Add Redhat Openshift support (#912)

* feat(mgr,wh,srv): changed port (443->)9443 RHOS requires ports to be over 1024. * chore(chart): updated service to use port names To decouple service ports from container ports. * feat(ctrlr,crd): added/extd finalizer RBAC gen So finalizer RBACs would be covered for create, delete, patch, update. Required for RHOS. After changing the controller markers the manifests were regenerated using `make manifests`. * chore(container): updated base image To an advertised tag. * feat(kcl): passed envoyConfig.PodSecurityContext RHOS requires the propagation of the envoy config podSecurityContext to set uid/gid. * chore(dep): upped api 2 v0.25.0 for podSecContext Required to be able to use the envoy podSecurityContext. --------- Co-authored-by: Patrik Egyed <[email protected]>
banzaicloud · Apr 4, 2023 · 5c78148 · 5c78148
1 parent 78055db
commit 5c78148
Show file tree

Hide file tree

Showing 14 changed files with 101 additions and 37 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static-debian11:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 ENTRYPOINT ["/manager"]
diff --git a/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml b/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml
@@ -213,7 +213,7 @@ spec:
           {{- end }}
           ports:
           {{- if .Values.webhook.enabled }}
-            - containerPort: {{ .Values.webhook.serverPort | default 443 }}
+            - containerPort: {{ .Values.webhook.serverPort | default 9443 }}
               name: webhook-server
               protocol: TCP
           {{- end }}

diff --git a/charts/kafka-operator/templates/operator-rbac.yaml b/charts/kafka-operator/templates/operator-rbac.yaml
@@ -115,6 +115,63 @@ rules:
   - get
   - update
   - patch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkaclusters/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkausers/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkatopics/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -234,33 +291,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations/status
-  verbs:
-  - get
-  - patch
-  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/kafka-operator/templates/operator-service.yaml b/charts/kafka-operator/templates/operator-service.yaml
@@ -28,9 +28,9 @@ spec:
   ports:
   - name: https
     port: 443
-    targetPort: {{ (.Values.webhook).serverPort | default 443 }}
+    targetPort: webhook-server
   {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
   - name: metrics
     port: 8080
-    targetPort: {{ (.Values.metricEndpoint).port | default 8080 }}
+    targetPort: metrics
   {{- end }}
diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml
@@ -178,6 +178,9 @@ rules:
   resources:
   - cruisecontroloperations/finalizers
   verbs:
+  - create
+  - delete
+  - patch
   - update
 - apiGroups:
   - kafka.banzaicloud.io
@@ -199,6 +202,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkaclusters/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
@@ -220,6 +232,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkatopics/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
@@ -241,6 +262,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkausers/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:

diff --git a/config/base/webhook/service.yaml b/config/base/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager
diff --git a/controllers/cruisecontroloperation_controller.go b/controllers/cruisecontroloperation_controller.go
@@ -70,7 +70,7 @@ type CruiseControlOperationReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=update
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=create;update;patch;delete
 
 //nolint:gocyclo
 func (r *CruiseControlOperationReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {

diff --git a/controllers/kafkacluster_controller.go b/controllers/kafkacluster_controller.go
@@ -79,6 +79,7 @@ type KafkaClusterReconciler struct {
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/finalizers,verbs=create;update;patch;delete
 // +kubebuilder:rbac:groups=servicemesh.cisco.com,resources=istiomeshgateways,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=networking.istio.io,resources=*,verbs=*
 

diff --git a/controllers/kafkatopic_controller.go b/controllers/kafkatopic_controller.go
@@ -71,6 +71,7 @@ type KafkaTopicReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/finalizers,verbs=create;update;patch;delete
 
 // Reconcile reconciles the kafka topic
 func (r *KafkaTopicReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {

diff --git a/controllers/kafkauser_controller.go b/controllers/kafkauser_controller.go
@@ -154,6 +154,7 @@ type KafkaUserReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/finalizers,verbs=create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=clusterissuers,verbs=get;list;watch;create;update;patch;delete

