Connect Boxcutter Applier with ClusterExtension

Author: thetechnick

Makefile

@@ -141,6 +141,7 @@ manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole,
 	mkdir $(CRD_WORKING_DIR)
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) crd paths="./api/v1/..." output:crd:artifacts:config=$(CRD_WORKING_DIR)
 	mv $(CRD_WORKING_DIR)/olm.operatorframework.io_clusterextensions.yaml $(KUSTOMIZE_OPCON_CRDS_DIR)
+	mv $(CRD_WORKING_DIR)/olm.operatorframework.io_clusterextensionrevisions.yaml $(KUSTOMIZE_OPCON_CRDS_DIR)
 	mv $(CRD_WORKING_DIR)/olm.operatorframework.io_clustercatalogs.yaml $(KUSTOMIZE_CATD_CRDS_DIR)
 	rmdir $(CRD_WORKING_DIR)
 	# Generate the remaining operator-controller manifests

api/v1/clusterextensionrevision_types.go

@@ -29,7 +29,7 @@ type ClusterExtensionRevisionSpec struct {
 	// Specifies the lifecycle state of the ClusterExtensionRevision.
 	// +kubebuilder:default="Active"
 	// +kubebuilder:validation:Enum=Active;Paused;Archived
-	// +kubebuilder:validation:XValidation:rule="oldSelf == "Active" || oldSelf == "Paused" || oldSelf == 'Archived' && oldSelf == self", message="can not un-archive"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived' && oldSelf == self", message="can not un-archive"
 	LifecycleState ClusterExtensionRevisionLifecycleState `json:"lifecycleState,omitempty"`
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="revision is immutable"

cmd/operator-controller/main.go

@@ -32,7 +32,6 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
@@ -62,16 +61,13 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/controllers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/finalizers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/resolve"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/scheme"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 	httputil "github.com/operator-framework/operator-controller/internal/shared/util/http"
@@ -408,29 +404,34 @@ func run() error {
 		},
 	}
 
-	aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
-	if err != nil {
-		setupLog.Error(err, "unable to create apiextensions client")
-		return err
-	}
+	// aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
+	// if err != nil {
+	// 	setupLog.Error(err, "unable to create apiextensions client")
+	// 	return err
+	// }
 
-	preflights := []applier.Preflight{
-		crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
-	}
+	// preflights := []applier.Preflight{
+	// 	crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
+	// }
+
+	// // determine if PreAuthorizer should be enabled based on feature gate
+	// var preAuth authorization.PreAuthorizer
+	// if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+	// 	preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+	// }
 
-	// determine if PreAuthorizer should be enabled based on feature gate
-	var preAuth authorization.PreAuthorizer
-	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+	boxcutterApplier := &applier.Boxcutter{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
 	}
 
 	// now initialize the helmApplier, assigning the potentially nil preAuth
-	helmApplier := &applier.Helm{
-		ActionClientGetter:  acg,
-		Preflights:          preflights,
-		BundleToHelmChartFn: convert.RegistryV1ToHelmChart,
-		PreAuthorizer:       preAuth,
-	}
+	// helmApplier := &applier.Helm{
+	// 	ActionClientGetter:  acg,
+	// 	Preflights:          preflights,
+	// 	BundleToHelmChartFn: convert.RegistryV1ToHelmChart,
+	// 	PreAuthorizer:       preAuth,
+	// }
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
 	err = clusterExtensionFinalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
@@ -473,7 +474,7 @@ func run() error {
 		Resolver:              resolver,
 		ImageCache:            imageCache,
 		ImagePuller:           imagePuller,
-		Applier:               helmApplier,
+		Applier:               boxcutterApplier,
 		InstalledBundleGetter: &controllers.DefaultInstalledBundleGetter{ActionClientGetter: acg},
 		Finalizers:            clusterExtensionFinalizers,
 		Manager:               cm,

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensionrevisions.yaml

@@ -0,0 +1,178 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: clusterextensionrevisions.olm.operatorframework.io
+spec:
+  group: olm.operatorframework.io
+  names:
+    kind: ClusterExtensionRevision
+    listKind: ClusterExtensionRevisionList
+    plural: clusterextensionrevisions
+    singular: clusterextensionrevision
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ClusterExtensionRevision is the Schema for the clusterextensionrevisions
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is an optional field that defines the desired state
+              of the ClusterExtension.
+            properties:
+              lifecycleState:
+                default: Active
+                description: Specifies the lifecycle state of the ClusterExtensionRevision.
+                enum:
+                - Active
+                - Paused
+                - Archived
+                type: string
+                x-kubernetes-validations:
+                - message: can not un-archive
+                  rule: oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived'
+                    && oldSelf == self
+              phases:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    objects:
+                      items:
+                        properties:
+                          object:
+                            type: object
+                            x-kubernetes-embedded-resource: true
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - object
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - objects
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: phases is immutable
+                  rule: self == oldSelf
+              previous:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    uid:
+                      description: |-
+                        UID is a type that holds unique ID values, including UUIDs.  Because we
+                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                        intent and helps make sure that UIDs and names do not get conflated.
+                      type: string
+                  required:
+                  - name
+                  - uid
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: previous is immutable
+                  rule: self == oldSelf
+              revision:
+                format: int64
+                type: integer
+                x-kubernetes-validations:
+                - message: revision is immutable
+                  rule: self == oldSelf
+            required:
+            - phases
+            - previous
+            - revision
+            type: object
+          status:
+            description: status is an optional field that defines the observed state
+              of the ClusterExtension.
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/base/operator-controller/crd/kustomization.yaml

@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/olm.operatorframework.io_clusterextensions.yaml
+- bases/olm.operatorframework.io_clusterextensionrevisions.yaml
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

config/base/operator-controller/rbac/role.yaml

@@ -27,6 +27,7 @@ rules:
 - apiGroups:
   - olm.operatorframework.io
   resources:
+  - clusterextensionrevisions
   - clusterextensions
   verbs:
   - get
@@ -37,12 +38,14 @@ rules:
 - apiGroups:
   - olm.operatorframework.io
   resources:
+  - clusterextensionrevisions/finalizers
   - clusterextensions/finalizers
   verbs:
   - update
 - apiGroups:
   - olm.operatorframework.io
   resources:
+  - clusterextensionrevisions/status
   - clusterextensions/status
   verbs:
   - patch

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -59,6 +59,10 @@ type accessManager interface {
 	Source(handler.EventHandler, ...predicate.Predicate) source.Source
 }
 
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/status,verbs=update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/finalizers,verbs=update
+
 func (c *ClusterExtensionRevisionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
 	l := log.FromContext(ctx).WithName("cluster-extension-revision")
 	ctx = log.IntoContext(ctx, l)
@@ -271,7 +275,7 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(
 func (c *ClusterExtensionRevisionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(
-			&corev1.ConfigMap{},
+			&ocv1.ClusterExtensionRevision{},
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 		).
 		WatchesRawSource(