Skip to content

Wire up installation of content using a provided ServiceAccount #973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Tracked by #737
everettraven opened this issue Jun 25, 2024 · 2 comments
Closed
Tracked by #737

Wire up installation of content using a provided ServiceAccount #973

everettraven opened this issue Jun 25, 2024 · 2 comments
Assignees
@theishshah
Labels
epic/provided-sa

Comments

@everettraven
Copy link
Contributor

everettraven commented Jun 25, 2024
edited
Loading

Following #971 and #972, we need to wire up the logic such that a ServiceAccount referenced in a ClusterExtension is used to install/upgrade/uninstall content via the Helm client.

While exact implementation may vary, here are some things to consider during implementation:

Acceptance Criteria:

  • The client.NewActionConfigGetter setup in

    operator-controller/cmd/manager/main.go

    Lines 168 to 175 in 2eca31d

    cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
    helmclient.StorageNamespaceMapper(installNamespaceMapper),
    helmclient.ClientNamespaceMapper(installNamespaceMapper),
    )
    if err != nil {
    setupLog.Error(err, "unable to config for creating helm client")
    os.Exit(1)
    }
    is updated to use a client.RestConfigMapper that creates a rest.Config configured with a token from the ServiceAccount referenced in a ClusterExtension
  • Updates to the existing unit + e2e tests as necessary for them to continue functioning as expected. It is anticipated that some work will need to be done to configure a ServiceAccount with appropriate permissions to be used during e2e tests.
  • Permissions on the operator-controller ServiceAccount should be updated to no longer require write permissions on content to be installed (and clean up any other permissions that are no longer necessary)
  • Any changes to the previously implemented interfaces to facilitate the wiring of components successfully are made
@everettraven everettraven mentioned this issue Jun 25, 2024
Closed
7 tasks
@theishshah theishshah mentioned this issue Jul 11, 2024
Merged
@joelanford
Copy link
Member

I noticed in #1038 that we use a */*/* ServiceAccount in tests. Can we change those permissions to the minimum necessary ones based on the bundle contents to make sure that future changes we make don't impose more permissions requirements?

@everettraven
Copy link
Contributor Author

Closing this one as completed as #1038 was merged.

@joelanford Your comment should be addressed via #1074

@everettraven everettraven moved this to Done in OLM v1 Jul 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@theishshah theishshah

Labels
epic/provided-sa
Projects
OLM v1
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@joelanford @theishshah @everettraven