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/banzaicloud/istio-client-go v0.0.17
 	github.com/banzaicloud/istio-operator/api/v2 v2.15.1
 	github.com/banzaicloud/k8s-objectmatcher v1.8.0
-	github.com/banzaicloud/koperator/api v0.24.0
+	github.com/banzaicloud/koperator/api v0.25.0
 	github.com/banzaicloud/koperator/properties v0.4.1
 	github.com/cert-manager/cert-manager v1.9.1
 	github.com/cisco-open/cluster-registry-controller/api v0.2.5

diff --git a/go.sum b/go.sum
@@ -100,8 +100,8 @@ github.com/banzaicloud/istio-operator/api/v2 v2.15.1 h1:BZg8COvoOJtfx/dgN7KpoOnc
 github.com/banzaicloud/istio-operator/api/v2 v2.15.1/go.mod h1:5qCpwWlIfxiLvBfTvT2mD2wp5RlFCDEt8Xql4sYPNBc=
 github.com/banzaicloud/k8s-objectmatcher v1.8.0 h1:Nugn25elKtPMTA2br+JgHNeSQ04sc05MDPmpJnd1N2A=
 github.com/banzaicloud/k8s-objectmatcher v1.8.0/go.mod h1:p2LSNAjlECf07fbhDyebTkPUIYnU05G+WfGgkTmgeMg=
-github.com/banzaicloud/koperator/api v0.24.0 h1:RwhKWy8umzpKhKEa0J6xgvv5wOU37ti3A9JqIjCHrDk=
-github.com/banzaicloud/koperator/api v0.24.0/go.mod h1:qvpewvjdELAnfO70vg9397CXZ4K4uHxpiWtf5fhKSrQ=
+github.com/banzaicloud/koperator/api v0.25.0 h1:cRfoWRUThrAEVnszeeXJkz42gNGezonl3+bGdvbxkNQ=
+github.com/banzaicloud/koperator/api v0.25.0/go.mod h1:qvpewvjdELAnfO70vg9397CXZ4K4uHxpiWtf5fhKSrQ=
 github.com/banzaicloud/koperator/properties v0.4.1 h1:SB2QgXlcK1Dc7Z1rg65PJifErDa8OQnoWCCJgmC7SGc=
 github.com/banzaicloud/koperator/properties v0.4.1/go.mod h1:TcL+llxuhW3UeQtVEDYEXGouFLF2P+LuZZVudSb6jyA=
 github.com/banzaicloud/operator-tools v0.28.0 h1:GSfc0qZr6zo7WrNxdgWZE1LcTChPU8QFYOTDirYVtIM=

diff --git a/main.go b/main.go
@@ -97,7 +97,7 @@ func main() {
 		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&webhookDisabled, "disable-webhooks", false, "Disable webhooks used to validate custom resources")
 	flag.StringVar(&webhookCertDir, "tls-cert-dir", "/etc/webhook/certs", "The directory with a tls.key and tls.crt for serving HTTPS requests")
-	flag.IntVar(&webhookServerPort, "webhook-server-port", 443, "The port that the webhook server serves at")
+	flag.IntVar(&webhookServerPort, "webhook-server-port", 9443, "The port that the webhook server serves at")
 	flag.BoolVar(&developmentLogging, "development", false, "Enable development logging")
 	flag.BoolVar(&verboseLogging, "verbose", false, "Enable verbose logging")
 	flag.BoolVar(&certManagerEnabled, "cert-manager-enabled", false, "Enable cert-manager integration")

diff --git a/pkg/resources/envoy/deployment.go b/pkg/resources/envoy/deployment.go
@@ -117,6 +117,7 @@ func (r *Reconciler) deployment(log logr.Logger, extListener v1beta1.ExternalLis
 							Resources:    *ingressConfig.EnvoyConfig.GetResources(),
 						},
 					},
+					SecurityContext:   ingressConfig.EnvoyConfig.GetPodSecurityContext(),
 					Volumes:           volumes,
 					PriorityClassName: ingressConfig.EnvoyConfig.GetPriorityClassName(),
 				},