Merge branch 'open-cluster-management-io:main' into main

.github/workflows/go-presubmit.yml

@@ -128,8 +128,14 @@ jobs:
           kind load docker-image quay.io/open-cluster-management/managed-serviceaccount:latest --name chart-testing
       - name: Install latest managed-serviceaccount
         run: |
-          kubectl create namespace loopback --dry-run=client -o yaml | kubectl apply -f -
-          kubectl apply -R -f deploy
+          helm install \
+            -n open-cluster-management-addon --create-namespace \
+            managed-serviceaccount charts/managed-serviceaccount/ \
+            --set tag=latest \
+            --set featureGates.ephemeralIdentity=true \
+            --set enableAddOnDeploymentConfig=true \
+            --set hubDeployMode=AddOnTemplate \
+            --set targetCluster=loopback
       - name: Run e2e test
         run: |
           make test-e2e GENKGO_ARGS='--ginkgo.label-filter='\''!ephemeral&&!install'\'''

charts/managed-serviceaccount/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: managed-serviceaccount
 description: A Helm chart for Managed ServiceAccount Addon
 type: application
-version: 0.3.0
+version: 0.4.0
 appVersion: 1.0.0

charts/managed-serviceaccount/templates/addon-manager-clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+# grant permission to addon-manager-controller-sa to create rolebindings
+# in the managed cluster for the managed-serviceaccount addon agent
+{{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: open-cluster-management-addon-manager-managed-serviceaccount
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: managed-serviceaccount-addon-agent
+subjects:
+  - kind: ServiceAccount
+    name: addon-manager-controller-sa
+    namespace: open-cluster-management-hub
+{{- end }}

charts/managed-serviceaccount/templates/addondeploymentconfig.yaml

@@ -0,0 +1,10 @@
+# TODO: uncomment when the agentInstallNamespace field is added to the ocm repo
+# {{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+# apiVersion: addon.open-cluster-management.io/v1alpha1
+# kind: AddOnDeploymentConfig
+# metadata:
+#   name: managed-serviceaccount-addon-deploy-config
+#   namespace: {{ .Release.Namespace }}
+# spec:
+#   agentInstallNamespace: open-cluster-management-agent-addon
+# {{- end }}

charts/managed-serviceaccount/templates/addontemplate.yaml

@@ -0,0 +1,137 @@
+{{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: AddOnTemplate
+metadata:
+  name: {{ .Values.addOnTemplateName | default (print "managed-serviceaccount-" .Chart.Version) }}
+spec:
+  addonName: managed-serviceaccount
+  agentSpec:
+    workload:
+      manifests:
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+        rules:
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+        subjects:
+        - kind: ServiceAccount
+          name: managed-serviceaccount
+          namespace: open-cluster-management-agent-addon
+      - apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: managed-serviceaccount-addon-agent
+          namespace: open-cluster-management-agent-addon
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              addon-agent: managed-serviceaccount
+          template:
+            metadata:
+              labels:
+                addon-agent: managed-serviceaccount
+            spec:
+              containers:
+              - args:
+                - --leader-elect=true
+                - --cluster-name={{ `{{CLUSTER_NAME}}` }}          # escape double curly brackets, option 1
+                - --kubeconfig={{ "{{" }}HUB_KUBECONFIG{{ "}}" }}  # escape double curly brackets, option 2
+                - --feature-gates=EphemeralIdentity=true
+                command:
+                - /agent
+                image: {{ .Values.image }}:{{ .Values.tag | default (print "v" .Chart.Version) }}
+                imagePullPolicy: IfNotPresent
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 8000
+                  initialDelaySeconds: 2
+                  periodSeconds: 10
+                name: addon-agent
+              serviceAccount: managed-serviceaccount
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        metadata:
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+          namespace: open-cluster-management-agent-addon
+        rules:
+        - apiGroups:
+          - ''
+          resources:
+          - events
+          verbs:
+          - create
+        - apiGroups:
+          - ''
+          resources:
+          - serviceaccounts
+          - serviceaccounts/token
+          verbs:
+          - get
+          - watch
+          - list
+          - create
+          - delete
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - get
+          - create
+          - update
+          - patch
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenrequests
+          verbs:
+          - get
+          - create
+          - update
+          - patch
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        metadata:
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+          namespace: open-cluster-management-agent-addon
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: Role
+          name: open-cluster-management:managed-serviceaccount:addon-agent
+        subjects:
+        - kind: ServiceAccount
+          name: managed-serviceaccount
+          namespace: open-cluster-management-agent-addon
+      - apiVersion: v1
+        imagePullSecrets:
+        - name: open-cluster-management-image-pull-credentials
+        kind: ServiceAccount
+        metadata:
+          name: managed-serviceaccount
+          namespace: open-cluster-management-agent-addon
+  registration:
+  - kubeClient:
+      hubPermissions:
+      - roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: managed-serviceaccount-addon-agent
+        type: CurrentCluster
+    type: KubeClient
+{{- end }}

