fix(olm): unit test flakes

Jeff Peeler · Jeff Peeler · commit ae5ef0583060 · 2019-05-16T11:04:48.000-04:00
This refactors the implementation to no longer race itself with reading
from the cache, which sometimes would fail. Essentially, the code has
been modified to not create a CSV and then later within the same sync
loop try to look up the same CSV in the lister.

Changes:
-ensureRBACInTargetNamespace was moved from syncCopyCSV to syncClusterServiceVersion
-ensureRBACInTargetNamespace changed to no longer create role/rolebindings, just cluster level RBAC
-ensureTenantRBAC was moved into ensureCSVsInNamespaces
-ensureTenantRBAC was changed to utilize newly created CSV of target namespace instead of retrieving from the cache
diff --git a/pkg/controller/operators/olm/operator.go b/pkg/controller/operators/olm/operator.go
@@ -582,6 +582,23 @@ func (a *Operator) syncClusterServiceVersion(obj interface{}) (syncError error)
 		}
 	}
 
+	operatorGroup := a.operatorGroupFromAnnotations(logger, clusterServiceVersion)
+	if operatorGroup == nil {
+		logger.WithField("reason", "no operatorgroup found for active CSV").Debug("skipping potential RBAC creation in target namespaces")
+		return
+	}
+
+	if len(operatorGroup.Status.Namespaces) == 1 && operatorGroup.Status.Namespaces[0] == operatorGroup.GetNamespace() {
+		logger.Debug("skipping copy for OwnNamespace operatorgroup")
+		return
+	}
+	// Ensure operator has access to targetnamespaces with cluster RBAC
+	// (roles/rolebindings are checked for each target namespace in syncCopyCSV)
+	if err := a.ensureRBACInTargetNamespace(clusterServiceVersion, operatorGroup); err != nil {
+		logger.WithError(err).Info("couldn't ensure RBAC in target namespaces")
+		syncError = err
+	}
+
 	if !outCSV.IsUncopiable() {
 		a.copyQueueIndexer.Enqueue(outCSV)
 	}
@@ -607,7 +624,9 @@ func (a *Operator) syncCopyCSV(obj interface{}) (syncError error) {
 
 	operatorGroup := a.operatorGroupFromAnnotations(logger, clusterServiceVersion)
 	if operatorGroup == nil {
-		logger.WithField("reason", "no operatorgroup found for active CSV").Debug("skipping CSV resource copy to target namespaces")
+		// since syncClusterServiceVersion is the only enqueuer, annotations should be present
+		logger.WithField("reason", "no operatorgroup found for active CSV").Error("operatorgroup should have annotations")
+		syncError = fmt.Errorf("operatorGroup for csv '%v' should have annotations", clusterServiceVersion.GetName())
 		return
 	}
 
@@ -621,12 +640,6 @@ func (a *Operator) syncCopyCSV(obj interface{}) (syncError error) {
 		syncError = err
 	}
 
-	// Ensure operator has access to targetnamespaces
-	if err := a.ensureRBACInTargetNamespace(clusterServiceVersion, operatorGroup); err != nil {
-		logger.WithError(err).Info("couldn't ensure RBAC in target namespaces")
-		syncError = err
-	}
-
 	return
 }
 
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -315,30 +315,6 @@ func (a *Operator) ensureRBACInTargetNamespace(csv *v1alpha1.ClusterServiceVersi
 		return nil
 	}
 
-	// otherwise, create roles/rolebindings for each target namespace
-	for _, ns := range targetNamespaces {
-		if ns == operatorGroup.GetNamespace() {
-			continue
-		}
-
-		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv.GetNamespace())
-		if err != nil {
-			logger.WithError(err).Debug("permission status")
-			return err
-		}
-		logger.WithField("target", ns).WithField("permMet", permMet).Debug("permission status")
-
-		// operator already has access in the target namespace
-		if permMet {
-			logger.Debug("operator has access")
-			continue
-		}
-
-		if err := a.ensureTenantRBAC(operatorGroup.GetNamespace(), ns, csv); err != nil {
-			logger.WithError(err).Debug("ensuring tenant rbac")
-			return err
-		}
-	}
 	return nil
 }
 
@@ -413,15 +389,11 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 	return nil
 }
 
-func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, csv *v1alpha1.ClusterServiceVersion) error {
+func (a *Operator) ensureTenantRBAC(operatorNamespace, targetNamespace string, csv *v1alpha1.ClusterServiceVersion, targetCSV *v1alpha1.ClusterServiceVersion) error {
 	if operatorNamespace == targetNamespace {
 		return nil
 	}
 
-	targetCSV, err := a.lister.OperatorsV1alpha1().ClusterServiceVersionLister().ClusterServiceVersions(targetNamespace).Get(csv.GetName())
-	if err != nil {
-		return err
-	}
 	ownerSelector := ownerutil.CSVOwnerSelector(csv)
 	ownedRoles, err := a.lister.RbacV1().RoleLister().Roles(operatorNamespace).List(ownerSelector)
 	if err != nil {
@@ -525,27 +497,74 @@ func (a *Operator) ensureCSVsInNamespaces(csv *v1alpha1.ClusterServiceVersion, o
 	if err != nil {
 		return err
 	}
+
+	strategyResolver := install.StrategyResolver{}
+	strategy, err := strategyResolver.UnmarshalStrategy(csv.Spec.InstallStrategy)
+	if err != nil {
+		return err
+	}
+	strategyDetailsDeployment, ok := strategy.(*install.StrategyDetailsDeployment)
+	if !ok {
+		return fmt.Errorf("could not cast install strategy as type %T", strategyDetailsDeployment)
+	}
+	ruleChecker := install.NewCSVRuleChecker(a.lister.RbacV1().RoleLister(), a.lister.RbacV1().RoleBindingLister(), a.lister.RbacV1().ClusterRoleLister(), a.lister.RbacV1().ClusterRoleBindingLister(), csv)
+
+	logger := a.Log.WithField("opgroup", operatorGroup.GetName()).WithField("csv", csv.GetName())
+
+	targetCSVs := make(map[string]*v1alpha1.ClusterServiceVersion)
 	for _, ns := range namespaces {
 		if ns.GetName() == operatorGroup.Namespace {
 			continue
 		}
 		if targets.Contains(ns.GetName()) {
-			if err := a.copyToNamespace(csv, ns.GetName()); err != nil {
+			var targetCSV *v1alpha1.ClusterServiceVersion
+			if targetCSV, err = a.copyToNamespace(csv, ns.GetName()); err != nil {
 				a.Log.WithError(err).Debug("error copying to target")
 			}
+			targetCSVs[ns.GetName()] = targetCSV
 		} else {
 			if err := a.pruneFromNamespace(operatorGroup.GetName(), ns.GetName()); err != nil {
 				a.Log.WithError(err).Debug("error pruning from old target")
 			}
 		}
 	}
 
+	targetNamespaces := operatorGroup.Status.Namespaces
+	if targetNamespaces == nil {
+		a.Log.Errorf("operatorgroup '%v' should have non-nil status", operatorGroup.GetName())
+		return nil
+	}
+	for _, ns := range targetNamespaces {
+		// create roles/rolebindings for each target namespace
+		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv.GetNamespace())
+		if err != nil {
+			logger.WithError(err).Debug("permission status")
+			return err
+		}
+		logger.WithField("target", ns).WithField("permMet", permMet).Debug("permission status")
+
+		// operator already has access in the target namespace
+		if permMet {
+			logger.Debug("operator has access")
+			continue
+		}
+
+		targetCSV, ok := targetCSVs[ns]
+		if !ok {
+			return fmt.Errorf("bug: no target CSV for namespace %v", ns)
+		}
+		if err := a.ensureTenantRBAC(operatorGroup.GetNamespace(), ns, csv, targetCSV); err != nil {
+			logger.WithError(err).Debug("ensuring tenant rbac")
+			return err
+		}
+	}
+
 	return nil
 }
 
-func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespace string) error {
+func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespace string) (*v1alpha1.ClusterServiceVersion, error) {
 	if csv.GetNamespace() == namespace {
-		return nil
+		return nil, fmt.Errorf("bug: can not copy to active namespace %v", csv.GetNamespace())
 	}
 
 	logger := a.Log.WithField("operator-ns", csv.GetNamespace()).WithField("target-ns", namespace)
@@ -566,7 +585,7 @@ func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespac
 			logger.Debug("updating target CSV")
 			if _, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(namespace).Update(fetchedCSV); err != nil {
 				logger.WithError(err).Error("update target CSV failed")
-				return err
+				return nil, err
 			}
 		}
 
@@ -582,10 +601,12 @@ func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespac
 			fetchedCSV.Status.LastUpdateTime = timeNow()
 			if _, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(namespace).UpdateStatus(fetchedCSV); err != nil {
 				logger.WithError(err).Error("status update for target CSV failed")
-				return err
+				return nil, err
 			}
 		}
 
+		return fetchedCSV, nil
+
 	} else if k8serrors.IsNotFound(err) {
 		newCSV.SetNamespace(namespace)
 		newCSV.SetResourceVersion("")
@@ -595,21 +616,25 @@ func (a *Operator) copyToNamespace(csv *v1alpha1.ClusterServiceVersion, namespac
 		createdCSV, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(namespace).Create(newCSV)
 		if err != nil {
 			a.Log.Errorf("Create for new CSV failed: %v", err)
-			return err
+			return nil, err
 		}
 		createdCSV.Status.Reason = v1alpha1.CSVReasonCopied
 		createdCSV.Status.Message = fmt.Sprintf("The operator is running in %s but is managing this namespace", csv.GetNamespace())
 		createdCSV.Status.LastUpdateTime = timeNow()
 		if _, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(namespace).UpdateStatus(createdCSV); err != nil {
 			a.Log.Errorf("Status update for CSV failed: %v", err)
-			return err
+			return nil, err
 		}
 
+		return createdCSV, nil
+
 	} else if err != nil {
 		logger.WithError(err).Error("couldn't get CSV")
-		return err
+		return nil, err
 	}
-	return nil
+
+	// this return shouldn't be hit
+	return nil, fmt.Errorf("unhandled code path")
 }
 
 func (a *Operator) pruneFromNamespace(operatorGroupName, namespace string) error {
