Fixes for OLM style deployments (#662)

When publishing the 2.0.0 operator in operatorhub.io/OpenShift, I came across a few issues that were preventing it. This change addresses that. A summary of the changes are: - use a new channel for the 2.0.0 release. We are switching from a namespace scoped operator to a cluster scoped operator, so we need to define a new channel to prevent upgrading from the 1.x.x operator to the 2.x.x operator. The new channel is called v2-stable (the old channel was stable). - change the minimum Kubernetes version from 1.21.1 to 1.21.0. There is no change in our support, but to get the operator on OpenShift we had to drop the x.x.1 to be compatible with OCP 4.8. - don't allow the operator CRD write permissions of OLM style deployments. We added CRD write permissions so that the operator can update the conversion webhook, which is stored in the CRD, with the CA bundle of the webhook cert. OLM style deployments handle this themselves, so the operator does not need to do anything. This also required us to upgrade OLM in our tests from 0.22.0 to 0.26.0. The old version we were using didn't automatically update the conversion webhook.
vertica · Jan 11, 2024 · 6245715 · 6245715
1 parent cf5f0bf
commit 6245715
Show file tree

Hide file tree

Showing 11 changed files with 59 additions and 24 deletions.
diff --git a/Makefile b/Makefile
@@ -29,8 +29,12 @@ SOAK_CFG?=local-soak.cfg
 # cause an infinite number of iterations to run.
 NUM_SOAK_ITERATIONS?=1
 
-# CHANNELS define the bundle channels used in the bundle. 
-CHANNELS=stable
+# CHANNELS define the bundle channels used in the bundle:
+# - stable: This was the channel named for the first version of the operator
+#   when it was namespace scoped.
+# - v2-stable: This is the new channel name to use for cluster scoped operator.
+#   This corresponds with the 2.0.0 release of the operator.
+CHANNELS=v2-stable
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
 # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
 # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
@@ -42,7 +46,7 @@ endif
 # To re-generate a bundle for any other default channel without changing the default setup, you can:
 # - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)
 # - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")
-DEFAULT_CHANNEL=stable
+DEFAULT_CHANNEL?=v2-stable
 ifneq ($(origin DEFAULT_CHANNEL), undefined)
 BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
 endif

diff --git a/README.md b/README.md
@@ -9,8 +9,8 @@ See [Containerized Environments](https://docs.vertica.com/latest/en/supported-pl
 # Prerequisites
 
 - Resources to deploy Kubernetes objects
-- Kubernetes (version 1.21.1+)
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (version 1.21.1+)  
+- Kubernetes (version 1.21.0+)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (version 1.21.0+)
 - [helm](https://helm.sh/docs/intro/install/) (version 3.5.0+)
 
 # Installing the VerticaDB Operator

diff --git a/changes/unreleased/Changed-20240111-104241.yaml b/changes/unreleased/Changed-20240111-104241.yaml
@@ -0,0 +1,5 @@
+kind: Changed
+body: Drop CRD write permissions for OLM style deployments
+time: 2024-01-11T10:42:41.589206787-04:00
+custom:
+  Issue: "662"
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -165,19 +165,14 @@ func setupWebhook(ctx context.Context, mgr manager.Manager, restCfg *rest.Config
 			return fmt.Errorf("failed to setup the webhook: %w", err)
 		}
 		if oc.WebhookCertSecret == "" {
-			setupLog.Info("geneating webhook cert")
+			setupLog.Info("generating webhook cert")
 			if err := security.GenerateWebhookCert(ctx, &setupLog, restCfg, CertDir, oc.PrefixName, ns); err != nil {
 				return err
 			}
 		} else if val, ok := os.LookupEnv(vmeta.OperatorDeploymentMethodEnvVar); ok && val == vmeta.OLMDeploymentType {
 			// OLM will generate the cert themselves and they have their own
-			// mechanism to update the webhook configs. We only need to include
-			// the CA bundle in the CRD for the conversion webhook.
-			setupLog.Info("OLM deployment detected. Only updating the conversion webhook", "deploymentType", val)
-			if err := security.PatchConversionWebhookFromSecret(ctx, &setupLog, restCfg,
-				oc.WebhookCertSecret, oc.PrefixName, ns); err != nil {
-				return err
-			}
+			// mechanism to update the webhook configs and conversion webhook in the CRD.
+			setupLog.Info("OLM deployment detected. Skipping webhook cert update")
 		} else if !oc.UseCertManager {
 			setupLog.Info("using provided webhook cert", "secret", oc.WebhookCertSecret)
 			if err := security.PatchWebhookCABundleFromSecret(ctx, &setupLog, restCfg, oc.WebhookCertSecret,

diff --git a/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml b/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml
@@ -1971,7 +1971,7 @@ spec:
   - email: [email protected]
     name: Matt Spilchen
   maturity: stable
-  minKubeVersion: 1.21.1
+  minKubeVersion: 1.21.0
   provider:
     name: Vertica
     url: http://www.vertica.com

diff --git a/helm-charts/verticadb-operator/tests/manager-role_test.yaml b/helm-charts/verticadb-operator/tests/manager-role_test.yaml
@@ -0,0 +1,18 @@
+suite: Manager ClusterRole
+templates:
+  - verticadb-operator-manager-role-cr.yaml
+tests:
+  - it: should have CRD update permissions by default
+    asserts:
+    - contains:
+        path: rules
+        content:
+          apiGroups:
+          - apiextensions.k8s.io
+          resources:
+          - customresourcedefinitions
+          verbs:
+          - get
+          - list
+          - patch
+          - update
diff --git a/pkg/controllers/vdb/verticadb_controller.go b/pkg/controllers/vdb/verticadb_controller.go
@@ -76,10 +76,6 @@ type VerticaDBReconciler struct {
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch
 
-// We need the ability to update CRDs so that we can refresh the client cert for
-// the conversion webhook.
-// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;update;patch
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *VerticaDBReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).

diff --git a/scripts/deploy-olm.sh b/scripts/deploy-olm.sh
@@ -105,7 +105,6 @@ metadata:
   name: e2e-verticadb-subscription
   namespace: $NAMESPACE
 spec:
-  channel: stable
   name: verticadb-operator
   source: $CATALOG_SOURCE_NAME
   sourceNamespace: $OLM_NS

diff --git a/scripts/gen-csv.sh b/scripts/gen-csv.sh
@@ -60,11 +60,12 @@ then
     usage
 fi
 
-VERSION=${@:$OPTIND:1}
-BUNDLE_METADATA_OPTS=${@:$OPTIND+1:1}
-BUNDLE_GEN_FLAGS="-q --overwrite --version $VERSION $BUNDLE_METADATA_OPTS $USE_IMAGE_DIGESTS_FLAG"
-
 set -o xtrace
+shift $(expr $OPTIND - 1)
+VERSION=$1
+shift
+BUNDLE_METADATA_OPTS=$@
+BUNDLE_GEN_FLAGS="-q --overwrite --version $VERSION $BUNDLE_METADATA_OPTS $USE_IMAGE_DIGESTS_FLAG"
 
 cd $REPO_DIR
 rm -rf bundle/ 2>/dev/null || true

diff --git a/scripts/setup-olm.sh b/scripts/setup-olm.sh
@@ -82,7 +82,7 @@ if ! $SCRIPT_DIR/is-openshift.sh
 then
     if ! kubectl get -n $OLM_NS deployment olm-operator
     then
-        $OPERATOR_SDK olm install --version 0.22.0
+        $OPERATOR_SDK olm install --version 0.26.0
 
         # Delete the default catalog that OLM ships with to avoid a lot of duplicates entries.
         kubectl delete catalogsource operatorhubio-catalog -n $OLM_NS || true
@@ -101,6 +101,8 @@ metadata:
   namespace: $OLM_NS
 spec:
   sourceType: grpc
+  grpcPodConfig:
+    securityContextConfig: restricted
   image: $(make echo-images | grep OLM_CATALOG_IMG | cut -d"=" -f2)
 EOF
 

diff --git a/scripts/template-helm-chart.sh b/scripts/template-helm-chart.sh
@@ -189,3 +189,18 @@ do
     perl -i -0777 -pe 's/(--verticaautoscaler-concurrency=)[0-9]+/$1\{\{ .Values.reconcileConcurrency.verticaautoscaler \}\}/g' $f
     perl -i -0777 -pe 's/(--eventtrigger-concurrency=)[0-9]+/$1\{\{ .Values.reconcileConcurrency.eventtrigger \}\}/g' $f
 done
+
+# 20. Add permissions to manager ClusterRole to allow it to patch the CRD. This
+# is only needed if the webhook cert is generated by the operator or provided
+# by a Secret.
+cat << EOF >> $TEMPLATE_DIR/verticadb-operator-manager-role-cr.yaml
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+EOF