wip on making service account optional; need to add synthetic auth back in

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

api/v1/clusterextension_types.go

@@ -70,10 +70,20 @@ type ClusterExtensionSpec struct {
 	// serviceAccount is a reference to a ServiceAccount used to perform all interactions
 	// with the cluster that are required to manage the extension.
 	// Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
+	//
+	// <opcon:standard:description>
 	// serviceAccount is required.
+	// </opcon:standard:description>
 	//
-	// +kubebuilder:validation:Required
-	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
+	// <opcon:experimental:description>
+	// If not set, operator-controller will authenticate as:
+	//   - User:  "olmv1:clusterextension:<clusterExtensionName>"
+	//   - Group: "olmv1:clusterextensions"
+	// </opcon:experimental:description>
+	//
+	// <opcon:standard:validation:Required>
+	// <opcon:experimental:validation:Optional>
+	ServiceAccount *ServiceAccountReference `json:"serviceAccount,omitempty"`
 
 	// source is a required field which selects the installation source of content
 	// for this ClusterExtension. Selection is performed by setting the sourceType.
@@ -373,7 +383,7 @@ type CatalogFilter struct {
 	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
 }
 
-// ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
+// ServiceAccountReference identifies the serviceAccount name used to manage a ClusterExtension.
 type ServiceAccountReference struct {
 	// name is a required, immutable reference to the name of the ServiceAccount
 	// to be used for installation and management of the content for the package

config/samples/olm_v1_clusterextension.yaml

@@ -282,8 +282,6 @@ metadata:
   name: argocd
 spec:
   namespace: argocd
-  serviceAccount:
-    name: argocd-installer
   source:
     sourceType: Catalog
     catalog:

docs/api-reference/olmv1-api-reference.md

@@ -340,7 +340,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
-| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.<br />serviceAccount is required. |  | Required: \{\} <br /> |
+| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is an optional field that references a ServiceAccount used to<br />perform all interactions with the cluster that are required to manage the extension.<br />If not set, operator-controller will use its own ServiceAccount for extension management.<br />Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount. |  |  |
 | `source` _[SourceConfig](#sourceconfig)_ | source is a required field which selects the installation source of content<br />for this ClusterExtension. Selection is performed by setting the sourceType.<br />Catalog is currently the only implemented sourceType, and setting the<br />sourcetype to "Catalog" requires the catalog field to also be defined.<br />Below is a minimal example of a source definition (in yaml):<br />source:<br />  sourceType: Catalog<br />  catalog:<br />    packageName: example-package |  | Required: \{\} <br /> |
 | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is an optional field used to configure the installation options<br />for the ClusterExtension such as the pre-flight check configuration. |  |  |
 | `config` _[ClusterExtensionConfig](#clusterextensionconfig)_ | config is an optional field used to specify bundle specific configuration<br />used to configure the bundle. Configuration is bundle specific and a bundle may provide<br />a configuration schema. When not specified, the default configuration of the resolved bundle will be used.<br />config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide<br />a configuration schema the final manifests will be derived on a best-effort basis. More information on how<br />to configure the bundle should be found in its end-user documentation.<br /><opcon:experimental> |  |  |
@@ -439,7 +439,7 @@ _Appears in:_
 
 
 
-ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
+ServiceAccountReference identifies the serviceAccount name used to manage a ClusterExtension.
 
 
 
