Merge pull request #56 from arangodb/cluster-level-crd

Changed scope of ArangoLocalStorage to Cluster.

Author: ewoutp

Makefile

@@ -40,9 +40,14 @@ else
 	IMAGESUFFIX := :dev
 endif
 
+ifeq ($(MANIFESTSUFFIX),-)
+	# Release setting
+	MANIFESTSUFFIX :=
+else
 ifndef MANIFESTSUFFIX
 	MANIFESTSUFFIX := -dev
 endif
+endif
 MANIFESTPATHDEPLOYMENT := manifests/arango-deployment$(MANIFESTSUFFIX).yaml
 MANIFESTPATHSTORAGE := manifests/arango-storage$(MANIFESTSUFFIX).yaml
 ifndef DEPLOYMENTNAMESPACE

manifests/arango-deployment.yaml

@@ -0,0 +1,103 @@
+## deployment/rbac.yaml
+## Cluster role granting access to ArangoDeployment resources.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: arango-deployments
+rules:
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
+
+---
+
+## Cluster role granting access to all resources needed by the ArangoDeployment operator.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: arango-deployment-operator
+rules:
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list"]
+
+---
+
+## Bind the cluster role granting access to ArangoLocalStorage resources
+## to the default service account of the configured namespace.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: arango-deployments
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: arango-deployments
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+
+---
+
+## Bind the cluster role granting access to all resources needed by 
+## the ArangoDeployment operator to the default service account
+## the is being used to run the operator deployment.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: arango-deployment-operator-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: arango-deployment-operator
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+
+---
+
+## deployment/deployment.yaml
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: arango-deployment-operator
+  namespace: default
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: arango-deployment-operator
+    spec:
+      containers:
+      - name: operator
+        imagePullPolicy: IfNotPresent
+        image: arangodb/kube-arangodb@sha256:748421ba01fd52d9589cc1830c79b62c3a7af3f4366b9cba0247e09d0a7d6e19
+        args:
+          - --operator.deployment
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+

manifests/arango-storage.yaml

@@ -0,0 +1,115 @@
+## storage/rbac.yaml
+## Cluster role granting access to ArangoLocalStorage resources.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: arango-storages
+rules:
+- apiGroups: ["storage.arangodb.com"]
+  resources: ["arangolocalstorages"]
+  verbs: ["*"]
+
+---
+
+## Cluster role granting access to all resources needed by the ArangoLocalStorage operator.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: arango-storage-operator
+rules:
+- apiGroups: ["storage.arangodb.com"]
+  resources: ["arangolocalstorages"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["persistentvolumes", "persistentvolumeclaims", "endpoints", "events", "services"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["*"]
+
+---
+
+## Bind the cluster role granting access to ArangoLocalStorage resources
+## to the default service account of the configured namespace.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: arango-storages
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: arango-storages
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: default
+
+---
+
+## Bind the cluster role granting access to all resources needed by 
+## the ArangoLocalStorage operator to the default service account
+## the is being used to run the operator deployment.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: arango-storage-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: arango-storage-operator
+subjects:
+- kind: ServiceAccount
+  name: arango-storage-operator
+  namespace: kube-system
+
+---
+
+## storage/deployment.yaml
+## Service accounts
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: arango-storage-operator
+
+---
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: arango-storage-operator
+  namespace: kube-system
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        name: arango-storage-operator
+    spec:
+      serviceAccountName: arango-storage-operator
+      containers:
+      - name: operator
+        imagePullPolicy: IfNotPresent
+        image: arangodb/kube-arangodb@sha256:748421ba01fd52d9589cc1830c79b62c3a7af3f4366b9cba0247e09d0a7d6e19
+        args:
+        - --operator.storage
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+

manifests/crd.yaml

@@ -30,5 +30,5 @@ spec:
     shortNames:
     - arangostorage
     singular: arangolocalstorage
-  scope: Namespaced
+  scope: Cluster
   version: v1alpha

manifests/templates/deployment/deployment.yaml

@@ -2,14 +2,14 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
-  name: {{ .Deployment.OperatorName }}
-  namespace: {{ .Deployment.Namespace }}
+  name: {{ .Deployment.OperatorDeploymentName }}
+  namespace: {{ .Deployment.Operator.Namespace }}
 spec:
   replicas: 1
   template:
     metadata:
       labels:
-        name: {{ .Deployment.OperatorName }}
+        name: {{ .Deployment.OperatorDeploymentName }}
     spec:
       containers:
       - name: operator

manifests/templates/deployment/rbac.yaml

@@ -1,59 +1,72 @@
 {{- if .RBAC -}}
+## Cluster role granting access to ArangoDeployment resources.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ .Deployment.ClusterRoleName }}
+  name: {{ .Deployment.User.RoleName }}
 rules:
-- apiGroups:
-  - database.arangodb.com
-  resources:
-  - arangodeployments
-  verbs:
-  - "*"
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
-  - secrets
-  verbs:
-  - "*"
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - "*"
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
 
 ---
 
+## Cluster role granting access to all resources needed by the ArangoDeployment operator.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ .Deployment.Operator.RoleName }}
+rules:
+- apiGroups: ["database.arangodb.com"]
+  resources: ["arangodeployments"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["*"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list"]
+
+---
+
+## Bind the cluster role granting access to ArangoLocalStorage resources
+## to the default service account of the configured namespace.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ .Deployment.User.RoleBindingName }}
+  namespace: {{ .Deployment.User.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Deployment.User.RoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Deployment.User.ServiceAccountName }}
+  namespace: {{ .Deployment.User.Namespace }}
+
+---
+
+## Bind the cluster role granting access to all resources needed by 
+## the ArangoDeployment operator to the default service account
+## the is being used to run the operator deployment.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Deployment.ClusterRoleBindingName }}
+  name: {{ .Deployment.Operator.RoleBindingName }}-{{ .Deployment.Operator.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Deployment.ClusterRoleName }}
+  name: {{ .Deployment.Operator.RoleName }}
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: {{ .Deployment.Namespace }}
+  name: {{ .Deployment.Operator.ServiceAccountName }}
+  namespace: {{ .Deployment.Operator.Namespace }}
 
 {{- end -}}