Add Redhat Openshift support (#912)

* feat(mgr,wh,srv): changed port (443->)9443

RHOS requires ports to be over 1024.

* chore(chart): updated service to use port names

To decouple service ports from container ports.

* feat(ctrlr,crd): added/extd finalizer RBAC gen

So finalizer RBACs would be covered for create,
delete, patch, update.
Required for RHOS.

After changing the controller markers the
manifests were regenerated using
`make manifests`.

* chore(container): updated base image

To an advertised tag.

* feat(kcl): passed envoyConfig.PodSecurityContext

RHOS requires the propagation of the envoy config
podSecurityContext to set uid/gid.

* chore(dep): upped api 2 v0.25.0 for podSecContext

Required to be able to use the envoy
podSecurityContext.

---------

Co-authored-by: Patrik Egyed <[email protected]>

Author: hi-im-aren

Dockerfile

@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static-debian11:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 ENTRYPOINT ["/manager"]

charts/kafka-operator/templates/operator-deployment-with-webhook.yaml

@@ -213,7 +213,7 @@ spec:
           {{- end }}
           ports:
           {{- if .Values.webhook.enabled }}
-            - containerPort: {{ .Values.webhook.serverPort | default 443 }}
+            - containerPort: {{ .Values.webhook.serverPort | default 9443 }}
               name: webhook-server
               protocol: TCP
           {{- end }}

charts/kafka-operator/templates/operator-rbac.yaml

@@ -115,6 +115,63 @@ rules:
   - get
   - update
   - patch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkaclusters/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkausers/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkatopics/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -234,33 +291,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - kafka.banzaicloud.io
-  resources:
-  - cruisecontroloperations/status
-  verbs:
-  - get
-  - patch
-  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/kafka-operator/templates/operator-service.yaml

@@ -28,9 +28,9 @@ spec:
   ports:
   - name: https
     port: 443
-    targetPort: {{ (.Values.webhook).serverPort | default 443 }}
+    targetPort: webhook-server
   {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
   - name: metrics
     port: 8080
-    targetPort: {{ (.Values.metricEndpoint).port | default 8080 }}
+    targetPort: metrics
   {{- end }}

config/base/rbac/role.yaml

@@ -178,6 +178,9 @@ rules:
   resources:
   - cruisecontroloperations/finalizers
   verbs:
+  - create
+  - delete
+  - patch
   - update
 - apiGroups:
   - kafka.banzaicloud.io
@@ -199,6 +202,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkaclusters/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
@@ -220,6 +232,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkatopics/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:
@@ -241,6 +262,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - kafkausers/finalizers
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 - apiGroups:
   - kafka.banzaicloud.io
   resources:

config/base/webhook/service.yaml

@@ -7,6 +7,6 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager

controllers/cruisecontroloperation_controller.go

@@ -70,7 +70,7 @@ type CruiseControlOperationReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=update
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=create;update;patch;delete
 
 //nolint:gocyclo
 func (r *CruiseControlOperationReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {

controllers/kafkacluster_controller.go

@@ -79,6 +79,7 @@ type KafkaClusterReconciler struct {
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/finalizers,verbs=create;update;patch;delete
 // +kubebuilder:rbac:groups=servicemesh.cisco.com,resources=istiomeshgateways,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=networking.istio.io,resources=*,verbs=*
 

controllers/kafkatopic_controller.go

@@ -71,6 +71,7 @@ type KafkaTopicReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/finalizers,verbs=create;update;patch;delete
 
 // Reconcile reconciles the kafka topic
 func (r *KafkaTopicReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {

controllers/kafkauser_controller.go

@@ -154,6 +154,7 @@ type KafkaUserReconciler struct {
 
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/finalizers,verbs=create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,resources=clusterissuers,verbs=get;list;watch;create;update;patch;delete