Skip to content

✨ (hack) Make service-account optional #1956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

✨ (hack) Make service-account optional #1956

wants to merge 1 commit into from

Conversation

@perdasilva
Copy link
Contributor

@perdasilva perdasilva commented May 7, 2025
edited
Loading

Description

  • makes the olmv1 service account admin
  • makes the .spec.serviceAccount optional
  • sets create namespace to true in the helm applier
cat <<EOF | kubectl create -f -
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: zookeeper-operator
spec:
  namespace: zookeeper-operator
  source:
    sourceType: Catalog
    catalog:
      packageName: zookeeper-operator
      version: 0.17.0

kubectl wait clusterextension zookeeper-operator --for=condition=Installed=true

just_works

Demo

asciicast

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@netlify
Copy link

netlify bot commented May 7, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit f594f63
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/681c7c95a13e03000824c8b2
😎 Deploy Preview https://deploy-preview-1956--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2025
@openshift-ci
Copy link

openshift-ci bot commented May 7, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tmshort for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@perdasilva perdasilva changed the title :sparkling: (hack) Make service-account optional ✨ : (hack) Make service-account optional May 7, 2025
@perdasilva perdasilva changed the title ✨ : (hack) Make service-account optional ✨ (hack) Make service-account optional May 7, 2025
@perdasilva perdasilva force-pushed the optional-sa branch 3 times, most recently from d57ed80 to 0453eab Compare May 8, 2025 09:42
Make service-account optional
f594f63 
Signed-off-by: Per Goncalves da Silva <[email protected]>
camilamacedo86
camilamacedo86 reviewed May 8, 2025
View reviewed changes
internal/operator-controller/controllers/clusterextension_controller.go
//+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch
//+kubebuilder:rbac:groups=*,resources=*,verbs=*
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would not it result in OLM have all possible permissions, do we want that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's an open question at the moment. But given that we can create tokens for any service account, that's essentially what we have already XDD

camilamacedo86
camilamacedo86 reviewed May 8, 2025
View reviewed changes
internal/operator-controller/action/restconfig.go
cExt := o.(*ocv1.ClusterExtension)
if cExt.Spec.ServiceAccount == nil {
return rest.CopyConfig(c), nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, can we create one to bind if the user does not provide an SA?
Is that?

Copy link
Contributor Author

@perdasilva perdasilva May 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the point of this PR was just to demo the kind of UX I'm after. It just made it so that you could stamp out a ClusterExtension and everything would "just work". I didn't really think about all the odds and ends. I think the idea here was: if user doesn't specify an sa, just use olm's.

@perdasilva perdasilva closed this May 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@perdasilva @camilamacedo86