diff --git a/go.mod b/go.mod index 2636ce5f163..f7140c786f3 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/go-logr/logr v1.2.4 github.com/golang/mock v1.6.0 github.com/google/go-cmp v0.5.9 + github.com/google/uuid v1.3.0 github.com/googleapis/gnostic v0.5.5 github.com/itchyny/gojq v0.11.0 github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2 @@ -124,7 +125,6 @@ require ( github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.3.0 // indirect github.com/gorilla/mux v1.8.0 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go index 5cac02b6cf6..ffa2a6448ae 100644 --- a/pkg/controller/operators/olm/operator_test.go +++ b/pkg/controller/operators/olm/operator_test.go @@ -8,6 +8,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "encoding/pem" + "errors" "fmt" "math" "math/big" @@ -50,6 +51,9 @@ import ( operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" "github.com/operator-framework/api/pkg/operators/v1alpha1" + opregistry "github.com/operator-framework/operator-registry/pkg/registry" + clienttesting "k8s.io/client-go/testing" + "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned" "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned/fake" "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs" @@ -64,8 +68,6 @@ import ( "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil" "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer" "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped" - opregistry "github.com/operator-framework/operator-registry/pkg/registry" - clienttesting "k8s.io/client-go/testing" ) type TestStrategy struct{} @@ -4453,6 +4455,306 @@ func TestSyncOperatorGroups(t *testing.T) { LastUpdated: &now, }, }, + { + name: "MatchingNamespace/NoCSVs/CreatesClusterRoles", + expectedEqual: true, + initial: initial{ + operatorGroup: &operatorsv1.OperatorGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: "operator-group-1", + Namespace: operatorNamespace, + UID: "1234", + }, + Spec: operatorsv1.OperatorGroupSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": "app-a"}, + }, + }, + }, + k8sObjs: []runtime.Object{ + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: operatorNamespace, + }, + }, + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetNamespace, + Labels: map[string]string{"app": "app-a"}, + }, + }, + }, + }, + expectedStatus: operatorsv1.OperatorGroupStatus{ + Namespaces: []string{targetNamespace}, + LastUpdated: &now, + }, + final: final{objects: map[string][]runtime.Object{ + "": { + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.admin-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "admin", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.edit-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "edit", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.view-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "view", + }, + }, + }, + }, + }}, + }, + { + // check that even if old cluster roles exist, we create the new ones and leave the old ones unchanged + name: "MatchingNamespace/NoCSVs/UpdatesOldClusterRoles", + expectedEqual: true, + initial: initial{ + operatorGroup: &operatorsv1.OperatorGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: "operator-group-1", + Namespace: operatorNamespace, + UID: "1234", + }, + Spec: operatorsv1.OperatorGroupSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": "app-a"}, + }, + }, + }, + k8sObjs: []runtime.Object{ + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: operatorNamespace, + }, + }, + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetNamespace, + Labels: map[string]string{"app": "app-a"}, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-admin", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-view", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-edit", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + }, + }, + expectedStatus: operatorsv1.OperatorGroupStatus{ + Namespaces: []string{targetNamespace}, + LastUpdated: &now, + }, + final: final{objects: map[string][]runtime.Object{ + "": { + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.admin-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "admin", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.edit-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "edit", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.view-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "view", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-admin", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-view", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "operator-group-1-edit", + Labels: map[string]string{ + "olm.owner": "operator-group-1", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + }, + }, + }, + }, + }}, + }, + { + name: "MatchingNamespace/NoCSVs/Updates" + + "" + + "" + + "" + + "" + + "" + + "" + + "" + + "ClusterRoles", + expectedEqual: true, + initial: initial{ + operatorGroup: &operatorsv1.OperatorGroup{ + ObjectMeta: metav1.ObjectMeta{ + Name: "operator-group-1", + Namespace: operatorNamespace, + UID: "1234", + }, + Spec: operatorsv1.OperatorGroupSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": "app-a"}, + }, + }, + }, + k8sObjs: []runtime.Object{ + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: operatorNamespace, + }, + }, + &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetNamespace, + Labels: