Fixup

Author: thetechnick

api/v1/clusterextensionrevision_types.go

@@ -38,7 +38,7 @@ type ClusterExtensionRevisionSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="phases is immutable"
 	Phases []ClusterExtensionRevisionPhase `json:"phases"`
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="previous is immutable"
-	Previous []ClusterExtensionRevisionPrevious `json:"previous"`
+	Previous []ClusterExtensionRevisionPrevious `json:"previous,omitempty"`
 }
 
 // ClusterExtensionRevisionLifecycleState specifies the lifecycle state of the ClusterExtensionRevision.

cmd/operator-controller/main.go

@@ -473,7 +473,18 @@ func run() error {
 		return err
 	}
 	mapFunc := func(ctx context.Context, ce *ocv1.ClusterExtension, c *rest.Config, o crcache.Options) (*rest.Config, crcache.Options, error) {
-		// TODO: Rest Config Mapping / change ServiceAccount
+		saKey := client.ObjectKey{
+			Name:      ce.Spec.ServiceAccount.Name,
+			Namespace: ce.Spec.Namespace,
+		}
+		saConfig := rest.AnonymousClientConfig(c)
+		saConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return &authentication.TokenInjectingRoundTripper{
+				Tripper:     rt,
+				TokenGetter: tokenGetter,
+				Key:         saKey,
+			}
+		})
 
 		// Cache scoping
 		req1, err := labels.NewRequirement(
@@ -483,12 +494,17 @@ func run() error {
 		}
 		o.DefaultLabelSelector = labels.NewSelector().Add(*req1)
 
-		return c, o, nil
+		return saConfig, o, nil
 	}
-	accessManager := managedcache.NewObjectBoundAccessManager[*ocv1.ClusterExtension](
+
+	accessManager := managedcache.NewObjectBoundAccessManager(
 		ctrl.Log.WithName("accessmanager"), mapFunc, restConfig, crcache.Options{
 			Scheme: mgr.GetScheme(), Mapper: mgr.GetRESTMapper(),
 		})
+	if err := mgr.Add(accessManager); err != nil {
+		setupLog.Error(err, "unable to register AccessManager")
+		return err
+	}
 	// Boxcutter
 
 	if err = (&controllers.ClusterExtensionReconciler{

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensionrevisions.yaml

@@ -0,0 +1,177 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: clusterextensionrevisions.olm.operatorframework.io
+spec:
+  group: olm.operatorframework.io
+  names:
+    kind: ClusterExtensionRevision
+    listKind: ClusterExtensionRevisionList
+    plural: clusterextensionrevisions
+    singular: clusterextensionrevision
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ClusterExtensionRevision is the Schema for the clusterextensionrevisions
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is an optional field that defines the desired state
+              of the ClusterExtension.
+            properties:
+              lifecycleState:
+                default: Active
+                description: Specifies the lifecycle state of the ClusterExtensionRevision.
+                enum:
+                - Active
+                - Paused
+                - Archived
+                type: string
+                x-kubernetes-validations:
+                - message: can not un-archive
+                  rule: oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived'
+                    && oldSelf == self
+              phases:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    objects:
+                      items:
+                        properties:
+                          object:
+                            type: object
+                            x-kubernetes-embedded-resource: true
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - object
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - objects
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: phases is immutable
+                  rule: self == oldSelf
+              previous:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    uid:
+                      description: |-
+                        UID is a type that holds unique ID values, including UUIDs.  Because we
+                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                        intent and helps make sure that UIDs and names do not get conflated.
+                      type: string
+                  required:
+                  - name
+                  - uid
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: previous is immutable
+                  rule: self == oldSelf
+              revision:
+                format: int64
+                type: integer
+                x-kubernetes-validations:
+                - message: revision is immutable
+                  rule: self == oldSelf
+            required:
+            - phases
+            - revision
+            type: object
+          status:
+            description: status is an optional field that defines the observed state
+              of the ClusterExtension.
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/base/operator-controller/rbac/role.yaml

@@ -28,8 +28,9 @@ rules:
   - olm.operatorframework.io
   resources:
   - clusterextensionrevisions
-  - clusterextensions
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -50,6 +51,16 @@ rules:
   verbs:
   - patch
   - update
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clusterextensions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

internal/operator-controller/applier/boxcutter.go

@@ -105,6 +105,7 @@ func (bc *Boxcutter) apply(
 	// Build desired revision
 	desiredRevision := &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{},
 			Labels: map[string]string{
 				controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
 			},
@@ -146,8 +147,9 @@ func (bc *Boxcutter) apply(
 		revisionNumber++
 
 		newRevision := desiredRevision
+		newRevision.Name = fmt.Sprintf("%s-%d", ext.Name, revisionNumber)
+		newRevision.Annotations[revisionHashAnnotation] = desiredHash
 		newRevision.Spec.Revision = revisionNumber
-		// newRevision.Spec.Previous
 		for _, prevRevision := range prevRevisions {
 			newRevision.Spec.Previous = append(newRevision.Spec.Previous, ocv1.ClusterExtensionRevisionPrevious{
 				Name: prevRevision.Name,

internal/operator-controller/controllers/clusterextension_controller.go

@@ -418,6 +418,7 @@ func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	controller, err := ctrl.NewControllerManagedBy(mgr).
 		For(&ocv1.ClusterExtension{}).
 		Named("controller-operator-cluster-extension-controller").
+		Owns(&ocv1.ClusterExtensionRevision{}).
 		Watches(&ocv1.ClusterCatalog{},
 			crhandler.EnqueueRequestsFromMapFunc(clusterExtensionRequestsForCatalog(mgr.GetClient(), mgr.GetLogger())),
 			builder.WithPredicates(predicate.Funcs{

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -59,7 +59,7 @@ type accessManager interface {
 	Source(handler.EventHandler, ...predicate.Predicate) source.Source
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch;create;delete
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/finalizers,verbs=update
 
@@ -118,6 +118,18 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(
 			objects = append(objects, &pobj)
 		}
 	}
+
+	// THIS IS STUPID, PLEASE FIX!
+	// Revisions need individual finalizers on the ClusterExtension to prevent it's premature deletion.
+	if rev.DeletionTimestamp.IsZero() &&
+		rev.Spec.LifecycleState != ocv1.ClusterExtensionRevisionLifecycleStateArchived {
+		// We can't lookup the complete ClusterExtension when it's already deleted.
+		// This only works when the controller-manager is not restarted during teardown.
+		if err := c.Client.Get(ctx, client.ObjectKeyFromObject(ce), ce); err != nil {
+			return res, err
+		}
+	}
+
 	accessor, err := c.AccessManager.GetWithUser(ctx, ce, rev, objects)
 	if err != nil {
 		return res, fmt.Errorf("get cache: %w", err)
@@ -280,7 +292,7 @@ func (c *ClusterExtensionRevisionReconciler) SetupWithManager(mgr ctrl.Manager)
 		).
 		WatchesRawSource(
 			c.AccessManager.Source(
-				handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &ocv1.ClusterExtension{}),
+				handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &ocv1.ClusterExtensionRevision{}),
 				predicate.ResourceVersionChangedPredicate{},
 			),
 		).