Merge pull request #571 from ecordell/serviceaccount-rbac

Create role bindings for operator service accounts

Author: openshift-merge-robot

deploy/chart/templates/0000_30_14-operatorgroup.crd.yaml

@@ -67,7 +67,7 @@ spec:
               type: string
             namespaces:
               items:
-                type: object
+                type: string
               type: array
           required:
           - namespaces
@@ -76,4 +76,3 @@ spec:
       required:
       - metadata
       - spec
-  version: v1alpha2

go.mod

@@ -66,7 +66,7 @@ require (
 	google.golang.org/grpc v1.16.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0-20170531160350-a96e63847dc3 // indirect
-	k8s.io/api v0.0.0-20181108095152-eee84a6322ca
+	k8s.io/api v0.0.0-20180904230853-4e7be11eab3f
 	k8s.io/apiextensions-apiserver v0.0.0-20180905004947-16750353bf97
 	k8s.io/apimachinery v0.0.0-20181026144827-8ee1a638bafa
 	k8s.io/apiserver v0.0.0-20181026151315-13cfe3978170

go.sum

@@ -210,16 +210,16 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD
 gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20181108095152-eee84a6322ca h1:0gIeW03B5m7yni69Y95oPgDXv7ow7puUMt2WqhJIKY8=
-k8s.io/api v0.0.0-20181108095152-eee84a6322ca/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
+k8s.io/api v0.0.0-20180904230853-4e7be11eab3f h1:DLRkv8Ps4Sdx8Srj+UtGisj4whV7v/HezlHx6QqiZqE=
+k8s.io/api v0.0.0-20180904230853-4e7be11eab3f/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
 k8s.io/apiextensions-apiserver v0.0.0-20180905004947-16750353bf97 h1:s4lWWs6JN5kWVzk5bztddkr5kgO/cGIbqTDP+QttUeQ=
 k8s.io/apiextensions-apiserver v0.0.0-20180905004947-16750353bf97/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
 k8s.io/apiextensions-apiserver v0.0.0-20181110192823-2c43ee60e25b h1:O3KqnOdhludLAAHs7bvV7UpPYow3gqLqF5Junc5hbw8=
 k8s.io/apimachinery v0.0.0-20181026144827-8ee1a638bafa h1:i0EOpPFWExNx7efINILpw8LJeah7gakRl1zjvwVfjiI=
 k8s.io/apimachinery v0.0.0-20181026144827-8ee1a638bafa/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
 k8s.io/apiserver v0.0.0-20181026151315-13cfe3978170 h1:CqI85nZvPaV+7JFono0nAOGOx2brocqefcOhDPVhHKI=
 k8s.io/apiserver v0.0.0-20181026151315-13cfe3978170/go.mod h1:6bqaTSOSJavUIXUtfaR9Os9JtTCm8ZqH2SUl2S60C4w=
-k8s.io/client-go v8.0.0+incompatible h1:tTI4hRmb1DRMl4fG6Vclfdi6nTM82oIrTT7HfitmxC4=
+k8s.io/client-go v8.0.0+incompatible h1:2pUaSg2x6iEHr8cia6zmWhoCXG1EDG9TCx9s//Aq7HY=
 k8s.io/client-go v8.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/client-go v9.0.0+incompatible h1:2kqW3X2xQ9SbFvWZjGEHBLlWc1LG9JIJNXWkuqwdZ3A=
 k8s.io/code-generator v0.0.0-20180904193909-8c97d6ab64da h1:L6YB6ObZIbZlYikTQcCjzZGilwS3OVyQBA2esULs8VM=
@@ -233,5 +233,5 @@ k8s.io/kube-aggregator v0.0.0-20180905000155-efa32eb095fe/go.mod h1:8sbzT4QQKDEm
 k8s.io/kube-aggregator v0.0.0-20181110192014-6f96af33cb59 h1:8VFjmCurXo3sMW0ASrUvoE4aT8FCzsIz55uic1EyUIc=
 k8s.io/kube-openapi v0.0.0-20181031203759-72693cb1fadd h1:ggv/Vfza0i5xuhUZyYyxcc25AmQvHY8Zi1C2m8WgBvA=
 k8s.io/kube-openapi v0.0.0-20181031203759-72693cb1fadd/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
-k8s.io/kubernetes v1.11.5-beta.0.0.20181108064615-3290824d1c7b h1:i9PV0cnNZrleFj2YjDYDAUku1qg/SlKfdm4LdTJzAFo=
+k8s.io/kubernetes v1.11.5-beta.0.0.20181108064615-3290824d1c7b h1:Ej2VgtycDFPfQunFFfAsWvdjT+dhte1CcwnPNId+V1k=
 k8s.io/kubernetes v1.11.5-beta.0.0.20181108064615-3290824d1c7b/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=

