From 76b582e03ec95882367611396a568a5bc65e8599 Mon Sep 17 00:00:00 2001 From: "Adam D. Cornett" Date: Tue, 10 Jun 2025 14:50:56 -0700 Subject: [PATCH] updating to operator-sdk 1.40 Signed-off-by: Adam D. Cornett --- Makefile | 27 ++++++++++++----- ...fication.redhat.com_operatorpipelines.yaml | 2 +- config/default/metrics_service.yaml | 1 + config/manager/manager.yaml | 4 +++ config/manifests/kustomization.yaml | 5 ++-- .../network-policy/allow-metrics-traffic.yaml | 3 +- config/prometheus/monitor.yaml | 2 ++ config/rbac/kustomization.yaml | 8 +++++ config/rbac/leader_election_role.yaml | 2 ++ config/rbac/leader_election_role_binding.yaml | 2 ++ config/rbac/operatorpipeline_admin_role.yaml | 27 +++++++++++++++++ config/rbac/operatorpipeline_editor_role.yaml | 10 ++++++- config/rbac/operatorpipeline_viewer_role.yaml | 10 ++++++- config/rbac/role.yaml | 24 +++++++-------- config/rbac/role_binding.yaml | 2 ++ config/rbac/service_account.yaml | 2 ++ config/scorecard/kustomization.yaml | 1 + config/scorecard/patches/basic.config.yaml | 2 +- config/scorecard/patches/olm.config.yaml | 10 +++---- .../controller/operatorpipeline_controller.go | 1 + internal/controller/suite_test.go | 29 +++++++++++++++++++ 21 files changed, 143 insertions(+), 31 deletions(-) create mode 100644 config/rbac/operatorpipeline_admin_role.yaml diff --git a/Makefile b/Makefile index d0f673a..f45b1e1 100644 --- a/Makefile +++ b/Makefile @@ -57,8 +57,6 @@ endif # Image URL to use all building/pushing image targets IMG ?= $(IMAGE_TAG_BASE):$(RELEASE_TAG) -# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.31.0 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) 
@@ -191,10 +189,13 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk ## Tool Versions -KUSTOMIZE_VERSION ?= v5.4.3 -CONTROLLER_TOOLS_VERSION ?= v0.16.1 -ENVTEST_VERSION ?= release-0.19 -OPERATOR_SDK_VERSION ?= "v1.39.0" +KUSTOMIZE_VERSION ?= v5.6.0 +CONTROLLER_TOOLS_VERSION ?= v0.17.2 +#ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20) +ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}') +#ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31) +ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}') +OPERATOR_SDK_VERSION ?= "v1.40.0" KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. 
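Review bot: `OPERATOR_SDK_VERSION ?= "v1.40.0"` keeps the double quotes as part of the make variable's value, unlike the unquoted `KUSTOMIZE_VERSION` and `CONTROLLER_TOOLS_VERSION` on the lines just above it; the shell strips them when the variable is expanded inside a recipe, but any make-level comparison or string concatenation would see the literal quote characters. For consistency with the neighbouring tool versions write `OPERATOR_SDK_VERSION ?= v1.40.0`. The `operator-sdk` target that consumes the variable begins at the end of the next hunk and its body lies outside this patch, so I cannot confirm how the value is used there.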
@@ -211,11 +212,23 @@ $(CONTROLLER_GEN): $(LOCALBIN) test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) +.PHONY: setup-envtest +setup-envtest: envtest ## Download the binaries required for ENVTEST in the local bin directory. + @echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..." + @$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \ + echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \ + exit 1; \ + } + .PHONY: envtest envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. $(ENVTEST): $(LOCALBIN) test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION) +.PHONY: lint-config +lint-config: golangci-lint ## Verify golangci-lint linter configuration + $(GOLANGCI_LINT) config verify + .PHONY: operator-sdk OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk operator-sdk: ## Download operator-sdk locally if necessary. @@ -257,7 +270,7 @@ ifeq (,$(shell which opm 2>/dev/null)) set -e ;\ mkdir -p $(dir $(OPM)) ;\ OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\ chmod +x $(OPM) ;\ } else diff --git a/config/crd/bases/certification.redhat.com_operatorpipelines.yaml b/config/crd/bases/certification.redhat.com_operatorpipelines.yaml index 67bc3e5..50b269e 100644 --- a/config/crd/bases/certification.redhat.com_operatorpipelines.yaml +++ b/config/crd/bases/certification.redhat.com_operatorpipelines.yaml 
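Review bot: The new `setup-envtest` target hands `$(ENVTEST_K8S_VERSION)` straight to `setup-envtest use`, but that variable is now derived in the previous hunk from a `go list ... | awk` pipeline that yields an empty string whenever `go list` fails (run outside the module, or before `go.mod` is resolvable); the `@echo` then prints "Kubernetes version ..." with nothing in it and `use` runs with no version argument, which presumably selects whatever setup-envtest defaults to rather than the version the Makefile intended. Guard it before the download with `@test -n "$(ENVTEST_K8S_VERSION)" || { echo "Error: ENVTEST_K8S_VERSION could not be derived from go.mod"; exit 1; }`. The same empty-value failure mode applies to `ENVTEST_VERSION` in the `$(ENVTEST)` install rule in this hunk, where an empty version produces a bare `@` suffix on the `go install` path.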
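Review bot: The opm bootstrap still fetches a release binary with `curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm` and immediately marks it executable without any integrity check, so a tampered or swapped release asset would run unverified inside the build; the version bump is the natural moment to pin a digest alongside the version. Add `OPM_SHA256 ?= <published-sha256-for-v1.55.0>` (placeholder, value from the release's checksum file) next to the tool versions and insert `echo "$(OPM_SHA256)  $(OPM)" | sha256sum -c - || { rm -f $(OPM); exit 1; } ;\` between the `curl` and `chmod +x` lines. The enclosing `opm` recipe starts and ends outside this hunk, so the `else` branch and any existing version check there are not visible here.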
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.17.2 name: operatorpipelines.certification.redhat.com spec: group: certification.redhat.com diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml index d81883d..7ea73f1 100644 --- a/config/default/metrics_service.yaml +++ b/config/default/metrics_service.yaml @@ -15,3 +15,4 @@ spec: targetPort: 8443 selector: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 830eeb0..ad0bc56 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -3,6 +3,7 @@ kind: Namespace metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator name: system --- apiVersion: apps/v1 @@ -12,10 +13,12 @@ metadata: namespace: system labels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator spec: selector: matchLabels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator replicas: 1 template: metadata: @@ -23,6 +26,7 @@ spec: kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator spec: securityContext: runAsNonRoot: true diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 10eac96..0e75810 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml 
@@ -9,7 +9,7 @@ resources: # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. # These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: +#patches: #- target: # group: apps # version: v1 @@ -20,7 +20,8 @@ resources: # # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. # - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 + +# path: /spec/template/spec/containers/0/volumeMounts/0 # # Remove the "cert" volume, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing volumes in the manager's Deployment. # - op: remove diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml index cd6cd37..5cf43d2 100644 --- a/config/network-policy/allow-metrics-traffic.yaml +++ b/config/network-policy/allow-metrics-traffic.yaml @@ -1,6 +1,6 @@ # This NetworkPolicy allows ingress traffic # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those -# namespaces are able to gathering data from the metrics endpoint. +# namespaces are able to gather data from the metrics endpoint. apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -13,6 +13,7 @@ spec: podSelector: matchLabels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator policyTypes: - Ingress ingress: diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 206f33e..a190fed 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml 
@@ -5,6 +5,7 @@ kind: ServiceMonitor metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator name: controller-manager-metrics-monitor namespace: system spec: @@ -18,3 +19,4 @@ spec: selector: matchLabels: control-plane: controller-manager + app.kubernetes.io/name: operator-certification-operator diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 5619aa0..96852f6 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -18,3 +18,11 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the {{ .ProjectName }} itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +#- operatorpipeline_admin_role.yaml +#- operatorpipeline_editor_role.yaml +#- operatorpipeline_viewer_role.yaml + diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 4190ec8..a37293f 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: leader-election-role rules: - apiGroups: diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index 1d1321e..8351bda 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: leader-election-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io 
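Review bot: The new comment block in config/rbac/kustomization.yaml still contains an unrendered scaffold placeholder, `# not used by the {{ .ProjectName }} itself`, which reads as a template token rather than documentation; replace it with the project name this patch uses everywhere else, `# not used by the operator-certification-operator itself`. The same block says the helper roles are scaffolded "by default" while all three resource entries are commented out, which leaves a reader unsure whether they are installed; a line such as `# They are not included here; uncomment the entries below to install them.` would make that explicit. The trailing sentence also has a grammar slip: `# if you do not want those helpers to be installed with your Project.`.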
diff --git a/config/rbac/operatorpipeline_admin_role.yaml b/config/rbac/operatorpipeline_admin_role.yaml new file mode 100644 index 0000000..838a184 --- /dev/null +++ b/config/rbac/operatorpipeline_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project operator-certification-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over cache.example.com. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: operator-certification-operator + app.kubernetes.io/managed-by: kustomize + name: operatorpipeline-admin-role +rules: +- apiGroups: + - cache.example.com + resources: + - operatorpipelines + verbs: + - '*' +- apiGroups: + - cache.example.com + resources: + - operatorpipelines/status + verbs: + - get diff --git a/config/rbac/operatorpipeline_editor_role.yaml b/config/rbac/operatorpipeline_editor_role.yaml index b4c6b51..34de1a0 100644 --- a/config/rbac/operatorpipeline_editor_role.yaml +++ b/config/rbac/operatorpipeline_editor_role.yaml @@ -1,7 +1,15 @@ -# permissions for end users to edit operatorpipelines. +# This rule is not used by the project operator-certification-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the cache.example.com. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: operatorpipeline-editor-role rules: - apiGroups: 
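Review bot: The new admin ClusterRole grants wildcard verbs on apiGroup `cache.example.com`, but this project's CRD group is `certification.redhat.com` (see the CRD and config/rbac/role.yaml hunks in this same patch), so the role as written matches no API group that exists here and would be inert if bound; change both `- cache.example.com` entries to `- certification.redhat.com` and correct the header to `# Grants full permissions ('*') over certification.redhat.com.`. The editor role header in the following hunk, and the viewer role header in the hunk after it, carry the same `cache.example.com` wording, though their rules lists are cut off at the hunk boundary so I cannot see which group their rules actually name. All three files are commented out in config/rbac/kustomization.yaml, so nothing is installed yet; the mismatch would only surface once they are enabled, which is exactly when a `'*'`-verb role should point at the right group.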
diff --git a/config/rbac/operatorpipeline_viewer_role.yaml b/config/rbac/operatorpipeline_viewer_role.yaml index 353670f..41d1c2d 100644 --- a/config/rbac/operatorpipeline_viewer_role.yaml +++ b/config/rbac/operatorpipeline_viewer_role.yaml @@ -1,7 +1,15 @@ -# permissions for end users to view operatorpipelines. +# This rule is not used by the project operator-certification-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to cache.example.com resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: operatorpipeline-viewer-role rules: - apiGroups: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7cdac63..bdf7092 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,9 +5,9 @@ metadata: name: manager-role rules: - apiGroups: - - certification.redhat.com + - "" resources: - - operatorpipelines + - secrets verbs: - create - delete @@ -19,29 +19,29 @@ rules: - apiGroups: - certification.redhat.com resources: - - operatorpipelines/finalizers + - operatorpipelines verbs: + - create + - delete + - get + - list + - patch - update + - watch - apiGroups: - certification.redhat.com resources: - - operatorpipelines/status + - operatorpipelines/finalizers verbs: - - get - - patch - update - apiGroups: - - "" + - certification.redhat.com resources: - - secrets + - operatorpipelines/status verbs: - - create - - delete - get - - list - patch - update - - watch - apiGroups: - image.openshift.io resources: diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 2070ede..ee8e25b 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml 
@@ -1,6 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 7cd6025..80734e9 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -1,5 +1,7 @@ apiVersion: v1 kind: ServiceAccount metadata: + labels: + app.kubernetes.io/name: operator-certification-operator name: controller-manager namespace: system diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml index 61ceb4d..54e8aa5 100644 --- a/config/scorecard/kustomization.yaml +++ b/config/scorecard/kustomization.yaml @@ -15,3 +15,4 @@ patches: kind: Configuration name: config version: v1alpha3 +# +kubebuilder:scaffold:patches diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index cb44b9f..f7e0ed4 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.14.0 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 27f401c..85895c9 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.14.0 + image: quay.io/operator-framework/scorecard-test:v1.40.0 labels: suite: olm test: olm-bundle-validation-test 
@@ -14,7 +14,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.14.0
+ image: quay.io/operator-framework/scorecard-test:v1.40.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.14.0
+ image: quay.io/operator-framework/scorecard-test:v1.40.0
 labels:
 suite: olm
 test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
 entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.14.0
+ image: quay.io/operator-framework/scorecard-test:v1.40.0
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
 entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.14.0
+ image: quay.io/operator-framework/scorecard-test:v1.40.0
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/internal/controller/operatorpipeline_controller.go b/internal/controller/operatorpipeline_controller.go
index 09845a4..e9575d3 100644
--- a/internal/controller/operatorpipeline_controller.go
+++ b/internal/controller/operatorpipeline_controller.go
@@ -218,5 +218,6 @@ func (r *OperatorPipelineReconciler) SetupWithManager(mgr ctrl.Manager) error {
 Owns(&securityv1.SecurityContextConstraints{}).
 Owns(&rbacv1.ClusterRole{}).
 Owns(&rbacv1.ClusterRoleBinding{}).
+ Named("operator_pipeline").
 Complete(r)
 }
diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
index a6df786..df9e46b 100644
--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package controller
 import (
+ "os"
 "path/filepath"
 "testing"
@@ -57,6 +58,11 @@ var _ = BeforeSuite(func() {
 ErrorIfCRDPathMissing: true,
 }
+ // Retrieve the first found binary directory to allow running tests from IDEs
+ if getFirstFoundEnvTestBinaryDir() != "" {
+ testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir()
+ }
+
 var err error
 // cfg is defined in this file globally.
 cfg, err = testEnv.Start()
@@ -78,3 +84,26 @@ var _ = AfterSuite(func() {
 err := testEnv.Stop()
 Expect(err).NotTo(HaveOccurred())
 })
+
+// getFirstFoundEnvTestBinaryDir locates the first binary in the specified path.
+// ENVTEST-based tests depend on specific binaries, usually located in paths set by
+// controller-runtime. When running tests directly (e.g., via an IDE) without using
+// Makefile targets, the 'BinaryAssetsDirectory' must be explicitly configured.
+//
+// This function streamlines the process by finding the required binaries, similar to
+// setting the 'KUBEBUILDER_ASSETS' environment variable. To ensure the binaries are
+// properly set up, run 'make setup-envtest' beforehand.
+func getFirstFoundEnvTestBinaryDir() string {
+ basePath := filepath.Join("..", "..", "bin", "k8s")
+ entries, err := os.ReadDir(basePath)
+ if err != nil {
+ logf.Log.Error(err, "Failed to read directory", "path", basePath)
+ return ""
+ }
+ for _, entry := range entries {
+ if entry.IsDir() {
+ return filepath.Join(basePath, entry.Name())
+ }
+ }
+ return ""
+}
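Review bot: `getFirstFoundEnvTestBinaryDir()` is called twice in the new block, once in the condition and once in the assignment, so `os.ReadDir` runs twice and a failure is logged twice; bind the result once: `if dir := getFirstFoundEnvTestBinaryDir(); dir != "" {` / `testEnv.BinaryAssetsDirectory = dir` / `}`. The assignment also sets an explicit `BinaryAssetsDirectory` unconditionally whenever `../../bin/k8s` contains any subdirectory, which presumably takes precedence over assets selected by the Makefile through the environment, so a stale local `bin/k8s` would win over the version `make` chose; confirm envtest's precedence and say so in the comment, e.g. `// An existing ../../bin/k8s checkout overrides any assets path supplied by the environment.`. The enclosing BeforeSuite body starts and ends outside this hunk.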
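Review bot: `getFirstFoundEnvTestBinaryDir` returns the first subdirectory in `os.ReadDir` order, which is sorted by filename, so when more than one toolchain sits under bin/k8s (constructed example: `1.31.0-linux-amd64` beside `1.32.0-linux-amd64`) the lexicographically smallest name wins, not the one `make setup-envtest` most recently installed; the doc comment should state that, e.g. `// If several versions are present, the lexicographically first directory is returned.`. The missing-directory case is also reported at error level via `logf.Log.Error`, although it is presumably the normal situation whenever assets were provisioned elsewhere; `if errors.Is(err, os.ErrNotExist) { return "" }` ahead of the log call (with `errors` added to the import block in the previous hunk) keeps that path quiet while still surfacing permission or I/O failures.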