Changed the operator to gracefully degrade when not on cluster-wide s…

…cope (#916)

Signed-off-by: Juraci Paixão Kröhling <juraci@kroehling.de>

Makefile

@@ -25,7 +25,7 @@ SDK_VERSION=v0.15.1
 GOPATH ?= "$(HOME)/go"
 
 LD_FLAGS ?= "-X $(VERSION_PKG).version=$(OPERATOR_VERSION) -X $(VERSION_PKG).buildDate=$(VERSION_DATE) -X $(VERSION_PKG).defaultJaeger=$(JAEGER_VERSION)"
-UNIT_TEST_PACKAGES := $(shell go list ./cmd/... ./pkg/... |  grep -v elasticsearch/v1 | grep -v kafka/v1beta1)
+UNIT_TEST_PACKAGES := $(shell go list ./cmd/... ./pkg/... | grep -v elasticsearch/v1 | grep -v kafka/v1beta1)
 TEST_OPTIONS = $(VERBOSE) -kubeconfig $(KUBERNETES_CONFIG) -namespacedMan ../../deploy/test/namespace-manifests.yaml -globalMan ../../deploy/test/global-manifests.yaml -root .
 
 .DEFAULT_GOAL := build
@@ -53,7 +53,7 @@ lint:
 .PHONY: security
 security:
 	@echo Security...
-	@${GOPATH}/bin/gosec -quiet -exclude=G104  ./... 2>/dev/null
+	@${GOPATH}/bin/gosec -quiet -exclude=G104 ./... 2>/dev/null
 
 .PHONY: build
 build: format
@@ -84,16 +84,21 @@ e2e-tests: prepare-e2e-tests e2e-tests-smoke e2e-tests-cassandra e2e-tests-es e2
 .PHONY: prepare-e2e-tests
 prepare-e2e-tests: build docker push
 	@mkdir -p deploy/test
-	@cp test/service_account.yaml deploy/test/namespace-manifests.yaml
+	@cp deploy/service_account.yaml deploy/test/namespace-manifests.yaml
 	@echo "---" >> deploy/test/namespace-manifests.yaml
 
-	@cat test/operator.yaml | sed "s~image: jaegertracing\/jaeger-operator\:.*~image: $(BUILD_IMAGE)~gi" >> deploy/test/namespace-manifests.yaml
+	@cat deploy/role.yaml >> deploy/test/namespace-manifests.yaml
+	@echo "---" >> deploy/test/namespace-manifests.yaml
 
 	@# ClusterRoleBinding is created in test codebase because we don't know service account namespace
-	@cp deploy/role.yaml deploy/test/global-manifests.yaml
-	@echo "---" >> deploy/test/global-manifests.yaml
+	@cat deploy/role_binding.yaml >> deploy/test/namespace-manifests.yaml
+	@echo "---" >> deploy/test/namespace-manifests.yaml
 
-	@cat deploy/crds/jaegertracing.io_jaegers_crd.yaml  >> deploy/test/global-manifests.yaml
+	@sed "s~image: jaegertracing\/jaeger-operator\:.*~image: $(BUILD_IMAGE)~gi" test/operator.yaml >> deploy/test/namespace-manifests.yaml
+
+	@cp deploy/crds/jaegertracing.io_jaegers_crd.yaml deploy/test/global-manifests.yaml
+	@echo "---" >> deploy/test/global-manifests.yaml
+	@cat deploy/cluster_role.yaml >> deploy/test/global-manifests.yaml
 
 .PHONY: e2e-tests-smoke
 e2e-tests-smoke: prepare-e2e-tests
@@ -182,14 +187,14 @@ undeploy-es-operator:
 ifeq ($(OLM),true)
 	@echo Skipping es-operator undeployment, as it should have been installed via OperatorHub
 else
-	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/05-deployment.yaml -n ${ES_OPERATOR_NAMESPACE} || true
-	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/04-crd.yaml -n ${ES_OPERATOR_NAMESPACE} || true
-	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/03-role-bindings.yaml || true
-	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/02-role.yaml || true
-	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/01-service-account.yaml -n ${ES_OPERATOR_NAMESPACE} || true
-	@kubectl delete -f https://raw.githubusercontent.com/coreos/prometheus-operator/${PROMETHEUS_OPERATOR_TAG}/example/prometheus-operator-crd/servicemonitor.crd.yaml || true
-	@kubectl delete -f https://raw.githubusercontent.com/coreos/prometheus-operator/${PROMETHEUS_OPERATOR_TAG}/example/prometheus-operator-crd/prometheusrule.crd.yaml || true
-	@kubectl delete namespace ${ES_OPERATOR_NAMESPACE} 2>&1 || true
+	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/05-deployment.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/04-crd.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/03-role-bindings.yaml --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/02-role.yaml --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/openshift/elasticsearch-operator/${ES_OPERATOR_BRANCH}/manifests/01-service-account.yaml -n ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/coreos/prometheus-operator/${PROMETHEUS_OPERATOR_TAG}/example/prometheus-operator-crd/servicemonitor.crd.yaml --ignore-not-found=true || true
+	@kubectl delete -f https://raw.githubusercontent.com/coreos/prometheus-operator/${PROMETHEUS_OPERATOR_TAG}/example/prometheus-operator-crd/prometheusrule.crd.yaml --ignore-not-found=true || true
+	@kubectl delete namespace ${ES_OPERATOR_NAMESPACE} --ignore-not-found=true 2>&1 || true
 endif
 
