oc delete role container-jfr-operator
+	- oc delete role exposecontroller
 	- oc delete rolebinding container-jfr-operator
+	- oc delete rolebinding exposecontroller
+	- oc delete clusterrolebinding exposecontroller-cluster-admin
+	- oc delete clusterrolebinding serviceaccounts-cluster-reader
 	- oc delete serviceaccount container-jfr-operator
+	- oc delete serviceaccount exposecontroller
 	- oc delete crd flightrecorders.rhjmc.redhat.com
 	- oc delete crd containerjfrs.rhjmc.redhat.com
 

diff --git a/deploy/dev_operator.yaml b/deploy/dev_operator.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: container-jfr-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: container-jfr-operator
+  template:
+    metadata:
+      labels:
+        name: container-jfr-operator
+    spec:
+      serviceAccountName: container-jfr-operator
+      containers:
+        - name: container-jfr-operator
+          # Replace this with the built image name
+          image: REPLACE_IMAGE
+          command:
+          - container-jfr-operator
+          imagePullPolicy: Always
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: container-jfr-operator
diff --git a/deploy/exposecontroller.yaml b/deploy/exposecontroller.yaml
@@ -13,19 +13,14 @@ spec:
       labels:
         name: exposecontroller
     spec:
-      serviceAccountName: container-jfr-operator
+      serviceAccountName: exposecontroller
       containers:
-      - image: jenkinsxio/exposecontroller
-        name: exposecontroller
-        args:
-          - --v=8
-            # TODO investigate --watch-current-namespace flag
-          - --watch-namespace=REPLACE_PROJECT
-          - --http=true
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/exposecontroller
-      volumes:
-      - name: config-volume
-        configMap:
-          name: exposecontroller
+        - name: exposecontroller
+          image: jenkinsxio/exposecontroller:2.3.98
+          env:
+            - name: KUBERNETES_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          args:
+            - --http=true
diff --git a/deploy/exposecontroller_role.yaml b/deploy/exposecontroller_role.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: exposecontroller
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - routes
+  - routes.route.openshift.io
+  - endpoints
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
diff --git a/deploy/exposecontroller_role_binding.yaml b/deploy/exposecontroller_role_binding.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: List
+metadata: {}
+items:
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: exposecontroller
+    subjects:
+    - kind: ServiceAccount
+      name: exposecontroller
+    roleRef:
+      kind: Role
+      name: exposecontroller
+      apiGroup: rbac.authorization.k8s.io
+  # TODO replace these clusterrolebindings with narrower set of permissions
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: exposecontroller-cluster-admin
+    subjects:
+    - kind: ServiceAccount
+      name: exposecontroller
+      namespace: default
+    roleRef:
+      kind: ClusterRole
+      name: cluster-admin
+      apigroup: rbac.authorization.k8s.io
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: serviceaccounts-cluster-reader
+    subjects:
+    - kind: Group
+      name: system:serviceaccounts
+    roleRef:
+      kind: ClusterRole
+      name: cluster-reader
+      apigroup: rbac.authorization.k8s.io
diff --git a/deploy/exposecontroller_service_account.yaml b/deploy/exposecontroller_service_account.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: exposecontroller
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -16,8 +16,7 @@ spec:
       serviceAccountName: container-jfr-operator
       containers:
         - name: container-jfr-operator
-          # Replace this with the built image name
-          image: REPLACE_IMAGE
+          image: quay.io/rh-jmc-team/container-jfr:0.4.7
           command:
           - container-jfr-operator
           imagePullPolicy: Always

diff --git a/deploy/role.yaml → deploy/operator_role.yaml b/deploy/role.yaml → deploy/operator_role.yaml
@@ -11,7 +11,6 @@ rules:
   - services
   - services/finalizers
   - routes
-  - routes.route.openshift.io
   - endpoints
   - persistentvolumeclaims
   - events

diff --git a/deploy/role_binding.yaml → deploy/operator_role_binding.yaml b/deploy/role_binding.yaml → deploy/operator_role_binding.yaml
diff --git a/deploy/service_account.yaml → deploy/operator_service_account.yaml b/deploy/service_account.yaml → deploy/operator_service_account.yaml
diff --git a/pkg/controller/containerjfr/resource_definitions/resource_definitions.go b/pkg/controller/containerjfr/resource_definitions/resource_definitions.go
@@ -63,7 +63,7 @@ func NewPodForCR(cr *rhjmcv1alpha1.ContainerJFR) *corev1.Pod {
 func NewCoreContainer(cr *rhjmcv1alpha1.ContainerJFR) corev1.Container {
 	return corev1.Container{
 		Name:  cr.Name,
-		Image: "quay.io/rh-jmc-team/container-jfr:0.4.6-debug",
+		Image: "quay.io/andrewazores/container-jfr:latest",
 		VolumeMounts: []corev1.VolumeMount{
 			{
 				Name:      cr.Name,
@@ -186,7 +186,8 @@ func NewExporterServiceForPod(cr *rhjmcv1alpha1.ContainerJFR) *corev1.Service {
 				"app": cr.Name,
 			},
 			Annotations: map[string]string{
-				"fabric8.io/expose": "true",
+				"fabric8.io/expose":     "true",
+				"fabric8.io/exposePort": "8181",
 			},
 		},
 		Spec: corev1.ServiceSpec{
@@ -219,7 +220,8 @@ func NewCommandChannelServiceForPod(cr *rhjmcv1alpha1.ContainerJFR) *corev1.Serv
 				"app": cr.Name,
 			},
 			Annotations: map[string]string{
-				"fabric8.io/expose": "true",
+				"fabric8.io/expose":     "true",
+				"fabric8.io/exposePort": "9090",
 			},
 		},
 		Spec: corev1.ServiceSpec{
@@ -248,7 +250,8 @@ func NewGrafanaServiceForPod(cr *rhjmcv1alpha1.ContainerJFR) *corev1.Service {
 				"component": "grafana",
 			},
 			Annotations: map[string]string{
-				"fabric8.io/expose": "true",
+				"fabric8.io/expose":     "true",
+				"fabric8.io/exposePort": "3000",
 			},
 		},
 		Spec: corev1.ServiceSpec{