Deploy operands in the operator's namespace

[alebedev87]

Operand can be deployed in the operator namespace:

$ oc -n external-dns-operator get pods
NAME                                     READY   STATUS    RESTARTS   AGE
external-dns-operator-6644944b64-2txst   2/2     Running   0          2m12s

$ oc get ns external-dns
Error from server (NotFound): namespaces "external-dns" not found

$ oc apply -f infoblox-cr.yaml 
externaldns.externaldns.olm.openshift.io/sample-infoblox created

$ oc -n external-dns-operator get pods
NAME                                            READY   STATUS    RESTARTS   AGE
external-dns-operator-6644944b64-2txst          2/2     Running   0          3m40s
external-dns-sample-infoblox-57f97c7849-q2rp9   1/1     Running   0          59s

$ oc get externaldns 
NAME              AGE
sample-infoblox   68s

$ oc -n external-dns-operator logs external-dns-sample-infoblox-57f97c7849-q2rp9
...
time="2022-04-11T20:55:57Z" level=info msg="Created OpenShift client https://10.217.4.1:443"
time="2022-04-11T20:56:08Z" level=debug msg="fetched 0 records from infoblox"
...
time="2022-04-11T20:56:08Z" level=info msg="All records are already up to date"

Removal of the CR and the operator namespace works with no problem:

$ oc delete externaldns sample-infoblox
externaldns.externaldns.olm.openshift.io "sample-infoblox" deleted

$ oc -n external-dns-operator get pods
NAME                                     READY   STATUS    RESTARTS   AGE
external-dns-operator-6644944b64-2txst   2/2     Running   0          8m24s

$ oc delete ns external-dns-operator
namespace "external-dns-operator" deleted

$ oc get ns external-dns-operator
Error from server (NotFound): namespaces "external-dns-operator" not found

Even if there is a CR and an operand the namespace can be removed - no problem:

$ oc -n external-dns-operator get pods
NAME                                            READY   STATUS    RESTARTS   AGE
external-dns-operator-6cf8d8576d-r9drk          2/2     Running   0          34s
external-dns-sample-infoblox-57f97c7849-rztbw   1/1     Running   0          11s

$ oc get externaldns
NAME              AGE
sample-infoblox   18s

$ oc delete ns external-dns-operator
namespace "external-dns-operator" deleted

$ oc get externaldns
NAME              AGE
sample-infoblox   41s

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alebedev87]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/assign @quarterpin
I tested this change manually (see the description), the e2e tests are passed too.
However this is a major design change and needs to be tested thoroughly.

[alebedev87]

/hold
migration doc is to be added, no need to spawn test clusters

[alebedev87]

/unhold
as it doesn't stop the tests :(

[alebedev87]

/assign @sherine-k

[alebedev87]

/retest

[sherine-k]

I like this implementation as it preserves the possibility to go back to separate NSs in the future if needed. Kudos!
Couple of nitpicks below

[sherine-k]

serviceAccount external-dns still exists (used by operands) but namespace would become external-dns-operator, right?

[alebedev87]

The service accounts for the operand will be created in external-dns-operator namespace now. If the operator is installed on a new cluster external-dns namespace won't be there, same about service accounts in it. If the operator is upgraded on a cluster which already had it, then yes the service accounts will still be there until the migration procedure is followed.
This binding is not strictly necessary anymore, I kept it just in case, the operator can be used in both modes with it.

[sherine-k]

I have a doubt as to why the operator serviceAccount also needs this clusterrolebinding

[alebedev87]

Yes, the operator doesn't need it. It's just that there is no way to exclude 1 service account from the namespace group.
Unfortunately there is not much choice to work this around without giving the operator the update permission on clusterrolebindings resource.

[sherine-k]

Related to comment on bundle/manifests/external-dns_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml

[quarterpin]

/label qe-approved

[sherine-k]

/lgtm

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[sherine-k]

/lgtm

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[alebedev87]

/label docs-approved
/label px-approved