operator-framework · joelanford · Jun 13, 2024 · Jun 7, 2024
diff --git a/changelog/fragments/02-helm-operator-role-generation-fix.yaml b/changelog/fragments/02-helm-operator-role-generation-fix.yaml
@@ -0,0 +1,24 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (helm/v1) Fix broken helm-operator role scaffolding which causes reconciler to hang due to lack of permissions.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "bugfix"
+
+    # Is this a breaking change?
+    breaking: false
+
+    # Migration can be defined to automatically add a section to
+    # the migration guide. This is required for breaking changes.
+    migration:
+      header: Fix helm-operator scaffolding that was broken in 1.34.0, 1.34.1, and 1.34.2
+      body: |
+        Users who scaffolded a helm-operator project with 1.34.0, 1.34.1, or 1.34.2
+        need re-generate the project in order to get a fixed `config/rbac/role.yaml` file.
diff --git a/hack/generate/samples/internal/helm/memcached.go b/hack/generate/samples/internal/helm/memcached.go
@@ -103,7 +103,7 @@ func (mh *Memcached) Run() {
 
 	log.Infof("adding customized roles")
 	err = kbutil.ReplaceInFile(filepath.Join(mh.ctx.Dir, "config", "rbac", "role.yaml"),
-		rolesFragmentReplaceTarget, policyRolesFragment)
+		"#+kubebuilder:scaffold:rules", policyRolesFragment)
 	pkg.CheckError("adding customized roles", err)
 
 	log.Infof("creating the bundle")
@@ -122,12 +122,6 @@ func (mh *Memcached) Run() {
 
 const createdAt = `createdAt: "2022-11-08T17:26:37Z"`
 
-const rolesFragmentReplaceTarget = `
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
-`
-
 const policyRolesFragment = `
 ##
 ## Base operator rules

diff --git a/internal/plugins/helm/v1/scaffolds/init.go b/internal/plugins/helm/v1/scaffolds/init.go
@@ -18,8 +18,6 @@ limitations under the License.
 package scaffolds
 
 import (
-	"os"
-
 	kustomizev2 "sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2"
 
 	"sigs.k8s.io/kubebuilder/v3/pkg/config"
@@ -67,9 +65,10 @@ func (s *initScaffolder) Scaffold() error {
 		machinery.WithConfig(s.config),
 	)
 
-	if err := os.MkdirAll(chartutil.HelmChartsDir, 0755); err != nil {
+	if err := s.fs.FS.MkdirAll(chartutil.HelmChartsDir, 0755); err != nil {
 		return err
 	}
+
 	return scaffold.Execute(
 		&templates.Dockerfile{
 			HelmOperatorVersion: helmOperatorVersion,

diff --git a/internal/plugins/helm/v1/scaffolds/internal/templates/config/rbac/manager_role.go b/internal/plugins/helm/v1/scaffolds/internal/templates/config/rbac/manager_role.go
@@ -52,6 +52,7 @@ func (f *ManagerRole) SetTemplateDefaults() error {
 	}
 
 	f.TemplateBody = fmt.Sprintf(roleTemplate, machinery.NewMarkerFor(f.Path, rulesMarker))
+	f.IfExistsAction = machinery.OverwriteFile
 
 	return nil
 }

diff --git a/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -75,6 +75,72 @@ spec:
     spec:
       clusterPermissions:
       - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - namespaces
+          verbs:
+          - get
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - '*'
+        - apiGroups:
+          - ""
+          resources:
+          - events
+          verbs:
+          - create
+        - apiGroups:
+          - cache.example.com
+          resources:
+          - memcacheds
+          - memcacheds/status
+          - memcacheds/finalizers
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          - services
+          - services/finalizers
+          - endpoints
+          - persistentvolumeclaims
+          - events
+          - configmaps
+          - secrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - deployments
+          - daemonsets
+          - replicasets
+          - statefulsets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - ""
           resources:

diff --git a/testdata/helm/memcached-operator/config/rbac/role.yaml b/testdata/helm/memcached-operator/config/rbac/role.yaml
@@ -1,13 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: manager-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: memcached-operator
-    app.kubernetes.io/part-of: memcached-operator
-    app.kubernetes.io/managed-by: kustomize
   name: manager-role
 rules:
 ##
@@ -88,6 +81,84 @@ rules:
   - watch
 
 
+##
+## Base operator rules
+##
+# We need to get namespaces so the operator can read namespaces to ensure they exist
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+# We need to manage Helm release secrets
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - "*"
+# We need to create events on CRs about things happening during reconciliation
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+
+##
+## Rules for cache.example.com/v1alpha1, Kind: Memcached
+##
+- apiGroups:
+  - cache.example.com
+  resources:
+  - memcacheds
+  - memcacheds/status
+  - memcacheds/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+
 ##
 ## Rules customized for cache.example.com/v1alpha1, Kind: Memcached
 ##
@@ -119,3 +190,4 @@ rules:
   - watch
 
 #+kubebuilder:scaffold:rules
+
diff --git a/website/content/en/docs/contribution-guidelines/plugins.md b/website/content/en/docs/contribution-guidelines/plugins.md
@@ -72,8 +72,8 @@ If you are looking to develop similar solutions to allow users for example to cr
 [plugin-manifest]: https://github.com/operator-framework/operator-sdk/tree/master/internal/plugins/manifests/v2
 [plugin-scorecard]: https://github.com/operator-framework/operator-sdk/tree/master/internal/plugins/scorecard/v2
 [kubebuilder-declarative-pattern]: https://github.com/kubernetes-sigs/kubebuilder-declarative-pattern
-[kubebuilder-declarative-pattern-example]: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v3/controllers/firstmate_controller.go
-[default-scaffold]: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v3/controllers/admiral_controller.go
+[kubebuilder-declarative-pattern-example]: https://github.com/kubernetes-sigs/kubebuilder/blob/v3.13.0/testdata/project-v3/controllers/firstmate_controller.go
+[default-scaffold]: https://github.com/kubernetes-sigs/kubebuilder/blob/v3.13.0/testdata/project-v3/controllers/admiral_controller.go
 [kb-issue]: https://github.com/kubernetes-sigs/kubebuilder/issues/1378
 [create-your-own-plugins]: https://master.book.kubebuilder.io/plugins/creating-plugins.html
 [scorecard]: /docs/testing-operators/scorecard/