[Openshift] Admin user can disable auto creation of RBAC resources

config/crs/openshift/config/all/operator_v1alpha1_config_cr.yaml

@@ -25,3 +25,6 @@ spec:
       value: "true"
     - name: pipelineTemplates
       value: "true"
+  params:
+  - name: createRbacResource
+    value: "true"

pkg/apis/operator/v1alpha1/common.go

@@ -94,8 +94,8 @@ func (c *CommonSpec) GetTargetNamespace() string {
 
 // Param declares an string value to use for the parameter called name.
 type Param struct {
-	Name  string `json:"name"`
-	Value string `json:"value"`
+	Name  string `json:"name,omitempty"`
+	Value string `json:"value,omitempty"`
 }
 
 // ParamValue defines a default value and possible values for a param

pkg/apis/operator/v1alpha1/tektonconfig_types.go

@@ -84,6 +84,9 @@ type TektonConfigSpec struct {
 	// Dashboard holds the customizable options for dashboards component
 	// +optional
 	Dashboard Dashboard `json:"dashboard,omitempty"`
+	// Params is the list of params passed for all platforms
+	// +optional
+	Params []Param `json:"params,omitempty"`
 }
 
 // TektonConfigStatus defines the observed state of TektonConfig
@@ -97,6 +100,10 @@ type TektonConfigStatus struct {
 	// The version of the installed release
 	// +optional
 	Version string `json:"version,omitempty"`
+
+	// The current installer set name
+	// +optional
+	TektonInstallerSet map[string]string `json:"tektonInstallerSets,omitempty"`
 }
 
 // TektonConfigList contains a list of TektonConfig

pkg/reconciler/openshift/tektonconfig/common.go

@@ -0,0 +1,119 @@
+package tektonconfig
+
+import (
+	"context"
+
+	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
+	"github.com/tektoncd/operator/pkg/client/clientset/versioned"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func createInstallerSet(ctx context.Context, oc versioned.Interface, tc *v1alpha1.TektonConfig, labels map[string]string,
+	releaseVersion, component, installerSetName string) error {
+
+	is := makeInstallerSet(tc, installerSetName, releaseVersion, labels)
+
+	createdIs, err := oc.OperatorV1alpha1().TektonInstallerSets().
+		Create(ctx, is, metav1.CreateOptions{})
+	if err != nil && !errors.IsAlreadyExists(err) {
+		return err
+	}
+
+	if len(tc.Status.TektonInstallerSet) == 0 {
+		tc.Status.TektonInstallerSet = map[string]string{}
+	}
+
+	// Update the status of tektonConfig with created installerSet name
+	tc.Status.TektonInstallerSet[component] = createdIs.Name
+	tc.Status.SetVersion(releaseVersion)
+
+	_, err = oc.OperatorV1alpha1().TektonConfigs().
+		UpdateStatus(ctx, tc, metav1.UpdateOptions{})
+
+	return err
+}
+
+func makeInstallerSet(tc *v1alpha1.TektonConfig, name, releaseVersion string, labels map[string]string) *v1alpha1.TektonInstallerSet {
+	ownerRef := *metav1.NewControllerRef(tc, tc.GetGroupVersionKind())
+	return &v1alpha1.TektonInstallerSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: labels,
+			Annotations: map[string]string{
+				releaseVersionKey:  releaseVersion,
+				targetNamespaceKey: tc.Spec.TargetNamespace,
+			},
+			OwnerReferences: []metav1.OwnerReference{ownerRef},
+		},
+	}
+}
+
+func deleteInstallerSet(ctx context.Context, oc versioned.Interface, tc *v1alpha1.TektonConfig, component string) error {
+
+	compInstallerSet, ok := tc.Status.TektonInstallerSet[component]
+	if !ok {
+		return nil
+	}
+
+	if compInstallerSet != "" {
+		// delete the installer set
+		err := oc.OperatorV1alpha1().TektonInstallerSets().
+			Delete(ctx, tc.Status.TektonInstallerSet[component], metav1.DeleteOptions{})
+		if err != nil && !errors.IsNotFound(err) {
+			return err
+		}
+
+		// clear the name of installer set from TektonAddon status
+		delete(tc.Status.TektonInstallerSet, component)
+		_, err = oc.OperatorV1alpha1().TektonConfigs().
+			UpdateStatus(ctx, tc, metav1.UpdateOptions{})
+		if err != nil && !errors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// checkIfInstallerSetExist checks if installer set exists for a component and return true/false based on it
+// and if installer set which already exist is of older version then it deletes and return false to create a new
+// installer set
+func checkIfInstallerSetExist(ctx context.Context, oc versioned.Interface, relVersion string,
+	tc *v1alpha1.TektonConfig, component string) (bool, error) {
+
+	// Check if installer set is already created
+	compInstallerSet, ok := tc.Status.TektonInstallerSet[component]
+	if !ok {
+		return false, nil
+	}
+
+	if compInstallerSet != "" {
+		// if already created then check which version it is
+		ctIs, err := oc.OperatorV1alpha1().TektonInstallerSets().
+			Get(ctx, compInstallerSet, metav1.GetOptions{})
+		if err != nil {
+			if errors.IsNotFound(err) {
+				return false, nil
+			}
+			return false, err
+		}
+
+		if version, ok := ctIs.Annotations[releaseVersionKey]; ok && version == relVersion {
+			// if installer set already exist and release version is same
+			// then ignore and move on
+			return true, nil
+		}
+
+		// release version doesn't exist or is different from expected
+		// deleted existing InstallerSet and create a new one
+
+		err = oc.OperatorV1alpha1().TektonInstallerSets().
+			Delete(ctx, compInstallerSet, metav1.DeleteOptions{})
+		if err != nil {
+			return false, err
+		}
+	}
+
+	return false, nil
+}

pkg/reconciler/openshift/tektonconfig/extension.go

@@ -56,22 +56,44 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 func (oe openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
 
 	config := tc.(*v1alpha1.TektonConfig)
+	r := rbac{
+		kubeClientSet:     oe.kubeClientSet,
+		operatorClientSet: oe.operatorClientSet,
+		version:           os.Getenv(versionKey),
+		tektonConfig:      config,
+	}
+
 	pipelineUpdated := openshiftPipeline.SetDefault(&config.Spec.Pipeline)
 	triggerUpdated := openshiftTrigger.SetDefault(&config.Spec.Trigger.TriggersProperties)
-	if pipelineUpdated || triggerUpdated {
+	if pipelineUpdated || triggerUpdated || r.setDefault() {
 		if _, err := oe.operatorClientSet.OperatorV1alpha1().TektonConfigs().Update(ctx, config, v1.UpdateOptions{}); err != nil {
 			return err
 		}
 	}
 
-	r := rbac{
-		kubeClientSet:     oe.kubeClientSet,
-		operatorClientSet: oe.operatorClientSet,
-		ownerRef:          configOwnerRef(tc),
-		version:           os.Getenv(versionKey),
+	createRBACResource := true
+	for _, v := range config.Spec.Params {
+		// check for param name and if its matches to createRbacResource
+		// then disable auto creation of RBAC resources by deleting installerSet
+		if v.Name == rbacParamName && v.Value == "false" {
+			createRBACResource = false
+			if err := deleteInstallerSet(ctx, r.operatorClientSet, r.tektonConfig, componentName); err != nil {
+				return err
+			}
+			// remove openshift-pipelines.tekton.dev/namespace-reconcile-version label from namespaces while deleting RBAC resources.
+			if err := r.cleanUp(ctx); err != nil {
+				return err
+			}
+		}
+	}
+
+	if createRBACResource {
+		return r.createResources(ctx)
 	}
-	return r.createResources(ctx)
+
+	return nil
 }
+
 func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.TektonComponent) error {
 	configInstance := comp.(*v1alpha1.TektonConfig)
 
@@ -103,6 +125,6 @@ func (oe openshiftExtension) Finalize(ctx context.Context, comp v1alpha1.TektonC
 }
 
 // configOwnerRef returns owner reference pointing to passed instance
-func configOwnerRef(tc v1alpha1.TektonComponent) metav1.OwnerReference {
-	return *metav1.NewControllerRef(tc, tc.GroupVersionKind())
+func configOwnerRef(tc v1alpha1.TektonInstallerSet) metav1.OwnerReference {
+	return *metav1.NewControllerRef(&tc, tc.GetGroupVersionKind())
 }