Add webhook to replicate operandrequest in partial watched namespace (#1059)

* Add webhook to replicate operandrequest in partial watched namespace

Signed-off-by: Daniel Fan <[email protected]>

* update setup-envtest

Signed-off-by: Daniel Fan <[email protected]>

* Add test cases

Signed-off-by: Daniel Fan <[email protected]>

* Update GetFilteredOpreqSpec name

Signed-off-by: Daniel Fan <[email protected]>

* wait for OperandRegistry before annotating OperandRequest

Signed-off-by: Daniel Fan <[email protected]>

---------

Signed-off-by: Daniel Fan <[email protected]>

Author: Daniel-Fan

bundle/manifests/operand-deployment-lifecycle-manager.clusterserviceversion.yaml

@@ -573,6 +573,7 @@ spec:
                 - get
                 - list
                 - watch
+                - update
             - apiGroups:
                 - operator.ibm.com
               resources:
@@ -618,6 +619,18 @@ spec:
                 - patch
                 - update
                 - watch
+            - apiGroups:
+                - admissionregistration.k8s.io
+              resources:
+                - mutatingwebhookconfigurations
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
           serviceAccountName: operand-deployment-lifecycle-manager
       deployments:
         - label:
@@ -705,9 +718,15 @@ spec:
                       privileged: false
                       readOnlyRootFilesystem: true
                       runAsNonRoot: true
+                    volumeMounts:
+                      - mountPath: /etc/ssl/certs/webhook
+                        name: webhook-certs
                 serviceAccount: operand-deployment-lifecycle-manager
                 serviceAccountName: operand-deployment-lifecycle-manager
                 terminationGracePeriodSeconds: 10
+                volumes:
+                  - emptyDir: {}
+                    name: webhook-certs
       permissions:
         - rules:
             - apiGroups:

config/manager/manager.yaml

@@ -92,5 +92,11 @@ spec:
           privileged: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+        volumeMounts:
+          - mountPath: /etc/ssl/certs/webhook
+            name: webhook-certs
       terminationGracePeriodSeconds: 10
       serviceAccount: operand-deployment-lifecycle-manager
+      volumes:
+        - emptyDir: {}
+          name: webhook-certs

config/rbac/role.yaml

@@ -10,6 +10,7 @@ rules:
     - get
     - list
     - watch
+    - update
   apiGroups:
     - operator.ibm.com
   resources:
@@ -62,6 +63,18 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - admissionregistration.k8s.io
+  resources:
+    - mutatingwebhookconfigurations
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

controllers/constant/constant.go

@@ -21,6 +21,11 @@ import (
 )
 
 const (
+	//OperatorName is the name of operator
+	OperatorName string = "operand-deployment-lifecycle-manager"
+
+	//CSVName is the name of Operand Deployment Lifecycle Manager CSV
+	CSVName string = "operand-deployment-lifecycle-manager.v1.21.13"
 
 	//ClusterOperatorNamespace is the namespace of cluster operators
 	ClusterOperatorNamespace string = "openshift-operators"
@@ -52,6 +57,9 @@ const (
 	//FindOperandRegistry is the key for checking if the OperandRegistry is found
 	FindOperandRegistry string = "operator.ibm.com/operandregistry-is-not-found"
 
+	//OdlmManagedLabel is the label used to label the webhook managed by ODLM
+	OdlmManagedLabel string = "operator.ibm.com/managedBy-odlm"
+
 	//HashedData is the key for checking the checksum of data section
 	HashedData string = "hashedData"
 

controllers/util/util.go

@@ -17,14 +17,19 @@
 package util
 
 import (
+	"context"
+	"errors"
 	"os"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // GetOperatorNamespace returns the Namespace of the operator
@@ -70,6 +75,23 @@ func GetoperatorCheckerMode() bool {
 	return false
 }
 
+func GetPartialWatchNamespace() string {
+	ns, found := os.LookupEnv("PARTIAL_WATCH_NAMESPACE")
+	if !found {
+		return ""
+	}
+	return ns
+}
+
+func PartialWatchNamespaceEnabled() bool {
+	// If it is not found, it is enabled by default
+	isEnabled, found := os.LookupEnv("ENABLE_PARTIAL_WATCH_NAMESPACE")
+	if !found || isEnabled == "true" {
+		return true
+	}
+	return false
+}
+
 // ResourceExists returns true if the given resource kind exists
 // in the given api groupversion
 func ResourceExists(dc discovery.DiscoveryInterface, apiGroupVersion, kind string) (bool, error) {
@@ -188,3 +210,46 @@ func Contains(list []string, s string) bool {
 	}
 	return false
 }
+
+// returns error, roleName, roleUID
+func GetClusterRoleDetails(kube client.Client, ns string, csvName string) (string, types.UID, error) {
+	existingResource := &rbacv1.ClusterRoleList{}
+	opts := []client.ListOption{
+		client.MatchingLabels(map[string]string{
+			"olm.owner.namespace": ns,
+			"olm.owner":           csvName,
+		}),
+	}
+	err := kube.List(context.TODO(), existingResource, opts...)
+	if err != nil {
+		return "", "", err
+	}
+	switch len(existingResource.Items) {
+	case 0:
+		return "", "", errors.New("unable to find ClusterRole for operator " + csvName)
+	default:
+		// 1 or more ClusterRole returned so index first one
+		return existingResource.Items[0].Name, existingResource.Items[0].UID, nil
+	}
+}
+
+func GetClusterRole(kube client.Client, ns string, csvName string) (*rbacv1.ClusterRole, error) {
+	existingResource := &rbacv1.ClusterRoleList{}
+	opts := []client.ListOption{
+		client.MatchingLabels(map[string]string{
+			"olm.owner.namespace": ns,
+			"olm.owner":           csvName,
+		}),
+	}
+	err := kube.List(context.TODO(), existingResource, opts...)
+	if err != nil {
+		return nil, err
+	}
+	switch len(existingResource.Items) {
+	case 0:
+		return nil, errors.New("unable to find ClusterRole for operator " + csvName)
+	default:
+		// 1 or more ClusterRole returned so index first one
+		return &existingResource.Items[0], nil
+	}
+}