map[string]string{"app": "app-a"}, + }, + }, + }, + }, + expectedStatus: operatorsv1.OperatorGroupStatus{ + Namespaces: []string{targetNamespace}, + LastUpdated: &now, + }, + final: final{objects: map[string][]runtime.Object{ + "": { + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.admin-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "admin", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.edit-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "edit", + }, + }, + }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + ResourceVersion: "", + Name: "olm.operatorgroup.view-aaaaa", + Labels: map[string]string{ + "olm.owner": "1234", + "olm.owner.namespace": "operator-ns", + "olm.owner.kind": "OperatorGroup", + "olm.operatorgroup.rolelevel": "view", + }, + }, + }, + }, + }}, + }, { name: "MatchingNamespace/CSVPresent/Found", expectedEqual: true, @@ -4900,6 +5202,10 @@ func TestSyncOperatorGroups(t *testing.T) { return copied } + // change the genName function to return a predictable value + genName = func(prefix string) string { + return fmt.Sprintf("%saaaaa", prefix) + } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { // Pick out Namespaces @@ -5022,7 +5328,10 @@ func TestSyncOperatorGroups(t *testing.T) { for namespace, objects := range tt.final.objects { if err := RequireObjectsInCache(t, op.lister, namespace, objects, true); err != nil { - return false, nil + if apierrors.IsNotFound(err) { + return false, nil + } + return false, err } } @@ -5258,7 +5567,10 @@ func RequireObjectsInCache(t *testing.T, lister operatorlister.OperatorLister, n require.Failf(t, "couldn't find expected object", "%#v", object) } if err != nil { - return fmt.Errorf("namespace: %v, error: %v", namespace, err) + if apierrors.IsNotFound(err) { + return err + } + return errors.Join(err, fmt.Errorf("namespace: %v, error: %v", namespace, err)) } if doCompare { if !reflect.DeepEqual(object, fetched) { diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go index cd135c8058f..b010a0ad097 100644 --- a/pkg/controller/operators/olm/operatorgroup.go +++ b/pkg/controller/operators/olm/operatorgroup.go @@ -7,7 +7,8 @@ import ( "reflect" "strings" - utillabels "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/labels" + "k8s.io/apiserver/pkg/storage/names" + "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -17,14 +18,17 @@ import ( "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/errors" + utillabels "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/labels" + operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" "github.com/operator-framework/api/pkg/operators/v1alpha1" + opregistry "github.com/operator-framework/operator-registry/pkg/registry" + "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install" "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/decorators" "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/resolver/cache" hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash" "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil" - opregistry "github.com/operator-framework/operator-registry/pkg/registry" ) const ( @@ -43,6 +47,7 @@ var ( EditSuffix: EditVerbs, ViewSuffix: ViewVerbs, } + genName = names.SimpleNameGenerator.GenerateName ) func aggregationLabelFromAPIKey(k opregistry.APIKey, suffix string) (string, error) { @@ -978,38 +983,34 @@ func (a *Operator) updateNamespaceList(op *operatorsv1.OperatorGroup) ([]string, } func (a *Operator) ensureOpGroupClusterRole(op *operatorsv1.OperatorGroup, suffix string, apis cache.APISet) error { + // create target cluster role spec clusterRole := &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Name: strings.Join([]string{op.GetName(), suffix}, "-"), - }, - } - var selectors []metav1.LabelSelector - for api := range apis { - aggregationLabel, err := aggregationLabelFromAPIKey(api, suffix) - if err != nil { - return err - } - selectors = append(selectors, metav1.LabelSelector{ - MatchLabels: map[string]string{ - aggregationLabel: "true", + Name: genName(fmt.Sprintf("olm.operatorgroup.%s-", suffix)), + Labels: map[string]string{ + ownerutil.OlmOperatorGroupClusterRoleLevel: suffix, }, - }) - } - if len(selectors) > 0 { - clusterRole.AggregationRule = &rbacv1.AggregationRule{ - ClusterRoleSelectors: selectors, - } + }, } - err := ownerutil.AddOwnerLabels(clusterRole, op) + + var err error + clusterRole.AggregationRule, err = a.getClusterRoleAggregationRule(apis, suffix) if err != nil { return err } - existingRole, err := a.lister.RbacV1().ClusterRoleLister().Get(clusterRole.Name) - if err != nil && !apierrors.IsNotFound(err) { + if err := ownerutil.AddOwnerLabels(clusterRole, op); err != nil { return err } - if apierrors.IsNotFound(err) { + + // get existing cluster role for this level (suffix: admin, edit, view)) + existingClusterRoleList, err := a.lister.RbacV1().ClusterRoleLister().List(labels.SelectorFromSet(ownerutil.ClusterRoleByOwnerAndLevel(op, suffix))) + if err != nil { + return err + } + + var existingRole *rbacv1.ClusterRole + if len(existingClusterRoleList) == 0 { existingRole, err = a.opClient.KubernetesInterface().RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}) if err == nil { return nil @@ -1018,6 +1019,10 @@ func (a *Operator) ensureOpGroupClusterRole(op *operatorsv1.OperatorGroup, suffi a.logger.WithError(err).Errorf("Create cluster role failed: %v", clusterRole) return err } + } else if len(existingClusterRoleList) == 1 { + existingRole = existingClusterRoleList[0].DeepCopy() + } else { + return fmt.Errorf("found multiple cluster roles at level '%s' for operator group: '%s'", suffix, op.Name) } if existingRole != nil && labels.Equals(existingRole.Labels, clusterRole.Labels) && reflect.DeepEqual(existingRole.AggregationRule, clusterRole.AggregationRule) { @@ -1031,6 +1036,27 @@ func (a *Operator) ensureOpGroupClusterRole(op *operatorsv1.OperatorGroup, suffi return nil } +func (a *Operator) getClusterRoleAggregationRule(apis cache.APISet, suffix string) (*rbacv1.AggregationRule, error) { + var selectors []metav1.LabelSelector + for api := range apis { + aggregationLabel, err := aggregationLabelFromAPIKey(api, suffix) + if err != nil { + return nil, err + } + selectors = append(selectors, metav1.LabelSelector{ + MatchLabels: map[string]string{ + aggregationLabel: "true", + }, + }) + } + if len(selectors) > 0 { + return &rbacv1.AggregationRule{ + ClusterRoleSelectors: selectors, + }, nil + } + return nil, nil +} + func (a *Operator) ensureOpGroupClusterRoles(op *operatorsv1.OperatorGroup, apis cache.APISet) error { for _, suffix := range Suffices { if err := a.ensureOpGroupClusterRole(op, suffix, apis); err != nil { diff --git a/pkg/lib/ownerutil/util.go b/pkg/lib/ownerutil/util.go index 24ff1afe2e0..93e002bb4a9 100644 --- a/pkg/lib/ownerutil/util.go +++ b/pkg/lib/ownerutil/util.go @@ -20,10 +20,14 @@ import ( ) const ( - OwnerKey = "olm.owner" - OwnerNamespaceKey = "olm.owner.namespace" - OwnerKind = "olm.owner.kind" - OwnerPackageServer = "packageserver" + OwnerKey = "olm.owner" + OwnerNamespaceKey = "olm.owner.namespace" + OwnerKind = "olm.owner.kind" + OlmOperatorGroupClusterRoleLevel = "olm.operatorgroup.rolelevel" + ClusterRoleLevelAdmin = "admin" + ClusterRoleLevelEdit = "edit" + ClusterRoleLevelView = "view" + OwnerPackageServer = "packageserver" ) var ( @@ -208,12 +212,18 @@ func NonBlockingOwner(owner Owner) metav1.OwnerReference { // OwnerLabel returns a label added to generated objects for later querying func OwnerLabel(owner Owner, kind string) map[string]string { return map[string]string{ - OwnerKey: owner.GetName(), + OwnerKey: string(owner.GetUID()), OwnerNamespaceKey: owner.GetNamespace(), OwnerKind: kind, } } +func ClusterRoleByOwnerAndLevel(owner Owner, level string) map[string]string { + labels := OwnerLabel(owner, "OperatorGroup") + labels[OlmOperatorGroupClusterRoleLevel] = level + return labels +} + // AddOwnerLabels adds ownerref-like labels to an object by inferring the owner kind func AddOwnerLabels(object metav1.Object, owner Owner) error { err := InferGroupVersionKind(owner) @@ -272,6 +282,11 @@ func CSVOwnerSelector(owner *operatorsv1alpha1.ClusterServiceVersion) labels.Sel return labels.SelectorFromSet(OwnerLabel(owner, operatorsv1alpha1.ClusterServiceVersionKind)) } +// ClusterRoleSelector returns a label selector to find cluster role objects owned by owner +func ClusterRoleSelector(owner *operatorsv1.OperatorGroup) labels.Selector { + return labels.SelectorFromSet(OwnerLabel(owner, operatorsv1.OperatorGroupKind)) +} + // AddOwner adds an owner to the ownerref list. func AddOwner(object metav1.Object, owner Owner, blockOwnerDeletion, isController bool) { // Most of the time we won't have TypeMeta on the object, so we infer it for types we know about diff --git a/test/e2e/operator_groups_e2e_test.go b/test/e2e/operator_groups_e2e_test.go index 743f8ff37df..b24966250f5 100644 --- a/test/e2e/operator_groups_e2e_test.go +++ b/test/e2e/operator_groups_e2e_test.go @@ -340,21 +340,22 @@ var _ = Describe("Operator Group", func() { }) // validate provided API clusterroles for the operatorgroup - adminRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), operatorGroup.Name+"-admin", metav1.GetOptions{}) + roleNamePrefix := fmt.Sprintf("olm.%s.operator-group.%s.role.", opGroupNamespace, operatorGroup.Name) + adminRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), roleNamePrefix+"admin", metav1.GetOptions{}) require.NoError(GinkgoT(), err) adminPolicyRules := []rbacv1.PolicyRule{ {Verbs: []string{"*"}, APIGroups: []string{mainCRD.Spec.Group}, Resources: []string{mainCRDPlural}}, } require.Equal(GinkgoT(), adminPolicyRules, adminRole.Rules) - editRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), operatorGroup.Name+"-edit", metav1.GetOptions{}) + editRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), roleNamePrefix+"edit", metav1.GetOptions{}) require.NoError(GinkgoT(), err) editPolicyRules := []rbacv1.PolicyRule{ {Verbs: []string{"create", "update", "patch", "delete"}, APIGroups: []string{mainCRD.Spec.Group}, Resources: []string{mainCRDPlural}}, } require.Equal(GinkgoT(), editPolicyRules, editRole.Rules) - viewRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), operatorGroup.Name+"-view", metav1.GetOptions{}) + viewRole, err := c.KubernetesInterface().RbacV1().ClusterRoles().Get(context.TODO(), roleNamePrefix+"view", metav1.GetOptions{}) require.NoError(GinkgoT(), err) viewPolicyRules := []rbacv1.PolicyRule{ {Verbs: []string{"get"}, APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, ResourceNames: []string{mainCRD.Name}},