Bump operator-sdk, ansible-operator, and OPM binaries to align with
the OCP 4.20 / AAP 2.7 target. Replace the deprecated kube-rbac-proxy
sidecar (removed in operator-sdk v1.38.0) with controller-runtime's
built-in WithAuthenticationAndAuthorization for metrics endpoint
protection.
Changes:
- Makefile: operator-sdk v1.36.1 → v1.40.0, OPM v1.26.0 → v1.55.0
- Dockerfile: ansible-operator base image v1.36.1 → v1.40.0
- Remove kube-rbac-proxy sidecar and auth_proxy_* RBAC manifests
- Add metrics_auth_role, metrics_reader, and metrics_service resources
- Add --metrics-secure, --metrics-require-rbac, --metrics-bind-address
flags via JSON patch to serve metrics directly from the manager on
port 8443 with TLS and RBAC authentication
Ref: AAP-65254
Authored By: Christian M. Adams <chadams@redhat.com>
Assisted By: Claude
Support external execution nodes
- Allow receptor.conf to be editable at runtime
- Create CA cert and key as a k8s secret
- Create work signing RSA keypair as a k8s secret
- Setup volume mounts for containers to have access to the needed
Receptor keys / certs to facilitate generating the install bundle
for a new execution node
- added firewall rule, work signing and tls cert configuration to default receptor.conf
The volume mount changes in this PR fulfill the following:
- `receptor.conf` need to be shared between task container and ee container
- **task** container writes the `receptor.conf`
- **ee** consume the `receptor.conf`
- receptor ca cert/key need to be mounted by both ee container and web container
- **ee** container need the ca cert
- **web** container will need the ca key to sign client cert for remote execution node
- **web** container will need the ca cert to generate install bundle for remote execution node
- receptor work private/public key need to be mounted by both ee container and web container
- **ee** container need to private key to sign the work
- **web** container need the public key to generate install bundle for remote execution node
- **task** container need the private key to sign the work
Signed-off-by: Hao Liu <haoli@redhat.com>
Co-Authored-By: Seth Foster <fosterbseth@gmail.com>
Co-Authored-By: Shane McDonald <me@shanemcd.com>
Signed-off-by: Hao Liu <haoli@redhat.com>
Co-authored-by: Shane McDonald <me@shanemcd.com>
Co-authored-by: Seth Foster <fosterbseth@gmail.com>
