Check capabilities before watching OLM resource

Only try to watch subscriptions and installplans if the "marketplace"
and "OperatorLifecycleManager" capabilities are enabled.

If the "OperatorLifecycleManager" capability is not enabled, the
installplans and subscriptions resources do not exist, and if the
"marketplace" capability is not enabled, the default catalog does not
exist.  Before this commit, the operator would fail to initialize when
these capabilities were not enabled as the status and gatewayclass
controllers would try and fail to watch the non-existent resources.

This commit fixes OCPBUGS-55317

https://issues.redhat.com/browse/OCPBUGS-55317

* pkg/operator/controller/gatewayapi/controller.go (Config): Add
MarketplaceEnabled and OperatorLifecycleManagerEnabled fields to
indicate whether the associated capabilities are enabled.
(Reconcile): Don't enable dependent controllers if the marketplace and
OLM capabilities are not enabled.
* pkg/operator/controller/gatewayapi/controller_test.go
(Test_Reconcile): Add a test case in which the featuregates are enabled
but the marketplace and OLM capabilities are not enabled.  Indicate that
the capabilities are enabled for the existing test cases.
(TestReconcileOnlyStartsControllerOnce): Set MarketplaceEnabled and
OperatorLifecycleManagerEnabled to true for the test.
* pkg/operator/controller/status/controller.go (New): Only watch
subscriptions if the required capabilities are enabled.
(Config): Add MarketplaceEnabled and OperatorLifecycleManagerEnabled
fields.
(getOperatorState): Only try to get the subscription if the required
capabilities are enabled.
* pkg/operator/operator.go (New): Read the capabilities from the cluster
ClusterVersion, and set the MarketplaceEnabled and
OperatorLifecycleManagerEnabled fields in the status controller's and
gatewayapi controller's configs accordingly.

Author: Miciah

pkg/operator/controller/gatewayapi/controller.go

@@ -104,6 +104,12 @@ type Config struct {
 	GatewayAPIEnabled bool
 	// GatewayAPIControllerEnabled indicates that the "GatewayAPIController" featuregate is enabled.
 	GatewayAPIControllerEnabled bool
+	// MarketplaceEnabled indicates whether the "marketplace" capability is
+	// enabled.
+	MarketplaceEnabled bool
+	// OperatorLifecycleManagerEnabled indicates whether the
+	// "OperatorLifecycleManager" capability is enabled.
+	OperatorLifecycleManagerEnabled bool
 
 	// DependentControllers is a list of controllers that watch Gateway API
 	// resources.  The gatewayapi controller starts these controllers once
@@ -148,6 +154,16 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		return reconcile.Result{}, nil
 	}
 
+	// The subscriptions resource only exists if the
+	// "OperatorLifecycleManager" capability is enabled, and the default
+	// catalog only exists if the "marketplace" capability is enabled.  We
+	// cannot install OSSM if the subscriptions resource or default catalog
+	// does not exist, and accordingly, we should not start these
+	// controllers if the capabilities are not enabled.
+	if !r.config.MarketplaceEnabled || !r.config.OperatorLifecycleManagerEnabled {
+		return reconcile.Result{}, nil
+	}
+
 	r.startControllers.Do(func() {
 		for i := range r.config.DependentControllers {
 			c := &r.config.DependentControllers[i]

