From 15254849aeee1a19822534bf302ac1f7e0771182 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Mon, 11 Aug 2025 15:55:39 -0500 Subject: [PATCH 1/5] Add olmv1 blog wip --- ...-olmv1-support-and-chart-dependencies.adoc | 147 ++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc diff --git a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc new file mode 100644 index 000000000..659729470 --- /dev/null +++ b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc @@ -0,0 +1,147 @@ +--- + date: 2025-07-24 + title: Supporting the Latest Standards with Validated Patterns + summary: This post introduces how the Validated Patterns framework supports OLMv1, the new operator packaging standard + author: Martin Jackson + blog_tags: + - patterns + - announce +--- +:toc: +:imagesdir: /images + +Open Source Technology is always evolving, and we need to be prepared to evolve with it. In OpenShift 4.18, Red Hat +promoted the new OLMv1 packaging standard to General Availability. OLM is the Operator Lifecycle Manager, a vital +component of OpenShift. Users generally do not interact with OLM as such, but they are familiar with how OpenShift +offers Operators to install on clusters and OperatorHub - all of the operators advertized there are offered as OLM +packages. + +Up until this point, Validated Patterns have only supported installation via OLMv0. OLMv1 uses the same packaging +format, but places some restrictions on what the bundles can and cannot do. Further, OLMv1 requires a serviceAccount +to explicitly be named to install the bundle. This required changes to one of the framework's key charts, and that in +turn led to changes with how we manage our chart publication pipeline. This blog post will cover three topics: + +* Support for OLMv1 objects (ClusterExtensions) in the Validated Patterns Framework +* Using the new vp-rbac chart with Validated Patterns +* How our chart building pipeline had to change + +Please note that all of these changes are effective as of the publication of clustergroup chart version 0.9.30, so any +new installation of any publicly maintained Validated Pattern after August 8, 2025 will be able to make use of these +new features. + +== Support for OLMv1 (ClusterExtensions) + +Definitive explanations of what OLMv1 is can be found here: link:https://www.redhat.com/en/blog/announcing-olm-v1-next-generation-operator-lifecycle-management[Announcing OLM v1: Next-Generation Operator Lifecycle Management]. Detailed +information on how to create ClusterExtension objects can be found here: link:https://developers.redhat.com/articles/2025/06/02/manage-operators-clusterextensions-olm-v1[Manage operators as ClusterExtensions with OLM v1]. + +OLMv1 introduces a completely new Kubernetes Kind, the ClusterExtension, which functions somewhat differently than the +Subscription object that previous versions of OLM used. Further, OLMv1 requires the explicit use of a service account +with which to install the operator bundle. OLMv1 is fairly restrictive in not allowing several previously common +methods of declaring version constraints, but over time we expect more operator bundles will support being installed +via OLMv1. + +OLMv1 objects are created by passing entries through the Subscriptions object. Each subscription may be an OLMv0 or +OLMv1 object. The determination on which type of object to create is based on the presence of OLMv1 specific fields. +If the object for the subscription contains a "channels", "upgradeConstraintPolicy" or "serviceAccount" key, an OLMv1 +ClusterExtension object will be created. Otherwise, the framework will create an OLMv0 Subscription. Existing code +will continue to function as it has. + +Here is an example of a subscription object that will create an OLMv1 ClusterExtension: + +[source,yaml] +---- +--- + subscriptions: + quay-operator: + name: quay-operator + namespace: redhat-quay + channels: [ "stable-3.12" ] + serviceAccountName: quay-sa +---- + +The chart sees the "channels" key and the "serviceAccountName" key and knows that it should create an OLMv1 object +based on that. The name becomes the OLMv1 PackageName. You may also specify a "version" key to pin the subscription +to a specific version or range as described link:https://developers.redhat.com/articles/2025/06/02/manage-operators-clusterextensions-olm-v1#3__upgrade_a_clusterextension[here]. If you need it, the chart also understands and uses the +"upgradeConstraintPolicy" key. + +Additionally, OLMv1 allows multiple channels to be added, so they key "channels" takes an array of channel names. + +The final difference is the serviceAccountName. OLMv1 now requires a service account name to install each operator. +Before, the Validated Patterns framework did not have a mechanism to install serviceAccounts, roles, or role +bindings early enough for them to be used to install operators. Several patterns had their own structures for +adding these objects, but they were private to the patterns, or else not especially flexible and could not be +changed without effectively re-writing them. Since that chart had been published under the name "rbac" in our charts +repository, we wrote a new chart that could be used by clustergroup, and could be included as a dependency in other +charts as well. + +== Using vp-rbac + +The new vp-rbac chart is designed to provision serviceAccounts, roles, clusterRoles, and rolebindings. It was +developed primarily to meet the needs of clustergroup for adding serviceAccounts to install operators with +fine-grained access controls, but can be used for other serviceAccounts scenarios as well. + +The (simplest, though perhaps not the most secure) structure needed to install quay looks like this: + +[source,yaml] +---- +vp-rbac: + serviceAccounts: + quay-sa: + namespace: redhat-quay + roleBindings: + clusterRoles: + - cluster-admin +---- + +The key ('quay-sa' in this case) becomes the name of the serviceAccount, and the namespace