che-incubator · dkwon17 · Dec 21, 2023 · Dec 19, 2023 · Dec 20, 2023 · Dec 20, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,11 @@
+# CHANGELOG
+
+## v1.1.0
+- [Introduce webhook to prevent more than 1 KIP resource in a single namespace #115](https://github.com/che-incubator/kubernetes-image-puller-operator/pull/115)
+    - The Kubernetes Image Puller Operator now deploys a validating webhook to prevent more than one `KubernetesImagePuller` custom resource from being created in the same namespace.
+    - For Kubernetes clusters, [cert-manager](https://github.com/cert-manager/cert-manager) operator must be installed in order to serve the validating webhook.
+    - Names of resources that are created alongside the Kubernetes Image Puller Operator installation has been renamed.
+        - The `controller-manager-metrics-service` Service has been renamed to `kubernetes-image-puller-operator-manager-metrics-service`
+        - The `metrics-reader` ClusterRole has been renamed to `kubernetes-image-puller-operator-metrics-reader`
+        - The `kubernetes-image-puller-operator` ServiceAccount has been renamed to `kubernetes-image-puller-operator-sa`
+        - The ` kubernetes-image-puller-operator` Deployment has been renamed to `kubernetes-image-puller-operator-manager`
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.0.6
+VERSION ?= 1.1.0
 
 ifneq (,$(shell which kubectl 2>/dev/null)$(shell which oc 2>/dev/null))
 	include build/make/deploy.mk

diff --git a/README.md b/README.md
@@ -35,6 +35,11 @@ spec:
 
 ### Installing The Operator
 
+> Notice: starting from version 1.1.0, this operator requires the cert-manager operator for serving validating webhooks on Kubernetes clusters. This is not required for installation on OpenShift clusters. To install cert-manager on a Kubernetes cluster run:
+```
+kubectl apply --validate=false -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
+```
+
 #### Installing from OperatorHub
 
 > Notice: to install operator using OperatorHub you need to have Kubernetes cluster with pre-installed OLM. 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/...r-manager-metrics-service_v1_service.yaml → ...r-manager-metrics-service_v1_service.yaml b/...r-manager-metrics-service_v1_service.yaml → ...r-manager-metrics-service_v1_service.yaml
@@ -16,7 +16,7 @@ metadata:
   creationTimestamp: null
   labels:
     name: kubernetes-image-puller-operator
-  name: controller-manager-metrics-service
+  name: kubernetes-image-puller-operator-manager-metrics-service
 spec:
   ports:
   - name: https

diff --git a/bundle/manifests/kubernetes-image-puller-operator-manager-service_v1_service.yaml b/bundle/manifests/kubernetes-image-puller-operator-manager-service_v1_service.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2019-2023 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  name: kubernetes-image-puller-operator-manager-service
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    name: kubernetes-image-puller-operator
+status:
+  loadBalancer: {}
diff --git a/....authorization.k8s.io_v1_clusterrole.yaml → ....authorization.k8s.io_v1_clusterrole.yaml b/....authorization.k8s.io_v1_clusterrole.yaml → ....authorization.k8s.io_v1_clusterrole.yaml
@@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: metrics-reader
+  name: kubernetes-image-puller-operator-metrics-reader
 rules:
 - nonResourceURLs:
   - /metrics

