diff --git a/.env.template b/.env.template index c148c38..8617f2d 100644 --- a/.env.template +++ b/.env.template @@ -5,7 +5,6 @@ # # The file `.env` is ignored by git. Note: DO NOT COMMIT your personal data. -# It is necessary to set the stage to `development` when developing locally (optional) -#export STAGE=development +export STAGE=development export LOG_LEVEL=debug export NAMESPACE=$(shell kubectl config view --minify -o jsonpath='{..namespace}') \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 8eafc7a..b608bd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [v1.2.0] - 2024-11-29 +### Changed +- [#37] Refactor rbac permissions to be more clear and better match the use cases + +### Removed +- [#37] Leader election and leader election rbac permissions +- [#37] Metrics rbac permissions + +### Fixed +- Do not abort restore when maintenance mode cannot be activated + ## [v1.1.1] - 2024-10-29 ### Fixed - [#35] Use correct helm dependency constraint for `backup-operator-crd`. diff --git a/Dockerfile b/Dockerfile index 6ff5d32..4111c23 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN make compile-generic FROM gcr.io/distroless/static:nonroot LABEL maintainer="hello@cloudogu.com" \ NAME="k8s-backup-operator" \ - VERSION="1.1.1" + VERSION="1.2.0" WORKDIR / COPY --from=builder /workspace/target/k8s-backup-operator . diff --git a/Makefile b/Makefile index 0d08808..b8740ab 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # Set these to the desired values ARTIFACT_ID=k8s-backup-operator -VERSION=1.1.1 +VERSION=1.2.0 IMAGE=cloudogu/${ARTIFACT_ID}:${VERSION} GOTAG?=1.23 LINT_VERSION=v1.61.0 
@@ -26,9 +26,8 @@ CRD_BACKUP_SOURCE = ${HELM_CRD_SOURCE_DIR}/templates/k8s.cloudogu.com_backups.ya CRD_RESTORE_SOURCE = ${HELM_CRD_SOURCE_DIR}/templates/k8s.cloudogu.com_restores.yaml CRD_SCHEDULE_SOURCE = ${HELM_CRD_SOURCE_DIR}/templates/k8s.cloudogu.com_backupschedules.yaml PRE_COMPILE=generate-deepcopy -HELM_PRE_APPLY_TARGETS=template-stage template-log-level template-image-pull-policy HELM_PRE_GENERATE_TARGETS = helm-values-update-image-version -HELM_POST_GENERATE_TARGETS = helm-values-replace-image-repo +HELM_POST_GENERATE_TARGETS = helm-values-replace-image-repo template-stage template-log-level template-image-pull-policy CRD_POST_MANIFEST_TARGETS = crd-add-labels crd-add-backup-labels CHECK_VAR_TARGETS=check-all-vars IMAGE_IMPORT_TARGET=image-import diff --git a/docs/development/installation_de.md b/docs/development/installation_de.md index 4e5d22d..337da93 100644 --- a/docs/development/installation_de.md +++ b/docs/development/installation_de.md @@ -22,6 +22,8 @@ und einen Access Key `longhorn-test-key` mit dem Secret Key `longhorn-test-secre Des Weiteren müssen [k8s-snapshot-controller][snapshot-ctrl-repo] und [k8s-velero][velero-repo] als Komponenten installiert werden. Dazu die Repositories auschecken und darin folgende Befehle ausführen: ```shell +# nur in k8s-velero +cd k8s/helm/templates && helm dependency update # nur im snapshot-controller: make crd-component-apply # für snapshot-controller und velero: diff --git a/docs/development/installation_en.md b/docs/development/installation_en.md index d8cd77d..a8170bd 100644 --- a/docs/development/installation_en.md +++ b/docs/development/installation_en.md 
@@ -22,6 +22,8 @@ and an access key `longhorn-test-key` with the secret key `longhorn-test-secret- Furthermore, [k8s-snapshot-controller][snapshot-ctrl-repo] and [k8s-velero][velero-repo] have to be installed as components. To do this, check out the repositories and execute the following commands inside: ```shell +# only in k8s-velero +cd k8s/helm/templates && helm dependency update # only in the snapshot-controller: make crd-component-apply # for snapshot-controller and velero: diff --git a/docs/operations/scheduled_backups_en.md b/docs/operations/scheduled_backups_en.md index 48547f9..1ffc5ce 100644 --- a/docs/operations/scheduled_backups_en.md +++ b/docs/operations/scheduled_backups_en.md @@ -5,12 +5,12 @@ This can be achieved with a `BackupSchedule` resource: ```yaml apiVersion: k8s.cloudogu.com/v1 -Type: BackupSchedule -Metadata: -name: backupschedule-sample +kind: BackupSchedule +metadata: + name: backupschedule-sample spec: -schedule: "0 0 * *" # the cron pattern according to which the backups should be executed. -provider: "velero" # only velero and "" (velero by default) are supported. + schedule: "0 0 * *" # the cron pattern according to which the backups should be executed. + provider: "velero" # only velero and "" (velero by default) are supported. ``` `schedule` is a cron pattern as defined in [Kubernetes CronJob Syntax](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax). \ No newline at end of file diff --git a/k8s-samples/k8s-backup-operator-dependencies.yaml b/k8s-samples/k8s-backup-operator-dependencies.yaml new file mode 100644 index 0000000..b2059be --- /dev/null +++ b/k8s-samples/k8s-backup-operator-dependencies.yaml 
@@ -0,0 +1,89 @@ +apiVersion: v1 +data: + cloud: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPWxvbmdob3JuLXRlc3Qta2V5CmF3c19zZWNyZXRfYWNjZXNzX2tleT1sb25naG9ybi10ZXN0LXNlY3JldC1rZXkK +kind: Secret +metadata: + name: velero-backup-target + namespace: ecosystem +type: Opaque +--- +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-velero + namespace: ecosystem +spec: + name: k8s-velero + namespace: k8s + version: 5.0.2-7 + valuesYamlOverwrite: | + velero: + credentials: + useSecret: true + existingSecret: "velero-backup-target" + configuration: + backupStorageLocation: + - name: default + provider: aws + bucket: velero + accessMode: ReadWrite + config: + region: minio-default + s3ForcePathStyle: true + s3Url: http://192.168.56.1:9000 + publicUrl: http://localhost:9000 +--- +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: bG9uZ2hvcm4tdGVzdC1rZXk= + AWS_ENDPOINTS: aHR0cDovLzE5Mi4xNjguNTYuMTo5MDAw + AWS_SECRET_ACCESS_KEY: bG9uZ2hvcm4tdGVzdC1zZWNyZXQta2V5 +kind: Secret +metadata: + name: longhorn-backup-target + namespace: longhorn-system +type: Opaque +--- +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-longhorn + namespace: ecosystem +spec: + deployNamespace: longhorn-system + name: k8s-longhorn + namespace: k8s + version: 1.5.1-8 + valuesYamlOverwrite: | + longhorn: + defaultSettings: + backupTarget: s3://longhorn@dummyregion/ + backupTargetCredentialSecret: longhorn-backup-target +--- +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-snapshot-controller-crd + namespace: ecosystem +spec: + name: k8s-snapshot-controller-crd + namespace: k8s + version: 5.0.1-7 +--- +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-snapshot-controller + namespace: ecosystem +spec: + name: k8s-snapshot-controller + namespace: k8s + version: 5.0.1-7 \ No newline at end of file 
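Review bot: This new sample commits two Secret manifests whose base64 values decode to the throwaway local credentials (`longhorn-test-key` / `longhorn-test-secret-key`, the same values the docs/development/installation_*.md hunks in this commit name for the local MinIO), plus a host-only endpoint `http://192.168.56.1:9000`, and nothing in the file says so. Add a header so the file is not copied into a shared cluster as-is, e.g. `# Local development only: the Secrets below hold the documented longhorn-test-* dummy credentials and a host-local MinIO endpoint; replace both before using this outside a developer VM`. A one-line note that the `cloud:` value is an AWS credentials file with a `[default]` profile would also help whoever regenerates it.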
diff --git a/k8s-samples/k8s-backup-operator.yaml b/k8s-samples/k8s-backup-operator.yaml new file mode 100644 index 0000000..d0a1fe8 --- /dev/null +++ b/k8s-samples/k8s-backup-operator.yaml @@ -0,0 +1,23 @@ +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-backup-operator-crd + namespace: ecosystem +spec: + name: k8s-backup-operator-crd + namespace: k8s + version: 1.1.1 +--- +apiVersion: k8s.cloudogu.com/v1 +kind: Component +metadata: + labels: + app: ces + name: k8s-backup-operator + namespace: ecosystem +spec: + name: k8s-backup-operator + namespace: k8s + version: 1.1.1 \ No newline at end of file diff --git a/k8s-samples/test-scheduled-backup.yaml b/k8s-samples/test-scheduled-backup.yaml new file mode 100644 index 0000000..71f97de --- /dev/null +++ b/k8s-samples/test-scheduled-backup.yaml @@ -0,0 +1,7 @@ +apiVersion: k8s.cloudogu.com/v1 +kind: BackupSchedule +metadata: + name: backupschedule-sample +spec: + schedule: "20 11 * * *" + provider: "velero" \ No newline at end of file diff --git a/k8s-samples/testbackup.yaml b/k8s-samples/testbackup.yaml new file mode 100644 index 0000000..f2c3dd0 --- /dev/null +++ b/k8s-samples/testbackup.yaml @@ -0,0 +1,6 @@ +apiVersion: k8s.cloudogu.com/v1 +kind: Backup +metadata: + name: backup-sample +spec: + provider: velero \ No newline at end of file diff --git a/k8s-samples/testrestore.yaml b/k8s-samples/testrestore.yaml new file mode 100644 index 0000000..45242bd --- /dev/null +++ b/k8s-samples/testrestore.yaml @@ -0,0 +1,7 @@ +apiVersion: k8s.cloudogu.com/v1 +kind: Restore +metadata: + name: restore-sample +spec: + provider: velero + backupName: backup-sample diff --git a/k8s/helm/component-patch-tpl.yaml b/k8s/helm/component-patch-tpl.yaml index 55c25fc..7d3f288 100644 --- a/k8s/helm/component-patch-tpl.yaml +++ b/k8s/helm/component-patch-tpl.yaml 
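Review bot: k8s-backup-operator.yaml pins the operator Component to `version: 1.1.1` while the same commit moves the image, chart values, Makefile and Dockerfile to 1.2.0, so applying this sample installs the previous release and none of the RBAC changes introduced here. If the Component version follows the chart/image version, change the operator entry to `version: 1.2.0`; the CRD Component may legitimately stay at 1.1.1 if no new CRD chart was released, which is not visible here. A short comment stating which release the sample is meant to match would keep it from drifting on the next bump.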
@@ -1,7 +1,7 @@ apiVersion: v1 values: images: - backupOperator: cloudogu/k8s-backup-operator:1.1.1 + backupOperator: cloudogu/k8s-backup-operator:1.2.0 kubeRbacProxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 patches: values.yaml: diff --git a/k8s/helm/templates/backup-editor-rbac.yaml b/k8s/helm/templates/backup-editor-role-binding.yaml similarity index 59% rename from k8s/helm/templates/backup-editor-rbac.yaml rename to k8s/helm/templates/backup-editor-role-binding.yaml index 0702f09..53012da 100644 --- a/k8s/helm/templates/backup-editor-rbac.yaml +++ b/k8s/helm/templates/backup-editor-role-binding.yaml @@ -1,39 +1,4 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-backup-editor-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - k8s.cloudogu.com - resources: - - backups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - k8s.cloudogu.com - resources: - - backups/finalizers - verbs: - - update -- apiGroups: - - k8s.cloudogu.com - resources: - - backups/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "k8s-backup-operator.name" . }}-backup-editor-role-binding diff --git a/k8s/helm/templates/backup-viewer-rbac.yaml b/k8s/helm/templates/backup-editor-role.yaml similarity index 55% rename from k8s/helm/templates/backup-viewer-rbac.yaml rename to k8s/helm/templates/backup-editor-role.yaml index 66c83cb..61b3949 100644 --- a/k8s/helm/templates/backup-viewer-rbac.yaml +++ b/k8s/helm/templates/backup-editor-role.yaml 
@@ -1,7 +1,8 @@ +# This role is necessary to create cloudogu backups apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "k8s-backup-operator.name" . }}-backup-viewer-role + name: {{ include "k8s-backup-operator.name" . }}-backup-editor-role labels: app.kubernetes.io/component: rbac {{- include "k8s-backup-operator.labels" . | nindent 4 }} @@ -11,12 +12,24 @@ rules: resources: - backups verbs: + - create + - delete - get - list + - patch + - update - watch +- apiGroups: + - k8s.cloudogu.com + resources: + - backups/finalizers + verbs: + - update - apiGroups: - k8s.cloudogu.com resources: - backups/status verbs: - - get \ No newline at end of file + - get + - patch + - update diff --git a/k8s/helm/templates/backupschedule-editor-role-binding.yaml b/k8s/helm/templates/backupschedule-editor-role-binding.yaml new file mode 100644 index 0000000..6a905a5 --- /dev/null +++ b/k8s/helm/templates/backupschedule-editor-role-binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role-binding + labels: + app.kubernetes.io/component: rbac + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role' +subjects: + - kind: ServiceAccount + name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' diff --git a/k8s/helm/templates/backupschedule-editor-role.yaml b/k8s/helm/templates/backupschedule-editor-role.yaml new file mode 100644 index 0000000..4b72163 --- /dev/null +++ b/k8s/helm/templates/backupschedule-editor-role.yaml 
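Review bot: Turning backup-viewer-rbac.yaml into backup-editor-role.yaml drops the `-backup-viewer-role` Role entirely, and the deleted backupschedule-rbac.yaml and restore-editor-rbac.yaml remove the backupschedule and restore viewer roles as well, yet the CHANGELOG in this commit lists only leader election and metrics under Removed. Any RoleBinding an administrator created against those viewer roles for read-only users silently stops granting access after the upgrade. Add a Removed entry such as `- [#37] backup-, backupschedule- and restore-viewer roles; bind read-only users to a role of your own` so the upgrade note exists.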
@@ -0,0 +1,47 @@ +# This role is necessary to create scheduled cloudogu backups +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role + labels: + app.kubernetes.io/component: rbac + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - k8s.cloudogu.com + resources: + - backupschedules + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - k8s.cloudogu.com + resources: + - backupschedules/finalizers + verbs: + - update + - apiGroups: + - k8s.cloudogu.com + resources: + - backupschedules/status + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + - cronjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/k8s/helm/templates/backupschedule-rbac.yaml b/k8s/helm/templates/backupschedule-rbac.yaml deleted file mode 100644 index 8699422..0000000 --- a/k8s/helm/templates/backupschedule-rbac.yaml +++ /dev/null 
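Review bot: The last rule in backupschedule-editor-role.yaml grants verbs on `cronjobs` under `apiGroups: [""]`, but CronJob has only ever been served from the `batch` group, so this rule matches no resource and the controller will be Forbidden when it creates or deletes the CronJob for a BackupSchedule. The deleted cronjob-editor-rbac.yaml used `'*'` for the group, which is why it worked before; the refactor narrowed it to the wrong group. Change the group entry to `- batch`.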
@@ -1,73 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules/finalizers - verbs: - - update - - apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role-binding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: '{{ include "k8s-backup-operator.name" . }}-backupschedule-editor-role' -subjects: - - kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-backupschedule-viewer-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules - verbs: - - get - - list - - watch - - apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules/status - verbs: - - get \ No newline at end of file diff --git a/k8s/helm/templates/cleanup-role-binding.yaml b/k8s/helm/templates/cleanup-role-binding.yaml new file mode 100644 index 0000000..4353c20 --- /dev/null +++ b/k8s/helm/templates/cleanup-role-binding.yaml 
@@ -0,0 +1,16 @@ +# This is needed to clean up the whole cluster before a restore +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "k8s-backup-operator.name" . }}-cleanup-role-binding + labels: + app.kubernetes.io/component: rbac + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "k8s-backup-operator.name" . }}-cleanup-role' +subjects: + - kind: ServiceAccount + name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/k8s/helm/templates/cleanup-role.yaml b/k8s/helm/templates/cleanup-role.yaml new file mode 100644 index 0000000..70cbe98 --- /dev/null +++ b/k8s/helm/templates/cleanup-role.yaml @@ -0,0 +1,17 @@ +# This is necessary to clean up the whole cluster before a restore +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "k8s-backup-operator.name" . }}-cleanup-role + labels: + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - delete + - update \ No newline at end of file diff --git a/k8s/helm/templates/cronjob-editor-rbac.yaml b/k8s/helm/templates/cronjob-editor-rbac.yaml deleted file mode 100644 index 8e3e117..0000000 --- a/k8s/helm/templates/cronjob-editor-rbac.yaml +++ /dev/null 
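Review bot: cleanup-role.yaml grants get/list/delete/update on `'*'` resources in `'*'` API groups cluster-wide and cleanup-role-binding.yaml binds it to the controller ServiceAccount, which lets the operator read every Secret and delete any object in any namespace; the deleted manager-cluster-role had the same scope (plus `watch`), so this is not new, but the refactor is the moment to narrow it. If the cleanup only touches a known set of kinds or namespaces, list them explicitly; if it must stay wildcard, say so in the header, e.g. `# Intentionally cluster-wide and wildcard: the cleanup deletes every namespaced object before a restore; this role must only ever be bound to the controller ServiceAccount`. Whether the cleanup code relies on the dropped `watch` verb (for waiting on deletions) is not visible here. The ClusterRole is also missing the `app.kubernetes.io/component: rbac` label that every other role in this change carries.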
@@ -1,36 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-cronjob-editor-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - '*' - resources: - - cronjobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-cronjob-editor-role-binding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: '{{ include "k8s-backup-operator.name" . }}-cronjob-editor-role' -subjects: - - kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/k8s/helm/templates/deployment.yaml b/k8s/helm/templates/deployment.yaml index 1ee7fe1..bc0e478 100644 --- a/k8s/helm/templates/deployment.yaml +++ b/k8s/helm/templates/deployment.yaml @@ -42,7 +42,6 @@ spec: - operator - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect env: - name: LOG_LEVEL value: {{ .Values.manager.env.logLevel | default "info" }} diff --git a/k8s/helm/templates/leader-election-rbac.yaml b/k8s/helm/templates/leader-election-rbac.yaml deleted file mode 100644 index 474c42e..0000000 --- a/k8s/helm/templates/leader-election-rbac.yaml +++ /dev/null 
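Review bot: Dropping `--leader-elect` from the manager args in deployment.yaml means two pods of this Deployment would both reconcile the same Backup/Restore objects, and a restore includes the cluster-wide cleanup, so concurrent reconcilers are not safe here. Whether `spec.replicas` is templated from values is outside this hunk; if it is, pin it to 1, and in any case add a comment next to the args, e.g. `# leader election is disabled: this Deployment must run with exactly one replica`. The enclosing Deployment spec starts and ends outside the hunk.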
@@ -1,55 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-leader-election-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-leader-election-rolebinding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: '{{ include "k8s-backup-operator.name" . }}-leader-election-role' -subjects: -- kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/k8s/helm/templates/manager-rbac.yaml b/k8s/helm/templates/manager-rbac.yaml deleted file mode 100644 index f5a7f22..0000000 --- a/k8s/helm/templates/manager-rbac.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "k8s-backup-operator.name" . }}-manager-role - labels: - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules/finalizers - verbs: - - update -- apiGroups: - - k8s.cloudogu.com - resources: - - backupschedules/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-manager-rolebinding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "k8s-backup-operator.name" . }} -subjects: -- kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "k8s-backup-operator.name" . }}-manager-cluster-role - labels: - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - delete - - update - - watch \ No newline at end of file diff --git a/k8s/helm/templates/metrics-reader-rbac.yaml b/k8s/helm/templates/metrics-reader-rbac.yaml deleted file mode 100644 index 37f19c9..0000000 --- a/k8s/helm/templates/metrics-reader-rbac.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "k8s-backup-operator.name" . }}-metrics-reader - labels: - app.kubernetes.io/component: kube-rbac-proxy - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- nonResourceURLs: - - /metrics - verbs: - - get \ No newline at end of file diff --git a/k8s/helm/templates/metrics-service.yaml b/k8s/helm/templates/metrics-service.yaml deleted file mode 100644 index 864f0da..0000000 --- a/k8s/helm/templates/metrics-service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "k8s-backup-operator.name" . }}-controller-manager-metrics-service - labels: - app.kubernetes.io/component: kube-rbac-proxy - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -spec: - type: ClusterIP - selector: - {{- include "k8s-backup-operator.selectorLabels" . | nindent 4 }} - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https \ No newline at end of file diff --git a/k8s/helm/templates/proxy-rbac.yaml b/k8s/helm/templates/proxy-role-binding.yaml similarity index 54% rename from k8s/helm/templates/proxy-rbac.yaml rename to k8s/helm/templates/proxy-role-binding.yaml index 6b1f8fd..24a398b 100644 --- a/k8s/helm/templates/proxy-rbac.yaml +++ b/k8s/helm/templates/proxy-role-binding.yaml @@ -1,25 +1,4 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-proxy-role - labels: - app.kubernetes.io/component: kube-rbac-proxy - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "k8s-backup-operator.name" . }}-proxy-rolebinding 
diff --git a/k8s/helm/templates/proxy-role.yaml b/k8s/helm/templates/proxy-role.yaml new file mode 100644 index 0000000..63f200c --- /dev/null +++ b/k8s/helm/templates/proxy-role.yaml @@ -0,0 +1,21 @@ +# This is necessary for the rbac proxy of the controller +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "k8s-backup-operator.name" . }}-proxy-role + labels: + app.kubernetes.io/component: kube-rbac-proxy + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/k8s/helm/templates/restore-editor-rbac.yaml b/k8s/helm/templates/restore-editor-rbac.yaml deleted file mode 100644 index 490fefa..0000000 --- a/k8s/helm/templates/restore-editor-rbac.yaml +++ /dev/null 
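Review bot: proxy-role.yaml keeps the kube-rbac-proxy Role (tokenreviews / subjectaccessreviews) while the same commit deletes metrics-service.yaml and the metrics-reader ClusterRole, so if the sidecar is still part of the Deployment — the deployment.yaml hunk does not show the containers — it keeps running with no Service exposing it and no role able to pass its authorization check. Either remove the sidecar, its `kubeRbacProxy` image entry in component-patch-tpl.yaml and this Role together, or keep the Service; whichever is chosen, the header comment here should state why the proxy remains, e.g. `# kube-rbac-proxy still fronts the metrics endpoint; no Service is shipped, so metrics are only reachable pod-locally`.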
@@ -1,73 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-restore-editor-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: -- apiGroups: - - k8s.cloudogu.com - resources: - - restores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - k8s.cloudogu.com - resources: - - restore/finalizers - verbs: - - update -- apiGroups: - - k8s.cloudogu.com - resources: - - restores/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-restore-editor-role-binding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: '{{ include "k8s-backup-operator.name" . }}-restore-editor-role' -subjects: - - kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "k8s-backup-operator.name" . }}-restore-viewer-role - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - k8s.cloudogu.com - resources: - - restores - verbs: - - get - - list - - watch - - apiGroups: - - k8s.cloudogu.com - resources: - - restores/status - verbs: - - get \ No newline at end of file diff --git a/k8s/helm/templates/restore-editor-role-binding.yaml b/k8s/helm/templates/restore-editor-role-binding.yaml new file mode 100644 index 0000000..b77f4e6 --- /dev/null +++ b/k8s/helm/templates/restore-editor-role-binding.yaml 
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "k8s-backup-operator.name" . }}-restore-editor-role-binding + labels: + app.kubernetes.io/component: rbac + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "k8s-backup-operator.name" . }}-restore-editor-role' +subjects: + - kind: ServiceAccount + name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' diff --git a/k8s/helm/templates/restore-editor-role.yaml b/k8s/helm/templates/restore-editor-role.yaml new file mode 100644 index 0000000..b39ba9d --- /dev/null +++ b/k8s/helm/templates/restore-editor-role.yaml @@ -0,0 +1,41 @@ +# This is necessary to create cloudogu restores +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "k8s-backup-operator.name" . }}-restore-editor-role + labels: + app.kubernetes.io/component: rbac + {{- include "k8s-backup-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - k8s.cloudogu.com + resources: + - restores + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - k8s.cloudogu.com + resources: + - restore/finalizers + verbs: + - update +- apiGroups: + - k8s.cloudogu.com + resources: + - restores/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create \ No newline at end of file diff --git a/k8s/helm/templates/serviceaccount.yaml b/k8s/helm/templates/service-account.yaml similarity index 100% rename from k8s/helm/templates/serviceaccount.yaml rename to k8s/helm/templates/service-account.yaml diff --git a/k8s/helm/templates/manager-cleanup-rbac.yaml b/k8s/helm/templates/velero-role-binding.yaml similarity index 63% rename from k8s/helm/templates/manager-cleanup-rbac.yaml rename to k8s/helm/templates/velero-role-binding.yaml index 43cd07f..cea3fd2 100644 
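Review bot: The finalizers rule in restore-editor-role.yaml names the resource `restore/finalizers`, while the main rule uses the plural `restores` and the sibling roles use `backups/finalizers` and `backupschedules/finalizers`; RBAC matches subresources on the plural resource name, so this rule grants nothing. Change the line to `- restores/finalizers`. The same typo was in the deleted restore-editor-rbac.yaml, so it is carried over rather than introduced, but the new file is the place to fix it; whether anything currently depends on it is not visible here.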
--- a/k8s/helm/templates/manager-cleanup-rbac.yaml +++ b/k8s/helm/templates/velero-role-binding.yaml @@ -1,14 +1,14 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: {{ include "k8s-backup-operator.name" . }}-manager-cleanup-rolebinding + name: {{ include "k8s-backup-operator.name" . }}-velero-rolebinding labels: app.kubernetes.io/component: rbac {{- include "k8s-backup-operator.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: '{{ include "k8s-backup-operator.name" . }}-manager-cluster-role' + kind: Role + name: '{{ include "k8s-backup-operator.name" . }}-velero-role' subjects: - kind: ServiceAccount name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' diff --git a/k8s/helm/templates/velero-rbac.yaml b/k8s/helm/templates/velero-role.yaml similarity index 58% rename from k8s/helm/templates/velero-rbac.yaml rename to k8s/helm/templates/velero-role.yaml index a27eed5..8ca653c 100644 --- a/k8s/helm/templates/velero-rbac.yaml +++ b/k8s/helm/templates/velero-role.yaml @@ -1,3 +1,4 @@ +# This is necessary to manage velero backups and restores apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -47,20 +48,4 @@ rules: verbs: - get - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "k8s-backup-operator.name" . }}-velero-rolebinding - labels: - app.kubernetes.io/component: rbac - {{- include "k8s-backup-operator.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: '{{ include "k8s-backup-operator.name" . }}-velero-role' -subjects: -- kind: ServiceAccount - name: '{{ include "k8s-backup-operator.name" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' \ No newline at end of file + - watch \ No newline at end of file diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 7f4b30f..875c5d4 100644 --- a/k8s/helm/values.yaml 
+++ b/k8s/helm/values.yaml @@ -23,7 +23,7 @@ manager: image: registry: docker.io repository: cloudogu/k8s-backup-operator - tag: 1.1.1 + tag: 1.2.0 imagePullPolicy: IfNotPresent resources: limits: diff --git a/pkg/restore/createManager.go b/pkg/restore/createManager.go index efecde6..8ab95bc 100644 --- a/pkg/restore/createManager.go +++ b/pkg/restore/createManager.go @@ -70,7 +70,7 @@ func (cm *defaultCreateManager) create(ctx context.Context, restore *v1.Restore) err = cm.maintenanceModeSwitch.Activate(ctx, repository.MaintenanceModeDescription{Title: maintenanceModeTitle, Text: maintenanceModeText}) if err != nil { - return fmt.Errorf("failed to activate maintenance mode: %w", err) + logger.Error(err, "The Maintenance mode could not be activated. Continuing anyways...") } defer func() { diff --git a/pkg/restore/createManager_test.go b/pkg/restore/createManager_test.go index e0bedc5..c83caaa 100644 --- a/pkg/restore/createManager_test.go +++ b/pkg/restore/createManager_test.go @@ -235,7 +235,7 @@ func Test_defaultCreateManager_create(t *testing.T) { assert.ErrorIs(t, err, assert.AnError) }) - t.Run("should return error failing activate maintenance mode", func(t *testing.T) { + t.Run("should continue with restore when failing ti activate maintenance mode", func(t *testing.T) { // given restore := &v1.Restore{ObjectMeta: metav1.ObjectMeta{Name: "restore", Namespace: testNamespace}, Spec: v1.RestoreSpec{BackupName: "backup", Provider: "velero"}} @@ -249,6 +249,8 @@ func Test_defaultCreateManager_create(t *testing.T) { providerMock := newMockRestoreProvider(t) providerMock.EXPECT().CheckReady(testCtx).Return(nil) + providerMock.EXPECT().CreateRestore(testCtx, restore).Return(nil) + providerMock.EXPECT().SyncBackups(testCtx).Return(nil) oldNewVeleroProvider := provider.NewVeleroProvider provider.NewVeleroProvider = func(clientSet provider.EcosystemClientSet, recorder provider.EventRecorder, namespace string) (provider.Provider, error) { return providerMock, nil 
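Review bot: The new branch in createManager.go logs and falls through, so the deferred deactivation and the cleanup/restore that follow (`defer func() {` is the last visible line; `create` continues outside the hunk) now run while user traffic may still reach the system, which is what the changelog asks for but should be visible on the Restore object rather than only in the pod log. `defaultCreateManager` already carries a `recorder` (the updated test constructs it with one), so record a Warning event here in addition to the log line. Also tighten the message: `logger.Error(err, "Maintenance mode could not be activated; continuing with the restore anyway")`. The `logger` variable is not declared in the hunk — presumably obtained earlier in `create`.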
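Review bot: The renamed subtest at the top of the `@@ -235` hunk reads `"should continue with restore when failing ti activate maintenance mode"`; `ti` should be `to`, and this string is what shows up in `go test -run` and CI output. Change it to `t.Run("should continue with restore when failing to activate maintenance mode", func(t *testing.T) {`.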
@@ -257,20 +259,25 @@ func Test_defaultCreateManager_create(t *testing.T) { maintenanceModeMock := newMockMaintenanceModeSwitch(t) maintenanceModeMock.EXPECT().Activate(testCtx, repository.MaintenanceModeDescription{Title: "Service temporary unavailable", Text: "Restore in progress"}).Return(assert.AnError) + maintenanceModeMock.EXPECT().Deactivate(testCtx).Return(nil) + + restoreClientMock.EXPECT().UpdateStatusCompleted(testCtx, restore).Return(restore, nil) + + cleanupMock := newMockCleanupManager(t) + cleanupMock.EXPECT().Cleanup(testCtx).Return(nil) + v1Alpha1Client := newMockEcosystemV1Alpha1Interface(t) v1Alpha1Client.EXPECT().Restores(testNamespace).Return(restoreClientMock) clientSetMock := newMockEcosystemInterface(t) clientSetMock.EXPECT().EcosystemV1Alpha1().Return(v1Alpha1Client) - sut := &defaultCreateManager{recorder: recorderMock, ecosystemClientSet: clientSetMock, maintenanceModeSwitch: maintenanceModeMock, namespace: testNamespace} + sut := &defaultCreateManager{recorder: recorderMock, ecosystemClientSet: clientSetMock, maintenanceModeSwitch: maintenanceModeMock, cleanup: cleanupMock, namespace: testNamespace} // when err := sut.create(testCtx, restore) // then - require.Error(t, err) - assert.ErrorContains(t, err, "failed to activate maintenance mode") - assert.ErrorIs(t, err, assert.AnError) + require.NoError(t, err) }) t.Run("should return error on cleanup error", func(t *testing.T) {
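Review bot: The added `maintenanceModeMock.EXPECT().Deactivate(testCtx).Return(nil)` encodes that deactivation is still attempted even though `Activate` returned an error two lines above, and nothing in the test says that this is deliberate rather than an artefact of the deferred call. Add a why-comment on that line, e.g. `// Deactivate runs from the deferred switch regardless of whether Activate succeeded`, so a later reader does not "fix" the expectation away. The subtest otherwise only asserts `require.NoError`, which is enough for the new contract.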