Check the hosting cluster vendor when in hosted mode

When the hosting cluster is not OpenShift, OpenShift configuration should not
be enabled on the hosting cluster, regardless of if the hosted cluster
is OpenShift.

Relates:
https://issues.redhat.com/browse/ACM-13204

Signed-off-by: mprahl <[email protected]>

Author: mprahl

pkg/addon/common.go

@@ -135,6 +135,24 @@ func NewRegistrationOption(
 	}
 }
 
+func GetClusterVendor(cluster *clusterv1.ManagedCluster) string {
+	var vendor string
+	// Don't just set it to the value in the label, it might be something like "auto-detect"
+	if cluster.Labels["vendor"] == "OpenShift" {
+		vendor = "OpenShift"
+	}
+
+	for _, cc := range cluster.Status.ClusterClaims {
+		if cc.Name == "product.open-cluster-management.io" {
+			vendor = cc.Value
+
+			break
+		}
+	}
+
+	return vendor
+}
+
 func GetAndAddAgent(
 	ctx context.Context,
 	mgr addonmanager.AddonManager,

pkg/addon/configpolicy/agent_addon.go

@@ -8,12 +8,14 @@ import (
 	"strconv"
 
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"open-cluster-management.io/addon-framework/pkg/addonfactory"
 	"open-cluster-management.io/addon-framework/pkg/addonmanager"
 	"open-cluster-management.io/addon-framework/pkg/agent"
 	"open-cluster-management.io/addon-framework/pkg/utils"
 	addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
 	addonv1alpha1client "open-cluster-management.io/api/client/addon/clientset/versioned"
+	clusterv1client "open-cluster-management.io/api/client/cluster/clientset/versioned"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -39,11 +41,12 @@ type UserArgs struct {
 }
 
 type UserValues struct {
-	GlobalValues           policyaddon.GlobalValues `json:"global,"`
-	KubernetesDistribution string                   `json:"kubernetesDistribution"`
-	Prometheus             map[string]interface{}   `json:"prometheus"`
-	OperatorPolicy         map[string]interface{}   `json:"operatorPolicy"`
-	UserArgs               UserArgs                 `json:"args,"`
+	GlobalValues                  policyaddon.GlobalValues `json:"global,"`
+	KubernetesDistribution        string                   `json:"kubernetesDistribution"`
+	HostingKubernetesDistribution string                   `json:"hostingKubernetesDistribution"`
+	Prometheus                    map[string]interface{}   `json:"prometheus"`
+	OperatorPolicy                map[string]interface{}   `json:"operatorPolicy"`
+	UserArgs                      UserArgs                 `json:"args,"`
 }
 
 // FS go:embed
@@ -60,138 +63,145 @@ var agentPermissionFiles = []string{
 	"manifests/hubpermissions/rolebinding.yaml",
 }
 
-func getValues(cluster *clusterv1.ManagedCluster,
-	addon *addonapiv1alpha1.ManagedClusterAddOn,
+func getValues(ctx context.Context, clusterClient *clusterv1client.Clientset) func(*clusterv1.ManagedCluster,
+	*addonapiv1alpha1.ManagedClusterAddOn,
 ) (addonfactory.Values, error) {
-	userValues := UserValues{
-		GlobalValues: policyaddon.GlobalValues{
-			ImagePullPolicy: "IfNotPresent",
-			ImagePullSecret: "open-cluster-management-image-pull-credentials",
-			ImageOverrides: map[string]string{
-				"config_policy_controller": os.Getenv("CONFIG_POLICY_CONTROLLER_IMAGE"),
+	return func(
+		cluster *clusterv1.ManagedCluster, addon *addonapiv1alpha1.ManagedClusterAddOn,
+	) (addonfactory.Values, error) {
+		userValues := UserValues{
+			GlobalValues: policyaddon.GlobalValues{
+				ImagePullPolicy: "IfNotPresent",
+				ImagePullSecret: "open-cluster-management-image-pull-credentials",
+				ImageOverrides: map[string]string{
+					"config_policy_controller": os.Getenv("CONFIG_POLICY_CONTROLLER_IMAGE"),
+				},
+				ProxyConfig: map[string]string{
+					"HTTP_PROXY":  "",
+					"HTTPS_PROXY": "",
+					"NO_PROXY":    "",
+				},
 			},
-			ProxyConfig: map[string]string{
-				"HTTP_PROXY":  "",
-				"HTTPS_PROXY": "",
-				"NO_PROXY":    "",
+			Prometheus:     map[string]interface{}{},
+			OperatorPolicy: map[string]interface{}{},
+			UserArgs: UserArgs{
+				UserArgs: policyaddon.UserArgs{
+					LogEncoder:  "console",
+					LogLevel:    0,
+					PkgLogLevel: -1,
+				},
+				// Defaults from `values.yaml` will be used if these stay at 0.
+				EvaluationConcurrency: 0,
+				ClientQPS:             0, // will be set based on concurrency if not explicitly set
+				ClientBurst:           0, // will be set based on concurrency if not explicitly set
 			},
-		},
-		Prometheus:     map[string]interface{}{},
-		OperatorPolicy: map[string]interface{}{},
-		UserArgs: UserArgs{
-			UserArgs: policyaddon.UserArgs{
-				LogEncoder:  "console",
-				LogLevel:    0,
-				PkgLogLevel: -1,
-			},
-			// Defaults from `values.yaml` will be used if these stay at 0.
-			EvaluationConcurrency: 0,
-			ClientQPS:             0, // will be set based on concurrency if not explicitly set
-			ClientBurst:           0, // will be set based on concurrency if not explicitly set
-		},
-	}
+		}
 
