Boxcutter Preflight

Signed-off-by: Todd Short <[email protected]>

Author: tmshort

cmd/operator-controller/main.go

@@ -458,6 +458,7 @@ func run() error {
 					CertificateProvider: certProvider,
 				},
 			},
+			Preflights: preflights,
 		}
 		ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
 	} else {
@@ -470,7 +471,8 @@ func run() error {
 				CertificateProvider:     certProvider,
 				IsWebhookSupportEnabled: certProvider != nil,
 			},
-			PreAuthorizer: preAuth,
+			PreAuthorizer:                 preAuth,
+			HelmReleaseToObjectsConverter: &applier.HelmReleaseToObjectsConverter{},
 		}
 	}
 

internal/operator-controller/applier/boxcutter.go

@@ -97,13 +97,24 @@ type Boxcutter struct {
 	Client            client.Client
 	Scheme            *runtime.Scheme
 	RevisionGenerator ClusterExtensionRevisionGenerator
+	Preflights        []Preflight
 }
 
 func (bc *Boxcutter) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, storageLabels map[string]string) ([]client.Object, string, error) {
 	objs, err := bc.apply(ctx, contentFS, ext, objectLabels, storageLabels)
 	return objs, "", err
 }
 
+func (bc *Boxcutter) getObjects(rev *ocv1.ClusterExtensionRevision) []client.Object {
+	var objs []client.Object
+	for _, phase := range rev.Spec.Phases {
+		for _, phaseObject := range phase.Objects {
+			objs = append(objs, &phaseObject.Object)
+		}
+	}
+	return objs
+}
+
 func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, _ map[string]string) ([]client.Object, error) {
 	// Generate desired revision
 	desiredRevision, err := bc.RevisionGenerator.GenerateRevision(contentFS, ext, objectLabels)
@@ -122,6 +133,7 @@ func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust
 	var (
 		currentRevision *ocv1.ClusterExtensionRevision
 	)
+	state := StateNeedsInstall
 	if len(existingRevisions) > 0 {
 		maybeCurrentRevision := existingRevisions[len(existingRevisions)-1]
 		annotations := maybeCurrentRevision.GetAnnotations()
@@ -130,6 +142,27 @@ func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust
 				currentRevision = &maybeCurrentRevision
 			}
 		}
+		state = StateNeedsUpgrade
+	}
+
+	// Preflights
+	plainObjs := bc.getObjects(desiredRevision)
+	for _, preflight := range bc.Preflights {
+		if shouldSkipPreflight(ctx, preflight, ext, state) {
+			continue
+		}
+		switch state {
+		case StateNeedsInstall:
+			err := preflight.Install(ctx, plainObjs)
+			if err != nil {
+				return nil, err
+			}
+		case StateNeedsUpgrade:
+			err := preflight.Upgrade(ctx, plainObjs)
+			if err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	if currentRevision == nil {
@@ -164,13 +197,7 @@ func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust
 	// TODO: Read status from revision.
 
 	// Collect objects
-	var plain []client.Object
-	for _, phase := range desiredRevision.Spec.Phases {
-		for _, phaseObject := range phase.Objects {
-			plain = append(plain, &phaseObject.Object)
-		}
-	}
-	return plain, nil
+	return bc.getObjects(desiredRevision), nil
 }
 
 // getExistingRevisions returns the list of ClusterExtensionRevisions for a ClusterExtension with name extName in revision order (oldest to newest)

internal/operator-controller/applier/helm.go

@@ -20,71 +20,47 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apimachyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 )
 
-const (
-	StateNeedsInstall     string = "NeedsInstall"
-	StateNeedsUpgrade     string = "NeedsUpgrade"
-	StateUnchanged        string = "Unchanged"
-	StateError            string = "Error"
-	maxHelmReleaseHistory        = 10
-)
-
-// Preflight is a check that should be run before making any changes to the cluster
-type Preflight interface {
-	// Install runs checks that should be successful prior
-	// to installing the Helm release. It is provided
-	// a Helm release and returns an error if the
-	// check is unsuccessful
-	Install(context.Context, *release.Release) error
-
-	// Upgrade runs checks that should be successful prior
-	// to upgrading the Helm release. It is provided
-	// a Helm release and returns an error if the
-	// check is unsuccessful
-	Upgrade(context.Context, *release.Release) error
-}
-
 type BundleToHelmChartConverter interface {
 	ToHelmChart(bundle source.BundleSource, installNamespace string, watchNamespace string) (*chart.Chart, error)
 }
 
-type Helm struct {
-	ActionClientGetter         helmclient.ActionClientGetter
-	Preflights                 []Preflight
-	PreAuthorizer              authorization.PreAuthorizer
-	BundleToHelmChartConverter BundleToHelmChartConverter
+type HelmReleaseToObjectsConverter struct {
+	Mock bool
 }
 
-// shouldSkipPreflight is a helper to determine if the preflight check is CRDUpgradeSafety AND
-// if it is set to enforcement None.
-func shouldSkipPreflight(ctx context.Context, preflight Preflight, ext *ocv1.ClusterExtension, state string) bool {
-	l := log.FromContext(ctx)
-	hasCRDUpgradeSafety := ext.Spec.Install != nil && ext.Spec.Install.Preflight != nil && ext.Spec.Install.Preflight.CRDUpgradeSafety != nil
-	_, isCRDUpgradeSafetyInstance := preflight.(*crdupgradesafety.Preflight)
+type HelmReleaseToObjectsConverterInterface interface {
+	GetObjectsFromRelease(rel *release.Release) ([]client.Object, error)
+}
 