@@ -448,7 +448,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `name` _string_ | name is a required, immutable reference to the name of the ServiceAccount<br />to be used for installation and management of the content for the package<br />specified in the packageName field.<br />name follows the DNS subdomain standard as defined in [RFC 1123].<br />It must contain only lowercase alphanumeric characters,<br />hyphens (-) or periods (.), start and end with an alphanumeric character,<br />and be no longer than 253 characters.<br />Some examples of valid values are:<br />  - some-serviceaccount<br />  - 123-serviceaccount<br />  - 1-serviceaccount-2<br />  - someserviceaccount<br />  - some.serviceaccount<br />Some examples of invalid values are:<br />  - -some-serviceaccount<br />  - some-serviceaccount-<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 253 <br />Required: \{\} <br /> |
+| `name` _string_ | name is a required, immutable reference to the name of the ServiceAccount<br />to be used for installation and management of the content for the package<br />specified in the packageName field.<br />name follows the DNS subdomain standard as defined in [RFC 1123].<br />It must contain only lowercase alphanumeric characters,<br />hyphens (-) or periods (.), start and end with an alphanumeric character,<br />and be no longer than 253 characters.<br />Some examples of valid values are:<br />  - some-serviceaccount<br />  - 123-serviceaccount<br />  - 1-serviceaccount-2<br />  - someserviceaccount<br />  - some.serviceaccount<br />Some examples of invalid values are:<br />  - -some-serviceaccount<br />  - some-serviceaccount-<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 253 <br /> |
 
 
 #### SourceConfig

hack/tools/crd-generator/main.go

@@ -23,6 +23,7 @@ import (
 	"log"
 	"os"
 	"regexp"
+	"slices"
 	"strings"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -136,7 +137,7 @@ func runGenerator(args ...string) {
 				if channel == StandardChannel && strings.Contains(version.Name, "alpha") {
 					channelCrd.Spec.Versions[i].Served = false
 				}
-				version.Schema.OpenAPIV3Schema.Properties = opconTweaksMap(channel, version.Schema.OpenAPIV3Schema.Properties)
+				version.Schema.OpenAPIV3Schema.Properties = opconTweaksMap(channel, version.Schema.OpenAPIV3Schema)
 			}
 
 			conv, err := crd.AsVersion(*channelCrd, apiextensionsv1.SchemeGroupVersion)
@@ -179,10 +180,11 @@ func runGenerator(args ...string) {
 	}
 }
 
-func opconTweaksMap(channel string, props map[string]apiextensionsv1.JSONSchemaProps) map[string]apiextensionsv1.JSONSchemaProps {
+func opconTweaksMap(channel string, obj *apiextensionsv1.JSONSchemaProps) map[string]apiextensionsv1.JSONSchemaProps {
+	props := obj.Properties
 	for name := range props {
 		jsonProps := props[name]
-		p := opconTweaks(channel, name, jsonProps)
+		p := opconTweaks(channel, name, obj, jsonProps)
 		if p == nil {
 			delete(props, name)
 		} else {
@@ -194,7 +196,7 @@ func opconTweaksMap(channel string, props map[string]apiextensionsv1.JSONSchemaP
 
 // Custom Opcon API Tweaks for tags prefixed with `<opcon:` that get past
 // the limitations of Kubebuilder annotations.
-func opconTweaks(channel string, name string, jsonProps apiextensionsv1.JSONSchemaProps) *apiextensionsv1.JSONSchemaProps {
+func opconTweaks(channel string, name string, parent *apiextensionsv1.JSONSchemaProps, jsonProps apiextensionsv1.JSONSchemaProps) *apiextensionsv1.JSONSchemaProps {
 	if channel == StandardChannel {
 		if strings.Contains(jsonProps.Description, "<opcon:experimental>") {
 			return nil
@@ -210,6 +212,22 @@ func opconTweaks(channel string, name string, jsonProps apiextensionsv1.JSONSche
 	numExpressions := strings.Count(jsonProps.Description, validationPrefix)
 	numValid := 0
 	if numExpressions > 0 {
+		requiredRe := regexp.MustCompile(validationPrefix + "Required>")
+		requiredMatches := requiredRe.FindAllStringSubmatch(jsonProps.Description, -1)
+		for _, _ = range requiredMatches {
+			numValid += 1
+			parent.Required = append(parent.Required, name)
+			slices.Sort(parent.Required)
+		}
+
+		optionalRe := regexp.MustCompile(validationPrefix + "Optional>")
+		optionalMatches := optionalRe.FindAllStringSubmatch(jsonProps.Description, -1)
+		for _, _ = range optionalMatches {
+			numValid += 1
+			parent.Required = slices.DeleteFunc(parent.Required, func(s string) bool { return s == name })
+			slices.Sort(parent.Required)
+		}
+
 		enumRe := regexp.MustCompile(validationPrefix + "Enum=([A-Za-z;]*)>")
 		enumMatches := enumRe.FindAllStringSubmatch(jsonProps.Description, 64)
 		for _, enumMatch := range enumMatches {
@@ -246,36 +264,51 @@ func opconTweaks(channel string, name string, jsonProps apiextensionsv1.JSONSche
 	jsonProps.Description = formatDescription(jsonProps.Description, channel, name)
 
