diff --git a/Makefile b/Makefile index 44146b8a6..320afc314 100644 --- a/Makefile +++ b/Makefile @@ -163,9 +163,6 @@ generate_files: generate_exes $(TYPES_FILES) # generate protobuf hack/update-protobuf.sh -create-certs: - hack/create-certs.sh - ############################################################ # build section ############################################################ diff --git a/build/run-e2e-tests.sh b/build/run-e2e-tests.sh index c84877971..572e7446d 100755 --- a/build/run-e2e-tests.sh +++ b/build/run-e2e-tests.sh @@ -81,8 +81,6 @@ images: newName: $IMAGE_NAME_AND_VERSION EOF -make create-certs - kubectl apply -k "${HUB_PATH}" MANAGED_CLUSTER=$(kubectl get managedclusters | grep cluster | awk '{print $1}') @@ -105,7 +103,7 @@ done for i in {1..7}; do echo "############$i Checking ManagedClusterInfo" - INFO=$(kubectl get managedclusterinfos -n "${MANAGED_CLUSTER}" "${MANAGED_CLUSTER}" -o yaml | grep -c "loggingCA" | tr -d '[:space:]') + INFO=$(kubectl get managedclusterinfos -n "${MANAGED_CLUSTER}" "${MANAGED_CLUSTER}" -o yaml | grep -c "ManagedClusterInfo" | tr -d '[:space:]') if [ "${INFO}" -eq 1 ]; then break fi diff --git a/cmd/acm-controller/app/server.go b/cmd/acm-controller/app/server.go index 7f0ca97fb..0eaa1c11a 100644 --- a/cmd/acm-controller/app/server.go +++ b/cmd/acm-controller/app/server.go @@ -54,8 +54,7 @@ func Run(o *options.ControllerRunOptions, stopCh <-chan struct{}) error { caData, err := GetAgentCA(o.CAFile) if err != nil { - klog.Errorf("unable to get acm agent server CA file: %v", err) - return err + klog.Warningf("unable to get acm agent server CA file: %v", err) } kubeConfig.QPS = o.QPS diff --git a/deploy/dev/hub/kustomization.yaml b/deploy/dev/hub/kustomization.yaml index 081251098..d3553e55f 100644 --- a/deploy/dev/hub/kustomization.yaml +++ b/deploy/dev/hub/kustomization.yaml 
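Review bot: The check inside the `for i in {1..7}` loop of build/run-e2e-tests.sh now greps for `ManagedClusterInfo`, which presumably matches the `kind:` line of any object that exists, so the loop no longer confirms that the agent populated anything in the resource. Because the count from `grep -c` is compared with `[ "${INFO}" -eq 1 ]`, the loop also never breaks if the string appears on more than one line of the YAML, for example inside an annotation. Assert on a field the agent is expected to write, or at minimum relax the comparison to `if [ "${INFO}" -ge 1 ]; then`. The loop body continues outside the hunk.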
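Review bot: In `Run` in cmd/acm-controller/app/server.go, a failing `GetAgentCA(o.CAFile)` is now only logged, so a deployment that sets `--agent-cafile` to a missing or unreadable path starts without the agent CA instead of failing closed. `caData` is consumed further down, outside the hunk; if it feeds verification of the agent connection, that is a silent downgrade for every deployment, not just the dev manifests. Keep the error fatal when a CA file was explicitly requested, by putting `if o.CAFile != "" { return err }` ahead of the `klog.Warningf` call, and warn only when no file was configured. How `GetAgentCA` treats an empty path is not visible here and should be confirmed.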
@@ -7,8 +7,6 @@ resources: - resources/crds/hive.openshift.io_clusterdeployments.yaml - resources/crds/hive.openshift.io_syncsetinstances.yaml - resources/100-clusterrole.yaml -- resources/100-agent-cert.yaml -- resources/100-apiserver-cert.yaml - resources/100-proxyserver-apiservice.yaml - resources/100-proxyserver-service.yaml - resources/200-proxyserver.yaml diff --git a/deploy/dev/hub/resources/100-agent-cert.yaml b/deploy/dev/hub/resources/100-agent-cert.yaml deleted file mode 100644 index f866be7bd..000000000 --- a/deploy/dev/hub/resources/100-agent-cert.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - ca.crt: $ACM_AGENT_CA - tls.crt: $ACM_AGENT_CLIENT - tls.key: $ACM_AGENT_KEY -kind: Secret -metadata: - name: acm-agent-cert - namespace: open-cluster-management -type: Opaque diff --git a/deploy/dev/hub/resources/100-apiserver-cert.yaml b/deploy/dev/hub/resources/100-apiserver-cert.yaml deleted file mode 100644 index 8c9033122..000000000 --- a/deploy/dev/hub/resources/100-apiserver-cert.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - ca.crt: $ACM_APISERVER_CA - tls.crt: $ACM_APISERVER_CLIENT - tls.key: $ACM_APISERVER_KEY -kind: Secret -metadata: - name: acm-apiserver-cert - namespace: open-cluster-management -type: Opaque diff --git a/deploy/dev/hub/resources/100-proxyserver-apiservice.yaml b/deploy/dev/hub/resources/100-proxyserver-apiservice.yaml index cc5add1d5..ff6fedfc2 100644 --- a/deploy/dev/hub/resources/100-proxyserver-apiservice.yaml +++ b/deploy/dev/hub/resources/100-proxyserver-apiservice.yaml @@ -8,7 +8,6 @@ spec: service: namespace: open-cluster-management name: acm-proxyserver - port: 443 - caBundle: $ACM_APISERVER_CA + insecureSkipTLSVerify: true groupPriorityMinimum: 10000 versionPriority: 20 diff --git a/deploy/dev/hub/resources/200-controller.yaml b/deploy/dev/hub/resources/200-controller.yaml index 83252a96d..f322cb20f 100644 --- a/deploy/dev/hub/resources/200-controller.yaml 
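Review bot: In 100-proxyserver-apiservice.yaml, `insecureSkipTLSVerify: true` replaces `caBundle`, so kube-apiserver stops verifying the serving certificate of `acm-proxyserver`. Whatever answers for that Service is then trusted as the aggregated API. The file sits under deploy/dev, but nothing in the manifest marks the setting as dev-only. Add a comment above the field such as `# dev only: serving cert is not verified; non-dev overlays must set caBundle`, and keep CA-based verification in any overlay that is not for local testing. The same hunk drops `port: 443`, relying on the API default; state that in the commit description if it is intentional.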
+++ b/deploy/dev/hub/resources/200-controller.yaml @@ -27,11 +27,7 @@ spec: imagePullPolicy: IfNotPresent args: - "/acm-controller" - - "--agent-cafile=/var/run/agent/ca.crt" - "--enable-rbac=true" - volumeMounts: - - mountPath: /var/run/agent - name: agent-certs livenessProbe: httpGet: path: /healthz @@ -44,8 +40,3 @@ spec: port: 8000 failureThreshold: 3 periodSeconds: 10 - volumes: - - name: agent-certs - secret: - defaultMode: 420 - secretName: acm-agent-cert diff --git a/deploy/dev/hub/resources/200-proxyserver.yaml b/deploy/dev/hub/resources/200-proxyserver.yaml index a77543ba9..97dcd1eaf 100644 --- a/deploy/dev/hub/resources/200-proxyserver.yaml +++ b/deploy/dev/hub/resources/200-proxyserver.yaml @@ -23,11 +23,6 @@ spec: args: - "/acm-proxyserver" - "--secure-port=6443" - - "--tls-cert-file=/var/run/apiserver/tls.crt" - - "--tls-private-key-file=/var/run/apiserver/tls.key" - - "--agent-cafile=/var/run/agent/ca.crt" - - "--agent-certfile=/var/run/agent/tls.crt" - - "--agent-keyfile=/var/run/agent/tls.key" livenessProbe: httpGet: path: /healthz @@ -41,17 +36,3 @@ spec: scheme: HTTPS port: 6443 initialDelaySeconds: 2 - volumeMounts: - - mountPath: /var/run/agent - name: agent-certs - - mountPath: /var/run/apiserver - name: apiserver-certs - volumes: - - name: agent-certs - secret: - defaultMode: 420 - secretName: acm-agent-cert - - name: apiserver-certs - secret: - defaultMode: 420 - secretName: acm-apiserver-cert diff --git a/deploy/dev/hub/webhook/100-mutating-webhook-admission.yaml b/deploy/dev/hub/webhook/100-mutating-webhook-admission.yaml deleted file mode 100644 index 7033fd55d..000000000 --- a/deploy/dev/hub/webhook/100-mutating-webhook-admission.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: acm-webhook - name: acm-mutating-webhook -webhooks: - - name: acm.mutating.webhook.admission.open-cluster-management.io - admissionReviewVersions: - - v1beta1 - clientConfig: - caBundle: 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 - service: - name: acm-webhook - namespace: open-cluster-management - port: 443 - path: /mutating - sideEffects: None - timeoutSeconds: 5 - rules: - - apiGroups: - - apps.open-cluster-management.io - apiVersions: - - v1 - operations: - - CREATE - resources: - - deployables - - channels - - subscriptions - - placementrules - scope: '*' - - apiGroups: - - app.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - applications - scope: '*' diff --git a/deploy/dev/hub/webhook/100-validating-webhook-admission.yaml b/deploy/dev/hub/webhook/100-validating-webhook-admission.yaml deleted file mode 100644 index 7eb5fadb9..000000000 --- a/deploy/dev/hub/webhook/100-validating-webhook-admission.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: acm-webhook - name: acm-validating-webhook -webhooks: - - name: acm.validating.webhook.admission.open-cluster-management.io - admissionReviewVersions: - - v1beta1 - clientConfig: - caBundle: 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 - service: - name: acm-webhook - namespace: open-cluster-management - port: 443 - path: /validating - sideEffects: None - timeoutSeconds: 5 - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - DELETE - resources: - - namespaces - scope: '*' diff --git a/deploy/dev/hub/webhook/100-webhook-secret.yaml b/deploy/dev/hub/webhook/100-webhook-secret.yaml deleted file mode 100644 index 3f4f589e0..000000000 --- a/deploy/dev/hub/webhook/100-webhook-secret.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 -kind: Secret -metadata: - labels: - app: acm-webhook - name: acm-webhook-secret - namespace: open-cluster-management -type: Opaque - - - diff --git a/deploy/dev/hub/webhook/200-webhook-deployment.yaml b/deploy/dev/hub/webhook/200-webhook-deployment.yaml deleted file mode 100644 index 143dc1017..000000000 --- a/deploy/dev/hub/webhook/200-webhook-deployment.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: acm-webhook - name: acm-webhook - namespace: open-cluster-management -spec: - selector: - matchLabels: - app: acm-webhook - template: - metadata: - labels: - app: acm-webhook - spec: - serviceAccountName: acm-foundation-sa - containers: - - args: - - /acm-webhook - - --tls-cert-file=/var/run/acm-webhook/tls.crt - - --tls-private-key-file=/var/run/acm-webhook/tls.key - image: ko://github.com/open-cluster-management/multicloud-operators-foundation/cmd/acm-webhook - imagePullPolicy: IfNotPresent - name: acm-webhook - ports: - - containerPort: 8000 - protocol: TCP - volumeMounts: - - mountPath: /var/run/acm-webhook - name: webhook-cert - volumes: - - name: webhook-cert - secret: - defaultMode: 420 - secretName: acm-webhook-secret diff --git a/deploy/dev/hub/webhook/200-webhook-service.yaml b/deploy/dev/hub/webhook/200-webhook-service.yaml deleted file mode 100644 index 2ad28e49c..000000000 --- a/deploy/dev/hub/webhook/200-webhook-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: acm-webhook - name: acm-webhook - namespace: open-cluster-management -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 8000 - selector: - app: acm-webhook - type: ClusterIP 
diff --git a/deploy/dev/klusterlet/manifestwork/agent.yaml b/deploy/dev/klusterlet/manifestwork/agent.yaml index 6e4d89a7d..1d584107b 100644 --- a/deploy/dev/klusterlet/manifestwork/agent.yaml +++ b/deploy/dev/klusterlet/manifestwork/agent.yaml @@ -87,6 +87,7 @@ spec: - "--port=4443" - "--agent-address=acm-agent.open-cluster-management-agent.svc" - "--agent-port=443" + - "--insecure=true" volumeMounts: - name: hub-config mountPath: /var/run/hub diff --git a/deploy/dev/klusterlet/resources/200-agent.yaml b/deploy/dev/klusterlet/resources/200-agent.yaml index 2598c727e..dcdd0b236 100644 --- a/deploy/dev/klusterlet/resources/200-agent.yaml +++ b/deploy/dev/klusterlet/resources/200-agent.yaml @@ -26,6 +26,7 @@ spec: - "--port=4443" - "--agent-address=acm-agent.open-cluster-management-agent.svc" - "--agent-port=443" + - "--insecure=true" volumeMounts: - name: hub-config mountPath: /var/run/hub diff --git a/hack/certs/cert.go b/hack/certs/cert.go deleted file mode 100644 index a8b4094fa..000000000 --- a/hack/certs/cert.go +++ /dev/null 
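Review bot: `--insecure=true` is added to the agent args in deploy/dev/klusterlet/manifestwork/agent.yaml, and again in deploy/dev/klusterlet/resources/200-agent.yaml, with no comment saying which verification it disables. Together with the removal of `--agent-cafile`, `--agent-certfile` and `--agent-keyfile` from the proxyserver in this commit, it looks as if the hub-to-agent endpoint on `--agent-port=443` no longer authenticates its caller by client certificate. The flag's definition is not in this diff, so confirm that reading. If it is correct, document it on both lines, for example `# dev only: agent endpoint does not verify client certificates`, and check that the non-dev manifests leave the flag at its default.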
@@ -1,111 +0,0 @@ -package main - -import ( - "crypto" - "crypto/rand" - cryptorand "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/base64" - "flag" - - "math" - "math/big" - "os" - "time" - - "github.com/open-cluster-management/multicloud-operators-foundation/pkg/utils" - certutil "k8s.io/client-go/util/cert" - "k8s.io/client-go/util/keyutil" - "k8s.io/klog" -) - -var path string - -func init() { - flag.StringVar(&path, "path", "", "path is the file path") - flag.Parse() -} - -func main() { - var err error - if path == "" { - path, err = os.Getwd() - if err != nil { - klog.Fatal(err) - } - } - - dnsNames := []string{"acm-proxyserver", "acm-proxyserver.open-cluster-management", "acm-proxyserver.open-cluster-management.svc"} - if err := NewCerts(path, "acm-apiserver", dnsNames); err != nil { - klog.Fatal(err) - } - if err := NewCerts(path, "acm-agent", nil); err != nil { - klog.Fatal(err) - } -} - -func NewCerts(path string, commonName string, dnsNames []string) error { - cakey, err := rsa.GenerateKey(cryptorand.Reader, 2048) - if err != nil { - return err - } - config := certutil.Config{ - CommonName: commonName, - Organization: []string{"OpenShift ACM"}, - } - caCert, err := certutil.NewSelfSignedCACert(config, cakey) - if err != nil { - return err - } - - key, err := rsa.GenerateKey(cryptorand.Reader, 2048) - if err != nil { - return err - } - - cert, err := NewSignedCert(key, caCert, cakey, commonName, dnsNames) - if err != nil { - return err - } - caData := utils.EncodeCertPEM(caCert) - keyData := utils.EncodePrivateKeyPEM(key) - certData := utils.EncodeCertPEM(cert) - - if err := certutil.WriteCert(path+"/"+commonName+"-client.pem", []byte(base64.StdEncoding.EncodeToString(certData))); err != nil { - return err - } - if err := certutil.WriteCert(path+"/"+commonName+"-ca.pem", []byte(base64.StdEncoding.EncodeToString(caData))); err != nil { - return err - } - if err := keyutil.WriteKey(path+"/"+commonName+"-key.pem", 
[]byte(base64.StdEncoding.EncodeToString(keyData))); err != nil { - return err - } - return nil -} - -func NewSignedCert(key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, commonName string, dnsNames []string) (*x509.Certificate, error) { - serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) - if err != nil { - return nil, err - } - - certTmpl := x509.Certificate{ - Subject: pkix.Name{ - CommonName: commonName, - Organization: []string{"OpenShift ACM"}, - }, - DNSNames: dnsNames, - SerialNumber: serial, - NotBefore: caCert.NotBefore, - NotAfter: time.Now().Add(time.Hour * 24 * 365 * 10).UTC(), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, - } - certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) - if err != nil { - return nil, err - } - return x509.ParseCertificate(certDERBytes) -} diff --git a/hack/create-certs.sh b/hack/create-certs.sh deleted file mode 100755 index d45e3ab92..000000000 --- a/hack/create-certs.sh +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/bash - -set -o errexit - -OS=$(uname -s | tr '[:upper:]' '[:lower:]') -SED="sed" -if [ "${OS}" == "darwin" ]; then - SED="gsed" - if [ ! -x "$(command -v ${SED})" ]; then - echo "ERROR: $SED required, but not found." - echo "Perform \"brew install gnu-sed\" and try again." - exit 1 - fi -fi - -DIRPATH="$(cd "$(dirname "$0")"; pwd)" -DEPLOYPAHT="${DIRPATH}/../deploy/dev/hub/resources" - -# create certs -go mod tidy -go run hack/certs/cert.go --path="${DIRPATH}" - -# overrides the manifests -acm_agent_ca=$(cat "${DIRPATH}"/acm-agent-ca.pem) -acm_agent_client=$(cat "${DIRPATH}"/acm-agent-client.pem) -acm_agent_key=$(cat "${DIRPATH}"/acm-agent-key.pem) -acm_apiserver_ca=$(cat "${DIRPATH}"/acm-apiserver-ca.pem) -acm_apiserver_client=$(cat "${DIRPATH}"/acm-apiserver-client.pem) -acm_apiserver_key=$(cat "${DIRPATH}"/acm-apiserver-key.pem) - -${SED} -i "s/\$ACM_AGENT_CA/$acm_agent_ca/g" "${DEPLOYPAHT}"/100-agent-cert.yaml -${SED} -i "s/\$ACM_AGENT_CLIENT/$acm_agent_client/g" "${DEPLOYPAHT}"/100-agent-cert.yaml -${SED} -i "s/\$ACM_AGENT_KEY/$acm_agent_key/g" "${DEPLOYPAHT}"/100-agent-cert.yaml -${SED} -i "s/\$ACM_APISERVER_CA/$acm_apiserver_ca/g" "${DEPLOYPAHT}"/100-apiserver-cert.yaml -${SED} -i "s/\$ACM_APISERVER_CLIENT/$acm_apiserver_client/g" "${DEPLOYPAHT}"/100-apiserver-cert.yaml -${SED} -i "s/\$ACM_APISERVER_KEY/$acm_apiserver_key/g" "${DEPLOYPAHT}"/100-apiserver-cert.yaml -${SED} -i "s/\$ACM_APISERVER_CA/$acm_apiserver_ca/g" "${DEPLOYPAHT}"/100-proxyserver-apiservice.yaml - -# clean cert files -rm "${DIRPATH}"/*.pem diff --git a/pkg/apis/action/v1beta1/action_types.go b/pkg/apis/action/v1beta1/action_types.go index 2d26b8edd..da5a04618 100644 --- a/pkg/apis/action/v1beta1/action_types.go +++ b/pkg/apis/action/v1beta1/action_types.go 
@@ -15,14 +15,14 @@ type ManagedClusterAction struct { // Standard object's metadata. // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata // +optional - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` // Spec defines the desired behavior of the action. // +optional - Spec ActionSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` + Spec ActionSpec `json:"spec,omitempty"` // Status describes the desired status of the action // +optional - Status ActionStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Status ActionStatus `json:"status,omitempty"` } // +kubebuilder:object:root=true 
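Review bot: The `protobuf:"..."` struct tags are removed in this hunk and in the other two hunks of action_types.go, yet the `generate_files` target still runs `hack/update-protobuf.sh` (visible as context in the Makefile hunk). If that script still covers this package, the next `make generate_files` may regenerate the tags or fail, so either exclude the package there or say in the commit description why the tags are no longer needed. The later hunks also drop `patchStrategy:"merge" patchMergeKey:"type"` from `Conditions` here and in view_types.go; any client building strategic-merge patches from these Go types would then replace the whole list rather than merge by `type`, so check for such callers. `ManagedClusterAction` begins outside the hunk.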
@@ -33,33 +33,31 @@ type ManagedClusterActionList struct { // Standard list metadata. // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds // +optional - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` // List of ManagedClusterAction objects. - Items []ManagedClusterAction `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []ManagedClusterAction `json:"items"` } // ActionSpec defines the action to be processed on a cluster type ActionSpec struct { // ActionType is the type of the action - ActionType ActionType `json:"actionType,omitempty" protobuf:"bytes,1,opt,name=actionType"` + ActionType ActionType `json:"actionType,omitempty"` // KubeWorkSpec is the action payload to process - KubeWork *KubeWorkSpec `json:"kube,omitempty" protobuf:"bytes,2,opt,name=kube"` + KubeWork *KubeWorkSpec `json:"kube,omitempty"` } // ActionStatus returns the current status of the action type ActionStatus struct { // Conditions represents the conditions of this resource on managed cluster - // +patchMergeKey=type - // +patchStrategy=merge // +optional - Conditions []conditions.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + Conditions []conditions.Condition `json:"conditions,omitempty"` // Result references the related result of the action // +nullable // +optional - Result runtime.RawExtension `json:"result,omitempty" protobuf:"bytes,2,opt,name=result"` + Result runtime.RawExtension `json:"result,omitempty"` } // ActionType defines the type of the action 
@@ -90,16 +88,16 @@ const ( // KubeWorkSpec is the kubernetes work details type KubeWorkSpec struct { // Resource of the object - Resource string `json:"resource,omitempty" protobuf:"bytes,1,opt,name=resource"` + Resource string `json:"resource,omitempty"` // Name of the object - Name string `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"` + Name string `json:"name,omitempty"` // Namespace of the object - Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"` + Namespace string `json:"namespace,omitempty"` // ObjectTemplate is the template of the object - ObjectTemplate runtime.RawExtension `json:"template,omitempty" protobuf:"bytes,4,opt,name=template"` + ObjectTemplate runtime.RawExtension `json:"template,omitempty"` } const ( diff --git a/pkg/apis/view/v1beta1/view_types.go b/pkg/apis/view/v1beta1/view_types.go index 2c63ebe25..7466141b2 100644 --- a/pkg/apis/view/v1beta1/view_types.go +++ b/pkg/apis/view/v1beta1/view_types.go @@ -54,10 +54,8 @@ type ViewSpec struct { // ViewStatus returns the status of the view type ViewStatus struct { // Conditions represents the conditions of this resource on managed cluster - // +patchMergeKey=type - // +patchStrategy=merge // +optional - Conditions []conditions.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + Conditions []conditions.Condition `json:"conditions,omitempty"` // Result references the related result of the view // +nullable