initial refactoring

Author: joelanford

Makefile

@@ -7,6 +7,16 @@ SHELL := /usr/bin/env bash -o pipefail
 .SHELLFLAGS := -ec
 export ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
+# attempt to generate the VERSION attribute for certificates
+# fail if it is unset afterwards, since the side effects are indirect
+ifeq ($(strip $(VERSION)),)
+VERSION := $(shell git describe --tags --always --dirty)
+endif
+export VERSION
+ifeq ($(strip $(VERSION)),)
+	$(error undefined VERSION; resulting certs will be invalid)
+endif
+
 GOLANG_VERSION := $(shell sed -En 's/^go (.*)$$/\1/p' "go.mod")
 # Image URL to use all building/pushing image targets
 ifeq ($(origin IMAGE_REGISTRY), undefined)
@@ -25,7 +35,7 @@ endif
 export CATD_IMAGE_REPO
 
 ifeq ($(origin IMAGE_TAG), undefined)
-IMAGE_TAG := devel
+IMAGE_TAG := $(VERSION)
 endif
 export IMAGE_TAG
 
@@ -77,7 +87,7 @@ else
 $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!)
 endif
 
-KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager
+KUSTOMIZE_BUILD_DIR := config-new/overlays/community
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -248,12 +258,11 @@ image-registry: ## Build the testdata catalog used for e2e tests and push it to
 # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e
 .PHONY: test-e2e
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
-test-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/e2e
+test-e2e: KUSTOMIZE_BUILD_DIR := config-new/overlays/community-e2e
 test-e2e: GO_BUILD_EXTRA_FLAGS := -cover
 test-e2e: run image-registry e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 
 .PHONY: extension-developer-e2e
-extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager
 extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e
 extension-developer-e2e: export INSTALL_DEFAULT_CATALOGS := false
 extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean #EXHELP Run extension-developer e2e on local kind cluster
@@ -291,7 +300,7 @@ kind-load: $(KIND) #EXHELP Loads the currently constructed images into the KIND
 kind-deploy: export MANIFEST := ./operator-controller.yaml
 kind-deploy: export DEFAULT_CATALOG := ./config/catalogs/clustercatalogs/default-catalogs.yaml
 kind-deploy: manifests $(KUSTOMIZE)
-	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | sed "s/cert-git-version/cert-$(VERSION)/g" > $(MANIFEST)
+	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | envsubst '$$VERSION' > operator-controller.yaml
 	envsubst '$$DEFAULT_CATALOG,$$CERT_MGR_VERSION,$$INSTALL_DEFAULT_CATALOGS,$$MANIFEST' < scripts/install.tpl.sh | bash -s
 
 .PHONY: kind-cluster
@@ -306,16 +315,6 @@ kind-clean: $(KIND) #EXHELP Delete the kind cluster.
 
 #SECTION Build
 
-# attempt to generate the VERSION attribute for certificates
-# fail if it is unset afterwards, since the side effects are indirect
-ifeq ($(strip $(VERSION)),)
-VERSION := $(shell git describe --tags --always --dirty)
-endif
-export VERSION
-ifeq ($(strip $(VERSION)),)
-	$(error undefined VERSION; resulting certs will be invalid)
-endif
-
 ifeq ($(origin CGO_ENABLED), undefined)
 CGO_ENABLED := 0
 endif
@@ -384,7 +383,7 @@ release: $(GORELEASER) #EXHELP Runs goreleaser for the operator-controller. By d
 quickstart: export MANIFEST := https://github.com/operator-framework/operator-controller/releases/download/$(VERSION)/operator-controller.yaml
 quickstart: export DEFAULT_CATALOG := "https://github.com/operator-framework/operator-controller/releases/download/$(VERSION)/default-catalogs.yaml"
 quickstart: $(KUSTOMIZE) manifests #EXHELP Generate the unified installation release manifests and scripts.
-	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | sed "s/cert-git-version/cert-$(VERSION)/g" | sed "s/:devel/:$(VERSION)/g" > operator-controller.yaml
+	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | envsubst '$$VERSION' > operator-controller.yaml
 	envsubst '$$DEFAULT_CATALOG,$$CERT_MGR_VERSION,$$INSTALL_DEFAULT_CATALOGS,$$MANIFEST' < scripts/install.tpl.sh > install.sh
 
