Merge pull request #1112 from rfredette/gwapi-subscription

NE-1907: Manage OSSM operator subscription manually to ensure a compatible version is installed

Author: openshift-merge-bot[bot]

cmd/ingress-operator/start.go

@@ -32,7 +32,9 @@ import (
 const (
 	// defaultTrustedCABundle is the fully qualified path of the trusted CA bundle
 	// that is mounted from configmap openshift-ingress-operator/trusted-ca.
-	defaultTrustedCABundle = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+	defaultTrustedCABundle           = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+	defaultGatewayAPIOperatorChannel = "stable"
+	defaultGatewayAPIOperatorVersion = "servicemeshoperator.v2.6.2"
 )
 
 type StartOptions struct {
@@ -51,6 +53,10 @@ type StartOptions struct {
 	CanaryImage string
 	// ReleaseVersion is the cluster version which the operator will converge to.
 	ReleaseVersion string
+	// GatewayAPIOperatorChannel is the release channel of the Gateway API implementation to install.
+	GatewayAPIOperatorChannel string
+	// GatewayAPIOperatorVersion is the name and release of the Gateway API implementation to install.
+	GatewayAPIOperatorVersion string
 }
 
 func NewStartCommand() *cobra.Command {
@@ -74,6 +80,8 @@ func NewStartCommand() *cobra.Command {
 	cmd.Flags().StringVarP(&options.ReleaseVersion, "release-version", "", statuscontroller.UnknownVersionValue, "the release version the operator should converge to (required)")
 	cmd.Flags().StringVarP(&options.MetricsListenAddr, "metrics-listen-addr", "", "127.0.0.1:60000", "metrics endpoint listen address (required)")
 	cmd.Flags().StringVarP(&options.ShutdownFile, "shutdown-file", "s", defaultTrustedCABundle, "if provided, shut down the operator when this file changes")
+	cmd.Flags().StringVarP(&options.GatewayAPIOperatorChannel, "gateway-api-operator-channel", "", defaultGatewayAPIOperatorChannel, "release channel of the Gateway API implementation to install")
+	cmd.Flags().StringVarP(&options.GatewayAPIOperatorVersion, "gateway-api-operator-version", "", defaultGatewayAPIOperatorVersion, "name and release of the Gateway API implementation to install")
 
 	if err := cmd.MarkFlagRequired("namespace"); err != nil {
 		panic(err)
@@ -118,10 +126,12 @@ func start(opts *StartOptions) error {
 	defer cancel()
 
 	operatorConfig := operatorconfig.Config{
-		OperatorReleaseVersion: opts.ReleaseVersion,
-		Namespace:              opts.OperatorNamespace,
-		IngressControllerImage: opts.IngressControllerImage,
-		CanaryImage:            opts.CanaryImage,
+		OperatorReleaseVersion:    opts.ReleaseVersion,
+		Namespace:                 opts.OperatorNamespace,
+		IngressControllerImage:    opts.IngressControllerImage,
+		CanaryImage:               opts.CanaryImage,
+		GatewayAPIOperatorChannel: opts.GatewayAPIOperatorChannel,
+		GatewayAPIOperatorVersion: opts.GatewayAPIOperatorVersion,
 	}
 
 	// Start operator metrics.

manifests/00-cluster-role.yaml

@@ -178,6 +178,7 @@ rules:
   - operators.coreos.com
   resources:
   - subscriptions
+  - installplans
   verbs:
   - '*'
 

manifests/02-deployment-ibm-cloud-managed.yaml

@@ -35,6 +35,10 @@ spec:
         - $(CANARY_IMAGE)
         - --release-version
         - $(RELEASE_VERSION)
+        - --gateway-api-operator-channel
+        - $(GATEWAY_API_OPERATOR_CHANNEL)
+        - --gateway-api-operator-version
+        - $(GATEWAY_API_OPERATOR_VERSION)
         env:
         - name: RELEASE_VERSION
           value: 0.0.1-snapshot
@@ -46,6 +50,10 @@ spec:
           value: openshift/origin-haproxy-router:v4.0
         - name: CANARY_IMAGE
           value: openshift/origin-cluster-ingress-operator:latest
+        - name: GATEWAY_API_OPERATOR_CHANNEL
+          value: stable
+        - name: GATEWAY_API_OPERATOR_VERSION
+          value: servicemeshoperator.v2.6.2
         image: openshift/origin-cluster-ingress-operator:latest
         imagePullPolicy: IfNotPresent
         name: ingress-operator

