change gitops-operator namespace, add artifacts needed for openshift-monitoring

Signed-off-by: Jaideep Rao <[email protected]>

Author: jaideepr97

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= ""
+VERSION ?= "1.9.0-ocp-metrics-5"
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
@@ -27,7 +27,7 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 # IMAGE defines the base image to be used for operator, bundle and catalog.
-IMAGE ?= quay.io/redhat-developer/gitops-operator
+IMAGE ?= quay.io/jrao/gitops-operator
 
 # IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images.
 # This variable is used to construct full image tags for bundle and catalog images.

bundle.Dockerfile

@@ -7,7 +7,7 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=gitops-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=latest,gitops-1.8
 LABEL operators.operatorframework.io.bundle.channel.default.v1=latest
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.10.0+git
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.1
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
 

bundle/manifests/gitops-operator-controller-manager-metrics-service_v1_service.yaml

@@ -137,6 +137,8 @@ metadata:
     containerImage: quay.io/redhat-developer/gitops-operator
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
+    operatorframework.io/cluster-monitoring: "true"
+    operatorframework.io/suggested-namespace: openshift-gitops-operator
     operators.openshift.io/infrastructure-features: '["disconnected"]'
     operators.operatorframework.io/builder: operator-sdk-v1.10.0+git
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -865,22 +867,56 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
-        serviceAccountName: gitops-operator-controller-manager
+        serviceAccountName: openshift-gitops-operator-controller-manager
       deployments:
-      - name: gitops-operator-controller-manager
+      - label:
+          control-plane: gitops-operator
+        name: openshift-gitops-operator-controller-manager
         spec:
           replicas: 1
           selector:
             matchLabels:
-              control-plane: argocd-operator
+              control-plane: gitops-operator
           strategy: {}
           template:
             metadata:
               labels:
-                control-plane: argocd-operator
+                control-plane: gitops-operator
             spec:
               containers:
-              - command:
+              - args:
+                - --secure-listen-address=0.0.0.0:8443
+                - --upstream=http://127.0.0.1:8080
+                - --tls-cert-file=/etc/tls/private/tls.crt
+                - --tls-private-key-file=/etc/tls/private/tls.key
+                - --logtostderr=true
+                - --allow-paths=/metrics
+                image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:da5d5061dbc2ec5082cf14b6c600fb5400b83cf91d7ccebfa80680a238d275db
+                name: kube-rbac-proxy
+                ports:
+                - containerPort: 8443
+                  name: metrics
+                resources:
+                  limits:
+                    cpu: 500m
+                    memory: 128Mi
+                  requests:
+                    cpu: 1m
+                    memory: 15Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+                volumeMounts:
+                - mountPath: /etc/tls/private
+                  name: kube-rbac-proxy-tls
+                  readOnly: true
+              - args:
+                - --health-probe-bind-address=:8081
+                - --metrics-bind-address=127.0.0.1:8080
+                - --leader-elect
+                command:
                 - /usr/local/bin/manager
                 env:
                 - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
@@ -911,8 +947,12 @@ spec:
                   runAsNonRoot: true
               securityContext:
                 runAsNonRoot: true
-              serviceAccountName: gitops-operator-controller-manager
+              serviceAccountName: openshift-gitops-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: kube-rbac-proxy-tls
+                secret:
+                  secretName: kube-rbac-proxy-tls
       permissions:
       - rules:
         - apiGroups:
@@ -946,7 +986,7 @@ spec:
           verbs:
           - create
           - patch
-        serviceAccountName: gitops-operator-controller-manager
+        serviceAccountName: openshift-gitops-operator-controller-manager
     strategy: deployment
   installModes:
   - supported: false

bundle/manifests/gitops-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -14,4 +14,4 @@ data:
       resourceName: 2b63967d.openshift.io
 kind: ConfigMap
 metadata:
-  name: gitops-operator-manager-config
+  name: openshift-gitops-operator-manager-config

bundle/manifests/gitops-operator.clusterserviceversion.yaml

@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    control-plane: gitops-operator
+  name: openshift-gitops-operator-metrics-monitor
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    path: /metrics
+    port: metrics
+    scheme: https
+    tlsConfig:
+      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
+  selector:
+    matchLabels:
+      control-plane: gitops-operator

