Issue 65065

Makefile

@@ -21,7 +21,10 @@
 BUILD_LOCALLY ?= 1
 
 # The namespace that operator will be deployed in
-NAMESPACE=ibm-common-services
+CONTROL_NS ?= ibm-common-services
+DATA_NS ?= $(CONTROL_NS)
+WATCH_NS ?= $(DATA_NS)
+
 GIT_COMMIT_ID=$(shell git rev-parse --short HEAD)
 GIT_REMOTE_URL=$(shell git config --get remote.origin.url)
 IMAGE_BUILD_OPTS=--build-arg "VCS_REF=$(GIT_COMMIT_ID)" --build-arg "VCS_URL=$(GIT_REMOTE_URL)"
@@ -180,7 +183,7 @@ ifeq (,$(shell which go 2>/dev/null))
  exit 1; \
  }
 endif
- test -s $(LOCALBIN)/go$(GO_VERSION) && $(LOCALBIN)/go$(GO_VERSION) version | grep -q $(GO_VERSION) || \
+ @test -s $(LOCALBIN)/go$(GO_VERSION) && $(LOCALBIN)/go$(GO_VERSION) version | grep -q $(GO_VERSION) || \
  GOSUMDB=sum.golang.org GOBIN=$(LOCALBIN) go install golang.org/dl/go$(GO_VERSION)@latest && $(LOCALBIN)/go$(GO_VERSION) download
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
@@ -326,34 +329,42 @@ catalog-build: opm ## Build a catalog image.
 bundle-build: ## Build the bundle image.
  docker build -f $(BUNDLE_DOCKERFILE) -t $(BUNDLE_IMG) .
 
-build-image-amd64: $(GO) $(CONFIG_DOCKER_TARGET) licenses-dir ## Build the Operator for Linux on amd64.
- CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GO) build -a -o build/_output/bin/manager main.go
- DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/amd64 $(CONTAINER_CLI) build ${IMAGE_BUILD_OPTS} -t $(REGISTRY)/$(IMG)-amd64:$(GIT_COMMIT_ID) -f ./Dockerfile .
- $(CONTAINER_CLI) inspect $(REGISTRY)/$(IMG)-amd64:$(GIT_COMMIT_ID)
- @rm -f build/_output/bin/manager
- @if [ $(BUILD_LOCALLY) -ne 1 ]; then $(CONTAINER_CLI) push $(REGISTRY)/$(IMG)-amd64:$(GIT_COMMIT_ID); fi
-
-build-image-ppc64le: $(GO) $(CONFIG_DOCKER_TARGET) licenses-dir ## Build the Operator for Linux on ppc64le.
- CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le $(GO) build -a -o build/_output/bin/manager main.go
- DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/ppc64le $(CONTAINER_CLI) build ${IMAGE_BUILD_OPTS} -t $(REGISTRY)/$(IMG)-ppc64le:$(GIT_COMMIT_ID) -f ./Dockerfile .
- $(CONTAINER_CLI) inspect $(REGISTRY)/$(IMG)-ppc64le:$(GIT_COMMIT_ID)
- @\rm -f build/_output/bin/manager
- @if [ $(BUILD_LOCALLY) -ne 1 ]; then $(CONTAINER_CLI) push $(REGISTRY)/$(IMG)-ppc64le:$(GIT_COMMIT_ID); fi
-
-build-image-s390x: $(GO) $(CONFIG_DOCKER_TARGET) licenses-dir ## Build the Operator for Linux on s390x.
- CGO_ENABLED=0 GOOS=linux GOARCH=s390x $(GO) build -a -o build/_output/bin/manager main.go
- DOCKER_BUILDKIT=1 DOCKER_DEFAULT_PLATFORM=linux/s390x $(CONTAINER_CLI) build ${IMAGE_BUILD_OPTS} -t $(REGISTRY)/$(IMG)-s390x:$(GIT_COMMIT_ID) -f ./Dockerfile .
- $(CONTAINER_CLI) inspect $(REGISTRY)/$(IMG)-s390x:$(GIT_COMMIT_ID)
+TARGET_ARCH=$(LOCAL_ARCH)
+
+build-image: $(GO) $(CONFIG_DOCKER_TARGET) licenses-dir ## Build the Operator manager image
+ @echo "Building manager binary for linux/$(TARGET_ARCH)"
+ @CGO_ENABLED=0 GOOS=linux GOARCH=$(TARGET_ARCH) $(GO) build -a -o build/_output/bin/manager main.go
+ @echo "Building manager image for linux/$(TARGET_ARCH)"
+ @DOCKER_BUILDKIT=1 $(CONTAINER_CLI) build --platform=linux/$(TARGET_ARCH) ${IMAGE_BUILD_OPTS} -t $(REGISTRY)/$(IMG)-$(TARGET_ARCH):$(GIT_COMMIT_ID) -f ./Dockerfile .
+ @echo "Inspect built image $(REGISTRY)/$(IMG)-$(TARGET_ARCH):$(GIT_COMMIT_ID)"
+ $(CONTAINER_CLI) inspect $(REGISTRY)/$(IMG)-$(TARGET_ARCH):$(GIT_COMMIT_ID)
+ @echo "Clean up binary"
  @rm -f build/_output/bin/manager
- @if [ $(BUILD_LOCALLY) -ne 1 ]; then $(CONTAINER_CLI) push $(REGISTRY)/$(IMG)-s390x:$(GIT_COMMIT_ID); fi
+ @if [ $(BUILD_LOCALLY) -ne 1 ]; then \
+ echo "Pushing $(REGISTRY)/$(IMG)-$(TARGET_ARCH):$(GIT_COMMIT_ID)"; \
+ $(CONTAINER_CLI) push $(REGISTRY)/$(IMG)-$(TARGET_ARCH):$(GIT_COMMIT_ID); \
+ echo "Done"; \
+ fi
 
