diff --git a/build/rbac/keep-rbac-yaml.py b/build/rbac/keep-rbac-yaml.py index c63c18f467747..eb7a4c0836ac9 100755 --- a/build/rbac/keep-rbac-yaml.py +++ b/build/rbac/keep-rbac-yaml.py @@ -26,6 +26,11 @@ def log(*values): def kind_and_name(doc): return doc["kind"] + "/" + doc["metadata"]["name"] +# Remove label for rendered RBAC +def remove_label(label_name): + if "labels" in doc["metadata"] and label_name in doc["metadata"]["labels"]: + log("dropping " + label_name + " label") + del doc["metadata"]["labels"][label_name] # Set up and configure the yaml parser/dumper yaml=ruamel.yaml.YAML() @@ -56,14 +61,12 @@ def kind_and_name(doc): log(" dropping comment:", comment.value.strip()) comments.remove(comment) - # helm-managed resources have a "chart" label, but we remove those for rendered RBAC - if "labels" in doc["metadata"] and "chart" in doc["metadata"]["labels"]: - log(" dropping 'chart' label") - del doc["metadata"]["labels"]["chart"] + remove_label("helm.sh/chart") + remove_label("app.kubernetes.io/managed-by") + remove_label("app.kubernetes.io/created-by") kept_docs.append(doc) - kept_docs.sort(key=kind_and_name) # Log to stderr the overall list of docs kept and a summary diff --git a/build/rbac/rbac.yaml b/build/rbac/rbac.yaml index 611d7a9613459..0d956261cedc8 100644 --- a/build/rbac/rbac.yaml +++ b/build/rbac/rbac.yaml @@ -74,6 +74,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: - policy @@ -185,6 +186,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: - '' @@ -217,6 +219,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: - '' @@ -342,6 +345,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: - '' 
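Review bot: `remove_label` in the first keep-rbac-yaml.py hunk (-26,6 +26,11) reads `doc` from module scope instead of taking it as an argument, so it only works while some outer code has `doc` bound, whereas `kind_and_name(doc)` right above it takes the document explicitly. I would make the signature `def remove_label(doc, label_name):` and pass `doc` at the three call sites in the next hunk. The comment above the def could become a docstring, for example `"""Delete label_name from doc["metadata"]["labels"] if present and log the drop."""`. The new log text also drops the quotes the old message put around the label name, which makes the stderr output slightly harder to scan.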
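Review bot: The three label names stripped in the second keep-rbac-yaml.py hunk (-56,14 +61,12) are a hand-kept copy of the Helm-only entries in `library.rook-ceph.labels` (_recommended-labels.tpl), and nothing ties the two lists together. A label added to the helper later would flow into the generated rbac.yaml unless someone also adds a call here. A module-level constant with a comment pointing at the template would make the coupling visible, e.g. `HELM_ONLY_LABELS = ("helm.sh/chart", "app.kubernetes.io/managed-by", "app.kubernetes.io/created-by")` iterated with `for name in HELM_ONLY_LABELS: remove_label(name)`. The old `chart` key is no longer dropped, so a template that still emits it would now carry it into the rendered RBAC; the statements around these calls start outside the hunk, so I cannot tell whether that case remains.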
@@ -398,6 +402,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: [''] resources: [secrets, configmaps] @@ -463,6 +468,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint. # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...] @@ -535,6 +541,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -593,6 +600,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -609,6 +617,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -891,6 +900,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator rules: - apiGroups: - '' @@ -1018,6 +1028,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -1124,6 +1135,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -1142,6 +1154,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator --- # Service account for Ceph mgrs apiVersion: v1 @@ -1152,6 +1165,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator --- # Service account for Ceph OSDs apiVersion: v1 
@@ -1163,6 +1177,7 @@ metadata: operator: rook storage-backend: ceph i-am-a-new-label: delete-me + app.kubernetes.io/part-of: rook-operator --- # Service account for job that purges OSDs from a Rook-Ceph cluster apiVersion: v1 @@ -1180,6 +1195,7 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/part-of: rook-operator --- # Service account for the CephFS CSI driver apiVersion: v1 diff --git a/cluster/charts/library/templates/_cluster-psp.tpl b/cluster/charts/library/templates/_cluster-psp.tpl index 072c9654b7737..1918f7774e86d 100644 --- a/cluster/charts/library/templates/_cluster-psp.tpl +++ b/cluster/charts/library/templates/_cluster-psp.tpl @@ -10,6 +10,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster/charts/library/templates/_cluster-serviceaccount.tpl b/cluster/charts/library/templates/_cluster-serviceaccount.tpl index 804556b70357a..8ca0ec806a1f7 100644 --- a/cluster/charts/library/templates/_cluster-serviceaccount.tpl +++ b/cluster/charts/library/templates/_cluster-serviceaccount.tpl @@ -12,6 +12,7 @@ metadata: operator: rook storage-backend: ceph i-am-a-new-label: delete-me + {{- include "library.rook-ceph.labels" . | nindent 4 }} {{ include "library.imagePullSecrets" . }} --- # Service account for Ceph mgrs @@ -23,6 +24,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} {{ include "library.imagePullSecrets" . }} --- # Service account for the job that reports the Ceph version in an image @@ -34,6 +36,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} {{ include "library.imagePullSecrets" . }} --- # Service account for job that purges OSDs from a Rook-Ceph cluster 
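Review bot: In the first _cluster-serviceaccount.tpl hunk (-12,6 +12,7) the new include is added directly under the context line `i-am-a-new-label: delete-me`, which reads like a test placeholder, and the same label shows up in the generated rbac.yaml hunk at -1163. It predates this change as far as the hunk shows, but since this commit touches exactly this label block and regenerates rbac.yaml, it looks like the right place to remove it from the template so it is not shipped on a ServiceAccount. The document continues past the hunk on both sides, so the object it belongs to is only identifiable from the `# Service account for Ceph OSDs` comment in rbac.yaml.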
diff --git a/cluster/charts/library/templates/_recommended-labels.tpl b/cluster/charts/library/templates/_recommended-labels.tpl new file mode 100644 index 0000000000000..fb9e3c18c99b7 --- /dev/null +++ b/cluster/charts/library/templates/_recommended-labels.tpl @@ -0,0 +1,9 @@ +{{/* +Common labels +*/}} +{{- define "library.rook-ceph.labels" -}} +app.kubernetes.io/part-of: rook-operator +app.kubernetes.io/managed-by: helm +app.kubernetes.io/created-by: helm +helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +{{- end -}} diff --git a/cluster/charts/rook-ceph/templates/clusterrole.yaml b/cluster/charts/rook-ceph/templates/clusterrole.yaml index 83ba8bc9f86cd..30312a9228fcc 100644 --- a/cluster/charts/rook-ceph/templates/clusterrole.yaml +++ b/cluster/charts/rook-ceph/templates/clusterrole.yaml @@ -6,6 +6,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint. # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...] @@ -26,6 +27,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: - "" @@ -58,6 +60,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: - "" @@ -183,6 +186,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: - "" @@ -239,6 +243,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: [""] resources: ["secrets", "configmaps"] 
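Review bot: The new `library.rook-ceph.labels` helper hard-codes `app.kubernetes.io/managed-by: helm` and builds `helm.sh/chart` without a length bound. Charts scaffolded by `helm create` render `app.kubernetes.io/managed-by: {{ .Release.Service }}`, which yields `Helm`, so tooling that selects on the conventional value will not match the lowercase literal. Label values are limited to 63 characters, so the chart line is safer as `helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" | quote }}`. The `Common labels` comment could also say that all entries except `part-of` are stripped from build/rbac/rbac.yaml by keep-rbac-yaml.py, since that is not obvious from the template alone.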
diff --git a/cluster/charts/rook-ceph/templates/clusterrolebinding.yaml b/cluster/charts/rook-ceph/templates/clusterrolebinding.yaml index b4a3935fdb1ab..51b599953acfc 100644 --- a/cluster/charts/rook-ceph/templates/clusterrolebinding.yaml +++ b/cluster/charts/rook-ceph/templates/clusterrolebinding.yaml @@ -6,6 +6,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -23,7 +24,7 @@ metadata: labels: operator: rook storage-backend: ceph - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "library.rook-ceph.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml index 9eb1c46077da1..3e0d5799c78a5 100644 --- a/cluster/charts/rook-ceph/templates/deployment.yaml +++ b/cluster/charts/rook-ceph/templates/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: operator: rook storage-backend: ceph - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "library.rook-ceph.labels" . | nindent 4 }} spec: replicas: 1 selector: @@ -15,7 +15,7 @@ spec: metadata: labels: app: rook-ceph-operator - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" {{- if .Values.annotations }} annotations: {{ toYaml .Values.annotations | indent 8 }} diff --git a/cluster/charts/rook-ceph/templates/psp.yaml b/cluster/charts/rook-ceph/templates/psp.yaml index 77667a1f5e15a..fa4c0540c0868 100644 --- a/cluster/charts/rook-ceph/templates/psp.yaml +++ b/cluster/charts/rook-ceph/templates/psp.yaml 
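Review bot: The second deployment.yaml hunk (-15,7 +15,7) renames the pod-template label from `chart` to `helm.sh/chart` by repeating the helper's expression by hand, so the chart-version expression now lives both here and in `library.rook-ceph.labels`, and the operator pod gets only one of the labels the Deployment's own metadata receives. Giving `helm.sh/chart` its own named template and including it in both places would keep the two in step. The rename also means anything that matched operator pods or chart-managed objects by the old `chart` key (monitoring selectors, policy or audit queries) stops matching after an upgrade, which deserves a line in the upgrade notes. The `selector` block sits between the two hunks and is not visible, so I am assuming it does not reference the renamed key.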
@@ -84,7 +84,7 @@ metadata: labels: operator: rook storage-backend: ceph - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: - policy @@ -102,7 +102,7 @@ metadata: labels: operator: rook storage-backend: ceph - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "library.rook-ceph.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster/charts/rook-ceph/templates/role.yaml b/cluster/charts/rook-ceph/templates/role.yaml index e6185c43d9072..74cefb7cc44bf 100644 --- a/cluster/charts/rook-ceph/templates/role.yaml +++ b/cluster/charts/rook-ceph/templates/role.yaml @@ -8,6 +8,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} rules: - apiGroups: - "" diff --git a/cluster/charts/rook-ceph/templates/rolebinding.yaml b/cluster/charts/rook-ceph/templates/rolebinding.yaml index 3b5eaa1aa9bcd..4025df5b65760 100644 --- a/cluster/charts/rook-ceph/templates/rolebinding.yaml +++ b/cluster/charts/rook-ceph/templates/rolebinding.yaml @@ -8,6 +8,7 @@ metadata: labels: operator: rook storage-backend: ceph + {{- include "library.rook-ceph.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/cluster/charts/rook-ceph/templates/serviceaccount.yaml b/cluster/charts/rook-ceph/templates/serviceaccount.yaml index c6562530b9413..aceeb2a0a6de6 100644 --- a/cluster/charts/rook-ceph/templates/serviceaccount.yaml +++ b/cluster/charts/rook-ceph/templates/serviceaccount.yaml @@ -7,7 +7,7 @@ metadata: labels: operator: rook storage-backend: ceph - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + {{- include "library.rook-ceph.labels" . | nindent 4 }} {{ template "library.imagePullSecrets" . }} --- # Service account for the CephFS CSI driver 
diff --git a/cluster/examples/kubernetes/ceph/common.yaml b/cluster/examples/kubernetes/ceph/common.yaml index 54dbce9937c3b..011ed367713b5 100644 --- a/cluster/examples/kubernetes/ceph/common.yaml +++ b/cluster/examples/kubernetes/ceph/common.yaml @@ -41,6 +41,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: - apiGroups: - "" @@ -70,6 +74,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint. # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...] @@ -91,6 +99,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: - apiGroups: - "" @@ -137,6 +149,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: - apiGroups: - "" @@ -262,6 +278,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: - apiGroups: - "" 
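Review bot: The label block added in the first common.yaml hunk (-41,6 +41,10), and repeated in every other common.yaml hunk and in operator.yaml and operator-openshift.yaml, disagrees with what the chart helper and build/rbac/rbac.yaml get. Here each object receives `app.kubernetes.io/part-of: rook-ceph` plus name, instance and `app.kubernetes.io/component: ceph-csi`, while the helper and rbac.yaml use `app.kubernetes.io/part-of: rook-operator` and none of the other three. A query such as `-l app.kubernetes.io/part-of=rook-ceph`, used to inventory or audit Rook's RBAC, would therefore return a different set depending on how the operator was installed. The `ceph-csi` component value is applied uniformly to what appear to be roles, bindings and the operator Deployment, which seems unlikely to be accurate for all of them; I would settle on one `part-of` value and set `component` per object or leave it out.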
@@ -303,6 +323,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph rules: - apiGroups: [""] resources: ["secrets", "configmaps"] @@ -359,6 +383,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph # imagePullSecrets: # - name: my-registry-secret @@ -374,6 +402,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -390,6 +422,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -407,6 +443,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml index bb67dac7d1712..fd0be23c5f65a 100644 --- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml +++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml 
@@ -424,6 +424,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph spec: selector: matchLabels: diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml index 6e2512236e196..f4cef56079290 100644 --- a/cluster/examples/kubernetes/ceph/operator.yaml +++ b/cluster/examples/kubernetes/ceph/operator.yaml @@ -341,6 +341,10 @@ metadata: labels: operator: rook storage-backend: ceph + app.kubernetes.io/name: rook-ceph + app.kubernetes.io/instance: rook-ceph + app.kubernetes.io/component: ceph-csi + app.kubernetes.io/part-of: rook-ceph spec: selector: matchLabels: