v1.6.0

(ansible/v1, helm/v1) Optional: configure ansible-operator and helm-operator with a component config.

To add this option to your project you will need to add a configMapGenerator for controller_manager_config.yaml to config/manager/kustomization.yaml, with the name-suffix hash disabled so the generated ConfigMap keeps the stable name (manager-config) that the manager Deployment mounts:

  generatorOptions:
    disableNameSuffixHash: true

  configMapGenerator:
  - files:
    - controller_manager_config.yaml
    name: manager-config
  apiVersion: kustomize.config.k8s.io/v1beta1
  kind: Kustomization
  images:
  - name: controller
    newName: quay.io/example/memcached-operator
    newTag: v0.0.1

See #4701 for more details.

(ansible/v1, helm/v1) Add Role rules for leader election.

In config/rbac/leader_election_role.yaml, add coordination.k8s.io to apiGroups and leases to resources of the existing rule, because the manager's leader election lock is now held in a Lease object in addition to a ConfigMap:

  rules:
  - apiGroups:
    - ""
    - coordination.k8s.io
    resources:
    - configmaps
    - leases

See #4701 for more details.

(ansible/v1) Update Ansible collections

In your requirements.yml, change the version field for community.kubernetes to 1.2.1, and the version field for operator_sdk.util to 0.2.0.

See #4734 for more details.

(helm/v1) Replace deprecated leader election and metrics address flags

Replace deprecated flags --enable-leader-election and --metrics-addr with --leader-elect and --metrics-bind-address, respectively.

See #4654 for more details.

(helm/v1) Explicitly set --health-probe-bind-address in the manager’s auth proxy patch.

Add the arg --health-probe-bind-address=:8081 to the manager container's args in config/default/manager_auth_proxy_patch.yaml:

  spec:
    template:
      spec:
        containers:
        - name: manager
          args:
          - "--health-probe-bind-address=:8081"
          ...

See #4654 for more details.

(ansible/v1) Explicitly set --health-probe-bind-address in the manager’s auth proxy patch.

Add the arg --health-probe-bind-address=:6789 to the manager container's args in config/default/manager_auth_proxy_patch.yaml:

  spec:
    template:
      spec:
        containers:
        - name: manager
          args:
          - "--health-probe-bind-address=:6789"
          ...

See #4654 for more details.

(helm/v1, ansible/v1) Add help target to Makefile.

Ansible/Helm projects now provide a Makefile help target, similar to a --help flag. You can copy and paste this target from the relevant sample’s Makefile (helm, ansible).

See #4660 for more details.

(ansible/v1, helm/v1) Add securityContexts to your manager's Deployment.

In config/manager/manager.yaml, add the following security contexts. runAsNonRoot: true makes the kubelet refuse to start a container whose image would run as UID 0, so confirm your manager image sets a non-root USER (the ansible-operator and helm-operator base images do); allowPrivilegeEscalation: false prevents setuid binaries or file capabilities from granting the process more privileges than it started with:

  spec:
    ...
    template:
      ...
      spec:
        securityContext:
          runAsNonRoot: true
        containers:
        - name: manager
          securityContext:
            allowPrivilegeEscalation: false

See #4655 for more details.

(manifests/v2) Add a kustomize patch to remove the cert-manager volume/volumeMount from your CSV

OLM does not yet support cert-manager; it creates and manages the webhook serving certs itself and mounts them into the manager Deployment. A commented-out JSON 6902 patch is therefore added that removes the cert-manager volume and volumeMount when the CSV is generated. In config/manifests/kustomization.yaml, add the following:

  #patchesJson6902:
  #- target:
  #    group: apps
  #    version: v1
  #    kind: Deployment
  #    name: controller-manager
  #    namespace: system
  #  patch: |-
  #    # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
  #    # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
  #    - op: remove
  #      path: /spec/template/spec/containers/1/volumeMounts/0
  #    # Remove the "cert" volume, since OLM will create and mount a set of certs.
  #    # Update the indices in this path if adding or removing volumes in the manager's Deployment.
  #    - op: remove
  #      path: /spec/template/spec/volumes/0

If you have configured your operator to use webhooks, add this YAML block uncommented. The indices (containers/1, volumes/0) match the default scaffold, in which kube-rbac-proxy is the first container and the cert volume is listed first; JSON patch removes by position, not by name, so check them against your own Deployment before enabling the patch.

See #4623 for more details.

(go/v2, go/v3, ansible/v1, helm/v1) Add scheme, token, and TLS config to the Prometheus ServiceMonitor metrics endpoint.

The ServiceMonitor pointed Prometheus at the manager Pod's https port, but without scheme: https and a tlsConfig the scrape was attempted as plain HTTP and failed. Since kube-rbac-proxy runs as a sidecar in front of /metrics and only admits authenticated, authorized clients, the fix is to scrape over https and present the service account token mounted into the Prometheus Pod at the default path as a bearer token; kube-rbac-proxy validates that token with the API server and allows the scrape only if the Prometheus service account is bound to a role permitting GET on /metrics. The changes should look like:

  # config/prometheus/monitor.yaml
  spec:
    endpoints:
    - path: /metrics
      port: https
  +   scheme: https
  +   bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
  +   tlsConfig:
  +     insecureSkipVerify: true
    selector:
      matchLabels:
        control-plane: controller-manager

Note: insecureSkipVerify: true means Prometheus does not validate the serving certificate kube-rbac-proxy presents (self-signed by default), so the token protects the endpoint from unauthenticated scrapes but the scraper does not verify whom it is talking to; if you can distribute the proxy's CA to Prometheus, prefer tlsConfig.ca with serverName over skipping verification. If you have removed kube-rbac-proxy from your project, make sure to secure the /metrics endpoint using a proper TLS configuration.

See #4680 for more details.

(go/v2, go/v3, ansible/v1, helm/v1) Add opm and catalog-build Makefile targets

The opm and catalog-build Makefile targets were added so operator developers who want to create their own catalogs for their operator or add their operator’s bundle(s) to an existing catalog can do so. If this sounds like you, add the following lines to the bottom of your Makefile:

  .PHONY: opm
  OPM = ./bin/opm
  opm:
  ifeq (,$(wildcard $(OPM)))
  ifeq (,$(shell which opm 2>/dev/null))
  	@{ \
  	set -e ;\
  	mkdir -p $(dir $(OPM)) ;\
  	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.19.1/$(OS)-$(ARCH)-opm ;\
  	chmod +x $(OPM) ;\
  	}
  else
  OPM = $(shell which opm)
  endif
  endif

  # Comma-separated list of bundle images to add to the catalog; defaults to the bundle this Makefile builds.
  BUNDLE_IMGS ?= $(BUNDLE_IMG)

  # Tag of the resulting catalog image.
  CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)

  # Set CATALOG_BASE_IMG to an existing catalog image to add $(BUNDLE_IMGS) to it instead of starting a new index.
  ifneq ($(origin CATALOG_BASE_IMG), undefined)
  FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)
  endif

  .PHONY: catalog-build
  catalog-build: opm
  	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)

  .PHONY: catalog-push
  catalog-push: ## Push the catalog image.
  	$(MAKE) docker-push IMG=$(CATALOG_IMG)

Note that the opm recipe downloads the binary over HTTPS and marks it executable without comparing it against a published checksum or signature; keep the version pinned as above and verify the download before your build trusts it.

If updating a Go operator project, additionally add the following Makefile variables:

  OS = $(shell go env GOOS)
  ARCH = $(shell go env GOARCH)
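The opm recipe fetches a binary with curl and marks it executable without checking what arrived. The following is an added example, not part of the operator-sdk Makefile: a POSIX shell helper that installs a downloaded file only when its SHA-256 matches a pinned digest, and refuses to write anything otherwise. The function names (sha256_of, install_verified), the stand-in download and its digest are all constructed here for the demo; in a real build the digest must be the one published with the operator-registry release you pin.

```shell
# Added example (editor's code, not the operator-sdk Makefile): install a
# downloaded binary only after its SHA-256 matches a pinned value. The
# "download" and digest used below are constructed locally for the demo.
set -eu

# Print the hex SHA-256 of file $1 with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# install_verified SRC DST EXPECTED_SHA256
# Copy SRC to DST as mode 0755 only when the digest matches. On a mismatch
# nothing is written to DST and the function returns 1, so a tampered or
# truncated download never ends up as ./bin/opm.
install_verified() {
  src="$1"; dst="$2"; expected="$3"
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $src: sha256 $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dst")"
  cp "$src" "$dst"
  chmod 0755 "$dst"
}

# Demo on a constructed file standing in for $(OS)-$(ARCH)-opm.
work=$(mktemp -d)
printf '#!/bin/sh\necho "stand-in for opm"\n' > "$work/download"
pinned=$(sha256_of "$work/download")   # in a Makefile this is a reviewed literal, not computed here
install_verified "$work/download" "$work/bin/opm" "$pinned"
# A wrong digest (64 zeros) must be rejected and leave no file behind.
if install_verified "$work/download" "$work/bin/opm-bad" "$(printf '%064d' 0)" 2>/dev/null; then
  echo "unexpectedly accepted a bad digest" >&2; exit 1
fi
if [ -x "$work/bin/opm" ] && [ ! -e "$work/bin/opm-bad" ]; then
  echo "verified install OK"
else
  echo "verified install FAILED" >&2; exit 1
fi
rm -rf "$work"
```

In the opm recipe you would curl to a temporary path and then call install_verified on it with a digest variable such as OPM_SHA256 (a variable you would add yourself; its value is the digest published for the pinned release).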

See #4406 for more details.

(go/v2, go/v3, ansible/v1, helm/v1) Changed BUNDLE_IMG and added IMAGE_TAG_BASE Makefile variables

The following Makefile changes were made to allow make bundle-build bundle-push catalog-build catalog-push and encode image repo/namespace information in the Makefile by default:

  +IMAGE_TAG_BASE ?= <registry>/<operator name>
  +
  -BUNDLE_IMG ?= controller-bundle:$(VERSION)
  +BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)

For example, if IMAGE_TAG_BASE ?= foo/bar-operator then running make bundle-build bundle-push catalog-build catalog-push would build foo/bar-operator-bundle:v0.0.1 and foo/bar-operator-catalog:v0.0.1 then push them to the docker.io/foo namespaced registry.

See #4406 for more details.

(ansible/v1, helm/v1) Add the controller-manager ServiceAccount to your project.

operator-sdk init now scaffolds a dedicated ServiceAccount named controller-manager. Previously the manager ran as the namespace's default ServiceAccount and its Role and ClusterRole bindings were granted to it; because every other Pod in that namespace without an explicit serviceAccountName also runs as default, in a shared namespace this handed the operator's permissions to unrelated workloads. To add this ServiceAccount to your project, do the following:

  # Create the ServiceAccount.
  cat <<EOF > config/rbac/service_account.yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: controller-manager
    namespace: system
  EOF
  # Add it to the list of RBAC resources.
  echo "- service_account.yaml" >> config/rbac/kustomization.yaml
  # Update all RoleBinding and ClusterRoleBinding subjects that reference the operator's ServiceAccount.
  # The glob is quoted so find, not the shell, expands it.
  find config/rbac -name '*_binding.yaml' -exec sed -i -E 's/ name: default/ name: controller-manager/g' {} \;
  # Add the ServiceAccount name to the manager Deployment's spec.template.spec.serviceAccountName.
  sed -i -E 's/([ ]+)(terminationGracePeriodSeconds:)/\1serviceAccountName: controller-manager\n\1\2/g' config/manager/manager.yaml

The changes should look like:

  # config/manager/manager.yaml
              requests:
                cpu: 100m
                memory: 20Mi
  +       serviceAccountName: controller-manager
          terminationGracePeriodSeconds: 10

  # config/rbac/auth_proxy_role_binding.yaml
    name: proxy-role
  subjects:
  - kind: ServiceAccount
  -  name: default
  +  name: controller-manager
    namespace: system

  # config/rbac/kustomization.yaml
  resources:
  +- service_account.yaml
  - role.yaml
  - role_binding.yaml
  - leader_election_role.yaml

  # config/rbac/leader_election_role_binding.yaml
    name: leader-election-role
  subjects:
  - kind: ServiceAccount
  -  name: default
  +  name: controller-manager
    namespace: system

  # config/rbac/role_binding.yaml
    name: manager-role
  subjects:
  - kind: ServiceAccount
  -  name: default
  +  name: controller-manager
    namespace: system

  # config/rbac/service_account.yaml
  +apiVersion: v1
  +kind: ServiceAccount
  +metadata:
  +  name: controller-manager
  +  namespace: system
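The whole procedure above, as an added example that is not part of the operator-sdk guide: a POSIX shell script that builds a small constructed scaffold, applies the four edits (ServiceAccount file, kustomize entry, binding subjects, Deployment serviceAccountName) so that they can be re-run safely, and verifies the result. It assumes the config/rbac and config/manager layout used on this page; the function names make_sample_project, migrate_service_account and verify_service_account are chosen here. It deviates from the one-liners above in two places a practitioner would want: the *_binding.yaml glob is quoted so the shell cannot expand it, and the serviceAccountName line is inserted with awk because "\n" in a sed replacement is GNU-only.

```shell
# Added example (editor's code, not the guide's): apply the controller-manager
# ServiceAccount change to a project tree and verify it. Assumes the layout on
# this page (config/rbac/*.yaml, config/manager/manager.yaml). The scaffold
# built by make_sample_project is constructed for the demo.
set -eu

# Minimal pre-1.6 scaffold under $1: bindings still name the "default"
# ServiceAccount and the Deployment sets no serviceAccountName.
make_sample_project() {
  proj="$1"
  mkdir -p "$proj/config/rbac" "$proj/config/manager"
  printf 'resources:\n- role.yaml\n- role_binding.yaml\n- leader_election_role.yaml\n- leader_election_role_binding.yaml\n' \
    > "$proj/config/rbac/kustomization.yaml"
  for b in role_binding leader_election_role_binding; do
    cat > "$proj/config/rbac/$b.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sample-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: system
EOF
  done
  cat > "$proj/config/manager/manager.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: manager
        image: controller:latest
      terminationGracePeriodSeconds: 10
EOF
}

# The four edits from the guide, each idempotent: a second run adds no
# duplicate kustomize entry or serviceAccountName line.
migrate_service_account() {
  proj="$1"; rbac="$proj/config/rbac"; mgr="$proj/config/manager/manager.yaml"
  cat > "$rbac/service_account.yaml" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-manager
  namespace: system
EOF
  grep -q -x -e '- service_account.yaml' "$rbac/kustomization.yaml" ||
    echo "- service_account.yaml" >> "$rbac/kustomization.yaml"
  # Quoted glob (the shell cannot expand it) and a whole-line match, so only
  # ServiceAccount subject lines are rewritten.
  for f in "$rbac"/*_binding.yaml; do
    sed 's/^\([ -]*\)name: default[ ]*$/\1name: controller-manager/' "$f" > "$f.tmp" &&
      mv "$f.tmp" "$f"
  done
  # Insert serviceAccountName at the indentation of terminationGracePeriodSeconds;
  # awk is used because "\n" in a sed replacement is GNU-only.
  if ! grep -q 'serviceAccountName: controller-manager' "$mgr"; then
    awk '/^[ ]*terminationGracePeriodSeconds:/ {
           match($0, /^[ ]*/)
           printf "%sserviceAccountName: controller-manager\n", substr($0, 1, RLENGTH)
         }
         { print }' "$mgr" > "$mgr.tmp" && mv "$mgr.tmp" "$mgr"
  fi
}

# Exit 0 only when every change the guide describes is present.
verify_service_account() {
  proj="$1"; rbac="$proj/config/rbac"
  grep -q '^kind: ServiceAccount$' "$rbac/service_account.yaml" &&
    grep -q -x -e '- service_account.yaml' "$rbac/kustomization.yaml" &&
    ! grep -q 'name: default' "$rbac"/*_binding.yaml &&
    grep -q '^[ ]*serviceAccountName: controller-manager$' "$proj/config/manager/manager.yaml"
}

demo=$(mktemp -d)
make_sample_project "$demo"
migrate_service_account "$demo"
migrate_service_account "$demo"   # second run must change nothing
if verify_service_account "$demo"; then
  echo "ServiceAccount migration verified under $demo"
else
  echo "ServiceAccount migration incomplete under $demo" >&2; exit 1
fi
rm -rf "$demo"
```

Run it against a real project by calling migrate_service_account and verify_service_account on the project root instead of the constructed scaffold; verify_service_account returning non-zero tells you which of the four edits a hand-rolled migration missed.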

See #4653 for more details.

Last modified December 21, 2021: Upgrade OPM version used (#5099) (dad3e83d)