✨ Cherry pick enable-sync-lables to 0.13 (#515)

* sync labels from klusterlet to all agent resources (#475)

Signed-off-by: Zhiwei Yin <[email protected]>

* add enable-sync-labels flag to klusterlet operator (#505)

Signed-off-by: Zhiwei Yin <[email protected]>

* fix issue that pull secret and ns are synced labels when enable-sync-labels is disabled (#511)

Signed-off-by: Zhiwei Yin <[email protected]>

---------

Signed-off-by: Zhiwei Yin <[email protected]>

manifests/klusterlet/managed/klusterlet-registration-clusterrole-addon-management.yaml

@@ -7,6 +7,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-registration:addon-management
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # Allow agent to get/list/watch/create/delete/update/patch secrets.
 - apiGroups: [""]

manifests/klusterlet/managed/klusterlet-registration-clusterrole.yaml

@@ -4,6 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-registration:agent
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # Allow agent to get/list/watch nodes
 # list nodes to calculates the capacity and allocatable resources of the managed cluster

manifests/klusterlet/managed/klusterlet-registration-clusterrolebinding-addon-management.yaml

@@ -7,6 +7,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-registration:addon-management
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-registration-clusterrolebinding.yaml

@@ -3,6 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-registration:agent
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-registration-serviceaccount.yaml

@@ -3,5 +3,11 @@ kind: ServiceAccount
 metadata:
   name: {{ .RegistrationServiceAccount }}
   namespace: {{ .KlusterletNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 imagePullSecrets:
 - name: open-cluster-management-image-pull-credentials

manifests/klusterlet/managed/klusterlet-work-clusterrole-execution.yaml

@@ -6,6 +6,11 @@ metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:execution
   labels:
     open-cluster-management.io/aggregate-to-work: "true"
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # Allow agent to get/list/watch/create/delete crds.
 - apiGroups: ["apiextensions.k8s.io"]

manifests/klusterlet/managed/klusterlet-work-clusterrole.yaml

@@ -4,6 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:agent
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # Allow agent to managed appliedmanifestworks
 - apiGroups: ["work.open-cluster-management.io"]

manifests/klusterlet/managed/klusterlet-work-clusterrolebinding-aggregate.yaml

@@ -4,6 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:aggregate
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-work-clusterrolebinding-execution-admin.yaml

@@ -4,6 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:execution-admin
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-work-clusterrolebinding-execution.yaml

@@ -3,6 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:execution
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-work-clusterrolebinding.yaml

@@ -3,6 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:agent
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/managed/klusterlet-work-serviceaccount.yaml

@@ -3,5 +3,11 @@ kind: ServiceAccount
 metadata:
   name: {{ .WorkServiceAccount }}
   namespace: {{ .KlusterletNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 imagePullSecrets:
 - name: open-cluster-management-image-pull-credentials

manifests/klusterlet/management/klusterlet-agent-deployment.yaml

@@ -5,7 +5,11 @@ metadata:
   namespace: {{ .AgentNamespace }}
   labels:
     app: klusterlet-agent
-    createdBy: klusterlet
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 spec:
   replicas: {{ .Replica }}
   selector:
@@ -17,6 +21,11 @@ spec:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: klusterlet-agent
+        {{ if gt (len .Labels) 0 }}
+        {{ range $key, $value := .Labels }}
+        {{ $key }}: {{ $value }}
+        {{ end }}
+        {{ end }}
     spec:
       {{if .HubApiServerHostAlias }}
       hostAliases:

manifests/klusterlet/management/klusterlet-registration-clusterrole-addon-management.yaml

@@ -4,6 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-registration:addon-management
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # Allow agent to get/list/watch/create/delete/update/patch secrets, registration agent needs secret permission for an 
 # arbitrary namespace to create hub-kubeconfig secret for an addon

manifests/klusterlet/management/klusterlet-registration-clusterrolebinding-addon-management.yaml

@@ -5,6 +5,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-registration:addon-management
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterlet/management/klusterlet-registration-deployment.yaml