pkg/api/apis/operators/v1alpha1/clusterserviceversion.go

@@ -12,23 +12,23 @@ var obsoleteReasons = map[ConditionReason]struct{}{
 	CSVReasonBeingReplaced: {},
 }
 
-func (c *ClusterServiceVersion) SetPhaseWithEvent(phase ClusterServiceVersionPhase, reason ConditionReason, message string, recorder record.EventRecorder) {
+func (c *ClusterServiceVersion) SetPhaseWithEvent(phase ClusterServiceVersionPhase, reason ConditionReason, message string, now metav1.Time, recorder record.EventRecorder) {
 	var eventtype string
 	if phase == CSVPhaseFailed {
 		eventtype = v1.EventTypeWarning
 	} else {
 		eventtype = v1.EventTypeNormal
 	}
 	go recorder.Event(c, eventtype, string(reason), message)
-	c.SetPhase(phase, reason, message)
+	c.SetPhase(phase, reason, message, now)
 }
 
 // SetPhase sets the current phase and adds a condition if necessary
-func (c *ClusterServiceVersion) SetPhase(phase ClusterServiceVersionPhase, reason ConditionReason, message string) {
-	c.Status.LastUpdateTime = metav1.Now()
+func (c *ClusterServiceVersion) SetPhase(phase ClusterServiceVersionPhase, reason ConditionReason, message string, now metav1.Time) {
+	c.Status.LastUpdateTime = now
 	if c.Status.Phase != phase {
 		c.Status.Phase = phase
-		c.Status.LastTransitionTime = metav1.Now()
+		c.Status.LastTransitionTime = now
 	}
 	c.Status.Message = message
 	c.Status.Reason = reason

pkg/api/apis/operators/v1alpha1/clusterserviceversion_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestSetRequirementStatus(t *testing.T) {
@@ -51,7 +52,7 @@ func TestSetPhase(t *testing.T) {
 					Conditions: tt.currentConditions,
 				},
 			}
-			csv.SetPhase(tt.inPhase, "test", "test")
+			csv.SetPhase(tt.inPhase, "test", "test", metav1.Now())
 			require.EqualValues(t, tt.outPhase, csv.Status.Phase)
 		})
 	}

pkg/api/apis/operators/v1alpha2/operatorgroup_types.go

@@ -11,8 +11,8 @@ type OperatorGroupSpec struct {
 }
 
 type OperatorGroupStatus struct {
-	Namespaces  []*corev1.Namespace `json:"namespaces"`
-	LastUpdated metav1.Time        `json:"lastUpdated"`
+	Namespaces  []string    `json:"namespaces,omitempty"`
+	LastUpdated metav1.Time `json:"lastUpdated"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/api/apis/operators/v1alpha2/zz_generated.deepcopy.go

@@ -38,7 +38,7 @@ var _ InstallStrategyDeploymentInterface = &InstallStrategyDeploymentClientForNa
 func NewInstallStrategyDeploymentClient(opClient operatorclient.ClientInterface, opLister operatorlister.OperatorLister, namespace string) InstallStrategyDeploymentInterface {
 	return &InstallStrategyDeploymentClientForNamespace{
 		opClient:  opClient,
-		opLister: opLister,
+		opLister:  opLister,
 		Namespace: namespace,
 	}
 }

