WIP: Remove generation of rbac and webhooks

Signed-off-by: Todd Short <[email protected]>

Author: tmshort

Makefile

@@ -149,16 +149,6 @@ KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac
 manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	# Generate CRDs via our own generator
 	hack/tools/update-crds.sh
-	# Generate the remaining operator-controller standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
-	# Generate the remaining operator-controller experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
-	# Generate the remaining catalogd standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard
-	# Generate the remaining catalogd experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental
 	# Update base config to include helm templates
 	./hack/tools/patch-base-for-helm.sh
 	# Generate manifests stored in source-control

hack/tools/patch-base-for-helm.sh

@@ -7,53 +7,11 @@
 # YAML once helm templating has been added.
 
 # Patch catalogd rbac
-catalogd_rbac_filelist=(
-    helm/olmv1/base/catalogd/rbac/experimental/*.yaml
-    helm/olmv1/base/catalogd/rbac/standard/*.yaml
-)
-for f in "${catalogd_rbac_filelist[@]}"; do
-    yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
-    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "catalogd-role-rules"})' "${f}"
-    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "catalogd-cluster-role-rules"})' "${f}"
-done
-
-# Patch operator-controller rbac
-operator_controller_rbac_filelist=(
-    helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
-    helm/olmv1/base/operator-controller/rbac/standard/*.yaml
-)
-for f in "${operator_controller_rbac_filelist[@]}"; do
-    yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}"
-    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "operator-controller-role-rules"})' "${f}"
-    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "operator-controller-cluster-role-rules"})' "${f}"
-done
-
-# Patch catalogd webhook
-catalogd_webhook_filelist=(
-    helm/olmv1/base/catalogd/webhook/experimental/*.yaml
-    helm/olmv1/base/catalogd/webhook/standard/*.yaml
-)
-for f in "${catalogd_webhook_filelist[@]}"; do
-    yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
-    yq -i '.metadata.name = "catalogd-mutating-webhook-configuration"' "${f}"
-    yq -i '.metadata.annotations["catalogd-webhook-annotations"] = "replaceMe"' "${f}"
-    yq -i '.webhooks[0].clientConfig.service.namespace = "olmv1-system"' "${f}"
-    yq -i '.webhooks[0].clientConfig.service.name = "catalogd-service"' "${f}"
-    yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}"
-    yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}"
-    yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}"
-done
 
 # Patch everything generically
 filelist=(
-    helm/olmv1/base/catalogd/rbac/experimental/*.yaml
-    helm/olmv1/base/catalogd/rbac/standard/*.yaml
     helm/olmv1/base/catalogd/crd/experimental/*.yaml
     helm/olmv1/base/catalogd/crd/standard/*.yaml
-    helm/olmv1/base/catalogd/webhook/experimental/*.yaml
-    helm/olmv1/base/catalogd/webhook/standard/*.yaml
-    helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
-    helm/olmv1/base/operator-controller/rbac/standard/*.yaml
     helm/olmv1/base/operator-controller/crd/experimental/*.yaml
     helm/olmv1/base/operator-controller/crd/standard/*.yaml
 )
@@ -64,13 +22,7 @@ for f in "${filelist[@]}"; do
     yq -i '.metadata.labels.replaceMe = "labels"' "${f}"
     # Replace with helm template - must be done last or yq will complain about the file format
     sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}"
-    sed -i.bak 's/catalogd-webhook-annotations: replaceMe/{{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }}/g' "${f}"
     sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}"
-    sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}"
-    sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}"
-    sed -i.bak 's/- replaceMe: catalogd-cluster-role-rules/{{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}/g' "${f}"
-    sed -i.bak 's/- replaceMe: operator-controller-role-rules/{{- include "olmv1.operatorController.role.rules" . | nindent 2 }}/g' "${f}"
-    sed -i.bak 's/- replaceMe: operator-controller-cluster-role-rules/{{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}/g' "${f}"
     # Delete sed's backup file
     rm -f "${f}.bak"
 done

internal/catalogd/controllers/core/clustercatalog_controller.go

@@ -76,12 +76,6 @@ type storedCatalogData struct {
 	observedGeneration int64
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/finalizers,verbs=update
-//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch
-
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 //

internal/catalogd/webhook/cluster_catalog_webhook.go

@@ -11,10 +11,6 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 )
 
-// +kubebuilder:webhook:admissionReviewVersions={v1},failurePolicy=Fail,groups=olm.operatorframework.io,mutating=true,name=inject-metadata-name.olm.operatorframework.io,path=/mutate-olm-operatorframework-io-v1-clustercatalog,resources=clustercatalogs,verbs=create;update,versions=v1,sideEffects=None,timeoutSeconds=10
-
-// +kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;patch;update
-
 // ClusterCatalog wraps the external v1.ClusterCatalog type and implements admission.Defaulter
 type ClusterCatalog struct{}
 

internal/operator-controller/controllers/clustercatalog_controller.go

@@ -45,8 +45,6 @@ type ClusterCatalogReconciler struct {
 	CatalogCachePopulator CatalogCachePopulator
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch
-
 func (r *ClusterCatalogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	l := log.FromContext(ctx).WithName("cluster-catalog")
 	ctx = log.IntoContext(ctx, l)

internal/operator-controller/controllers/clusterextension_controller.go

@@ -90,17 +90,6 @@ type InstalledBundleGetter interface {
 	GetInstalledBundle(ctx context.Context, ext *ocv1.ClusterExtension) (*InstalledBundle, error)
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch;update;patch
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update
-//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=create;update;patch;delete;deletecollection;get;list;watch
-//+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
-//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch
-//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch
-
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch
-
 // The operator controller needs to watch all the bundle objects and reconcile accordingly. Though not ideal, but these permissions are required.
 // This has been taken from rukpak, and an issue was created before to discuss it: https://github.com/operator-framework/rukpak/issues/800.
 func (r *ClusterExtensionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {