From 6245715d80bdd3c28e6ed4a545957421385513f4 Mon Sep 17 00:00:00 2001 From: spilchen Date: Thu, 11 Jan 2024 12:55:52 -0400 Subject: [PATCH] Fixes for OLM style deployments (#662) When publishing the 2.0.0 operator in operatorhub.io/OpenShift, I came across a few issues that were preventing it. This change addresses that. A summary of the changes are: - use a new channel for the 2.0.0 release. We are switching from a namespace scoped operator to a cluster scoped operator, so we need to define a new channel to prevent upgrading from the 1.x.x operator to the 2.x.x operator. The new channel is called v2-stable (the old channel was stable). - change the minimum Kubernetes version from 1.21.1 to 1.21.0. There is no change in our support, but to get the operator on OpenShift we had to drop the x.x.1 to be compatible with OCP 4.8. - don't allow the operator CRD write permissions of OLM style deployments. We added CRD write permissions so that the operator can update the conversion webhook, which is stored in the CRD, with the CA bundle of the webhook cert. OLM style deployments handle this themselves, so the operator does not need to do anything. This also required us to upgrade OLM in our tests from 0.22.0 to 0.26.0. The old version we were using didn't automatically update the conversion webhook. --- Makefile | 10 +++++++--- README.md | 4 ++-- .../unreleased/Changed-20240111-104241.yaml | 5 +++++ cmd/operator/main.go | 11 +++-------- ...rticadb-operator.clusterserviceversion.yaml | 2 +- .../tests/manager-role_test.yaml | 18 ++++++++++++++++++ pkg/controllers/vdb/verticadb_controller.go | 4 ---- scripts/deploy-olm.sh | 1 - scripts/gen-csv.sh | 9 +++++---- scripts/setup-olm.sh | 4 +++- scripts/template-helm-chart.sh | 15 +++++++++++++++ 11 files changed, 59 insertions(+), 24 deletions(-) create mode 100644 changes/unreleased/Changed-20240111-104241.yaml create mode 100644 helm-charts/verticadb-operator/tests/manager-role_test.yaml 
diff --git a/Makefile b/Makefile
index b4026c2e4..9359dc35f 100644
--- a/Makefile
+++ b/Makefile
@@ -29,8 +29,12 @@ SOAK_CFG?=local-soak.cfg
 # cause an infinite number of iterations to run.
 NUM_SOAK_ITERATIONS?=1
-# CHANNELS define the bundle channels used in the bundle.
-CHANNELS=stable
+# CHANNELS define the bundle channels used in the bundle:
+# - stable: This was the channel named for the first version of the operator when it was namespace scoped.
+# - v2-stable: This is the new channel name to use for cluster scoped operator. This corresponds with the 2.0.0 release of the operator.
+CHANNELS=v2-stable
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
 # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
 # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
@@ -42,7 +46,7 @@ endif
 # To re-generate a bundle for any other default channel without changing the default setup, you can:
 # - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)
 # - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")
-DEFAULT_CHANNEL=stable
+DEFAULT_CHANNEL?=v2-stable
 ifneq ($(origin DEFAULT_CHANNEL), undefined)
 BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
 endif
diff --git a/README.md b/README.md
index 2cee4ce71..2ec4ea6eb 100644
--- a/README.md
+++ b/README.md
@@ -9,8 +9,8 @@ See [Containerized Environments](https://docs.vertica.com/latest/en/supported-pl
 # Prerequisites
 - Resources to deploy Kubernetes objects
-- Kubernetes (version 1.21.1+)
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (version 1.21.1+)
+- Kubernetes (version 1.21.0+)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (version 1.21.0+)
 - [helm](https://helm.sh/docs/intro/install/) (version 3.5.0+)
 # Installing the VerticaDB Operator
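Review bot: `CHANNELS=v2-stable` keeps a plain `=` while `DEFAULT_CHANNEL` in the second hunk moves to `?=`, yet the comment directly below still says the value can be overridden with `export CHANNELS=...`, which `=` ignores (only a command-line `make CHANNELS=...` wins). Use `CHANNELS?=v2-stable` so both variables behave as the comments document. Since the new channel is what keeps a namespace-scoped 1.x install from being offered the cluster-scoped 2.x operator as an in-place upgrade, a one-line note next to `CHANNELS` saying that 2.x bundles must not be published to `stable` would make the constraint visible to whoever regenerates the bundle.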
diff --git a/changes/unreleased/Changed-20240111-104241.yaml b/changes/unreleased/Changed-20240111-104241.yaml
new file mode 100644
index 000000000..67c3aadf1
--- /dev/null
+++ b/changes/unreleased/Changed-20240111-104241.yaml
@@ -0,0 +1,5 @@
+kind: Changed
+body: Drop CRD write permissions for OLM style deployments
+time: 2024-01-11T10:42:41.589206787-04:00
+custom:
+ Issue: "662"
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
index f694ecd1f..4d91d2a5c 100644
--- a/cmd/operator/main.go
+++ b/cmd/operator/main.go
@@ -165,19 +165,14 @@ func setupWebhook(ctx context.Context, mgr manager.Manager, restCfg *rest.Config
 return fmt.Errorf("failed to setup the webhook: %w", err)
 }
 if oc.WebhookCertSecret == "" {
- setupLog.Info("geneating webhook cert")
+ setupLog.Info("generating webhook cert")
 if err := security.GenerateWebhookCert(ctx, &setupLog, restCfg, CertDir, oc.PrefixName, ns); err != nil {
 return err
 }
 } else if val, ok := os.LookupEnv(vmeta.OperatorDeploymentMethodEnvVar); ok && val == vmeta.OLMDeploymentType {
 // OLM will generate the cert themselves and they have their own
- // mechanism to update the webhook configs. We only need to include
- // the CA bundle in the CRD for the conversion webhook.
- setupLog.Info("OLM deployment detected. Only updating the conversion webhook", "deploymentType", val)
- if err := security.PatchConversionWebhookFromSecret(ctx, &setupLog, restCfg,
- oc.WebhookCertSecret, oc.PrefixName, ns); err != nil {
- return err
- }
+ // mechanism to update the webhook configs and conversion webhook in the CRD.
+ setupLog.Info("OLM deployment detected. Skipping webhook cert update")
 } else if !oc.UseCertManager {
 setupLog.Info("using provided webhook cert", "secret", oc.WebhookCertSecret)
 if err := security.PatchWebhookCABundleFromSecret(ctx, &setupLog, restCfg, oc.WebhookCertSecret,
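Review bot: The new OLM branch drops the `"deploymentType", val` key that the removed log line carried, so a deployment whose `vmeta.OperatorDeploymentMethodEnvVar` is set to the OLM value by mistake leaves no breadcrumb explaining why no CA bundle was ever installed on the webhooks; keep it: `setupLog.Info("OLM deployment detected. Skipping webhook cert update", "deploymentType", val)`. The branch now relies entirely on OLM injecting the conversion-webhook CA bundle, which the commit message says only newer OLM does (tests moved from 0.22.0 to 0.26.0), but nothing in the code records that; extend the comment to `// Requires an OLM release that injects the CA bundle into the CRD conversion webhook (tests use 0.26.0; 0.22.0 did not).` setupWebhook begins and ends outside the hunk.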
diff --git a/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml b/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml
index 83c6db850..fba032706 100644
--- a/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/verticadb-operator.clusterserviceversion.yaml
@@ -1971,7 +1971,7 @@ spec:
 - email: mspilchen@opentext.com
 name: Matt Spilchen
 maturity: stable
- minKubeVersion: 1.21.1
+ minKubeVersion: 1.21.0
 provider:
 name: Vertica
 url: http://www.vertica.com
diff --git a/helm-charts/verticadb-operator/tests/manager-role_test.yaml b/helm-charts/verticadb-operator/tests/manager-role_test.yaml
new file mode 100644
index 000000000..10fbe162d
--- /dev/null
+++ b/helm-charts/verticadb-operator/tests/manager-role_test.yaml
@@ -0,0 +1,18 @@
+suite: Manager ClusterRole
+templates:
+ - verticadb-operator-manager-role-cr.yaml
+tests:
+ - it: should have CRD update permissions by default
+ asserts:
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
diff --git a/pkg/controllers/vdb/verticadb_controller.go b/pkg/controllers/vdb/verticadb_controller.go
index 4254878df..e03241d17 100644
--- a/pkg/controllers/vdb/verticadb_controller.go
+++ b/pkg/controllers/vdb/verticadb_controller.go
@@ -76,10 +76,6 @@ type VerticaDBReconciler struct {
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch
-// We need the ability to update CRDs so that we can refresh the client cert for
-// the conversion webhook.
-// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;update;patch
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *VerticaDBReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
diff --git a/scripts/deploy-olm.sh b/scripts/deploy-olm.sh
index 5c85ea56f..ea1e6685d 100755
--- a/scripts/deploy-olm.sh
+++ b/scripts/deploy-olm.sh
@@ -105,7 +105,6 @@ metadata:
 name: e2e-verticadb-subscription
 namespace: $NAMESPACE
 spec:
- channel: stable
 name: verticadb-operator
 source: $CATALOG_SOURCE_NAME
 sourceNamespace: $OLM_NS
diff --git a/scripts/gen-csv.sh b/scripts/gen-csv.sh
index ae58fbf35..111e1b490 100755
--- a/scripts/gen-csv.sh
+++ b/scripts/gen-csv.sh
@@ -60,11 +60,12 @@ then
 usage
 fi
-VERSION=${@:$OPTIND:1}
-BUNDLE_METADATA_OPTS=${@:$OPTIND+1:1}
-BUNDLE_GEN_FLAGS="-q --overwrite --version $VERSION $BUNDLE_METADATA_OPTS $USE_IMAGE_DIGESTS_FLAG"
-
 set -o xtrace
+shift $(expr $OPTIND - 1)
+VERSION=$1
+shift
+BUNDLE_METADATA_OPTS=$@
+BUNDLE_GEN_FLAGS="-q --overwrite --version $VERSION $BUNDLE_METADATA_OPTS $USE_IMAGE_DIGESTS_FLAG"
 cd $REPO_DIR
 rm -rf bundle/ 2>/dev/null || true
diff --git a/scripts/setup-olm.sh b/scripts/setup-olm.sh
index ad10d6a72..7f9021c58 100755
--- a/scripts/setup-olm.sh
+++ b/scripts/setup-olm.sh
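Review bot: Deleting the kubebuilder marker removes the CRD rule from the generated RBAC, but the same permission is re-added unconditionally to the Helm chart by scripts/template-helm-chart.sh in this commit, so the markers on VerticaDBReconciler no longer describe everything the chart's ClusterRole grants. A short comment at the removal site would keep the two sources in sync for the next reader: `// CRD get/patch/update is deliberately not declared here: the Helm chart adds it (scripts/template-helm-chart.sh) for non-OLM installs that must patch the conversion webhook CA bundle; OLM injects the bundle itself.` The VerticaDBReconciler struct and the markers above it start outside the hunk.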
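Review bot: The bare `shift` after `VERSION=$1` fails when no bundle-metadata options follow the version, because the count then exceeds `$#`; if the script enables `errexit` earlier (outside the hunk) that aborts a call that the old `${@:$OPTIND+1:1}` form handled by yielding an empty value. Guard it with `[ $# -gt 0 ] && shift`, and use the shell's own arithmetic instead of the external `expr`: `shift $((OPTIND - 1))`. `BUNDLE_METADATA_OPTS=$@` joins the remaining arguments into one string that is later word-split inside `BUNDLE_GEN_FLAGS`, so options containing spaces will not survive; `"$*"` at least makes the join explicit.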
@@ -82,7 +82,7 @@ if ! $SCRIPT_DIR/is-openshift.sh
 then
 if ! kubectl get -n $OLM_NS deployment olm-operator
 then
- $OPERATOR_SDK olm install --version 0.22.0
+ $OPERATOR_SDK olm install --version 0.26.0
 # Delete the default catalog that OLM ships with to avoid a lot of duplicates entries.
 kubectl delete catalogsource operatorhubio-catalog -n $OLM_NS || true
@@ -101,6 +101,8 @@ metadata:
 namespace: $OLM_NS
 spec:
 sourceType: grpc
+ grpcPodConfig:
+ securityContextConfig: restricted
 image: $(make echo-images | grep OLM_CATALOG_IMG | cut -d"=" -f2)
 EOF
diff --git a/scripts/template-helm-chart.sh b/scripts/template-helm-chart.sh
index a05cd6dd0..0288a42db 100755
--- a/scripts/template-helm-chart.sh
+++ b/scripts/template-helm-chart.sh
@@ -189,3 +189,18 @@ do
 perl -i -0777 -pe 's/(--verticaautoscaler-concurrency=)[0-9]+/$1\{\{ .Values.reconcileConcurrency.verticaautoscaler \}\}/g' $f
 perl -i -0777 -pe 's/(--eventtrigger-concurrency=)[0-9]+/$1\{\{ .Values.reconcileConcurrency.eventtrigger \}\}/g' $f
 done
+
+# 20. Add permissions to manager ClusterRole to allow it to patch the CRD. This
+# is only needed if the webhook cert is generated by the operator or provided
+# by a Secret.
+cat << EOF >> $TEMPLATE_DIR/verticadb-operator-manager-role-cr.yaml
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+EOF
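Review bot: The rule appended by the new heredoc grants `get`, `list`, `patch` and `update` on every CustomResourceDefinition in the cluster, although the stated purpose is only to refresh the CA bundle on this operator's own conversion webhook; write access to all CRDs lets a misused operator service account change other APIs' schemas and webhooks, so it is worth narrowing. Add `resourceNames:` listing the operator's CRDs (placeholder: `<operator-crd-name>`) to the `patch`/`update` (and `get`) verbs, and keep `list` in a separate rule only if the code actually lists CRDs, since `resourceNames` does not apply to `list`. The comment says the rule is needed only when the cert is operator-generated or Secret-provided, yet it is emitted unconditionally; guarding the block with the chart's cert-manager/webhook setting would match the comment, and the new tests/manager-role_test.yaml would then want a second case asserting the rule is absent. The heredoc is the last statement of the script, so nothing is cut at the hunk edge.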