diff --git a/deploy/10-deployment.yaml b/deploy/10-deployment.yaml
index 279000b2..a240a4bd 100644
--- a/deploy/10-deployment.yaml
+++ b/deploy/10-deployment.yaml
@@ -18,7 +18,7 @@ spec:
 serviceAccountName: nats-operator
 containers:
 - name: nats-operator
- image: connecteverything/nats-operator:0.6.2
+ image: connecteverything/nats-operator:0.7.0
 imagePullPolicy: IfNotPresent
 args:
 - nats-operator
diff --git a/example/example-cluster-service-accounts.yaml b/example/example-cluster-service-accounts.yaml
index 849dfd80..2cd25ed2 100644
--- a/example/example-cluster-service-accounts.yaml
+++ b/example/example-cluster-service-accounts.yaml
@@ -73,7 +73,7 @@ spec:
 containers:
 - name: nats-ops
 command: ["/bin/sh"]
- image: "wallyqs/nats-ops:latest"
+ image: "synadia/nats-box:latest"
 tty: true
 stdin: true
 stdinOnce: true
@@ -104,7 +104,7 @@ spec:
 containers:
 - name: nats-ops
 command: ["/bin/sh"]
- image: "wallyqs/nats-ops:latest"
+ image: "synadia/nats-box:latest"
 tty: true
 stdin: true
 stdinOnce: true
diff --git a/example/example-svc-accounts-diff-namespaces.yaml b/example/example-svc-accounts-diff-namespaces.yaml
new file mode 100644
index 00000000..838027ea
--- /dev/null
+++ b/example/example-svc-accounts-diff-namespaces.yaml
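Review bot: `synadia/nats-box:latest` replaces one mutable tag with another in a container that mounts a bound NATS token, so whoever publishes that tag decides what code reads the credential. An example that exists to show credential handling should pin the image, e.g. `image: "synadia/nats-box:<pinned-tag>"` or an `image@sha256:...` digest, with the placeholder filled in from the registry. The same line appears in the hunk at `@@ -104,7 +104,7 @@` of this file and in both Pod specs of the new example/example-svc-accounts-diff-namespaces.yaml.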
@@ -0,0 +1,134 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nats-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: my-app-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: my-admin-app-ns
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsCluster
+metadata:
+ name: nats-cluster
+ namespace: nats-system
+spec:
+ size: 3
+ version: "2.1.7"
+ pod:
+ enableConfigReload: true
+ auth:
+ enableServiceAccounts: true
+
+# In cluster scope mode, the token secret will be created at the same namespace
+# where the ServiceAccount is created.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nats-admin-user
+ namespace: my-admin-app-ns
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nats-user
+ namespace: my-app-ns
+
+# In cluster scope mode, the NatsServiceRole definitions have to be created
+# in the same namespace as the nats cluster.
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsServiceRole
+metadata:
+ name: nats-user
+ namespace: nats-system
+
+ # Specifies which NATS cluster will be mapping this account,
+ # (have to create a service role with permission per cluster).
+ labels:
+ nats_cluster: nats-cluster
+spec:
+ permissions:
+ publish: ["foo.*", "foo.bar.quux"]
+ subscribe: ["foo.bar", "greetings", "hello.world"]
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsServiceRole
+metadata:
+ name: nats-admin-user
+ namespace: nats-system
+ labels:
+ nats_cluster: nats-cluster
+spec:
+ permissions:
+ publish: [">"]
+ subscribe: [">"]
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nats-user-pod
+ namespace: my-app-ns
+spec:
+ volumes:
+ - name: "token"
+ projected:
+ sources:
+ - secret:
+ name: "nats-user-nats-cluster-bound-token"
+ items:
+ - key: token
+ path: "token"
+ restartPolicy: Never
+ containers:
+ - name: nats-ops
+ command: ["/bin/sh"]
+ image: "synadia/nats-box:latest"
+ tty: true
+ stdin: true
+ stdinOnce: true
+
+ # Service Account Token is mounted via projected volume.
+ volumeMounts:
+ - name: "token"
+ mountPath: "/var/run/secrets/nats.io"
+ readOnly: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nats-admin-user-pod
+ namespace: my-admin-app-ns
+spec:
+ volumes:
+ - name: "token"
+ projected:
+ sources:
+ - secret:
+ name: "nats-admin-user-nats-cluster-bound-token"
+ items:
+ - key: token
+ path: "token"
+ restartPolicy: Never
+ containers:
+ - name: nats-ops
+ command: ["/bin/sh"]
+ image: "synadia/nats-box:latest"
+ tty: true
+ stdin: true
+ stdinOnce: true
+
+ # Service Account Token is mounted via projected volume.
+ volumeMounts:
+ - name: "token"
+ mountPath: "/var/run/secrets/nats.io"
+ readOnly: true
diff --git a/example/nats-operator-cluster-scoped-rbac.yaml b/example/nats-operator-cluster-scoped-rbac.yaml
new file mode 100644
index 00000000..f40805c6
--- /dev/null
+++ b/example/nats-operator-cluster-scoped-rbac.yaml
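Review bot: Neither Pod spec sets `serviceAccountName`, so `nats-user-pod` runs as the `default` ServiceAccount of `my-app-ns` and its NATS identity presumably comes only from the mounted Secret; the example should say so, because a reader will otherwise expect the Kubernetes ServiceAccount `nats-user` itself to be the binding. A comment above `volumes:` along the lines of `# NATS credentials come from the bound-token Secret the operator creates for the nats-user ServiceAccount in this namespace; the pod itself runs as the default ServiceAccount.` would make that explicit. The Secret name `nats-user-nats-cluster-bound-token` appears to follow `<ServiceAccount>-<NatsCluster>-bound-token` (compare the admin pod's `nats-admin-user-nats-cluster-bound-token`), and a one-line comment stating the convention next to `name:` saves readers from reverse-engineering it. It is also worth a sentence in the file's header comment that any principal with `get` on Secrets in `my-app-ns` can read the same credential, since that is the boundary this layout relies on.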
@@ -0,0 +1,109 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nats-operator
+ namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nats-operator-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nats-operator
+subjects:
+- kind: ServiceAccount
+ name: nats-operator
+ namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nats-operator
+rules:
+# Allow creating CRDs
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs: ["get", "list", "create", "update", "watch"]
+
+# Allow all actions on NATS Operator manager CRDs
+- apiGroups:
+ - nats.io
+ resources:
+ - natsclusters
+ - natsserviceroles
+ verbs: ["*"]
+
+# Allowed actions on Pods
+- apiGroups: [""]
+ resources:
+ - pods
+ verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Services
+- apiGroups: [""]
+ resources:
+ - services
+ verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Secrets
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+# Allow all actions on some special subresources
+- apiGroups: [""]
+ resources:
+ - pods/exec
+ - pods/log
+ - serviceaccounts/token
+ - events
+ verbs: ["*"]
+
+# Allow listing Namespaces and ServiceAccounts
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - serviceaccounts
+ verbs: ["list", "get", "watch"]
+
+# Allow actions on Endpoints
+- apiGroups: [""]
+ resources:
+ - endpoints
+ verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nats-server
+ namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nats-server
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nats-server-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nats-server
+subjects:
+- kind: ServiceAccount
+ name: nats-server
+ namespace: nats-io
diff --git a/example/nats-operator-cluster-scoped.yaml b/example/nats-operator-cluster-scoped.yaml
new file mode 100644
index 00000000..e5d78acb
--- /dev/null
+++ b/example/nats-operator-cluster-scoped.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nats-io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nats-operator
+ namespace: nats-io
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: nats-operator
+ template:
+ metadata:
+ labels:
+ name: nats-operator
+ spec:
+ serviceAccountName: nats-operator
+ containers:
+ - name: nats-operator
+ image: connecteverything/nats-operator:0.7.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - nats-operator
+ - --feature-gates=ClusterScoped=true
+ ports:
+ - name: readyz
+ containerPort: 8080
+ env:
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: readyz
+ initialDelaySeconds: 15
+ timeoutSeconds: 3
diff --git a/version/version.go b/version/version.go
index dc3effc9..261cf621 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
-// Copyright 2017-2019 The nats-operator Authors
+// Copyright 2017-2020 The nats-operator Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,6 +15,6 @@ package version
 var (
- OperatorVersion = "0.6.4-v1alpha2+git"
+ OperatorVersion = "0.7.0"
 GitSHA = "Not provided"
 )
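Review bot: The rule commented `Allow all actions on some special subresources` grants `verbs: ["*"]` on `serviceaccounts/token`, `pods/exec`, `pods/log` and `events` in a ClusterRole, i.e. in every namespace; the TokenRequest subresource alone means a compromised operator pod can be issued a token for any ServiceAccount in the cluster, so this one rule is close to cluster-admin-equivalent. Each subresource has a narrow natural verb set — TokenRequest is `create` only, `pods/log` is `get`, `pods/exec` is `create`, events are normally `create`/`patch`/`update` — so split the rule and list those instead of `*`, and state in the comment what the operator does with exec (nothing in this commit shows a use; if there is none, drop it). The verbs below are inferred from the Kubernetes API, not from the operator's client code, so confirm them against its calls before merging. The `secrets` rule (create/watch/get/update/delete/list cluster-wide) is inherent to writing bound-token Secrets into each ServiceAccount's namespace, as the header comment in the new example/example-svc-accounts-diff-namespaces.yaml describes, but saying so in its comment makes that scope read as intentional rather than accidental.
```yaml
# … unchanged: CRD, nats.io, pods, services, secrets rules …

# serviceaccounts/token is the TokenRequest API; issuing a bound token is a create.
- apiGroups: [""]
  resources:
  - serviceaccounts/token
  verbs: ["create"]

# pods/log is read-only; exec is a create — remove it if the operator never execs (TODO confirm).
- apiGroups: [""]
  resources:
  - pods/log
  verbs: ["get"]
- apiGroups: [""]
  resources:
  - pods/exec
  verbs: ["create"]

# Events are written, never read, by the operator (TODO confirm against client code).
- apiGroups: [""]
  resources:
  - events
  verbs: ["create", "patch", "update"]

# … unchanged: namespaces/serviceaccounts and endpoints rules …
```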
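Review bot: The `nats-operator` container in the new Deployment has no `securityContext` and no `resources` block, while the ServiceAccount it runs as is bound to the cluster-wide ClusterRole in example/nats-operator-cluster-scoped-rbac.yaml; it mirrors deploy/10-deployment.yaml, but the cluster-scoped example is where a container escape costs the most. Settings that do not depend on how the image is built are `allowPrivilegeEscalation: false` and dropping all capabilities; `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are worth adding as well if the image tolerates them, which this diff cannot show. A `resources` request/limit pair would also keep a misbehaving operator from starving the node.
```yaml
      - name: nats-operator
        image: connecteverything/nats-operator:0.7.0
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: args, ports, env, readinessProbe …
```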