manifests/02-deployment.yaml

@@ -64,6 +64,10 @@ spec:
           - "$(CANARY_IMAGE)"
           - --release-version
           - "$(RELEASE_VERSION)"
+          - --gateway-api-operator-channel
+          - "$(GATEWAY_API_OPERATOR_CHANNEL)"
+          - --gateway-api-operator-version
+          - "$(GATEWAY_API_OPERATOR_VERSION)"
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
@@ -75,6 +79,10 @@ spec:
               value: openshift/origin-haproxy-router:v4.0
             - name: CANARY_IMAGE
               value: openshift/origin-cluster-ingress-operator:latest
+            - name: GATEWAY_API_OPERATOR_CHANNEL
+              value: stable
+            - name: GATEWAY_API_OPERATOR_VERSION
+              value: servicemeshoperator.v2.6.2
           resources:
             requests:
               cpu: 10m

pkg/operator/config/config.go

@@ -15,5 +15,11 @@ type Config struct {
 	// CanaryImage is the ingress operator image, which runs a canary command.
 	CanaryImage string
 
+	// GatewayAPIOperatorChannel is the release channel of the Gateway API implementation to install.
+	GatewayAPIOperatorChannel string
+
+	// GatewayAPIOperatorVersion is the name and release of the Gateway API implementation to install.
+	GatewayAPIOperatorVersion string
+
 	Stop chan struct{}
 }

pkg/operator/controller/gatewayclass/controller.go

@@ -77,6 +77,28 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er
 		enqueueRequestForDefaultGatewayClassController(config.OperandNamespace), isServiceMeshSubscription)); err != nil {
 		return nil, err
 	}
+
+	isOurInstallPlan := predicate.NewPredicateFuncs(func(o client.Object) bool {
+		installPlan := o.(*operatorsv1alpha1.InstallPlan)
+		if len(installPlan.Spec.ClusterServiceVersionNames) > 0 {
+			for _, csv := range installPlan.Spec.ClusterServiceVersionNames {
+				if csv == config.GatewayAPIOperatorVersion {
+					return true
+				}
+			}
+		}
+		return false
+	})
+	// Check the approved status of an InstallPlan. The ingress operator only needs to potentially move install plans
+	// from Approved=false to Approved=true, so we can filter out all approved plans at the Watch() level.
+	isInstallPlanApproved := predicate.NewPredicateFuncs(func(o client.Object) bool {
+		installPlan := o.(*operatorsv1alpha1.InstallPlan)
+		return installPlan.Spec.Approved
+	})
+	if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, enqueueRequestForDefaultGatewayClassController(config.OperatorNamespace), isOurInstallPlan, predicate.Not(isInstallPlanApproved))); err != nil {
+		return nil, err
+	}
+
 	gatewayClassController = c
 	return c, nil
 }
@@ -89,6 +111,10 @@ type Config struct {
 	OperatorNamespace string
 	// OperandNamespace is the namespace in which Istio should be deployed.
 	OperandNamespace string
+	// GatewayAPIOperatorChannel is the release channel of the Gateway API implementation to install.
+	GatewayAPIOperatorChannel string
+	// GatewayAPIOperatorVersion is the name and release of the Gateway API implementation to install.
+	GatewayAPIOperatorVersion string
 }
 
 // reconciler reconciles gatewayclasses.
@@ -131,6 +157,9 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 	if _, _, err := r.ensureServiceMeshOperatorSubscription(ctx); err != nil {
 		errs = append(errs, fmt.Errorf("failed to ensure ServiceMeshOperatorSubscription: %w", err))
 	}
+	if _, _, err := r.ensureServiceMeshOperatorInstallPlan(ctx); err != nil {
+		errs = append(errs, err)
+	}
 	if _, _, err := r.ensureServiceMeshControlPlane(ctx, &gatewayclass); err != nil {
 		errs = append(errs, err)
 	} else {

pkg/operator/controller/gatewayclass/subscription.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
@@ -26,7 +27,7 @@ func (r *reconciler) ensureServiceMeshOperatorSubscription(ctx context.Context)
 		return false, nil, err
 	}
 
-	desired, err := desiredSubscription(name)
+	desired, err := desiredSubscription(name, r.config.GatewayAPIOperatorChannel, r.config.GatewayAPIOperatorVersion)
 	if err != nil {
 		return have, current, err
 	}
@@ -48,18 +49,19 @@ func (r *reconciler) ensureServiceMeshOperatorSubscription(ctx context.Context)
 }
 
