From d2f31aab03ef3aeaf63a516363d200bb801db9cb Mon Sep 17 00:00:00 2001
From: Zhiwei Yin
Date: Fri, 17 Jan 2025 08:59:46 +0800
Subject: [PATCH] rename bootstrap sa name (#466)
Signed-off-by: Zhiwei Yin
---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/cmd/accept/exec.go | 16 ++++++++--------
 pkg/config/env.go | 8 ++++----
 vendor/modules.txt | 2 +-
 .../templates/bootstrap_cluster_role.yaml | 2 +-
 .../bootstrap_cluster_role_binding.yaml | 4 ++--
 .../cluster-manager/templates/bootstrap_sa.yaml | 2 +-
 .../bootstrap_sa_cluster_role_binding.yaml | 6 +++---
 .../templates/cluster_manager.yaml | 2 +-
 .../cluster-manager/templates/cluster_role.yaml | 2 +-
 .../ocm/pkg/operator/helpers/chart/config.go | 4 ++--
 12 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/go.mod b/go.mod
index 6064822f6..4bd6133e9 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43
 open-cluster-management.io/cluster-proxy v0.4.0
 open-cluster-management.io/managed-serviceaccount v0.6.0
- open-cluster-management.io/ocm v0.15.1-0.20250110031959-11896ccda197
+ open-cluster-management.io/ocm v0.15.1-0.20250116085531-34275ef1eac8
 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f
 sigs.k8s.io/apiserver-network-proxy v0.29.0
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3
diff --git a/go.sum b/go.sum
index 42542faf9..a9d0f0fbd 100644
--- a/go.sum
+++ b/go.sum
@@ -563,8 +563,8 @@ open-cluster-management.io/cluster-proxy v0.4.0 h1:rm0UDaDWe3/P3xLzwqdHtqNksKwSz
 open-cluster-management.io/cluster-proxy v0.4.0/go.mod h1:gTvfDHAhGezhdg4BD3ECBn6jbg2Y5PbHhV2ceW5nrB0=
 open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=
 open-cluster-management.io/managed-serviceaccount v0.6.0/go.mod h1:G4LUTbZiyrB8c0+rqi/xnDmGlsg7Rdr4T7MPLCWhyQI=
-open-cluster-management.io/ocm v0.15.1-0.20250110031959-11896ccda197 h1:ECwQuYbtUxDbKUKHfnmQYwLG2cV3i7OwsU4dJP/XrDg=
-open-cluster-management.io/ocm v0.15.1-0.20250110031959-11896ccda197/go.mod h1:daPkqFxkVqKb4O8UTX+7jCyEcJWarGOG7uDie9rFfck=
+open-cluster-management.io/ocm v0.15.1-0.20250116085531-34275ef1eac8 h1:IDjk8EeKajwqezVM1eDNYPHyaJx4V0N/sZoSAVhIUJk=
+open-cluster-management.io/ocm v0.15.1-0.20250116085531-34275ef1eac8/go.mod h1:daPkqFxkVqKb4O8UTX+7jCyEcJWarGOG7uDie9rFfck=
 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f h1:zeC7QrFNarfK2zY6jGtd+mX+yDrQQmnH/J8A7n5Nh38=
 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f/go.mod h1:fi5WBsbC5K3txKb8eRLuP0Sim/Oqz/PHX18skAEyjiA=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
diff --git a/pkg/cmd/accept/exec.go b/pkg/cmd/accept/exec.go
index 1b1133600..026f72d0b 100644
--- a/pkg/cmd/accept/exec.go
+++ b/pkg/cmd/accept/exec.go
@@ -27,7 +27,7 @@ import (
 const (
 groupNameBootstrap = "system:bootstrappers:managedcluster"
 userNameSignatureBootstrapPrefix = "system:bootstrap:"
- userNameSignatureSA = "system:serviceaccount:open-cluster-management:cluster-bootstrap"
+ userNameSignatureSA = "system:serviceaccount:open-cluster-management:agent-registration-bootstrap"
 groupNameSA = "system:serviceaccounts:open-cluster-management"
 clusterLabel = "open-cluster-management.io/cluster-name"
 )
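Review bot: The new `userNameSignatureSA` value (and the unchanged `groupNameSA` next to it) still hard-codes the `open-cluster-management` namespace, while the vendored chart updated by this same commit renders that subject as `system:serviceaccount:{{ .Release.Namespace }}:agent-registration-bootstrap`, so a hub whose cluster-manager is installed in any other namespace would have its bootstrap service account's CSRs silently skipped by the filter in the next hunk. If `pkg/config` is importable from this file, deriving the string from the constants this commit also renames keeps the two in step: `userNameSignatureSA = "system:serviceaccount:" + config.OpenClusterManagementNamespace + ":" + config.BootstrapSAName`. Separately, the next hunk consumes this value through `strings.HasPrefix`, which also admits any other service account in that namespace whose name merely starts with `agent-registration-bootstrap`; a service-account username is a complete identity, so `item.Spec.Username != userNameSignatureSA` is the tighter test. The `const` block is complete in this hunk, but the filter that uses it is not.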
@@ -124,12 +124,12 @@ func (o *Options) approveCSR(kubeClient *kubernetes.Clientset, clusterName strin passedCSRs = csrs.Items } else { for _, item := range csrs.Items { - //Does not have the correct name prefix + // Does not have the correct name prefix if !strings.HasPrefix(item.Spec.Username, userNameSignatureBootstrapPrefix) && !strings.HasPrefix(item.Spec.Username, userNameSignatureSA) { continue } - //Check groups + // Check groups groups := sets.NewString(item.Spec.Groups...) if !groups.Has(groupNameBootstrap) && !groups.Has(groupNameSA) { @@ -173,14 +173,14 @@ func (o *Options) approveCSR(kubeClient *kubernetes.Clientset, clusterName strin fmt.Fprintf(o.Streams.Out, "CSR %s with requester %s is not in the approve list\n", passedCSR.Name, cn) continue } - //Check if already approved or denied + // Check if already approved or denied approved, denied := GetCertApprovalCondition(&passedCSR.Status) - //if already denied, then nothing to do + // if already denied, then nothing to do if denied { fmt.Fprintf(o.Streams.Out, "CSR %s already denied\n", passedCSR.Name) continue } - //if already approved, then nothing to do + // if already approved, then nothing to do if approved { fmt.Fprintf(o.Streams.Out, "CSR %s already approved\n", passedCSR.Name) hasApproved = true @@ -189,7 +189,7 @@ func (o *Options) approveCSR(kubeClient *kubernetes.Clientset, clusterName strin csrToApprove = append(csrToApprove, passedCSR) } - //no csr found + // no csr found if len(csrToApprove) == 0 { if waitMode { fmt.Fprintf(o.Streams.Out, "no CSR to approve for cluster %s\n", clusterName) @@ -197,7 +197,7 @@ func (o *Options) approveCSR(kubeClient *kubernetes.Clientset, clusterName strin return hasApproved, nil } - //if dry-run don't approve + // if dry-run don't approve if o.ClusteradmFlags.DryRun { return hasApproved, nil } diff --git a/pkg/config/env.go b/pkg/config/env.go index ecd6d36bf..380fe88f9 100644 --- a/pkg/config/env.go +++ b/pkg/config/env.go 
@@ -4,10 +4,10 @@ package config const ( OpenClusterManagementNamespace = "open-cluster-management" - BootstrapSAName = "cluster-bootstrap" - BootstrapClusterRoleBindingName = "cluster-bootstrap" - BootstrapClusterRoleBindingSAName = "cluster-bootstrap-sa" - BootstrapClusterRoleName = "system:open-cluster-management:bootstrap" + BootstrapSAName = "agent-registration-bootstrap" + BootstrapClusterRoleBindingName = "open-cluster-management:bootstrap:agent-registration" + BootstrapClusterRoleBindingSAName = "agent-registration-bootstrap" + BootstrapClusterRoleName = "open-cluster-management:bootstrap" ClusterManagerName = "cluster-manager" LabelApp = "app" BootstrapSecretPrefix = "bootstrap-token-" diff --git a/vendor/modules.txt b/vendor/modules.txt index 3149fc75a..642687d12 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1282,7 +1282,7 @@ open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versio open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/scheme open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/typed/authentication/v1alpha1 open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/typed/authentication/v1beta1 -# open-cluster-management.io/ocm v0.15.1-0.20250110031959-11896ccda197 +# open-cluster-management.io/ocm v0.15.1-0.20250116085531-34275ef1eac8 ## explicit; go 1.22.5 open-cluster-management.io/ocm/deploy/cluster-manager/chart open-cluster-management.io/ocm/deploy/klusterlet/chart diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role.yaml index eec51cb13..0aacd086f 100644 --- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role.yaml 
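Review bot: The two ClusterRoleBinding constants no longer line up with the vendored chart that this commit updates: `BootstrapClusterRoleBindingName` takes `open-cluster-management:bootstrap:agent-registration`, which is the name the chart now gives the service-account binding, while the group binding is renamed to `open-cluster-management:bootstrap:managedcluster` in the same patch, and `BootstrapClusterRoleBindingSAName` now repeats the service-account name `agent-registration-bootstrap` rather than naming a binding at all (before this change the pair matched the chart's `cluster-bootstrap` / `cluster-bootstrap-sa` one-to-one). The consumers are not visible from this hunk, but if these names drive lookup or cleanup of the bindings, the group binding to the `open-cluster-management:bootstrap` ClusterRole would be missed and left behind after a clean. Suggested values: `BootstrapClusterRoleBindingName = "open-cluster-management:bootstrap:managedcluster"` and `BootstrapClusterRoleBindingSAName = "open-cluster-management:bootstrap:agent-registration"`. The `const` block continues past the end of the hunk.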
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: system:open-cluster-management:bootstrap
+ name: open-cluster-management:bootstrap
 rules:
 - apiGroups:
 - ""
diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role_binding.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role_binding.yaml
index 60a261a31..b31545052 100644
--- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role_binding.yaml
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role_binding.yaml
@@ -2,11 +2,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cluster-bootstrap
+ name: open-cluster-management:bootstrap:managedcluster
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: system:open-cluster-management:bootstrap
+ name: open-cluster-management:bootstrap
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa.yaml
index f97cda884..2edf9cf48 100644
--- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa.yaml
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa.yaml
@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: cluster-bootstrap
+ name: agent-registration-bootstrap
 namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa_cluster_role_binding.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa_cluster_role_binding.yaml
index e299bb38d..e6f2340cb 100644
--- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa_cluster_role_binding.yaml
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_sa_cluster_role_binding.yaml
@@ -2,13 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cluster-bootstrap-sa
+ name: open-cluster-management:bootstrap:agent-registration
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: system:open-cluster-management:bootstrap
+ name: open-cluster-management:bootstrap
 subjects:
 - kind: ServiceAccount
- name: cluster-bootstrap
+ name: agent-registration-bootstrap
 namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_manager.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_manager.yaml
index 7f330c977..14172e71a 100644
--- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_manager.yaml
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_manager.yaml
@@ -22,7 +22,7 @@ spec:
 - system:bootstrap:bootstrap-token-ocmhub
 {{- end }}
 {{- if .Values.createBootstrapSA }}
- - system:serviceaccount:open-cluster-management:cluster-bootstrap
+ - system:serviceaccount:{{ .Release.Namespace }}:agent-registration-bootstrap
 {{- end }}
 {{- end }}
 {{- with .Values.clusterManager.registrationConfiguration.featureGates }}
diff --git a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
index 4f6dab7bf..3ba2c25dd 100644
--- a/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
+++ b/vendor/open-cluster-management.io/ocm/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
@@ -10,7 +10,7 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 resourceNames:
- "cluster-bootstrap"
+ "agent-registration-bootstrap"
 verbs: ["get", "create"]
 - apiGroups: [""]
 resources: ["pods"]
diff --git a/vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/config.go b/vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/config.go
index fd7721ad7..db536125e 100644
--- a/vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/config.go
+++ b/vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/config.go
@@ -20,7 +20,7 @@ type ClusterManagerChartConfig struct {
 // Resources is the resource requirements of the operator deployment
 Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 // NodeSelector is the nodeSelector of the operator deployment
- NodeSelector corev1.NodeSelector `json:"nodeSelector,omitempty"`
+ NodeSelector *corev1.NodeSelector `json:"nodeSelector,omitempty"`
 // Tolerations is the tolerations of the operator deployment
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 // Affinity is the affinity of the operator deployment
@@ -47,7 +47,7 @@ type KlusterletChartConfig struct {
 // Resources is the resource requirements of the operator deployment
 Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 // NodeSelector is the nodeSelector of the operator deployment
- NodeSelector corev1.NodeSelector `json:"nodeSelector,omitempty"`
+ NodeSelector *corev1.NodeSelector `json:"nodeSelector,omitempty"`
 // Tolerations is the tolerations of the operator deployment
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 // Affinity is the affinity of the operator deployment