diff --git a/magefiles/operator.go b/magefiles/operator.go
index caba8af821..53d45ff1bd 100644
--- a/magefiles/operator.go
+++ b/magefiles/operator.go
@@ -151,7 +151,7 @@ func (l Local) Operator() {
}
func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
- return []runtime.Object{
+ objs := []runtime.Object{
&corev1.ServiceAccount{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
@@ -797,12 +797,24 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
},
},
operatorDeployment(namespace, m),
- operatorServingCertConfigMap(namespace),
}
+ for _, cm := range operatorServingCertConfigMaps(namespace) {
+ objs = append(objs, cm)
+ }
+ return objs
}
-func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
- return &corev1.ConfigMap{
+func operatorServingCertConfigMaps(namespace string) []*corev1.ConfigMap {
+ labels := map[string]string{
+ "app.kubernetes.io/component": "manager",
+ "app.kubernetes.io/created-by": "thanos-operator",
+ "app.kubernetes.io/instance": "controller-manager",
+ "app.kubernetes.io/managed-by": "rhobs",
+ "app.kubernetes.io/name": "configmap",
+ "app.kubernetes.io/part-of": "thanos-operator",
+ }
+
+ serviceCert := &corev1.ConfigMap{
TypeMeta: metav1.TypeMeta{
APIVersion: "v1",
Kind: "ConfigMap",
@@ -810,18 +822,24 @@ func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
ObjectMeta: metav1.ObjectMeta{
Name: "thanos-operator-serving-cert",
Namespace: namespace,
- Labels: map[string]string{
- "app.kubernetes.io/component": "manager",
- "app.kubernetes.io/created-by": "thanos-operator",
- "app.kubernetes.io/instance": "controller-manager",
- "app.kubernetes.io/managed-by": "rhobs",
- "app.kubernetes.io/name": "configmap",
- "app.kubernetes.io/part-of": "thanos-operator",
- },
+ Labels: labels,
Annotations: map[string]string{
"service.beta.openshift.io/inject-cabundle": "true",
},
},
+ Data: map[string]string{},
+ }
+
+ rbacConfig := &corev1.ConfigMap{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "v1",
+ Kind: "ConfigMap",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "thanos-operator-rbac-config",
+ Namespace: namespace,
+ Labels: labels,
+ },
Data: map[string]string{
"config.yaml": `"authorization":
"static":
@@ -832,6 +850,7 @@ func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
"verb": "get"`,
},
}
+ return []*corev1.ConfigMap{serviceCert, rbacConfig}
}
func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
@@ -893,7 +912,7 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
"--tls-cert-file=/etc/tls/private/tls.crt",
"--tls-private-key-file=/etc/tls/private/tls.key",
"--client-ca-file=/etc/service-ca/service-ca.crt",
- "--config-file=/etc/service-ca/config.yaml",
+ "--config-file=/etc/config/config.yaml",
},
VolumeMounts: []corev1.VolumeMount{
{
@@ -906,6 +925,11 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
MountPath: "/etc/service-ca",
ReadOnly: true,
},
+ {
+ Name: "config",
+ MountPath: "/etc/config",
+ ReadOnly: true,
+ },
},
Ports: []corev1.ContainerPort{
{
@@ -994,6 +1018,18 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
},
},
},
+ {
+ Name: "config",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "thanos-operator-rbac-config",
+ },
+ DefaultMode: ptr.To(int32(420)),
+ Optional: ptr.To(false),
+ },
+ },
+ },
},
ServiceAccountName: "thanos-operator-controller-manager",
TerminationGracePeriodSeconds: ptr.To(int64(10)),
diff --git a/resources/services/bundle/staging/operator.yaml b/resources/services/bundle/staging/operator.yaml
index c111d9653d..84876cb392 100755
--- a/resources/services/bundle/staging/operator.yaml
+++ b/resources/services/bundle/staging/operator.yaml
@@ -71,7 +71,7 @@ objects:
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --client-ca-file=/etc/service-ca/service-ca.crt
- - --config-file=/etc/service-ca/config.yaml
+ - --config-file=/etc/config/config.yaml
image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:98455d503b797b6b02edcfd37045c8fab0796b95ee5cf4cfe73b221a07e805f0
imagePullPolicy: IfNotPresent
name: kube-rbac-proxy
@@ -98,6 +98,9 @@ objects:
- mountPath: /etc/service-ca
name: service-ca
readOnly: true
+ - mountPath: /etc/config
+ name: config
+ readOnly: true
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
@@ -156,6 +159,11 @@ objects:
name: openshift-service-ca.crt
optional: false
name: service-ca
+ - configMap:
+ defaultMode: 420
+ name: thanos-operator-rbac-config
+ optional: false
+ name: config
status: {}
- apiVersion: v1
kind: ServiceAccount
@@ -450,6 +458,19 @@ objects:
"name": "system:serviceaccount:openshift-customer-monitoring:prometheus-k8s"
"verb": "get"
kind: ConfigMap
+ metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: thanos-operator
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/managed-by: rhobs
+ app.kubernetes.io/name: configmap
+ app.kubernetes.io/part-of: thanos-operator
+ name: thanos-operator-rbac-config
+ namespace: rhobs-stage
+- apiVersion: v1
+ kind: ConfigMap
metadata:
annotations:
service.beta.openshift.io/inject-cabundle: "true"