-	// Don't just set it to the value in the label, it might be something like "auto-detect"
-	if cluster.Labels["vendor"] == "OpenShift" {
-		userValues.KubernetesDistribution = "OpenShift"
-	}
+		userValues.KubernetesDistribution = policyaddon.GetClusterVendor(cluster)
 
-	for _, cc := range cluster.Status.ClusterClaims {
-		if cc.Name == "product.open-cluster-management.io" {
-			userValues.KubernetesDistribution = cc.Value
+		hostingClusterName := addon.Annotations["addon.open-cluster-management.io/hosting-cluster-name"]
+		if hostingClusterName != "" {
+			hostingCluster, err := clusterClient.ClusterV1().ManagedClusters().Get(
+				ctx, hostingClusterName, metav1.GetOptions{},
+			)
+			if err != nil {
+				return nil, err
+			}
 
-			break
+			userValues.HostingKubernetesDistribution = policyaddon.GetClusterVendor(hostingCluster)
+		} else {
+			userValues.HostingKubernetesDistribution = userValues.KubernetesDistribution
 		}
-	}
 
-	// Enable Prometheus metrics by default on OpenShift
-	userValues.Prometheus["enabled"] = userValues.KubernetesDistribution == "OpenShift"
+		// Enable Prometheus metrics by default on OpenShift
+		userValues.Prometheus["enabled"] = userValues.HostingKubernetesDistribution == "OpenShift"
 
-	// Disable OperatorPolicy if the cluster is not on OpenShift version 4.y
-	userValues.OperatorPolicy["disabled"] = cluster.Labels["openshiftVersion-major"] != "4"
+		// Disable OperatorPolicy if the cluster is not on OpenShift version 4.y
+		userValues.OperatorPolicy["disabled"] = cluster.Labels["openshiftVersion-major"] != "4"
 
-	// Set the default namespace for OperatorPolicy for OpenShift 4
-	if cluster.Labels["openshiftVersion-major"] == "4" {
-		userValues.OperatorPolicy["defaultNamespace"] = "openshift-operators"
-	}
+		// Set the default namespace for OperatorPolicy for OpenShift 4
+		if cluster.Labels["openshiftVersion-major"] == "4" {
+			userValues.OperatorPolicy["defaultNamespace"] = "openshift-operators"
+		}
 
-	annotations := addon.GetAnnotations()
+		annotations := addon.GetAnnotations()
 
-	if val, ok := annotations[policyaddon.PolicyLogLevelAnnotation]; ok {
-		logLevel := policyaddon.GetLogLevel(addonName, val)
-		userValues.UserArgs.UserArgs.LogLevel = logLevel
-		userValues.UserArgs.UserArgs.PkgLogLevel = logLevel - 2
-	}
+		if val, ok := annotations[policyaddon.PolicyLogLevelAnnotation]; ok {
+			logLevel := policyaddon.GetLogLevel(addonName, val)
+			userValues.UserArgs.UserArgs.LogLevel = logLevel
+			userValues.UserArgs.UserArgs.PkgLogLevel = logLevel - 2
+		}
 
