(bugfix): OCPBUGS-3072 - fix operator-sdk run bundle(-upgrade) PSA …
…related issues (#6210) (#6261)

Signed-off-by: rashmigottipati <chowdary.grashmi@gmail.com>

Signed-off-by: rashmigottipati <chowdary.grashmi@gmail.com>
Co-authored-by: Bryce Palmer <bpalmer@redhat.com>
rashmigottipati and everettraven committed Jan 25, 2023
1 parent b24bd9f commit 021ea07
Showing 14 changed files with 90 additions and 43 deletions.
31 changes: 31 additions & 0 deletions changelog/fragments/05-rbu-psa.yaml
@@ -0,0 +1,31 @@
# entries is a list of entries to include in
# release notes and/or the migration guide
entries:
- description: >
`operator-sdk run bundle(-upgrade)`: Fix a bug where SQLite bundle images were failing to be run properly due to
a change in the default channel that is used by `run bundle(-upgrade)` when creating a subscription.
kind: "bugfix"
breaking: false
- description: >
`operator-sdk run bundle(-upgrade)`: Update the logic used to set a Registry Pod's PSA configuration
to fix a bug where a Pod's containers still had a restrictive SecurityContext even when setting
`--security-context-config=legacy`.
kind: "bugfix"
breaking: false
- description: >
`operator-sdk run bundle(-upgrade)`: Change default of the `--security-context-config` flag to be `legacy`
instead of `restricted`.
kind: "change"
breaking: false
- description: >
`operator-sdk run bundle`: When creating the CatalogSource, we now set the `grpcPodConfig.SecurityContextConfig`
to the value of the `--security-context-config` flag.
kind: "change"
breaking: false
16 changes: 9 additions & 7 deletions internal/olm/operator/bundle/install.go
Expand Up @@ -17,6 +17,7 @@ package bundle
import (
"context"
"fmt"
"strings"

log "github.com/sirupsen/logrus"
"github.com/spf13/pflag"
Expand Down Expand Up @@ -102,13 +103,7 @@ func (i *Install) setup(ctx context.Context) error {
if i.IndexImageCatalogCreator.BundleAddMode != "" {
return fmt.Errorf("specifying the bundle add mode is not supported for File-Based Catalog bundles and index images")
}
} else {
// index image is of the SQLite index format.
deprecationMsg := fmt.Sprintf("%s is a SQLite index image. SQLite based index images are being deprecated and will be removed in a future release, please migrate your catalogs to the new File-Based Catalog format", i.IndexImageCatalogCreator.IndexImage)
log.Warn(deprecationMsg)
}

if i.IndexImageCatalogCreator.HasFBCLabel {
// FBC variables
f := &fbcutil.FBCContext{
Package: labels[registrybundle.PackageLabel],
Expand All @@ -130,13 +125,20 @@ func (i *Install) setup(ctx context.Context) error {
}

i.IndexImageCatalogCreator.FBCContent = content
i.OperatorInstaller.Channel = fbcutil.DefaultChannel
} else {
// index image is of the SQLite index format.
deprecationMsg := fmt.Sprintf("%s is a SQLite index image. SQLite based index images are being deprecated and will be removed in a future release, please migrate your catalogs to the new File-Based Catalog format", i.IndexImageCatalogCreator.IndexImage)
log.Warn(deprecationMsg)

// set the channel the old way
i.OperatorInstaller.Channel = strings.Split(labels[registrybundle.ChannelsLabel], ",")[0]
}

i.OperatorInstaller.PackageName = labels[registrybundle.PackageLabel]
i.OperatorInstaller.CatalogSourceName = operator.CatalogNameForPackage(i.OperatorInstaller.PackageName)
i.OperatorInstaller.StartingCSV = csv.Name
i.OperatorInstaller.SupportedInstallModes = operator.GetSupportedInstallModes(csv.Spec.InstallModes)
i.OperatorInstaller.Channel = fbcutil.DefaultChannel

i.IndexImageCatalogCreator.PackageName = i.OperatorInstaller.PackageName
i.IndexImageCatalogCreator.BundleImage = i.BundleImage
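Review bot: The new `i.OperatorInstaller.Channel = strings.Split(labels[registrybundle.ChannelsLabel], ",")[0]` silently produces an empty channel when the bundle image carries no channels label (Split of "" returns [""]), so the subscription is created with `Channel: ""` instead of failing with a clear message. Consider trimming and validating, e.g. `channels := strings.Split(strings.TrimSpace(labels[registrybundle.ChannelsLabel]), ",")` followed by `if channels[0] == "" { return fmt.Errorf("bundle image %s has no %s label", i.BundleImage, registrybundle.ChannelsLabel) }` before the assignment. A short comment on the `else` branch stating that "not FBC" is taken to mean "SQLite index" would also help, since that assumption now drives channel selection as well as the deprecation warning. The `setup` method starts and ends outside the hunk.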
20 changes: 11 additions & 9 deletions internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
Expand Up @@ -32,7 +32,7 @@ import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/util/retry"
pointer "k8s.io/utils/pointer"
"k8s.io/utils/pointer"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

"github.com/operator-framework/operator-sdk/internal/olm/operator"
Expand Down Expand Up @@ -134,6 +134,16 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}

// Update the Registry Pod container security context to be restrictive
f.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(false),
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}
}

if err := f.cfg.Client.Create(ctx, f.pod); err != nil {
Expand Down Expand Up @@ -306,14 +316,6 @@ func (f *FBCRegistryPod) podForBundleRegistry(cs *v1alpha1.CatalogSource) (*core
{Name: defaultContainerPortName, ContainerPort: f.GRPCPort},
},
VolumeMounts: volumeMounts,
SecurityContext: &corev1.SecurityContext{
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(false),
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
},
},
},
ServiceAccountName: f.cfg.ServiceAccount,
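Review bot: The SecurityContext block added at the top of the `Create` hunk is a verbatim copy of the one added in `registry_pod.go`'s `Create`, and the comment "to be restrictive" overstates it, since `ReadOnlyRootFilesystem` is deliberately `false`. A small helper in the `operator` package returning the shared `*corev1.SecurityContext` would keep the two registry pods from drifting apart, and the comment should name what the block actually enforces, e.g. `// Restricted mode: drop all capabilities and forbid privilege escalation; the root filesystem stays writable because the registry writes to it at runtime` (whether the FBC registry really needs a writable root is not visible here and should be confirmed). `f.pod.Spec.Containers[0]` is indexed without a length check; it is presumably populated by `podForBundleRegistry` just before, but a comment saying so would make the dependency explicit. The condition enclosing this block (presumably the restricted/legacy switch) starts outside the hunk, and with the SecurityContext removed from `podForBundleRegistry` the legacy path now sets no container SecurityContext at all, which deserves a comment on that branch.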
25 changes: 14 additions & 11 deletions internal/olm/operator/registry/index/registry_pod.go
Expand Up @@ -139,6 +139,16 @@ func (rp *SQLiteRegistryPod) Create(ctx context.Context, cfg *operator.Configura
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}

// Update the Registry Pod container security context to be restrictive
rp.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(false),
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}
}

if err := rp.cfg.Client.Create(ctx, rp.pod); err != nil {
Expand Down Expand Up @@ -277,14 +287,7 @@ func (rp *SQLiteRegistryPod) podForBundleRegistry() (*corev1.Pod, error) {
Ports: []corev1.ContainerPort{
{Name: defaultContainerPortName, ContainerPort: rp.GRPCPort},
},
SecurityContext: &corev1.SecurityContext{
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(false),
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
},
WorkingDir: "/tmp",
},
},
ServiceAccountName: rp.cfg.ServiceAccount,
Expand Down Expand Up @@ -362,11 +365,11 @@ func newBool(b bool) *bool {
return bp
}

const cmdTemplate = `mkdir -p {{ dirname .DBPath }} && \
const cmdTemplate = `[[ -f {{ .DBPath }} ]] && cp {{ .DBPath }} /tmp/tmp.db; \
{{- range $i, $item := .BundleItems }}
opm registry add -d {{ $.DBPath }} -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls-verify={{ $.SkipTLSVerify }} --use-http={{ $.UseHTTP }} && \
opm registry add -d /tmp/tmp.db -b {{ $item.ImageTag }} --mode={{ $item.AddMode }}{{ if $.CASecretName }} --ca-file=/certs/cert.pem{{ end }} --skip-tls-verify={{ $.SkipTLSVerify }} --use-http={{ $.UseHTTP }} && \
{{- end }}
opm registry serve -d {{ .DBPath }} -p {{ .GRPCPort }}
opm registry serve -d /tmp/tmp.db -p {{ .GRPCPort }}
`

// getContainerCmd uses templating to construct the container command
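Review bot: The rewritten `cmdTemplate` opens with `[[ -f {{ .DBPath }} ]]`, which is a bash extension; if the registry image's shell is a POSIX `sh` (dash, busybox) the command fails before `opm` ever runs. The invocation that wraps this template is not visible in the hunk so this needs confirming, but the portable form `[ -f {{ .DBPath }} ] && cp {{ .DBPath }} /tmp/tmp.db; \` works in both shells. The copy into `/tmp/tmp.db` is also the reason `ReadOnlyRootFilesystem` stays `false` in the restricted block added earlier in this file, and the `;` after the test deliberately tolerates a missing `.DBPath`; a comment on the `const` recording both points would stop either from being "fixed" independently. `{{ .DBPath }}` is interpolated into the shell command unquoted; where its value originates is not shown here, so if it can come from image metadata, quoting it as `"{{ .DBPath }}"` would be prudent.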
5 changes: 3 additions & 2 deletions internal/olm/operator/registry/index/registry_pod_test.go
Expand Up @@ -290,7 +290,8 @@ func containerCommandFor(dbPath string, items []BundleItem, hasCA, skipTLSVerify
}
additions := &strings.Builder{}
for _, item := range items {
additions.WriteString(fmt.Sprintf("opm registry add -d %s -b %s --mode=%s%s --skip-tls-verify=%v --use-http=%v && \\\n", dbPath, item.ImageTag, item.AddMode, caFlag, skipTLSVerify, useHTTP))
additions.WriteString(fmt.Sprintf("opm registry add -d /tmp/tmp.db -b %s --mode=%s%s --skip-tls-verify=%v --use-http=%v && \\\n", item.ImageTag, item.AddMode, caFlag, skipTLSVerify, useHTTP))
}
return fmt.Sprintf("mkdir -p /database && \\\n%sopm registry serve -d /database/index.db -p 50051\n", additions.String())

return fmt.Sprintf("[[ -f %s ]] && cp %s /tmp/tmp.db; \\\n%sopm registry serve -d /tmp/tmp.db -p 50051\n", dbPath, dbPath, additions.String())
}
5 changes: 3 additions & 2 deletions internal/olm/operator/registry/index_image.go
Expand Up @@ -138,8 +138,8 @@ func (c *IndexImageCatalogCreator) BindFlags(fs *pflag.FlagSet) {
fs.BoolVar(&c.UseHTTP, "use-http", false, "use plain HTTP for container image registries "+
"while pulling bundles")

// default to Restricted
c.SecurityContext = SecurityContext{ContextType: Restricted}
// default to Legacy
c.SecurityContext = SecurityContext{ContextType: Legacy}
fs.Var(&c.SecurityContext, "security-context-config", "specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'.")
}

Expand All @@ -148,6 +148,7 @@ func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string
cs := newCatalogSource(name, c.cfg.Namespace,
withSDKPublisher(c.PackageName),
withSecrets(c.SecretName),
withGrpcPodSecurityContextConfig(c.SecurityContext.String()),
)
if err := c.cfg.Client.Create(ctx, cs); err != nil {
return nil, fmt.Errorf("error creating catalog source: %v", err)
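Review bot: Flipping the default in `BindFlags` to `Legacy` means the registry pod is created without the restricted SecurityContext unless the user opts in, and the new `withGrpcPodSecurityContextConfig(c.SecurityContext.String())` in `CreateCatalog` propagates the same choice to the OLM-managed catalog pod, yet the flag's help text says nothing about that trade-off. Suggest extending the help string to `"specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. 'restricted' is required in namespaces that enforce the restricted Pod Security Standard."`, which would also require regenerating the CLI docs under `website/content/en/docs/cli/` touched by this commit. `c.SecurityContext.String()` is handed to the CatalogSource with no validation at this call site; that relies on the flag type's `Set` rejecting anything but the two allowed values, which is not visible here.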
9 changes: 9 additions & 0 deletions internal/olm/operator/registry/olm_resources.go
Expand Up @@ -89,6 +89,15 @@ func withSecrets(secretNames ...string) func(*v1alpha1.CatalogSource) {
}
}

func withGrpcPodSecurityContextConfig(securityContextConfig string) func(*v1alpha1.CatalogSource) {
return func(cs *v1alpha1.CatalogSource) {
if cs.Spec.GrpcPodConfig == nil {
cs.Spec.GrpcPodConfig = &v1alpha1.GrpcPodConfig{}
}
cs.Spec.GrpcPodConfig.SecurityContextConfig = v1alpha1.SecurityConfig(securityContextConfig)
}
}

// newCatalogSource creates a new CatalogSource with a name derived from
// pkgName, the package manifest's packageName, in namespace. opts will
// be applied to the CatalogSource object.
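Review bot: `withGrpcPodSecurityContextConfig` has no doc comment, and it converts its `string` argument straight to `v1alpha1.SecurityConfig` without checking that it is a value OLM accepts, so a typo only surfaces when the CatalogSource is rejected or the setting is ignored. Suggest `// withGrpcPodSecurityContextConfig sets spec.grpcPodConfig.securityContextConfig so OLM runs the catalog pod with the same PSA profile chosen for the registry pod; callers must pass an already-validated value ("restricted" or "legacy").` placed above the function. If the v1alpha1 package exports constants for the allowed values, taking `v1alpha1.SecurityConfig` as the parameter type (or comparing against those constants here) would move the check to compile time.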
Expand Up @@ -309,7 +309,7 @@ $ operator-sdk bundle validate ./bundle --alpha-select-external ./myvalidator/ma
WARN[0000] Warning: Value sandbox-op.v0.0.1: owned CRD "sandboxes.sandbox.example.come" has an empty description
INFO[0000] All validation tests have completed successfully
```
[errors-pkg]: https://github.com/operator-framework/api/pkg/tree/master/validation/errors
[errors-pkg]: https://github.com/operator-framework/api/tree/master/pkg/validation/errors
[manifest_result]: https://github.com/operator-framework/api/blob/master/pkg/validation/errors/error.go#L9-L16
[of-api]: https://github.com/operator-framework/api
[of-validation]: https://github.com/operator-framework/api/tree/master/pkg/validation
2 changes: 1 addition & 1 deletion website/content/en/docs/advanced-topics/multi-arch.md
Expand Up @@ -50,7 +50,7 @@ For operators distributed through the [Operator Lifecycle Manager (OLM)][olm]:

[manifest_list]: https://docs.docker.com/registry/spec/manifest-v2-2/#manifest-list
[image_index]: https://github.com/opencontainers/image-spec/blob/main/image-index.md
[buildah]: https://github.com/containers/buildah/blob/main/docs/buildah-bud.md#building-an-multi-architecture-image-using-a---manifest-option-requires-emulation-software
[buildah]: https://github.com/containers/buildah/blob/main/docs/buildah-build.1.md#building-an-multi-architecture-image-using-the---manifest-option-requires-emulation-software
[buildx]: https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images
[buildx_multiarch]: https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images
[olm]: https://olm.operatorframework.io/docs/
Expand Up @@ -24,7 +24,7 @@ operator-sdk run bundle-upgrade <bundle-image> [flags]
--kubeconfig string Path to the kubeconfig file to use for CLI requests.
-n, --namespace string If present, namespace scope for this CLI request
--pull-secret-name string Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
--security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted)
--security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default legacy)
--service-account string Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
--skip-tls skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
--skip-tls-verify skip TLS certificate verification for container image registries while pulling bundles
2 changes: 1 addition & 1 deletion website/content/en/docs/cli/operator-sdk_run_bundle.md
Expand Up @@ -35,7 +35,7 @@ operator-sdk run bundle <bundle-image> [flags]
--kubeconfig string Path to the kubeconfig file to use for CLI requests.
-n, --namespace string If present, namespace scope for this CLI request
--pull-secret-name string Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
--security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted)
--security-context-config SecurityContext specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default legacy)
--service-account string Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
--skip-tls skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
--skip-tls-verify skip TLS certificate verification for container image registries while pulling bundles
10 changes: 4 additions & 6 deletions website/content/en/docs/contribution-guidelines/releasing.md
Expand Up @@ -198,12 +198,10 @@ We will use the `v1.3.1` release version in this example.

#### 0. Lock down release branches on GitHub

Lock down the `v1.3.x` branch to prevent further merges/commits.

To do this, edit the `Branch protection rules`: https://github.com/operator-framework/operator-sdk/settings/branches

- click `Edit` on the `v.*` branch rule.
- In section `Protect matching branches` of the `Rule settings` box, set "Required approving reviewers" to `6`.
1. Lock down the `v1.3.x` branch to prevent further commits before the release completes:
1. Go to `Settings -> Branches` in the SDK repo.
1. Under `Branch protection rules`, click `Edit` on the `v*.` branch rule.
1. In section `Protect matching branches` of the `Rule settings` box, increase the number of required approving reviewers to `6`.

#### 1. Branch

2 changes: 1 addition & 1 deletion website/content/en/docs/overview/cheat-sheet.md
Expand Up @@ -70,7 +70,7 @@ make bundle CHANNELS=fast,preview DEFAULT_CHANNEL=stable VERSION=1.0.0 IMG=<some
[bundle]:https://github.com/operator-framework/operator-registry/blob/v1.16.1/docs/design/operator-bundle.md
[operatorhub-io]: https://operatorhub.io/
[upgrade-project]: /docs/olm-integration/generation/#upgrade-your-operator
[channel-namming-doc]: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/channel-naming.md
[channel-namming-doc]: https://olm.operatorframework.io/docs/best-practices/channel-naming/
[controllers-k8s-doc]: https://kubernetes.io/docs/concepts/architecture/controller
[gkvs]: https://book.kubebuilder.io/cronjob-tutorial/gvks.html
[extend-k8s-api]: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
2 changes: 1 addition & 1 deletion website/content/en/docs/upgrading-sdk-version/v1.5.0.md
Expand Up @@ -11,7 +11,7 @@ _See [#4402](https://github.com/operator-framework/operator-sdk/pull/4402) for m

## PROJECT config version 3-alpha must be upgraded to 3.

PROJECT config version 3-alpha has been stabilized as [version 3](https://github.com/kubernetes-sigs/kubebuilder/blob/master/docs/book/src/migration/manually_migration_guide_v2_v3.md) (the `version` key in your PROJECT file), and contains a set of config fields sufficient to fully describe a project. While this change is not technically breaking because the spec at that version was alpha, it was used by default in `operator-sdk` commands so should be marked as breaking and have a convenient migration path. The `alpha config-3alpha-to-3` command will convert most of your PROJECT file from version 3-alpha to 3, and leave comments with directions where automatic conversion is not possible:
PROJECT config version 3-alpha has been stabilized as [version 3](https://github.com/kubernetes-sigs/kubebuilder/blob/master/docs/book/src/migration/legacy/manually_migration_guide_v2_v3.md) (the `version` key in your PROJECT file), and contains a set of config fields sufficient to fully describe a project. While this change is not technically breaking because the spec at that version was alpha, it was used by default in `operator-sdk` commands so should be marked as breaking and have a convenient migration path. The `alpha config-3alpha-to-3` command will convert most of your PROJECT file from version 3-alpha to 3, and leave comments with directions where automatic conversion is not possible:

```console
$ cat PROJECT
