Skip to content

✨ Single/Own Namespace Install Mode Support #1724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Feb 27, 2025
Merged

✨ Single/Own Namespace Install Mode Support #1724

merged 7 commits into from
Feb 27, 2025

Conversation

@perdasilva
Copy link
Contributor

@perdasilva perdasilva commented Feb 6, 2025
edited
Loading

Description

Part of #593
Closes #1751 and #1752

Adds initial implementation of SingleNamespace and OwnNamespace install mode support for registry+v1 bundle behind SingleOwnNamespaceInstallSupport alpha feature-gate.

The user can install a registry+v1 bundle in SingleNamespace or OwnNamespace install mode by setting the watch namespace through the olm.operatorframework.io/watch-namespace annotation on the ClusterExtension, as long as the following criteria is met:

  • bundle supports Single- and/or OwnNamespace install modes
  • SingleOwnNamespaceInstallSupport feature-gate is enabled on the controller
  • olm.operatorframework.io/watch-namespace annotation points to a single existing namespace

The annotation value will determine the install mode:

  • empty: bundle is installed in AllNamespaces mode
  • valid namespace name and is equal to the value the install namespace of (.spec.namespace) in the ClusterExtension: bundle is installed in OwnNamespace mode (or SingleNamespace mode if OwnNamespace mode is not supported)
  • valid namespace name and the value is not equal to the install namespace (.spec.namespace) in the ClusterExtension: bundle is installed in SingleNamespace mode

Note: SingleNamespace mode also covers the case where the watchNamespace == .spec.namespace. If the operator only supports OwnNamespace install mode, this means it can ONLY watch the install namespace.

If the annotation is not present, standard behavior applies: AllNamespaces mode.
If annotation value is not a valid namespace name the installation will halt with an error.

Notes:

  • In order to facilitate testing, I've modified the applier adding the bundleToChart conversion function as a memeber (this way we can mock it). I've only tested the integration of this function into the applier. In a follow up PR mode robust testing will be applier to the conversion package to (further) ensure we're accurately rendering registry+v1 bundles.
  • I've also removed the context parameter since it only served to pass a logger that used to log an error when closing the manifest file. To me, it didn't seem worth it. Though I'd be ok with reverting that if there are any objections.

DEMOS

SingleNamespace

asciicast

OwnNamespace

asciicast

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 6, 2025
@netlify
Copy link

netlify bot commented Feb 6, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit e39a1f5
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/67c05d1cc47d1d0008daecde
😎 Deploy Preview https://deploy-preview-1724--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov
Copy link

codecov bot commented Feb 6, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 88.88889% with 3 lines in your changes missing coverage. Please review.

Project coverage is 68.43%. Comparing base (13a594f) to head (e39a1f5).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/operator-controller/applier/helm.go 70.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1724      +/-   ##
==========================================
+ Coverage   68.39%   68.43%   +0.03%     
==========================================
  Files          62       63       +1     
  Lines        5117     5132      +15     
==========================================
+ Hits         3500     3512      +12     
- Misses       1388     1390       +2     
- Partials      229      230       +1
Flag Coverage Δ
e2e 51.55% <51.85%> (-0.15%) ⬇️
unit 56.02% <77.77%> (+0.10%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@joelanford
Copy link
Member

Wow, I am impressed with how simple that is with the existing code we have.

joelanford
joelanford reviewed Feb 6, 2025
View reviewed changes
@LalatenduMohanty
Copy link
Member

@joelanford @perdasilva Are we planning to write a RFC for this feature Single own namespace. Also Is this PR related to #593 in some way. In that case, can we update the epic description too.

@perdasilva perdasilva changed the title [WIP] ✨ Single own namespace [WIP] ✨ Single/Own Namespace Install Mode Support Feb 6, 2025
@perdasilva perdasilva force-pushed the single-own-namespace branch 11 times, most recently from 8088b37 to 24d0e36 Compare February 12, 2025 15:11
camilamacedo86
camilamacedo86 reviewed Feb 12, 2025
View reviewed changes
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 12, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 13, 2025
@perdasilva perdasilva changed the title [WIP] ✨ Single/Own Namespace Install Mode Support ✨ Single/Own Namespace Install Mode Support Feb 13, 2025
@perdasilva perdasilva marked this pull request as ready for review February 13, 2025 09:19
@perdasilva perdasilva requested a review from a team as a code owner February 13, 2025 09:19
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 13, 2025
camilamacedo86
camilamacedo86 reviewed Feb 14, 2025
View reviewed changes
@perdasilva perdasilva added this pull request to the merge queue Feb 24, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 24, 2025
@perdasilva perdasilva enabled auto-merge February 24, 2025 18:32
Per Goncalves da Silva added 6 commits February 27, 2025 13:32
Add feature gate
f26be51 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Get extension watch namespace from annotation
cc6f1c4 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Make bundle->chart function configurable in applier and add tests
f8d8874 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Add resource dir env var to demo generation script
9190b9d 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Add feature demo
0e8f7a2 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Add docs
b421152 
Signed-off-by: Per Goncalves da Silva <[email protected]>
camilamacedo86
camilamacedo86 previously approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@camilamacedo86 camilamacedo86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2025
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2025
Fixup tests
e39a1f5 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@thetechnick
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2025
@perdasilva perdasilva added this pull request to the merge queue Feb 27, 2025
Merged via the queue into operator-framework:main with commit df35dcd Feb 27, 2025
21 checks passed
@ankitathomas ankitathomas mentioned this pull request Apr 1, 2025
Merged
pgodowski
pgodowski reviewed May 14, 2025
View reviewed changes
docs/draft/howto/single-ownnamespace-install.md
OLMv1 will not attempt multi-tenancy (see [design decisions document](../../project/olmv1_design_decisions.md)) and will think of operators
as globally installed, i.e. in OLMv0 parlance, as installed in *AllNamespaces* mode. However, there are operators that
were intended only for the *SingleNamespace* and *OwnNamespace* install modes. In order to make these operators installable in v1 while they
transition to the new model, v1 is adding support for these two new *installModes*. It should be noted that, in line with v1's no multi-tenancy policy,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed in the separate venue, @joelanford , there is set of use cases, where it is expected for OLMv1 to allow multiple installation of the same operator with different scopes each, on the same cluster. Just want to make sure this PR is an incremental step towards this and not the final decision.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OLMv1 won't directly support multi-tenancy as a first class concept. This PR doesn't change that one way or the other. All this PR does is make it possible to install registry+v1 bundles that support Own/SingleNamespace mode, but not AllNamespace mode.

This PR does not preclude multiple installations of the same bundle in different namespaces, so long as the installation of that bundle does not violate OLMv1's single owner policy. One fairly obvious outcome is that bundles that ship CRDs will never be able to be installed twice because CRD names are validated according to their resource name and group. Also of note, the registry+v1 format does not allow for templated names of objects in the bundle, so if a bundle has any cluster-scoped objects, it will only be installable once per cluster. But this is a registry+v1 limitation, not an OLMv1 limitation. In the future, I expect OLMv1 to handle bundle formats that do support arbitrary templating.

I can see how this text makes it seem like we're making a blanket statement about one install per cluster, but that is not technically the case. From a practical perspective, I'm guessing >95% of bundles include a cluster-scoped object, which largely makes this sentence true for end users for now.

@camilamacedo86 camilamacedo86 mentioned this pull request May 27, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joelanford joelanford joelanford left review comments

@thetechnick thetechnick thetechnick approved these changes

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

+1 more reviewer

@pgodowski pgodowski pgodowski left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@thetechnick thetechnick

@camilamacedo86 camilamacedo86

Labels

lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add alpha feature gate

7 participants

@perdasilva @joelanford @LalatenduMohanty @thetechnick @camilamacedo86 @pgodowski @openshift-merge-robot