From f320b592471e18721b5d99eabb42ee3914dfb975 Mon Sep 17 00:00:00 2001 From: Danil Grigorev Date: Mon, 4 Mar 2024 11:57:09 +0100 Subject: [PATCH] Release and RBAC fixes Signed-off-by: Danil Grigorev --- .github/workflows/release.yaml | 35 +++++++++++--- Dockerfile | 1 + Makefile | 2 +- config/default/manager_image_patch.yaml | 2 +- config/default/manager_pull_policy.yaml | 2 +- config/rbac/auth_proxy_service.yaml | 4 +- config/rbac/role.yaml | 46 +++++++++++++++++++ internal/controller/generic_controller.go | 3 ++ .../veleroinstallation_controller.go | 4 ++ 9 files changed, 87 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 17079e3..c8ac1b8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,7 +12,7 @@ permissions: jobs: build: - name: create draft release + name: build and push release images runs-on: ubuntu-latest env: REGISTRY: ghcr.io/${{ github.actor }} 
@@ -38,15 +38,36 @@ jobs: echo "OWNER=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV echo "REGISTRY=$(echo $REGISTRY | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV - name: Build docker image - run: make docker-build + run: make docker-build-all - name: Push docker image - run: make docker-push - - name: generate release artifacts + run: make docker-push-all + + publish: + name: Publish the draft release + runs-on: ubuntu-latest + needs: + - build + env: + REGISTRY: ghcr.io/${{ github.actor }} + steps: + - name: Set env + run: echo "RELEASE_TAG=${GITHUB_REF:10}" >> $GITHUB_ENV + - name: checkout code + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # tag=v3.3.0 + with: + fetch-depth: 0 + - name: Install go + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # tag=v3.5.0 + with: + go-version: '^1.22' + - name: Convert actor name to lowercase and store in the env run: | - make release + echo "OWNER=$(echo $GITHUB_ACTOR | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + echo "REGISTRY=$(echo $REGISTRY | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV + - name: generate release artifacts + run: make release - name: generate release notes - run: | - make release-notes + run: make release-notes - name: Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v1 with: diff --git a/Dockerfile b/Dockerfile index a48973e..87376e2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,7 @@ RUN go mod download COPY cmd/main.go cmd/main.go COPY api/ api/ COPY internal/controller/ internal/controller/ +COPY internal/plugin/ internal/plugin/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command diff --git a/Makefile b/Makefile index db1539f..3985044 100644 --- a/Makefile +++ b/Makefile 
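Review bot: The new `publish` job sets `REGISTRY: ghcr.io/${{ github.actor }}`, as the `build` job already does, so the namespace that release images and manifests point at depends on which account pushed the tag rather than on the repository. `github.actor` is the user who triggered the run; for a release the repository owner is the stable value, `REGISTRY: ghcr.io/${{ github.repository_owner }}`, with the lowercase step reading `$GITHUB_REPOSITORY_OWNER` instead of `$GITHUB_ACTOR`. The added `run` lines also expand `$REGISTRY` and `$GITHUB_ENV` unquoted; `"$REGISTRY"` and `>> "$GITHUB_ENV"` are the safer forms. The Release step continues past the end of the hunk, so its inputs are not visible here.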
@@ -189,7 +189,7 @@ GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)) # Define Docker related variables. Releases should modify and double check these vars. # REGISTRY ?= gcr.io/$(shell gcloud config get-value project) REGISTRY ?= ghcr.io/danil-grigorev -PROD_REGISTRY ?= registry.k8s.io/cluster-api-helm +PROD_REGISTRY ?= ghcr.io/danil-grigorev STAGING_REGISTRY ?= gcr.io/k8s-staging-cluster-api-velero STAGING_BUCKET ?= artifacts.k8s-staging-cluster-api-velero.appspot.com diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml index 9538d72..c7b7c35 100644 --- a/config/default/manager_image_patch.yaml +++ b/config/default/manager_image_patch.yaml @@ -7,5 +7,5 @@ spec: template: spec: containers: - - image: ghcr.io/danil-grigorev/cluster-api-velero-controller-amd64:dev + - image: ghcr.io/danil-grigorev/cluster-api-velero-controller:dev name: manager diff --git a/config/default/manager_pull_policy.yaml b/config/default/manager_pull_policy.yaml index 74a0879..cd7ae12 100644 --- a/config/default/manager_pull_policy.yaml +++ b/config/default/manager_pull_policy.yaml @@ -8,4 +8,4 @@ spec: spec: containers: - name: manager - imagePullPolicy: Always + imagePullPolicy: IfNotPresent diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index 39c3cc5..46a998d 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -4,12 +4,12 @@ metadata: labels: control-plane: controller-manager app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/instance: metrics-service app.kubernetes.io/component: kube-rbac-proxy app.kubernetes.io/created-by: cluster-api-addon-provider-velero app.kubernetes.io/part-of: cluster-api-addon-provider-velero app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-service + name: metrics-service namespace: system spec: ports: 
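Review bot: `PROD_REGISTRY ?= ghcr.io/danil-grigorev` makes the production default identical to the development `REGISTRY` default, both under a personal account namespace, while the staging variables below still name a `k8s-staging` project. That is presumably intended for now, but the line needs a comment saying so, for example `# PROD_REGISTRY is a personal ghcr.io namespace until an organisation-owned registry exists; override it for official releases.`. Without one, a release can publish manifests that point consumers at this namespace without anyone having decided that.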
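Review bot: `imagePullPolicy: IfNotPresent` in config/default/manager_pull_policy.yaml is combined with the mutable tag `ghcr.io/danil-grigorev/cluster-api-velero-controller:dev` set in manager_image_patch.yaml. A node that already holds a `:dev` image keeps running it after a newer one is pushed under the same tag, so a rebuilt or fixed controller may never roll out there. Either keep `imagePullPolicy: Always` while the default manifest uses `:dev`, or have the default reference a versioned tag or a digest. If `make release` rewrites the image reference in the published manifests this only affects development installs, but that rewrite is not visible in this patch.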
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index a60b880..f7dbc9a 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -4,6 +4,38 @@ kind: ClusterRole metadata: name: manager-role rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - addons.cluster.x-k8s.io + resources: + - helmchartproxies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - addons.cluster.x-k8s.io + resources: + - helmchartproxies/finalizers + verbs: + - update +- apiGroups: + - addons.cluster.x-k8s.io + resources: + - helmchartproxies/status + verbs: + - get - apiGroups: - addons.cluster.x-k8s.io resources: @@ -108,3 +140,17 @@ rules: - get - patch - update +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters/status + verbs: + - get diff --git a/internal/controller/generic_controller.go b/internal/controller/generic_controller.go index a0a9580..c5e9751 100644 --- a/internal/controller/generic_controller.go +++ b/internal/controller/generic_controller.go @@ -45,6 +45,9 @@ const ( finalizer = "addons.cluster.x-k8s.io/velero" ) +//+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch +//+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters/status,verbs=get + // GenericReconciler is a generic interface for velero objects reconciler type GenericReconciler[P veleroaddonv1.VeleroProxy[V], V veleroaddonv1.VeleroOrigin] interface { client.Client diff --git a/internal/controller/veleroinstallation_controller.go b/internal/controller/veleroinstallation_controller.go index f31d1ef..1040f4b 100644 --- a/internal/controller/veleroinstallation_controller.go +++ b/internal/controller/veleroinstallation_controller.go 
@@ -41,6 +41,10 @@ type VeleroInstallationReconciler struct { //+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=veleroinstallations,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=veleroinstallations/status,verbs=get;update;patch //+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=veleroinstallations/finalizers,verbs=update +//+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=helmchartproxies,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=helmchartproxies/status,verbs=get +//+kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=helmchartproxies/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.
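Review bot: The added marker `//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch` ends up in the `manager-role` ClusterRole (see the config/rbac/role.yaml hunk), so the controller's service account can read every Secret in every namespace of the management cluster. `list` and `watch` cannot be narrowed with `resourceNames`, so the way to limit this is scope: if the reconciler only reads Secrets from known namespaces, add `namespace=<ns>` to the marker so controller-gen emits a namespaced Role instead. If cluster-wide read really is required, put a comment above the marker saying which Secrets are read and why, for example `// Secrets are read in the namespace of each VeleroInstallation to resolve provider credentials.`, adjusted to what the code actually does. The Reconcile body is outside this hunk, so which Secrets it reads cannot be confirmed from here.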