Move to a per-namespace deployment approach

* This increases security: the awx-operator SA has less cluster-wide
    access
  * This means one operator can only deploy to a single namespace
  * If AWX deployments are needed in multiple namespaces, multiple
    awx-operators can be deployed to accomplish this.

Signed-off-by: Christian M. Adams <chadams@redhat.com>
Christian M. Adams
2021-09-15 15:54:09 -04:00
parent fcbf8b5715
commit 58c3ebf4b0
10 changed files with 20 additions and 22 deletions


@@ -5,7 +5,7 @@
- name: Deploy Operator - name: Deploy Operator
hosts: localhost hosts: localhost
vars: vars:
k8s_namespace: "default" k8s_namespace: "{{ namespace | default('default') }}"
obliterate: no obliterate: no
collections: collections:
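Review bot: The new `k8s_namespace` default carries no explanation of what the `namespace` variable now selects, and with the operator becoming namespace-scoped in this commit that choice matters more than before: presumably the Role, RoleBinding, ServiceAccount and Deployment all land in this namespace and it is the only namespace the operator will reconcile. A comment above the vars entry would make that explicit, e.g. `# Namespace the operator is deployed into; the operator is namespace-scoped, so this is also the only namespace it watches. Override with -e namespace=<ns>.` The play continues outside the hunk.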


@@ -22,9 +22,11 @@ spec:
- mountPath: /tmp/ansible-operator/runner - mountPath: /tmp/ansible-operator/runner
name: runner name: runner
env: env:
# Watch all namespaces (cluster-scoped). # Watch one namespace (namespace-scoped).
- name: WATCH_NAMESPACE - name: WATCH_NAMESPACE
value: "" valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
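Review bot: The replacement comment `# Watch one namespace (namespace-scoped).` does not say which namespace, and the fieldRef added right below is what decides it: the operator watches the namespace its own Pod runs in, and nothing else. Suggest `# Watch only the namespace this Pod runs in (namespace-scoped).` so a reader does not expect WATCH_NAMESPACE to be set from values or a flag. The same comment and fieldRef appear again in the Deployment hunk of the combined manifest further down in this commit. The container spec continues outside the hunk.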


@@ -1,6 +1,6 @@
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: Role
metadata: metadata:
creationTimestamp: null creationTimestamp: null
name: awx-operator name: awx-operator
@@ -95,7 +95,6 @@ rules:
- replicasets - replicasets
verbs: verbs:
- get - get
verbs:
- create - create
- apiGroups: - apiGroups:
- awx.ansible.com - awx.ansible.com
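Review bot: Changing `kind: ClusterRole` to `kind: Role` only tightens access if the rules list contains nothing cluster-scoped; any rule for cluster-scoped resources (namespaces, CRDs, ClusterRoles, nodes and the like) that remains under `rules:` is dead weight in a Role, because a RoleBinding cannot grant it, and it obscures what the operator actually needs. The rules list is outside this hunk, so it deserves a pass with least privilege in mind now that the object kind has changed. A short header comment would also record the intent, e.g. `# Namespace-scoped: grants apply only inside the namespace this Role is created in.` The same ClusterRole→Role change is repeated in the combined manifest below in this commit and the two copies need to stay identical.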


@@ -1,13 +1,12 @@
--- ---
kind: ClusterRoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: awx-operator name: awx-operator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: awx-operator name: awx-operator
namespace: default
roleRef: roleRef:
kind: ClusterRole kind: Role
name: awx-operator name: awx-operator
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
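Review bot: Dropping `namespace: default` from the ServiceAccount subject relies on the API server defaulting the subject's namespace to the RoleBinding's own namespace; as far as I recall that defaulting applies to RoleBinding only, and the same subject block in a ClusterRoleBinding would be rejected as incomplete. That is fine for the namespace-scoped layout this commit introduces, but it is an implicit dependency worth writing down so the object is not copied back into a cluster-scoped binding later: `# namespace omitted on purpose: defaults to this RoleBinding's own namespace`.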


@@ -3,4 +3,3 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: awx-operator name: awx-operator
namespace: default


@@ -610,7 +610,7 @@ spec:
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: Role
metadata: metadata:
creationTimestamp: null creationTimestamp: null
name: awx-operator name: awx-operator
@@ -705,7 +705,6 @@ rules:
- replicasets - replicasets
verbs: verbs:
- get - get
verbs:
- create - create
- apiGroups: - apiGroups:
- awx.ansible.com - awx.ansible.com
@@ -717,16 +716,15 @@ rules:
- '*' - '*'
--- ---
kind: ClusterRoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: awx-operator name: awx-operator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: awx-operator name: awx-operator
namespace: default
roleRef: roleRef:
kind: ClusterRole kind: Role
name: awx-operator name: awx-operator
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -735,7 +733,6 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: awx-operator name: awx-operator
namespace: default
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
@@ -761,9 +758,11 @@ spec:
- mountPath: /tmp/ansible-operator/runner - mountPath: /tmp/ansible-operator/runner
name: runner name: runner
env: env:
# Watch all namespaces (cluster-scoped). # Watch one namespace (namespace-scoped).
- name: WATCH_NAMESPACE - name: WATCH_NAMESPACE
value: "" valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
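Review bot: These hunks repeat, line for line, the ClusterRole→Role, RoleBinding, ServiceAccount and WATCH_NAMESPACE edits made in the individual manifests above, which suggests this combined manifest is either generated from them or kept in sync by hand; the commit does not say which. If it is hand-maintained, an RBAC fix landing in one copy but not the other would silently leave one deployment path with the wider permissions, so a header line such as `# Generated from the individual manifests under <deploy dir> — do not edit by hand` (or a note on how it is regenerated) would remove the ambiguity. The points raised on the Role and WATCH_NAMESPACE hunks above apply to the corresponding hunks here as well.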


@@ -755,11 +755,11 @@ spec:
installModes: installModes:
- supported: true - supported: true
type: OwnNamespace type: OwnNamespace
- supported: true - supported: false
type: SingleNamespace type: SingleNamespace
- supported: false - supported: false
type: MultiNamespace type: MultiNamespace
- supported: true - supported: false
type: AllNamespaces type: AllNamespaces
keywords: keywords:
- awx - awx
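Review bot: Marking `SingleNamespace` and `AllNamespaces` as unsupported is consistent with the WATCH_NAMESPACE fieldRef, but the least-privilege goal only holds if the CSV's RBAC moved with it: rules declared under `spec.install.spec.clusterPermissions` are bound cluster-wide by OLM regardless of install mode, so with the manifests now using a Role they belong under `spec.install.spec.permissions`. That part of the CSV is outside this hunk and worth confirming. A reader of installModes alone also cannot tell why SingleNamespace was dropped; `# WATCH_NAMESPACE is taken from the operator Pod's own namespace, so only OwnNamespace is supported` would record the reasoning.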


@@ -26,4 +26,4 @@ provisioner:
inventory: inventory:
group_vars: group_vars:
all: all:
operator_namespace: ${TEST_NAMESPACE:-default} operator_namespace: ${TEST_NAMESPACE:-example-awx}


@@ -19,7 +19,7 @@ provisioner:
inventory: inventory:
group_vars: group_vars:
all: all:
operator_namespace: ${TEST_NAMESPACE:-default} operator_namespace: ${TEST_NAMESPACE:-example-awx}
env: env:
ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
scenario: scenario:


@@ -1,6 +1,6 @@
### Don't run this deployment in production ### Don't run this deployment in production
### The current configuration will run the ### The current configuration will run the
### OKD console without any autentication!!!! ### OKD console without any authentication!!!!
### ###
### A prerequisite is to install the OLM ### A prerequisite is to install the OLM
### as instructed at https://olm.operatorframework.io/docs/getting-started/#install-released-olm ### as instructed at https://olm.operatorframework.io/docs/getting-started/#install-released-olm