fix helm e2e failures

Signed-off-by: everettraven <everettraven@gmail.com>
operator-framework · Jan 25, 2024 · d013ad4 · d013ad4
1 parent 336d9ad
commit d013ad4
Show file tree

Hide file tree

Showing 4 changed files with 240 additions and 17 deletions.
diff --git a/hack/generate/samples/internal/helm/memcached.go b/hack/generate/samples/internal/helm/memcached.go
@@ -102,8 +102,8 @@ func (mh *Memcached) Run() {
 	pkg.CheckError("enabling prometheus metrics", err)
 
 	log.Infof("adding customized roles")
-	err = kbutil.InsertCode(filepath.Join(mh.ctx.Dir, "config", "rbac", "role.yaml"),
-		"rules:", policyRolesFragment)
+	err = kbutil.ReplaceInFile(filepath.Join(mh.ctx.Dir, "config", "rbac", "role.yaml"),
+		rolesFragmentReplaceTarget, policyRolesFragment)
 	pkg.CheckError("adding customized roles", err)
 
 	log.Infof("creating the bundle")
@@ -122,7 +122,91 @@ func (mh *Memcached) Run() {
 
 const createdAt = `createdAt: "2022-11-08T17:26:37Z"`
 
+const rolesFragmentReplaceTarget = `
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+`
+
 const policyRolesFragment = `
+##
+## Base operator rules
+##
+# We need to get namespaces so the operator can read namespaces to ensure they exist
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+# We need to manage Helm release secrets
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - "*"
+# We need to create events on CRs about things happening during reconciliation
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+
+##
+## Rules for cache.example.com/v1alpha1, Kind: Memcached
+##
+- apiGroups:
+  - cache.example.com
+  resources:
+  - memcacheds
+  - memcacheds/status
+  - memcacheds/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+
 ##
 ## Rules customized for cache.example.com/v1alpha1, Kind: Memcached
 ##

diff --git a/internal/cmd/helm-operator/run/cmd.go b/internal/cmd/helm-operator/run/cmd.go
@@ -244,7 +244,7 @@ func getWatchNamespaces(namespaces map[string]cache.Config) []string {
 		log.Info("Watching single namespace.")
 		return []string{namespace}
 	}
-	if len(namespaces) == 0 {
+	if namespaces == nil || len(namespaces) == 0 {
 		log.Info(fmt.Sprintf("Watch namespaces not configured by environment variable %s or file. "+
 			"Watching all namespaces.", k8sutil.WatchNamespaceEnvVar))
 		return []string{metav1.NamespaceAll}
@@ -283,13 +283,20 @@ func buildNewCacheFunc(watchNamespaces []string, ws []watches.Watch, sch *apimac
 	}
 	defaultSelector := labels.NewSelector().Add(*req)
 
-	return func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
-		defaultNamespaces := map[string]cache.Config{}
-		for _, ns := range watchNamespaces {
-			// Don't specify any config values so the defaults specified
-			// a couple lines later are used
-			defaultNamespaces[ns] = cache.Config{}
+	defaultNamespaces := map[string]cache.Config{}
+	for _, ns := range watchNamespaces {
+		// Don't specify any config values so the defaults specified
+		// a couple lines later are used
+		defaultNamespaces[ns] = cache.Config{}
+		if ns == metav1.NamespaceAll {
+			defaultNamespaces[ns] = cache.Config{
+				LabelSelector: labels.Everything(),
+			}
 		}
+	}
+	fmt.Println("XXX Debug", "defaultNamespaces", defaultNamespaces)
+
+	return func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
 		opts.ByObject = selectorsByObject
 		opts.DefaultLabelSelector = defaultSelector
 		opts.DefaultNamespaces = defaultNamespaces

diff --git a/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -76,10 +76,29 @@ spec:
       clusterPermissions:
       - rules:
         - apiGroups:
-          - policy
+          - ""
+          resources:
+          - namespaces
+          verbs:
+          - get
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - '*'
+        - apiGroups:
+          - ""
           resources:
           - events
-          - poddisruptionbudgets
+          verbs:
+          - create
+        - apiGroups:
+          - cache.example.com
+          resources:
+          - memcacheds
+          - memcacheds/status
+          - memcacheds/finalizers
           verbs:
           - create
           - delete
@@ -91,8 +110,42 @@ spec:
         - apiGroups:
           - ""
           resources:
-          - serviceaccounts
+          - pods
           - services
+          - services/finalizers
+          - endpoints
+          - persistentvolumeclaims
+          - events
+          - configmaps
+          - secrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - deployments
+          - daemonsets
+          - replicasets
+          - statefulsets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - policy
+          resources:
+          - events
+          - poddisruptionbudgets
           verbs:
           - create
           - delete
@@ -104,10 +157,15 @@ spec:
         - apiGroups:
           - ""
           resources:
-          - pods
+          - serviceaccounts
+          - services
           verbs:
+          - create
+          - delete
           - get
           - list
+          - patch
+          - update
           - watch
         - apiGroups:
           - authentication.k8s.io

diff --git a/testdata/helm/memcached-operator/config/rbac/role.yaml b/testdata/helm/memcached-operator/config/rbac/role.yaml
@@ -10,6 +10,84 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: manager-role
 rules:
+##
+## Base operator rules
+##
+# We need to get namespaces so the operator can read namespaces to ensure they exist
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+# We need to manage Helm release secrets
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - "*"
+# We need to create events on CRs about things happening during reconciliation
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+
+##
+## Rules for cache.example.com/v1alpha1, Kind: Memcached
+##
+- apiGroups:
+  - cache.example.com
+  resources:
+  - memcacheds
+  - memcacheds/status
+  - memcacheds/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+
 ##
 ## Rules customized for cache.example.com/v1alpha1, Kind: Memcached
 ##
@@ -41,7 +119,3 @@ rules:
   - watch
 
 #+kubebuilder:scaffold:rules
-
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]