 	if len(jsonProps.Properties) > 0 {
-		jsonProps.Properties = opconTweaksMap(channel, jsonProps.Properties)
+		jsonProps.Properties = opconTweaksMap(channel, &jsonProps)
 	} else if jsonProps.Items != nil && jsonProps.Items.Schema != nil {
-		jsonProps.Items.Schema = opconTweaks(channel, name, *jsonProps.Items.Schema)
+		jsonProps.Items.Schema = opconTweaks(channel, name, &jsonProps, *jsonProps.Items.Schema)
 	}
 
 	return &jsonProps
 }
 
 func formatDescription(description string, channel string, name string) string {
-	startTag := "<opcon:experimental:description>"
-	endTag := "</opcon:experimental:description>"
-	if channel == StandardChannel && strings.Contains(description, startTag) {
-		regexPattern := `\n*` + regexp.QuoteMeta(startTag) + `(?s:(.*?))` + regexp.QuoteMeta(endTag) + `\n*`
+	startTagStandard := "<opcon:standard:description>"
+	endTagStandard := "</opcon:standard:description>"
+	if channel == ExperimentalChannel && strings.Contains(description, startTagStandard) {
+		regexPattern := `\n*` + regexp.QuoteMeta(startTagStandard) + `(?s:(.*?))` + regexp.QuoteMeta(endTagStandard) + `\n*`
+		re := regexp.MustCompile(regexPattern)
+		match := re.FindStringSubmatch(description)
+		if len(match) != 2 {
+			log.Fatalf("Invalid <opcon:standard:description> tag for %s", name)
+		}
+		description = re.ReplaceAllString(description, "\n\n")
+	} else {
+		description = strings.ReplaceAll(description, startTagStandard, "")
+		description = strings.ReplaceAll(description, endTagStandard, "")
+	}
+
+	startTagExperimental := "<opcon:experimental:description>"
+	endTagExperimental := "</opcon:experimental:description>"
+	if channel == StandardChannel && strings.Contains(description, startTagExperimental) {
+		regexPattern := `\n*` + regexp.QuoteMeta(startTagExperimental) + `(?s:(.*?))` + regexp.QuoteMeta(endTagExperimental) + `\n*`
 		re := regexp.MustCompile(regexPattern)
 		match := re.FindStringSubmatch(description)
 		if len(match) != 2 {
 			log.Fatalf("Invalid <opcon:experimental:description> tag for %s", name)
 		}
 		description = re.ReplaceAllString(description, "\n\n")
 	} else {
-		description = strings.ReplaceAll(description, startTag, "")
-		description = strings.ReplaceAll(description, endTag, "")
+		description = strings.ReplaceAll(description, startTagExperimental, "")
+		description = strings.ReplaceAll(description, endTagExperimental, "")
 	}
 
