Connect Boxcutter Applier with ClusterExtension

Author: thetechnick

api/v1/clusterextensionrevision_types.go

@@ -29,16 +29,16 @@ type ClusterExtensionRevisionSpec struct {
 	// Specifies the lifecycle state of the ClusterExtensionRevision.
 	// +kubebuilder:default="Active"
 	// +kubebuilder:validation:Enum=Active;Paused;Archived
-	// +kubebuilder:validation:XValidation:rule="oldSelf == "Active" || oldSelf == "Paused" || oldSelf == 'Archived' && oldSelf == self", message="can not un-archive"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived' && oldSelf == self", message="can not un-archive"
 	LifecycleState ClusterExtensionRevisionLifecycleState `json:"lifecycleState,omitempty"`
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="revision is immutable"
 	Revision int64 `json:"revision"`
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="phases is immutable"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf || oldSelf.size() == 0", message="phases is immutable"
 	Phases []ClusterExtensionRevisionPhase `json:"phases"`
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="previous is immutable"
-	Previous []ClusterExtensionRevisionPrevious `json:"previous"`
+	Previous []ClusterExtensionRevisionPrevious `json:"previous,omitempty"`
 }
 
 // ClusterExtensionRevisionLifecycleState specifies the lifecycle state of the ClusterExtensionRevision.
@@ -59,6 +59,7 @@ const (
 type ClusterExtensionRevisionPhase struct {
 	Name    string                           `json:"name"`
 	Objects []ClusterExtensionRevisionObject `json:"objects"`
+	Slices  []string                         `json:"slices,omitempty"`
 }
 
 type ClusterExtensionRevisionObject struct {

api/v1/zz_generated.deepcopy.go

@@ -31,7 +31,6 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
 	rbacv1 "k8s.io/api/rbac/v1"
-	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
@@ -60,19 +59,13 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/controllers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/finalizers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/resolve"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/certproviders"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/registryv1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/scheme"
 	sharedcontrollers "github.com/operator-framework/operator-controller/internal/shared/controllers"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
@@ -417,45 +410,50 @@ func run() error {
 		},
 	}
 
-	aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
-	if err != nil {
-		setupLog.Error(err, "unable to create apiextensions client")
-		return err
-	}
+	// aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
+	// if err != nil {
+	// 	setupLog.Error(err, "unable to create apiextensions client")
+	// 	return err
+	// }
 
-	preflights := []applier.Preflight{
-		crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
-	}
+	// preflights := []applier.Preflight{
+	// 	crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
+	// }
 
-	// determine if PreAuthorizer should be enabled based on feature gate
-	var preAuth authorization.PreAuthorizer
-	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+	// // determine if PreAuthorizer should be enabled based on feature gate
+	// var preAuth authorization.PreAuthorizer
+	// if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+	// 	preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+	// }
+
+	boxcutterApplier := &applier.Boxcutter{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
 	}
 
 	// determine if a certificate provider should be set in the bundle renderer and feature support for the provider
 	// based on the feature flag
-	var certProvider render.CertificateProvider
-	var isWebhookSupportEnabled bool
-	if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderCertManager) {
-		certProvider = certproviders.CertManagerCertificateProvider{}
-		isWebhookSupportEnabled = true
-	} else if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderOpenshiftServiceCA) {
-		certProvider = certproviders.OpenshiftServiceCaCertificateProvider{}
-		isWebhookSupportEnabled = true
-	}
+	// var certProvider render.CertificateProvider
+	// var isWebhookSupportEnabled bool
+	// if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderCertManager) {
+	// 	certProvider = certproviders.CertManagerCertificateProvider{}
+	// 	isWebhookSupportEnabled = true
+	// } else if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderOpenshiftServiceCA) {
+	// 	certProvider = certproviders.OpenshiftServiceCaCertificateProvider{}
+	// 	isWebhookSupportEnabled = true
+	// }
 
 	// now initialize the helmApplier, assigning the potentially nil preAuth
-	helmApplier := &applier.Helm{
-		ActionClientGetter: acg,
-		Preflights:         preflights,
-		BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{
-			BundleRenderer:          registryv1.Renderer,
-			CertificateProvider:     certProvider,
-			IsWebhookSupportEnabled: isWebhookSupportEnabled,
-		},
-		PreAuthorizer: preAuth,
-	}
+	// helmApplier := &applier.Helm{
+	// 	ActionClientGetter: acg,
+	// 	Preflights:         preflights,
+	// 	BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{
+	// 		BundleRenderer:          registryv1.Renderer,
+	// 		CertificateProvider:     certProvider,
+	// 		IsWebhookSupportEnabled: isWebhookSupportEnabled,
+	// 	},
+	// 	PreAuthorizer: preAuth,
+	// }
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
 	err = clusterExtensionFinalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
@@ -475,7 +473,18 @@ func run() error {
 		return err
 	}
 	mapFunc := func(ctx context.Context, ce *ocv1.ClusterExtension, c *rest.Config, o crcache.Options) (*rest.Config, crcache.Options, error) {
-		// TODO: Rest Config Mapping / change ServiceAccount
+		saKey := client.ObjectKey{
+			Name:      ce.Spec.ServiceAccount.Name,
+			Namespace: ce.Spec.Namespace,
+		}
+		saConfig := rest.AnonymousClientConfig(c)
+		saConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return &authentication.TokenInjectingRoundTripper{
+				Tripper:     rt,
+				TokenGetter: tokenGetter,
+				Key:         saKey,
+			}
+		})
 
