Merge pull request #345 from itewk/feature/operators-installer-approv…

…er-hook operators-installer - add approveManualInstallPlanViaHook option
redhat-cop · Jul 10, 2023 · 988cf47 · 988cf47
2 parents 8600c8f + d09d3f2
commit 988cf47
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 10 deletions.
diff --git a/charts/operators-installer/Chart.yaml b/charts/operators-installer/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.0
+version: 2.1.0
 
 home: https://github.com/redhat-cop/helm-charts
 

diff --git a/charts/operators-installer/README.md b/charts/operators-installer/README.md
@@ -28,6 +28,7 @@ For all of the Subscription parameters see
 | operatorGroups[].targetOwnNamespace          | `false`       | No        | If `true` add the OperatorGroup's Namespace as a `targetNamespaces`. If `true` then OperatorGroup will only work for Operators using `OwnNamespace` or `MultiNamespace` `installModes`. If blank and no `otherTargetNamespaces` specified then OperatorGroup will be configured to allow for operators using `installModes` `AllNamespaces`.
 | operatorGroups[].otherTargetNamespaces       | `[]`          | No        | List of additional Namespaces to target. If specified OperatorGroup will only work for operators using `SingleNamespace` or `MultiNamespace` `installModes` depending on value of `targetOwnNamespace`.
 | installPlanApproverAndVerifyJobsImage        | `registry.redhat.io/openshift4/ose-cli:v4.10` | Yes | Image to use for the InstallPlan Approver and Verify Jobs 
+| approveManualInstallPlanViaHook              | `true`        | No        | `true` to create (and clean up) manual InstallPlan approval resources as part of post-install,post-upgrade helm hook<br>`false` to create  manual InstallPlan approval resources as part of normal install<br><br>The hook method is nice to not have lingering resources needed for the manual InstallPlan approval but has the downside that no CustomResources using CustomResourceDefinitions installed by the operator can be used in the same chart because the operator InstallPlan wont be approved, and therefor the operator wont be installed, until the post-install,post-upgrade phase which means you will never get to that phase because your CustomResources wont be able to apply because the Operator isn't installed.<br><br>This is is ultimately a trade off between cleaning up these resources or being able to install and configure the operator in the same helm chart that has a dependency on this helm chart.
 | commonLabels                                 | `{}`          | No        | Common labels to add to all chart created resources. Implements the same idea from Kustomize for this chart.
 
 ## Caveats

diff --git a/charts/operators-installer/templates/Job_installplan-approver.yaml b/charts/operators-installer/templates/Job_installplan-approver.yaml
@@ -1,18 +1,20 @@
-# create one installplan-approver job per manual operator
 {{- range .Values.operators }}
 {{- if eq .installPlanApproval "Manual" }}
 ---
+# create one installplan-approver job per manual operator
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: installplan-approver--{{ .name }}
+  name: installplan-approver--{{ .csv }}
   namespace: {{ .namespace | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
+  {{- if $.Values.approveManualInstallPlanViaHook }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "0"
+  {{- end }}
 spec:
   completions: 1
   backoffLimit: 5

diff --git a/charts/operators-installer/templates/Job_installplan-complete-verifier.yaml b/charts/operators-installer/templates/Job_installplan-complete-verifier.yaml
@@ -1,18 +1,20 @@
-# create one installplan-complete-verifier job per manual operator
 {{- range .Values.operators }}
 {{- if eq .installPlanApproval "Manual" }}
 ---
+# create one installplan-complete-verifier job per manual operator
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: installplan-complete-verifier--{{ .name }}
+  name: installplan-complete-verifier--{{ .csv }}
   namespace: {{ .namespace | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
+  {{- if $.Values.approveManualInstallPlanViaHook }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "10"
+  {{- end }}
 spec:
   completions: 1
   backoffLimit: {{ .installPlanVerifierRetries | default 10 }}

diff --git a/charts/operators-installer/templates/Namespace.yaml b/charts/operators-installer/templates/Namespace.yaml
@@ -7,7 +7,5 @@ metadata:
   name: {{ .name | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
 {{- end }}
 {{- end }}
diff --git a/charts/operators-installer/templates/RoleBinding_installplan-approvers.yaml b/charts/operators-installer/templates/RoleBinding_installplan-approvers.yaml
@@ -1,17 +1,19 @@
-# create one installplan-approvers RoleBinding per unqiue namespace operators are being installed in
 {{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
 ---
+# create one installplan-approvers RoleBinding per unqiue namespace operators are being installed in
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: installplan-approvers
   namespace: {{ $namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
+  {{- if $.Values.approveManualInstallPlanViaHook }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-1"
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

diff --git a/charts/operators-installer/templates/Role_installplan-approver.yaml b/charts/operators-installer/templates/Role_installplan-approver.yaml
@@ -1,17 +1,19 @@
-# create one installplan-approver Role per unqiue namespace operators are being installed in
 {{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
 ---
+# create one installplan-approver Role per unqiue namespace operators are being installed in
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: installplan-approver
   namespace: {{ $namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
+  {{- if $.Values.approveManualInstallPlanViaHook }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-1"
+  {{- end }}
 rules:
 - apiGroups:
   - operators.coreos.com

diff --git a/charts/operators-installer/templates/ServiceAccount_installplan-approver.yaml b/charts/operators-installer/templates/ServiceAccount_installplan-approver.yaml
@@ -1,15 +1,17 @@
-# create one installplan-approver ServiceAccount per unqiue namespace operators are being installed in
 {{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
 ---
+# create one installplan-approver ServiceAccount per unqiue namespace operators are being installed in
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: installplan-approver
   namespace: {{ $namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
+  {{- if $.Values.approveManualInstallPlanViaHook }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-1"
+  {{- end }}
 {{- end }}
diff --git a/charts/operators-installer/test-install-multiple-operators-in-different-namespacesyaml b/charts/operators-installer/test-install-multiple-operators-in-different-namespacesyaml
@@ -1,3 +1,5 @@
+approveManualInstallPlanViaHook: true
+
 operatorGroups:
 # EXAMPLE: adding OperatorGroup to named namespace
 - name: dynatrace

diff --git a/charts/operators-installer/values.yaml b/charts/operators-installer/values.yaml
@@ -1,3 +1,14 @@
+# `true` to create (and clean up) manual InstallPlan approval resources as part of post-install,post-upgrade helm hook
+# `false` to create  manual InstallPlan approval resources as part of normal install
+#
+# The hook method is nice to not have lingering resources needed for the manual InstallPlan approval but has the downside
+# that no CustomResources using CustomResourceDefinitions installed by the operator can be used in the same chart because
+# the operator InstallPlan wont be approved, and therefor the operator wont be installed, until the post-install,post-upgrade phase
+# which means you will never get to that phase because your CustomResources wont be able to apply because the Operator isn't installed.
+# This is is ultimately a trade off between cleaning up these resources or being able to install and configure the operator in the same
+# helm chart that has a dependency on this helm chart.
+approveManualInstallPlanViaHook: true
+
 # Image to use for the InstallPlan Approver and Verify Jobs
 installPlanApproverAndVerifyJobsImage: registry.redhat.io/openshift4/ose-cli:v4.10