pkg/controller: Fix panic when creating cluster-scoped RBAC in OG controller

timflannagan · timflannagan · commit 09d1e58eaa60 · 2021-09-08T19:55:18.000-04:00
Fixes [#2091](#2091). This is a follow-up to [#2309](#2309) that attempted to fix the original issue. When checking whether the ClusterRole/ClusterRoleBinding resources already exist, we're also checking whether the existing labels are owned by the CSV we're currently handling. When accessing the "cr" or "crb" variables that the Create calls output, a panic is produced as we're attempting to access the meta.Labels key from those resources, except those resources themselves are nil. Update the check to instead use the static type instead to avoid a panic. Signed-off-by: timflannagan <timflannagan@gmail.com>
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -531,13 +531,11 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 				}),
 			}
 			// TODO: this should do something smarter if the cluster role already exists
-			if cr, err := a.opClient.CreateClusterRole(clusterRole); err != nil {
-				// if the CR already exists, but the label is correct, the cache is just behind
-				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(cr, csv) {
+			if _, err := a.opClient.CreateClusterRole(clusterRole); err != nil {
+				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(clusterRole, csv) {
 					continue
-				} else {
-					return err
 				}
+				return err
 			}
 			a.logger.Debug("created cluster role")
 		}
@@ -571,13 +569,12 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 				},
 			}
 			// TODO: this should do something smarter if the cluster role binding already exists
-			if crb, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {
+			if _, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {
 				// if the CR already exists, but the label is correct, the cache is just behind
-				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(crb, csv) {
+				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(clusterRoleBinding, csv) {
 					continue
-				} else {
-					return err
 				}
+				return err
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -531,13 +531,11 @@ func (a Operator) ensureSingletonRBAC(operatorNamespace string, csv v1alpha1.C`
`531`	`531`	`}),`
`532`	`532`	`}`
`533`	`533`	`// TODO: this should do something smarter if the cluster role already exists`
`534`		`- if cr, err := a.opClient.CreateClusterRole(clusterRole); err != nil {`
`535`		`- // if the CR already exists, but the label is correct, the cache is just behind`
`536`		`- if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(cr, csv) {`
	`534`	`+ if _, err := a.opClient.CreateClusterRole(clusterRole); err != nil {`
	`535`	`+ if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(clusterRole, csv) {`
`537`	`536`	`continue`
`538`		`- } else {`
`539`		`- return err`
`540`	`537`	`}`
	`538`	`+ return err`
`541`	`539`	`}`
`542`	`540`	`a.logger.Debug("created cluster role")`
`543`	`541`	`}`
`@@ -571,13 +569,12 @@ func (a Operator) ensureSingletonRBAC(operatorNamespace string, csv v1alpha1.C`
`571`	`569`	`},`
`572`	`570`	`}`
`573`	`571`	`// TODO: this should do something smarter if the cluster role binding already exists`
`574`		`- if crb, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {`
	`572`	`+ if _, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {`
`575`	`573`	`// if the CR already exists, but the label is correct, the cache is just behind`
`576`		`- if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(crb, csv) {`
	`574`	`+ if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(clusterRoleBinding, csv) {`
`577`	`575`	`continue`
`578`		`- } else {`
`579`		`- return err`
`580`	`576`	`}`
	`577`	`+ return err`
`581`	`578`	`}`
`582`	`579`	`}`
`583`	`580`	`}`