-images: $(CONFIG_DOCKER_TARGET) build-image-amd64 build-image-ppc64le build-image-s390x ## Build the multi-arch manifest.
+build-image-amd64: TARGET_ARCH=amd64
+build-image-amd64: build-image
+
+build-image-ppc64le: TARGET_ARCH=ppc64le
+build-image-ppc64le: build-image
+
+build-image-s390x: TARGET_ARCH=s390x
+build-image-s390x: build-image
+
+images: $(CONFIG_DOCKER_TARGET) ## Build the multi-arch manifest.
+ ${MAKE} build-image-amd64
+ ${MAKE} build-image-ppc64le
+ ${MAKE} build-image-s390x
  @DOCKER_BUILDKIT=1 MAX_PULLING_RETRY=20 RETRY_INTERVAL=30 common/scripts/multiarch_image.sh $(REGISTRY) $(IMG) $(GIT_COMMIT_ID) $(VERSION)
 
 ##@ Deployment
 
-ifndef ignore-not-found
- ignore-not-found = false
+ifndef IGNORE_NOT_FOUND
+ IGNORE_NOT_FOUND = false
 endif
 
 .PHONY: install
@@ -362,23 +373,32 @@ install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
- $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+ $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -f -
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
- cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
- $(KUSTOMIZE) build config/default | kubectl apply -f -
- - oc apply -f config/samples/bases/operator_v1alpha1_authentication.yaml -n ${NAMESPACE}
+ kubectl get namespace $(CONTROL_NS) || kubectl create namespace $(CONTROL_NS)
+ kubectl get namespace $(DATA_NS) || kubectl create namespace $(DATA_NS)
+ cd config/manager/overlays/$(MODE) && $(KUSTOMIZE) edit set image controller=$(IMAGE_TAG_BASE):$(VERSION)
+ #@ 
+ WATCH_NS=$(WATCH_NS) $(YQ) -i 'with(.[] | select(.value.name == "WATCH_NAMESPACE") ; .value.value |= env(WATCH_NS))' \
+ config/manager/overlays/$(MODE)/image_env_vars_patch.yaml
+ $(KUSTOMIZE) build config/default/overlays/$(MODE) | kubectl apply -n $(CONTROL_NS) -f -
+ $(KUSTOMIZE) build config/samples/overlays/$(MODE) | kubectl apply -n $(DATA_NS) -f -
+
+cncf: manifests kustomize ## Generate manifests for use on CNCF clusters.
+ cd config/manager/overlays/cncf && $(KUSTOMIZE) edit set image controller=$(IMAGE_TAG_BASE):$(VERSION)
+ WATCH_NS=$(WATCH_NS) $(YQ) -i 'with(.[] | select(.value.name == "WATCH_NAMESPACE") ; .value.value |= env(WATCH_NS))' \
+ config/manager/overlays/cncf/image_env_vars_patch.yaml
+ $(KUSTOMIZE) build config/default/overlays/cncf > default.yml
+ $(KUSTOMIZE) build config/samples/overlays/cncf > authentication.yml
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
- - oc delete -f config/samples/bases/operator_v1alpha1_authentication.yaml -n ${NAMESPACE}
- $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
-
-build-image: build ## Build image using local architecture.
- @echo "Building ibm-iam-operator dev image for $(LOCAL_ARCH)"
- $(CONTAINER_CLI) build ${IMAGE_BUILD_OPTS} -t $(REGISTRY)/$(IMG)-$(LOCAL_ARCH):$(VERSION) -f Dockerfile .
- @if [ $(BUILD_LOCALLY) -ne 1 ]; then $(CONTAINER_CLI) push $(REGISTRY)/$(IMG)-$(LOCAL_ARCH):$(GIT_COMMIT_ID); fi
+ $(KUSTOMIZE) build config/samples/overlays/$(MODE) | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -n $(DATA_NS) -f -
+ $(KUSTOMIZE) build config/default/overlays/$(MODE) | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -n $(CONTROL_NS) -f -
+ kubectl delete namespace $(DATA_NS)
+ [[ $(CONTROL_NS) == $(DATA_NS) ]] || kubectl delete namespace $(CONTROL_NS)
 
 .PHONY: bundle-push
 bundle-push: ## Push the bundle image.

apis/operator/v1alpha1/authentication_types.go

@@ -255,10 +255,6 @@ type AuthenticationList struct {
  Items []Authentication `json:"items"`
 }
 
-func init() {
- SchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
-}
-
 const AnnotationAuthMigrationComplete string = "authentication.operator.ibm.com/migration-complete"
 const AnnotationAuthRetainMigrationArtifacts string = "authentication.operator.ibm.com/retain-migration-artifacts"
 const AnnotationAuthDBSchemaVersion string = "authentication.operator.ibm.com/db-schema-version"
@@ -298,3 +294,8 @@ func (a *Authentication) HasDBSchemaVersion() bool {
 func (a *Authentication) HasNoDBSchemaVersion() bool {
  return !a.HasDBSchemaVersion()
 }
+
+func init() {
+ SchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
+ ODLMEnabledSchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
+}

apis/operator/v1alpha1/groupversion_info.go

@@ -33,4 +33,9 @@ var (
 
  // AddToScheme adds the types in this group-version to the given scheme.
  AddToScheme = SchemeBuilder.AddToScheme
+
+ // The following is a dedicated scheme for when ODLM is available on the cluster; it shares the same
+ // GroupVersion as Authentication
+ ODLMEnabledSchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+ AddODLMEnabledToScheme = ODLMEnabledSchemeBuilder.AddToScheme
 )

