fix(operatorgroup): set labels on copied resources correctly

ecordell · ecordell · commit 58f3e624ef17 · 2019-03-10T15:28:05.000-04:00
diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"math"
 	"math/big"
+	"sort"
 	"strings"
 	"testing"
 	"time"
@@ -422,6 +423,15 @@ func withAnnotations(obj runtime.Object, annotations map[string]string) runtime.
 	return meta.(runtime.Object)
 }
 
+func withLabels(obj runtime.Object, labels map[string]string) runtime.Object {
+	meta, ok := obj.(metav1.Object)
+	if !ok {
+		panic("could not find metadata on object")
+	}
+	meta.SetLabels(labels)
+	return meta.(runtime.Object)
+}
+
 func csvWithAnnotations(csv *v1alpha1.ClusterServiceVersion, annotations map[string]string) *v1alpha1.ClusterServiceVersion {
 	return withAnnotations(csv, annotations).(*v1alpha1.ClusterServiceVersion)
 }
@@ -3089,7 +3099,10 @@ func TestSyncOperatorGroups(t *testing.T) {
 					annotatedDeployment,
 				},
 				targetNamespace: {
-					withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+					withLabels(
+						withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+						map[string]string{v1alpha1.CopiedLabelKey: operatorNamespace},
+					),
 					&rbacv1.Role{
 						TypeMeta: metav1.TypeMeta{
 							Kind:       "Role",
@@ -3099,8 +3112,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							Name:      "csv-role",
 							Namespace: targetNamespace,
 							Labels: map[string]string{
+								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
-								"olm.owner.namespace": "operator-ns",
+								"olm.owner.namespace": "target-ns",
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 							OwnerReferences: []metav1.OwnerReference{
@@ -3118,8 +3132,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							Name:      "csv-rolebinding",
 							Namespace: targetNamespace,
 							Labels: map[string]string{
+								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
-								"olm.owner.namespace": "operator-ns",
+								"olm.owner.namespace": "target-ns",
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 							OwnerReferences: []metav1.OwnerReference{
@@ -3184,7 +3199,10 @@ func TestSyncOperatorGroups(t *testing.T) {
 					annotatedDeployment,
 				},
 				targetNamespace: {
-					withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+					withLabels(
+						withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+						map[string]string{v1alpha1.CopiedLabelKey: operatorNamespace},
+					),
 					&rbacv1.Role{
 						TypeMeta: metav1.TypeMeta{
 							Kind:       "Role",
@@ -3194,8 +3212,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							Name:      "csv-role",
 							Namespace: targetNamespace,
 							Labels: map[string]string{
+								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
-								"olm.owner.namespace": "operator-ns",
+								"olm.owner.namespace": "target-ns",
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 							OwnerReferences: []metav1.OwnerReference{
@@ -3213,8 +3232,9 @@ func TestSyncOperatorGroups(t *testing.T) {
 							Name:      "csv-rolebinding",
 							Namespace: targetNamespace,
 							Labels: map[string]string{
+								"olm.copiedFrom":      "operator-ns",
 								"olm.owner":           "csv1",
-								"olm.owner.namespace": "operator-ns",
+								"olm.owner.namespace": "target-ns",
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 							OwnerReferences: []metav1.OwnerReference{
@@ -3325,7 +3345,10 @@ func TestSyncOperatorGroups(t *testing.T) {
 					},
 				},
 				targetNamespace: {
-					withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+					withLabels(
+						withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+						map[string]string{v1alpha1.CopiedLabelKey: operatorNamespace},
+					),
 				},
 			}},
 		},
@@ -3435,7 +3458,10 @@ func TestSyncOperatorGroups(t *testing.T) {
 					},
 				},
 				targetNamespace: {
-					withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+					withLabels(
+						withAnnotations(targetCSV.DeepCopy(), map[string]string{v1alpha2.OperatorGroupAnnotationKey: "operator-group-1", v1alpha2.OperatorGroupNamespaceAnnotationKey: operatorNamespace}),
+						map[string]string{v1alpha1.CopiedLabelKey: operatorNamespace},
+					),
 				},
 			}},
 		},
@@ -3604,6 +3630,8 @@ func TestSyncOperatorGroups(t *testing.T) {
 
 			operatorGroup, err := op.GetClient().OperatorsV1alpha2().OperatorGroups(tt.initial.operatorGroup.GetNamespace()).Get(tt.initial.operatorGroup.GetName(), metav1.GetOptions{})
 			require.NoError(t, err)
+			sort.Strings(tt.expectedStatus.Namespaces)
+			sort.Strings(operatorGroup.Status.Namespaces)
 			assert.Equal(t, tt.expectedStatus, operatorGroup.Status)
 
 			for namespace, objects := range tt.final.objects {
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -397,7 +397,7 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 		return err
 	}
 
