Create OperatorGroup and RBAC for each CSV

operator-framework · Nov 20, 2020 · 8b82a1a · 8b82a1a
1 parent 1d02874
commit 8b82a1a
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 3 deletions.
diff --git a/manifests/0000_50_olm_09-aggregated.clusterrole.yaml b/manifests/0000_50_olm_09-aggregated.clusterrole.yaml
@@ -8,7 +8,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups: ["operators.coreos.com"]
-  resources: ["subscriptions"]
+  resources: ["subscriptions", "operatorconditions"]
   verbs: ["create", "update", "patch", "delete"]
 - apiGroups: ["operators.coreos.com"]
   resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions"]

diff --git a/pkg/controller/operators/catalog/operator.go b/pkg/controller/operators/catalog/operator.go
@@ -2073,6 +2073,7 @@ func (o *Operator) apiresourceFromGVK(gvk schema.GroupVersionKind) (metav1.APIRe
 
 const (
 	PrometheusRuleKind        = "PrometheusRule"
+	OperatorConditionKind     = "OperatorCondition"
 	ServiceMonitorKind        = "ServiceMonitor"
 	PodDisruptionBudgetKind   = "PodDisruptionBudget"
 	PriorityClassKind         = "PriorityClass"
@@ -2085,6 +2086,7 @@ var supportedKinds = map[string]struct{}{
 	PodDisruptionBudgetKind:   {},
 	PriorityClassKind:         {},
 	VerticalPodAutoscalerKind: {},
+	OperatorConditionKind:     {},
 }
 
 // isSupported returns true if OLM supports this type of CustomResource.

diff --git a/pkg/controller/registry/resolver/rbac.go b/pkg/controller/registry/resolver/rbac.go
@@ -22,7 +22,7 @@ func generateName(base string, o interface{}) string {
 	hashutil.DeepHashObject(hasher, o)
 	hash := utilrand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
 	if len(base)+len(hash) > maxNameLength {
-		base = base[:maxNameLength - len(hash) - 1]
+		base = base[:maxNameLength-len(hash)-1]
 	}
 
 	return fmt.Sprintf("%s-%s", base, hash)
@@ -90,6 +90,13 @@ func RBACForClusterServiceVersion(csv *v1alpha1.ClusterServiceVersion) (map[stri
 			permissions[permission.ServiceAccountName] = NewOperatorPermissions(serviceAccount)
 		}
 
+		operatorConditionRBAC := rbacv1.PolicyRule{
+			Verbs:         []string{"get", "update"},
+			APIGroups:     []string{"operators.coreos.com"},
+			Resources:     []string{"operatorconditions"},
+			ResourceNames: []string{csv.GetName()},
+		}
+
 		// Create Role
 		role := &rbacv1.Role{
 			ObjectMeta: metav1.ObjectMeta{
@@ -98,7 +105,7 @@ func RBACForClusterServiceVersion(csv *v1alpha1.ClusterServiceVersion) (map[stri
 				OwnerReferences: []metav1.OwnerReference{ownerutil.NonBlockingOwner(csv)},
 				Labels:          ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind),
 			},
-			Rules: permission.Rules,
+			Rules: append(permission.Rules, operatorConditionRBAC),
 		}
 		permissions[permission.ServiceAccountName].AddRole(role)
 

diff --git a/pkg/controller/registry/resolver/steps.go b/pkg/controller/registry/resolver/steps.go
@@ -6,11 +6,13 @@ import (
 	"fmt"
 	"strings"
 
+	v1 "github.com/operator-framework/api/pkg/operators/v1"
 	"github.com/operator-framework/operator-registry/pkg/api"
 	extScheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	k8sjson "k8s.io/apimachinery/pkg/runtime/serializer/json"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/yaml"
@@ -86,6 +88,22 @@ func NewStepResourceFromObject(obj runtime.Object, catalogSourceName, catalogSou
 	return resource, nil
 }
 
+func NewOperatorConditionStepResource(csv *v1alpha1.ClusterServiceVersion, catalogSourceName, catalogSourceNamespace string) (v1alpha1.StepResource, error) {
+	operatorCondition := &v1.OperatorCondition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      csv.GetName(),
+			Namespace: csv.GetNamespace(),
+		},
+	}
+	operatorCondition.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   v1.GroupVersion.Group,
+		Version: v1.GroupVersion.Version,
+		Kind:    "OperatorCondition",
+	})
+
+	return NewStepResourceFromObject(operatorCondition, catalogSourceName, catalogSourceNamespace)
+}
+
 func NewSubscriptionStepResource(namespace string, info OperatorSourceInfo) (v1alpha1.StepResource, error) {
 	return NewStepResourceFromObject(&v1alpha1.Subscription{
 		ObjectMeta: metav1.ObjectMeta{
@@ -136,6 +154,12 @@ func NewStepResourceFromBundle(bundle *api.Bundle, namespace, replaces, catalogS
 	}
 	steps := []v1alpha1.StepResource{step}
 
+	step, err = NewOperatorConditionStepResource(csv, catalogSourceName, catalogSourceName)
+	if err != nil {
+		return nil, err
+	}
+	steps = append(steps, step)
+
 	for _, object := range bundle.Object {
 		dec := yaml.NewYAMLOrJSONDecoder(strings.NewReader(object), 10)
 		unst := &unstructured.Unstructured{}

diff --git a/pkg/lib/ownerutil/util.go b/pkg/lib/ownerutil/util.go
@@ -406,6 +406,12 @@ func InferGroupVersionKind(obj runtime.Object) error {
 			Version: apiextensionsv1beta1.SchemeGroupVersion.Version,
 			Kind:    "CustomResourceDefinition",
 		})
+	case *operatorsv1.OperatorCondition:
+		objectKind.SetGroupVersionKind(schema.GroupVersionKind{
+			Group:   operatorsv1.GroupVersion.Group,
+			Version: operatorsv1.GroupVersion.Version,
+			Kind:    "OperatorCondition",
+		})
 	case *apiextensionsv1.CustomResourceDefinition:
 		objectKind.SetGroupVersionKind(schema.GroupVersionKind{
 			Group:   apiextensionsv1.GroupName,

diff --git a/test/e2e/subscription_e2e_test.go b/test/e2e/subscription_e2e_test.go
@@ -75,6 +75,12 @@ var _ = Describe("Subscription", func() {
 		csv, err := fetchCSV(crc, subscription.Status.CurrentCSV, testNamespace, buildCSVConditionChecker(v1alpha1.CSVPhaseSucceeded))
 		require.NoError(GinkgoT(), err)
 
+		// Ensure that the OperatorCondition was created for the CSV.
+		Eventually(func() error {
+			_, err = crc.OperatorsV1().OperatorConditions(csv.GetNamespace()).Get(context.TODO(), csv.GetName(), metav1.GetOptions{})
+			return err
+		}).Should(BeNil())
+
 		// Check for the olm.package property as a proxy for
 		// verifying that the annotation value is reasonable.
 		Expect(