diff --git a/Containerfile b/Containerfile
index 9c90667..8bb9d7b 100644
--- a/Containerfile
+++ b/Containerfile
@@ -33,4 +33,3 @@ RUN cargo build -p operator $(if [ "$build_type" = release ]; then echo --releas
 FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/operator" /usr/bin
-USER nobody
diff --git a/Makefile b/Makefile
index 096ff7c..bc24433 100644
--- a/Makefile
+++ b/Makefile
@@ -104,7 +104,6 @@ release-tarball: manifests
 # OLM Bundle related variables
 BUNDLE_DIR := bundle
 BUNDLE_IMAGE := $(REGISTRY)/trusted-cluster-operator-bundle:$(TAG)
-BUNDLE_PACKAGE ?= trusted-cluster-operator
 PREVIOUS_CSV ?= "" # optional previous CSV for OLM upgrades
 
 .PHONY: bundle bundle-image push-bundle
@@ -114,7 +113,7 @@ bundle: manifests
 	@OPERATOR_IMAGE=$(OPERATOR_IMAGE) \
 	COMPUTE_PCRS_IMAGE=$(COMPUTE_PCRS_IMAGE) \
 	REG_SERVER_IMAGE=$(REG_SERVER_IMAGE) \
-	scripts/generate-bundle-prod.sh -v $(TAG) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
+	scripts/generate-bundle-prod.sh -v $(TAG) -n $(NAMESPACE) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
 
 bundle-image: bundle
 	@echo "Building OLM bundle image..."
diff --git a/README.md b/README.md
index 912fe39..aa0b6f7 100644
--- a/README.md
+++ b/README.md
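Review bot: Dropping `USER nobody` is the only change to this Containerfile, and without it the final stage inherits the base image's default user, so the operator process runs as root inside the container unless the Deployment's `securityContext` (not part of this diff) overrides it; the same line is removed from compute-pcrs/Containerfile and register-server/Containerfile further down. If the directive was removed to work around a file-permission problem, fixing ownership of the affected path in the final stage (e.g. `RUN chown -R 65534:65534 <path>` with the real path substituted) or keeping the directive as `USER 65534:65534` preserves the non-root baseline. Where the pod spec already pins `runAsNonRoot: true`, that is worth stating in the commit message, since the image on its own no longer enforces it.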
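Review bot: `$(NAMESPACE)` is passed unconditionally to `-n` on the new recipe line, but neither Makefile hunk defines it; if it is not set above line 104 (outside this diff), the expansion is empty and the script receives `-n -p <csv>` or a bare `-n`, which getopts rejects with the usage message. The existing `PREVIOUS_CSV` handling on the same line shows the pattern: either add `NAMESPACE ?= trusted-execution-clusters` next to `BUNDLE_DIR` so the Makefile default matches the script's, or pass `$(if $(NAMESPACE),-n $(NAMESPACE))` and let the script's own default apply. The `bundle` recipe starts above this hunk.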
@@ -77,23 +77,15 @@ This operator can be packaged and deployed as an OLM bundle. This workflow suppo
 
 **1. Prerequisites**
 
-* **Setup Cluster:** Ensure your `kubectl` context points to your target cluster. For local development, you can create a `kind` cluster by running:
-    ```bash
-    # Set RUNTIME=docker if using Docker instead of Podman.
-    make cluster-up
-    ```
-
-* **Login to Registry:**
-    ```bash
-    # Login to your remote container registry (e.g., quay.io)
-    docker login quay.io
-    ```
-
-* **Install OLM:**
-    ```bash
-    # Install OLM on your target cluster
-    (cd /tmp && operator-sdk olm install)
-    ```
+For local development (kind):
+```bash
+# Set RUNTIME=docker if using Docker instead of Podman
+make cluster-up
+# Login to your remote container registry (e.g., quay.io)
+docker login quay.io
+# Install OLM on your target cluster
+(cd /tmp && operator-sdk olm install)
+```
 
 **2. Set Environment Variables**
 
@@ -114,11 +106,6 @@ The `push-all` target builds all operator images, generates the bundle, builds t
 make push-all
 ```
 
-You can optionally validate the generated bundle manifests at any time after the `bundle` has been generated:
-```bash
-(cd ./bundle && operator-sdk bundle validate .)
-```
-
 **4. Deploy the Bundle**
 
 Deploy the bundle to your cluster. We use `trusted-execution-clusters` as an example namespace.
@@ -135,20 +122,21 @@ Once the operator is running, you need to create a `TrustedExecutionCluster` cus
 
 First, you must update the example CR with the correct public address for the Trustee service, which must be accessible from your worker nodes or VMs.
 ```bash
-# Provide an address where your VMs can access the cluster.
-# When using a local kind cluster, this is often the kind bridge IP.
-$ ip route
-...
-192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
-...
-$ export TRUSTEE_ADDR=192.168.122.1
-
-# Use yq (or manually edit) to set the address in the CR.
-# Note: yq is installed via 'make build-tools'.
-$ yq -i '.spec.publicTrusteeAddr = "'$TRUSTEE_ADDR':8080"' config/deploy/trusted_execution_cluster_cr.yaml
-
-# Now, apply the configured CR
-$ kubectl apply -f config/deploy/trusted_execution_cluster_cr.yaml
+# Determine an address reachable by the VMs (for libvirt, usually the bridge IP)
+ip route | grep virbr0
+# Example output:
+# 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
+export TRUSTEE_ADDR=192.168.122.1
+
+# Update the CR with the trustee address (yq is installed via `make build-tools`)
+yq -i '.spec.publicTrusteeAddr = "'$TRUSTEE_ADDR':8080"' \
+    config/deploy/trusted_execution_cluster_cr.yaml
+
+# Apply the configured CRs
+kubectl apply -f config/deploy/trusted_execution_cluster_cr.yaml
+kubectl apply -f config/deploy/approved_image_cr.yaml
+kubectl apply -f kind/kbs-forward.yaml
+kubectl apply -f kind/register-forward.yaml
 ```
 
 #### **Cleaning Up the Bundle Deployment**
@@ -166,7 +154,6 @@ To clean up your environment after running the non-OLM `Quick Start` method, exe
 make cluster-cleanup
 # Note: You must use the same RUNTIME environment variable for `cluster-down`
 # that you used for `cluster-up`. For example:
-#
 # RUNTIME=docker make cluster-down
 make cluster-down
 make clean
diff --git a/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml b/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml
index 69adeee..909b745 100644
--- a/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml
+++ b/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml
@@ -72,7 +72,7 @@ spec:
   install:
     strategy: deployment
     spec:
-      permissions:
+      clusterPermissions:
       - serviceAccountName: trusted-cluster-operator
         # Rules are dynamically generated from config/rbac/role.yaml during the bundle build
         rules: []
diff --git a/compute-pcrs/Containerfile b/compute-pcrs/Containerfile
index 2145c64..d1aa1e0 100644
--- a/compute-pcrs/Containerfile
+++ b/compute-pcrs/Containerfile
@@ -32,4 +32,3 @@ FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/compute-pcrs" /usr/bin
 COPY --from=builder /build/reference-values /reference-values
-USER nobody
diff --git a/register-server/Containerfile b/register-server/Containerfile
index 237878e..5568638 100644
--- a/register-server/Containerfile
+++ b/register-server/Containerfile
@@ -29,6 +29,5 @@ RUN cargo build -p register-server $(if [ "$build_type" = release ]; then echo -
 FROM quay.io/fedora/fedora:42
 ARG build_type
 COPY --from=builder "/build/target/$build_type/register-server" /usr/bin
-USER nobody
 EXPOSE 3030
 ENTRYPOINT ["/usr/bin/register-server"]
diff --git a/scripts/generate-bundle-prod.sh b/scripts/generate-bundle-prod.sh
index 8604edd..9dfacf8 100755
--- a/scripts/generate-bundle-prod.sh
+++ b/scripts/generate-bundle-prod.sh
@@ -8,12 +8,14 @@ set -euo pipefail
 
 BUNDLE_VERSION=""
 PREVIOUS_CSV=""
+NAMESPACE="trusted-execution-clusters"
 
-while getopts "v:p:" opt; do
+while getopts "v:p:n:" opt; do
   case $opt in
     v) BUNDLE_VERSION="$OPTARG" ;;
     p) PREVIOUS_CSV="$OPTARG" ;;
-    *) echo "Usage: $0 -v [-p ]"; exit 1 ;;
+    n) NAMESPACE="$OPTARG" ;;
+    *) echo "Usage: $0 -v [-p ] [-n ]"; exit 1 ;;
   esac
 done
 
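Review bot: Renaming `permissions` to `clusterPermissions` makes OLM bind every rule generated from config/rbac/role.yaml to the operator's service account through a ClusterRole, so any namespaced grant that role.yaml contains (secrets, configmaps, the operator's own CRs, if present) now applies to every namespace in the cluster rather than the install namespace. If only some resources genuinely need cluster scope, keep a `permissions:` entry for the namespaced rules next to `clusterPermissions:` and split role.yaml accordingly; the matching script change in scripts/generate-bundle-prod.sh, which now patches `.spec.install.spec.clusterPermissions[0].rules`, would then need a second `permissions[0].rules` patch. The comment above `rules: []` already says the rules come from role.yaml; extending it to `# Rules are generated from config/rbac/role.yaml and granted cluster-wide (ClusterRole)` records the scope decision where the next reader will look.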
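Review bot: `NAMESPACE` taken from `-n` is never validated before it is interpolated into yq expressions later in the script, so a value containing `"` or whitespace produces a malformed yq expression instead of a clear error, and a value that is not a valid DNS label yields bundle manifests that the API server rejects only at deploy time. Right after the `done` that closes the getopts loop, a guard such as `case "$NAMESPACE" in ''|*[!a-z0-9-]*) echo "Invalid namespace: '$NAMESPACE'" >&2; exit 1 ;; esac` rejects the obviously malformed values early. The usage string also prints empty placeholders (`-v [-p ] [-n ]`); if that is the file's actual text and not a rendering artefact, naming the arguments, e.g. `Usage: $0 -v VERSION [-p PREVIOUS_CSV] [-n NAMESPACE]`, would help callers.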
@@ -39,6 +41,9 @@ mkdir -p "${BUNDLE_MANIFESTS}" "${BUNDLE_METADATA}"
 echo "=> Copying CRDs and static assets..."
 shopt -s nullglob
 cp "${PROJECT_ROOT}/config/crd"/*.yaml "${BUNDLE_MANIFESTS}/"
+cp "${PROJECT_ROOT}/config/rbac"/*.yaml "${BUNDLE_MANIFESTS}/"
+rm -f "${BUNDLE_MANIFESTS}/kustomization.yaml"
+rm -f "${BUNDLE_MANIFESTS}/service_account.yaml"
 cp "$CSV_TEMPLATE" "${BUNDLE_MANIFESTS}/"
 cp "$ANNOTATIONS_TEMPLATE" "${BUNDLE_METADATA}/"
 
@@ -59,7 +64,18 @@ for env_var in COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
 done
 
 # Patch RBAC rules
-yq -i ".spec.install.spec.permissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"
+yq -i ".spec.install.spec.clusterPermissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"
+
+echo "=> Patching RBAC binding namespaces..."
+for binding_file in role_binding.yaml metrics_auth_role_binding.yaml leader_election_role_binding.yaml; do
+  file_path="${BUNDLE_MANIFESTS}/${binding_file}"
+  if [ -f "$file_path" ]; then
+    echo "--> Patching ${binding_file}..."
+    yq -i ".subjects[0].namespace = \"${NAMESPACE}\"" "$file_path"
+  else
+    echo "WARN: Binding file ${binding_file} not found in bundle, skipping patch."
+  fi
+done
 
 # Set .spec.replaces for automatic upgrades if provided
 if [[ -n "$PREVIOUS_CSV" ]]; then
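Review bot: The new `cp "${PROJECT_ROOT}/config/rbac"/*.yaml` copies whatever happens to be in config/rbac and then removes two files by name, so any file added to that directory later (a kustomize patch, a scratch manifest) silently becomes part of the shipped bundle, and the `rm -f` calls stay quiet when one of the two names changes. Copying an explicit list of the manifests the bundle is meant to carry, or failing the build if a copied file is not a Role/RoleBinding/ClusterRole/ClusterRoleBinding document, keeps the bundle contents deliberate. Note also that role.yaml is presumably copied here as a standalone manifest while its rules are also merged into the CSV further down, so the same grant would appear twice in the bundle; if that is intended, a one-line comment above the `cp` saying so would help the next reader.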
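Review bot: `.subjects[0].namespace` patches only the first subject of each binding, so a binding that lists more than one subject keeps the original namespace on the rest and silently binds a service account in a namespace the operator is not installed in. Selecting by kind covers every entry: `yq -i "(.subjects[] | select(.kind == \"ServiceAccount\")).namespace = \"${NAMESPACE}\"" "$file_path"`. The else branch only warns when a binding file is missing; since the file list is fixed in the `for` line, a missing file is more likely a broken copy step than an optional case, so an `exit 1` there would surface the problem during the build rather than at deploy time.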