pkg/api/wrappers/deployment_install_client.go

@@ -13,17 +13,17 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
-	
-	listerfakes "github.com/operator-framework/operator-lifecycle-manager/pkg/fakes/client-go/listers"
+
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/apis/operators/v1alpha1"
+	listerfakes "github.com/operator-framework/operator-lifecycle-manager/pkg/fakes/client-go/listers"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorlister/operatorlisterfakes"
 )
 
 var (
 	Controller         = false
 	BlockOwnerDeletion = false
-	WakeupInterval = 5 * time.Second
+	WakeupInterval     = 5 * time.Second
 )
 
 func ownerReferenceFromCSV(csv *v1alpha1.ClusterServiceVersion) metav1.OwnerReference {
@@ -421,7 +421,6 @@ func TestEnsureServiceAccount(t *testing.T) {
 
 			client := NewInstallStrategyDeploymentClient(mockOpClient, fakeLister, tt.state.namespace)
 
-			
 			mockOpClient.EXPECT().
 				CreateServiceAccount(tt.input.serviceAccount).
 				Return(tt.state.createServiceAccountResult, tt.state.createServiceAccountError).

pkg/api/wrappers/deployment_install_client_test.go

@@ -5,9 +5,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/wrappers"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
@@ -38,9 +36,10 @@ type StrategyDetailsDeployment struct {
 }
 
 type StrategyDeploymentInstaller struct {
-	strategyClient   wrappers.InstallStrategyDeploymentInterface
-	owner            ownerutil.Owner
-	previousStrategy Strategy
+	strategyClient      wrappers.InstallStrategyDeploymentInterface
+	owner               ownerutil.Owner
+	previousStrategy    Strategy
+	templateAnnotations map[string]string
 }
 
 func (d *StrategyDetailsDeployment) GetStrategyName() string {
@@ -50,70 +49,27 @@ func (d *StrategyDetailsDeployment) GetStrategyName() string {
 var _ Strategy = &StrategyDetailsDeployment{}
 var _ StrategyInstaller = &StrategyDeploymentInstaller{}
 
-func NewStrategyDeploymentInstaller(strategyClient wrappers.InstallStrategyDeploymentInterface, owner ownerutil.Owner, previousStrategy Strategy) StrategyInstaller {
+func NewStrategyDeploymentInstaller(strategyClient wrappers.InstallStrategyDeploymentInterface, templateAnnotations map[string]string, owner ownerutil.Owner, previousStrategy Strategy) StrategyInstaller {
 	return &StrategyDeploymentInstaller{
-		strategyClient:   strategyClient,
-		owner:            owner,
-		previousStrategy: previousStrategy,
+		strategyClient:      strategyClient,
+		owner:               owner,
+		previousStrategy:    previousStrategy,
+		templateAnnotations: templateAnnotations,
 	}
 }
 
