feat: enable CSV injector in NamespaceScope CR (#92)

* feat: enable CSV injector in NamespaceScope CR

In order to make the NamespaceScope operator can be used in more situations, it should have the capability to patch CSVs of Operators to convert them can be managed by the NamespaceScope operator.

"csvInjector.enable" is used to control if the NamespaceScope operator will patch the CSVs of specific operators. The default value is false.

* Fix typo

Author: horis233

README.md

@@ -1,4 +1,4 @@
-# NamspaceScope - Manage operator and operand authority across namespaces
+# namespaceScope - Manage operator and operand authority across namespaces
 
 This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster.
 
@@ -20,7 +20,7 @@ spec:
   # ConfigMap name that will contain the list of namespaces to be watched
   configmapName: namespace-scope
 
-  # Restart pods with the following labels when the namspace list changes
+  # Restart pods with the following labels when the namespace list changes
   restartLabels:
     intent: projected
   ```

api/v1/namespacescope_types.go

@@ -20,13 +20,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // NamespaceScopeSpec defines the desired state of NamespaceScope
 type NamespaceScopeSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
 
 	// Namespaces that are part of this scope
 	NamespaceMembers []string `json:"namespaceMembers,omitempty"`
@@ -37,20 +32,29 @@ type NamespaceScopeSpec struct {
 	// ConfigMap name that will contain the list of namespaces to be watched
 	ConfigmapName string `json:"configmapName,omitempty"`
 
-	// Restart pods with the following labels when the namspace list changes
+	// Restart pods with the following labels when the namespace list changes
 	RestartLabels map[string]string `json:"restartLabels,omitempty"`
 
-	// Set the following to true to manaually manage permissions for the NamespaceScope operator to extend control over other namespaces
+	// Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces
 	// The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the
 	// authorize-namespace command.
 	ManualManagement bool `json:"manualManagement,omitempty"`
+
+	// When CSVInjector is enabled, operator will inject the watch namespace list into operator csv.
+	CSVInjector CSVInjector `json:"csvInjector,omitempty"`
+}
+
+// CSVInjector manages if operator will insert labels and WATCH_NAMESPACES in CSV automatically
+type CSVInjector struct {
+	Enable bool `json:"enable"`
 }
 
 // NamespaceScopeStatus defines the observed state of NamespaceScope
 type NamespaceScopeStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
 	ValidatedMembers []string `json:"validatedMembers,omitempty"`
+
+	ManagedCSVList []string `json:"managedCSVList,omitempty"`
+	PatchedCSVList []string `json:"patchedCSVList,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v1/zz_generated.deepcopy.go

@@ -1,8 +1,8 @@
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
   name: namespacescopes.operator.ibm.com
 spec:
@@ -15,60 +15,74 @@ spec:
     - nss
     singular: namespacescope
   scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: NamespaceScope is the Schema for the namespacescopes API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: NamespaceScopeSpec defines the desired state of NamespaceScope
-          properties:
-            configmapName:
-              description: ConfigMap name that will contain the list of namespaces to be watched
-              type: string
-            manualManagement:
-              description: Set the following to true to manaually manage permissions for the NamespaceScope operator to extend control over other namespaces The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the authorize-namespace command.
-              type: boolean
-            namespaceMembers:
-              description: Namespaces that are part of this scope
-              items:
-                type: string
-              type: array
-            restartLabels:
-              additionalProperties:
-                type: string
-              description: Restart pods with the following labels when the namspace list changes
-              type: object
-            serviceAccountMembers:
-              description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
-              items:
-                type: string
-              type: array
-          type: object
-        status:
-          description: NamespaceScopeStatus defines the observed state of NamespaceScope
-          properties:
-            validatedMembers:
-              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
-              items:
-                type: string
-              type: array
-          type: object
-      type: object
-  version: v1
   versions:
   - name: v1
+    schema:
+      openAPIV3Schema:
+        description: NamespaceScope is the Schema for the namespacescopes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NamespaceScopeSpec defines the desired state of NamespaceScope
+            properties:
+              configmapName:
+                description: ConfigMap name that will contain the list of namespaces to be watched
+                type: string
+              csvInjector:
+                description: When CSVInjector is enabled, operator will inject the watch namespace list into operator csv.
+                properties:
+                  enable:
+                    type: boolean
+                required:
+                - enable
+                type: object
+              manualManagement:
+                description: Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the authorize-namespace command.
+                type: boolean
+              namespaceMembers:
+                description: Namespaces that are part of this scope
+                items:
+                  type: string
+                type: array
+              restartLabels:
+                additionalProperties:
+                  type: string
+                description: Restart pods with the following labels when the namespace list changes
+                type: object
+              serviceAccountMembers:
+                description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
+                items:
+                  type: string
+                type: array
+            type: object
+          status:
+            description: NamespaceScopeStatus defines the observed state of NamespaceScope
+            properties:
+              managedCSVList:
+                items:
+                  type: string
+                type: array
+              patchedCSVList:
+                items:
+                  type: string
+                type: array
+              validatedMembers:
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

bundle-restricted/manifests/operator.ibm.com_namespacescopes.yaml

@@ -1,8 +1,8 @@
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
   name: namespacescopes.operator.ibm.com
 spec:
@@ -15,60 +15,74 @@ spec:
     - nss
     singular: namespacescope
   scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: NamespaceScope is the Schema for the namespacescopes API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: NamespaceScopeSpec defines the desired state of NamespaceScope
-          properties:
-            configmapName:
-              description: ConfigMap name that will contain the list of namespaces to be watched
-              type: string
-            manualManagement:
-              description: Set the following to true to manaually manage permissions for the NamespaceScope operator to extend control over other namespaces The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the authorize-namespace command.
-              type: boolean
-            namespaceMembers:
-              description: Namespaces that are part of this scope
-              items:
-                type: string
-              type: array
-            restartLabels:
-              additionalProperties:
-                type: string
-              description: Restart pods with the following labels when the namspace list changes
-              type: object
-            serviceAccountMembers:
-              description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
-              items:
-                type: string
-              type: array
-          type: object
-        status:
-          description: NamespaceScopeStatus defines the observed state of NamespaceScope
-          properties:
-            validatedMembers:
-              description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
-              items:
-                type: string
-              type: array
-          type: object
-      type: object
-  version: v1
   versions:
   - name: v1
+    schema:
+      openAPIV3Schema:
+        description: NamespaceScope is the Schema for the namespacescopes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NamespaceScopeSpec defines the desired state of NamespaceScope
+            properties:
+              configmapName:
+                description: ConfigMap name that will contain the list of namespaces to be watched
+                type: string
+              csvInjector:
+                description: When CSVInjector is enabled, operator will inject the watch namespace list into operator csv.
+                properties:
+                  enable:
+                    type: boolean
+                required:
+                - enable
+                type: object
+              manualManagement:
+                description: Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the authorize-namespace command.
+                type: boolean
+              namespaceMembers:
+                description: Namespaces that are part of this scope
+                items:
+                  type: string
+                type: array
+              restartLabels:
+                additionalProperties:
+                  type: string
+                description: Restart pods with the following labels when the namespace list changes
+                type: object
+              serviceAccountMembers:
+                description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
+                items:
+                  type: string
+                type: array
+            type: object
+          status:
+            description: NamespaceScopeStatus defines the observed state of NamespaceScope
+            properties:
+              managedCSVList:
+                items:
+                  type: string
+                type: array
+              patchedCSVList:
+                items:
+                  type: string
+                type: array
+              validatedMembers:
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""