-	if hasCRDUpgradeSafety && isCRDUpgradeSafetyInstance {
-		if state == StateNeedsInstall || state == StateNeedsUpgrade {
-			l.Info("crdUpgradeSafety ", "policy", ext.Spec.Install.Preflight.CRDUpgradeSafety.Enforcement)
-		}
-		if ext.Spec.Install.Preflight.CRDUpgradeSafety.Enforcement == ocv1.CRDUpgradeSafetyEnforcementNone {
-			// Skip this preflight check because it is of type *crdupgradesafety.Preflight and the CRD Upgrade Safety
-			// policy is set to None
-			return true
-		}
+func (h HelmReleaseToObjectsConverter) GetObjectsFromRelease(rel *release.Release) ([]client.Object, error) {
+	if rel == nil || h.Mock {
+		return nil, nil
+	}
+
+	relObjects, err := util.ManifestObjects(strings.NewReader(rel.Manifest), fmt.Sprintf("%s-release-manifest", rel.Name))
+	if err != nil {
+		return nil, fmt.Errorf("parsing release %q objects: %w", rel.Name, err)
 	}
-	return false
+	return relObjects, nil
+}
+
+type Helm struct {
+	ActionClientGetter            helmclient.ActionClientGetter
+	Preflights                    []Preflight
+	PreAuthorizer                 authorization.PreAuthorizer
+	BundleToHelmChartConverter    BundleToHelmChartConverter
+	HelmReleaseToObjectsConverter HelmReleaseToObjectsConverterInterface
 }
 
 // runPreAuthorizationChecks performs pre-authorization checks for a Helm release
@@ -149,19 +125,23 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to get release state using server-side dry-run: %w", err)
 	}
+	objs, err := h.HelmReleaseToObjectsConverter.GetObjectsFromRelease(desiredRel)
+	if err != nil {
+		return nil, state, err
+	}
 
 	for _, preflight := range h.Preflights {
 		if shouldSkipPreflight(ctx, preflight, ext, state) {
 			continue
 		}
 		switch state {
 		case StateNeedsInstall:
-			err := preflight.Install(ctx, desiredRel)
+			err := preflight.Install(ctx, objs)
 			if err != nil {
 				return nil, state, err
 			}
 		case StateNeedsUpgrade:
-			err := preflight.Upgrade(ctx, desiredRel)
+			err := preflight.Upgrade(ctx, objs)
 			if err != nil {
 				return nil, state, err
 			}

internal/operator-controller/applier/helm_test.go

@@ -48,11 +48,11 @@ func (p *mockPreAuthorizer) PreAuthorize(
 	return p.missingRules, p.returnError
 }
 
-func (mp *mockPreflight) Install(context.Context, *release.Release) error {
+func (mp *mockPreflight) Install(context.Context, []client.Object) error {
 	return mp.installErr
 }
 
-func (mp *mockPreflight) Upgrade(context.Context, *release.Release) error {
+func (mp *mockPreflight) Upgrade(context.Context, []client.Object) error {
 	return mp.upgradeErr
 }
 
@@ -248,9 +248,10 @@ func TestApply_Installation(t *testing.T) {
 		}
 		mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			Preflights:                 []applier.Preflight{mockPf},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			Preflights:                    []applier.Preflight{mockPf},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -266,8 +267,9 @@ func TestApply_Installation(t *testing.T) {
 			installErr:   errors.New("failed installing chart"),
 		}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -286,8 +288,9 @@ func TestApply_Installation(t *testing.T) {
 			},
 		}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -328,10 +331,11 @@ func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
 		}
 		mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			Preflights:                 []applier.Preflight{mockPf},
-			PreAuthorizer:              &mockPreAuthorizer{nil, nil},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			Preflights:                    []applier.Preflight{mockPf},
+			PreAuthorizer:                 &mockPreAuthorizer{nil, nil},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -408,9 +412,10 @@ func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
 			},
 		}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			PreAuthorizer:              &mockPreAuthorizer{nil, nil},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			PreAuthorizer:                 &mockPreAuthorizer{nil, nil},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		// Use a ClusterExtension with valid Spec fields.
@@ -464,9 +469,10 @@ func TestApply_Upgrade(t *testing.T) {
 		}
 		mockPf := &mockPreflight{upgradeErr: errors.New("failed during upgrade pre-flight check")}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			Preflights:                 []applier.Preflight{mockPf},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			Preflights:                    []applier.Preflight{mockPf},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -488,7 +494,8 @@ func TestApply_Upgrade(t *testing.T) {
 		mockPf := &mockPreflight{}
 		helmApplier := applier.Helm{
 			ActionClientGetter: mockAcg, Preflights: []applier.Preflight{mockPf},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -509,9 +516,10 @@ func TestApply_Upgrade(t *testing.T) {
 		}
 		mockPf := &mockPreflight{}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			Preflights:                 []applier.Preflight{mockPf},
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			Preflights:                    []applier.Preflight{mockPf},
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -530,8 +538,9 @@ func TestApply_Upgrade(t *testing.T) {
 			desiredRel: &testDesiredRelease,
 		}
 		helmApplier := applier.Helm{
-			ActionClientGetter:         mockAcg,
-			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{},
+			ActionClientGetter:            mockAcg,
+			BundleToHelmChartConverter:    &convert.BundleToHelmChartConverter{},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
@@ -562,6 +571,7 @@ func TestApply_InstallationWithSingleOwnNamespaceInstallSupportEnabled(t *testin
 					return nil, nil
 				},
 			},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		testExt := &ocv1.ClusterExtension{
@@ -595,6 +605,7 @@ func TestApply_RegistryV1ToChartConverterIntegration(t *testing.T) {
 					return nil, nil
 				},
 			},
+			HelmReleaseToObjectsConverter: applier.HelmReleaseToObjectsConverter{Mock: true},
 		}
 
 		_, _, _ = helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)