Merge pull request #1447 from exdx/feat/support-secrets

feat: support secrets from bundle

Author: ecordell

pkg/api/apis/operators/installplan_types.go

@@ -354,6 +354,10 @@ type StepResource struct {
 	Kind                   string
 	Name                   string
 	Manifest               string
+	// BundleSecret is a one-off flag for handling secrets from a user bundle versus from the catalog source.
+	// This field is handled internally by OLM and should not be exposed by the API. 
+	// Longer term StepResources will be refactored.
+	BundleSecret           bool
 }
 
 func (r StepResource) String() string {

pkg/api/apis/operators/v1alpha1/installplan_types.go

@@ -322,6 +322,7 @@ type StepResource struct {
 	Kind                   string `json:"kind"`
 	Name                   string `json:"name"`
 	Manifest               string `json:"manifest,omitempty"`
+	BundleSecret           bool   `json:"bundleSecret"`
 }
 
 func (r StepResource) String() string {

pkg/api/apis/operators/v1alpha1/zz_generated.conversion.go

@@ -1518,6 +1518,21 @@ func (o *Operator) ExecutePlan(plan *v1alpha1.InstallPlan) error {
 				plan.Status.Plan[i].Status = status
 
 			case secretKind:
+				if step.Resource.BundleSecret {
+					var s corev1.Secret
+					err := json.Unmarshal([]byte(step.Resource.Manifest), &s)
+					if err != nil {
+						return errorwrap.Wrapf(err, "error parsing step manifest: %s", step.Resource.Name)
+					}
+					status, err := ensurer.EnsureBundleSecret(plan.Namespace, &s)
+					if err != nil {
+						return err
+					}
+
+					plan.Status.Plan[i].Status = status
+					continue
+				}
+
 				status, err := ensurer.EnsureSecret(o.namespace, plan.GetNamespace(), step.Resource.Name)
 				if err != nil {
 					return err

pkg/controller/operators/catalog/operator.go

@@ -424,6 +424,50 @@ func TestExecutePlan(t *testing.T) {
 			want: []runtime.Object{configmap("cfg", namespace)},
 			err:  nil,
 		},
+		{
+			testName: "CreateSecretFromBundle",
+			in: withSteps(installPlan("p", namespace, v1alpha1.InstallPlanPhaseInstalling, "csv"),
+				[]*v1alpha1.Step{
+					{
+						Resource: v1alpha1.StepResource{
+							CatalogSource:          "catalog",
+							CatalogSourceNamespace: namespace,
+							Group:                  "",
+							Version:                "v1",
+							Kind:                   "Secret",
+							Name:                   "s",
+							Manifest:               toManifest(t, secret("s", namespace)),
+							BundleSecret:           true,
+						},
+						Status: v1alpha1.StepStatusUnknown,
+					},
+				},
+			),
+			want: []runtime.Object{secret("s", namespace)},
+			err:  nil,
+		},
+		{
+			testName: "DoesNotCreateSecretNotFromBundle",
+			in: withSteps(installPlan("p", namespace, v1alpha1.InstallPlanPhaseInstalling, "csv"),
+				[]*v1alpha1.Step{
+					{
+						Resource: v1alpha1.StepResource{
+							CatalogSource:          "catalog",
+							CatalogSourceNamespace: namespace,
+							Group:                  "",
+							Version:                "v1",
+							Kind:                   "Secret",
+							Name:                   "s",
+							Manifest:               toManifest(t, secret("s", namespace)),
+							BundleSecret:           false,
+						},
+						Status: v1alpha1.StepStatusUnknown,
+					},
+				},
+			),
+			want: []runtime.Object{},
+			err:  fmt.Errorf("secret s does not exist - secrets \"s\" not found"),
+		},
 		{
 			testName: "UpdateServiceAccountWithSameFields",
 			in: withSteps(installPlan("p", namespace, v1alpha1.InstallPlanPhaseInstalling, "csv"),
@@ -1388,6 +1432,15 @@ func service(name, namespace string) *corev1.Service {
 	}
 }
 
+func secret(name, namespace string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+	}
+}
+
 func serviceAccount(name, namespace, generateName string, secretRef *corev1.ObjectReference) *corev1.ServiceAccount {
 	if secretRef == nil {
 		return &corev1.ServiceAccount{

pkg/controller/operators/catalog/operator_test.go

@@ -109,6 +109,30 @@ func (o *StepEnsurer) EnsureSecret(operatorNamespace, planNamespace, name string
 	return
 }
 
+// EnsureBundleSecret creates user-specified secrets from the bundle. Called when StepResource.Secret is true
+func (o *StepEnsurer) EnsureBundleSecret(namespace string, secret *corev1.Secret) (status v1alpha1.StepStatus, err error) {
+	_, createErr := o.kubeClient.KubernetesInterface().CoreV1().Secrets(namespace).Create(secret)
+	if createErr == nil {
+		status = v1alpha1.StepStatusCreated
+		return
+	}
+
+	if !k8serrors.IsAlreadyExists(createErr) {
+		err = errorwrap.Wrapf(createErr, "error updating secret: %s", secret.GetName())
+		return
+	}
+
+	secret.SetNamespace(namespace)
+	// NOTE: any annotations/changes applied to the secret are lost
+	if _, updateErr := o.kubeClient.UpdateSecret(secret); updateErr != nil {
+		err = errorwrap.Wrapf(updateErr, "error updating secret: %s", secret.GetName())
+		return
+	}
+
+	status = v1alpha1.StepStatusPresent
+	return
+}
+
 // EnsureServiceAccount writes the specified ServiceAccount object to the cluster.
 func (o *StepEnsurer) EnsureServiceAccount(namespace string, sa *corev1.ServiceAccount) (status v1alpha1.StepStatus, err error) {
 	_, createErr := o.kubeClient.KubernetesInterface().CoreV1().ServiceAccounts(namespace).Create(sa)

pkg/controller/operators/catalog/step_ensurer.go

@@ -20,6 +20,10 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
+const (
+	secretKind = "Secret"
+)
+
 var (
 	scheme = runtime.NewScheme()
 )
@@ -71,6 +75,13 @@ func NewStepResourceFromObject(obj runtime.Object, catalogSourceName, catalogSou
 		CatalogSourceNamespace: catalogSourceNamespace,
 	}
 
+	// Treat secret objects with a special case
+	// OLM copies secrets as well as supports creating new ones from the bundle
+	// This boolean determines whether its a user-created secret
+	if obj.GetObjectKind().GroupVersionKind().Kind == secretKind {
+		resource.BundleSecret = true
+	}
+
 	return resource, nil
 }
 
@@ -124,6 +135,7 @@ func NewStepResourceFromBundle(bundle *api.Bundle, namespace, replaces, catalogS
 		if unst.GetObjectKind().GroupVersionKind().Kind == v1alpha1.ClusterServiceVersionKind {
 			continue
 		}
+
 		step, err := NewStepResourceFromObject(unst, catalogSourceName, catalogSourceNamespace)
 		if err != nil {
 			return nil, err