-func (i *StrategyDeploymentInstaller) installPermissions(perms []StrategyDeploymentPermissions) error {
-	for _, permission := range perms {
-		// create role
-		role := &rbac.Role{
-			Rules: permission.Rules,
-		}
-		ownerutil.AddNonBlockingOwner(role, i.owner)
-		role.SetGenerateName(fmt.Sprintf("%s-role-", i.owner.GetName()))
-		createdRole, err := i.strategyClient.CreateRole(role)
-		if err != nil {
-			return err
-		}
-
-		// create serviceaccount if necessary
-		serviceAccount := &corev1.ServiceAccount{}
-		serviceAccount.SetName(permission.ServiceAccountName)
-		// EnsureServiceAccount verifies/creates ownerreferences so we don't add them here
-		serviceAccount, err = i.strategyClient.EnsureServiceAccount(serviceAccount, i.owner)
-		if err != nil {
-			return err
-		}
-
-		// create rolebinding
-		roleBinding := &rbac.RoleBinding{
-			RoleRef: rbac.RoleRef{
-				Kind:     "Role",
-				Name:     createdRole.GetName(),
-				APIGroup: rbac.GroupName},
-			Subjects: []rbac.Subject{{
-				Kind:      "ServiceAccount",
-				Name:      permission.ServiceAccountName,
-				Namespace: i.owner.GetNamespace(),
-			}},
-		}
-		ownerutil.AddNonBlockingOwner(roleBinding, i.owner)
-		roleBinding.SetGenerateName(fmt.Sprintf("%s-%s-rolebinding-", createdRole.Name, serviceAccount.Name))
-
-		if _, err := i.strategyClient.CreateRoleBinding(roleBinding); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 func (i *StrategyDeploymentInstaller) installDeployments(deps []StrategyDeploymentSpec) error {
 	for _, d := range deps {
-		// Create or Update Deployment
 		dep := &appsv1.Deployment{Spec: d.Spec}
 		dep.SetName(d.Name)
 		dep.SetNamespace(i.owner.GetNamespace())
+		dep.Spec.Template.SetAnnotations(i.templateAnnotations)
 		ownerutil.AddNonBlockingOwner(dep, i.owner)
 		if dep.Labels == nil {
 			dep.SetLabels(map[string]string{})
 		}
-		dep.Labels["alm-owner-name"] = i.owner.GetName()
-		dep.Labels["alm-owner-namespace"] = i.owner.GetNamespace()
+		dep.Labels["olm.owner"] = i.owner.GetName()
+		dep.Labels["olm.owner.namespace"] = i.owner.GetNamespace()
 		if _, err := i.strategyClient.CreateOrUpdateDeployment(dep); err != nil {
 			return err
 		}
@@ -167,33 +123,13 @@ func (i *StrategyDeploymentInstaller) CheckInstalled(s Strategy) (installed bool
 		return false, StrategyError{Reason: StrategyErrReasonInvalidStrategy, Message: fmt.Sprintf("attempted to check %s strategy with deployment installer", strategy.GetStrategyName())}
 	}
 
-	// Check service accounts
-	for _, perm := range strategy.Permissions {
-		if err := i.checkForServiceAccount(perm.ServiceAccountName); err != nil {
-			return false, err
-		}
-	}
-
 	// Check deployments
 	if err := i.checkForDeployments(strategy.DeploymentSpecs); err != nil {
 		return false, err
 	}
 	return true, nil
 }
 
-func (i *StrategyDeploymentInstaller) checkForServiceAccount(serviceAccountName string) error {
-	if _, err := i.strategyClient.GetServiceAccountByName(serviceAccountName); err != nil {
-		if apierrors.IsNotFound(err) {
-			log.Debugf("service account not found: %s", serviceAccountName)
-			return StrategyError{Reason: StrategyErrReasonComponentMissing, Message: fmt.Sprintf("service account not found: %s", serviceAccountName)}
-		}
-		log.Debugf("error querying for %s: %s", serviceAccountName, err)
-		return StrategyError{Reason: StrategyErrReasonComponentMissing, Message: fmt.Sprintf("error querying for %s: %s", serviceAccountName, err)}
-	}
-	// TODO: use a SelfSubjectRulesReview (or a sync version) to verify ServiceAccount has correct access
-	return nil
-}
-
 func (i *StrategyDeploymentInstaller) checkForDeployments(deploymentSpecs []StrategyDeploymentSpec) error {
 	var depNames []string
 	for _, dep := range deploymentSpecs {
@@ -224,6 +160,16 @@ func (i *StrategyDeploymentInstaller) checkForDeployments(deploymentSpecs []Stra
 		if !ready {
 			return StrategyError{Reason: StrategyErrReasonWaiting, Message: fmt.Sprintf("waiting for deployment %s to become ready: %s", dep.Name, reason)}
 		}
+
+		// check annotations
+		if len(i.templateAnnotations) > 0 && dep.Spec.Template.Annotations == nil {
+			return StrategyError{Reason: StrategyErrReasonAnnotationsMissing, Message: fmt.Sprintf("no annotations found on deployment")}
+		}
+		for key, value := range i.templateAnnotations {
+			if dep.Spec.Template.Annotations[key] != value {
+				return StrategyError{Reason: StrategyErrReasonAnnotationsMissing, Message: fmt.Sprintf("annotations on deployment don't match. couldn't find %s: %s", key, value)}
+			}
+		}
 	}
 	return nil
 }