diff --git a/bundle/manifests/kubernetes-imagepuller-operator.clusterserviceversion.yaml b/bundle/manifests/kubernetes-imagepuller-operator.clusterserviceversion.yaml
@@ -31,14 +31,14 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Developer Tools
     certified: "false"
-    containerImage: quay.io/eclipse/kubernetes-image-puller-operator:1.0.6
+    containerImage: quay.io/eclipse/kubernetes-image-puller-operator:1.1.0
     createdAt: ""
     description: Create and manage kubernetes-image-puller instances.
     operators.operatorframework.io/builder: operator-sdk-v1.9.0+git
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/che-incubator/kubernetes-image-puller-operator
     support: ""
-  name: kubernetes-imagepuller-operator.v1.0.6
+  name: kubernetes-imagepuller-operator.v1.1.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -128,9 +128,9 @@ spec:
                 - subjectaccessreviews
               verbs:
                 - create
-          serviceAccountName: kubernetes-image-puller-operator
+          serviceAccountName: kubernetes-image-puller-operator-sa
       deployments:
-        - name: kubernetes-image-puller-operator
+        - name: kubernetes-image-puller-operator-manager
           spec:
             replicas: 1
             selector:
@@ -143,17 +143,6 @@ spec:
                   name: kubernetes-image-puller-operator
               spec:
                 containers:
-                  - args:
-                      - --secure-listen-address=0.0.0.0:8443
-                      - --upstream=http://127.0.0.1:8080/
-                      - --logtostderr=true
-                      - --v=10
-                    image: quay.io/brancz/kube-rbac-proxy:v0.11.0
-                    name: kube-rbac-proxy
-                    ports:
-                      - containerPort: 8443
-                        name: https
-                    resources: {}
                   - args:
                       - --health-probe-bind-address=:8081
                       - --metrics-bind-address=127.0.0.1:8080
@@ -171,7 +160,7 @@ spec:
                             fieldPath: metadata.name
                       - name: OPERATOR_NAME
                         value: kubernetes-image-puller-operator
-                    image: quay.io/eclipse/kubernetes-image-puller-operator:1.0.6
+                    image: quay.io/eclipse/kubernetes-image-puller-operator:1.1.0
                     imagePullPolicy: Always
                     livenessProbe:
                       httpGet:
@@ -180,6 +169,10 @@ spec:
                       initialDelaySeconds: 15
                       periodSeconds: 20
                     name: kubernetes-image-puller-operator
+                    ports:
+                      - containerPort: 9443
+                        name: webhook-server
+                        protocol: TCP
                     readinessProbe:
                       httpGet:
                         path: /readyz
@@ -193,10 +186,52 @@ spec:
                       requests:
                         cpu: 100m
                         memory: 64Mi
-                serviceAccountName: kubernetes-image-puller-operator
+                  - args:
+                      - --secure-listen-address=0.0.0.0:8443
+                      - --upstream=http://127.0.0.1:8080/
+                      - --logtostderr=true
+                      - --v=10
+                    image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+                    name: kube-rbac-proxy
+                    ports:
+                      - containerPort: 8443
+                        name: https
+                    resources: {}
+                serviceAccountName: kubernetes-image-puller-operator-sa
                 terminationGracePeriodSeconds: 10
       permissions:
         - rules:
+            - apiGroups:
+                - ""
+              resources:
+                - configmaps
+              verbs:
+                - get
+                - list
+                - watch
+                - create
+                - update
+                - patch
+                - delete
+            - apiGroups:
+                - coordination.k8s.io
+              resources:
+                - leases
+              verbs:
+                - get
+                - list
+                - watch
+                - create
+                - update
+                - patch
+                - delete
+            - apiGroups:
+                - ""
+              resources:
+                - events
+              verbs:
+                - create
+                - patch
             - apiGroups:
                 - ""
               resources:
@@ -274,38 +309,7 @@ spec:
                 - patch
                 - update
                 - watch
-            - apiGroups:
-                - ""
-              resources:
-                - configmaps
-              verbs:
-                - get
-                - list
-                - watch
-                - create
-                - update
-                - patch
-                - delete
-            - apiGroups:
-                - coordination.k8s.io
-              resources:
-                - leases
-              verbs:
-                - get
-                - list
-                - watch
-                - create
-                - update
-                - patch
-                - delete
-            - apiGroups:
-                - ""
-              resources:
-                - events
-              verbs:
-                - create
-                - patch
-          serviceAccountName: kubernetes-image-puller-operator
+          serviceAccountName: kubernetes-image-puller-operator-sa
     strategy: deployment
   installModes:
     - supported: false
@@ -336,5 +340,26 @@ spec:
   selector:
     matchLabels:
       app: kubernetes-image-puller-operator
-  version: 1.0.6
-  replaces: kubernetes-imagepuller-operator.v1.0.5
+  version: 1.1.0
+  webhookdefinitions:
+    - admissionReviewVersions:
+        - v1
+        - v1beta1
+      containerPort: 443
+      deploymentName: kubernetes-image-puller-operator-manager
+      failurePolicy: Fail
+      generateName: vkubernetesimagepuller.kb.io
+      rules:
+        - apiGroups:
+            - che.eclipse.org
+          apiVersions:
+            - v1alpha1
+          operations:
+            - CREATE
+          resources:
+            - kubernetesimagepullers
+      sideEffects: None
+      targetPort: 9443
+      type: ValidatingAdmissionWebhook
+      webhookPath: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller
+  replaces: kubernetes-imagepuller-operator.v1.0.6
diff --git a/olm-catalog/stable/channel.yaml b/olm-catalog/stable/channel.yaml
@@ -27,3 +27,5 @@ entries:
     replaces: kubernetes-imagepuller-operator.v1.0.4
   - name: kubernetes-imagepuller-operator.v1.0.6
     replaces: kubernetes-imagepuller-operator.v1.0.5
+  - name: kubernetes-imagepuller-operator.v1.1.0
+    replaces: kubernetes-imagepuller-operator.v1.0.6
diff --git a/olm-catalog/stable/kubernetes-imagepuller-operator.v1.1.0.bundle.yaml b/olm-catalog/stable/kubernetes-imagepuller-operator.v1.1.0.bundle.yaml
diff --git a/version/version.go b/version/version.go
@@ -13,5 +13,5 @@
 package version
 
 var (
-	Version = "1.0.6"
+	Version = "1.1.0"
 )