 ##@ Docs

config-new/base/catalogd/crd/bases/olm.operatorframework.io_clustercatalogs.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- bases/olm.operatorframework.io_clustercatalogs.yaml
+- mutating_webhook_configuration.yaml

config-new/base/catalogd/crd/kustomization.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: service
+        namespace: __NAMESPACE_PLACEHOLDER__
+        path: /mutate-olm-operatorframework-io-v1-clustercatalog
+        port: 9443
+    failurePolicy: Fail
+    matchConditions:
+      - expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)"
+        name: MissingOrIncorrectMetadataNameLabel
+    name: inject-metadata-name.olm.operatorframework.io
+    rules:
+      - apiGroups:
+          - olm.operatorframework.io
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clustercatalogs
+    sideEffects: None
+    timeoutSeconds: 10

config-new/base/catalogd/crd/mutating_webhook_configuration.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+  - pairs:
+      app.kubernetes.io/name: catalogd
+    includeTemplates: false
+    includeSelectors: false
+
+namePrefix: catalogd-
+
+resources:
+  - crd
+  - rbac
+  - manager
+

config-new/base/catalogd/kustomization.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: __NAMESPACE_PLACEHOLDER__
+  annotations:
+    kubectl.kubernetes.io/default-logs-container: manager
+spec:
+  replicas: 1
+  minReadySeconds: 5
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/arch
+                  operator: In
+                  values:
+                    - amd64
+                    - arm64
+                    - ppc64le
+                    - s390x
+                - key: kubernetes.io/os
+                  operator: In
+                  values:
+                    - linux
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - command:
+        - ./catalogd
+        args:
+        - --leader-elect
+        - --metrics-bind-address=:7443
+        - --external-address=catalogd-service.$(POD_NAMESPACE).svc
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        image: controller:latest
+        name: manager
+        volumeMounts:
+            - name: cache
+              mountPath: /var/cache/
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+      serviceAccountName: controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: cache
+          emptyDir: {}

config-new/base/catalogd/manager/deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- deployment.yaml
+- service.yaml
+
+labels:
+  - pairs:
+      control-plane: catalogd-controller-manager
+    includeSelectors: true
+    includeTemplates: true
+
+images:
+- name: controller
+  newName: quay.io/operator-framework/catalogd
+  newTag: ${VERSION}

config-new/base/catalogd/manager/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: service
+  namespace: __NAMESPACE_PLACEHOLDER__
+spec:
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 8443
+  - name: webhook
+    protocol: TCP
+    port: 9443
+    targetPort: 9443
+  - name: metrics
+    protocol: TCP
+    port: 7443
+    targetPort: 7443

config-new/base/catalogd/manager/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config-new/base/catalogd/rbac/auth_proxy_client_clusterrole.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config-new/base/catalogd/rbac/auth_proxy_role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: __NAMESPACE_PLACEHOLDER__

config-new/base/catalogd/rbac/auth_proxy_role_binding.yaml

@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+
+# The following resources are pre-defined roles for editors and viewers
+# of APIs provided by this project.
+# TODO: CREATE AND ENABLE EDITOR/VIEWER CLUSTER ROLES FOR CATALOGD TO ALIGN WITH OPERATOR_CONTROLLER
+#- clustercatalog_editor_role.yaml
+#- clustercatalog_viewer_role.yaml

config-new/base/catalogd/rbac/kustomization.yaml

@@ -0,0 +1,37 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  -  coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

config-new/base/catalogd/rbac/leader_election_role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: __NAMESPACE_PLACEHOLDER__