 	// Comments within "opcon:util:excludeFromCRD" tag are not included in the generated CRD and all trailing \n operators before
 	// and after the tags are removed and replaced with three \n operators.
-	startTag = "<opcon:util:excludeFromCRD>"
-	endTag = "</opcon:util:excludeFromCRD>"
-	if strings.Contains(description, startTag) {
-		regexPattern := `\n*` + regexp.QuoteMeta(startTag) + `(?s:(.*?))` + regexp.QuoteMeta(endTag) + `\n*`
+	startTagExclude := "<opcon:util:excludeFromCRD>"
+	endTagExclude := "</opcon:util:excludeFromCRD>"
+	if strings.Contains(description, startTagExclude) {
+		regexPattern := `\n*` + regexp.QuoteMeta(startTagExclude) + `(?s:(.*?))` + regexp.QuoteMeta(endTagExclude) + `\n*`
 		re := regexp.MustCompile(regexPattern)
 		match := re.FindStringSubmatch(description)
 		if len(match) != 2 {

helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml

@@ -174,7 +174,10 @@ spec:
                   serviceAccount is a reference to a ServiceAccount used to perform all interactions
                   with the cluster that are required to manage the extension.
                   Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
-                  serviceAccount is required.
+
+                  If not set, operator-controller will authenticate as:
+                    - User:  "olmv1:clusterextension:<clusterExtensionName>"
+                    - Group: "olmv1:clusterextensions"
                 properties:
                   name:
                     description: |-
@@ -495,7 +498,6 @@ spec:
                     has(self.catalog) : !has(self.catalog)'
             required:
             - namespace
-            - serviceAccount
             - source
             type: object
           status:

helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml

@@ -135,6 +135,7 @@ spec:
                   serviceAccount is a reference to a ServiceAccount used to perform all interactions
                   with the cluster that are required to manage the extension.
                   Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
+
                   serviceAccount is required.
                 properties:
                   name:

internal/operator-controller/action/restconfig.go

@@ -23,9 +23,11 @@ func ServiceAccountRestConfigMapper() func(ctx context.Context, o client.Object,
 			return nil, err
 		}
 		cc := rest.CopyConfig(c)
-		cc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
-			return transport.NewImpersonatingRoundTripper(authentication.ServiceAccountImpersonationConfig(*cExt), rt)
-		})
+		if cExt.Spec.ServiceAccount.Name != "" {
+			cc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+				return transport.NewImpersonatingRoundTripper(authentication.ServiceAccountImpersonationConfig(*cExt), rt)
+			})
+		}
 		return cc, nil
 	}
 }

internal/operator-controller/applier/helm.go

@@ -113,7 +113,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		labels: objectLabels,
 	}
 
-	if h.PreAuthorizer != nil {
+	if h.PreAuthorizer != nil && ext.Spec.ServiceAccount.Name != "" {
 		err := h.runPreAuthorizationChecks(ctx, ext, chrt, values, post)
 		if err != nil {
 			// Return the pre-authorization error directly

manifests/experimental-e2e.yaml

@@ -979,7 +979,10 @@ spec:
                   serviceAccount is a reference to a ServiceAccount used to perform all interactions
                   with the cluster that are required to manage the extension.
                   Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
-                  serviceAccount is required.
+
+                  If not set, operator-controller will authenticate as:
+                    - User:  "olmv1:clusterextension:<clusterExtensionName>"
+                    - Group: "olmv1:clusterextensions"
                 properties:
                   name:
                     description: |-
@@ -1300,7 +1303,6 @@ spec:
                     has(self.catalog) : !has(self.catalog)'
             required:
             - namespace
-            - serviceAccount
             - source
             type: object
           status:

manifests/experimental.yaml

@@ -944,7 +944,10 @@ spec:
                   serviceAccount is a reference to a ServiceAccount used to perform all interactions
                   with the cluster that are required to manage the extension.
                   Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
-                  serviceAccount is required.
+
+                  If not set, operator-controller will authenticate as:
+                    - User:  "olmv1:clusterextension:<clusterExtensionName>"
+                    - Group: "olmv1:clusterextensions"
                 properties:
                   name:
                     description: |-
@@ -1265,7 +1268,6 @@ spec:
                     has(self.catalog) : !has(self.catalog)'
             required:
             - namespace
-            - serviceAccount
             - source
             type: object
           status: