Detect WebhookDescription changes in CSVs

awgreene · awgreene · commit 23181b1d07df · 2020-05-08T14:54:58.000-04:00
Problem:
Once a CSV has reached the Succeeded phase, updating
WebhookDescriptions in the CSV on cluster does not cause OLM to update
existing ValidatingWebhookConfigurations or
MutatingWebhookConfigurations on cluster.

Solution:
Update OLM to calculate if a change to the WebhookDescription has
occurred when a CSV is updated and if so update the on cluster
resources.
diff --git a/pkg/controller/install/webhook.go b/pkg/controller/install/webhook.go
@@ -3,14 +3,17 @@ package install
 import (
 	"context"
 	"fmt"
+	"hash/fnv"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+	hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 
 	log "github.com/sirupsen/logrus"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/rand"
 )
 
 func ValidWebhookRules(rules []admissionregistrationv1.RuleWithOperations) error {
@@ -105,6 +108,7 @@ func (i *StrategyDeploymentInstaller) createOrUpdateMutatingWebhook(ogNamespacel
 		webhook.Webhooks = []admissionregistrationv1.MutatingWebhook{
 			desc.GetMutatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 		}
+		addWebhookLabels(&webhook, desc)
 
 		// Attempt an update
 		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
@@ -151,6 +155,7 @@ func (i *StrategyDeploymentInstaller) createOrUpdateValidatingWebhook(ogNamespac
 		webhook.Webhooks = []admissionregistrationv1.ValidatingWebhook{
 			desc.GetValidatingWebhook(i.owner.GetNamespace(), ogNamespacelabelSelector, caPEM),
 		}
+		addWebhookLabels(&webhook, desc)
 
 		// Attempt an update
 		if _, err := i.strategyClient.GetOpClient().KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), &webhook, metav1.UpdateOptions{}); err != nil {
@@ -162,7 +167,8 @@ func (i *StrategyDeploymentInstaller) createOrUpdateValidatingWebhook(ogNamespac
 	return nil
 }
 
-const WebhookDescKey = "webhookDescriptionGenerateName"
+const WebhookDescKey = "olm.webhook-description-generate-name"
+const WebhookHashKey = "olm.webhook-description-hash"
 
 // addWebhookLabels adds webhook labels to an object
 func addWebhookLabels(object metav1.Object, webhookDesc v1alpha1.WebhookDescription) error {
@@ -171,7 +177,15 @@ func addWebhookLabels(object metav1.Object, webhookDesc v1alpha1.WebhookDescript
 		labels = map[string]string{}
 	}
 	labels[WebhookDescKey] = webhookDesc.GenerateName
+	labels[WebhookHashKey] = HashWebhookDesc(webhookDesc)
 	object.SetLabels(labels)
 
 	return nil
 }
+
+// HashWebhookDesc calculates a hash given a webhookDescription
+func HashWebhookDesc(webhookDesc v1alpha1.WebhookDescription) string {
+	hasher := fnv.New32a()
+	hashutil.DeepHashObject(hasher, &webhookDesc)
+	return rand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
+}
diff --git a/pkg/controller/operators/olm/apiservices.go b/pkg/controller/operators/olm/apiservices.go
@@ -486,3 +486,87 @@ func (a *Operator) updateDeploymentSpecsWithApiServiceData(csv *v1alpha1.Cluster
 	}
 	return strategyDetailsDeployment, nil
 }
+
+func (a *Operator) cleanUpRemovedWebhooks(csv *v1alpha1.ClusterServiceVersion) error {
+	webhookLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+	webhookLabels = ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+	webhookSelector := labels.SelectorFromSet(webhookLabels).String()
+
+	csvWebhookGenerateNames := make(map[string]struct{}, len(csv.Spec.WebhookDefinitions))
+	for _, webhook := range csv.Spec.WebhookDefinitions {
+		csvWebhookGenerateNames[webhook.GenerateName] = struct{}{}
+	}
+
+	// Delete unknown ValidatingWebhooksConfigurations owned by the CSV
+	validatingWebhookConfigurationList, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
+	for _, webhook := range validatingWebhookConfigurationList.Items {
+		webhookGenerateNameLabel, ok := webhook.GetLabels()[install.WebhookDescKey]
+		if !ok {
+			return fmt.Errorf("ValidatingWebhookConfiguration %s does not have WebhookDesc key", webhook.Name)
+		}
+		if _, ok := csvWebhookGenerateNames[webhookGenerateNameLabel]; !ok {
+			err = a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+			if err != nil && k8serrors.IsNotFound(err) {
+				return err
+			}
+		}
+	}
+
+	// Delete unknown MutatingWebhooksConfigurations owned by the CSV
+	mutatingWebhookConfigurationList, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+	if err != nil {
+		return err
+	}
+	for _, webhook := range mutatingWebhookConfigurationList.Items {
+		webhookGenerateNameLabel, ok := webhook.GetLabels()[install.WebhookDescKey]
+		if !ok {
+			return fmt.Errorf("MutatingWebhookConfiguration %s does not have WebhookDesc key", webhook.Name)
+		}
+		if _, ok := csvWebhookGenerateNames[webhookGenerateNameLabel]; !ok {
+			err = a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), webhook.Name, metav1.DeleteOptions{})
+			if err != nil && k8serrors.IsNotFound(err) {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (a *Operator) areWebhooksAvailable(csv *v1alpha1.ClusterServiceVersion) (bool, error) {
+	err := a.cleanUpRemovedWebhooks(csv)
+	if err != nil {
+		return false, err
+	}
+	for _, desc := range csv.Spec.WebhookDefinitions {
+		// Create Webhook Label Selector
+		webhookLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
+		webhookLabels[install.WebhookDescKey] = desc.GenerateName
+		webhookLabels[install.WebhookHashKey] = install.HashWebhookDesc(desc)
+		webhookSelector := labels.SelectorFromSet(webhookLabels).String()
+
+		webhookCount := 0
+		switch desc.Type {
+		case v1alpha1.ValidatingAdmissionWebhook:
+			webhookList, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+			if err != nil {
+				return false, err
+			}
+			webhookCount = len(webhookList.Items)
+		case v1alpha1.MutatingAdmissionWebhook:
+			webhookList, err := a.opClient.KubernetesInterface().AdmissionregistrationV1().MutatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
+			if err != nil {
+				return false, err
+			}
+			webhookCount = len(webhookList.Items)
+		}
+		if webhookCount == 0 {
+			a.logger.Info("Expected Webhook does not exist")
+			return false, nil
+		}
+	}
+	return true, nil
+}
diff --git a/pkg/controller/operators/olm/operator.go b/pkg/controller/operators/olm/operator.go
@@ -1719,15 +1719,17 @@ func (a *Operator) checkReplacementsAndUpdateStatus(csv *v1alpha1.ClusterService
 }
 
 func (a *Operator) updateInstallStatus(csv *v1alpha1.ClusterServiceVersion, installer install.StrategyInstaller, strategy install.Strategy, requeuePhase v1alpha1.ClusterServiceVersionPhase, requeueConditionReason v1alpha1.ConditionReason) error {
-	apiServicesInstalled, apiServiceErr := a.areAPIServicesAvailable(csv)
 	strategyInstalled, strategyErr := installer.CheckInstalled(strategy)
 	now := a.now()
 
 	if strategyErr != nil {
 		a.logger.WithError(strategyErr).Debug("operator not installed")
 	}
 
-	if strategyInstalled && apiServicesInstalled {
+	apiServicesInstalled, apiServiceErr := a.areAPIServicesAvailable(csv)
+	webhooksInstalled, webhookErr := a.areWebhooksAvailable(csv)
+
+	if strategyInstalled && apiServicesInstalled && webhooksInstalled {
 		// if there's no error, we're successfully running
 		csv.SetPhaseWithEventIfChanged(v1alpha1.CSVPhaseSucceeded, v1alpha1.CSVReasonInstallSuccessful, "install strategy completed with no errors", now, a.recorder)
 		return nil
@@ -1753,6 +1755,16 @@ func (a *Operator) updateInstallStatus(csv *v1alpha1.ClusterServiceVersion, inst
 		return fmt.Errorf("APIServices not installed")
 	}
 
+	if !webhooksInstalled || webhookErr != nil {
+		msg := "Webhooks not installed"
+		csv.SetPhaseWithEventIfChanged(requeuePhase, requeueConditionReason, fmt.Sprintf(msg), now, a.recorder)
+		if err := a.csvQueueSet.Requeue(csv.GetNamespace(), csv.GetName()); err != nil {
+			a.logger.Warn(err.Error())
+		}
+
+		return fmt.Errorf(msg)
+	}
+
 	if strategyErr != nil {
 		csv.SetPhaseWithEventIfChanged(requeuePhase, requeueConditionReason, fmt.Sprintf("installing: %s", strategyErr), now, a.recorder)
 		if err := a.csvQueueSet.Requeue(csv.GetNamespace(), csv.GetName()); err != nil {
diff --git a/test/e2e/webhook_e2e_test.go b/test/e2e/webhook_e2e_test.go
@@ -97,7 +97,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			_, err = fetchCSV(GinkgoT(), crc, csv.Name, namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
 
-			actualWebhook, err := getWebhookWithGenName(c, webhook)
+			actualWebhook, err := getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			Expect(actualWebhook.Webhooks[0].NamespaceSelector).Should(Equal(ogSelector))
@@ -136,7 +136,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			_, err = fetchCSV(GinkgoT(), crc, csv.Name, namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
 