bundle/manifests/gitops-operator-manager-config_v1_configmap.yaml renamed to bundle/manifests/openshift-gitops-operator-manager-config_v1_configmap.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls
+  creationTimestamp: null
+  labels:
+    control-plane: gitops-operator
+  name: openshift-gitops-operator-metrics-service
+spec:
+  ports:
+  - name: metrics
+    port: 8443
+    targetPort: metrics
+  selector:
+    control-plane: gitops-operator
+  type: ClusterIP
+status:
+  loadBalancer: {}

bundle/manifests/openshift-gitops-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: openshift-gitops-operator-prometheus
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch

bundle/manifests/openshift-gitops-operator-metrics-service_v1_service.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: openshift-gitops-operator-prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-gitops-operator-prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: openshift-monitoring

bundle/manifests/openshift-gitops-operator-prometheus_rbac.authorization.k8s.io_v1_role.yaml

@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: gitops-operator-system
+namespace: openshift-gitops-operator
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: gitops-operator-
+namePrefix: openshift-gitops-operator-
 
 # Labels to add to all resources and selectors.
 #commonLabels:
@@ -22,13 +22,13 @@ bases:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
+- ../prometheus
 
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-#- manager_auth_proxy_patch.yaml
+- manager_auth_proxy_patch.yaml
 
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type

bundle/manifests/openshift-gitops-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -6,21 +6,50 @@ metadata:
   name: controller-manager
   namespace: system
 spec:
+  selector:
+    matchLabels:
+      control-plane: gitops-operator
   template:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:da5d5061dbc2ec5082cf14b6c600fb5400b83cf91d7ccebfa80680a238d275db
         args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=10"
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:8080
+        - --tls-cert-file=/etc/tls/private/tls.crt
+        - --tls-private-key-file=/etc/tls/private/tls.key
+        - --logtostderr=true
+        - --allow-paths=/metrics
         ports:
         - containerPort: 8443
-          name: https
+          name: metrics
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 1m
+            memory: 15Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /etc/tls/private
+          name: kube-rbac-proxy-tls
+          readOnly: true
       - name: manager
         args:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
+      volumes:
+        # Secret created by the service CA operator.
+        # We assume that the Kubernetes service exposing the application's pods has the
+        # "service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls"
+        # annotation.
+        - name: kube-rbac-proxy-tls
+          secret:
+            secretName: kube-rbac-proxy-tls

config/default/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   labels:
-    control-plane: argocd-operator
+    control-plane: gitops-operator
   name: system
 ---
 apiVersion: apps/v1
@@ -11,16 +11,16 @@ metadata:
   name: controller-manager
   namespace: system
   labels:
-    control-plane: argocd-operator
+    control-plane: gitops-operator
 spec:
   selector:
     matchLabels:
-      control-plane: argocd-operator
+      control-plane: gitops-operator
   replicas: 1
   template:
     metadata:
       labels:
-        control-plane: argocd-operator
+        control-plane: gitops-operator
     spec:
       securityContext:
         runAsNonRoot: true

config/default/manager_auth_proxy_patch.yaml

@@ -7,6 +7,8 @@ metadata:
     containerImage: quay.io/redhat-developer/gitops-operator
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
+    operatorframework.io/cluster-monitoring: "true"
+    operatorframework.io/suggested-namespace: openshift-gitops-operator
     operators.openshift.io/infrastructure-features: '["disconnected"]'
     repository: https://github.com/redhat-developer/gitops-operator
     support: Red Hat

config/manager/manager.yaml

@@ -1,2 +1,4 @@
 resources:
 - monitor.yaml
+- role.yaml
+- rolebinding.yaml

config/manifests/bases/gitops-operator.clusterserviceversion.yaml

@@ -4,17 +4,19 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
-    control-plane: argocd-operator
-  name: controller-manager-metrics-monitor
+    control-plane: gitops-operator
+  name: metrics-monitor
   namespace: system
 spec:
   endpoints:
-    - path: /metrics
-      port: https
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      path: /metrics
+      interval: 30s
+      port: metrics
       scheme: https
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
-        insecureSkipVerify: true
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: openshift-gitops-operator-metrics-service.openshift-gitops-operator.svc
   selector:
     matchLabels:
-      control-plane: argocd-operator
+      control-plane: gitops-operator