Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create role bindings for operator service accounts #571

Merged
merged 6 commits into from
Nov 27, 2018
Merged

Create role bindings for operator service accounts #571

merged 6 commits into from
Nov 27, 2018

Conversation

ecordell
Copy link
Member

@ecordell ecordell commented Nov 13, 2018
edited
Loading

  • Support operatorgroups watching all namespaces. In this case, targetNamespaces will be ""
  • Create role bindings for operator service accounts in target namespaces
  • If target namespaces == all namespaces, generate cluster role bindings instead
  • Always include the operator namespace in the targetnamespace list.
  • OperatorGroup status uses a list of strings instead of a list of Namespace objects
  • Generated rolebinings have ownerreferences pointing to the target CSV, so that they're cleaned up automatically if the target namespaces change.
  • Rewrote some of the operatorgroup testing to check both operator namespace and target namespace expectations.
  • Moved deployment template annotation to CSV loop
  • Removed a bunch of dead code / tests for installing permissions from the CSV loop (installplan generates them instead now)

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2018
@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Nov 13, 2018
@ecordell ecordell force-pushed the serviceaccount-rbac branch from eaef874 to 92223c3 Compare November 14, 2018 13:00
@jpeeler
Copy link

jpeeler commented Nov 15, 2018

A few minor fixes you can steal are here: https://github.com/jpeeler/operator-lifecycle-manager/tree/evan-pr-571. (Can I push to your branch directly?)

@ecordell ecordell force-pushed the serviceaccount-rbac branch 2 times, most recently from c33b459 to 7120fef Compare November 15, 2018 14:34
@alecmerdler alecmerdler mentioned this pull request Nov 16, 2018
Closed
@jpeeler jpeeler mentioned this pull request Nov 16, 2018
Merged
@ecordell ecordell force-pushed the serviceaccount-rbac branch from 7120fef to 77252f4 Compare November 26, 2018 18:31
@ecordell ecordell changed the title [WIP] create role bindings for operator service accounts Create role bindings for operator service accounts Nov 26, 2018
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 26, 2018
@ecordell ecordell requested a review from njhale November 26, 2018 18:36
@ecordell ecordell force-pushed the serviceaccount-rbac branch 2 times, most recently from 806aa39 to b2cab67 Compare November 26, 2018 18:54
njhale
njhale reviewed Nov 26, 2018
View reviewed changes
pkg/controller/registry/resolver/resolver.go
// User a StrategyResolver to get the strategy details
strategyResolver := install.StrategyResolver{}
strategy, err := strategyResolver.UnmarshalStrategy(csv.Spec.InstallStrategy)
extractedRBAC, err := RBACForClusterServiceVersion(csv)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😎

njhale
njhale reviewed Nov 26, 2018
View reviewed changes
pkg/lib/ownerutil/util.go
}
}

// OwnerLabel returns a label added to generated objects for later querying
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be useful to generalize this to take metav1.Object?

njhale
njhale reviewed Nov 26, 2018
View reviewed changes
Copy link
Member

@njhale njhale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great stuff! There are only a few small things that I saw.

jpeeler
jpeeler reviewed Nov 26, 2018
View reviewed changes
pkg/controller/operators/olm/operator_test.go Outdated
obj = v
default:
meta, ok := obj.(metav1.Object)
if !ok {
panic("could not assert object as Deployment, APIService, or Secret while adding annotations")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably should be changed to "couldn't find object metadata" or something

jpeeler
jpeeler reviewed Nov 26, 2018
View reviewed changes
pkg/controller/operators/olm/operator_test.go
@@ -2292,24 +2528,43 @@ func TestSyncOperatorGroups(t *testing.T) {
err = op.syncOperatorGroups(tt.initial.operatorGroup)
require.NoError(t, err)

// Sync csvs enough to get them back to succeeded state
for i := 0; i < 6; i++ {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clever

@ecordell ecordell force-pushed the serviceaccount-rbac branch from b2cab67 to bff3b20 Compare November 26, 2018 21:11
@ecordell
Copy link
Member Author

@jpeeler @njhale addressed comments!

@jpeeler
Copy link

jpeeler commented Nov 26, 2018

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 26, 2018
@njhale
Copy link
Member

njhale commented Nov 26, 2018

/approve

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: njhale

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 26, 2018
@openshift-merge-robot openshift-merge-robot merged commit bb46d55 into operator-framework:master Nov 27, 2018
ecordell pushed a commit to ecordell/operator-lifecycle-manager that referenced this pull request Mar 8, 2019
@openshift-merge-robot
Merge pull request operator-framework#571 from ecordell/serviceaccoun…
0001072 
…t-rbac

Create role bindings for operator service accounts
@njhale njhale added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 19, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@njhale njhale njhale left review comments

@jpeeler jpeeler jpeeler left review comments

@alecmerdler alecmerdler Awaiting requested review from alecmerdler

Assignees

@jpeeler jpeeler

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ecordell @jpeeler @njhale @openshift-ci-robot @openshift-merge-robot