-			actualWebhook, err := getWebhookWithGenName(c, webhook)
+			actualWebhook, err := getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			ogLabel, err := getOGLabelKey(og)
@@ -147,6 +147,34 @@ var _ = Describe("CSVs with a Webhook", func() {
 				MatchExpressions: []metav1.LabelSelectorRequirement(nil),
 			}
 			Expect(actualWebhook.Webhooks[0].NamespaceSelector).Should(Equal(expected))
+
+			// Ensure that changes to the WebhookDescription within the CSV trigger an update to on cluster resources
+			changedGenerateName := webhookName + "-changed"
+			Eventually(func() error {
+				existingCSV, err := crc.OperatorsV1alpha1().ClusterServiceVersions(namespace.Name).Get(context.TODO(), csv.GetName(), metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				existingCSV.Spec.WebhookDefinitions[0].GenerateName = changedGenerateName
+
+				existingCSV, err = crc.OperatorsV1alpha1().ClusterServiceVersions(namespace.Name).Update(context.TODO(), existingCSV, metav1.UpdateOptions{})
+				return err
+			}, time.Minute, 5*time.Second).Should(Succeed())
+			Eventually(func() bool {
+				// Previous Webhook should be deleted
+				_, err = getWebhookWithGenerateName(c, webhookName)
+				if err != nil && err.Error() != "NotFound" {
+					return false
+				}
+
+				// Current Webhook should exist
+				_, err = getWebhookWithGenerateName(c, changedGenerateName)
+				if err != nil {
+					return false
+				}
+
+				return true
+			}, time.Minute, 5*time.Second).Should(BeTrue())
 		})
 		It("Fails to install a CSV if multiple Webhooks share the same name", func() {
 			sideEffect := admissionregistrationv1.SideEffectClassNone
@@ -325,7 +353,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			_, err = fetchCSV(GinkgoT(), crc, csv.Name, namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
 
-			_, err = getWebhookWithGenName(c, webhook)
+			_, err = getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			// Update the CSV so it it replaces the existing CSV
@@ -340,7 +368,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			_, err = fetchCSV(GinkgoT(), crc, csv.GetName(), namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
 
-			_, err = getWebhookWithGenName(c, webhook)
+			_, err = getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			// Make sure old resources are cleaned up.
@@ -373,7 +401,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			fetchedCSV, err := fetchCSV(GinkgoT(), crc, csv.Name, namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
 
-			actualWebhook, err := getWebhookWithGenName(c, webhook)
+			actualWebhook, err := getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			oldWebhookCABundle := actualWebhook.Webhooks[0].ClientConfig.CABundle
@@ -411,7 +439,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 			Expect(err).Should(BeNil())
 
 			// get new webhook
-			actualWebhook, err = getWebhookWithGenName(c, webhook)
+			actualWebhook, err = getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			newWebhookCABundle := actualWebhook.Webhooks[0].ClientConfig.CABundle
@@ -449,7 +477,7 @@ var _ = Describe("CSVs with a Webhook", func() {
 
 			_, err = fetchCSV(GinkgoT(), crc, csv.Name, namespace.Name, csvSucceededChecker)
 			Expect(err).Should(BeNil())
-			actualWebhook, err := getWebhookWithGenName(c, webhook)
+			actualWebhook, err := getWebhookWithGenerateName(c, webhook.GenerateName)
 			Expect(err).Should(BeNil())
 
 			expected := &metav1.LabelSelector{
@@ -515,8 +543,8 @@ var _ = Describe("CSVs with a Webhook", func() {
 	})
 })
 
-func getWebhookWithGenName(c operatorclient.ClientInterface, desc v1alpha1.WebhookDescription) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
-	webhookSelector := labels.SelectorFromSet(map[string]string{install.WebhookDescKey: desc.GenerateName}).String()
+func getWebhookWithGenerateName(c operatorclient.ClientInterface, generateName string) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
+	webhookSelector := labels.SelectorFromSet(map[string]string{install.WebhookDescKey: generateName}).String()
 	existingWebhooks, err := c.KubernetesInterface().AdmissionregistrationV1().ValidatingWebhookConfigurations().List(context.TODO(), metav1.ListOptions{LabelSelector: webhookSelector})
 	if err != nil {
 		return nil, err
@@ -525,7 +553,7 @@ func getWebhookWithGenName(c operatorclient.ClientInterface, desc v1alpha1.Webho
 	if len(existingWebhooks.Items) > 0 {
 		return &existingWebhooks.Items[0], nil
 	}
-	return nil, fmt.Errorf("Could not find Webhook")
+	return nil, fmt.Errorf("NotFound")
 }
 
 func createCSVWithWebhook(namespace string, webhookDesc v1alpha1.WebhookDescription) v1alpha1.ClusterServiceVersion {