 .PHONY: es
@@ -216,7 +221,7 @@ else
 	@kubectl create clusterrolebinding strimzi-cluster-operator-entity-operator-delegation --clusterrole=strimzi-entity-operator --serviceaccount ${KAFKA_NAMESPACE}:strimzi-cluster-operator 2>&1 | grep -v "already exists" || true
 	@kubectl create clusterrolebinding strimzi-cluster-operator-topic-operator-delegation --clusterrole=strimzi-topic-operator --serviceaccount ${KAFKA_NAMESPACE}:strimzi-cluster-operator 2>&1 | grep -v "already exists" || true
 	@curl --location $(KAFKA_YAML) --output deploy/test/kafka-operator.yaml
-	@sed 's/namespace: .*/namespace: $(KAFKA_NAMESPACE)/' deploy/test/kafka-operator.yaml | kubectl -n $(KAFKA_NAMESPACE) apply -f -  2>&1 | grep -v "already exists" || true
+	@sed 's/namespace: .*/namespace: $(KAFKA_NAMESPACE)/' deploy/test/kafka-operator.yaml | kubectl -n $(KAFKA_NAMESPACE) apply -f - 2>&1 | grep -v "already exists" || true
 	@kubectl set env deployment strimzi-cluster-operator -n ${KAFKA_NAMESPACE} STRIMZI_NAMESPACE="*"
 endif
 
@@ -225,19 +230,19 @@ undeploy-kafka-operator:
 ifeq ($(OLM),true)
 	@echo Skiping kafka-operator undeploy
 else
-	@kubectl delete --namespace $(KAFKA_NAMESPACE) -f deploy/test/kafka-operator.yaml 2>&1 || true
-	@kubectl delete clusterrolebinding strimzi-cluster-operator-namespaced
-	@kubectl delete clusterrolebinding strimzi-cluster-operator-entity-operator-delegation
-	@kubectl delete clusterrolebinding strimzi-cluster-operator-topic-operator-delegation
+	@kubectl delete --namespace $(KAFKA_NAMESPACE) -f deploy/test/kafka-operator.yaml --ignore-not-found=true 2>&1 || true
+	@kubectl delete clusterrolebinding strimzi-cluster-operator-namespaced --ignore-not-found=true || true
+	@kubectl delete clusterrolebinding strimzi-cluster-operator-entity-operator-delegation --ignore-not-found=true || true
+	@kubectl delete clusterrolebinding strimzi-cluster-operator-topic-operator-delegation --ignore-not-found=true || true
 endif
-	@kubectl delete namespace $(KAFKA_NAMESPACE) 2>&1 || true
+	@kubectl delete namespace $(KAFKA_NAMESPACE) --ignore-not-found=true 2>&1 || true
 
 .PHONY: kafka
 kafka: deploy-kafka-operator
 	@echo Creating namespace $(KAFKA_NAMESPACE)
 	@kubectl create namespace $(KAFKA_NAMESPACE) 2>&1 | grep -v "already exists" || true
 	@curl --location $(KAFKA_EXAMPLE) --output deploy/test/kafka-example.yaml
-	@kubectl -n $(KAFKA_NAMESPACE) apply -f deploy/test/kafka-example.yaml  2>&1 | grep -v "already exists" || true
+	@kubectl -n $(KAFKA_NAMESPACE) apply -f deploy/test/kafka-example.yaml 2>&1 | grep -v "already exists" || true
 
 .PHONY: undeploy-kafka
 undeploy-kafka: undeploy-kafka-operator
@@ -249,15 +254,18 @@ clean: undeploy-kafka undeploy-es-operator
 	@if [ -d deploy/test ]; then rmdir deploy/test ; fi
 	@kubectl delete -f ./test/cassandra.yml --ignore-not-found=true -n $(STORAGE_NAMESPACE) || true
 	@kubectl delete -f ./test/elasticsearch.yml --ignore-not-found=true -n $(STORAGE_NAMESPACE) || true
+	@kubectl delete -f deploy/crds/jaegertracing.io_jaegers_crd.yaml --ignore-not-found=true || true
+	@kubectl delete -f deploy/operator.yaml --ignore-not-found=true || true
+	@kubectl delete -f deploy/role_binding.yaml --ignore-not-found=true || true
+	@kubectl delete -f deploy/role.yaml --ignore-not-found=true || true
+	@kubectl delete -f deploy/service_account.yaml --ignore-not-found=true || true
 