@@ -5,7 +5,11 @@ metadata:
   namespace: {{ .AgentNamespace }}
   labels:
     app: klusterlet-registration-agent
-    createdBy: klusterlet
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 spec:
   replicas: {{ .Replica }}
   selector:
@@ -17,6 +21,11 @@ spec:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: klusterlet-registration-agent
+        {{ if gt (len .Labels) 0 }}
+        {{ range $key, $value := .Labels }}
+        {{ $key }}: {{ $value }}
+        {{ end }}
+        {{ end }}
     spec:
       {{if .HubApiServerHostAlias }}
       hostAliases:

manifests/klusterlet/management/klusterlet-registration-role.yaml

@@ -5,6 +5,12 @@ kind: Role
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-registration:agent
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # leader election needs to operate configmaps and leases
 - apiGroups: [""]

manifests/klusterlet/management/klusterlet-registration-rolebinding-extension-apiserver.yaml

@@ -3,6 +3,12 @@ kind: RoleBinding
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-registration:agent
   namespace: kube-system
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/klusterlet/management/klusterlet-registration-rolebinding.yaml

@@ -4,6 +4,12 @@ kind: RoleBinding
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-registration:agent
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/klusterlet/management/klusterlet-registration-serviceaccount.yaml

@@ -3,5 +3,11 @@ kind: ServiceAccount
 metadata:
   name: {{ .RegistrationServiceAccount }}
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 imagePullSecrets:
 - name: open-cluster-management-image-pull-credentials

manifests/klusterlet/management/klusterlet-role-extension-apiserver.yaml

@@ -7,6 +7,12 @@ kind: Role
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}:extension-apiserver
   namespace: kube-system
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 - apiGroups: [""]
   resources: ["configmaps"]

manifests/klusterlet/management/klusterlet-work-deployment.yaml

@@ -5,7 +5,11 @@ metadata:
   namespace: {{ .AgentNamespace }}
   labels:
     app: klusterlet-manifestwork-agent
-    createdBy: klusterlet
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 spec:
   replicas: {{ .Replica }}
   selector:
@@ -17,6 +21,11 @@ spec:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: klusterlet-manifestwork-agent
+        {{ if gt (len .Labels) 0 }}
+        {{ range $key, $value := .Labels }}
+        {{ $key }}: {{ $value }}
+        {{ end }}
+        {{ end }}
     spec:
       {{if .HubApiServerHostAlias }}
       hostAliases:

manifests/klusterlet/management/klusterlet-work-role.yaml

@@ -5,6 +5,12 @@ kind: Role
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-work:agent
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 rules:
 # leader election needs to operate configmaps and leases
 - apiGroups: [""]

manifests/klusterlet/management/klusterlet-work-rolebinding-extension-apiserver.yaml

@@ -3,6 +3,12 @@ kind: RoleBinding
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-work:agent
   namespace: kube-system
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/klusterlet/management/klusterlet-work-rolebinding.yaml

@@ -4,6 +4,12 @@ kind: RoleBinding
 metadata:
   name: open-cluster-management:management:{{ .KlusterletName }}-work:agent
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/klusterlet/management/klusterlet-work-serviceaccount.yaml

@@ -3,5 +3,11 @@ kind: ServiceAccount
 metadata:
   name: {{ .WorkServiceAccount }}
   namespace: {{ .AgentNamespace }}
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 imagePullSecrets:
 - name: open-cluster-management-image-pull-credentials

manifests/klusterletkube111/klusterlet-registration-operator-clusterrolebinding.yaml

@@ -3,6 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-registration-operator:operator-kube111
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifests/klusterletkube111/klusterlet-work-clusterrolebinding.yaml

@@ -3,6 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: open-cluster-management:{{ .KlusterletName }}-work:agent-kube111
+  labels:
+    {{ if gt (len .Labels) 0 }}
+    {{ range $key, $value := .Labels }}
+    {{ $key }}: {{ $value }}
+    {{ end }}
+    {{ end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole