pkg/controller: Fix panic when creating cluster-scoped RBAC in OG controller

timflannagan · timflannagan · commit f2adb2d1de77 · 2021-09-14T15:35:03.000-04:00
Fixes [operator-framework#2091](operator-framework#2091). This is a follow-up to [operator-framework#2309](operator-framework#2309) that attempted to fix the original issue. When checking whether the ClusterRole/ClusterRoleBinding resources already exist, we're also checking whether the existing labels are owned by the CSV we're currently handling. When accessing the "cr" or "crb" variables that the Create calls output, a panic is produced as we're attempting to access the meta.Labels key from those resources, except those resources themselves are nil. Update the check to verify that the cr/crb variables are not nil before attempting to access those object's labels. The testing fake client may need to be updated in the future to handle returning these resources properly. Signed-off-by: timflannagan <timflannagan@gmail.com>
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -533,11 +533,10 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 			// TODO: this should do something smarter if the cluster role already exists
 			if cr, err := a.opClient.CreateClusterRole(clusterRole); err != nil {
 				// if the CR already exists, but the label is correct, the cache is just behind
-				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(cr, csv) {
+				if k8serrors.IsAlreadyExists(err) && cr != nil && ownerutil.IsOwnedByLabel(cr, csv) {
 					continue
-				} else {
-					return err
 				}
+				return err
 			}
 			a.logger.Debug("created cluster role")
 		}
@@ -572,12 +571,11 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 			}
 			// TODO: this should do something smarter if the cluster role binding already exists
 			if crb, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {
-				// if the CR already exists, but the label is correct, the cache is just behind
-				if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(crb, csv) {
+				// if the CRB already exists, but the label is correct, the cache is just behind
+				if k8serrors.IsAlreadyExists(err) && crb != nil && ownerutil.IsOwnedByLabel(crb, csv) {
 					continue
-				} else {
-					return err
 				}
+				return err
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -533,11 +533,10 @@ func (a Operator) ensureSingletonRBAC(operatorNamespace string, csv v1alpha1.C`
`533`	`533`	`// TODO: this should do something smarter if the cluster role already exists`
`534`	`534`	`if cr, err := a.opClient.CreateClusterRole(clusterRole); err != nil {`
`535`	`535`	`// if the CR already exists, but the label is correct, the cache is just behind`
`536`		`- if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(cr, csv) {`
	`536`	`+ if k8serrors.IsAlreadyExists(err) && cr != nil && ownerutil.IsOwnedByLabel(cr, csv) {`
`537`	`537`	`continue`
`538`		`- } else {`
`539`		`- return err`
`540`	`538`	`}`
	`539`	`+ return err`
`541`	`540`	`}`
`542`	`541`	`a.logger.Debug("created cluster role")`
`543`	`542`	`}`
`@@ -572,12 +571,11 @@ func (a Operator) ensureSingletonRBAC(operatorNamespace string, csv v1alpha1.C`
`572`	`571`	`}`
`573`	`572`	`// TODO: this should do something smarter if the cluster role binding already exists`
`574`	`573`	`if crb, err := a.opClient.CreateClusterRoleBinding(clusterRoleBinding); err != nil {`
`575`		`- // if the CR already exists, but the label is correct, the cache is just behind`
`576`		`- if k8serrors.IsAlreadyExists(err) && ownerutil.IsOwnedByLabel(crb, csv) {`
	`574`	`+ // if the CRB already exists, but the label is correct, the cache is just behind`
	`575`	`+ if k8serrors.IsAlreadyExists(err) && crb != nil && ownerutil.IsOwnedByLabel(crb, csv) {`
`577`	`576`	`continue`
`578`		`- } else {`
`579`		`- return err`
`580`	`577`	`}`
	`578`	`+ return err`
`581`	`579`	`}`
`582`	`580`	`}`
`583`	`581`	`}`