Release v0.7.0 (#266)

* Bump version

Signed-off-by: Waldemar Quevedo <wally@synadia.com>

* Add example for cluster scoped mode and service accs

Signed-off-by: Waldemar Quevedo <wally@synadia.com>

deploy/10-deployment.yaml

@@ -18,7 +18,7 @@ spec:
       serviceAccountName: nats-operator
       containers:
       - name: nats-operator
-        image: connecteverything/nats-operator:0.6.2
+        image: connecteverything/nats-operator:0.7.0
         imagePullPolicy: IfNotPresent
         args:
         - nats-operator

example/example-cluster-service-accounts.yaml

@@ -73,7 +73,7 @@ spec:
   containers:
     - name: nats-ops
       command: ["/bin/sh"]
-      image: "wallyqs/nats-ops:latest"
+      image: "synadia/nats-box:latest"
       tty: true
       stdin: true
       stdinOnce: true
@@ -104,7 +104,7 @@ spec:
   containers:
     - name: nats-ops
       command: ["/bin/sh"]
-      image: "wallyqs/nats-ops:latest"
+      image: "synadia/nats-box:latest"
       tty: true
       stdin: true
       stdinOnce: true

example/example-svc-accounts-diff-namespaces.yaml

@@ -0,0 +1,134 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nats-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-app-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-admin-app-ns
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsCluster
+metadata:
+  name: nats-cluster
+  namespace: nats-system
+spec:
+  size: 3
+  version: "2.1.7"
+  pod:
+    enableConfigReload: true
+  auth:
+    enableServiceAccounts: true
+
+# In cluster scope mode, the token secret will be created at the same namespace
+# where the ServiceAccount is created.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-admin-user
+  namespace: my-admin-app-ns
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-user
+  namespace: my-app-ns
+
+# In cluster scope mode, the NatsServiceRole definitions have to be created
+# in the same namespace as the nats cluster.
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsServiceRole
+metadata:
+  name: nats-user
+  namespace: nats-system
+
+  # Specifies which NATS cluster will be mapping this account,
+  # (have to create a service role with permission per cluster).
+  labels:
+    nats_cluster: nats-cluster
+spec:
+  permissions:
+    publish: ["foo.*", "foo.bar.quux"]
+    subscribe: ["foo.bar", "greetings", "hello.world"]
+---
+apiVersion: nats.io/v1alpha2
+kind: NatsServiceRole
+metadata:
+  name: nats-admin-user
+  namespace: nats-system
+  labels:
+    nats_cluster: nats-cluster
+spec:
+  permissions:
+    publish: [">"]
+    subscribe: [">"]
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nats-user-pod
+  namespace: my-app-ns
+spec:
+  volumes:
+    - name: "token"
+      projected:
+        sources:
+        - secret:
+            name: "nats-user-nats-cluster-bound-token"
+            items:
+              - key: token
+                path: "token"
+  restartPolicy: Never
+  containers:
+    - name: nats-ops
+      command: ["/bin/sh"]
+      image: "synadia/nats-box:latest"
+      tty: true
+      stdin: true
+      stdinOnce: true
+
+      # Service Account Token is mounted via projected volume.
+      volumeMounts:
+      - name: "token"
+        mountPath: "/var/run/secrets/nats.io"
+        readOnly: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nats-admin-user-pod
+  namespace: my-admin-app-ns
+spec:
+  volumes:
+    - name: "token"
+      projected:
+        sources:
+        - secret:
+            name: "nats-admin-user-nats-cluster-bound-token"
+            items:
+              - key: token
+                path: "token"
+  restartPolicy: Never
+  containers:
+    - name: nats-ops
+      command: ["/bin/sh"]
+      image: "synadia/nats-box:latest"
+      tty: true
+      stdin: true
+      stdinOnce: true
+
+      # Service Account Token is mounted via projected volume.
+      volumeMounts:
+      - name: "token"
+        mountPath: "/var/run/secrets/nats.io"
+        readOnly: true

example/nats-operator-cluster-scoped-rbac.yaml

@@ -0,0 +1,109 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-operator
+  namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-operator-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-operator
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nats-operator
+rules:
+# Allow creating CRDs
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs: ["get", "list", "create", "update", "watch"]
+
+# Allow all actions on NATS Operator manager CRDs
+- apiGroups:
+  - nats.io
+  resources:
+  - natsclusters
+  - natsserviceroles
+  verbs: ["*"]
+
+# Allowed actions on Pods
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Services
+- apiGroups: [""]
+  resources:
+  - services
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Secrets
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+# Allow all actions on some special subresources
+- apiGroups: [""]
+  resources:
+  - pods/exec
+  - pods/log
+  - serviceaccounts/token
+  - events
+  verbs: ["*"]
+
+# Allow listing Namespaces and ServiceAccounts
+- apiGroups: [""]
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs: ["list", "get", "watch"]
+
+# Allow actions on Endpoints
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-server
+  namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nats-server
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-server-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-server
+subjects:
+- kind: ServiceAccount
+  name: nats-server
+  namespace: nats-io

example/nats-operator-cluster-scoped.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nats-io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nats-operator
+  namespace: nats-io
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: nats-operator
+  template:
+    metadata:
+      labels:
+        name: nats-operator
+    spec:
+      serviceAccountName: nats-operator
+      containers:
+      - name: nats-operator
+        image: connecteverything/nats-operator:0.7.0
+        imagePullPolicy: IfNotPresent
+        args:
+        - nats-operator
+        - --feature-gates=ClusterScoped=true
+        ports:
+        - name: readyz
+          containerPort: 8080
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: readyz
+          initialDelaySeconds: 15
+          timeoutSeconds: 3

version/version.go

@@ -1,4 +1,4 @@
-// Copyright 2017-2019 The nats-operator Authors
+// Copyright 2017-2020 The nats-operator Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,6 +15,6 @@
 package version
 
 var (
-	OperatorVersion = "0.6.4-v1alpha2+git"
+	OperatorVersion = "0.7.0"
 	GitSHA          = "Not provided"
 )