 .PHONY: crd
 crd:
 	@kubectl create -f deploy/crds/jaegertracing.io_jaegers_crd.yaml 2>&1 | grep -v "already exists" || true
 
 .PHONY: ingress
 ingress:
-	# see https://kubernetes.github.io/ingress-nginx/deploy/#verify-installation
-	@kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.18.0/deploy/mandatory.yaml
 	@minikube addons enable ingress
 
 .PHONY: generate
@@ -293,6 +301,13 @@ install-tools:
 .PHONY: install
 install: install-sdk install-tools
 
+.PHONY: deploy
+deploy: ingress crd
+	@kubectl apply -f deploy/service_account.yaml
+	@kubectl apply -f deploy/role.yaml
+	@kubectl apply -f deploy/role_binding.yaml
+	@sed "s~image: jaegertracing\/jaeger-operator\:.*~image: $(BUILD_IMAGE)~gi" deploy/operator.yaml | kubectl apply -f -
+
 .PHONY: operatorhub
 operatorhub: check-operatorhub-pr-template
 	@./.ci/operatorhub.sh

README.md

@@ -10,13 +10,21 @@ The Jaeger Operator is an implementation of a [Kubernetes Operator](https://kube
 To install the operator, run:
 ```
 kubectl create namespace observability
-kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/crds/jaegertracing.io_jaegers_crd.yaml
-kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account.yaml
-kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role.yaml
-kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role_binding.yaml
-kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/operator.yaml
+kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/crds/jaegertracing.io_jaegers_crd.yaml
+kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account.yaml
+kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role.yaml
+kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role_binding.yaml
+kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/operator.yaml
 ```
 
+The operator will activate extra features if given cluster-wide permissions. To enable that, run:
+```
+kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/cluster_role.yaml
+kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/cluster_role_binding.yaml
+```
+
+Note that you'll need to download and customize the `cluster_role_binding.yaml` if you are using a namespace other than `observability`. You probably also want to download and customize the `operator.yaml`, setting the env var `WATCH_NAMESPACES` to have an empty value, so that it can watch for instances across all namespaces.
+
 Once the `jaeger-operator` deployment in the namespace `observability` is ready, create a Jaeger instance, like:
 
 ```

deploy/cluster_role.yaml

@@ -0,0 +1,54 @@
+## this is an extra set of permissions that the Jaeger Operator might make use of if granted
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: jaeger-operator-cluster
+rules:
+
+## required for cluster-wide operators
+- apiGroups:
+  - jaegertracing.io
+  resources:
+  - '*'
+  verbs:
+  - 'get'
+  - 'list'
+  - 'create'
+  - 'update'
+  - 'delete'
+  - 'watch'
+
+## needed if support for injecting sidecars based on namespace annotation is required
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - 'get'
+  - 'list'
+  - 'watch'
+
+## needed if support for injecting sidecars based on deployment annotation is required, across all namespaces
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - 'get'
+  - 'list'
+  - 'create'
+  - 'update'
+  - 'watch'
+
+## needed only when .Spec.Ingress.Openshift.DelegateUrls is used
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  verbs:
+  - 'get'
+  - 'list'
+  - 'create'
+  - 'update'
+  - 'delete'
+  - 'watch'

deploy/cluster_role_binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jaeger-operator-cluster
+subjects:
+- kind: ServiceAccount
+  name: jaeger-operator
+  namespace: "observability" # change to point to the namespace you installed your operator
+roleRef:
+  kind: ClusterRole
+  name: jaeger-operator-cluster
+  apiGroup: rbac.authorization.k8s.io

deploy/examples/operator-with-tracing.yaml

@@ -4,7 +4,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: jaeger-operator
-  namespace: observability
 spec:
   replicas: 1
   selector:
@@ -26,7 +25,9 @@ spec:
         imagePullPolicy: Always
         env:
         - name: WATCH_NAMESPACE
-          value: ""
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         - name: POD_NAME
           valueFrom:
             fieldRef:

deploy/olm-catalog/csv-config.yaml

@@ -0,0 +1,6 @@
+crd-cr-paths:
+- deploy/crds
+operator-path: deploy/operator.yaml
+role-paths:
+- deploy/role.yaml
+- deploy/cluster_role.yaml

deploy/operator.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: jaeger-operator
-  namespace: observability
 spec:
   replicas: 1
   selector:
@@ -24,7 +23,9 @@ spec:
         imagePullPolicy: Always
         env:
         - name: WATCH_NAMESPACE
-          value: ""
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         - name: POD_NAME
           valueFrom:
             fieldRef: