operator-framework
diff --git a/‎Documentation/design/architecture.md
Lines changed: 16 additions & 13 deletions b/‎Documentation/design/architecture.md
Lines changed: 16 additions & 13 deletions
diff --git a/‎pkg/api/apis/operators/v1alpha1/clusterserviceversion_types.go
Lines changed: 32 additions & 17 deletions b/‎pkg/api/apis/operators/v1alpha1/clusterserviceversion_types.go
Lines changed: 32 additions & 17 deletions
diff --git a/‎pkg/controller/certs/certs.go
Lines changed: 6 additions & 8 deletions b/‎pkg/controller/certs/certs.go
Lines changed: 6 additions & 8 deletions
@@ -54,26 +54,29 @@ While the OLM Operator is often configured to watch all namespaces, it can also
 ```
            +------------------------------------------------------+
            |                                                      |
-           v                                      +--> Succeeded -+
-None --> Pending --> InstallReady --> Installing -|
-                                                  +--> Failed
+           |                                      +--> Succeeded -+
+           v                                      |               |
+None --> Pending --> InstallReady --> Installing -|               |
+           ^                                       +--> Failed <--+   
+           |                                              |
+           +----------------------------------------------+
 \                                                                 /
  +---------------------------------------------------------------+
     |
     v
 Replacing --> Deleting
 ```
 
-| Phase      | Description                                                                                                            |
-|------------|------------------------------------------------------------------------------------------------------------------------|
-| None       | initial phase, once seen by the Operator, it is immediately transitioned to `Pending`                                  |
-| Pending    | requirements in the CSV are not met, once they are this phase transitions to `Installing`                              |
-| InstallReady | all requirements in the CSV are present, the Operator will begin executing the install strategy                      |
-| Installing | the install strategy is being executed and resources are being created, but not all components are reporting as ready  |
-| Succeeded  | the execution of the Install Strategy was successful; if requirements disappear, this may transition back to `Pending` |
-| Failed     | upon failed execution of the Install Strategy, the CSV transitions to this terminal phase                              |
-| Replacing | a newer CSV that replaces this one has been discovered in the cluster. This status means the CSV is marked for GC       | 
-| Deleting | the GC loop has determined this CSV is safe to delete from the cluster. It will disappear soon.                          |
+| Phase      | Description                                                                                                                                                                                                                           |
+|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| None       | initial phase, once seen by the Operator, it is immediately transitioned to `Pending`                                                                                                                                                 |
+| Pending    | requirements in the CSV are not met, once they are this phase transitions to `Installing`                                                                                                                                             |
+| InstallReady | all requirements in the CSV are present, the Operator will begin executing the install strategy                                                                                                                                     |
+| Installing | the install strategy is being executed and resources are being created, but not all components are reporting as ready                                                                                                                 |
+| Succeeded  | the execution of the Install Strategy was successful; if requirements disappear, or an APIService cert needs to be rotated this may transition back to `Pending`; if an installed component dissapears this may transition to `Failed`|
+| Failed     | upon failed execution of the Install Strategy, or an installed component dissapears the CSV transitions to this phase; if the component can be recreated by OLM, this may transition to `Pending`                                     |
+| Replacing  | a newer CSV that replaces this one has been discovered in the cluster. This status means the CSV is marked for GC                                                                                                                     | 
+| Deleting   | the GC loop has determined this CSV is safe to delete from the cluster. It will disappear soon.                                                                                                                                       |
 
 ### Namespace Control Loop
 
 
@@ -182,21 +182,24 @@ const (
 type ConditionReason string
 
 const (
-	CSVReasonRequirementsUnknown     ConditionReason = "RequirementsUnknown"
-	CSVReasonRequirementsNotMet      ConditionReason = "RequirementsNotMet"
-	CSVReasonRequirementsMet         ConditionReason = "AllRequirementsMet"
-	CSVReasonOwnerConflict           ConditionReason = "OwnerConflict"
-	CSVReasonComponentFailed         ConditionReason = "InstallComponentFailed"
-	CSVReasonInvalidStrategy         ConditionReason = "InvalidInstallStrategy"
-	CSVReasonWaiting                 ConditionReason = "InstallWaiting"
-	CSVReasonInstallSuccessful       ConditionReason = "InstallSucceeded"
-	CSVReasonInstallCheckFailed      ConditionReason = "InstallCheckFailed"
-	CSVReasonComponentUnhealthy      ConditionReason = "ComponentUnhealthy"
-	CSVReasonBeingReplaced           ConditionReason = "BeingReplaced"
-	CSVReasonReplaced                ConditionReason = "Replaced"
-	CSVReasonNeedCertRotation        ConditionReason = "NeedCertRotation"
-	CSVReasonAPIServiceResourceIssue ConditionReason = "APIServiceResourceIssue"
-	CSVReasonCopied                  ConditionReason = "Copied"
+	CSVReasonRequirementsUnknown              ConditionReason = "RequirementsUnknown"
+	CSVReasonRequirementsNotMet               ConditionReason = "RequirementsNotMet"
+	CSVReasonRequirementsMet                  ConditionReason = "AllRequirementsMet"
+	CSVReasonOwnerConflict                    ConditionReason = "OwnerConflict"
+	CSVReasonComponentFailed                  ConditionReason = "InstallComponentFailed"
+	CSVReasonInvalidStrategy                  ConditionReason = "InvalidInstallStrategy"
+	CSVReasonWaiting                          ConditionReason = "InstallWaiting"
+	CSVReasonInstallSuccessful                ConditionReason = "InstallSucceeded"
+	CSVReasonInstallCheckFailed               ConditionReason = "InstallCheckFailed"
+	CSVReasonComponentUnhealthy               ConditionReason = "ComponentUnhealthy"
+	CSVReasonBeingReplaced                    ConditionReason = "BeingReplaced"
+	CSVReasonReplaced                         ConditionReason = "Replaced"
+	CSVReasonNeedsReinstall                   ConditionReason = "NeedsReinstall"
+	CSVReasonNeedsCertRotation                ConditionReason = "NeedsCertRotation"
+	CSVReasonAPIServiceResourceIssue          ConditionReason = "APIServiceResourceIssue"
+	CSVReasonAPIServiceResourcesNeedReinstall ConditionReason = "APIServiceResourcesNeedReinstall"
+	CSVReasonAPIServiceInstallFailed          ConditionReason = "APIServiceInstallFailed"
+	CSVReasonCopied                           ConditionReason = "Copied"
 )
 
 // Conditions appear in the status as a record of state transitions on the ClusterServiceVersion
@@ -220,8 +223,20 @@ type ClusterServiceVersionCondition struct {
 
 // OwnsCRD determines whether the current CSV owns a paritcular CRD.
 func (csv ClusterServiceVersion) OwnsCRD(name string) bool {
-	for _, crdDescription := range csv.Spec.CustomResourceDefinitions.Owned {
-		if crdDescription.Name == name {
+	for _, desc := range csv.Spec.CustomResourceDefinitions.Owned {
+		if desc.Name == name {
+			return true
+		}
+	}
+
+	return false
+}
+
+// OwnsAPIService determines whether the current CSV owns a paritcular APIService.
+func (csv ClusterServiceVersion) OwnsAPIService(name string) bool {
+	for _, desc := range csv.Spec.APIServiceDefinitions.Owned {
+		apiServiceName := fmt.Sprintf("%s.%s", desc.Version, desc.Group)
+		if apiServiceName == name {
 			return true
 		}
 	}
 
@@ -15,10 +15,6 @@ import (
 	"time"
 )
 
-const (
-	Organization = "Red Hat, Inc."
-)
-
 // KeyPair stores an x509 certificate and its ECDSA private key
 type KeyPair struct {
 	Cert *x509.Certificate
@@ -49,7 +45,7 @@ func (kp *KeyPair) ToPEM() (certPEM []byte, privPEM []byte, err error) {
 }
 
 // GenerateCA generates a self-signed CA cert/key pair that expires in expiresIn days
-func GenerateCA(notAfter time.Time) (*KeyPair, error) {
+func GenerateCA(notAfter time.Time, organization string) (*KeyPair, error) {
 	notBefore := time.Now()
 	if notAfter.Before(notBefore) {
 		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
@@ -63,7 +59,7 @@ func GenerateCA(notAfter time.Time) (*KeyPair, error) {
 	caDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{Organization},
+			Organization: []string{organization},
 		},
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,
@@ -98,7 +94,7 @@ func GenerateCA(notAfter time.Time) (*KeyPair, error) {
 }
 
 // CreateSignedServingPair creates a serving cert/key pair signed by the given ca
-func CreateSignedServingPair(notAfter time.Time, ca *KeyPair, hosts []string) (*KeyPair, error) {
+func CreateSignedServingPair(notAfter time.Time, organization string, ca *KeyPair, hosts []string) (*KeyPair, error) {
 	notBefore := time.Now()
 	if notAfter.Before(notBefore) {
 		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
@@ -112,7 +108,7 @@ func CreateSignedServingPair(notAfter time.Time, ca *KeyPair, hosts []string) (*
 	certDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{Organization},
+			Organization: []string{organization},
 		},
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,
@@ -185,8 +181,10 @@ func Active(cert *x509.Certificate) bool {
 	return active
 }
 
+// PEMHash returns a hash of the given PEM encoded cert
 type PEMHash func(certPEM []byte) (hash string)
 
+// PEMSHA256 returns the hex encoded SHA 256 hash of the given PEM encoded cert
 func PEMSHA256(certPEM []byte) (hash string) {
 	hasher := sha256.New()
 	hasher.Write(certPEM)