Add ownership annotations to new and existing olm-managed secrets

As a part of certificates ownership work, all of new and existing secrets that are created with
certificate information need to have ownership annotations. New secrets that are created with OLM
certresources controller will have new ownership annotations injected at creation/update time. The
existing olm-managed secrets that don't have the required annotations will get reconciled at startup
when olm operator is restarted/redeployed. This PR only add OpenShift owning component annotation
and the description annotation can be added later.

Signed-off-by: Vu Dinh <[email protected]>

Author: dinhxuanvu

manifests/0000_50_olm_00-pprof-secret.yaml

@@ -6,6 +6,7 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/create-only: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
+    openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager"
   name: pprof-cert
   namespace: openshift-operator-lifecycle-manager
 type: kubernetes.io/tls

microshift-manifests/0000_50_olm_00-pprof-secret.yaml

@@ -6,6 +6,7 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/create-only: "true"
     capability.openshift.io/name: "OperatorLifecycleManager"
+    openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager"
   name: pprof-cert
   namespace: openshift-operator-lifecycle-manager
 type: kubernetes.io/tls

staging/operator-lifecycle-manager/cmd/olm/main.go

@@ -224,6 +224,11 @@ func main() {
 		go monitor.Run(op.Done())
 	}
 
+	// Reconcile all olm-managed secrets to add ownership annotations if not existed
+	if err = op.EnsureSecretOwnershipAnnotations; err != nil {
+		logger.WithError(err).Fatal("error injecting ownership annotations to existing olm-managed secrets")
+	}
+
 	// Start the controller manager
 	if err := mgr.Start(ctx); err != nil {
 		logger.WithError(err).Fatal("controller manager stopped")

staging/operator-lifecycle-manager/pkg/controller/install/certresources.go

@@ -42,6 +42,10 @@ const (
 	// olm managed label
 	OLMManagedLabelKey   = "olm.managed"
 	OLMManagedLabelValue = "true"
+	// Use this const for now to avoid openshift/api bump
+	// TODO: Bump openshift/api and remove this const
+	OpenShiftComponent     = "openshift.io/owning-component"
+	OLMOwnershipAnnotation = "Operator Framework / operator-lifecycle-manager"
 )
 
 type certResource interface {
@@ -300,6 +304,11 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 	}
 	caHash := certs.PEMSHA256(caPEM)
 
+	annotations := map[string]string{
+		OpenShiftComponent:     OLMOwnershipAnnotation,
+		OLMCAHashAnnotationKey: caHash,
+	}
+
 	secret := &corev1.Secret{
 		Data: map[string][]byte{
 			"tls.crt":   certPEM,
@@ -310,8 +319,8 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 	}
 	secret.SetName(SecretName(service.GetName()))
 	secret.SetNamespace(i.owner.GetNamespace())
-	secret.SetAnnotations(map[string]string{OLMCAHashAnnotationKey: caHash})
 	secret.SetLabels(map[string]string{OLMManagedLabelKey: OLMManagedLabelValue})
+	secret.SetAnnotations(annotations)
 
 	existingSecret, err := i.strategyClient.GetOpLister().CoreV1().SecretLister().Secrets(i.owner.GetNamespace()).Get(secret.GetName())
 	if err == nil {
@@ -322,7 +331,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 
 		// Attempt an update
 		// TODO: Check that the secret was not modified
-		if existingCAPEM, ok := existingSecret.Data[OLMCAPEMKey]; ok && !ShouldRotateCerts(i.owner.(*v1alpha1.ClusterServiceVersion)) {
+		if existingCAPEM, ok := existingSecret.Data[OLMCAPEMKey]; ok && !ShouldRotateCerts(i.owner.(*v1alpha1.ClusterServiceVersion)) && existingSecret.Annotations[OpenShiftComponent] != "" {
 			logger.Warnf("reusing existing cert %s", secret.GetName())
 			secret = existingSecret
 			caPEM = existingCAPEM

staging/operator-lifecycle-manager/pkg/controller/operators/olm/operator.go

@@ -2900,3 +2900,27 @@ func (a *Operator) ensureLabels(in *v1alpha1.ClusterServiceVersion, labelSets ..
 	out, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(out.GetNamespace()).Update(context.TODO(), out, metav1.UpdateOptions{})
 	return out, err
 }
+
+// syncSecret adds required ownership annotations to olm-managed secrets
+func (a *Operator) EnsureSecretOwnershipAnnotations() error {
+	secrets, err := a.lister.CoreV1().SecretLister().List(labels.SelectorFromSet(labels.Set{install.OLMManagedLabelKey: install.OLMManagedLabelValue}))
+	if err != nil {
+		return err
+	}
+	for _, secret := range secrets {
+		if secret.Annotations[install.OpenShiftComponent] == "" {
+			secret.Annotations[install.OpenShiftComponent] = install.OLMOwnershipAnnotation
+			logger := a.logger.WithFields(logrus.Fields{
+				"name":      secret.GetName(),
+				"namespace": secret.GetNamespace(),
+				"self":      secret.GetSelfLink(),
+			})
+			logger.Debug("injecting ownership annotations to existing secret")
+			if _, updateErr := a.opClient.UpdateSecret(secret); updateErr != nil {
+				logger.WithError(err).Warn("error adding ownership annotations to existing secret")
+				return err
+			}
+		}
+	}
+	return nil
+}