-	if val, ok := annotations[evaluationConcurrencyAnnotation]; ok {
-		value, err := strconv.ParseUint(val, 10, 8)
-		if err != nil {
-			log.Error(err, fmt.Sprintf(
-				"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
-				evaluationConcurrencyAnnotation, val, addonName, userValues.UserArgs.EvaluationConcurrency),
-			)
-		} else {
-			// This is safe because we specified the uint8 in ParseUint
-			userValues.UserArgs.EvaluationConcurrency = uint8(value)
+		if val, ok := annotations[evaluationConcurrencyAnnotation]; ok {
+			value, err := strconv.ParseUint(val, 10, 8)
+			if err != nil {
+				log.Error(err, fmt.Sprintf(
+					"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
+					evaluationConcurrencyAnnotation, val, addonName, userValues.UserArgs.EvaluationConcurrency),
+				)
+			} else {
+				// This is safe because we specified the uint8 in ParseUint
+				userValues.UserArgs.EvaluationConcurrency = uint8(value)
+			}
 		}
-	}
 
-	if val, ok := annotations[clientQPSAnnotation]; ok {
-		value, err := strconv.ParseUint(val, 10, 8)
-		if err != nil {
-			log.Error(err, fmt.Sprintf(
-				"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
-				clientQPSAnnotation, val, addonName, userValues.UserArgs.ClientQPS),
-			)
-		} else {
-			// This is safe because we specified the uint8 in ParseUint
-			userValues.UserArgs.ClientQPS = uint8(value)
+		if val, ok := annotations[clientQPSAnnotation]; ok {
+			value, err := strconv.ParseUint(val, 10, 8)
+			if err != nil {
+				log.Error(err, fmt.Sprintf(
+					"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
+					clientQPSAnnotation, val, addonName, userValues.UserArgs.ClientQPS),
+				)
+			} else {
+				// This is safe because we specified the uint8 in ParseUint
+				userValues.UserArgs.ClientQPS = uint8(value)
+			}
+		} else { // not set explicitly
+			userValues.UserArgs.ClientQPS = userValues.UserArgs.EvaluationConcurrency * 15
 		}
-	} else { // not set explicitly
-		userValues.UserArgs.ClientQPS = userValues.UserArgs.EvaluationConcurrency * 15
-	}
 
-	if val, ok := annotations[clientBurstAnnotation]; ok {
-		value, err := strconv.ParseUint(val, 10, 8)
-		if err != nil {
-			log.Error(err, fmt.Sprintf(
-				"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
-				clientBurstAnnotation, val, addonName, userValues.UserArgs.ClientBurst),
-			)
-		} else {
-			// This is safe because we specified the uint8 in ParseUint
-			userValues.UserArgs.ClientBurst = uint8(value)
+		if val, ok := annotations[clientBurstAnnotation]; ok {
+			value, err := strconv.ParseUint(val, 10, 8)
+			if err != nil {
+				log.Error(err, fmt.Sprintf(
+					"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %d)",
+					clientBurstAnnotation, val, addonName, userValues.UserArgs.ClientBurst),
+				)
+			} else {
+				// This is safe because we specified the uint8 in ParseUint
+				userValues.UserArgs.ClientBurst = uint8(value)
+			}
+		} else if userValues.UserArgs.EvaluationConcurrency != 0 {
+			// only scale with concurrency if concurrency was set.
+			userValues.UserArgs.ClientBurst = userValues.UserArgs.EvaluationConcurrency*22 + 1
 		}
-	} else if userValues.UserArgs.EvaluationConcurrency != 0 {
-		// only scale with concurrency if concurrency was set.
-		userValues.UserArgs.ClientBurst = userValues.UserArgs.EvaluationConcurrency*22 + 1
-	}
 
-	if val, ok := annotations[prometheusEnabledAnnotation]; ok {
-		valBool, err := strconv.ParseBool(val)
-		if err != nil {
-			log.Error(err, fmt.Sprintf(
-				"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %v)",
-				prometheusEnabledAnnotation, val, addonName, userValues.Prometheus["enabled"]),
-			)
-		} else {
-			userValues.Prometheus["enabled"] = valBool
+		if val, ok := annotations[prometheusEnabledAnnotation]; ok {
+			valBool, err := strconv.ParseBool(val)
+			if err != nil {
+				log.Error(err, fmt.Sprintf(
+					"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %v)",
+					prometheusEnabledAnnotation, val, addonName, userValues.Prometheus["enabled"]),
+				)
+			} else {
+				userValues.Prometheus["enabled"] = valBool
+			}
 		}
-	}
 
-	if val, ok := annotations[operatorPolicyDisabledAnnotation]; ok {
-		valBool, err := strconv.ParseBool(val)
-		if err != nil {
-			log.Error(err, fmt.Sprintf(
-				"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %v)",
-				operatorPolicyDisabledAnnotation, val, addonName, userValues.OperatorPolicy["disabled"]),
-			)
-		} else {
-			userValues.OperatorPolicy["disabled"] = valBool
+		if val, ok := annotations[operatorPolicyDisabledAnnotation]; ok {
+			valBool, err := strconv.ParseBool(val)
+			if err != nil {
+				log.Error(err, fmt.Sprintf(
+					"Failed to verify '%s' annotation value '%s' for component %s (falling back to default value %v)",
+					operatorPolicyDisabledAnnotation, val, addonName, userValues.OperatorPolicy["disabled"]),
+				)
+			} else {
+				userValues.OperatorPolicy["disabled"] = valBool
+			}
 		}
-	}
 
-	return addonfactory.JsonStructToValues(userValues)
+		return addonfactory.JsonStructToValues(userValues)
+	}
 }
 
 // mandateValues sets deployment variables regardless of user overrides. As a result, caution should
@@ -239,7 +249,7 @@ func GetAgentAddon(ctx context.Context, controllerContext *controllercmd.Control
 				addonfactory.ToAddOnNodePlacementValues,
 				addonfactory.ToAddOnCustomizedVariableValues,
 			),
-			getValues,
+			getValues(ctx, clusterClient),
 			addonfactory.GetValuesFromAddonAnnotation,
 			mandateValues,
 		).

pkg/addon/configpolicy/manifests/managedclusterchart/templates/auth_cluster_role.yaml

@@ -2,7 +2,7 @@
 # Note that this only needs to be created in hosted mode since the controller has all permissions on the managed
 # cluster.
 
-{{- if and (eq .Values.installMode "Hosted") .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+{{- if and (eq .Values.installMode "Hosted") .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

pkg/addon/configpolicy/manifests/managedclusterchart/templates/auth_cluster_role_binding.yaml

@@ -2,7 +2,7 @@
 # Note that this only needs to be created in hosted mode since the controller has all permissions on the managed
 # cluster.
 
-{{- if and (eq .Values.installMode "Hosted") .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+{{- if and (eq .Values.installMode "Hosted") .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml

@@ -51,7 +51,7 @@ spec:
           - --client-max-qps={{ .Values.args.clientQPS }}
           - --client-burst={{ .Values.args.clientBurst }}
           - --health-probe-bind-address=:8081
-          {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+          {{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
           - --secure-metrics=true
           - --metrics-bind-address=0.0.0.0:8443
           {{- else if .Values.prometheus.enabled }}
@@ -114,7 +114,7 @@ spec:
           failureThreshold: 30
           periodSeconds: 10
         {{- end }}
-        {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+        {{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
         ports:
         - name: metrics
           protocol: TCP
@@ -127,7 +127,7 @@ spec:
         {{- end }}
         resources: {{- toYaml .Values.resources | nindent 10 }}
         volumeMounts:
-          {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+          {{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
           - mountPath: "/var/run/metrics-cert"
             name: metrics-cert
             readOnly: true
@@ -155,7 +155,7 @@ spec:
           secret:
             secretName: {{ .Values.managedKubeConfigSecret }}
         {{- end }}
-        {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+        {{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
         - name: metrics-cert
           secret:
             secretName: {{ include "controller.fullname" . }}-metrics

pkg/addon/configpolicy/manifests/managedclusterchart/templates/install-namespace.yaml

@@ -8,7 +8,7 @@ metadata:
     addon.open-cluster-management.io/namespace: "true"
     addon.open-cluster-management.io/hosted-manifest-location: hosting
     {{- end }}
-    {{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+    {{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
     openshift.io/cluster-monitoring: "true"
     {{- end }}
   {{- if or (eq .Release.Namespace "open-cluster-management-agent-addon") (eq (.Release.Namespace | trimPrefix "klusterlet-") .Values.clusterName) }}

pkg/addon/configpolicy/manifests/managedclusterchart/templates/monitoring_role.yaml

@@ -1,6 +1,6 @@
 # Copyright Contributors to the Open Cluster Management project
 
-{{- if and .Values.prometheus.enabled (eq .Values.kubernetesDistribution "OpenShift") }}
+{{- if and .Values.prometheus.enabled (eq .Values.hostingKubernetesDistribution "OpenShift") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata: