Revert API changes

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

api/v1/clusterextension_types.go

@@ -66,19 +66,10 @@ type ClusterExtensionSpec struct {
 	// with the cluster that are required to manage the extension.
 	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
 	// The ServiceAccount must exist in the namespace referenced in the spec.
+	// serviceAccount is required.
 	//
-	// serviceAccount is optional. If a service account is not defined, requests to the apiserver will instead use
-	// username "olmv1:clusterextensions:<clusterExtension.metadata.name>:admin" and groups
-	// "olmv1:clusterextensions:admin" and "system:authenticated"
-	//
-	// Deprecated: Use of serviceAccount is not recommended. Instead, administrators are encouraged
-	// to use the synthetic user/groups described above. All of the same RBAC setup is still required with these
-	// synthetic user/groups. However, this mode is preferred because it requires administrators to specifically
-	// configure RBAC for extension management, rather than enabling piggybacking on existing highly privileged
-	// service accounts that already exist on the cluster.
-	//
-	// +optional
-	ServiceAccount *ServiceAccountReference `json:"serviceAccount"`
+	// +kubebuilder:validation:Required
+	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
 
 	// source is a required field which selects the installation source of content
 	// for this ClusterExtension. Selection is performed by setting the sourceType.

api/v1/zz_generated.deepcopy.go

@@ -135,16 +135,7 @@ spec:
                   with the cluster that are required to manage the extension.
                   The ServiceAccount must be configured with the necessary permissions to perform these interactions.
                   The ServiceAccount must exist in the namespace referenced in the spec.
-
-                  serviceAccount is optional. If a service account is not defined, requests to the apiserver will instead use
-                  username "olmv1:clusterextensions:<clusterExtension.metadata.name>:admin" and groups
-                  "olmv1:clusterextensions:admin" and "system:authenticated"
-
-                  Deprecated: Use of serviceAccount is not recommended. Instead, administrators are encouraged
-                  to use the synthetic user/groups described above. All of the same RBAC setup is still required with these
-                  synthetic user/groups. However, this mode is preferred because it requires administrators to specifically
-                  configure RBAC for extension management, rather than enabling piggybacking on existing highly privileged
-                  service accounts that already exist on the cluster.
+                  serviceAccount is required.
                 properties:
                   name:
                     description: |-
@@ -467,6 +458,7 @@ spec:
                     has(self.catalog) : !has(self.catalog)'
             required:
             - namespace
+            - serviceAccount
             - source
             type: object
           status:

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -4,13 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - groups
-  - users
-  verbs:
-  - impersonate
 - apiGroups:
   - ""
   resources:

config/base/operator-controller/rbac/role.yaml

@@ -2,7 +2,13 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: argocd-system
+  name: argocd
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-installer
+  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -13,8 +19,9 @@ roleRef:
   kind: ClusterRole
   name: argocd-installer-clusterrole
 subjects:
-- kind: User
-  name: "olmv1:clusterextensions:argocd-operator:admin"
+- kind: ServiceAccount
+  name: argocd-installer
+  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -69,8 +76,9 @@ roleRef:
   kind: ClusterRole
   name: argocd-installer-rbac-clusterrole
 subjects:
-- kind: User
-  name: "olmv1:clusterextensions:argocd-operator:admin"
+- kind: ServiceAccount
+  name: argocd-installer
+  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -214,7 +222,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: argocd-installer-role
-  namespace: argocd-system
+  namespace: argocd
 rules:
 - apiGroups: [""]
   resources: [serviceaccounts]
@@ -252,21 +260,24 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd-installer-binding
-  namespace: argocd-system
+  namespace: argocd
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: argocd-installer-role
 subjects:
-- kind: User
-  name: "olmv1:clusterextensions:argocd-operator:admin"
+- kind: ServiceAccount
+  name: argocd-installer
+  namespace: argocd
 ---
 apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
-  name: argocd-operator
+  name: argocd
 spec:
-  namespace: argocd-system
+  namespace: argocd
+  serviceAccount:
+    name: argocd-installer
   source:
     sourceType: Catalog
     catalog:

config/samples/olm_v1_clusterextension.yaml

@@ -306,7 +306,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This is the namespace in which the provided ServiceAccount must exist.<br />It also designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br /><br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br /><br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
-| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />The ServiceAccount must be configured with the necessary permissions to perform these interactions.<br />The ServiceAccount must exist in the namespace referenced in the spec.<br /><br />serviceAccount is optional. If a service account is not defined, requests to the apiserver will instead use<br />username "olmv1:clusterextensions:<clusterExtension.metadata.name>:admin" and groups<br />"olmv1:clusterextensions:admin" and "system:authenticated"<br /><br />Deprecated: Use of serviceAccount is not recommended. Instead, administrators are encouraged<br />to use the synthetic user/groups described above. All of the same RBAC setup is still required with these<br />synthetic user/groups. However, this mode is preferred because it requires administrators to specifically<br />configure RBAC for extension management, rather than enabling piggybacking on existing highly privileged<br />service accounts that already exist on the cluster. |  |  |
+| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />The ServiceAccount must be configured with the necessary permissions to perform these interactions.<br />The ServiceAccount must exist in the namespace referenced in the spec.<br />serviceAccount is required. |  | Required: \{\} <br /> |
 | `source` _[SourceConfig](#sourceconfig)_ | source is a required field which selects the installation source of content<br />for this ClusterExtension. Selection is performed by setting the sourceType.<br /><br />Catalog is currently the only implemented sourceType, and setting the<br />sourcetype to "Catalog" requires the catalog field to also be defined.<br /><br />Below is a minimal example of a source definition (in yaml):<br /><br />source:<br />  sourceType: Catalog<br />  catalog:<br />    packageName: example-package |  | Required: \{\} <br /> |
 | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is an optional field used to configure the installation options<br />for the ClusterExtension such as the pre-flight check configuration. |  |  |
 

docs/api-reference/operator-controller-api-reference.md

@@ -44,6 +44,9 @@ func TestClusterExtensionSourceConfig(t *testing.T) {
 						},
 					},
 					Namespace: "default",
+					ServiceAccount: ocv1.ServiceAccountReference{
+						Name: "default",
+					},
 				}))
 			}
 			if tc.unionField == "" {
@@ -52,6 +55,9 @@ func TestClusterExtensionSourceConfig(t *testing.T) {
 						SourceType: tc.sourceType,
 					},
 					Namespace: "default",
+					ServiceAccount: ocv1.ServiceAccountReference{
+						Name: "default",
+					},
 				}))
 			}
 
@@ -108,6 +114,9 @@ func TestClusterExtensionAdmissionPackageName(t *testing.T) {
 					},
 				},
 				Namespace: "default",
+				ServiceAccount: ocv1.ServiceAccountReference{
+					Name: "default",
+				},
 			}))
 			if tc.errMsg == "" {
 				require.NoError(t, err, "unexpected error for package name %q: %w", tc.pkgName, err)
@@ -203,6 +212,9 @@ func TestClusterExtensionAdmissionVersion(t *testing.T) {
 					},
 				},
 				Namespace: "default",
+				ServiceAccount: ocv1.ServiceAccountReference{
+					Name: "default",
+				},
 			}))
 			if tc.errMsg == "" {
 				require.NoError(t, err, "unexpected error for version %q: %w", tc.version, err)
@@ -255,6 +267,9 @@ func TestClusterExtensionAdmissionChannel(t *testing.T) {
 					},
 				},
 				Namespace: "default",
+				ServiceAccount: ocv1.ServiceAccountReference{
+					Name: "default",
+				},
 			}))
 			if tc.errMsg == "" {
 				require.NoError(t, err, "unexpected error for channel %q: %w", tc.channels, err)
@@ -305,6 +320,9 @@ func TestClusterExtensionAdmissionInstallNamespace(t *testing.T) {
 					},
 				},
 				Namespace: tc.namespace,
+				ServiceAccount: ocv1.ServiceAccountReference{
+					Name: "default",
+				},
 			}))
 			if tc.errMsg == "" {
 				require.NoError(t, err, "unexpected error for namespace %q: %w", tc.namespace, err)
@@ -356,7 +374,7 @@ func TestClusterExtensionAdmissionServiceAccount(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: &ocv1.ServiceAccountReference{
+				ServiceAccount: ocv1.ServiceAccountReference{
 					Name: tc.serviceAccount,
 				},
 			}))
@@ -415,7 +433,10 @@ func TestClusterExtensionAdmissionInstall(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				Install:   tc.installConfig,
+				ServiceAccount: ocv1.ServiceAccountReference{
+					Name: "default",
+				},
+				Install: tc.installConfig,
 			}))
 			if tc.errMsg == "" {
 				require.NoError(t, err, "unexpected error for install configuration %v: %w", tc.installConfig, err)