charts/managed-serviceaccount/templates/agent-registration-clusterrole.yaml

@@ -0,0 +1,36 @@
+{{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: managed-serviceaccount-addon-agent
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+- apiGroups:
+  - authentication.open-cluster-management.io
+  resources:
+  - managedserviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - authentication.open-cluster-management.io
+  resources:
+  - managedserviceaccounts/status
+  verbs:
+  - get
+  - update
+  - patch
+{{- end }}

charts/managed-serviceaccount/templates/clustermanagementaddon.yaml

@@ -2,6 +2,10 @@ apiVersion: addon.open-cluster-management.io/v1alpha1
 kind: ClusterManagementAddOn
 metadata:
   name: managed-serviceaccount
+{{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+  annotations:
+    addon.open-cluster-management.io/lifecycle: "addon-manager"
+{{- end }}
 spec:
   addOnMeta:
     displayName: managed-serviceaccount
@@ -11,3 +15,13 @@ spec:
   - group: addon.open-cluster-management.io
     resource: addondeploymentconfigs
 {{- end }}
+{{- if eq .Values.hubDeployMode "AddOnTemplate" }}
+# TODO: uncomment when the agentInstallNamespace field is added to the ocm repo
+    # defaultConfig:
+    #   namespace: {{ .Release.Namespace }}
+    #   name: managed-serviceaccount-addon-deploy-config
+  - group: addon.open-cluster-management.io
+    resource: addontemplates
+    defaultConfig:
+      name: {{ .Values.addOnTemplateName | default (print "managed-serviceaccount-" .Chart.Version) }}
+{{- end }}

charts/managed-serviceaccount/templates/clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if ne .Values.hubDeployMode "AddOnTemplate" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -147,3 +148,4 @@ rules:
       - create
       - update
       - patch
+{{- end }}

charts/managed-serviceaccount/templates/clusterrolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if ne .Values.hubDeployMode "AddOnTemplate" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -10,3 +11,4 @@ subjects:
   - kind: ServiceAccount
     name: managed-serviceaccount
     namespace: {{ .Release.Namespace }}
+{{- end }}

charts/managed-serviceaccount/templates/managedclusteraddon.yaml

@@ -5,5 +5,9 @@ metadata:
   name: managed-serviceaccount
   namespace: {{ .Values.targetCluster }}
 spec:
+{{ if eq .Values.hubDeployMode "AddOnTemplate" }}
+  installNamespace: "open-cluster-management-agent-addon"
+{{ else }}
   installNamespace: "open-cluster-management-managed-serviceaccount"
-{{ end }}
+{{ end }}
+{{ end }}

charts/managed-serviceaccount/templates/manager-deployment.yaml

@@ -1,3 +1,4 @@
+{{- if ne .Values.hubDeployMode "AddOnTemplate" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -30,3 +31,4 @@ spec:
             {{- if .Values.agentImagePullSecret }}
             - --agent-image-pull-secret={{ .Values.agentImagePullSecret }}
             {{- end}}
+{{- end }}

charts/managed-serviceaccount/templates/serviceaccount.yaml

@@ -1,5 +1,7 @@
+{{- if ne .Values.hubDeployMode "AddOnTemplate" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: managed-serviceaccount
   namespace: {{ .Release.Namespace }}
+{{- end }}

charts/managed-serviceaccount/values.yaml

@@ -12,3 +12,9 @@ featureGates:
   ephemeralIdentity: false
 
 agentImagePullSecret: ""
+
+# Hub deploy mode: AddOnTemplate or Deployment
+hubDeployMode: Deployment
+
+# Name of the managed service-account addon template, only used when hubDeployMode is AddOnTemplate
+# addOnTemplateName: managed-serviceaccount

e2e/install/install.go

@@ -43,7 +43,7 @@ var _ = Describe("Addon Installation Test", Label("install"),
 		})
 
 		It("Addon should can be configured with AddOnDeployMentConfig", func() {
-			deployConfigName := "deploy-config"
+			deployConfigName := "tolerations-deploy-config"
 			nodeSelector := map[string]string{"kubernetes.io/os": "linux"}
 			tolerations := []corev1.Toleration{{Key: "node-role.kubernetes.io/infra", Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoSchedule}}