modify watch namespace to only Istio-operator (#5183)

* modify watch namespace to only Istio-operator also start the eval with demo profile first. * use demo as the first starting point * update grab script * add watch ns * fix lint
2019-10-20 18:00:36 -04:00 · 2019-10-20 18:00:36 -04:00 · 402e41d772
parent 0c464a3bdc
commit 402e41d772
3 changed files with 89 additions and 75 deletions
--- a/content/en/docs/setup/install/standalone-operator/index.md
+++ b/content/en/docs/setup/install/standalone-operator/index.md
@ -30,14 +30,14 @@ instead, which is a stable feature.
    $ kubectl apply -f https://preliminary.istio.io/operator.yaml
    {{< /text >}}

-1. (Optionally) change profiles from the default profile to one of the following profiles:
+1. (Optionally) change profiles from the demo profile to one of the following profiles:

 {{< tabset cookie-name="profile" >}}

-{{< tab name="permissive mutual TLS" cookie-value="permissive" >}}
+{{< tab name="demo" cookie-value="permissive" >}}
 When using the [permissive mutual TLS mode](/docs/concepts/security/#permissive-mode), all services accept both plaintext and
 mutual TLS traffic. Clients send plaintext traffic unless configured for
-[mutual TLS migration](/docs/tasks/security/mtls-migration/).
+[mutual TLS migration](/docs/tasks/security/mtls-migration/). This profile is installed during the first step.

 Choose this profile for:

@ -53,7 +53,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-demo.yaml

 {{< /tab >}}

-{{< tab name="strict mutual TLS" cookie-value="strict" >}}
+{{< tab name="demo-auth" cookie-value="strict" >}}
 This profile will enforce
 [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) between all clients and servers.

@ -85,9 +85,7 @@ $ kubectl apply -f https://preliminary.istio.io/operator-profile-sds.yaml
 {{< /tab >}}

 {{< tab name="default" cookie-value="default" >}}
-This profile enables Istio's default settings. This profile is installed during the first step.
-
-Run the following command to switch to this profile:
+This profile enables Istio's default settings. Run the following command to switch to this profile:

 {{< text bash >}}
 $ kubectl apply -f https://preliminary.istio.io/operator-profile-default.yaml
--- a/scripts/grab_operator_yamls.sh
+++ b/scripts/grab_operator_yamls.sh
@ -29,12 +29,7 @@ tempdir_operator="$(mktemp -d)"
 # Upstream GIT tags or branches used for the operator repo. The operator is
 # currently only available as a master version. This will change when
 # 1.4 is tagged.
-operator_tag="master"
-
-# Great care should be taken when modifying the ordering of this list. This
-# script cats these files together in order with a yaml separator.
-
-operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_cr.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
+operator_tag="release-1.4"

 # Add profiles here to have them automatically added to the website.
 # It is important to also document these files, which is not done automatically.
@ -49,13 +44,6 @@ git clone -q --single-branch --branch "${operator_tag}" https://github.com/istio
 pushd operator >/dev/null || exit
 git checkout -q "${operator_tag}"

-# Generate the main manifest
-for manifest_file in "${operator_manifest_files[@]}"
-do
-	cat "${manifest_file}" >> "${output_dir}"/operator.yaml
-	echo "---" >> "${output_dir}"/operator.yaml
-done
-
 # Generate the profiles
 for profile in "${operator_profiles[@]}"
 do
@ -64,5 +52,19 @@ do
 	sed -i "s/profile: default/profile: ${profile}/g" "${output_dir}"/operator-profile-"${profile}".yaml 
 done

+# Great care should be taken when modifying the ordering of this list. This
+# script cats these files together in order with a yaml separator.
+
+operator_manifest_files=( "deploy/namespace.yaml" "deploy/crds/istio_v1alpha2_istiocontrolplane_crd.yaml" "${output_dir}/operator-profile-demo.yaml" "deploy/service_account.yaml" "deploy/clusterrole.yaml" "deploy/clusterrole_binding.yaml" "deploy/service.yaml" "deploy/operator.yaml" )
+
+# Generate the main manifest
+for manifest_file in "${operator_manifest_files[@]}"
+do
+	echo "manifest_file is $manifest_file"
+	cat "${manifest_file}" >> "${output_dir}"/operator.yaml
+	echo "---" >> "${output_dir}"/operator.yaml
+done
+
+
 popd >/dev/null || exit
 rm -rf "${tempdir_operator}" > /dev/null 2>&1
--- a/static/operator.yaml
+++ b/static/operator.yaml
@ -14,6 +14,8 @@ spec:
    listKind: IstioControlPlaneList
    plural: istiocontrolplanes
    singular: istiocontrolplane
+    shortNames:
+    - icp
  scope: Namespaced
  subresources:
    status: {}
@ -47,7 +49,8 @@ metadata:
  namespace: istio-operator
  name: example-istiocontrolplane
 spec:
-  profile: default
+  profile: demo
+---
 ---
 apiVersion: v1
 kind: ServiceAccount
@ -61,6 +64,25 @@ metadata:
  creationTimestamp: null
  name: istio-operator
 rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
  - networking.istio.io
  resources:
@ -74,57 +96,17 @@ rules:
  verbs:
  - '*'
 - apiGroups:
-  - config.istio.io
+  - security.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - clusterroles
-  verbs:
-  - '*'
- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - '*'
+# k8s groups
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
-  verbs:
-  - '*'
- apiGroups:
-  - autoscaling
-  resources:
-  - horizontalpodautoscalers
-  verbs:
-  - '*'
- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
-  - configmaps
-  - secrets
-  - namespaces
-  verbs:
-  - '*'
- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  - replicasets
-  - statefulsets
+  - validatingwebhookconfigurations
  verbs:
  - '*'
 - apiGroups:
@ -134,6 +116,24 @@ rules:
  - customresourcedefinitions
  verbs:
  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - ingresses
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
 - apiGroups:
  - monitoring.coreos.com
  resources:
@ -142,18 +142,32 @@ rules:
  - get
  - create
 - apiGroups:
-  - apps
-  resourceNames:
-  - istio-operator
+  - policy
  resources:
-  - deployments/finalizers
+  - poddisruptionbudgets
  verbs:
-  - update
- apiGroups:
-  - install.istio.io
-  resources:
  - '*'
-  - istiocontrolplanes
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
  verbs:
  - '*'
 ---
@ -203,14 +217,14 @@ spec:
      serviceAccountName: istio-operator
      containers:
        - name: istio-operator
-          image: gcr.io/istio-testing/operator:master-latest-daily
+          image: gcr.io/istio-testing/operator:1.4-dev
          command:
          - istio-operator
          - server
          imagePullPolicy: Always
          env:
            - name: WATCH_NAMESPACE
-              value: ""
+              value: "istio-operator"
            - name: LEADER_ELECTION_NAMESPACE
              valueFrom:
                fieldRef: