build: generate CSV templates, and validate in CI

Start tracking generated CSV templates, and validate that they don't
change in builds.

Signed-off-by: Blaine Gardner <blaine.gardner@redhat.com>

.github/workflows/build.yml

@@ -44,12 +44,20 @@ jobs:
 
     - name: run crds-gen
       working-directory: /Users/runner/go/src/github.com/rook/rook
-      run: make csv-clean && GOPATH=$(go env GOPATH) make crds
+      run: GOPATH=$(go env GOPATH) make crds
 
     - name: validate crds-gen
       working-directory: /Users/runner/go/src/github.com/rook/rook
       run: tests/scripts/validate_modified_files.sh crd
 
+    - name: run csv gen
+      working-directory: /Users/runner/go/src/github.com/rook/rook/
+      run: make csv-clean && GOPATH=$(go env GOPATH) make csv-templates
+
+    - name: validate csv gen
+      working-directory: /Users/runner/go/src/github.com/rook/rook/
+      run: tests/scripts/validate_modified_files.sh csv-templates
+
     - name: setup tmate session for debugging
       if: failure()
       uses: mxschmitt/action-tmate@v3

.github/workflows/csv-templates.yml

@@ -0,0 +1,41 @@
+name: CSV Templates
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - master
+      - release-*
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+defaults:
+  run:
+    # reference: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
+    shell: bash --noprofile --norc -eo pipefail -x {0}
+
+jobs:
+  csv-templates:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/setup-go@v2
+      with:
+        go-version: 1.16
+
+    - name: checkout
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    - name: copy working directory to GOPATH
+      run: sudo mkdir -p /home/runner/go/src/github.com && sudo cp -a /home/runner/work/rook /home/runner/go/src/github.com/
+
+    - name: run make csv-templates
+      working-directory: /home/runner/go/src/github.com/rook/rook
+      run: GOPATH=$(go env GOPATH) make csv-templates
+
+    - name: validate csv-templates
+      working-directory: /home/runner/go/src/github.com/rook/rook
+      run: tests/scripts/validate_modified_files.sh csv-templates

.gitignore

@@ -7,6 +7,9 @@
 
 /tests/integration/rook-test/
 
-# OLM related stuff
-cluster/olm/ceph/deploy/*
-cluster/olm/ceph/templates/*
+# Ignore the CRDs generated for the CSV templates. They are duplicated multiple times and end up
+# adding 20k+ lines. Since we already detect CRD changes in
+# cluster/examples/kubernetes/ceph/crds.yaml, ignore them in the CSVs.
+cluster/olm/ceph/deploy/crds/*
+cluster/olm/ceph/deploy/olm-catalog/**/manifests
+cluster/olm/ceph/templates/crds/*

Makefile

@@ -171,11 +171,24 @@ csv-ceph: csv-clean crds ## Generate a CSV file for OLM.
 	$(MAKE) -C images/ceph csv
 
 csv-clean: ## Remove existing OLM files.
-	@$(MAKE) -C images/ceph csv-clean
+	$(MAKE) -C images/ceph csv-clean
 
+GEN_CRD_TEMP := /tmp/rook-ceph-gen-crds
+BUILD_CRDS_INTO_DIR ?= $(GEN_CRD_TEMP) # unless overridden, build CRDs into the temp dir
 crds: $(CONTROLLER_GEN) $(YQ)
 	@echo Updating CRD manifests
-	@build/crds/build-crds.sh $(CONTROLLER_GEN) $(YQ)
+	@# build into a temp dir so that it doesn't interfere with CSV generation
+	rm -rf $(GEN_CRD_TEMP) && mkdir -p $(GEN_CRD_TEMP)
+	build/crds/build-crds.sh $(CONTROLLER_GEN) $(YQ)
+	rm -rf $(GEN_CRD_TEMP)
+
+GEN_CSV_TEMP := /tmp/rook-ceph-gen-csv-template
+csv-templates: ## Generate CSVs which are tracked in Rook source
+	rm -rf $(GEN_CSV_TEMP) && mkdir -p $(GEN_CSV_TEMP)
+	$(MAKE) -C images/ceph CSV_TEMPLATE_DIR=$(GEN_CSV_TEMP) generate-csv-templates
+	cp -a $(GEN_CSV_TEMP)/cluster/olm/ceph/templates cluster/olm/ceph/.
+	cp -a $(GEN_CSV_TEMP)/cluster/olm/ceph/deploy cluster/olm/ceph/.
+	rm -rf $(GEN_CSV_TEMP)
 
 .PHONY: all build.common cross.build.parallel
 .PHONY: build build.all install test check vet fmt codegen mod.check clean distclean prune

build/crds/build-crds.sh

@@ -33,8 +33,10 @@ if [[ -n "$BUILD_CRDS_INTO_DIR" ]]; then
   DESTINATION_ROOT="$BUILD_CRDS_INTO_DIR"
 fi
 OLM_CATALOG_DIR="${DESTINATION_ROOT}/cluster/olm/ceph/deploy/crds"
-CEPH_CRDS_FILE_PATH="${DESTINATION_ROOT}/cluster/examples/kubernetes/ceph/crds.yaml"
-CEPH_HELM_CRDS_FILE_PATH="${DESTINATION_ROOT}/cluster/charts/rook-ceph/templates/resources.yaml"
+CEPH_CRDS_DIR="${DESTINATION_ROOT}/cluster/examples/kubernetes/ceph"
+CEPH_CRDS_FILE_PATH="${CEPH_CRDS_DIR}/crds.yaml"
+CEPH_HELM_CRDS_DIR="${DESTINATION_ROOT}/cluster/charts/rook-ceph/templates"
+CEPH_HELM_CRDS_FILE_PATH="${CEPH_HELM_CRDS_DIR}/resources.yaml"
 
 #############
 # FUNCTIONS #
@@ -59,7 +61,9 @@ generate_vol_rep_crds() {
 }
 
 generating_main_crd() {
+  mkdir -p "$CEPH_CRDS_DIR"
   true > "$CEPH_CRDS_FILE_PATH"
+  mkdir -p "$CEPH_HELM_CRDS_DIR"
   true > "$CEPH_HELM_CRDS_FILE_PATH"
 cat <<EOF > "$CEPH_CRDS_FILE_PATH"
 ##############################################################################

