From 1b538a8d32109849610d99e4da1ad41898b02f30 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Thu, 6 Mar 2025 14:25:35 +0000
Subject: [PATCH] Split configmaps for thanos operator
---
 magefiles/operator.go | 62 +++++++++++++++----
 .../services/bundle/staging/operator.yaml | 23 ++++++-
 2 files changed, 71 insertions(+), 14 deletions(-)
diff --git a/magefiles/operator.go b/magefiles/operator.go
index caba8af821..53d45ff1bd 100644
--- a/magefiles/operator.go
+++ b/magefiles/operator.go
@@ -151,7 +151,7 @@ func (l Local) Operator() {
 }
 func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
- return []runtime.Object{
+ objs := []runtime.Object{
 &corev1.ServiceAccount{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "v1",
@@ -797,12 +797,24 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
 },
 },
 operatorDeployment(namespace, m),
- operatorServingCertConfigMap(namespace),
 }
+ for _, cm := range operatorServingCertConfigMaps(namespace) {
+ objs = append(objs, cm)
+ }
+ return objs
 }
-func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
- return &corev1.ConfigMap{
+func operatorServingCertConfigMaps(namespace string) []*corev1.ConfigMap {
+ labels := map[string]string{
+ "app.kubernetes.io/component": "manager",
+ "app.kubernetes.io/created-by": "thanos-operator",
+ "app.kubernetes.io/instance": "controller-manager",
+ "app.kubernetes.io/managed-by": "rhobs",
+ "app.kubernetes.io/name": "configmap",
+ "app.kubernetes.io/part-of": "thanos-operator",
+ }
+
+ serviceCert := &corev1.ConfigMap{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "v1",
 Kind: "ConfigMap",
@@ -810,18 +822,24 @@ func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
 ObjectMeta: metav1.ObjectMeta{
 Name: "thanos-operator-serving-cert",
 Namespace: namespace,
- Labels: map[string]string{
- "app.kubernetes.io/component": "manager",
- "app.kubernetes.io/created-by": "thanos-operator",
- "app.kubernetes.io/instance": "controller-manager",
- "app.kubernetes.io/managed-by": "rhobs",
- "app.kubernetes.io/name": "configmap",
- "app.kubernetes.io/part-of": "thanos-operator",
- },
+ Labels: labels,
 Annotations: map[string]string{
 "service.beta.openshift.io/inject-cabundle": "true",
 },
 },
+ Data: map[string]string{},
+ }
+
+ rbacConfig := &corev1.ConfigMap{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "v1",
+ Kind: "ConfigMap",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "thanos-operator-rbac-config",
+ Namespace: namespace,
+ Labels: labels,
+ },
 Data: map[string]string{
 "config.yaml": `"authorization":
 "static":
@@ -832,6 +850,7 @@ func operatorServingCertConfigMap(namespace string) *corev1.ConfigMap {
 "verb": "get"`,
 },
 }
+ return []*corev1.ConfigMap{serviceCert, rbacConfig}
 }
 func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
@@ -893,7 +912,7 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 "--tls-cert-file=/etc/tls/private/tls.crt",
 "--tls-private-key-file=/etc/tls/private/tls.key",
 "--client-ca-file=/etc/service-ca/service-ca.crt",
- "--config-file=/etc/service-ca/config.yaml",
+ "--config-file=/etc/config/config.yaml",
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -906,6 +925,11 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 MountPath: "/etc/service-ca",
 ReadOnly: true,
 },
+ {
+ Name: "config",
+ MountPath: "/etc/config",
+ ReadOnly: true,
+ },
 },
 Ports: []corev1.ContainerPort{
 {
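Review bot: `operatorServingCertConfigMaps` now also builds the kube-rbac-proxy authorization ConfigMap (`thanos-operator-rbac-config`), so its name describes only half of what it returns; rename it (for example `operatorConfigMaps`) or at least add a doc comment such as `// operatorServingCertConfigMaps returns the ConfigMaps the operator deployment consumes: the service-ca-injected CA bundle and the static authorization config for the proxy.` The `labels` map declared in this hunk is assigned as-is to both objects' `ObjectMeta.Labels` in the next hunk, so a later mutation of one object's labels would silently show up on the other; giving the second object its own copy (`Labels: maps.Clone(labels)`, if the file's Go version allows `maps`) removes that aliasing. The append loop itself is fine, since a `[]*corev1.ConfigMap` cannot be passed to `append` on a `[]runtime.Object` directly.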
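Review bot: The explicit `Data: map[string]string{}` on the serving-cert ConfigMap is a no-op on the wire — `ConfigMap.Data` is tagged `omitempty`, so an empty map serializes exactly like an unset field — which makes it read like a placeholder rather than an intent. If the aim is to record that the contents arrive at runtime, say so in a comment instead: `// Data is intentionally empty: the service-ca controller fills in the CA bundle via the inject-cabundle annotation.` Otherwise drop the field.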
@@ -994,6 +1018,18 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 },
 },
 },
+ {
+ Name: "config",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "thanos-operator-rbac-config",
+ },
+ DefaultMode: ptr.To(int32(420)),
+ Optional: ptr.To(false),
+ },
+ },
+ },
 },
 ServiceAccountName: "thanos-operator-controller-manager",
 TerminationGracePeriodSeconds: ptr.To(int64(10)),
diff --git a/resources/services/bundle/staging/operator.yaml b/resources/services/bundle/staging/operator.yaml
index c111d9653d..84876cb392 100755
--- a/resources/services/bundle/staging/operator.yaml
+++ b/resources/services/bundle/staging/operator.yaml
@@ -71,7 +71,7 @@ objects:
 - --tls-cert-file=/etc/tls/private/tls.crt
 - --tls-private-key-file=/etc/tls/private/tls.key
 - --client-ca-file=/etc/service-ca/service-ca.crt
- - --config-file=/etc/service-ca/config.yaml
+ - --config-file=/etc/config/config.yaml
 image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:98455d503b797b6b02edcfd37045c8fab0796b95ee5cf4cfe73b221a07e805f0
 imagePullPolicy: IfNotPresent
 name: kube-rbac-proxy
@@ -98,6 +98,9 @@ objects:
 - mountPath: /etc/service-ca
 name: service-ca
 readOnly: true
+ - mountPath: /etc/config
+ name: config
+ readOnly: true
 - args:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
@@ -156,6 +159,11 @@ objects:
 name: openshift-service-ca.crt
 optional: false
 name: service-ca
+ - configMap:
+ defaultMode: 420
+ name: thanos-operator-rbac-config
+ optional: false
+ name: config
 status: {}
 - apiVersion: v1
 kind: ServiceAccount
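Review bot: `DefaultMode: ptr.To(int32(420))` hides that 420 is the file mode 0644; writing it as `DefaultMode: ptr.To(int32(0o644))` states the intended permission and the generated bundle still renders as `defaultMode: 420`. `Optional: ptr.To(false)` is the right setting for an authorization policy — the container should fail to start rather than run the proxy without its config — but that reasoning deserves a one-line comment, e.g. `// Optional=false: never start the proxy without its authorization config.` Whichever literal form is chosen, keep it consistent with the existing `service-ca` volume above, which this hunk does not show. The enclosing `operatorDeployment` body starts and ends outside the hunk.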
@@ -450,6 +458,19 @@ objects:
 "name": "system:serviceaccount:openshift-customer-monitoring:prometheus-k8s"
 "verb": "get"
 kind: ConfigMap
+ metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: thanos-operator
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/managed-by: rhobs
+ app.kubernetes.io/name: configmap
+ app.kubernetes.io/part-of: thanos-operator
+ name: thanos-operator-rbac-config
+ namespace: rhobs-stage
+- apiVersion: v1
+ kind: ConfigMap
 metadata:
 annotations:
 service.beta.openshift.io/inject-cabundle: "true"