Skip to content

Rename ClusterRoles created by OperatorGroups #3035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 20, 2023
Merged

Rename ClusterRoles created by OperatorGroups #3035

merged 2 commits into from
Sep 20, 2023

Conversation

tmshort
Copy link
Contributor

@tmshort tmshort commented Sep 18, 2023

Description of the change:
When an OperatorGroup creates a ClusterRole, it's based directly on the OG name with a suffix, this causes two issues:

  1. same-named OGs in different namespaces overwrite each others CRs
  2. there are some very important CRs that could be overwritten by OG

Tests added.

Motivation for the change:

The ClusterRoles created by an OperatorGroup can conflict with existing CRs and with CRs created by OGs.

Architectural changes:

Naming of these OG CRs change, but since they're aggregated, admins shouldn't really be using them, so the new names shouldn't matter.

There will be a need to clean up the old roles, but that could potentially be dangerous.

Testing remarks:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Bug fixes are accompanied by regression test(s)
  • e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
  • tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • Docs updated or added to /doc
  • Commit messages sensible and descriptive
  • Tests marked as [FLAKE] are truly flaky and have an issue
  • Code is properly formatted

@openshift-ci openshift-ci bot requested review from anik120 and njhale September 18, 2023 16:14
@openshift-ci
Copy link

openshift-ci bot commented Sep 18, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 18, 2023
@tmshort
Copy link
Contributor Author

tmshort commented Sep 18, 2023

Update of #2991

@tmshort
Copy link
Contributor Author

tmshort commented Sep 18, 2023
edited
Loading

/hold

Until we have plans for cleanup, and if anything will be backported.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 18, 2023
@tmshort
Copy link
Contributor Author

tmshort commented Sep 18, 2023

/retest

stevekuznetsov
stevekuznetsov reviewed Sep 18, 2023
View reviewed changes
pkg/controller/operators/olm/operator_test.go Outdated
"": {
&rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
ResourceVersion: "",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can remove these empty fields

stevekuznetsov
stevekuznetsov reviewed Sep 18, 2023
View reviewed changes
pkg/controller/operators/olm/operator_test.go
@@ -5366,7 +5793,10 @@ func RequireObjectsInCache(t *testing.T, lister operatorlister.OperatorLister, n
require.Failf(t, "couldn't find expected object", "%#v", object)
}
if err != nil {
return fmt.Errorf("namespace: %v, error: %v", namespace, err)
if apierrors.IsNotFound(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the meaning of this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was in @perdasilva's change that I pulled in directly. Line numbers are probably a bit different due to reverting format-only changes.
Looks as though it's trying to avoid double-wrapping the error.

@stevekuznetsov
Copy link
Contributor

Content looks good, just nits.

/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. and removed lgtm Indicates that a PR is ready to be merged. labels Sep 18, 2023
@stevekuznetsov
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 19, 2023
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 19, 2023
@tmshort
Copy link
Contributor Author

tmshort commented Sep 19, 2023

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 19, 2023
@stevekuznetsov
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 20, 2023
@tmshort
Rename ClusterRoles created by OperatorGroups
35f8bca 
When an OperatorGroup creates a ClusterRole, it's based directly on the
OG name with a suffix, this causes two issues:
1. same-named OGs in different namespaces overwrite each others CRs
2. there are some very important CRs that could be overwritten by OG

Tests added.

Signed-off-by: Per Goncalves da Silva <[email protected]>
Signed-off-by: Todd Short <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 20, 2023
@stevekuznetsov
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 20, 2023
@tmshort tmshort merged commit 20fbc30 into operator-framework:master Sep 20, 2023
@tmshort tmshort deleted the PR-2991-new branch September 20, 2023 14:59
@tmshort tmshort mentioned this pull request Oct 2, 2023
Merged
11 tasks
@tmshort tmshort mentioned this pull request Oct 18, 2023
Closed
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevekuznetsov stevekuznetsov stevekuznetsov left review comments

@anik120 anik120 Awaiting requested review from anik120

@njhale njhale Awaiting requested review from njhale

Assignees

@stevekuznetsov stevekuznetsov

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tmshort @stevekuznetsov