
Support Global Operators in Console #326


Merged
Expand Up @@ -53,6 +53,8 @@ spec:
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt
- --protectedCopiedCSVNamespaces
- openshift
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
ports:
2 changes: 2 additions & 0 deletions manifests/0000_50_olm_07-olm-operator.deployment.yaml
Expand Up @@ -53,6 +53,8 @@ spec:
- /srv-cert/tls.key
- --client-ca
- /profile-collector-cert/tls.crt
- --protectedCopiedCSVNamespaces
- openshift
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
ports:
36 changes: 36 additions & 0 deletions manifests/0000_50_olm_15-csv-viewer.rbac.yaml
@@ -0,0 +1,36 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
name: copied-csv-viewer
namespace: openshift
rules:
- apiGroups:
- "operators.coreos.com"
resources:
- "clusterserviceversions"
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
name: copied-csv-viewers
namespace: openshift
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: copied-csv-viewer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
Comment on lines +33 to +36
Contributor

It looks like this might be related to the CI failures:

{  fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:232]: Jul 27 20:24:39.743: system:authenticated has extra permissions in namespace "openshift":
{APIGroups:["operators.coreos.com"], Resources:["clusterserviceversions"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}

Contributor Author

I've opened openshift/origin#27326 to address this.

Contributor

Note: The PR that Alex had linked is now merged. Looking at the e2e-gcp check, it looks like those changes worked, and we're back in business.

35 changes: 35 additions & 0 deletions scripts/generate_crds_manifests.sh
Expand Up @@ -363,6 +363,41 @@ metadata:
release.openshift.io/delete: "true"
EOF

cat << EOF > manifests/0000_50_olm_15-csv-viewer.rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: copied-csv-viewer
namespace: openshift
rules:
- apiGroups:
- "operators.coreos.com"
resources:
- "clusterserviceversions"
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: copied-csv-viewers
namespace: openshift
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: copied-csv-viewer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
EOF

add_ibm_managed_cloud_annotations "${ROOT_DIR}/manifests"

find "${ROOT_DIR}/manifests" -type f -exec $SED -i "/^#/d" {} \;
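Review bot: The RoleBinding written by this heredoc has `system:authenticated` as its only subject, so every authenticated identity, service accounts included, can get, list and watch all ClusterServiceVersions in the `openshift` namespace, and nothing in the script records why that breadth is intended. A CSV carries the operator's install strategy, which may include deployment specs and environment values, so it is worth confirming that nothing sensitive is expected in CSVs copied into this namespace. I would add a comment above the `cat << EOF` line such as `# Copied CSVs in "openshift" are readable by all authenticated users (rationale inferred from the PR title: console listing of global operators); CSVs must not embed secrets.` The comment belongs in the script rather than inside the heredoc, because the later `find ... -exec $SED -i "/^#/d"` step deletes comment lines from the generated manifests. The same binding appears in the generated manifests/0000_50_olm_15-csv-viewer.rbac.yaml.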
8 changes: 8 additions & 0 deletions scripts/olm-deployment.patch.yaml
Expand Up @@ -9,6 +9,14 @@
value:
name: RELEASE_VERSION
value: "0.0.1-snapshot"
- command: update
path: spec.template.spec.containers[0].args[+]
value:
--protectedCopiedCSVNamespaces
- command: update
path: spec.template.spec.containers[0].args[+]
value:
openshift
Comment on lines +12 to +19
Contributor Author

I kept hitting formatting errors when attempting to add 2 lines to the array with a single update command. If anyone knows how to do this in a single update, please chime in.

- command: update
path: spec.template.spec.containers[*].securityContext
value:
4 changes: 4 additions & 0 deletions staging/operator-lifecycle-manager/cmd/olm/main.go
Expand Up @@ -60,6 +60,9 @@ var (
tlsKeyPath = pflag.String(
"tls-key", "", "Path to use for private key (requires tls-cert)")

protectedCopiedCSVNamespaces = pflag.String("protectedCopiedCSVNamespaces",
"", "A comma-delimited set of namespaces where global Copied CSVs will always appear, even if Copied CSVs are disabled")

tlsCertPath = pflag.String(
"tls-cert", "", "Path to use for certificate key (requires tls-key)")

Expand Down Expand Up @@ -162,6 +165,7 @@ func main() {
olm.WithOperatorClient(opClient),
olm.WithRestConfig(config),
olm.WithConfigClient(versionedConfigClient),
olm.WithProtectedCopiedCSVNamespaces(*protectedCopiedCSVNamespaces),
)
if err != nil {
logger.WithError(err).Fatal("error configuring operator")
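Review bot: The new flag is registered as `protectedCopiedCSVNamespaces` while the flags around it in this var block are kebab-case (`tls-key`, `tls-cert`), and it is declared between that pair, which splits two options that reference each other. For consistency I would register it as `pflag.String("protected-copied-csv-namespaces", "", ...)` and move the declaration after `tlsCertPath`; the deployment patch and manifests that pass `--protectedCopiedCSVNamespaces` would need the same rename. The var block and main() both continue outside the hunks shown.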
@@ -1,6 +1,7 @@
package olm

import (
"strings"
"time"

"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer"
Expand All @@ -21,18 +22,19 @@ import (
type OperatorOption func(*operatorConfig)

type operatorConfig struct {
resyncPeriod func() time.Duration
operatorNamespace string
watchedNamespaces []string
clock utilclock.Clock
logger *logrus.Logger
operatorClient operatorclient.ClientInterface
externalClient versioned.Interface
strategyResolver install.StrategyResolverInterface
apiReconciler APIIntersectionReconciler
apiLabeler labeler.Labeler
restConfig *rest.Config
configClient configv1client.Interface
protectedCopiedCSVNamespaces map[string]struct{}
resyncPeriod func() time.Duration
operatorNamespace string
watchedNamespaces []string
clock utilclock.Clock
logger *logrus.Logger
operatorClient operatorclient.ClientInterface
externalClient versioned.Interface
strategyResolver install.StrategyResolverInterface
apiReconciler APIIntersectionReconciler
apiLabeler labeler.Labeler
restConfig *rest.Config
configClient configv1client.Interface
}

func (o *operatorConfig) apply(options []OperatorOption) {
Expand Down Expand Up @@ -77,14 +79,15 @@ func (o *operatorConfig) validate() (err error) {

func defaultOperatorConfig() *operatorConfig {
return &operatorConfig{
resyncPeriod: queueinformer.ResyncWithJitter(30*time.Second, 0.2),
operatorNamespace: "default",
watchedNamespaces: []string{metav1.NamespaceAll},
clock: utilclock.RealClock{},
logger: logrus.New(),
strategyResolver: &install.StrategyResolver{},
apiReconciler: APIIntersectionReconcileFunc(ReconcileAPIIntersection),
apiLabeler: labeler.Func(LabelSetsFor),
resyncPeriod: queueinformer.ResyncWithJitter(30*time.Second, 0.2),
operatorNamespace: "default",
watchedNamespaces: []string{metav1.NamespaceAll},
clock: utilclock.RealClock{},
logger: logrus.New(),
strategyResolver: &install.StrategyResolver{},
apiReconciler: APIIntersectionReconcileFunc(ReconcileAPIIntersection),
apiLabeler: labeler.Func(LabelSetsFor),
protectedCopiedCSVNamespaces: map[string]struct{}{},
}
}

Expand Down Expand Up @@ -112,6 +115,18 @@ func WithLogger(logger *logrus.Logger) OperatorOption {
}
}

func WithProtectedCopiedCSVNamespaces(namespaces string) OperatorOption {
return func(config *operatorConfig) {
if namespaces == "" {
return
}

for _, ns := range strings.Split(namespaces, ",") {
config.protectedCopiedCSVNamespaces[ns] = struct{}{}
}
}
}

func WithClock(clock utilclock.Clock) OperatorOption {
return func(config *operatorConfig) {
config.clock = clock
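Review bot: WithProtectedCopiedCSVNamespaces stores each `strings.Split` element verbatim, so a value such as `openshift, foo` registers ` foo` with a leading space and a trailing comma registers the empty string. A padded name will never match a real namespace, so the protection is silently skipped, and an empty key is the same value as `metav1.NamespaceAll`, which could be read as every namespace depending on how the set is consumed (the consumer is not visible here). Trimming and skipping empties inside the loop avoids both: `if ns = strings.TrimSpace(ns); ns != "" { config.protectedCopiedCSVNamespaces[ns] = struct{}{} }`. The exported option also has no doc comment; something like `// WithProtectedCopiedCSVNamespaces sets the comma-delimited namespaces where copied CSVs always appear, even if Copied CSVs are disabled.` would fit.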