fix: use Kubernetes configuration for name and version when available (#805)

* fix: use Kubernetes configuration for name and version when available

Fixes #801

Signed-off-by: Chris Laprun <[email protected]>

* refactor: RBACRule should be used instead of PermissionRule

RBACRules should be used when the rules should apply to the service
account of the Reconciler since they would also impact the generated
Kubernetes manifests and be automatically propagated to the CSV, whereas
the reverse is not true (i.e. PermissionRule will not appear in the
generated Kubernetes manifests).

Signed-off-by: Chris Laprun <[email protected]>

* docs: clarify service account name role in PermissionRule

Signed-off-by: Chris Laprun <[email protected]>

---------

Signed-off-by: Chris Laprun <[email protected]>

Author: metacosm

annotations/src/main/java/io/quarkiverse/operatorsdk/annotations/CSVMetadata.java

@@ -91,6 +91,12 @@
         boolean supported() default true;
     }
 
+    /**
+     * Additional RBAC rules that need to be provided because they cannot be inferred automatically. Note that RBAC rules added
+     * to your reconciler via {@link RBACRule} should already be handled automatically, under the service account name
+     * associated with your Reconciler so this annotation should only be used to add additional rules to other service accounts
+     * or for rules that you don't want to appear in the generated Kubernetes manifests.
+     */
     @interface PermissionRule {
         String[] apiGroups();
 
@@ -99,8 +105,11 @@
         String[] verbs() default { "get", "list", "watch", "create", "delete", "patch", "update" };
 
         /**
-         * @return the service account name for the permission rule. If not provided, it will use the default service account
-         *         name.
+         * @return the service account name to which the permission rule will be assigned. If not provided, the default service
+         *         account name as defined for your operator will be used. Note that for the rule to be effectively added to the
+         *         CSV, a service account with that name <em>must</em> exist in the generated kubernetes manifests as this is
+         *         the base upon which the bundle generator works. This means that if you add a rule that targets a service
+         *         account that is not present in the generated manifest, then this rule won't appear in the generated CSV.
          */
         String serviceAccountName() default "";
     }

bundle-generator/deployment/src/main/java/io/quarkiverse/operatorsdk/bundle/deployment/BundleProcessor.java

@@ -66,15 +66,17 @@ public boolean getAsBoolean() {
 
     @SuppressWarnings({ "unused" })
     @BuildStep(onlyIf = IsGenerationEnabled.class)
-    CSVMetadataBuildItem gatherCSVMetadata(ApplicationInfoBuildItem configuration,
+    CSVMetadataBuildItem gatherCSVMetadata(KubernetesConfig kubernetesConfig,
+            ApplicationInfoBuildItem appConfiguration,
             BundleGenerationConfiguration bundleConfiguration,
             CombinedIndexBuildItem combinedIndexBuildItem) {
         final var index = combinedIndexBuildItem.getIndex();
-        final var defaultName = bundleConfiguration.packageName.orElse(configuration.getName());
+        final var defaultName = bundleConfiguration.packageName
+                .orElse(ResourceNameUtil.getResourceName(kubernetesConfig, appConfiguration));
 
         // note that version, replaces, etc. should probably be settable at the reconciler level
         // use version specified in bundle configuration, if not use the one extracted from the project, if available
-        final var version = configuration.getVersion();
+        final var version = kubernetesConfig.getVersion().orElse(appConfiguration.getVersion());
         final var defaultVersion = bundleConfiguration.version
                 .orElse(ApplicationInfoBuildItem.UNSET_VALUE.equals(version) ? null : version);
 

bundle-generator/deployment/src/test/java/io/quarkiverse/operatorsdk/bundle/MultipleOperatorsBundleTest.java

@@ -11,6 +11,7 @@
 
 import io.fabric8.kubernetes.api.model.HasMetadata;
 import io.fabric8.kubernetes.api.model.Pod;
+import io.fabric8.kubernetes.api.model.rbac.PolicyRuleBuilder;
 import io.quarkiverse.operatorsdk.bundle.sources.*;
 import io.quarkiverse.operatorsdk.common.ConfigurationUtils;
 import io.quarkus.test.ProdBuildResults;
@@ -50,6 +51,14 @@ public void shouldWriteBundleForTheOperators() throws IOException {
         assertEquals(BUNDLE_PACKAGE, bundleMeta.getAnnotations().get("operators.operatorframework.io.bundle.package.v1"));
 
         checkBundleFor(bundle, "second-operator", Second.class);
+        csv = getCSVFor(bundle, "second-operator");
+        final var permissions = csv.getSpec().getInstall().getSpec().getPermissions();
+        assertEquals(1, permissions.size());
+        assertTrue(permissions.get(0).getRules().contains(new PolicyRuleBuilder()
+                .addToApiGroups(SecondReconciler.RBAC_RULE_GROUP)
+                .addToResources(SecondReconciler.RBAC_RULE_RES)
+                .addToVerbs(SecondReconciler.RBAC_RULE_VERBS)
+                .build()));
 
         checkBundleFor(bundle, "third-operator", Third.class);
         // also check that external CRD is present

bundle-generator/deployment/src/test/java/io/quarkiverse/operatorsdk/bundle/sources/SecondReconciler.java

@@ -1,12 +1,19 @@
 package io.quarkiverse.operatorsdk.bundle.sources;
 
 import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
 import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
 import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
 import io.quarkiverse.operatorsdk.annotations.CSVMetadata;
+import io.quarkiverse.operatorsdk.annotations.RBACRule;
 
 @CSVMetadata(name = "second-operator")
+@RBACRule(apiGroups = SecondReconciler.RBAC_RULE_GROUP, resources = SecondReconciler.RBAC_RULE_RES, verbs = SecondReconciler.RBAC_RULE_VERBS)
+@ControllerConfiguration(namespaces = "foo")
 public class SecondReconciler implements Reconciler<Second> {
+    public static final String RBAC_RULE_GROUP = "halkyon.io";
+    public static final String RBAC_RULE_RES = "SomeResource";
+    public static final String RBAC_RULE_VERBS = "write";
 
     @Override
     public UpdateControl<Second> reconcile(Second request, Context<Second> context) {

core/deployment/src/main/java/io/quarkiverse/operatorsdk/deployment/helm/HelmChartProcessor.java

@@ -33,7 +33,8 @@
 import io.quarkus.deployment.builditem.ApplicationInfoBuildItem;
 import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
 import io.quarkus.deployment.pkg.builditem.OutputTargetBuildItem;
-import io.quarkus.kubernetes.spi.*;
+import io.quarkus.kubernetes.deployment.KubernetesConfig;
+import io.quarkus.kubernetes.deployment.ResourceNameUtil;
 import io.quarkus.qute.Qute;
 
 @BuildSteps(onlyIf = HelmGenerationEnabled.class)
@@ -128,9 +129,9 @@ void addClusterRolesForReconcilers(HelmTargetDirectoryBuildItem helmTargetDirect
     @Produce(ArtifactResultBuildItem.class)
     void addExplicitlyAddedKubernetesResources(DeserializedKubernetesResourcesBuildItem generatedKubernetesResources,
             HelmTargetDirectoryBuildItem helmDirBI,
-            ApplicationInfoBuildItem appInfo) {
+            ApplicationInfoBuildItem appInfo, KubernetesConfig kubernetesConfig) {
         var resources = generatedKubernetesResources.getResources();
-        resources = filterOutStandardResources(resources, appInfo);
+        resources = filterOutStandardResources(resources, ResourceNameUtil.getResourceName(kubernetesConfig, appInfo));
         if (!resources.isEmpty()) {
             final var kubernetesManifest = helmDirBI.getPathToTemplatesDir().resolve("kubernetes.yml");
             String yaml = FileUtils.asYaml(resources);
@@ -142,7 +143,7 @@ void addExplicitlyAddedKubernetesResources(DeserializedKubernetesResourcesBuildI
         }
     }
 
