diff --git a/.github/workflows/build-next-images.yaml b/.github/workflows/build-next-images.yaml
deleted file mode 100644
index f9076da80..000000000
--- a/.github/workflows/build-next-images.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# Copyright (c) 2019-2021 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-# Red Hat, Inc. - initial API and implementation
-#
-
-name: Build next images
-
-on:
- # manual trigger if required
- workflow_dispatch:
- inputs:
- reason:
- description: 'Reason to trigger a build'
- required: false
- push:
- branches:
- - main
-jobs:
- build-images:
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout source code
- uses: actions/checkout@v2
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
- - name: Login to quay.io
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- registry: quay.io
- - name: Build and push images to quay.io
- uses: docker/build-push-action@v2
- with:
- file: Dockerfile
- platforms: linux/amd64,linux/ppc64le
- push: true
- tags: quay.io/eclipse/che-operator:next
diff --git a/.github/workflows/release-next-catalog-and-operator-image.yaml b/.github/workflows/release-next-catalog-and-operator-image.yaml
new file mode 100644
index 000000000..f50b33f8a
--- /dev/null
+++ b/.github/workflows/release-next-catalog-and-operator-image.yaml
@@ -0,0 +1,50 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+name: Release next catalog
+on:
+ # manual trigger if required
+ workflow_dispatch:
+ inputs:
+ reason:
+ description: 'Reason to trigger a build'
+ required: false
+ push:
+ branches:
+ - main
+jobs:
+ build-images:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v2
+ - name: Install yq
+ run: sudo pip install yq
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Login to quay.io
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_PASSWORD }}
+ registry: quay.io
+ - name: Build operator image
+ uses: docker/build-push-action@v2
+ with:
+ file: Dockerfile
+ platforms: linux/amd64,linux/ppc64le
+ push: true
+ tags: quay.io/eclipse/che-operator:next
+ - name: Build catalog source
+ run: ${GITHUB_WORKSPACE}/build/scripts/olm/release-catalog.sh --channel 'next' --catalog-image quay.io/eclipse/eclipse-che-olm-catalog:next
diff --git a/.github/workflows/release-next-catalog.yaml b/.github/workflows/release-next-catalog.yaml
deleted file mode 100644
index d942f8d43..000000000
--- a/.github/workflows/release-next-catalog.yaml
+++ /dev/null
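Review bot: Every `uses:` in this new workflow is pinned to a mutable tag (`actions/checkout@v2`, `docker/login-action@v1`, `docker/build-push-action@v2` and the two setup actions), while the job holds `QUAY_USERNAME`/`QUAY_PASSWORD` and pushes `quay.io/eclipse/che-operator:next`. A retagged action release would run with those credentials, so I would pin each action to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha> # v1`. The same applies to `run: sudo pip install yq`, which installs whatever version is current as root before the login step; pin it, e.g. `pip install yq==<version>`. The workflow also sets no `permissions:` key, so the token scope is whatever the repository default is; a top-level `permissions:` with `contents: read` would make that explicit.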
@@ -1,39 +0,0 @@
-#
-# Copyright (c) 2019-2021 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-# Red Hat, Inc. - initial API and implementation
-#
-
-name: Release next catalog
-on:
- # manual trigger if required
- workflow_dispatch:
- inputs:
- reason:
- description: 'Reason to trigger a build'
- required: false
- push:
- branches:
- - main
-jobs:
- release-next-catalog:
- name: Build
- runs-on: ubuntu-20.04
- steps:
- - uses: actions/checkout@v2
- - name: Install yq
- run: sudo pip install yq
- - name: Docker login
- uses: azure/docker-login@v1
- with:
- login-server: quay.io
- username: ${{ secrets.QUAY_USERNAME }}
- password: ${{ secrets.QUAY_PASSWORD }}
- - name: Release next catalog
- run: ${GITHUB_WORKSPACE}/build/scripts/olm/release-catalog.sh --channel 'next' --catalog-image quay.io/eclipse/eclipse-che-olm-catalog:next
diff --git a/Makefile b/Makefile
index 9a6183c71..d17f41228 100644
--- a/Makefile
+++ b/Makefile
@@ -392,8 +392,8 @@ download-gateway-resources: # Store `che-operator-webhook-server-cert` secret locally store_tls_cert: mkdir -p /tmp/k8s-webhook-server/serving-certs/ - $(K8S_CLI) get secret che-operator-webhook-server-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.crt"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.crt - $(K8S_CLI) get secret che-operator-webhook-server-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.key"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.key + $(K8S_CLI) get secret che-operator-service-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.crt"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.crt + $(K8S_CLI) get secret che-operator-service-cert -n $(ECLIPSE_CHE_NAMESPACE) -o json | jq -r '.data["tls.key"]' | base64 -d > /tmp/k8s-webhook-server/serving-certs/tls.key ##@ OLM catalog diff --git a/build/scripts/olm/test-catalog-from-sources.sh b/build/scripts/olm/test-catalog-from-sources.sh index e52396364..2efd329ff 100755 --- a/build/scripts/olm/test-catalog-from-sources.sh +++ b/build/scripts/olm/test-catalog-from-sources.sh @@ -85,8 +85,6 @@ exposeOpenShiftRegistry() { oc policy add-role-to-user system:image-builder system:anonymous -n "${NAMESPACE}" oc policy add-role-to-user system:image-builder system:unauthenticated -n "${NAMESPACE}" - oc policy add-role-to-user system:image-builder system:anonymous -n "openshift-marketplace" - oc policy add-role-to-user system:image-builder system:unauthenticated -n "openshift-marketplace" } buildOperatorFromSources() { @@ -154,7 +152,7 @@ run() { make create-operatorgroup NAME=eclipse-che NAMESPACE="${NAMESPACE}" VERBOSE=${VERBOSE} fi make create-subscription \ - NAME=eclipse-che-subscription \ + NAME=eclipse-che \ NAMESPACE="${NAMESPACE}" \ PACKAGE_NAME="${ECLIPSE_CHE_PACKAGE_NAME}" \ SOURCE="${ECLIPSE_CHE_CATALOG_SOURCE_NAME}" \ 
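Review bot: `store_tls_cert` writes the webhook private key to a fixed path under `/tmp` with the caller's default umask, so on a shared machine `tls.key` may be readable by other local users; the rename does not change that, but it sits on the lines being edited. Adding `chmod 700 /tmp/k8s-webhook-server/serving-certs/` after the `mkdir` and `chmod 600 /tmp/k8s-webhook-server/serving-certs/tls.key` after the second command would close it. The comment above the target still names `che-operator-webhook-server-cert` and should now say `che-operator-service-cert`. If `$(K8S_CLI) get secret` fails, for example on a cluster that still carries the old secret name, the pipeline still leaves empty `tls.crt` and `tls.key` files, because make only sees the exit status of `base64`.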
diff --git a/build/scripts/release/buildDigestMap.sh b/build/scripts/release/buildDigestMap.sh index 399e272a6..7086bd40b 100755 --- a/build/scripts/release/buildDigestMap.sh +++ b/build/scripts/release/buildDigestMap.sh @@ -39,7 +39,7 @@ excludedImages=( usage () { echo "Usage: $0 [-w WORKDIR] -c [/path/to/csv.yaml] -t [IMAGE_TAG]" - echo "Example: $0 -w $(pwd) -c $(pwd)/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml -t 7.26.0" + echo "Example: $0 -w $(pwd) -c $(pwd)/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml -t 7.26.0" } setImagesFromDeploymentEnv() { diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml index cabe4aa04..27970240c 100644 --- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml @@ -77,7 +77,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che.v7.57.0-729.next + name: eclipse-che.v7.57.0-736.next namespace: placeholder spec: apiservicedefinitions: {} @@ -994,21 +994,12 @@ spec: - ALL privileged: false readOnlyRootFilesystem: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: webhook-tls-certs - readOnly: true hostIPC: false hostNetwork: false hostPID: false restartPolicy: Always serviceAccountName: che-operator terminationGracePeriodSeconds: 20 - volumes: - - name: webhook-tls-certs - secret: - defaultMode: 420 - secretName: che-operator-webhook-server-cert permissions: - rules: - apiGroups: @@ -1241,7 +1232,7 @@ spec: minKubeVersion: 1.19.0 provider: name: Eclipse Foundation - version: 7.57.0-729.next + version: 7.57.0-736.next webhookdefinitions: - admissionReviewVersions: - v1 
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index 0460d8d2f..2e62157fd 100644 --- a/config/certmanager/certificate.yaml +++ b/config/certmanager/certificate.yaml @@ -44,4 +44,4 @@ spec: issuerRef: kind: Issuer name: che-operator-selfsigned-issuer - secretName: che-operator-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize + secretName: che-operator-service-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/kubernetes/kustomization.yaml b/config/kubernetes/kustomization.yaml index 1c49b131f..e0b74aba8 100644 --- a/config/kubernetes/kustomization.yaml +++ b/config/kubernetes/kustomization.yaml @@ -22,6 +22,7 @@ resources: patchesStrategicMerge: - patches/cainjection_in_checlusters.yaml - patches/cainjection_in_webhook.yaml + - patches/service_cert_patch.yaml - patches/manager_pod_security_context.yaml vars: diff --git a/config/kubernetes/patches/service_cert_patch.yaml b/config/kubernetes/patches/service_cert_patch.yaml new file mode 100644 index 000000000..f943a346d --- /dev/null +++ b/config/kubernetes/patches/service_cert_patch.yaml @@ -0,0 +1,31 @@ +# +# Copyright (c) 2019-2021 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: che-operator + namespace: eclipse-che +spec: + template: + spec: + containers: + - name: che-operator + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-tls-certs + readOnly: true + volumes: + - name: webhook-tls-certs + secret: + defaultMode: 420 + secretName: che-operator-service-cert 
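Review bot: Renaming `secretName` to `che-operator-service-cert` makes cert-manager issue into a new Secret, and nothing visible in this change removes the old `che-operator-webhook-server-cert` Secret on clusters upgraded from the previous manifests. As far as I know cert-manager leaves a Secret in place once a Certificate stops referencing it (unless owner references are enabled), so the previous TLS private key would stay in the namespace unused. Consider deleting it in the operator's upgrade path or documenting the manual cleanup, and extend the inline comment, e.g. `# renamed from che-operator-webhook-server-cert; the old Secret is not removed automatically`. The same rename appears in the Helm template, the OpenShift Service annotation and the generated `deploy/` manifests.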
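Review bot: `defaultMode: 420` in the new `config/kubernetes/patches/service_cert_patch.yaml` is decimal for octal 0644, which is easy to misread and leaves the mounted `tls.key` world-readable inside the container. Add a comment on that line such as `# decimal 420 == octal 0644`, or tighten it if the operator's user and `fsGroup` allow, for example `defaultMode: 288` (octal 0440); whether a stricter mode still lets the container read the key depends on the pod security context, which this hunk does not show. The patch also hard-codes `namespace: eclipse-che`; presumably kustomize rewrites it as it does for the other patches, but that is worth confirming.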
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 0a005305f..e68ace85c 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -14,7 +14,7 @@ resources: - manager.yaml patchesStrategicMerge: -- patches/manager_webhook_patch.yaml +- patches/manager_webhook_service_patch.yaml generatorOptions: disableNameSuffixHash: true diff --git a/config/manager/patches/manager_webhook_patch.yaml b/config/manager/patches/manager_webhook_service_patch.yaml similarity index 67% rename from config/manager/patches/manager_webhook_patch.yaml rename to config/manager/patches/manager_webhook_service_patch.yaml index 64145782b..724b2135c 100644 --- a/config/manager/patches/manager_webhook_patch.yaml +++ b/config/manager/patches/manager_webhook_service_patch.yaml @@ -24,12 +24,3 @@ spec: - containerPort: 9443 name: webhook-server protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: webhook-tls-certs - readOnly: true - volumes: - - name: webhook-tls-certs - secret: - defaultMode: 420 - secretName: che-operator-webhook-server-cert diff --git a/config/openshift/patches/cainjection_in_webhook.yaml b/config/openshift/patches/cainjection_in_webhook.yaml index 174906293..8f4a9cb67 100644 --- a/config/openshift/patches/cainjection_in_webhook.yaml +++ b/config/openshift/patches/cainjection_in_webhook.yaml @@ -9,10 +9,17 @@ # Contributors: # Red Hat, Inc. - initial API and implementation # - +--- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: org.eclipse.che annotations: - service.beta.openshift.io/inject-cabundle: "true" \ No newline at end of file + service.beta.openshift.io/inject-cabundle: "true" +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: org.eclipse.che + annotations: + service.beta.openshift.io/inject-cabundle: "true" 
diff --git a/config/openshift/patches/service_cert_patch.yaml b/config/openshift/patches/service_cert_patch.yaml index f111d2c72..c406cf569 100644 --- a/config/openshift/patches/service_cert_patch.yaml +++ b/config/openshift/patches/service_cert_patch.yaml @@ -16,4 +16,4 @@ metadata: name: che-operator-service namespace: eclipse-che annotations: - service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert + service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index 0f29bb07e..1f92330c0 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml @@ -5849,7 +5849,7 @@ spec: - name: webhook-tls-certs secret: defaultMode: 420 - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -5868,7 +5868,7 @@ spec: issuerRef: kind: Issuer name: che-operator-selfsigned-issuer - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert --- apiVersion: cert-manager.io/v1 kind: Issuer diff --git a/deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml b/deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml index 806958b6a..8b7dea8c9 100644 --- a/deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml +++ b/deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml @@ -27,4 +27,4 @@ spec: issuerRef: kind: Issuer name: che-operator-selfsigned-issuer - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert diff --git a/deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml b/deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml index 8a7f4878d..505448e4c 100644 --- a/deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml 
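Review bot: The OpenShift Service still asks service-ca for a serving certificate (`serving-cert-secret-name: che-operator-service-cert`) and the CA bundle is injected into both webhook configurations, but after this commit the `webhook-tls-certs` volume and its mount are added only by `config/kubernetes/patches/service_cert_patch.yaml`; the generated `deploy/deployment/openshift` Deployment loses them. Unless the operator obtains the certificate some other way that this diff does not show (for example OLM mounting it), a non-OLM OpenShift install would have no key pair at `/tmp/k8s-webhook-server/serving-certs` and admission calls to the webhook would fail TLS. If that is intended, a comment in this patch saying who mounts the Secret on OpenShift would help, e.g. `# Secret is mounted by <component>, not by this overlay`. Otherwise the OpenShift overlay needs the same Deployment volume patch as the Kubernetes one.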
+++ b/deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml @@ -155,4 +155,4 @@ spec: - name: webhook-tls-certs secret: defaultMode: 420 - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index 582bdafd6..a1cd78fc8 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml @@ -5691,7 +5691,7 @@ apiVersion: v1 kind: Service metadata: annotations: - service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert + service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert labels: app.kubernetes.io/component: che-operator app.kubernetes.io/instance: che @@ -5834,25 +5834,18 @@ spec: - ALL privileged: false readOnlyRootFilesystem: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: webhook-tls-certs - readOnly: true hostIPC: false hostNetwork: false hostPID: false restartPolicy: Always serviceAccountName: che-operator terminationGracePeriodSeconds: 20 - volumes: - - name: webhook-tls-certs - secret: - defaultMode: 420 - secretName: che-operator-webhook-server-cert --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + annotations: + service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: che-operator app.kubernetes.io/instance: che diff --git a/deploy/deployment/openshift/objects/che-operator-service.Service.yaml b/deploy/deployment/openshift/objects/che-operator-service.Service.yaml index 731f4e5a1..d641d7d84 100644 --- a/deploy/deployment/openshift/objects/che-operator-service.Service.yaml +++ b/deploy/deployment/openshift/objects/che-operator-service.Service.yaml 
@@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: annotations: - service.beta.openshift.io/serving-cert-secret-name: che-operator-webhook-server-cert + service.beta.openshift.io/serving-cert-secret-name: che-operator-service-cert labels: app.kubernetes.io/component: che-operator app.kubernetes.io/instance: che diff --git a/deploy/deployment/openshift/objects/che-operator.Deployment.yaml b/deploy/deployment/openshift/objects/che-operator.Deployment.yaml index b5989839e..bc68236d5 100644 --- a/deploy/deployment/openshift/objects/che-operator.Deployment.yaml +++ b/deploy/deployment/openshift/objects/che-operator.Deployment.yaml @@ -138,18 +138,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: webhook-tls-certs - readOnly: true hostIPC: false hostNetwork: false hostPID: false restartPolicy: Always serviceAccountName: che-operator terminationGracePeriodSeconds: 20 - volumes: - - name: webhook-tls-certs - secret: - defaultMode: 420 - secretName: che-operator-webhook-server-cert diff --git a/deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml b/deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml index 9175ca21f..a537f9a91 100644 --- a/deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml +++ b/deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml @@ -13,6 +13,8 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + annotations: + service.beta.openshift.io/inject-cabundle: "true" labels: app.kubernetes.io/component: che-operator app.kubernetes.io/instance: che diff --git a/helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml b/helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml index 806958b6a..8b7dea8c9 100644 
--- a/helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml +++ b/helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml @@ -27,4 +27,4 @@ spec: issuerRef: kind: Issuer name: che-operator-selfsigned-issuer - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert diff --git a/helmcharts/next/templates/che-operator.Deployment.yaml b/helmcharts/next/templates/che-operator.Deployment.yaml index 8a7f4878d..505448e4c 100644 --- a/helmcharts/next/templates/che-operator.Deployment.yaml +++ b/helmcharts/next/templates/che-operator.Deployment.yaml @@ -155,4 +155,4 @@ spec: - name: webhook-tls-certs secret: defaultMode: 420 - secretName: che-operator-webhook-server-cert + secretName: che-operator-service-cert