 // desiredSubscription returns the desired subscription.
-func desiredSubscription(name types.NamespacedName) (*operatorsv1alpha1.Subscription, error) {
+func desiredSubscription(name types.NamespacedName, gwapiOperatorChannel, gwapiOperatorVersion string) (*operatorsv1alpha1.Subscription, error) {
 	subscription := operatorsv1alpha1.Subscription{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: name.Namespace,
 			Name:      name.Name,
 		},
 		Spec: &operatorsv1alpha1.SubscriptionSpec{
-			Channel:                "stable",
-			InstallPlanApproval:    operatorsv1alpha1.ApprovalAutomatic,
+			Channel:                gwapiOperatorChannel,
+			InstallPlanApproval:    operatorsv1alpha1.ApprovalManual,
 			Package:                "servicemeshoperator",
 			CatalogSource:          "redhat-operators",
 			CatalogSourceNamespace: "openshift-marketplace",
+			StartingCSV:            gwapiOperatorVersion,
 		},
 	}
 	return &subscription, nil
@@ -115,3 +117,92 @@ func subscriptionChanged(current, expected *operatorsv1alpha1.Subscription) (boo
 
 	return true, updated
 }
+
+// ensureServiceMeshOperatorInstallPlan attempts to ensure that the install plan for the appropriate OSSM operator
+// version is approved.
+func (r *reconciler) ensureServiceMeshOperatorInstallPlan(ctx context.Context) (bool, *operatorsv1alpha1.InstallPlan, error) {
+	haveInstallPlan, current, err := r.currentInstallPlan(ctx)
+	if err != nil {
+		return false, nil, err
+	}
+	switch {
+	case !haveInstallPlan:
+		// The OLM operator creates the initial InstallPlan, so if it doesn't exist yet or it's been deleted, do nothing
+		// and let the OLM operator handle it.
+		return false, nil, nil
+	case haveInstallPlan:
+		desired := desiredInstallPlan(current)
+		if updated, err := r.updateInstallPlan(ctx, current, desired); err != nil {
+			return true, current, err
+		} else if updated {
+			return r.currentInstallPlan(ctx)
+		}
+	}
+	return false, current, nil
+}
+
+// currentInstallPlan returns the InstallPlan that describes installing the expected version of the GatewayAPI
+// implementation, if one exists.
+func (r *reconciler) currentInstallPlan(ctx context.Context) (bool, *operatorsv1alpha1.InstallPlan, error) {
+	_, subscription, err := r.currentSubscription(ctx, operatorcontroller.ServiceMeshSubscriptionName())
+	if err != nil {
+		return false, nil, err
+	}
+	installPlans := &operatorsv1alpha1.InstallPlanList{}
+	if err := r.client.List(ctx, installPlans, client.InNamespace(operatorcontroller.OpenshiftOperatorNamespace)); err != nil {
+		return false, nil, err
+	}
+	if installPlans == nil || len(installPlans.Items) == 0 {
+		return false, nil, nil
+	}
+	for _, installPlan := range installPlans.Items {
+		if len(installPlan.OwnerReferences) == 0 || len(installPlan.Spec.ClusterServiceVersionNames) == 0 {
+			continue
+		}
+		for _, ownerRef := range installPlan.OwnerReferences {
+			if ownerRef.UID == subscription.UID {
+				for _, csvName := range installPlan.Spec.ClusterServiceVersionNames {
+					if csvName == r.config.GatewayAPIOperatorVersion {
+						return true, &installPlan, nil
+					}
+				}
+			}
+		}
+	}
+	// No valid InstallPlan found.
+	return false, nil, nil
+}
+
+// desiredInstallPlan returns a version of the expected InstallPlan that is approved.
+func desiredInstallPlan(current *operatorsv1alpha1.InstallPlan) *operatorsv1alpha1.InstallPlan {
+	desired := current.DeepCopy()
+	desired.Spec.Approved = true
+	return desired
+}
+
+// updateInstallPlan updates an existing InstallPlan if it differs from the desired state.
+func (r *reconciler) updateInstallPlan(ctx context.Context, current, desired *operatorsv1alpha1.InstallPlan) (bool, error) {
+	changed, updated := installPlanChanged(current, desired)
+	if !changed {
+		return false, nil
+	}
+	diff := cmp.Diff(current.Spec, updated.Spec, cmpopts.EquateEmpty())
+	if err := r.client.Update(ctx, updated); err != nil {
+		return false, fmt.Errorf("failed to update InstallPlan %s/%s: %w", current.Namespace, current.Name, err)
+	}
+	log.Info("updated InstallPlan", "namespace", updated.Namespace, "name", updated.Name, "diff", diff)
+	return true, nil
+}
+
+// installPlanChanged returns a Boolean indicating whether the current InstallPlan matches the expected InstallPlan and
+// the updated InstallPlan if they do not match.
+func installPlanChanged(current, expected *operatorsv1alpha1.InstallPlan) (bool, *operatorsv1alpha1.InstallPlan) {
+	if cmp.Equal(current.Spec, expected.Spec, cmpopts.EquateEmpty()) {
+		return false, nil
+	}
+
+	updated := current.DeepCopy()
+	updated.Spec = expected.Spec
+
+	return true, updated
+}