diff --git a/pkg/manager/agent-manifests/cluster-auth/Chart.yaml b/pkg/manager/agent-manifests/cluster-auth/Chart.yaml
index 7f5a96a2..7d749267 100755
--- a/pkg/manager/agent-manifests/cluster-auth/Chart.yaml
+++ b/pkg/manager/agent-manifests/cluster-auth/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Cluster Auth Agent
 name: cluster-auth-agent
-version: v2024.8.9
-appVersion: v0.0.4
+version: v2024.9.30
+appVersion: v0.0.5
 home: https://github.com/kluster-manager/cluster-auth
 icon: https://cdn.appscode.com/images/products/searchlight/icons/android-icon-192x192.png
 sources:
diff --git a/pkg/manager/agent-manifests/cluster-auth/README.md b/pkg/manager/agent-manifests/cluster-auth/README.md
index 30869653..51311318 100644
--- a/pkg/manager/agent-manifests/cluster-auth/README.md
+++ b/pkg/manager/agent-manifests/cluster-auth/README.md
@@ -7,8 +7,8 @@
 ```bash
 $ helm repo add appscode https://charts.appscode.com/stable
 $ helm repo update
-$ helm search repo appscode/cluster-auth-agent --version=v2024.2.25
-$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.2.25
+$ helm search repo appscode/cluster-auth-agent --version=v2024.9.30
+$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.9.30
 ```
 
 ## Introduction
@@ -24,7 +24,7 @@ This chart deploys an Cluster Auth Agent on a [Kubernetes](http://kubernetes.io) To install/upgrade the chart with the release name `cluster-auth`: ```bash -$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.2.25 +$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.9.30 ``` The command deploys an Cluster Auth Agent on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. 
@@ -71,17 +71,20 @@ The following table lists the configurable parameters of the `cluster-auth-agent | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | | monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | prometheus.io/operator | | monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | +| apiServer.healthcheck.enabled | | false | +| hubKubeconfigSecretName | Name of OCM Hub Kubeconfig secret | "" | +| clusterName | We need to pass the cluster name because the OCM-MC host cluster doesn't have Klusterlet object. | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: ```bash -$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.2.25 --set replicaCount=1 +$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.9.30 --set replicaCount=1 ``` Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example: ```bash -$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.2.25 --values values.yaml +$ helm upgrade -i cluster-auth appscode/cluster-auth-agent -n open-cluster-management-cluster-auth --create-namespace --version=v2024.9.30 --values values.yaml ``` diff --git a/pkg/manager/agent-manifests/cluster-auth/crds/monitoring.coreos.com_servicemonitors.yaml b/pkg/manager/agent-manifests/cluster-auth/crds/monitoring.coreos.com_servicemonitors.yaml index 2ec0b594..85aca445 100644 
--- a/pkg/manager/agent-manifests/cluster-auth/crds/monitoring.coreos.com_servicemonitors.yaml +++ b/pkg/manager/agent-manifests/cluster-auth/crds/monitoring.coreos.com_servicemonitors.yaml @@ -2,8 +2,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - operator.prometheus.io/version: 0.71.2 + controller-gen.kubebuilder.io/version: v0.15.0 + operator.prometheus.io/version: 0.75.1 name: servicemonitors.monitoring.coreos.com spec: group: monitoring.coreos.com 
@@ -24,40 +24,64 @@ spec: description: ServiceMonitor defines monitoring for a set of services. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: Specification of desired Service selection for target discovery - by Prometheus. + description: |- + Specification of desired Service selection for target discovery by + Prometheus. properties: attachMetadata: - description: "`attachMetadata` defines additional metadata which is - added to the discovered targets. \n It requires Prometheus >= v2.37.0." + description: |- + `attachMetadata` defines additional metadata which is added to the + discovered targets. + + + It requires Prometheus >= v2.37.0. 
properties: node: - description: When set to true, Prometheus must have the `get` - permission on the `Nodes` objects. + description: |- + When set to true, Prometheus must have the `get` permission on the + `Nodes` objects. type: boolean type: object + bodySizeLimit: + description: |- + When defined, bodySizeLimit specifies a job level limit on the size + of uncompressed response body that will be accepted by Prometheus. + + + It requires Prometheus >= v2.28.0. + pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ + type: string endpoints: description: List of endpoints part of this ServiceMonitor. items: - description: Endpoint defines an endpoint serving Prometheus metrics - to be scraped by Prometheus. + description: |- + Endpoint defines an endpoint serving Prometheus metrics to be scraped by + Prometheus. properties: authorization: - description: "`authorization` configures the Authorization header - credentials to use when scraping the target. \n Cannot be - set at the same time as `basicAuth`, or `oauth2`." + description: |- + `authorization` configures the Authorization header credentials to use when + scraping the target. + + + Cannot be set at the same time as `basicAuth`, or `oauth2`. properties: credentials: description: Selects a key of a Secret in the namespace 
@@ -68,8 +92,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -80,27 +111,43 @@ spec: type: object x-kubernetes-map-type: atomic type: - description: "Defines the authentication type. The value - is case-insensitive. \n \"Basic\" is not a supported value. - \n Default: \"Bearer\"" + description: |- + Defines the authentication type. The value is case-insensitive. + + + "Basic" is not a supported value. + + + Default: "Bearer" type: string type: object basicAuth: - description: "`basicAuth` configures the Basic Authentication - credentials to use when scraping the target. \n Cannot be - set at the same time as `authorization`, or `oauth2`." + description: |- + `basicAuth` configures the Basic Authentication credentials to use when + scraping the target. + + + Cannot be set at the same time as `authorization`, or `oauth2`. properties: password: - description: '`password` specifies a key of a Secret containing - the password for authentication.' + description: |- + `password` specifies a key of a Secret containing the password for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -111,16 +158,24 @@ spec: type: object x-kubernetes-map-type: atomic username: - description: '`username` specifies a key of a Secret containing - the username for authentication.' + description: |- + `username` specifies a key of a Secret containing the username for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -132,23 +187,35 @@ spec: x-kubernetes-map-type: atomic type: object bearerTokenFile: - description: "File to read bearer token for scraping the target. - \n Deprecated: use `authorization` instead." + description: |- + File to read bearer token for scraping the target. + + + Deprecated: use `authorization` instead. type: string bearerTokenSecret: - description: "`bearerTokenSecret` specifies a key of a Secret - containing the bearer token for scraping targets. The secret - needs to be in the same namespace as the ServiceMonitor object - and readable by the Prometheus Operator. \n Deprecated: use - `authorization` instead." + description: |- + `bearerTokenSecret` specifies a key of a Secret containing the bearer + token for scraping targets. The secret needs to be in the same namespace + as the ServiceMonitor object and readable by the Prometheus Operator. + + + Deprecated: use `authorization` instead. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -163,43 +230,62 @@ spec: scraping the target.' type: boolean filterRunning: - description: "When true, the pods which are not running (e.g. - either in Failed or Succeeded state) are dropped during the - target discovery. \n If unset, the filtering is enabled. \n - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase" + description: |- + When true, the pods which are not running (e.g. either in Failed or + Succeeded state) are dropped during the target discovery. + + + If unset, the filtering is enabled. + + + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase type: boolean followRedirects: - description: '`followRedirects` defines whether the scrape requests - should follow HTTP 3xx redirects.' + description: |- + `followRedirects` defines whether the scrape requests should follow HTTP + 3xx redirects. type: boolean honorLabels: - description: When true, `honorLabels` preserves the metric's - labels when they collide with the target's labels. + description: |- + When true, `honorLabels` preserves the metric's labels when they collide + with the target's labels. type: boolean honorTimestamps: - description: '`honorTimestamps` controls whether Prometheus - preserves the timestamps when exposed by the target.' + description: |- + `honorTimestamps` controls whether Prometheus preserves the timestamps + when exposed by the target. type: boolean interval: - description: "Interval at which Prometheus scrapes the metrics - from the target. \n If empty, Prometheus uses the global scrape - interval." + description: |- + Interval at which Prometheus scrapes the metrics from the target. + + + If empty, Prometheus uses the global scrape interval. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string metricRelabelings: - description: '`metricRelabelings` configures the relabeling - rules to apply to the samples before ingestion.' 
+ description: |- + `metricRelabelings` configures the relabeling rules to apply to the + samples before ingestion. items: - description: "RelabelConfig allows dynamic rewriting of the - label set for targets, alerts, scraped samples and remote - write samples. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: "Action to perform based on the regex matching. - \n `Uppercase` and `Lowercase` actions require Prometheus - >= v2.36.0. `DropEqual` and `KeepEqual` actions require - Prometheus >= v2.41.0. \n Default: \"Replace\"" + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace @@ -225,9 +311,11 @@ spec: - DropEqual type: string modulus: - description: "Modulus to take of the hash of the source - label values. \n Only applicable when the action is - `HashMod`." + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: 
@@ -235,42 +323,56 @@ spec: value is matched. type: string replacement: - description: "Replacement value against which a Replace - action is performed if the regular expression matches. - \n Regex capture groups are available." + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: description: Separator is the string between concatenated SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - Separator and matched against the configured regular - expression. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: "Label to which the resulting string is written - in a replacement. \n It is mandatory for `Replace`, - `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and - `DropEqual` actions. \n Regex capture groups are available." + description: |- + Label to which the resulting string is written in a replacement. + + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + + Regex capture groups are available. type: string type: object type: array oauth2: - description: "`oauth2` configures the OAuth2 settings to use - when scraping the target. \n It requires Prometheus >= 2.27.0. - \n Cannot be set at the same time as `authorization`, or `basicAuth`." 
+ description: |- + `oauth2` configures the OAuth2 settings to use when scraping the target. + + + It requires Prometheus >= 2.27.0. + + + Cannot be set at the same time as `authorization`, or `basicAuth`. properties: clientId: - description: '`clientId` specifies a key of a Secret or - ConfigMap containing the OAuth2 client''s ID.' + description: |- + `clientId` specifies a key of a Secret or ConfigMap containing the + OAuth2 client's ID. properties: configMap: description: ConfigMap containing data to use for the @@ -280,9 +382,15 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its 
@@ -300,9 +408,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key 
@@ -314,16 +428,24 @@ spec: x-kubernetes-map-type: atomic type: object clientSecret: - description: '`clientSecret` specifies a key of a Secret - containing the OAuth2 client''s secret.' + description: |- + `clientSecret` specifies a key of a Secret containing the OAuth2 + client's secret. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -336,8 +458,9 @@ spec: endpointParams: additionalProperties: type: string - description: '`endpointParams` configures the HTTP parameters - to append to the token URL.' + description: |- + `endpointParams` configures the HTTP parameters to append to the token + URL. type: object scopes: description: '`scopes` defines the OAuth2 scopes used for 
@@ -363,35 +486,56 @@ spec: description: params define optional HTTP URL parameters. type: object path: - description: "HTTP path from which to scrape for metrics. \n - If empty, Prometheus uses the default value (e.g. `/metrics`)." + description: |- + HTTP path from which to scrape for metrics. + + + If empty, Prometheus uses the default value (e.g. `/metrics`). type: string port: - description: "Name of the Service port which this endpoint refers - to. \n It takes precedence over `targetPort`." + description: |- + Name of the Service port which this endpoint refers to. + + + It takes precedence over `targetPort`. type: string proxyUrl: - description: '`proxyURL` configures the HTTP Proxy URL (e.g. - "http://proxyserver:2195") to go through when scraping the - target.' + description: |- + `proxyURL` configures the HTTP Proxy URL (e.g. + "http://proxyserver:2195") to go through when scraping the target. type: string relabelings: - description: "`relabelings` configures the relabeling rules - to apply the target's metadata labels. \n The Operator automatically - adds relabelings for a few standard Kubernetes fields. \n - The original scrape job's name is available via the `__tmp_prometheus_job_name` - label. \n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + description: |- + `relabelings` configures the relabeling rules to apply the target's + metadata labels. + + + The Operator automatically adds relabelings for a few standard Kubernetes fields. + + + The original scrape job's name is available via the `__tmp_prometheus_job_name` label. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config items: - description: "RelabelConfig allows dynamic rewriting of the - label set for targets, alerts, scraped samples and remote - write samples. 
\n More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: "Action to perform based on the regex matching. - \n `Uppercase` and `Lowercase` actions require Prometheus - >= v2.36.0. `DropEqual` and `KeepEqual` actions require - Prometheus >= v2.41.0. \n Default: \"Replace\"" + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace @@ -417,9 +561,11 @@ spec: - DropEqual type: string modulus: - description: "Modulus to take of the hash of the source - label values. \n Only applicable when the action is - `HashMod`." + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: 
@@ -427,57 +573,72 @@ spec: value is matched. type: string replacement: - description: "Replacement value against which a Replace - action is performed if the regular expression matches. - \n Regex capture groups are available." + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: description: Separator is the string between concatenated SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - Separator and matched against the configured regular - expression. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: "Label to which the resulting string is written - in a replacement. \n It is mandatory for `Replace`, - `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and - `DropEqual` actions. \n Regex capture groups are available." + description: |- + Label to which the resulting string is written in a replacement. + + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + + Regex capture groups are available. type: string type: object type: array scheme: - description: "HTTP scheme to use for scraping. \n `http` and - `https` are the expected values unless you rewrite the `__scheme__` - label via relabeling. \n If empty, Prometheus uses the default - value `http`." 
+ description: |- + HTTP scheme to use for scraping. + + + `http` and `https` are the expected values unless you rewrite the + `__scheme__` label via relabeling. + + + If empty, Prometheus uses the default value `http`. enum: - http - https type: string scrapeTimeout: - description: "Timeout after which Prometheus considers the scrape - to be failed. \n If empty, Prometheus uses the global scrape - timeout unless it is less than the target's scrape interval - value in which the latter is used." + description: |- + Timeout after which Prometheus considers the scrape to be failed. + + + If empty, Prometheus uses the global scrape timeout unless it is less + than the target's scrape interval value in which the latter is used. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string targetPort: anyOf: - type: integer - type: string - description: "Name or number of the target port of the `Pod` - object behind the Service, the port must be specified with - container port property. \n Deprecated: use `port` instead." + description: |- + Name or number of the target port of the `Pod` object behind the + Service. The port must be specified with the container's port property. x-kubernetes-int-or-string: true tlsConfig: description: TLS configuration to use when scraping the target. 
@@ -494,9 +655,15 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its @@ -514,9 +681,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key 
@@ -542,9 +715,15 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its @@ -562,9 +741,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key 
@@ -595,8 +780,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -611,51 +803,73 @@ spec: type: string type: object trackTimestampsStaleness: - description: "`trackTimestampsStaleness` defines whether Prometheus - tracks staleness of the metrics that have an explicit timestamp - present in scraped data. Has no effect if `honorTimestamps` - is false. \n It requires Prometheus >= v2.48.0." + description: |- + `trackTimestampsStaleness` defines whether Prometheus tracks staleness of + the metrics that have an explicit timestamp present in scraped data. + Has no effect if `honorTimestamps` is false. + + + It requires Prometheus >= v2.48.0. type: boolean type: object type: array jobLabel: - description: "`jobLabel` selects the label from the associated Kubernetes - `Service` object which will be used as the `job` label for all metrics. - \n For example if `jobLabel` is set to `foo` and the Kubernetes - `Service` object is labeled with `foo: bar`, then Prometheus adds - the `job=\"bar\"` label to all ingested metrics. \n If the value - of this field is empty or if the label doesn't exist for the given - Service, the `job` label of the metrics defaults to the name of - the associated Kubernetes `Service`." + description: |- + `jobLabel` selects the label from the associated Kubernetes `Service` + object which will be used as the `job` label for all metrics. + + + For example if `jobLabel` is set to `foo` and the Kubernetes `Service` + object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` + label to all ingested metrics. + + + If the value of this field is empty or if the label doesn't exist for + the given Service, the `job` label of the metrics defaults to the name + of the associated Kubernetes `Service`. type: string keepDroppedTargets: - description: "Per-scrape limit on the number of targets dropped by - relabeling that will be kept in memory. 0 means no limit. \n It - requires Prometheus >= v2.47.0." 
+ description: |- + Per-scrape limit on the number of targets dropped by relabeling + that will be kept in memory. 0 means no limit. + + + It requires Prometheus >= v2.47.0. format: int64 type: integer labelLimit: - description: "Per-scrape limit on number of labels that will be accepted - for a sample. \n It requires Prometheus >= v2.27.0." + description: |- + Per-scrape limit on number of labels that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer labelNameLengthLimit: - description: "Per-scrape limit on length of labels name that will - be accepted for a sample. \n It requires Prometheus >= v2.27.0." + description: |- + Per-scrape limit on length of labels name that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer labelValueLengthLimit: - description: "Per-scrape limit on length of labels value that will - be accepted for a sample. \n It requires Prometheus >= v2.27.0." + description: |- + Per-scrape limit on length of labels value that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer namespaceSelector: - description: Selector to select which namespaces the Kubernetes `Endpoints` - objects are discovered from. + description: |- + Selector to select which namespaces the Kubernetes `Endpoints` objects + are discovered from. properties: any: - description: Boolean describing whether all namespaces are selected - in contrast to a list restricting them. + description: |- + Boolean describing whether all namespaces are selected in contrast to a + list restricting them. type: boolean matchNames: description: List of namespace names to select from. 
@@ -664,16 +878,48 @@ spec: type: array type: object podTargetLabels: - description: '`podTargetLabels` defines the labels which are transferred - from the associated Kubernetes `Pod` object onto the ingested metrics.' + description: |- + `podTargetLabels` defines the labels which are transferred from the + associated Kubernetes `Pod` object onto the ingested metrics. items: type: string type: array sampleLimit: - description: '`sampleLimit` defines a per-scrape limit on the number - of scraped samples that will be accepted.' + description: |- + `sampleLimit` defines a per-scrape limit on the number of scraped samples + that will be accepted. format: int64 type: integer + scrapeClass: + description: The scrape class to apply. + minLength: 1 + type: string + scrapeProtocols: + description: |- + `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the + protocols supported by Prometheus in order of preference (from most to least preferred). + + + If unset, Prometheus uses its default value. + + + It requires Prometheus >= v2.49.0. + items: + description: |- + ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. + Supported values are: + * `OpenMetricsText0.0.1` + * `OpenMetricsText1.0.0` + * `PrometheusProto` + * `PrometheusText0.0.4` + enum: + - PrometheusProto + - OpenMetricsText0.0.1 + - OpenMetricsText1.0.0 + - PrometheusText0.0.4 + type: string + type: array + x-kubernetes-list-type: set selector: description: Label selector to select the Kubernetes `Endpoints` objects. properties: 
@@ -681,54 +927,56 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic targetLabels: - description: '`targetLabels` defines the labels which are transferred - from the associated Kubernetes `Service` object onto the ingested - metrics.' + description: |- + `targetLabels` defines the labels which are transferred from the + associated Kubernetes `Service` object onto the ingested metrics. items: type: string type: array targetLimit: - description: '`targetLimit` defines a limit on the number of scraped - targets that will be accepted.' + description: |- + `targetLimit` defines a limit on the number of scraped targets that will + be accepted. format: int64 type: integer required: diff --git a/pkg/manager/agent-manifests/cluster-auth/values.openapiv3_schema.yaml b/pkg/manager/agent-manifests/cluster-auth/values.openapiv3_schema.yaml index fa06b823..30d919bc 100644 --- a/pkg/manager/agent-manifests/cluster-auth/values.openapiv3_schema.yaml +++ b/pkg/manager/agent-manifests/cluster-auth/values.openapiv3_schema.yaml @@ -19,11 +19,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: items: properties: @@ -35,11 +37,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: @@ -50,6 +54,7 @@ properties: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: properties: nodeSelectorTerms: 
@@ -66,11 +71,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: items: properties: @@ -82,14 +89,17 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object @@ -115,11 +125,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -149,11 +161,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -164,6 +178,7 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: @@ -177,6 +192,7 @@ properties: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: items: properties: @@ -193,11 +209,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -227,11 +245,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -242,12 +262,14 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: properties: @@ -269,11 +291,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -303,11 +327,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -318,6 +344,7 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: @@ -331,6 +358,7 @@ properties: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: items: properties: @@ -347,11 +375,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -381,11 +411,13 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -396,22 +428,40 @@ properties: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object annotations: additionalProperties: type: string type: object + apiServer: + properties: + healthcheck: + properties: + enabled: + type: boolean + required: + - enabled + type: object + required: + - healthcheck + type: object + clusterName: + type: string criticalAddon: type: boolean fullnameOverride: type: string + hubKubeconfigSecretName: + type: string image: properties: registry: @@ -453,16 +503,27 @@ properties: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -557,6 +618,15 @@ properties: type: object podSecurityContext: properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object fsGroup: format: int64 type: integer @@ -595,6 +665,7 @@ properties: format: int64 type: integer type: array + x-kubernetes-list-type: atomic sysctls: items: properties: @@ -607,6 +678,7 @@ properties: - value type: object type: array + x-kubernetes-list-type: atomic windowsOptions: properties: gmsaCredentialSpec: @@ -654,6 +726,9 @@ properties: type: object type: array required: +- apiServer +- clusterName +- hubKubeconfigSecretName - image - imagePullPolicy - monitoring diff --git a/pkg/manager/controller/authentication/account_controller.go b/pkg/manager/controller/authentication/account_controller.go index e60214f9..67856cc3 100644 --- a/pkg/manager/controller/authentication/account_controller.go 
+++ b/pkg/manager/controller/authentication/account_controller.go
@@ -23,7 +23,6 @@ import (
 
 	authenticationv1alpha1 "github.com/kluster-manager/cluster-auth/apis/authentication/v1alpha1"
 	"github.com/kluster-manager/cluster-auth/pkg/common"
-	"github.com/kluster-manager/cluster-auth/pkg/utils"
 
 	core "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
@@ -70,10 +69,6 @@ func (r *AccountReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		return reconcile.Result{}, r.setStatusFailed(ctx, acc, err)
 	}
 
-	if err = r.createClusterRoleAndClusterRoleBindingToImpersonate(ctx, acc); err != nil {
-		return reconcile.Result{}, r.setStatusFailed(ctx, acc, err)
-	}
-
 	// Set the status to success after successful reconciliation
 	if acc.Status.Phase != authenticationv1alpha1.AccountPhaseCurrent {
 		if err := r.setStatusSuccess(ctx, acc, "Reconciliation completed successfully."); err != nil {
@@ -132,28 +127,13 @@ func (r *AccountReconciler) createServiceAccount(ctx context.Context, acc *authe
 func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.Context, acc *authenticationv1alpha1.Account) error {
 	sub := []rbac.Subject{
 		{
-			APIGroup: "",
-			Kind:     "User",
-			Name:     acc.Name,
+			APIGroup:  "",
+			Kind:      "ServiceAccount",
+			Name:      acc.Name,
+			Namespace: common.AddonAgentInstallNamespace,
 		},
 	}
 
-	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
-		name, namespace, err := utils.ExtractServiceAccountNameAndNamespace(acc.Spec.Username)
-		if err != nil {
-			return err
-		}
-
-		sub = []rbac.Subject{
-			{
-				APIGroup:  "",
-				Kind:      "ServiceAccount",
-				Name:      name,
-				Namespace: namespace,
-			},
-		}
-	}
-
 	crb := rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: fmt.Sprintf("ace.%s.proxy", acc.Spec.UID),
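Review bot: `createGatewayClusterRoleBindingForUser` now binds the ServiceAccount `acc.Name` in `common.AddonAgentInstallNamespace` unconditionally, no longer consulting `acc.Spec.Username`, yet the function keeps its `...ForUser` name and carries no doc comment saying which identity is granted the gateway proxy role. I would add above the signature: `// createGatewayClusterRoleBindingForUser binds the per-Account ServiceAccount (acc.Name in the addon agent install namespace, presumably the one createServiceAccount creates) to the gateway proxy ClusterRole; the binding is named from acc.Spec.UID, not from the subject.` Because the binding name is keyed on `acc.Spec.UID` while the subject is keyed on `acc.Name`, two Account objects sharing a UID would silently retarget the same ClusterRoleBinding — worth confirming that UID uniqueness is enforced somewhere, since I cannot see it here. Both `strings.Contains` call sites in this file are removed by this commit while the import hunk only drops `utils`, so confirm `strings` is still referenced elsewhere or the file will not build. The body of this function continues outside the hunk.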
@@ -185,103 +165,6 @@ func (r *AccountReconciler) createGatewayClusterRoleBindingForUser(ctx context.C
 	return nil
 }
 
-func (r *AccountReconciler) createClusterRoleAndClusterRoleBindingToImpersonate(ctx context.Context, acc *authenticationv1alpha1.Account) error {
-	// impersonate clusterRole
-	cr := rbac.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: fmt.Sprintf("ace.%s.impersonate", acc.Spec.UID),
-			OwnerReferences: []metav1.OwnerReference{
-				*metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
-			},
-		},
-		Rules: []rbac.PolicyRule{
-			{
-				APIGroups:     []string{""},
-				Resources:     []string{"users"},
-				Verbs:         []string{"impersonate"},
-				ResourceNames: []string{acc.Name},
-			},
-			{
-				APIGroups:     []string{""},
-				Resources:     []string{"groups"},
-				Verbs:         []string{"impersonate"},
-				ResourceNames: acc.Spec.Groups,
-			},
-		},
-	}
-
-	if strings.Contains(acc.Spec.Username, common.ServiceAccountPrefix) {
-		name, _, err := utils.ExtractServiceAccountNameAndNamespace(acc.Spec.Username)
-		if err != nil {
-			return err
-		}
-
-		cr = rbac.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("ace.%s.impersonate", acc.Name),
-				OwnerReferences: []metav1.OwnerReference{
-					*metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
-				},
-			},
-			Rules: []rbac.PolicyRule{
-				{
-					APIGroups:     []string{""},
-					Resources:     []string{"serviceaccounts"},
-					Verbs:         []string{"impersonate"},
-					ResourceNames: []string{name},
-				},
-			},
-		}
-	}
-
-	_, err := cu.CreateOrPatch(ctx, r.Client, &cr, func(obj client.Object, createOp bool) client.Object {
-		in := obj.(*rbac.ClusterRole)
-		in.ObjectMeta = cr.ObjectMeta
-		in.Rules = cr.Rules
-		return in
-	})
-	if err != nil {
-		return err
-	}
-
-	sub := []rbac.Subject{
-		{
-			APIGroup:  "",
-			Kind:      "ServiceAccount",
-			Name:      acc.Name,
-			Namespace: common.AddonAgentInstallNamespace,
-		},
-	}
-
-	crb := rbac.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: cr.Name, // creating cluster-rolebinding name with the same name of cluster-role
-			OwnerReferences: []metav1.OwnerReference{
-				*metav1.NewControllerRef(acc, authenticationv1alpha1.GroupVersion.WithKind("Account")),
-			},
-		},
-		Subjects: sub,
-		RoleRef: rbac.RoleRef{
-			APIGroup: rbac.GroupName,
-			Kind:     "ClusterRole",
-			Name:     cr.Name,
-		},
-	}
-
-	_, err = cu.CreateOrPatch(context.Background(), r.Client, &crb, func(obj client.Object, createOp bool) client.Object {
-		in := obj.(*rbac.ClusterRoleBinding)
-		in.ObjectMeta = crb.ObjectMeta
-		in.Subjects = crb.Subjects
-		in.RoleRef = crb.RoleRef
-		return in
-	})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // updateConditions adds or updates a condition in the conditions array.
 func (r *AccountReconciler) updateConditions(conditions []kmapi.Condition, conditionType kmapi.ConditionType, message string) []kmapi.Condition {
 	now := metav1.Now()