From 93a55b45778cbc13afe86c17b0e2fb3ca07389e7 Mon Sep 17 00:00:00 2001 From: Kartikey Mamgain Date: Tue, 17 May 2022 17:11:41 +0530 Subject: [PATCH] Add service binding operator (#1132) 
Signed-off-by: Kartikey Mamgain --- charts/service-binding-operator/.helmignore | 23 ++ charts/service-binding-operator/Chart.yaml | 25 ++ charts/service-binding-operator/LICENSE.md | 201 ++++++++++ charts/service-binding-operator/README.md | 105 ++++++ ...blekinds.binding.operators.coreos.com.yaml | 55 +++ ...bindings.binding.operators.coreos.com.yaml | 242 ++++++++++++ .../servicebindings.servicebinding.io.yaml | 214 +++++++++++ .../templates/_helpers.tpl | 62 ++++ .../templates/certificate.yaml | 14 + .../templates/clusterrole.yaml | 343 ++++++++++++++++++ .../templates/clusterrolebinding.yaml | 40 ++ .../templates/configMap.yaml | 19 + .../templates/deployment.yaml | 66 ++++ .../templates/issuer.yaml | 8 + .../templates/role.yaml | 39 ++ .../templates/rolebinding.yaml | 14 + .../templates/service-account.yaml | 6 + .../templates/service.yaml | 13 + ...t-service-binding-operator-connection.yaml | 37 ++ .../templates/webhook.yaml | 100 +++++ .../values.schema.json | 32 ++ charts/service-binding-operator/values.yaml | 6 + .../pages/installing-service-binding.adoc | 185 +++++++++- .../service-binding-operator/Dockerfile | 31 ++ .../service-binding-operator/application.yaml | 39 ++ test/charts/service-binding-operator/sbo.yaml | 14 + .../service-binding-operator/secret.yaml | 8 + .../test-entrypoint.sh | 38 ++ 28 files changed, 1976 insertions(+), 3 deletions(-) create mode 100644 charts/service-binding-operator/.helmignore create mode 100644 charts/service-binding-operator/Chart.yaml create mode 100644 charts/service-binding-operator/LICENSE.md create mode 100644 charts/service-binding-operator/README.md create mode 100644 charts/service-binding-operator/crds/bindablekinds.binding.operators.coreos.com.yaml create mode 100644 charts/service-binding-operator/crds/servicebindings.binding.operators.coreos.com.yaml create mode 100644 charts/service-binding-operator/crds/servicebindings.servicebinding.io.yaml create mode 100644 
charts/service-binding-operator/templates/_helpers.tpl
create mode 100644 charts/service-binding-operator/templates/certificate.yaml
create mode 100644 charts/service-binding-operator/templates/clusterrole.yaml
create mode 100644 charts/service-binding-operator/templates/clusterrolebinding.yaml
create mode 100644 charts/service-binding-operator/templates/configMap.yaml
create mode 100644 charts/service-binding-operator/templates/deployment.yaml
create mode 100644 charts/service-binding-operator/templates/issuer.yaml
create mode 100644 charts/service-binding-operator/templates/role.yaml
create mode 100644 charts/service-binding-operator/templates/rolebinding.yaml
create mode 100644 charts/service-binding-operator/templates/service-account.yaml
create mode 100644 charts/service-binding-operator/templates/service.yaml
create mode 100644 charts/service-binding-operator/templates/tests/test-service-binding-operator-connection.yaml
create mode 100644 charts/service-binding-operator/templates/webhook.yaml
create mode 100644 charts/service-binding-operator/values.schema.json
create mode 100644 charts/service-binding-operator/values.yaml
create mode 100644 test/charts/service-binding-operator/Dockerfile
create mode 100644 test/charts/service-binding-operator/application.yaml
create mode 100644 test/charts/service-binding-operator/sbo.yaml
create mode 100644 test/charts/service-binding-operator/secret.yaml
create mode 100755 test/charts/service-binding-operator/test-entrypoint.sh
diff --git a/charts/service-binding-operator/.helmignore b/charts/service-binding-operator/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/service-binding-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/service-binding-operator/Chart.yaml b/charts/service-binding-operator/Chart.yaml
new file mode 100644
index 0000000000..2e16d5bc0d
--- /dev/null
+++ b/charts/service-binding-operator/Chart.yaml
@@ -0,0 +1,25 @@
+apiVersion: v2
+name: service-binding-operator
+description: A Helm chart to deploy service binding operator
+type: application
+version: 1.0.0
+appVersion: "1.0.1"
+kubeVersion: ">= 1.19.2-0"
+keywords:
+ - ""
+links:
+ - name: Documentation
+ url: https://redhat-developer.github.io/service-binding-operator
+maintainers:
+ - name: Kartikey-star
+ email: kmamgain@redhat.com
+ - name: pmacik
+ email: pmacik@redhat.com
+ - name: jasperchui
+ email: jchui@redhat.com
+ - name: dperaza4dustbit
+ email: dperaza@redhat.com
+annotations:
+ charts.openshift.io/name: service-binding-operator
+ charts.openshift.io/provider: RedHat
+ charts.openshift.io/supportURL: https://github.com/redhat-developer/service-binding-operator.git
\ No newline at end of file
diff --git a/charts/service-binding-operator/LICENSE.md b/charts/service-binding-operator/LICENSE.md
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/charts/service-binding-operator/LICENSE.md
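Review bot: In the Chart.yaml hunk, `keywords:` holds only an empty string (`- ""`), which contributes nothing to chart search and reads as a placeholder that was never filled in; either drop the key or list real terms, e.g. `keywords:` / `  - service-binding` / `  - operator`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the metadata is being touched.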
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/service-binding-operator/README.md b/charts/service-binding-operator/README.md new file mode 100644 index 0000000000..74fe519b0e --- /dev/null +++ b/charts/service-binding-operator/README.md 
@@ -0,0 +1,105 @@ + +# Service Binding Operator Helm Chart + +This Helm chart defines the Service Binding Operator. You can install Service Binding Operators using this Helm chart. + +Installing the Service Binding Operator Helm chart creates the following custom resource definitions (CRDs): +- bindablekinds.binding.operators.coreos.com +- servicebindings.binding.operators.coreos.com +- servicebindings.servicebinding.io + +The resources required for the Service Binding Operator will also be installed. + +## Introduction + +The values.yaml file contains the following values that can be customized when installing the chart: + +- `image.pullPolicy` +- `image.repository` +- `image.testRepository` +- `keepTestResources` + +A user can define values for the image PullPolicy. +A user can define values for `image.repository` and `image.testRepository`. If user is not able to pull image from quay.io registry, they can copy the image to their own container registry. +As part of Helm test we delete the deploymemt,service binding resource and secret used for testing. If a user is interested to view them, then he has to install the chart with keepTestResources set to `true`. + + +## Helm Chart Installation + +The Helm chart installation involves the following steps: +1. Adding the `service-binding-operator-helm-chart` repository. +2. Installing the Service Binding Operator chart. +3. Running a Helm test. + +**Note:** If you are not installing the Service Binding Operator through Operator Lifecycle Manager (OLM), you must install cert-manager on the cluster. Installing the cert-manager automates TLS certificates for Kubernetes and OpenShift workloads. Cert-manager ensures that the certificates are valid and up-to-date, and attempts to renew certificates at a configured time before expiry. 
You can install cert-manager by running the following command: + +kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml + +### Adding the Helm chart repository +You need to add our helm repository to your local repository. Name the repository as per your convenience. + +``` +helm repo add service-binding-operator-helm-chart https://redhat-developer.github.io/service-binding-operator-helm-chart/ +``` + +### Installing the Helm chart +In order to install the chart you need to search the repository, with the following command: + +``` +helm search repo service-binding-operator-helm-chart +``` +``` +helm install service-binding-operator-release \ +service-binding-operator-helm-chart/service-binding-operator \ +--namespace service-binding-operator --create-namespace +``` +Remove --namespace and --create-namespace flag if you wish to install the chart on default namespace. + +In order to view the resources created on helm test , set the keepTestResources to true. + +``` +helm install service-binding-operator-release \ +service-binding-operator-helm-chart/service-binding-operator \ +--namespace service-binding-operator --create-namespace \ +--set keepTestResources=true +``` + +You can check whether the chart is succesfully installed by running the following command + +``` +kubectl get pods --namespace service-binding-operator +``` + +### Helm test + +In order to test the chart the user is expected to create a secret (specify the namespace if applicable), named my-k-config from his kubeconfig . + +**NOTE**: +In case you are installing the chart on AWS eks cluster then you need to modify the aws-auth configmap. +``` +kubectl edit -n kube-system cm/aws-auth +``` +Please add -system:masters to mapRoles and save. +After editing the config map you need to update the eks kubeconfig +``` +aws eks update-kubeconfig --name +``` +Then Continue with the following steps. 
+ +``` +kubectl create secret generic my-k-config --from-file=kubeconfig= -namespace service-binding-operator +``` + +Run the Helm test (specify the namespace if applicable) using : + +``` +helm test service-binding-operator-release --namespace service-binding-operator +``` + +Please ensure to delete the secret (specify the namespace if applicable) created : +``` +kubectl delete secret my-k-config --namespace service-binding-operator +``` + +## Additional Help +Please reach out to us for any additional queries by creating an issue on https://github.com/redhat-developer/service-binding-operator/issues. diff --git a/charts/service-binding-operator/crds/bindablekinds.binding.operators.coreos.com.yaml b/charts/service-binding-operator/crds/bindablekinds.binding.operators.coreos.com.yaml new file mode 100644 index 0000000000..fb0cdaf1d5 --- /dev/null +++ b/charts/service-binding-operator/crds/bindablekinds.binding.operators.coreos.com.yaml 
@@ -0,0 +1,55 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.8.0
+ creationTimestamp: null
+ name: bindablekinds.binding.operators.coreos.com
+spec:
+ group: binding.operators.coreos.com
+ names:
+ kind: BindableKinds
+ listKind: BindableKindsList
+ plural: bindablekinds
+ singular: bindablekinds
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: BindableKinds is the Schema for the bindablekinds API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ status:
+ items:
+ description: BindableKindsStatus defines the observed state of BindableKinds
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ type: array
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
\ No newline at end of file
diff --git a/charts/service-binding-operator/crds/servicebindings.binding.operators.coreos.com.yaml b/charts/service-binding-operator/crds/servicebindings.binding.operators.coreos.com.yaml
new file mode 100644
index 0000000000..83d7a4e602
--- /dev/null
+++ b/charts/service-binding-operator/crds/servicebindings.binding.operators.coreos.com.yaml 
@@ -0,0 +1,242 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: service-binding-operator/service-binding-service-cert + controller-gen.kubebuilder.io/version: v0.8.0 + name: servicebindings.binding.operators.coreos.com +spec: + group: binding.operators.coreos.com + names: + kind: ServiceBinding + listKind: ServiceBindingList + plural: servicebindings + shortNames: + - sbr + - sbrs + singular: servicebinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceBindingSpec defines the desired state of ServiceBinding. + properties: + application: + description: Application identifies the application connecting to the backing service. + properties: + bindingPath: + description: BindingPath refers to the paths in the application workload's schema where the binding workload would be referenced. 
If BindingPath is not specified, then the default path locations are used. The default location for ContainersPath is "spec.template.spec.containers". If SecretPath is not specified, then the name of the secret object does not need to be specified. + properties: + containersPath: + description: ContainersPath defines the path to the corev1.Containers reference. If BindingPath is not specified, the default location is "spec.template.spec.containers". + type: string + secretPath: + description: 'SecretPath defines the path to a string field where the name of the secret object is going to be assigned. Note: The name of the secret object is same as that of the name of service binding custom resource (metadata.name).' + type: string + type: object + group: + description: Group of the referent. + type: string + kind: + description: Kind of the referent. + type: string + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: Name of the referent. + type: string + resource: + description: Resource of the referent. + type: string + version: + description: Version of the referent. + type: string + required: + - group + - version + type: object + bindAsFiles: + default: true + description: BindAsFiles makes the binding values available as files in the application's container. By default, values are mounted under the path "/bindings"; this can be changed by setting the SERVICE_BINDING_ROOT environment variable. + type: boolean + detectBindingResources: + description: DetectBindingResources is a flag that, when set to true, will cause SBO to search for binding information in the owned resources of the specified services. If this binding information exists, then the application is bound to these subresources. + type: boolean + mappings: + description: Mappings specifies custom mappings. + items: + description: ServiceBindingMapping defines a new binding from a set of existing bindings. + properties: + name: + description: Name is the name of new binding. + type: string + value: + description: Value specificies a go template that will be rendered and injected into the application. + type: string + required: + - name + - value + type: object + type: array + name: + description: Name is the name of the service as projected into the workload container. Defaults to .metadata.name. 
+ maxLength: 253 + pattern: ^[a-z0-9\-\.]*$ + type: string + namingStrategy: + description: 'NamingStrategy defines custom string template for preparing binding names. It can be set to pre-defined strategies: `none`, `lowercase`, or `uppercase`. Otherwise, it is treated as a custom go template, and it is handled accordingly.' + type: string + services: + description: Services indicates the backing services to be connected to by an application. At least one service must be specified. + items: + description: Service defines the selector based on resource name, version, and resource kind. + properties: + group: + description: Group of the referent. + type: string + id: + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent. If unspecified, assumes the same namespace as ServiceBinding. + type: string + resource: + description: Resource of the referent. + type: string + version: + description: Version of the referent. + type: string + required: + - group + - version + type: object + minItems: 1 + type: array + required: + - application + - services + type: object + status: + description: ServiceBindingStatus defines the observed state of ServiceBinding. + properties: + conditions: + description: Conditions describes the state of the operator's reconciliation functionality. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + secret: + description: Secret indicates the name of the binding secret. + type: string + required: + - secret + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/service-binding-operator/crds/servicebindings.servicebinding.io.yaml b/charts/service-binding-operator/crds/servicebindings.servicebinding.io.yaml new file mode 100644 index 0000000000..dd544fb642 --- /dev/null +++ b/charts/service-binding-operator/crds/servicebindings.servicebinding.io.yaml 
@@ -0,0 +1,214 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicebindings.servicebinding.io +spec: + group: servicebinding.io + names: + kind: ServiceBinding + listKind: ServiceBindingList + plural: servicebindings + singular: servicebinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: ServiceBinding is the Schema for the servicebindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceBindingSpec defines the desired state of ServiceBinding + properties: + env: + description: Env is the collection of mappings from Secret entries to environment variables + items: + description: EnvMapping defines a mapping from the value of a Secret entry to an environment variable + properties: + key: + description: Key is the key in the Secret that will be exposed + type: string + name: + description: Name is the name of the environment variable + type: string + required: + - key + - name + type: object + type: array + name: + description: Name is the name of the service as projected into the workload container. Defaults to .metadata.name. + maxLength: 253 + pattern: ^[a-z0-9\-\.]*$ + type: string + provider: + description: Provider is the provider of the service as projected into the workload container + type: string + service: + description: Service is a reference to an object that fulfills the ProvisionedService duck type + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - apiVersion + - kind + - name + type: object + type: + description: Type is the type of the service as projected into the workload container + type: string + workload: + description: Workload is a reference to an object + properties: + apiVersion: + description: API version of the referent. 
+ type: string + containers: + description: Containers describes which containers in a Pod should be bound to + items: + type: string + type: array + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + selector: + description: Selector is a query that selects the workload or workloads to bind the service to + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + required: + - apiVersion + - kind + type: object + required: + - service + - workload + type: object + status: + description: ServiceBindingStatus defines the observed state of ServiceBinding + properties: + binding: + description: Binding exposes the projected secret for this ServiceBinding + properties: + name: + description: 'Name of the referent secret. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + conditions: + description: Conditions are the conditions of this ServiceBinding + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the 'Generation' of the ServiceBinding that was last processed by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/charts/service-binding-operator/templates/_helpers.tpl b/charts/service-binding-operator/templates/_helpers.tpl new file mode 100644 index 0000000000..d8ebea80fe --- /dev/null 
+++ b/charts/service-binding-operator/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "service-binding-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "service-binding-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "service-binding-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "service-binding-operator.labels" -}}
+helm.sh/chart: {{ include "service-binding-operator.chart" . }}
+{{ include "service-binding-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "service-binding-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "service-binding-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "service-binding-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "service-binding-operator.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/service-binding-operator/templates/certificate.yaml b/charts/service-binding-operator/templates/certificate.yaml new file mode 100644 index 0000000000..d8e73fe54b --- /dev/null +++ b/charts/service-binding-operator/templates/certificate.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: service-binding-service-cert + namespace: {{.Release.Namespace}} +spec: + dnsNames: + - service-binding-webhook-service.service-binding-operator.svc + - service-binding-webhook-service.service-binding-operator.svc.cluster.local + issuerRef: + kind: Issuer + name: service-binding-selfsigned-issuer + secretName: service-binding-operator-service-cert \ No newline at end of file diff --git a/charts/service-binding-operator/templates/clusterrole.yaml b/charts/service-binding-operator/templates/clusterrole.yaml new file mode 100644 index 0000000000..a9a989c0ed --- /dev/null +++ b/charts/service-binding-operator/templates/clusterrole.yaml 
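Review bot: `service-binding-operator.serviceAccountName` reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml and values.schema.json in this commit define no `serviceAccount` key and service-account.yaml hardcodes the name `service-binding-operator`, so any template that called this helper would fail to render on the nil `serviceAccount` map. None of the templates in this commit appear to use `fullname`, `labels`, `selectorLabels` or `serviceAccountName` at all; they hardcode names and labels, which makes these definitions look like scaffold leftovers. Either wire the templates to the helpers (adding the `serviceAccount` values with a schema entry) or delete the unused definitions so the chart does not advertise configurability it does not have.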
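Review bot: The `dnsNames` hardcode the namespace `service-binding-operator` while `metadata.namespace` is `{{.Release.Namespace}}`, so a release installed anywhere else (the docs in this commit say to drop `--namespace` to install into `default`) gets a serving certificate whose SANs do not match `service-binding-webhook-service.<namespace>.svc`; the API server then fails the webhook TLS handshake, and because both webhook configurations use `failurePolicy: Fail`, every ServiceBinding create/update is refused. Use the release namespace: `- service-binding-webhook-service.{{ .Release.Namespace }}.svc` and `- service-binding-webhook-service.{{ .Release.Namespace }}.svc.cluster.local`. The same hardcoded namespace appears in webhook.yaml in the `cert-manager.io/inject-ca-from: service-binding-operator/service-binding-service-cert` annotation on both webhook configurations; it should become `{{ .Release.Namespace }}/service-binding-service-cert` so cainjector can find the Certificate and populate `caBundle`.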
@@ -0,0 +1,343 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: service-binding-bindablekinds-viewer-role +rules: +- apiGroups: + - binding.operators.coreos.com + resources: + - bindablekinds + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-cloud-native-postgres-viewer-role +rules: +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters + verbs: + - get + - list +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + servicebinding.io/controller: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: service-binding-controller-role +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-crunchy-postgres-viewer-role +rules: +- apiGroups: + - postgres-operator.crunchydata.com + resources: + - postgresclusters + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: service-binding-editor-role +rules: +- apiGroups: + - binding.operators.coreos.com + - servicebinding.io + resources: + - servicebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - binding.operators.coreos.com + - servicebinding.io + resources: + - servicebindings/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: service-binding-manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - pods + - secrets + - services + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - patch + - update +- 
apiGroups: + - "" + resources: + - secrets + verbs: + - create +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - patch + - update +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - patch + - update +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - binding.operators.coreos.com + resources: + - bindablekinds + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - binding.operators.coreos.com + resources: + - bindablekinds/finalizers + verbs: + - update +- apiGroups: + - binding.operators.coreos.com + resources: + - bindablekinds/status + verbs: + - get + - patch + - update +- apiGroups: + - binding.operators.coreos.com + resources: + - servicebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - binding.operators.coreos.com + resources: + - servicebindings/finalizers + verbs: + - update +- apiGroups: + - binding.operators.coreos.com + resources: + - servicebindings/status + verbs: + - get + - patch + - update +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + verbs: + - get + - list +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +- apiGroups: + - servicebinding.io + resources: + - servicebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - servicebinding.io + resources: + - servicebindings/finalizers + verbs: + - update +- apiGroups: + - 
servicebinding.io + resources: + - servicebindings/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-opstree-redis-viewer-role +rules: +- apiGroups: + - redis.redis.opstreelabs.in + resources: + - redis + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-percona-mongodb-view +rules: +- apiGroups: + - psmdb.percona.com + resources: + - perconaservermongodbs + - perconaservermongodbs/status + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-percona-mysql-viewer-role +rules: +- apiGroups: + - pxc.percona.com + resources: + - perconaxtradbclusters + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + servicebinding.io/controller: "true" + name: service-binding-rabbitmq-operator-viewer-role +rules: +- apiGroups: + - rabbitmq.com + resources: + - rabbitmqclusters + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: service-binding-viewer-role +rules: +- apiGroups: + - binding.operators.coreos.com + - servicebinding.io + resources: + - servicebindings + verbs: + - get + - list + - watch +- apiGroups: + - binding.operators.coreos.com + - servicebinding.io + resources: + - servicebindings/status + verbs: + - get +--- \ No newline at end of file diff --git a/charts/service-binding-operator/templates/clusterrolebinding.yaml b/charts/service-binding-operator/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..60ada1d419 --- /dev/null 
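Review bot: `service-binding-manager-role` grants cluster-wide `get`/`list` on all `secrets`, `create` on secrets, and `patch`/`update` on `pods` and `secrets` in every namespace, with nothing in the chart to narrow it; that is inherent to how the operator projects binding data into workloads, but the file does not say so, and administrators of multi-tenant clusters will want to know before installing. Add a short header comment above `service-binding-manager-role` stating that these rules mirror the upstream operator's manifests and why cluster-wide secret access is required, so reviewers do not mistake it for an over-broad copy-paste. Separately, the `rbac.authorization.k8s.io/aggregate-to-edit` label on `service-binding-editor-role` means any user holding the built-in `edit` role can create ServiceBindings, which is worth calling out in the README.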
+++ b/charts/service-binding-operator/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-binding-bindablekinds-viewer-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: service-binding-bindablekinds-viewer-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-binding-controller-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: service-binding-controller-role +subjects: +- kind: ServiceAccount + name: service-binding-operator + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-binding-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: service-binding-manager-role +subjects: +- kind: ServiceAccount + name: service-binding-operator + namespace: {{.Release.Namespace}} +--- \ No newline at end of file diff --git a/charts/service-binding-operator/templates/configMap.yaml b/charts/service-binding-operator/templates/configMap.yaml new file mode 100644 index 0000000000..2244337145 --- /dev/null +++ b/charts/service-binding-operator/templates/configMap.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 8fa65150.coreos.com +kind: ConfigMap +metadata: + name: service-binding-manager-config + namespace: {{.Release.Namespace}} \ No newline at end of file 
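Review bot: `service-binding-bindablekinds-viewer-rolebinding` binds to the group `system:authenticated`, so every authenticated identity in the cluster, service-account tokens included, can get/list/watch `bindablekinds` cluster-wide and the chart consumer cannot opt out. The resource is metadata about bindable kinds rather than binding data, so the exposure is small, but the intent is not recorded anywhere. Add a comment above the binding explaining that the grant is deliberate and what `bindablekinds` reveals, or gate it behind a value.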
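Review bot: Nothing in this commit consumes `service-binding-manager-config`: the deployment in deployment.yaml passes only `--leader-elect`, `--zap-encoder=json` and `--zap-log-level=info` to `/manager` and mounts only the serving-cert secret, with no `--config` flag and no ConfigMap volume, so the `ControllerManagerConfig` here (including `leaderElection.resourceName: 8fa65150.coreos.com` and the bind addresses) is never read. Either drop the ConfigMap or reference it from the deployment; as it stands, anyone tuning the health or metrics addresses in this file will see no effect.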
diff --git a/charts/service-binding-operator/templates/deployment.yaml b/charts/service-binding-operator/templates/deployment.yaml new file mode 100644 index 0000000000..0fae142c13 --- /dev/null +++ b/charts/service-binding-operator/templates/deployment.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: service-binding-controller-manager + name: service-binding-operator + namespace: {{.Release.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + control-plane: service-binding-controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: service-binding-controller-manager + spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - args: + - --leader-elect + - --zap-encoder=json + - --zap-log-level=info + command: + - /manager + image: "{{.Values.image.repository}}/servicebinding-operator@sha256:de1881753e82c51b31e958fcf383cb35b0f70f6ec99d402d42243e595d00c6dd" + imagePullPolicy: {{.Values.image.pullPolicy}} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + serviceAccountName: service-binding-operator + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: service-binding-operator-service-cert \ No newline at end of file diff --git a/charts/service-binding-operator/templates/issuer.yaml b/charts/service-binding-operator/templates/issuer.yaml new file mode 100644 index 0000000000..71ce286739 --- /dev/null 
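Review bot: The `manager` container declares no `resources` requests or limits, and values.yaml exposes nothing for them, so the operator pod runs as BestEffort and is among the first evicted under node pressure, which matters for a component whose webhooks use `failurePolicy: Fail`. Add a `resources:` block under the container and surface it through values, e.g. `resources: {{ toYaml .Values.resources | nindent <container indent> }}` with a default in values.yaml; the schema in values.schema.json does not forbid additional top-level keys, so this is backward compatible. The digest-pinned image and the `runAsNonRoot`, `seccompProfile` and `drop: ALL` settings are good as they are.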
+++ b/charts/service-binding-operator/templates/issuer.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: service-binding-selfsigned-issuer + namespace: {{.Release.Namespace}} +spec: + selfSigned: {} \ No newline at end of file diff --git a/charts/service-binding-operator/templates/role.yaml b/charts/service-binding-operator/templates/role.yaml new file mode 100644 index 0000000000..71bbedba5a --- /dev/null +++ b/charts/service-binding-operator/templates/role.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: service-binding-leader-election-role + namespace: {{.Release.Namespace}} +rules: +- apiGroups: + - "" + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch \ No newline at end of file diff --git a/charts/service-binding-operator/templates/rolebinding.yaml b/charts/service-binding-operator/templates/rolebinding.yaml new file mode 100644 index 0000000000..8b85fc52ea --- /dev/null +++ b/charts/service-binding-operator/templates/rolebinding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: service-binding-leader-election-rolebinding + namespace: {{.Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: service-binding-leader-election-role +subjects: +- kind: ServiceAccount + name: service-binding-operator + namespace: {{.Release.Namespace}} \ No newline at end of file diff --git a/charts/service-binding-operator/templates/service-account.yaml b/charts/service-binding-operator/templates/service-account.yaml new file mode 100644 index 0000000000..7fcb73fb81 --- /dev/null 
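Review bot: In `service-binding-leader-election-role` the first rule lists `leases` under the core API group (`""`), but Lease objects live in `coordination.k8s.io`, which the second rule already covers with the same verbs, so that entry grants nothing and only confuses readers. Drop `leases` from the core-group rule. If the manager no longer uses ConfigMap-based leader election, the `configmaps` rule (which includes `delete`) could be narrowed as well, but that needs confirming against the manager's leader-election mode, which this commit does not show.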
+++ b/charts/service-binding-operator/templates/service-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-binding-operator + namespace: {{.Release.Namespace}} \ No newline at end of file diff --git a/charts/service-binding-operator/templates/service.yaml b/charts/service-binding-operator/templates/service.yaml new file mode 100644 index 0000000000..e396f575fd --- /dev/null +++ b/charts/service-binding-operator/templates/service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: service-binding-webhook-service + namespace: {{.Release.Namespace}} +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: service-binding-controller-manager \ No newline at end of file diff --git a/charts/service-binding-operator/templates/tests/test-service-binding-operator-connection.yaml b/charts/service-binding-operator/templates/tests/test-service-binding-operator-connection.yaml new file mode 100644 index 0000000000..195f60c0d5 --- /dev/null +++ b/charts/service-binding-operator/templates/tests/test-service-binding-operator-connection.yaml 
@@ -0,0 +1,37 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-test" + namespace: {{.Release.Namespace}} + annotations: + "helm.sh/hook": test-success +spec: + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + containers: + - name: "{{ .Release.Name }}-test" + image: "{{.Values.image.testRepository}}/helm-chart-test@sha256:c050d71294c14b1a61ba9b71122bc82dd5f5cbf20a68c7ac07677e781a0b69a0" + imagePullPolicy: "Always" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + env: + - name: KUBECONFIG + value: /k-cfg/kubeconfig + - name: TEST_NAMESPACE + value: {{.Release.Namespace}} + - name: KEEP_TEST_RESOURCES + value: "{{.Values.keepTestResources}}" + volumeMounts: + - name: k-config + mountPath: /k-cfg + restartPolicy: Never + volumes: + - name: k-config + secret: + secretName: my-k-config \ No newline at end of file diff --git a/charts/service-binding-operator/templates/webhook.yaml b/charts/service-binding-operator/templates/webhook.yaml new file mode 100644 index 0000000000..0d256f708e --- /dev/null +++ b/charts/service-binding-operator/templates/webhook.yaml 
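Review bot: The test pod mounts a secret named `my-k-config` that nothing in the chart creates and that the values and schema do not expose, so `helm test` fails at pod start with a missing-secret mount error unless the user has pre-created it in the release namespace, and the README excerpt in this commit does not mention that prerequisite. The same pod runs with `runAsNonRoot: false`, unlike the operator deployment, and whatever kubeconfig is placed in that secret is presumably cluster-scoped. Make the secret name a value (e.g. `secretName: {{ .Values.test.kubeconfigSecret }}`), document that the user must create it, and add a comment stating why root is required here if it is.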
@@ -0,0 +1,100 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/managed-by: Helm + annotations: + cert-manager.io/inject-ca-from: service-binding-operator/service-binding-service-cert + name: service-binding-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: service-binding-webhook-service + namespace: {{.Release.Namespace}} + path: /mutate-servicebinding + failurePolicy: Fail + name: mservicebinding.kb.io + rules: + - apiGroups: + - binding.operators.coreos.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: service-binding-webhook-service + namespace: {{.Release.Namespace}} + path: /mutate-servicebinding + failurePolicy: Fail + name: mspec-servicebinding.kb.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/managed-by: Helm + annotations: + cert-manager.io/inject-ca-from: service-binding-operator/service-binding-service-cert + name: service-binding-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: service-binding-webhook-service + namespace: {{.Release.Namespace}} + path: /validate-binding-operators-coreos-com-v1alpha1-servicebinding + failurePolicy: Fail + name: vservicebinding.kb.io + rules: + - apiGroups: + - binding.operators.coreos.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: service-binding-webhook-service + namespace: 
{{.Release.Namespace}} + path: /validate-servicebinding-io-v1alpha3-servicebinding + failurePolicy: Fail + name: vspecservicebinding.kb.io + rules: + - apiGroups: + - servicebinding.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None diff --git a/charts/service-binding-operator/values.schema.json b/charts/service-binding-operator/values.schema.json new file mode 100644 index 0000000000..73994a9753 --- /dev/null +++ b/charts/service-binding-operator/values.schema.json @@ -0,0 +1,32 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "image": { + "type": "object", + "required": [ + "pullPolicy", + "repository", + "testRepository" + ], + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "testRepository": { + "type": "string" + } + } + }, + "keepTestResources":{ + "type": "boolean" + } + } + } + \ No newline at end of file diff --git a/charts/service-binding-operator/values.yaml b/charts/service-binding-operator/values.yaml new file mode 100644 index 0000000000..c0b033bde4 --- /dev/null +++ b/charts/service-binding-operator/values.yaml @@ -0,0 +1,6 @@ +image: + pullPolicy: IfNotPresent + repository: quay.io/redhat-developer + testRepository: quay.io/service-binding +keepTestResources: false +# As part of helm test we clear up the deploymemt,service binding resource and secret created. If a user is interested to view them , then he has to install the chart with keepTestResources set to true. \ No newline at end of file diff --git a/docs/userguide/modules/getting-started/pages/installing-service-binding.adoc b/docs/userguide/modules/getting-started/pages/installing-service-binding.adoc index 1616edd7f4..5c088c2d0c 100644 --- a/docs/userguide/modules/getting-started/pages/installing-service-binding.adoc 
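Review bot: `image.pullPolicy` is typed only as `string`, so a typo such as `IfNotPresnt` passes schema validation and is only rejected by the API server at install time; constrain it with `"enum": ["Always", "IfNotPresent", "Never"]`. The schema also allows arbitrary extra top-level keys, so a misspelled `keepTestResource` silently has no effect; `"additionalProperties": false` at the top level would catch that.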
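Review bot: The comment describing `keepTestResources` sits on the line after the key it documents and has typos (`deploymemt`, `he has to`); place it above the key and reword it, e.g. `# helm test deletes the deployment, ServiceBinding and secret it creates; set to true to keep them for inspection.` Since values.yaml is the chart's user-facing reference, a one-line comment on `image.repository` noting that the operator image is pinned by digest in deployment.yaml (so changing the repository does not change the operator version) would also help.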
+++ b/docs/userguide/modules/getting-started/pages/installing-service-binding.adoc @@ -19,20 +19,22 @@ methods: https://operatorhub.io/operator/service-binding-operator[OperatorHub.io]. .. Click on the blue btn:[Install] button. .. Follow the instructions to install the Service Binding Operator. +. Installing the Service Binding Operator using Helm chart . Installing the Service Binding Operator without OLM -If you do not have Operator Lifecycle Manager, you can install the -Operator using the released resources: +[Note] +If you do not have OLM, install the Operator using the released resources: [source,bash] .... kubectl apply -f https://github.com/redhat-developer/service-binding-operator/releases/latest/download/release.yaml .... + [#installing-the-service-binding-operator-from-the-openshift-container-platform-web-ui] == Installing the Service Binding Operator from the OpenShift Container Platform web UI -Prerequisites: +. Prerequisites: . https://docs.openshift.com/container-platform/4.8/welcome/index.html[Red Hat OpenShift Container Platform] installed. 
@@ -59,3 +61,180 @@ image:sbo_install_options.png[sbo_install_options] displayed with the Operator details. + image:sbo_post_install.png[sbo_post_install] + +[#installing-the-sbo-using-helm-chart] +== Installing the Service Binding Operator using Helm chart + +The helm chart installation involves the following steps: + +1. Adding the `service-binding-operator-helm-chart` repository. +2. Installing the Service Binding Operator Helm chart. +3. Running a Helm test. + +[Note] +If you are not installing the Service Binding Operator through Operator Lifecycle Manager (OLM), you must install cert-manager on the cluster. Installing the cert-manager automates +TLS certificates for Kubernetes and OpenShift workloads. Cert-manager ensures that the certificates are valid and up-to-date, and attempts to renew certificates at a configured time before expiry. +You can install cert-manager by running the following command: + +[source,bash] +---- +kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml +---- +.Prerequisites: + +. You have access to a Kubernetes or an OpenShift Container Platform cluster using an account with cluster-admin permissions. +. You have the cert-manager installed on the cluster if you are not installing the Service Binding Operator through Operator Lifecycle Manager (OLM). +. You have Helm CLI installed. +. You have installed the kubectl or oc CLI. 
+ +[## Adding the Helm chart repository] +== Adding the Helm chart repository + +Add the `service-binding-operator-helm-chart` repository to your local repository and name the repository: + +[source,bash] +---- +helm repo add service-binding-operator-helm-chart https://redhat-developer.github.io/service-binding-operator-helm-chart/ +---- +.Example output +[source,terminal] +---- +"service-binding-operator-helm-chart" has been added to your repositories +---- + +Verify your Helm repository by listing it: + +[source,bash] +---- +helm repo list +---- +.Example output +[source,terminal] +---- +NAME URL +service-binding-operator-helm-chart https://redhat-developer.github.io/service-binding-operator-helm-chart/ +---- +The output verifies that the `service-binding-operator-helm-chart` repository is added to your local helm repository. + +[## Installing the Helm chart] +== Installing the Helm chart + +In order to install the chart you need to search the repository, with the following command: + +[source,bash] +---- +helm search repo service-binding-operator-helm-chart +---- + +.Example output +[source,terminal] +NAME CHART VERSION APP VERSION DESCRIPTION +service-binding-operator-helm-chart/service-binding-operator 1.0.0 1.0.1 A Helm chart to deploy service binding operator + +Create a Helm chart release and specify the namespace you will like to create with --create-namespace +flag. +[source,bash] +---- +helm install service-binding-operator-release \ +service-binding-operator-helm-chart/service-binding-operator \ +--namespace service-binding-operator --create-namespace +---- + +Remove --namespace and --create-namespace flag if you wish to install the chart on default namespace. + +As part of Helm test we delete the deploymemt,service binding resource and secret created for testing the operator. 
+ +Optional: To view the resources created for testing, install the chart with the `keepTestResources` flag value set to `true`: +[source,bash] +---- +helm install service-binding-operator-release \ +service-binding-operator-helm-chart/service-binding-operator \ +--namespace service-binding-operator --create-namespace \ +--set keepTestResources=true +---- + +.Example output +[source,terminal] +NAME: service-binding-operator-release +LAST DEPLOYED: Mon May 16 09:15:16 2022 +NAMESPACE: service-binding-operator +STATUS: deployed +REVISION: 1 + +You can check whether the chart is succesfully installed by running the following command + +[source,bash] +---- +kubectl get pods --namespace service-binding-operator +---- + +[## Testing the chart] +== Testing the chart +In order to test the chart the user is expected to create a secret (specify the namespace if applicable), named my-k-config from his kubeconfig . + +NOTE: +In case you are installing the chart on AWS eks cluster then you need to modify the aws-auth configmap. +---- +kubectl edit -n kube-system cm/aws-auth +---- +. Add `-system:masters` to mapRoles and save. +. After editing the config map, update the eks kubeconfig: +---- +aws eks update-kubeconfig --name +---- + + +Then Continue with the following steps. + +---- +kubectl create secret generic my-k-config --from-file=kubeconfig= --namespace service-binding-operator +---- + +.Example output +[source,terminal] +---- +secret/my-k-config created +---- + +The previous output verifies that the `my-k-config` secret is created. 
+ +Run the Helm test (specify the namespace if applicable) using : + +``` +helm test service-binding-operator-release --namespace service-binding-operator +``` +.Example output +[source,terminal] +---- +NAME: service-binding-operator-release +LAST DEPLOYED: Mon May 16 10:44:53 2022 +NAMESPACE: service-binding-operator +STATUS: deployed +REVISION: 1 +TEST SUITE: service-binding-operator-release-test +Last Started: Mon May 16 11:01:10 2022 +Last Completed: Mon May 16 11:01:22 2022 +Phase: Succeeded +---- +The `Succeeded` phase from the output indicates that the Helm test has run successfully. + +Verify that the Helm test has run successfully: + +[source,bash] +---- +kubectl get pods --namespace service-binding-operator +---- + +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +service-binding-operator-release-test 0/1 Completed 0 4m28s +---- + +This implies that you have successfully installed the service binding operator using a Helm chart and are able to bind your workload to backing services. + +Please ensure to delete the secret (specify the namespace if applicable) created : +---- +kubectl delete secret my-k-config --namespace service-binding-operator +---- \ No newline at end of file diff --git a/test/charts/service-binding-operator/Dockerfile b/test/charts/service-binding-operator/Dockerfile new file mode 100644 index 0000000000..f4ecfb357b --- /dev/null +++ b/test/charts/service-binding-operator/Dockerfile 
@@ -0,0 +1,31 @@
+FROM registry.access.redhat.com/ubi8:8.5
+
+ENV WORKSPACE /tmp/workspace
+ENV KUBECONFIG_DIR /tmp
+ENV KUBECONFIG ${KUBECONFIG_DIR}/kubeconfig
+ENV TEST_NAMESPACE default
+ENV KEEP_TESTS_RESOURCES false
+
+RUN yum -y --nodocs install git python3 python3-pip && \
+ yum clean all
+RUN pip3 install --upgrade pip
+RUN pip3 --no-cache-dir install --upgrade awscli
+RUN yum clean all
+RUN curl -SL -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz && \
+ tar -xvf oc.tar.gz && \
+ chmod +x oc && \
+ chmod +x kubectl && \
+ mv -vf oc /usr/bin/oc && \
+ mv -vf kubectl /usr/bin/kubectl && \
+ rm -rf oc.tar.gz
+
+WORKDIR ${WORKSPACE}
+
+ENV PWD ${WORKSPACE}
+
+COPY secret.yaml ${WORKSPACE}/secret.yaml
+COPY application.yaml ${WORKSPACE}/application.yaml
+COPY sbo.yaml ${WORKSPACE}/sbo.yaml
+COPY test-entrypoint.sh ${WORKSPACE}/test-entrypoint.sh
+
+ENTRYPOINT [ "/tmp/workspace/test-entrypoint.sh" ]
\ No newline at end of file
diff --git a/test/charts/service-binding-operator/application.yaml b/test/charts/service-binding-operator/application.yaml
new file mode 100644
index 0000000000..1d9c2aadd0
--- /dev/null
+++ b/test/charts/service-binding-operator/application.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-app
+ labels:
+ app: test-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app
+ template:
+ metadata:
+ labels:
+ app: test-app
+ spec:
+ containers:
+ - name: test-app
+ image: "quay.io/service-binding/generic-test-app:20220216"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: test-app
+ name: test-app
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: test-app
\ No newline at end of file
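Review bot: `ENV KEEP_TESTS_RESOURCES false` on line 7 of the Dockerfile does not match the name the entrypoint reads — test-entrypoint.sh (the last hunk) guards cleanup with `"$KEEP_TEST_RESOURCES" != "true"` — so the default set here is never seen by the script and the cleanup branch depends entirely on whatever the chart's test pod template injects; rename one side, e.g. `ENV KEEP_TEST_RESOURCES false`, and keep the template's env name consistent with it. Separately, the `RUN curl -SL -o oc.tar.gz .../ocp/latest/openshift-client-linux.tar.gz` line pulls a moving, unpinned artifact at build time and extracts it without any integrity check, so the `oc`/`kubectl` binaries baked into the test image differ from build to build and a truncated or tampered download would still be installed; pin the client to a specific version directory and verify the archive against the checksum the mirror publishes before `tar -xvf` (`sha256sum -c`), and pin the two `pip3 ... --upgrade` lines likewise. `RUN yum clean all` on line 13 repeats the clean already run on line 10, and `ENV PWD ${WORKSPACE}` overrides a shell-managed variable for no visible reason; a `# why` comment or dropping it would help the next reader.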
diff --git a/test/charts/service-binding-operator/sbo.yaml b/test/charts/service-binding-operator/sbo.yaml
new file mode 100644
index 0000000000..cfc6b3728d
--- /dev/null
+++ b/test/charts/service-binding-operator/sbo.yaml
@@ -0,0 +1,14 @@
+apiVersion: servicebinding.io/v1alpha3
+kind: ServiceBinding
+metadata:
+ name: test-sbo-chart-binding
+spec:
+ workload:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: test-app
+ service:
+ apiVersion: v1
+ kind: Secret
+ name: provisioned-secret-1
+# end::service-binding[]
\ No newline at end of file
diff --git a/test/charts/service-binding-operator/secret.yaml b/test/charts/service-binding-operator/secret.yaml
new file mode 100644
index 0000000000..13422f3ce1
--- /dev/null
+++ b/test/charts/service-binding-operator/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: provisioned-secret-1
+stringData:
+ username: foo
+ password: bar
+ type: db
\ No newline at end of file
diff --git a/test/charts/service-binding-operator/test-entrypoint.sh b/test/charts/service-binding-operator/test-entrypoint.sh
new file mode 100755
index 0000000000..661b9030e8
--- /dev/null
+++ b/test/charts/service-binding-operator/test-entrypoint.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -x
+
+CLI="kubectl -n ${TEST_NAMESPACE}"
+${CLI} apply -f ${WORKSPACE}/secret.yaml --wait
+${CLI} apply -f ${WORKSPACE}/application.yaml --wait
+
+${CLI} rollout status -w deployment/test-app
+
+# get the .status.observedGeneration of test-app deployment
+
+${CLI} apply -f ${WORKSPACE}/sbo.yaml --wait
+${CLI} wait --for=condition=Ready=True servicebindings.binding.operators.coreos.com/test-sbo-chart-binding --timeout=15s
+
+# wait for deployment to re-deploy
+${CLI} rollout status -w deployment/test-app
+
+exit_code=0
+
+# Assertions
+binding_data=$(curl test-app.$TEST_NAMESPACE.svc.cluster.local:8080/bindings/test-sbo-chart-binding/username)
+if [ "$binding_data" != "foo" ]; then
+ echo "Incorrect binding data ..."
+ exit_code=1
+fi
+
+# get the .status.observedGeneration of test-app deployment and it should be > original
+
+# Clean test resources
+if [ "$KEEP_TEST_RESOURCES" != "true" ]; then
+${CLI} delete -f ${WORKSPACE}/secret.yaml
+${CLI} delete -f ${WORKSPACE}/application.yaml
+${CLI} delete -f ${WORKSPACE}/sbo.yaml
+fi
+
+# Exit with exit code
+exit $exit_code
\ No newline at end of file
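Review bot: The `${CLI} wait --for=condition=Ready=True servicebindings.binding.operators.coreos.com/test-sbo-chart-binding --timeout=15s` line waits on a resource in the `binding.operators.coreos.com` group, while sbo.yaml (previous hunk) creates the binding as `servicebinding.io/v1alpha3`, so unless the operator mirrors bindings across groups the wait targets an object that was never created and returns non-zero. Because the script runs without `set -e` and never inspects that exit status, the failed wait is silently ignored and the curl assertion runs regardless, which makes the 15s readiness gate cosmetic; point the wait at `servicebindings.servicebinding.io/test-sbo-chart-binding` and record its result, e.g. move `exit_code=0` above the wait and append `|| exit_code=1` to it, so a binding that never becomes Ready fails the Helm test with a clear cause instead of an empty curl response. The two `# get the .status.observedGeneration ...` comments describe an assertion that is not implemented; either implement it or mark them `# TODO:` so they are not read as documentation of existing behaviour. The `KEEP_TEST_RESOURCES` name here also differs from the `KEEP_TESTS_RESOURCES` default set in the Dockerfile hunk.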