fix(operatorgroups): fixes rbac checking for multinamespace groups

this was causing the operatorgroup test to hang

Author: ecordell

pkg/controller/operators/olm/operator.go

@@ -551,6 +551,12 @@ func (a *Operator) syncClusterServiceVersion(obj interface{}) (syncError error)
 	})
 	logger.Debug("syncing CSV")
 
+	if clusterServiceVersion.IsCopied() {
+		logger.Debug("skipping copied csv transition, schedule for gc check")
+		a.gcQueueIndexer.Enqueue(clusterServiceVersion)
+		return
+	}
+
 	outCSV, syncError := a.transitionCSVState(*clusterServiceVersion)
 
 	if outCSV == nil {
@@ -569,9 +575,10 @@ func (a *Operator) syncClusterServiceVersion(obj interface{}) (syncError error)
 			updateErr := errors.New("error updating ClusterServiceVersion status: " + err.Error())
 			if syncError == nil {
 				logger.Info(updateErr)
-				return updateErr
+				syncError = updateErr
+			} else {
+				syncError = fmt.Errorf("error transitioning ClusterServiceVersion: %s and error updating CSV status: %s", syncError, updateErr)
 			}
-			syncError = fmt.Errorf("error transitioning ClusterServiceVersion: %s and error updating CSV status: %s", syncError, updateErr)
 		}
 	}
 
@@ -598,11 +605,6 @@ func (a *Operator) syncCopyCSV(obj interface{}) (syncError error) {
 
 	logger.Debug("copying CSV")
 
-	if clusterServiceVersion.IsUncopiable() {
-		logger.Debug("CSV uncopiable")
-		return
-	}
-
 	operatorGroup := a.operatorGroupFromAnnotations(logger, clusterServiceVersion)
 	if operatorGroup == nil {
 		logger.WithField("reason", "no operatorgroup found for active CSV").Debug("skipping CSV resource copy to target namespaces")
@@ -743,12 +745,6 @@ func (a *Operator) transitionCSVState(in v1alpha1.ClusterServiceVersion) (out *v
 	out = in.DeepCopy()
 	now := timeNow()
 
-	if out.IsCopied() {
-		logger.Debug("skipping copied csv transition, schedule for gc check")
-		a.gcQueueIndexer.Enqueue(out)
-		return
-	}
-
 	operatorSurface, err := resolver.NewOperatorFromV1Alpha1CSV(out)
 	if err != nil {
 		// TODO: Add failure status to CSV

pkg/controller/operators/olm/operator_test.go

@@ -2466,8 +2466,8 @@ func TestTransitionCSV(t *testing.T) {
 			},
 			expected: expected{
 				csvStates: map[string]csvState{
-					"csv1": {exists: true, phase: v1alpha1.CSVPhaseDeleting},
-					"csv2": {exists: true, phase: v1alpha1.CSVPhaseDeleting},
+					"csv1": {exists: true, phase: v1alpha1.CSVPhaseReplacing},
+					"csv2": {exists: true, phase: v1alpha1.CSVPhaseReplacing},
 					"csv3": {exists: true, phase: v1alpha1.CSVPhaseSucceeded},
 				},
 			},
@@ -3549,8 +3549,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							APIVersion: rbacv1.GroupName,
 						},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      "csv-role",
-							Namespace: targetNamespace,
+							ResourceVersion: "0",
+							Name:            "csv-role",
+							Namespace:       targetNamespace,
 							Labels: map[string]string{
 								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
@@ -3569,8 +3570,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							APIVersion: rbacv1.GroupName,
 						},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      "csv-rolebinding",
-							Namespace: targetNamespace,
+							ResourceVersion: "0",
+							Name:            "csv-rolebinding",
+							Namespace:       targetNamespace,
 							Labels: map[string]string{
 								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
@@ -3649,8 +3651,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							APIVersion: rbacv1.GroupName,
 						},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      "csv-role",
-							Namespace: targetNamespace,
+							ResourceVersion: "0",
+							Name:            "csv-role",
+							Namespace:       targetNamespace,
 							Labels: map[string]string{
 								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
@@ -3669,8 +3672,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							APIVersion: rbacv1.GroupName,
 						},
 						ObjectMeta: metav1.ObjectMeta{
-							Name:      "csv-rolebinding",
-							Namespace: targetNamespace,
+							ResourceVersion: "0",
+							Name:            "csv-rolebinding",
+							Namespace:       targetNamespace,
 							Labels: map[string]string{
 								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",

pkg/controller/operators/olm/operatorgroup.go

@@ -297,7 +297,7 @@ func (a *Operator) ensureRBACInTargetNamespace(csv *v1alpha1.ClusterServiceVersi
 			strategyDetailsDeployment.ClusterPermissions = append(strategyDetailsDeployment.ClusterPermissions, p)
 		}
 		strategyDetailsDeployment.Permissions = nil
-		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll)
+		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll, csv.GetNamespace())
 		if err != nil {
 			return err
 		}
@@ -321,15 +321,21 @@ func (a *Operator) ensureRBACInTargetNamespace(csv *v1alpha1.ClusterServiceVersi
 			continue
 		}
 
-		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns)
+		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv.GetNamespace())
 		if err != nil {
+			logger.WithError(err).Debug("permission status")
 			return err
 		}
+		logger.WithField("target", ns).WithField("permMet", permMet).Debug("permission status")
+
 		// operator already has access in the target namespace
 		if permMet {
-			return nil
+			logger.Debug("operator has access")
+			continue
 		}
+
 		if err := a.ensureTenantRBAC(operatorGroup.GetNamespace(), ns, csv); err != nil {
+			logger.WithError(err).Debug("ensuring tenant rbac")
 			return err
 		}
 	}
@@ -408,6 +414,10 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 }
 
 func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, csv *v1alpha1.ClusterServiceVersion) error {
+	if operatorNamespace == targetNamespace {
+		return nil
+	}
+
 	targetCSV, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(targetNamespace).Get(csv.GetName())
 	if err != nil {
 		return err
@@ -418,6 +428,10 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 		return err
 	}
 
+	if len(ownedRoles) == 0 {
+		return fmt.Errorf("owned roles not found in cache")
+	}
+
 	targetRoles, err := a.lister.RbacV1().RoleLister().Roles(targetNamespace).List(ownerutil.CSVOwnerSelector(targetCSV))
 	if err != nil {
 		return err
@@ -448,13 +462,15 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 
 		// role doesn't exist, create it
 		// TODO: we can work around error cases here; if there's an un-owned role with a matching name we should generate instead
-		ownedRole.SetNamespace(targetNamespace)
-		ownedRole.SetOwnerReferences([]metav1.OwnerReference{ownerutil.NonBlockingOwner(targetCSV)})
-		if err := ownerutil.AddOwnerLabels(ownedRole, targetCSV); err != nil {
+		targetRole := ownedRole.DeepCopy()
+		targetRole.SetResourceVersion("0")
+		targetRole.SetNamespace(targetNamespace)
+		targetRole.SetOwnerReferences([]metav1.OwnerReference{ownerutil.NonBlockingOwner(targetCSV)})
+		if err := ownerutil.AddOwnerLabels(targetRole, targetCSV); err != nil {
 			return err
 		}
-		ownedRole.SetLabels(utillabels.AddLabel(ownedRole.GetLabels(), v1alpha1.CopiedLabelKey, operatorNamespace))
-		if _, err := a.OpClient.CreateRole(ownedRole); err != nil {
+		targetRole.SetLabels(utillabels.AddLabel(targetRole.GetLabels(), v1alpha1.CopiedLabelKey, operatorNamespace))
+		if _, err := a.OpClient.CreateRole(targetRole); err != nil {
 			return err
 		}
 	}
@@ -491,6 +507,7 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 		// role binding doesn't exist
 		// TODO: we can work around error cases here; if there's an un-owned role with a matching name we should generate instead
 		ownedRoleBinding.SetNamespace(targetNamespace)
+		ownedRoleBinding.SetResourceVersion("0")
 		ownedRoleBinding.SetOwnerReferences([]metav1.OwnerReference{ownerutil.NonBlockingOwner(targetCSV)})
 		if err := ownerutil.AddOwnerLabels(ownedRoleBinding, targetCSV); err != nil {
 			return err

pkg/controller/operators/olm/requirements.go

@@ -242,7 +242,7 @@ func (a *Operator) requirementStatus(strategyDetailsDeployment *install.Strategy
 }
 
 // permissionStatus checks whether the given CSV's RBAC requirements are met in its namespace
-func (a *Operator) permissionStatus(strategyDetailsDeployment *install.StrategyDetailsDeployment, ruleChecker install.RuleChecker, csvNamespace string) (bool, []v1alpha1.RequirementStatus, error) {
+func (a *Operator) permissionStatus(strategyDetailsDeployment *install.StrategyDetailsDeployment, ruleChecker install.RuleChecker, targetNamespace, serviceAccountNamespace string) (bool, []v1alpha1.RequirementStatus, error) {
 	statusesSet := map[string]v1alpha1.RequirementStatus{}
 
 	checkPermissions := func(permissions []install.StrategyDeploymentPermissions, namespace string) (bool, error) {
@@ -266,7 +266,7 @@ func (a *Operator) permissionStatus(strategyDetailsDeployment *install.StrategyD
 			}
 
 			// Ensure the ServiceAccount exists
-			sa, err := a.OpClient.GetServiceAccount(csvNamespace, perm.ServiceAccountName)
+			sa, err := a.OpClient.GetServiceAccount(serviceAccountNamespace, perm.ServiceAccountName)
 			if err != nil {
 				met = false
 				status.Status = v1alpha1.RequirementStatusReasonNotPresent
@@ -320,7 +320,7 @@ func (a *Operator) permissionStatus(strategyDetailsDeployment *install.StrategyD
 		return met, nil
 	}
 
-	permMet, err := checkPermissions(strategyDetailsDeployment.Permissions, csvNamespace)
+	permMet, err := checkPermissions(strategyDetailsDeployment.Permissions, targetNamespace)
 	if err != nil {
 		return false, nil, err
 	}
@@ -331,7 +331,7 @@ func (a *Operator) permissionStatus(strategyDetailsDeployment *install.StrategyD
 
 	statuses := []v1alpha1.RequirementStatus{}
 	for key, status := range statusesSet {
-		a.Log.Debugf("appending permission status: %s", key)
+		a.Log.WithField("key", key).WithField("status", status).Debugf("appending permission status")
 		statuses = append(statuses, status)
 	}
 
@@ -365,7 +365,7 @@ func (a *Operator) requirementAndPermissionStatus(csv *v1alpha1.ClusterServiceVe
 	clusterRoleBindingLister := rbacLister.ClusterRoleBindingLister()
 
 	ruleChecker := install.NewCSVRuleChecker(roleLister, roleBindingLister, clusterRoleLister, clusterRoleBindingLister, csv)
-	permMet, permStatuses, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, csv.GetNamespace())
+	permMet, permStatuses, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, csv.GetNamespace(), csv.GetNamespace())
 	if err != nil {
 		return false, nil, err
 	}

test/e2e/operator_groups_e2e_test.go

@@ -163,6 +163,7 @@ func TestOperatorGroup(t *testing.T) {
 	require.NoError(t, err)
 
 	log("Creating CSV")
+
 	// Generate permissions
 	serviceAccountName := genName("nginx-sa")
 	permissions := []install.StrategyDeploymentPermissions{
@@ -178,19 +179,35 @@ func TestOperatorGroup(t *testing.T) {
 		},
 	}
 
+	// Create a new NamedInstallStrategy
+	deploymentName := genName("operator-deployment")
+	namedStrategy := newNginxInstallStrategy(deploymentName, permissions, nil)
+
+	aCSV := newCSV(csvName, opGroupNamespace, "", semver.MustParse("0.0.0"), []apiextensions.CustomResourceDefinition{mainCRD}, nil, namedStrategy)
+	createdCSV, err := crc.OperatorsV1alpha1().ClusterServiceVersions(opGroupNamespace).Create(&aCSV)
+	require.NoError(t, err)
+
 	serviceAccount := &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: opGroupNamespace,
 			Name:      serviceAccountName,
 		},
 	}
+	ownerutil.AddNonBlockingOwner(serviceAccount, createdCSV)
+	err = ownerutil.AddOwnerLabels(serviceAccount, createdCSV)
+	require.NoError(t, err)
+
 	role := &rbacv1.Role{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: opGroupNamespace,
 			Name:      serviceAccountName + "-role",
 		},
 		Rules: permissions[0].Rules,
 	}
+	ownerutil.AddNonBlockingOwner(role, createdCSV)
+	err = ownerutil.AddOwnerLabels(role, createdCSV)
+	require.NoError(t, err)
+
 	roleBinding := &rbacv1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: opGroupNamespace,
@@ -208,21 +225,17 @@ func TestOperatorGroup(t *testing.T) {
 			Name: role.GetName(),
 		},
 	}
+	ownerutil.AddNonBlockingOwner(roleBinding, createdCSV)
+	err = ownerutil.AddOwnerLabels(roleBinding, createdCSV)
+	require.NoError(t, err)
+
 	_, err = c.CreateServiceAccount(serviceAccount)
 	require.NoError(t, err)
 	_, err = c.CreateRole(role)
 	require.NoError(t, err)
 	_, err = c.CreateRoleBinding(roleBinding)
 	require.NoError(t, err)
 
-	// Create a new NamedInstallStrategy
-	deploymentName := genName("operator-deployment")
-	namedStrategy := newNginxInstallStrategy(deploymentName, permissions, nil)
-
-	aCSV := newCSV(csvName, opGroupNamespace, "", semver.MustParse("0.0.0"), []apiextensions.CustomResourceDefinition{mainCRD}, nil, namedStrategy)
-	createdCSV, err := crc.OperatorsV1alpha1().ClusterServiceVersions(opGroupNamespace).Create(&aCSV)
-	require.NoError(t, err)
-
 	log("wait for CSV to succeed")
 	err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {
 		fetched, err := crc.OperatorsV1alpha1().ClusterServiceVersions(opGroupNamespace).Get(createdCSV.GetName(), metav1.GetOptions{})