pkg/operator/controller/gatewayapi/controller_test.go

@@ -57,6 +57,8 @@ func Test_Reconcile(t *testing.T) {
 		name                        string
 		gatewayAPIEnabled           bool
 		gatewayAPIControllerEnabled bool
+		marketplaceEnabled          bool
+		olmEnabled                  bool
 		existingObjects             []runtime.Object
 		// existingStatusSubresource contains the original version of objects
 		// whose status will updated by Reconcile function.
@@ -72,8 +74,10 @@ func Test_Reconcile(t *testing.T) {
 		expectStartCtrl    bool
 	}{
 		{
-			name:              "gateway API disabled",
-			gatewayAPIEnabled: false,
+			name:               "gateway API disabled",
+			gatewayAPIEnabled:  false,
+			marketplaceEnabled: true,
+			olmEnabled:         true,
 			existingObjects: []runtime.Object{
 				co("ingress"),
 			},
@@ -86,6 +90,8 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "gateway API enabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			marketplaceEnabled:          true,
+			olmEnabled:                  true,
 			existingObjects: []runtime.Object{
 				co("ingress"),
 			},
@@ -106,6 +112,30 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "gateway API enabled, gateway API controller disabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: false,
+			marketplaceEnabled:          true,
+			olmEnabled:                  true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
+			},
+			expectUpdate:    []client.Object{},
+			expectDelete:    []client.Object{},
+			expectStartCtrl: false,
+		},
+		{
+			name:                        "GatewayAPI enabled, GatewayAPIController enabled, marketplace and OLM capabilities disabled",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			marketplaceEnabled:          false,
+			olmEnabled:                  false,
 			existingObjects: []runtime.Object{
 				co("ingress"),
 			},
@@ -126,6 +156,8 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "unmanaged gateway API CRDs created",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			marketplaceEnabled:          true,
+			olmEnabled:                  true,
 			existingObjects: []runtime.Object{
 				co("ingress"),
 				crd("listenersets.gateway.networking.x-k8s.io"),
@@ -154,6 +186,8 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "unmanaged gateway API CRDs removed",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			marketplaceEnabled:          true,
+			olmEnabled:                  true,
 			existingObjects: []runtime.Object{
 				coWithExtension("ingress", `{"unmanagedGatewayAPICRDNames":"listenersets.gateway.networking.x-k8s.io"}`),
 			},
@@ -180,6 +214,8 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "third party CRDs",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			marketplaceEnabled:          true,
+			olmEnabled:                  true,
 			existingObjects: []runtime.Object{
 				co("ingress"),
 				crd("thirdpartycrd1.openshift.io"),
@@ -241,9 +277,11 @@ func Test_Reconcile(t *testing.T) {
 				client: cl,
 				cache:  cache,
 				config: Config{
-					GatewayAPIEnabled:           tc.gatewayAPIEnabled,
-					GatewayAPIControllerEnabled: tc.gatewayAPIControllerEnabled,
-					DependentControllers:        []controller.Controller{ctrl},
+					GatewayAPIEnabled:               tc.gatewayAPIEnabled,
+					GatewayAPIControllerEnabled:     tc.gatewayAPIControllerEnabled,
+					MarketplaceEnabled:              tc.marketplaceEnabled,
+					OperatorLifecycleManagerEnabled: tc.olmEnabled,
+					DependentControllers:            []controller.Controller{ctrl},
 				},
 			}
 			req := reconcile.Request{
@@ -316,9 +354,11 @@ func TestReconcileOnlyStartsControllerOnce(t *testing.T) {
 		client: cl,
 		cache:  cache,
 		config: Config{
-			GatewayAPIEnabled:           true,
-			GatewayAPIControllerEnabled: true,
-			DependentControllers:        []controller.Controller{ctrl},
+			GatewayAPIEnabled:               true,
+			GatewayAPIControllerEnabled:     true,
+			MarketplaceEnabled:              true,
+			OperatorLifecycleManagerEnabled: true,
+			DependentControllers:            []controller.Controller{ctrl},
 		},
 	}
 	req := reconcile.Request{NamespacedName: types.NamespacedName{Name: "cluster"}}

pkg/operator/controller/status/controller.go

@@ -99,7 +99,15 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 		return nil, err
 	}
 
-	if config.GatewayAPIEnabled {
+	// If the "GatewayAPI" controller featuregate is enabled, watch
+	// subscriptions so that this controller can update status when the OSSM
+	// subscription is created or updated.  Note that the subscriptions
+	// resource only exists if the "OperatorLifecycleManager" capability is
+	// enabled, so we cannot watch it if the capability is not enabled.
+	// Additionally, the default catalog only exists if the "marketplace"
+	// capability is enabled, so we cannot install OSSM without that
+	// capability.
+	if config.GatewayAPIEnabled && config.MarketplaceEnabled && config.OperatorLifecycleManagerEnabled {
 		if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{}, handler.EnqueueRequestsFromMapFunc(toDefaultIngressController), predicate.Funcs{
 			CreateFunc: func(e event.CreateEvent) bool {
 				return e.Object.GetNamespace() == operatorcontroller.OpenshiftOperatorNamespace
@@ -124,11 +132,17 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 // Config holds all the things necessary for the controller to run.
 type Config struct {
 	// GatewayAPIEnabled indicates that the "GatewayAPI" featuregate is enabled.
-	GatewayAPIEnabled      bool
-	IngressControllerImage string
-	CanaryImage            string
-	OperatorReleaseVersion string
-	Namespace              string
+	GatewayAPIEnabled bool
+	// MarketplaceEnabled indicates whether the "marketplace" capability is
+	// enabled.
+	MarketplaceEnabled bool
+	// OperatorLifecycleManagerEnabled indicates whether the
+	// "OperatorLifecycleManager" capability is enabled.
+	OperatorLifecycleManagerEnabled bool
+	IngressControllerImage          string
+	CanaryImage                     string
+	OperatorReleaseVersion          string
+	Namespace                       string
 }
 