-    private List<HasMetadata> filterOutStandardResources(List<HasMetadata> resources, ApplicationInfoBuildItem appInfo) {
+    private List<HasMetadata> filterOutStandardResources(List<HasMetadata> resources, String operatorName) {
         return resources.stream().filter(r -> {
             if (r instanceof ClusterRole) {
                 return !r.getMetadata().getName().endsWith("-cluster-role");
@@ -151,11 +152,11 @@ private List<HasMetadata> filterOutStandardResources(List<HasMetadata> resources
                 return !r.getMetadata().getName().endsWith("-crd-validating-role-binding");
             }
             if (r instanceof RoleBinding) {
-                return !r.getMetadata().getName().equals(appInfo.getName() + "-view") &&
+                return !r.getMetadata().getName().equals(operatorName + "-view") &&
                         !r.getMetadata().getName().endsWith("-role-binding");
             }
             if (r instanceof Service || r instanceof Deployment || r instanceof ServiceAccount) {
-                return !r.getMetadata().getName().equals(appInfo.getName());
+                return !r.getMetadata().getName().equals(operatorName);
             }
             return true;
         }).collect(Collectors.toList());
@@ -178,10 +179,9 @@ void addGeneratedDeployment(HelmTargetDirectoryBuildItem helmDirBI,
                 .filter(Deployment.class::isInstance).findFirst()
                 .orElseThrow();
         final var envs = deployment.getSpec().getTemplate().getSpec().getContainers().get(0).getEnv();
-        controllerConfigurations.getControllerConfigs().values().forEach(c -> {
-            envs.add(new EnvVar(ConfigurationUtils.getNamespacesPropertyName(c.getName(), true),
-                    "{watchNamespaces}", null));
-        });
+        controllerConfigurations.getControllerConfigs()
+                .forEach((name, unused) -> envs.add(new EnvVar(ConfigurationUtils.getNamespacesPropertyName(name, true),
+                        "{watchNamespaces}", null)));
 
         // a bit hacky solution to get the exact placeholder without brackets
         final var template = FileUtils.asYaml(deployment);

samples/joke/src/main/java/io/quarkiverse/operatorsdk/samples/joke/JokeRequestReconciler.java

@@ -30,11 +30,13 @@
 import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
 import io.quarkiverse.operatorsdk.annotations.CSVMetadata;
 import io.quarkiverse.operatorsdk.annotations.CSVMetadata.Icon;
+import io.quarkiverse.operatorsdk.annotations.RBACRule;
 import io.quarkiverse.operatorsdk.samples.joke.JokeRequestSpec.ExcludedTopic;
 import io.quarkiverse.operatorsdk.samples.joke.JokeRequestStatus.State;
 
-@CSVMetadata(permissionRules = @CSVMetadata.PermissionRule(apiGroups = Joke.GROUP, resources = "jokes"), requiredCRDs = @CSVMetadata.RequiredCRD(kind = "Joke", name = Joke.NAME, version = Joke.VERSION), icon = @Icon(fileName = "icon.png", mediatype = "image/png"))
+@CSVMetadata(requiredCRDs = @CSVMetadata.RequiredCRD(kind = "Joke", name = Joke.NAME, version = Joke.VERSION), icon = @Icon(fileName = "icon.png", mediatype = "image/png"))
 @ControllerConfiguration(namespaces = WATCH_CURRENT_NAMESPACE)
+@RBACRule(apiGroups = Joke.GROUP, resources = "jokes", verbs = RBACRule.ALL)
 @SuppressWarnings("unused")
 public class JokeRequestReconciler implements Reconciler<JokeRequest> {
     @Inject