 		// Cache scoping
 		req1, err := labels.NewRequirement(
@@ -485,20 +494,25 @@ func run() error {
 		}
 		o.DefaultLabelSelector = labels.NewSelector().Add(*req1)
 
-		return c, o, nil
+		return saConfig, o, nil
 	}
-	accessManager := managedcache.NewObjectBoundAccessManager[*ocv1.ClusterExtension](
+
+	accessManager := managedcache.NewObjectBoundAccessManager(
 		ctrl.Log.WithName("accessmanager"), mapFunc, restConfig, crcache.Options{
 			Scheme: mgr.GetScheme(), Mapper: mgr.GetRESTMapper(),
 		})
+	if err := mgr.Add(accessManager); err != nil {
+		setupLog.Error(err, "unable to register AccessManager")
+		return err
+	}
 	// Boxcutter
 
 	if err = (&controllers.ClusterExtensionReconciler{
 		Client:                cl,
 		Resolver:              resolver,
 		ImageCache:            imageCache,
 		ImagePuller:           imagePuller,
-		Applier:               helmApplier,
+		Applier:               boxcutterApplier,
 		InstalledBundleGetter: &controllers.DefaultInstalledBundleGetter{ActionClientGetter: acg},
 		Finalizers:            clusterExtensionFinalizers,
 		Manager:               cm,

cmd/operator-controller/main.go

@@ -27,8 +27,10 @@ rules:
 - apiGroups:
   - olm.operatorframework.io
   resources:
-  - clusterextensions
+  - clusterextensionrevisions
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -37,16 +39,28 @@ rules:
 - apiGroups:
   - olm.operatorframework.io
   resources:
+  - clusterextensionrevisions/finalizers
   - clusterextensions/finalizers
   verbs:
   - update
 - apiGroups:
   - olm.operatorframework.io
   resources:
+  - clusterextensionrevisions/status
   - clusterextensions/status
   verbs:
   - patch
   - update
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clusterextensions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

config/base/operator-controller/rbac/experimental/role.yaml

@@ -13,7 +13,8 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/controllers"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -28,8 +29,9 @@ const (
 )
 
 type Boxcutter struct {
-	Client client.Client
-	Scheme *runtime.Scheme
+	Client         client.Client
+	Scheme         *runtime.Scheme
+	BundleRenderer render.BundleRenderer
 }
 
 func (bc *Boxcutter) Apply(
@@ -46,7 +48,7 @@ func (bc *Boxcutter) apply(
 	ext *ocv1.ClusterExtension,
 	objectLabels, _ map[string]string,
 ) ([]client.Object, error) {
-	reg, err := convert.ParseFS(contentFS)
+	reg, err := source.FromFS(contentFS).GetBundle()
 	if err != nil {
 		return nil, err
 	}
@@ -56,14 +58,14 @@ func (bc *Boxcutter) apply(
 		return nil, err
 	}
 
-	plain, err := convert.PlainConverter.Convert(reg, ext.Spec.Namespace, []string{watchNamespace})
+	plain, err := bc.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))
 	if err != nil {
 		return nil, err
 	}
 
 	// objectLabels
-	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(plain.Objects))
-	for _, obj := range plain.Objects {
+	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(plain))
+	for _, obj := range plain {
 		labels := obj.GetLabels()
 		if labels == nil {
 			labels = map[string]string{}
@@ -103,6 +105,7 @@ func (bc *Boxcutter) apply(
 	// Build desired revision
 	desiredRevision := &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{},
 			Labels: map[string]string{
 				controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
 			},
@@ -144,8 +147,9 @@ func (bc *Boxcutter) apply(
 		revisionNumber++
 
 		newRevision := desiredRevision
+		newRevision.Name = fmt.Sprintf("%s-%d", ext.Name, revisionNumber)
+		newRevision.Annotations[revisionHashAnnotation] = desiredHash
 		newRevision.Spec.Revision = revisionNumber
-		// newRevision.Spec.Previous
 		for _, prevRevision := range prevRevisions {
 			newRevision.Spec.Previous = append(newRevision.Spec.Previous, ocv1.ClusterExtensionRevisionPrevious{
 				Name: prevRevision.Name,
@@ -178,7 +182,7 @@ func (bc *Boxcutter) apply(
 
 	// TODO: Read status from revision.
 
-	return plain.Objects, nil
+	return plain, nil
 }
 
 // computeSHA256Hash returns a sha236 hash value calculated from object.

internal/operator-controller/applier/boxcutter.go

@@ -418,6 +418,7 @@ func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	controller, err := ctrl.NewControllerManagedBy(mgr).
 		For(&ocv1.ClusterExtension{}).
 		Named("controller-operator-cluster-extension-controller").
+		Owns(&ocv1.ClusterExtensionRevision{}).
 		Watches(&ocv1.ClusterCatalog{},
 			crhandler.EnqueueRequestsFromMapFunc(clusterExtensionRequestsForCatalog(mgr.GetClient(), mgr.GetLogger())),
 			builder.WithPredicates(predicate.Funcs{