internal/operator-controller/controllers/clusterextension_admission_test.go

@@ -95,7 +95,6 @@ type InstalledBundleGetter interface {
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=system,groups=core,resources=secrets,verbs=create;update;patch;delete;deletecollection;get;list;watch
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
-//+kubebuilder:rbac:groups=core,resources=users;groups,verbs=impersonate
 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
 
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch

internal/operator-controller/controllers/clusterextension_controller.go

@@ -69,6 +69,9 @@ func TestClusterExtensionResolutionFails(t *testing.T) {
 				},
 			},
 			Namespace: "default",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "default",
+			},
 		},
 	}
 	require.NoError(t, cl.Create(ctx, clusterExtension))
@@ -128,6 +131,7 @@ func TestClusterExtensionResolutionSuccessfulUnpackFails(t *testing.T) {
 			pkgVer := "1.0.0"
 			pkgChan := "beta"
 			namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+			serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 			clusterExtension := &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -141,6 +145,9 @@ func TestClusterExtensionResolutionSuccessfulUnpackFails(t *testing.T) {
 						},
 					},
 					Namespace: namespace,
+					ServiceAccount: ocv1.ServiceAccountReference{
+						Name: serviceAccount,
+					},
 				},
 			}
 			err := cl.Create(ctx, clusterExtension)
@@ -204,6 +211,7 @@ func TestClusterExtensionResolutionAndUnpackSuccessfulApplierFails(t *testing.T)
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -217,6 +225,9 @@ func TestClusterExtensionResolutionAndUnpackSuccessfulApplierFails(t *testing.T)
 				},
 			},
 			Namespace: namespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)
@@ -284,7 +295,7 @@ func TestClusterExtensionServiceAccountNotFound(t *testing.T) {
 				},
 			},
 			Namespace: "default",
-			ServiceAccount: &ocv1.ServiceAccountReference{
+			ServiceAccount: ocv1.ServiceAccountReference{
 				Name: "missing-sa",
 			},
 		},
@@ -331,6 +342,7 @@ func TestClusterExtensionApplierFailsWithBundleInstalled(t *testing.T) {
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -344,6 +356,9 @@ func TestClusterExtensionApplierFailsWithBundleInstalled(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)
@@ -423,6 +438,7 @@ func TestClusterExtensionManagerFailed(t *testing.T) {
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -436,6 +452,9 @@ func TestClusterExtensionManagerFailed(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)
@@ -497,6 +516,7 @@ func TestClusterExtensionManagedContentCacheWatchFail(t *testing.T) {
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	installNamespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -511,6 +531,9 @@ func TestClusterExtensionManagedContentCacheWatchFail(t *testing.T) {
 				},
 			},
 			Namespace: installNamespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)
@@ -574,6 +597,7 @@ func TestClusterExtensionInstallationSucceeds(t *testing.T) {
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -587,6 +611,9 @@ func TestClusterExtensionInstallationSucceeds(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)
@@ -648,6 +675,7 @@ func TestClusterExtensionDeleteFinalizerFails(t *testing.T) {
 	pkgVer := "1.0.0"
 	pkgChan := "beta"
 	namespace := fmt.Sprintf("test-ns-%s", rand.String(8))
+	serviceAccount := fmt.Sprintf("test-sa-%s", rand.String(8))
 
 	clusterExtension := &ocv1.ClusterExtension{
 		ObjectMeta: metav1.ObjectMeta{Name: extKey.Name},
@@ -661,6 +689,9 @@ func TestClusterExtensionDeleteFinalizerFails(t *testing.T) {
 				},
 			},
 			Namespace: namespace,
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: serviceAccount,
+			},
 		},
 	}
 	err := cl.Create(ctx, clusterExtension)