 // IngressOperatorStatusExtension holds status extensions of the ingress cluster operator.
@@ -338,14 +352,17 @@ func (r *reconciler) getOperatorState(ingressNamespace, canaryNamespace string,
 	}
 
 	if r.config.GatewayAPIEnabled {
-		var subscription operatorsv1alpha1.Subscription
-		subscriptionName := operatorcontroller.ServiceMeshOperatorSubscriptionName()
-		if err := r.cache.Get(context.TODO(), subscriptionName, &subscription); err != nil {
-			if !errors.IsNotFound(err) {
-				return state, fmt.Errorf("failed to get subscription %q: %v", subscriptionName, err)
+		if r.config.MarketplaceEnabled && r.config.OperatorLifecycleManagerEnabled {
+			var subscription operatorsv1alpha1.Subscription
+			subscriptionName := operatorcontroller.ServiceMeshOperatorSubscriptionName()
+			if err := r.cache.Get(context.TODO(), subscriptionName, &subscription); err != nil {
+				if !errors.IsNotFound(err) {
+					return state, fmt.Errorf("failed to get subscription %q: %v", subscriptionName, err)
+				}
+			} else {
+				state.haveOSSMSubscription = true
+
 			}
-		} else {
-			state.haveOSSMSubscription = true
 		}
 
 		if len(co.Status.Extension.Raw) > 0 {

pkg/operator/operator.go

@@ -46,6 +46,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/retry"
@@ -140,6 +141,17 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 	ingressControllerDCMEnabled := featureGates.Enabled(features.FeatureGateIngressControllerDynamicConfigurationManager)
 	gcpCustomEndpointsEnabled := featureGates.Enabled(features.FeatureGateGCPCustomAPIEndpoints)
 
+	cv, err := configClient.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed fetching clusterversion: %w", err)
+	}
+	enabledCapabilities := sets.New[configv1.ClusterVersionCapability]()
+	for _, cap := range cv.Status.Capabilities.EnabledCapabilities {
+		enabledCapabilities.Insert(cap)
+	}
+	marketplaceEnabled := enabledCapabilities.Has(configv1.ClusterVersionCapabilityMarketplace)
+	olmEnabled := enabledCapabilities.Has(configv1.ClusterVersionCapabilityOperatorLifecycleManager)
+
 	// Set up an operator manager for the operator namespace.
 	mgr, err := manager.New(kubeConfig, manager.Options{
 		Scheme: scheme,
@@ -208,11 +220,13 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 
 	// Set up the status controller.
 	if _, err := statuscontroller.New(mgr, statuscontroller.Config{
-		Namespace:              config.Namespace,
-		IngressControllerImage: config.IngressControllerImage,
-		CanaryImage:            config.CanaryImage,
-		OperatorReleaseVersion: config.OperatorReleaseVersion,
-		GatewayAPIEnabled:      gatewayAPIEnabled,
+		Namespace:                       config.Namespace,
+		IngressControllerImage:          config.IngressControllerImage,
+		CanaryImage:                     config.CanaryImage,
+		OperatorReleaseVersion:          config.OperatorReleaseVersion,
+		GatewayAPIEnabled:               gatewayAPIEnabled,
+		MarketplaceEnabled:              marketplaceEnabled,
+		OperatorLifecycleManagerEnabled: olmEnabled,
 	}); err != nil {
 		return nil, fmt.Errorf("failed to create status controller: %v", err)
 	}
@@ -324,8 +338,10 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 
 	// Set up the gatewayapi controller.
 	if _, err := gatewayapicontroller.New(mgr, gatewayapicontroller.Config{
-		GatewayAPIEnabled:           gatewayAPIEnabled,
-		GatewayAPIControllerEnabled: gatewayAPIControllerEnabled,
+		GatewayAPIEnabled:               gatewayAPIEnabled,
+		GatewayAPIControllerEnabled:     gatewayAPIControllerEnabled,
+		MarketplaceEnabled:              marketplaceEnabled,
+		OperatorLifecycleManagerEnabled: olmEnabled,
 		DependentControllers: []controller.Controller{
 			gatewayClassController,
 			gatewayServiceDNSController,