-	targetRoles, err := a.lister.RbacV1().RoleLister().List(ownerutil.CSVOwnerSelector(targetCSV))
+	targetRoles, err := a.lister.RbacV1().RoleLister().Roles(targetNamespace).List(ownerutil.CSVOwnerSelector(targetCSV))
 	if err != nil {
 		return err
 	}
@@ -409,6 +409,7 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 
 	for _, ownedRole := range ownedRoles {
 		// don't trust the owner label
+		// TODO: this can skip objects that have owner labels but different ownerreferences
 		if !ownerutil.IsOwnedBy(ownedRole, csv) {
 			continue
 		}
@@ -425,8 +426,11 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 		}
 
 		// role doesn't exist, create it
+		// TODO: we can work around error cases here; if there's an un-owned role with a matching name we should generate instead
 		ownedRole.SetNamespace(targetNamespace)
 		ownedRole.SetOwnerReferences([]metav1.OwnerReference{ownerutil.NonBlockingOwner(targetCSV)})
+		ownerutil.AddOwnerLabels(ownedRole, targetCSV)
+		ownedRole.SetLabels(utillabels.AddLabel(ownedRole.GetLabels(), v1alpha1.CopiedLabelKey, operatorNamespace))
 		if _, err := a.OpClient.CreateRole(ownedRole); err != nil {
 			return err
 		}
@@ -437,7 +441,7 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 		return err
 	}
 
-	targetRoleBindings, err := a.lister.RbacV1().RoleBindingLister().List(ownerutil.CSVOwnerSelector(targetCSV))
+	targetRoleBindings, err := a.lister.RbacV1().RoleBindingLister().RoleBindings(targetNamespace).List(ownerutil.CSVOwnerSelector(targetCSV))
 	if err != nil {
 		return err
 	}
@@ -457,13 +461,16 @@ func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, c
 
 		// role binding exists
 		if ok {
-			// TODO: should we check if SA/role has changed?
+			// TODO: we should check if SA/role has changed
 			continue
 		}
 
 		// role binding doesn't exist
+		// TODO: we can work around error cases here; if there's an un-owned role with a matching name we should generate instead
 		ownedRoleBinding.SetNamespace(targetNamespace)
 		ownedRoleBinding.SetOwnerReferences([]metav1.OwnerReference{ownerutil.NonBlockingOwner(targetCSV)})
+		ownerutil.AddOwnerLabels(ownedRoleBinding, targetCSV)
+		ownedRoleBinding.SetLabels(utillabels.AddLabel(ownedRoleBinding.GetLabels(), v1alpha1.CopiedLabelKey, operatorNamespace))
 		if _, err := a.OpClient.CreateRoleBinding(ownedRoleBinding); err != nil {
 			return err
 		}
@@ -504,7 +511,9 @@ func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespac
 	logger = logger.WithField("csv", csv.GetName())
 	if fetchedCSV != nil {
 		logger.Debug("checking annotations")
-		if !reflect.DeepEqual(fetchedCSV.Annotations, newCSV.Annotations) {
+
+		if !reflect.DeepEqual(a.copyOperatorGroupAnnotations(&fetchedCSV.ObjectMeta), a.copyOperatorGroupAnnotations(&newCSV.ObjectMeta)) {
+			// TODO: only copy over the opgroup annotations, not _all_ annotations
 			fetchedCSV.Annotations = newCSV.Annotations
 			fetchedCSV.SetLabels(utillabels.AddLabel(fetchedCSV.GetLabels(), v1alpha1.CopiedLabelKey, csv.GetNamespace()))
 			// CRs don't support strategic merge patching, but in the future if they do this should be updated to patch
@@ -534,7 +543,7 @@ func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespac
 	} else if k8serrors.IsNotFound(err) {
 		newCSV.SetNamespace(namespace)
 		newCSV.SetResourceVersion("")
-		newCSV.SetLabels(utillabels.AddLabel(fetchedCSV.GetLabels(), v1alpha1.CopiedLabelKey, csv.GetNamespace()))
+		newCSV.SetLabels(utillabels.AddLabel(newCSV.GetLabels(), v1alpha1.CopiedLabelKey, csv.GetNamespace()))
 
 		logger.Debug("copying CSV to target")
 		createdCSV, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(namespace).Create(newCSV)
