Replace current ServiceAccount used in pods under test (#47)

* Replace current ServiceAccount used in pods under test

* Allow creation of the resources we want to include in this change

testpmd-lb-operator/config/rbac/role.yaml

@@ -78,4 +78,33 @@ rules:
       - privileged
     verbs:
       - use
+  ##
+  ## Rules to allow the creation of ServiceAccount, Role and RoleBinding
+  ## for the pods deployed by this operator
+  ##
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
+      - roles
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
 # +kubebuilder:scaffold:rules

testpmd-lb-operator/roles/loadbalancer/tasks/main.yml

@@ -39,6 +39,21 @@
   loop_control:
     loop_var: network_item
 
+- name: Create ServiceAccount for LoadBalancer resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'service_account.yml') }}"
+
+- name: Create Role for LoadBalancer resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'role.yml') }}"
+
+- name: Create RoleBinding for LoadBalancer resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'role_binding.yml') }}"
+
 - name: Create LoadBalancer deployment
   k8s:
     state: present

testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml

@@ -41,7 +41,7 @@ spec:
                 - cnf-app
                 - pkt-gen
             topologyKey: kubernetes.io/hostname
-      serviceAccountName: testpmd-lb-operator-controller-manager
+      serviceAccountName: loadbalancer-account
 {% if numa_aware_topology is defined and numa_aware_topology | length %}
       schedulerName: "{{ numa_aware_topology }}"
 {% endif %}

testpmd-lb-operator/roles/loadbalancer/templates/role.yml

@@ -0,0 +1,82 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: loadbalancer-role
+  namespace: example-cnf
+rules:
+  ##
+  ## Base operator rules
+  ##
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - pods
+      - pods/exec
+      - pods/log
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  ##
+  ## Rules for examplecnf.openshift.io/v1, Kind: LoadBalancer
+  ##
+  - apiGroups:
+      - examplecnf.openshift.io
+    resources:
+      - loadbalancers
+      - loadbalancers/status
+      - loadbalancers/finalizers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - examplecnf.openshift.io
+    resources:
+      - cnfappmacs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - k8s.cni.cncf.io
+    resources:
+      - network-attachment-definitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - privileged
+    verbs:
+      - use
+# +kubebuilder:scaffold:rules

testpmd-lb-operator/roles/loadbalancer/templates/role_binding.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: loadbalancer-rolebinding
+  namespace: example-cnf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: loadbalancer-role
+subjects:
+- kind: ServiceAccount
+  name: loadbalancer-account
+  namespace: example-cnf

testpmd-lb-operator/roles/loadbalancer/templates/service_account.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loadbalancer-account
+  namespace: example-cnf

testpmd-operator/config/rbac/role.yaml

@@ -70,4 +70,33 @@ rules:
       - privileged
     verbs:
       - use
+  ##
+  ## Rules to allow the creation of ServiceAccount, Role and RoleBinding
+  ## for the pods deployed by this operator
+  ##
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
+      - roles
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
 # +kubebuilder:scaffold:rules

testpmd-operator/roles/testpmd/tasks/main.yml

@@ -61,6 +61,21 @@
   debug:
     var: network_resources
 
+- name: Create ServiceAccount for TestPMD resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'service_account.yml') }}"
+
+- name: Create Role for TestPMD resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'role.yml') }}"
+
+- name: Create RoleBinding for TestPMD resource
+  k8s:
+    state: present
+    definition: "{{ lookup('template', 'role_binding.yml') }}"
+
 - name: Create TestPMD deployment
   community.kubernetes.k8s:
     state: present

testpmd-operator/roles/testpmd/templates/deployment.yml

@@ -45,7 +45,7 @@ spec:
                 values:
                 - lb-app
             topologyKey: kubernetes.io/hostname
-      serviceAccountName: testpmd-operator-controller-manager
+      serviceAccountName: testpmd-account
 {% if high_perf_runtime is defined and high_perf_runtime|length %}
       runtimeClassName: "{{ high_perf_runtime }}"
 {% endif %}

testpmd-operator/roles/testpmd/templates/role.yml

@@ -0,0 +1,74 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: testpmd-role
+  namespace: example-cnf
+rules:
+  ##
+  ## Base operator rules
+  ##
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - pods
+      - pods/exec
+      - pods/log
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  ##
+  ## Rules for examplecnf.openshift.io/v1, Kind: TestPMD
+  ##
+  - apiGroups:
+      - examplecnf.openshift.io
+    resources:
+      - testpmds
+      - testpmds/status
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - k8s.cni.cncf.io
+    resources:
+      - network-attachment-definitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - privileged
+    verbs:
+      - use
+# +kubebuilder:scaffold:rules

testpmd-operator/roles/testpmd/templates/role_binding.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: testpmd-rolebinding
+  namespace: example-cnf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: testpmd-role
+subjects:
+- kind: ServiceAccount
+  name: testpmd-account
+  namespace: example-cnf

testpmd-operator/roles/testpmd/templates/service_account.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: testpmd-account
+  namespace: example-cnf

trex-operator/config/rbac/role.yaml

@@ -139,4 +139,33 @@ rules:
       - get
       - list
       - watch
+  ##
+  ## Rules to allow the creation of ServiceAccount, Role and RoleBinding
+  ## for the pods deployed by this operator
+  ##
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
+      - roles
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
 # +kubebuilder:scaffold:rules

trex-operator/roles/app/tasks/job-check.yml

@@ -20,8 +20,25 @@
   when:
     - "'failed' not in item.status or item.status.failed != 1"
 
-- name: create trexapp job
-  k8s:
-    state: present
-    definition: "{{ lookup('template', 'job.yml') }}"
-  when: "active_jobs|int == 0"
+- name: trexapp job creation
+  when: "active_jobs|int == 0"  
+  block:
+    - name: Create ServiceAccount for trexapp job resource
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'service_account.yml') }}"
+
+    - name: Create Role for trexapp job resource
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'role.yml') }}"
+
+    - name: Create RoleBinding for trexapp job resource
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'role_binding.yml') }}"
+
+    - name: create trexapp job
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'job.yml') }}"