key is required. +Rolebindings can be created for roles or clusterRoles; in this case we bind quay-sa to the (pre-existing) +cluster-admin clusterRole. Rolebindings are always part of the serviceAccount structure for this chart. + +The chart also supports creating roles and clusterRoles, if you need to define custom ones. Roles and clusterRoles +support multiple rules. Each rule may specify apiGroups, resources, and verbs. If a rule omits one of these keys, +they each have defaults: apiGroups defaults to [ "'*'" ] (which includes the empty or core apiGroup); resources +similarly defaults to [ "'*'" ]; verbs defaults to [ 'get', 'list', 'watch' ] (that is, "read-only" permissions). + +Here is a more complete example of what can be done with the vp-rbac structure: + +[source,yaml] +---- +vp-rbac: + serviceAccounts: + web-terminal-sa: + namespace: web-terminal + roleBindings: + clusterRoles: + - cluster-admin + test-admin: + namespace: aap-config + roleBindings: + clusterRoles: + - cluster-admin + - view-secrets-cms + roles: + - testrole + createRoles: + testrole: + namespace: aap-config + rules: + - apiGroups: + - '""' + resources: + - configmaps + verbs: + - "list" + - "watch" + createClusterRoles: + view-secrets-cms: + rules: + - apiGroups: + - '""' + resources: + - secrets + - configmaps + verbs: + - "get" + - "list" + - "watch" +---- From 36ee3b32f109c0b45c53fa6c27a8d5212c1f8660 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Tue, 12 Aug 2025 09:41:41 -0500 Subject: [PATCH 2/5] Finish olmv1 blog draft --- ...-olmv1-support-and-chart-dependencies.adoc | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc index 659729470..7f86127f3 100644 --- a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc +++ b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc @@ -121,7 +121,7 @@ vp-rbac: - view-secrets-cms roles: - testrole - createRoles: + roles: testrole: namespace: aap-config rules: @@ -132,7 +132,7 @@ vp-rbac: verbs: - "list" - "watch" - createClusterRoles: + clusterRoles: view-secrets-cms: rules: - apiGroups: @@ -145,3 +145,29 @@ vp-rbac: - "list" - "watch" ---- + +This structure allows the creation of structures as fine-grained as you may need, and also makes it straightforward +to create a serviceAccount with admin just to experiment or as a proof-of-concept if you do not know exactly what +permissions are actually needed. + +== Using vp-rbac + +You can add vp-rbac to your charts by declaring it as a dependency to your chart, like this (in Chart.yaml): + +[source,yaml] +---- +dependencies: + - name: vp-rbac + version: "0.1.*" + repository: "https://charts.validatedpatterns.io" +---- + +We enhanced our chart-building pipeline to be able to resolve and include chart dependencies for the charts +that we publish in link:https://charts.validatedpatterns.io[our chart repository]. + +We may replace some of the RBACs that we create in the patterns framework with the vp-rbac chart, but we +do not plan to do this for all of our charts as this might break backwards compatibility in some cases. + +== We Want Your Feedback! + +We are excited to offer support for OLMv1 fairly early in its adoption cycle; please feel free to give it a try! From 7bd416ab33a3a17b0384859db41e1ab5a3fbf825 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Tue, 12 Aug 2025 10:47:19 -0500 Subject: [PATCH 3/5] Correct dates --- .../blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc index 7f86127f3..1d4af313a 100644 --- a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc +++ b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc @@ -1,5 +1,5 @@ --- - date: 2025-07-24 + date: 2025-08-11 title: Supporting the Latest Standards with Validated Patterns summary: This post introduces how the Validated Patterns framework supports OLMv1, the new operator packaging standard author: Martin Jackson From d10d10d6a9273a6bbad69fe263ad7fe00237d6b3 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 13 Aug 2025 07:28:09 -0500 Subject: [PATCH 4/5] Avoid unintentional bolding --- .../blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc index 1d4af313a..eb60bcf2e 100644 --- a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc +++ b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc @@ -99,7 +99,7 @@ cluster-admin clusterRole. Rolebindings are always part of the serviceAccount st The chart also supports creating roles and clusterRoles, if you need to define custom ones. Roles and clusterRoles support multiple rules. Each rule may specify apiGroups, resources, and verbs. If a rule omits one of these keys, -they each have defaults: apiGroups defaults to [ "'*'" ] (which includes the empty or core apiGroup); resources +they each have defaults: apiGroups defaults to [ "'\*'" ] (which includes the empty or core apiGroup); resources similarly defaults to [ "'*'" ]; verbs defaults to [ 'get', 'list', 'watch' ] (that is, "read-only" permissions). Here is a more complete example of what can be done with the vp-rbac structure: From 9e00cc322a5160b99f8af09492d3f3adc14cdd22 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 13 Aug 2025 16:38:12 -0500 Subject: [PATCH 5/5] Add issues links for clustergroup and vp-rbac charts --- .../blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc index eb60bcf2e..832f65854 100644 --- a/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc +++ b/content/blog/2025-08-11-olmv1-support-and-chart-dependencies.adoc @@ -171,3 +171,4 @@ do not plan to do this for all of our charts as this might break backwards compa == We Want Your Feedback! We are excited to offer support for OLMv1 fairly early in its adoption cycle; please feel free to give it a try! +If you encounter any issues with the OLMv1 feature in clustergroup, please report them link:https://github.com/validatedpatterns/clustergroup-chart/issues[here]. Any issues witht the vp-rbac chart can be reported link:https://github.com/validatedpatterns/vp-rbac-chart/issues[here].