Fixup

Author: thetechnick

api/v1/clusterextensionrevision_types.go

@@ -38,7 +38,7 @@ type ClusterExtensionRevisionSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="phases is immutable"
 	Phases []ClusterExtensionRevisionPhase `json:"phases"`
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="previous is immutable"
-	Previous []ClusterExtensionRevisionPrevious `json:"previous"`
+	Previous []ClusterExtensionRevisionPrevious `json:"previous,omitempty"`
 }
 
 // ClusterExtensionRevisionLifecycleState specifies the lifecycle state of the ClusterExtensionRevision.

cmd/operator-controller/main.go

@@ -451,7 +451,18 @@ func run() error {
 		return err
 	}
 	mapFunc := func(ctx context.Context, ce *ocv1.ClusterExtension, c *rest.Config, o crcache.Options) (*rest.Config, crcache.Options, error) {
-		// TODO: Rest Config Mapping / change ServiceAccount
+		saKey := client.ObjectKey{
+			Name:      ce.Spec.ServiceAccount.Name,
+			Namespace: ce.Spec.Namespace,
+		}
+		saConfig := rest.AnonymousClientConfig(c)
+		saConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return &authentication.TokenInjectingRoundTripper{
+				Tripper:     rt,
+				TokenGetter: tokenGetter,
+				Key:         saKey,
+			}
+		})
 
 		// Cache scoping
 		req1, err := labels.NewRequirement(
@@ -461,12 +472,17 @@ func run() error {
 		}
 		o.DefaultLabelSelector = labels.NewSelector().Add(*req1)
 
-		return c, o, nil
+		return saConfig, o, nil
 	}
-	accessManager := managedcache.NewObjectBoundAccessManager[*ocv1.ClusterExtension](
+
+	accessManager := managedcache.NewObjectBoundAccessManager(
 		ctrl.Log.WithName("accessmanager"), mapFunc, restConfig, crcache.Options{
 			Scheme: mgr.GetScheme(), Mapper: mgr.GetRESTMapper(),
 		})
+	if err := mgr.Add(accessManager); err != nil {
+		setupLog.Error(err, "unable to register AccessManager")
+		return err
+	}
 	// Boxcutter
 
 	if err = (&controllers.ClusterExtensionReconciler{

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensionrevisions.yaml

@@ -104,7 +104,6 @@ spec:
                   rule: self == oldSelf
             required:
             - phases
-            - previous
             - revision
             type: object
           status:

config/base/operator-controller/rbac/role.yaml

@@ -28,8 +28,9 @@ rules:
   - olm.operatorframework.io
   resources:
   - clusterextensionrevisions
-  - clusterextensions
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -50,6 +51,16 @@ rules:
   verbs:
   - patch
   - update
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clusterextensions
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

go.mod

@@ -2,6 +2,8 @@ module github.com/operator-framework/operator-controller
 
 go 1.23.4
 
+replace pkg.package-operator.run/boxcutter => ../../package-operator/boxcutter
+
 require (
 	github.com/BurntSushi/toml v1.5.0
 	github.com/Masterminds/semver/v3 v3.3.1
@@ -109,7 +111,7 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.1 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
 	github.com/go-openapi/runtime v0.28.0 // indirect
@@ -184,8 +186,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/proglottis/gpgme v0.1.4 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

go.sum

@@ -178,8 +178,8 @@ github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC0
 github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
 github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU=
 github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
+github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
 github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
 github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
 github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
@@ -436,13 +436,13 @@ github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
+github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/procfs v0.16.0 h1:xh6oHhKwnOJKMYiYBDWmkHqQPyiY40sny36Cmx2bbsM=
+github.com/prometheus/procfs v0.16.0/go.mod h1:8veyXUu3nGP7oaCxhX6yeaM5u4stL2FeMXnCqhDthZg=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
 github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U=
 github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc=
@@ -803,8 +803,6 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
 oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
-pkg.package-operator.run/boxcutter v0.1.0 h1:SXTrkqe19ikGrRuUgbOJUFvd/U5h928o5SWr3mTRAbo=
-pkg.package-operator.run/boxcutter v0.1.0/go.mod h1:1vqTF3YbUHfyuQGrFUB9Glj8xokcncIjhzePH++02SM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.20.3 h1:I6Ln8JfQjHH7JbtCD2HCYHoIzajoRxPNuvhvcDbZgkI=

internal/operator-controller/applier/boxcutter.go

@@ -103,6 +103,7 @@ func (bc *Boxcutter) apply(
 	// Build desired revision
 	desiredRevision := &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{},
 			Labels: map[string]string{
 				controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
 			},
@@ -144,8 +145,9 @@ func (bc *Boxcutter) apply(
 		revisionNumber++
 
 		newRevision := desiredRevision
+		newRevision.Name = fmt.Sprintf("%s-%d", ext.Name, revisionNumber)
+		newRevision.Annotations[revisionHashAnnotation] = desiredHash
 		newRevision.Spec.Revision = revisionNumber
-		// newRevision.Spec.Previous
 		for _, prevRevision := range prevRevisions {
 			newRevision.Spec.Previous = append(newRevision.Spec.Previous, ocv1.ClusterExtensionRevisionPrevious{
 				Name: prevRevision.Name,

internal/operator-controller/controllers/clusterextension_controller.go

@@ -409,6 +409,7 @@ func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	controller, err := ctrl.NewControllerManagedBy(mgr).
 		For(&ocv1.ClusterExtension{}).
 		Named("controller-operator-cluster-extension-controller").
+		Owns(&ocv1.ClusterExtensionRevision{}).
 		Watches(&ocv1.ClusterCatalog{},
 			crhandler.EnqueueRequestsFromMapFunc(clusterExtensionRequestsForCatalog(mgr.GetClient(), mgr.GetLogger())),
 			builder.WithPredicates(predicate.Funcs{

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -59,7 +59,7 @@ type accessManager interface {
 	Source(handler.EventHandler, ...predicate.Predicate) source.Source
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch;create;delete
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/finalizers,verbs=update
 
@@ -118,6 +118,18 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(
 			objects = append(objects, &pobj)
 		}
 	}
+
+	// THIS IS STUPID, PLEASE FIX!
+	// Revisions need individual finalizers on the ClusterExtension to prevent it's premature deletion.
+	if rev.DeletionTimestamp.IsZero() &&
+		rev.Spec.LifecycleState != ocv1.ClusterExtensionRevisionLifecycleStateArchived {
+		// We can't lookup the complete ClusterExtension when it's already deleted.
+		// This only works when the controller-manager is not restarted during teardown.
+		if err := c.Client.Get(ctx, client.ObjectKeyFromObject(ce), ce); err != nil {
+			return res, err
+		}
+	}
+
 	accessor, err := c.AccessManager.GetWithUser(ctx, ce, rev, objects)
 	if err != nil {
 		return res, fmt.Errorf("get cache: %w", err)
@@ -280,7 +292,7 @@ func (c *ClusterExtensionRevisionReconciler) SetupWithManager(mgr ctrl.Manager)
 		).
 		WatchesRawSource(
 			c.AccessManager.Source(
-				handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &ocv1.ClusterExtension{}),
+				handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &ocv1.ClusterExtensionRevision{}),
 				predicate.ResourceVersionChangedPredicate{},
 			),
 		).