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -192,7 +192,7 @@ metadata:
  categories: Security
  certified: "false"
  containerImage: icr.io/cpopen/ibm-iam-operator:4.9.0
- createdAt: "2024-09-19T14:56:56Z"
+ createdAt: "2024-10-10T17:06:40Z"
  description: The IAM operator provides a simple Kubernetes CRD-Based API to manage the lifecycle of IAM services. With this operator, you can simply deploy and upgrade the IAM services
  olm.skipRange: <4.9.0
  operators.operatorframework.io/builder: operator-sdk-v1.37.0
@@ -334,11 +334,6 @@ spec:
  - command:
  - ibm-iam-operator
  env:
- - name: WATCH_NAMESPACE
- valueFrom:
- configMapKeyRef:
- name: namespace-scope
- key: namespaces
  - name: POD_NAME
  valueFrom:
  fieldRef:
@@ -360,6 +355,11 @@ spec:
  value: icr.io/cpopen/cpfs/icp-identity-manager:4.9.0
  - name: IM_INITCONTAINER_IMAGE
  value: icr.io/cpopen/cpfs/im-initcontainer:4.9.0
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ configMapKeyRef:
+ name: namespace-scope
+ key: namespaces
  image: icr.io/cpopen/ibm-iam-operator:4.9.0
  imagePullPolicy: IfNotPresent
  name: ibm-iam-operator
@@ -386,32 +386,6 @@ spec:
  serviceAccountName: ibm-iam-operator
  permissions:
  - rules:
- - apiGroups:
- - route.openshift.io
- resources:
- - routes
- verbs:
- - get
- - list
- - watch
- - create
- - delete
- - update
- - patch
- - apiGroups:
- - route.openshift.io
- resources:
- - routes/custom-host
- verbs:
- - create
- - apiGroups:
- - route.openshift.io
- resources:
- - routes/status
- verbs:
- - get
- - list
- - watch
  - apiGroups:
  - ""
  resources:
@@ -460,13 +434,6 @@ spec:
  - patch
  - update
  - watch
- - apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- verbs:
- - get
- - create
  - apiGroups:
  - apps
  resourceNames:
@@ -523,26 +490,6 @@ spec:
  - get
  - list
  - create
- - apiGroups:
- - operator.ibm.com
- resources:
- - operandrequests
- verbs:
- - create
- - get
- - list
- - patch
- - watch
- - update
- - delete
- - apiGroups:
- - operator.ibm.com
- resources:
- - operandrequests/status
- verbs:
- - watch
- - get
- - list
  - apiGroups:
  - cert-manager.io
  resources:
@@ -622,6 +569,52 @@ spec:
  - patch
  - update
  - watch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - update
+ - patch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes/custom-host
+ verbs:
+ - create
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - operator.ibm.com
+ resources:
+ - operandrequests
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - watch
+ - update
+ - delete
+ - apiGroups:
+ - operator.ibm.com
+ resources:
+ - operandrequests/status
+ verbs:
+ - watch
+ - get
+ - list
  serviceAccountName: ibm-iam-operator
  strategy: deployment
  installModes:

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -262,6 +262,8 @@ spec:
  - wlpClientRegistrationSecret
  - wlpClientSecret
  type: object
+ enableInstanaMetricCollection:
+ type: boolean
  identityManager:
  properties:
  imageName:
@@ -385,8 +387,6 @@ spec:
  - imageRegistry
  - imageTag
  type: object
- enableInstanaMetricCollection:
- type: boolean
  labels:
  additionalProperties:
  type: string

config/crd/kustomization.yaml

@@ -6,7 +6,6 @@ resources:
 - bases/operator.ibm.com_authentications.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_clients.yaml
@@ -22,3 +21,5 @@ patchesStrategicMerge:
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

config/default/overlays/cncf/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../crd
+- ../../../rbac/overlays/cncf
+- ../../../manager/overlays/cncf

config/default/overlays/prod/kustomization.yaml

@@ -1,4 +1,6 @@
-bases:
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
 - ../../../crd
-- ../../../rbac
+- ../../../rbac/overlays/prod
 - ../../../manager/overlays/prod