cluster/olm/ceph/deploy/operator.yaml

@@ -0,0 +1,151 @@
+# OLM: BEGIN OPERATOR DEPLOYMENT
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rook-ceph-operator
+  namespace: rook-ceph # namespace:operator
+  labels:
+    operator: rook
+    storage-backend: ceph
+spec:
+  selector:
+    matchLabels:
+      app: rook-ceph-operator
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: rook-ceph-operator
+    spec:
+      serviceAccountName: rook-ceph-system
+      containers:
+        - name: rook-ceph-operator
+          image: rook/ceph:master
+          args: ["ceph", "operator"]
+          volumeMounts:
+            - mountPath: /var/lib/rook
+              name: rook-config
+            - mountPath: /etc/ceph
+              name: default-config-dir
+            - mountPath: /etc/webhook
+              name: webhook-cert
+          ports:
+            - containerPort: 9443
+              name: https-webhook
+              protocol: TCP
+          env:
+            # If the operator should only watch for cluster CRDs in the same namespace, set this to "true".
+            # If this is not set to true, the operator will watch for cluster CRDs in all namespaces.
+            - name: ROOK_CURRENT_NAMESPACE_ONLY
+              value: "false"
+            # Rook Discover toleration. Will tolerate all taints with all keys.
+            # Choose between NoSchedule, PreferNoSchedule and NoExecute:
+            # - name: DISCOVER_TOLERATION
+            #   value: "NoSchedule"
+            # (Optional) Rook Discover toleration key. Set this to the key of the taint you want to tolerate
+            # - name: DISCOVER_TOLERATION_KEY
+            #   value: "<KeyOfTheTaintToTolerate>"
+            # (Optional) Rook Discover tolerations list. Put here list of taints you want to tolerate in YAML format.
+            # - name: DISCOVER_TOLERATIONS
+            #   value: |
+            #     - effect: NoSchedule
+            #       key: node-role.kubernetes.io/controlplane
+            #       operator: Exists
+            #     - effect: NoExecute
+            #       key: node-role.kubernetes.io/etcd
+            #       operator: Exists
+            # (Optional) Rook Discover priority class name to set on the pod(s)
+            # - name: DISCOVER_PRIORITY_CLASS_NAME
+            #   value: "<PriorityClassName>"
+            # (Optional) Discover Agent NodeAffinity.
+            # - name: DISCOVER_AGENT_NODE_AFFINITY
+            #   value: "role=storage-node; storage=rook, ceph"
+            # (Optional) Discover Agent Pod Labels.
+            # - name: DISCOVER_AGENT_POD_LABELS
+            #   value: "key1=value1,key2=value2"
+
+            # The duration between discovering devices in the rook-discover daemonset.
+            - name: ROOK_DISCOVER_DEVICES_INTERVAL
+              value: "60m"
+
+            # Whether to start pods as privileged that mount a host path, which includes the Ceph mon and osd pods.
+            # Set this to true if SELinux is enabled (e.g. OpenShift) to workaround the anyuid issues.
+            # For more details see https://github.com/rook/rook/issues/1314#issuecomment-355799641
+            - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
+              value: "false"
+
+            # In some situations SELinux relabelling breaks (times out) on large filesystems, and doesn't work with cephfs ReadWriteMany volumes (last relabel wins).
+            # Disable it here if you have similar issues.
+            # For more details see https://github.com/rook/rook/issues/2417
+            - name: ROOK_ENABLE_SELINUX_RELABELING
+              value: "true"
+
+            # In large volumes it will take some time to chown all the files. Disable it here if you have performance issues.
+            # For more details see https://github.com/rook/rook/issues/2254
+            - name: ROOK_ENABLE_FSGROUP
+              value: "true"
+
+            # Disable automatic orchestration when new devices are discovered
+            - name: ROOK_DISABLE_DEVICE_HOTPLUG
+              value: "false"
+
+            # Provide customised regex as the values using comma. For eg. regex for rbd based volume, value will be like "(?i)rbd[0-9]+".
+            # In case of more than one regex, use comma to separate between them.
+            # Default regex will be "(?i)dm-[0-9]+,(?i)rbd[0-9]+,(?i)nbd[0-9]+"
+            # Add regex expression after putting a comma to blacklist a disk
+            # If value is empty, the default regex will be used.
+            - name: DISCOVER_DAEMON_UDEV_BLACKLIST
+              value: "(?i)dm-[0-9]+,(?i)rbd[0-9]+,(?i)nbd[0-9]+"
+
+            # Time to wait until the node controller will move Rook pods to other
+            # nodes after detecting an unreachable node.
+            # Pods affected by this setting are:
+            # mgr, rbd, mds, rgw, nfs, PVC based mons and osds, and ceph toolbox
+            # The value used in this variable replaces the default value of 300 secs
+            # added automatically by k8s as Toleration for
+            # <node.kubernetes.io/unreachable>
+            # The total amount of time to reschedule Rook pods in healthy nodes
+            # before detecting a <not ready node> condition will be the sum of:
+            #  --> node-monitor-grace-period: 40 seconds (k8s kube-controller-manager flag)
+            #  --> ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS: 5 seconds
+            - name: ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS
+              value: "5"
+
+            # The name of the node to pass with the downward API
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # The pod name to pass with the downward API
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            # The pod namespace to pass with the downward API
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # Recommended resource requests and limits, if desired
+          #resources:
+          #  limits:
+          #    cpu: 500m
+          #    memory: 256Mi
+          #  requests:
+          #    cpu: 100m
+          #    memory: 128Mi
+
+          #  Uncomment it to run lib bucket provisioner in multithreaded mode
+          #- name: LIB_BUCKET_PROVISIONER_THREADS
+          #  value: "5"
+
+      # Uncomment it to run rook operator on the host network
+      #hostNetwork: true
+      volumes:
+        - name: rook-config
+          emptyDir: {}
+        - name: default-config-dir
+          emptyDir: {}
+        - name: webhook-cert
+          emptyDir: {}
+# OLM: END OPERATOR DEPLOYMENT