Update operatorhub bundle generation (#1410)

* Updated template ClusterServiceVersion with values from repo From upstream-community-operators. * Remove deployments field from template It'll be filled in by the kustomize output anyway. * Add new CRDs to ClusterServiceVersion template This shouldn't need to be done, but without them in the CSV yaml the descriptions aren't available. I haven't yet been able to find a different way of providing the descriptions - doc comments on the types go into the OpenAPI schema rather than being attached to the CRD directly. * Use a different service account in the operator bundle deployment We can't rely on the default service account because OLM deploys the operator in the `operators` namespace alongside other operators. Make sure that the service account used on the role bindings is also updated. * Rename bundle dir and CSV so it can be dropped into community-operators
Azure · Apr 21, 2021 · 21c38a7 · 21c38a7
1 parent 0c94d5a
commit 21c38a7
Show file tree

Hide file tree

Showing 8 changed files with 273 additions and 118 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,8 @@
+PUBLIC_REPO=mcr.microsoft.com/k8s/azureserviceoperator
+PLACEHOLDER_IMAGE=controller:latest
+
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= $(PLACEHOLDER_IMAGE)
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -175,11 +178,11 @@ validate-cainjection-files:
 
 # Generate manifests for helm and package them up
 .PHONY: helm-chart-manifests
-helm-chart-manifests: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest  | jq .tag_name | sed 's/"//g')
+helm-chart-manifests: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest  | jq '.tag_name' --raw-output )
 helm-chart-manifests: generate
 	@echo "Latest released tag is $(LATEST_TAG)"
 	# substitute released tag into values file.
-	perl -pi -e 's,repository: mcr.microsoft.com/k8s/azureserviceoperator:\K.*,$(LATEST_TAG),' ./charts/azure-service-operator/values.yaml
+	perl -pi -e 's,repository: $(PUBLIC_REPO):\K.*,$(LATEST_TAG),' ./charts/azure-service-operator/values.yaml
 	# remove generated files
 	rm -rf charts/azure-service-operator/templates/generated/
 	rm -rf charts/azure-service-operator/crds
@@ -339,12 +342,16 @@ else
 	chmod +x operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu && sudo mkdir -p /usr/local/bin/ && sudo cp operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu /usr/local/bin/operator-sdk && rm operator-sdk-${RELEASE_VERSION}-x86_64-linux-gnu
 endif
 
-# Current operator version
-VERSION ?= 0.37.0
-
+.PHONY: generate-operator-bundle
+generate-operator-bundle: LATEST_TAG := $(shell curl -sL https://api.github.com/repos/Azure/azure-service-operator/releases/latest  | jq '.tag_name' --raw-output )
 generate-operator-bundle: manifests
-	kustomize build config/manifests | operator-sdk generate bundle --version $(VERSION) --channels stable --default-channel stable --overwrite
+	rm -r bundle
+	@echo "Latest released tag is $(LATEST_TAG)"
+	kustomize build config/operator-bundle | operator-sdk generate bundle --version $(LATEST_TAG) --channels stable --default-channel stable --overwrite --kustomize-dir config/operator-bundle
 	# This is only needed until CRD conversion support is released in OpenShift 4.6.x/Operator Lifecycle Manager 0.16.x
 	scripts/add-openshift-cert-handling.sh
-	# Rather than modify config/rbac manifests, replace CSV's default serviceAccount with azure-service-operator
-	sed -i 's/serviceAccountName: default/serviceAccountName: azure-service-operator/g' bundle/manifests/azure-service-operator.clusterserviceversion.yaml
+	# Inject the container reference into the bundle.
+	scripts/inject-container-reference.sh "$(PUBLIC_REPO)@$(LATEST_TAG)"
+	# Rename files so they're easy to add to the community-operators repo for a PR
+	mv bundle/manifests bundle/$(LATEST_TAG)
+	mv bundle/$(LATEST_TAG)/azure-service-operator.clusterserviceversion.yaml bundle/$(LATEST_TAG)/azure-service-operator.v$(LATEST_TAG).clusterserviceversion.yaml
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
diff --git a/...rvice-operator.clusterserviceversion.yaml → ...rvice-operator.clusterserviceversion.yaml b/...rvice-operator.clusterserviceversion.yaml → ...rvice-operator.clusterserviceversion.yaml
diff --git a/config/operator-bundle/kustomization.yaml b/config/operator-bundle/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+  - ../default
+  - ../samples
+
+patches:
+  - patches/serviceaccountname_in_deployment.yaml
+  - patches/serviceaccountname_in_rolebindings.yaml
diff --git a/config/operator-bundle/patches/serviceaccountname_in_deployment.yaml b/config/operator-bundle/patches/serviceaccountname_in_deployment.yaml
@@ -0,0 +1,12 @@
+# This sets the controller-manager deployment to use a non-default
+# service account on its pods, since installing the operator with OLM
+# puts it into the `operators` namespace alongside other operators.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: azureoperator-controller-manager
+  namespace: azureoperator-system
+spec:
+  template:
+    spec:
+      serviceAccountName: azure-service-operator
diff --git a/config/operator-bundle/patches/serviceaccountname_in_rolebindings.yaml b/config/operator-bundle/patches/serviceaccountname_in_rolebindings.yaml
@@ -0,0 +1,31 @@
+# This updates the different rolebindings to refer to the
+# azure-service-operator service account on its pods, since installing
+# the operator with OLM puts it into the `operators` namespace
+# alongside other operators.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: azureoperator-leader-election-rolebinding
+  namespace: azureoperator-system
+subjects:
+  - kind: ServiceAccount
+    name: azure-service-operator
+    namespace: azureoperator-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azureoperator-manager-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: azure-service-operator
+    namespace: azureoperator-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azureoperator-proxy-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: azure-service-operator
+    namespace: azureoperator-system
diff --git a/scripts/add-openshift-cert-handling.sh b/scripts/add-openshift-cert-handling.sh
@@ -7,7 +7,7 @@ set -euo pipefail
 for fname in $(grep cert-manager.io bundle/manifests/* -l); do
     sed -i '/cert-manager.io\/inject-ca-from/a\    service.beta.openshift.io/inject-cabundle: "true"' $fname
 done
-cat <<EOF > bundle/manifests/service.yaml
+cat <<EOF > bundle/manifests/azureoperator-webhook-service.yaml
 kind: Service
 metadata:
   name: azureoperator-webhook-service

diff --git a/scripts/inject-container-reference.sh b/scripts/inject-container-reference.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+container_reference="$1"
+now="$(date --rfc-3339=seconds)"
+cluster_version_file="bundle/manifests/azure-service-operator.clusterserviceversion.yaml"
+
+# Replace the controller:latest reference in the deployment (embedded
+# in the CSV) with the SHA one.
+sed -i "s!controller:latest!${container_reference}!g" $cluster_version_file
+
+# Insert containerImage and createdAt into metadata.annotations.
+yq eval -i ".metadata.annotations.containerImage = \"${container_reference}\" | .metadata.annotations.createdAt = \"${now}\"" $cluster_version_file