diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
index 88fe113b7f..93dadf5d44 100644
--- a/buildchain/buildchain/salt_tree.py
+++ b/buildchain/buildchain/salt_tree.py
@@ -350,6 +350,9 @@ def task(self) -> types.TaskDict:
 Path("salt/metalk8s/addons/olm/catalogd/deployed/init.sls"),
 Path("salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls"),
 Path("salt/metalk8s/addons/olm/catalogd/deployed/webhook.sls"),
+ Path("salt/metalk8s/addons/olm/common/deployed/cert.sls"),
+ Path("salt/metalk8s/addons/olm/common/deployed/init.sls"),
+ Path("salt/metalk8s/addons/olm/common/deployed/namespace.sls"),
 Path("salt/metalk8s/addons/olm/operator-controller/deployed/cert.sls"),
 Path("salt/metalk8s/addons/olm/operator-controller/deployed/crds.sls"),
 Path("salt/metalk8s/addons/olm/operator-controller/deployed/init.sls"),
diff --git a/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls b/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls
index 5205bbdf6c..8b6df873a4 100644
--- a/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls
+++ b/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls
@@ -1,25 +1,5 @@
 #!jinja | metalk8s_kubernetes
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: olmv1-ca
- namespace: metalk8s-certs
-spec:
- commonName: olmv1-ca
- isCA: true
- issuerRef:
- group: cert-manager.io
- kind: Issuer
- name: self-sign-issuer
- privateKey:
- algorithm: ECDSA
- size: 256
- secretName: olmv1-ca
- secretTemplate:
- annotations:
- cert-manager.io/allow-direct-injection: "true"
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -39,19 +19,3 @@ spec:
 algorithm: ECDSA
 size: 256
 secretName: catalogd-service-cert-v1.0.0
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: olmv1-ca
-spec:
- ca:
- secretName: olmv1-ca
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: self-sign-issuer
- namespace: metalk8s-certs
-spec:
- selfSigned: {}
diff --git a/salt/metalk8s/addons/olm/catalogd/deployed/init.sls b/salt/metalk8s/addons/olm/catalogd/deployed/init.sls
index ae4955e927..635b3b8363 100644
--- a/salt/metalk8s/addons/olm/catalogd/deployed/init.sls
+++ b/salt/metalk8s/addons/olm/catalogd/deployed/init.sls
@@ -1,4 +1,5 @@
 include:
+ - ...common.deployed
 - .crds
 - .rbac
 - .cert
@@ -15,6 +16,7 @@ Wait for the Catalogd Controller Manager deployment to be Ready:
 - retry:
 attempts: 30
 - require:
+ - test: Deploy common OLMv1 components
 - sls: metalk8s.addons.olm.catalogd.deployed.crds
 - sls: metalk8s.addons.olm.catalogd.deployed.rbac
 - sls: metalk8s.addons.olm.catalogd.deployed.cert
diff --git a/salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls b/salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls
index 139cd02b15..bb1bfd88c6 100644
--- a/salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls
+++ b/salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls
@@ -1,16 +1,5 @@
 #!jinja | metalk8s_kubernetes
 
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- app.kubernetes.io/part-of: olm
- pod-security.kubernetes.io/enforce: baseline
- pod-security.kubernetes.io/enforce-version: latest
- name: olmv1-system
- annotations:
- scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/bootstrap"}, {"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/infra"}]'
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/salt/metalk8s/addons/olm/common/deployed/cert.sls b/salt/metalk8s/addons/olm/common/deployed/cert.sls
new file mode 100644
index 0000000000..9df69f8655
--- /dev/null
+++ b/salt/metalk8s/addons/olm/common/deployed/cert.sls
@@ -0,0 +1,38 @@
+#!jinja | metalk8s_kubernetes
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: olmv1-ca
+ namespace: metalk8s-certs
+spec:
+ commonName: olmv1-ca
+ isCA: true
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: self-sign-issuer
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ secretName: olmv1-ca
+ secretTemplate:
+ annotations:
+ cert-manager.io/allow-direct-injection: "true"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: olmv1-ca
+spec:
+ ca:
+ secretName: olmv1-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: self-sign-issuer
+ namespace: metalk8s-certs
+spec:
+ selfSigned: {}
diff --git a/salt/metalk8s/addons/olm/common/deployed/init.sls b/salt/metalk8s/addons/olm/common/deployed/init.sls
new file mode 100644
index 0000000000..badf177810
--- /dev/null
+++ b/salt/metalk8s/addons/olm/common/deployed/init.sls
@@ -0,0 +1,9 @@
+include:
+ - .namespace
+ - .cert
+
+Deploy common OLMv1 components:
+ test.succeed_without_changes:
+ - require:
+ - sls: metalk8s.addons.olm.common.deployed.namespace
+ - sls: metalk8s.addons.olm.common.deployed.cert
diff --git a/salt/metalk8s/addons/olm/common/deployed/namespace.sls b/salt/metalk8s/addons/olm/common/deployed/namespace.sls
new file mode 100644
index 0000000000..e4a33bfdd8
--- /dev/null
+++ b/salt/metalk8s/addons/olm/common/deployed/namespace.sls
@@ -0,0 +1,13 @@
+#!jinja | metalk8s_kubernetes
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/part-of: olm
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: latest
+ name: olmv1-system
+ annotations:
+ scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/bootstrap"}, {"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/infra"}]'
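Review bot: The merged olmv1-ca Certificate keeps `cert-manager.io/allow-direct-injection: "true"` under `secretTemplate`, which the copy removed from operator-controller/deployed/cert.sls never set, and nothing in the new file records why the shared CA needs it. That annotation opts the secret into cainjector's `cert-manager.io/inject-ca-from-secret` path, so the CA bundle (not the key) can be copied into any resource cluster-wide that references `metalk8s-certs/olmv1-ca` — presumably the catalogd webhook configuration, which is worth confirming. A Jinja comment above the annotation such as `{#- allow-direct-injection: cainjector copies this CA bundle into resources annotated inject-ca-from-secret=metalk8s-certs/olmv1-ca -#}` would make that dependency explicit for the next reader. The self-signed Issuer is also given the generic name `self-sign-issuer` in the shared metalk8s-certs namespace; if any other addon state manages an Issuer of that name there, the two definitions will overwrite each other, so a more specific name (or a comment stating it is meant to be shared) would avoid surprises.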
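Review bot: The shared Namespace manifest keeps `pod-security.kubernetes.io/enforce: baseline` from the catalogd copy, while the copy removed from operator-controller/deployed/rbac.sls enforced `restricted`, so this consolidation settles olmv1-system on the weaker of the two Pod Security profiles. Before the change both states wrote the same Namespace object and the effective level depended on apply order, so pinning a single value is an improvement, but choosing baseline means the operator-controller pods lose the restricted enforcement they were previously declared with. If those workloads cannot satisfy restricted, keep enforce at baseline but add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` next to it so violations remain visible in the audit log and kubectl warnings rather than disappearing silently. Either way, a short Jinja comment above the labels stating which profile was chosen and why would stop the next contributor from reintroducing the conflict.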
diff --git a/salt/metalk8s/addons/olm/operator-controller/deployed/cert.sls b/salt/metalk8s/addons/olm/operator-controller/deployed/cert.sls
index d5d1fed77d..6757541340 100644
--- a/salt/metalk8s/addons/olm/operator-controller/deployed/cert.sls
+++ b/salt/metalk8s/addons/olm/operator-controller/deployed/cert.sls
@@ -1,22 +1,5 @@
 #!jinja | metalk8s_kubernetes
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: olmv1-ca
- namespace: metalk8s-certs
-spec:
- commonName: olmv1-ca
- isCA: true
- issuerRef:
- group: cert-manager.io
- kind: Issuer
- name: self-sign-issuer
- privateKey:
- algorithm: ECDSA
- size: 256
- secretName: olmv1-ca
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -35,19 +18,3 @@ spec:
 algorithm: ECDSA
 size: 256
 secretName: olmv1-cert
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: olmv1-ca
-spec:
- ca:
- secretName: olmv1-ca
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: self-sign-issuer
- namespace: metalk8s-certs
-spec:
- selfSigned: {}
diff --git a/salt/metalk8s/addons/olm/operator-controller/deployed/init.sls b/salt/metalk8s/addons/olm/operator-controller/deployed/init.sls
index 3a0c2dcf6c..140a7143ce 100644
--- a/salt/metalk8s/addons/olm/operator-controller/deployed/init.sls
+++ b/salt/metalk8s/addons/olm/operator-controller/deployed/init.sls
@@ -1,4 +1,5 @@
 include:
+ - ...common.deployed
 - ...catalogd.deployed
 - .crds
 - .rbac
@@ -15,6 +16,7 @@ Wait for the Operator Controller Controller Manager Deployment to be Ready:
 - retry:
 attempts: 30
 - require:
+ - test: Deploy common OLMv1 components
 - test: Wait for the Catalogd Controller Manager deployment to be Ready
 - sls: metalk8s.addons.olm.operator-controller.deployed.crds
 - sls: metalk8s.addons.olm.operator-controller.deployed.rbac
diff --git a/salt/metalk8s/addons/olm/operator-controller/deployed/rbac.sls b/salt/metalk8s/addons/olm/operator-controller/deployed/rbac.sls
index bfad5a06bc..07cf629a03 100644
--- a/salt/metalk8s/addons/olm/operator-controller/deployed/rbac.sls
+++ b/salt/metalk8s/addons/olm/operator-controller/deployed/rbac.sls
@@ -1,15 +1,5 @@
 #!jinja | metalk8s_kubernetes
 
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- pod-security.kubernetes.io/enforce: restricted
- pod-security.kubernetes.io/enforce-version: latest
- name: olmv1-system
- annotations:
- scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/bootstrap"}, {"operator": "Exists", "effect": "NoSchedule", "key": "node-role.kubernetes.io/infra"}]'
 ---
 apiVersion: v1
 kind: ServiceAccount