[Openshift] Admin user can disable auto creation of RBAC resources

tektoncd · Oct 7, 2021 · b27be86 · b27be86
1 parent 4162dd5
commit b27be86
Show file tree

Hide file tree

Showing 8 changed files with 306 additions and 49 deletions.
diff --git a/config/crs/openshift/config/all/operator_v1alpha1_config_cr.yaml b/config/crs/openshift/config/all/operator_v1alpha1_config_cr.yaml
@@ -25,3 +25,6 @@ spec:
       value: "true"
     - name: pipelineTemplates
       value: "true"
+  params:
+  - name: createRbacResource
+    value: "true"
diff --git a/pkg/apis/operator/v1alpha1/common.go b/pkg/apis/operator/v1alpha1/common.go
@@ -94,8 +94,8 @@ func (c *CommonSpec) GetTargetNamespace() string {
 
 // Param declares an string value to use for the parameter called name.
 type Param struct {
-	Name  string `json:"name"`
-	Value string `json:"value"`
+	Name  string `json:"name,omitempty"`
+	Value string `json:"value,omitempty"`
 }
 
 // ParamValue defines a default value and possible values for a param

diff --git a/pkg/apis/operator/v1alpha1/tektonconfig_types.go b/pkg/apis/operator/v1alpha1/tektonconfig_types.go
@@ -84,6 +84,9 @@ type TektonConfigSpec struct {
 	// Dashboard holds the customizable options for dashboards component
 	// +optional
 	Dashboard Dashboard `json:"dashboard,omitempty"`
+	// Params is the list of params passed for all platforms
+	// +optional
+	Params []Param `json:"params,omitempty"`
 }
 
 // TektonConfigStatus defines the observed state of TektonConfig
@@ -97,6 +100,10 @@ type TektonConfigStatus struct {
 	// The version of the installed release
 	// +optional
 	Version string `json:"version,omitempty"`
+
+	// The current installer set name
+	// +optional
+	TektonInstallerSet map[string]string `json:"tektonInstallerSets,omitempty"`
 }
 
 // TektonConfigList contains a list of TektonConfig

diff --git a/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/openshift/tektonconfig/common.go b/pkg/reconciler/openshift/tektonconfig/common.go
@@ -0,0 +1,135 @@
+/*
+Copyright 2021 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tektonconfig
+
+import (
+	"context"
+
+	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
+	"github.com/tektoncd/operator/pkg/client/clientset/versioned"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func createInstallerSet(ctx context.Context, oc versioned.Interface, tc *v1alpha1.TektonConfig, labels map[string]string,
+	releaseVersion, component, installerSetName string) error {
+
+	is := makeInstallerSet(tc, installerSetName, releaseVersion, labels)
+
+	createdIs, err := oc.OperatorV1alpha1().TektonInstallerSets().
+		Create(ctx, is, metav1.CreateOptions{})
+	if err != nil && !errors.IsAlreadyExists(err) {
+		return err
+	}
+
+	if len(tc.Status.TektonInstallerSet) == 0 {
+		tc.Status.TektonInstallerSet = map[string]string{}
+	}
+
+	// Update the status of tektonConfig with created installerSet name
+	tc.Status.TektonInstallerSet[component] = createdIs.Name
+	tc.Status.SetVersion(releaseVersion)
+
+	_, err = oc.OperatorV1alpha1().TektonConfigs().
+		UpdateStatus(ctx, tc, metav1.UpdateOptions{})
+
+	return err
+}
+
+func makeInstallerSet(tc *v1alpha1.TektonConfig, name, releaseVersion string, labels map[string]string) *v1alpha1.TektonInstallerSet {
+	ownerRef := *metav1.NewControllerRef(tc, tc.GetGroupVersionKind())
+	return &v1alpha1.TektonInstallerSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: labels,
+			Annotations: map[string]string{
+				releaseVersionKey:  releaseVersion,
+				targetNamespaceKey: tc.Spec.TargetNamespace,
+			},
+			OwnerReferences: []metav1.OwnerReference{ownerRef},
+		},
+	}
+}
+
+func deleteInstallerSet(ctx context.Context, oc versioned.Interface, tc *v1alpha1.TektonConfig, component string) error {
+
+	compInstallerSet, ok := tc.Status.TektonInstallerSet[component]
+	if !ok {
+		return nil
+	}
+
+	if compInstallerSet != "" {
+		// delete the installer set
+		err := oc.OperatorV1alpha1().TektonInstallerSets().
+			Delete(ctx, tc.Status.TektonInstallerSet[component], metav1.DeleteOptions{})
+		if err != nil && !errors.IsNotFound(err) {
+			return err
+		}
+
+		// clear the name of installer set from TektonConfig status
+		delete(tc.Status.TektonInstallerSet, component)
+		_, err = oc.OperatorV1alpha1().TektonConfigs().
+			UpdateStatus(ctx, tc, metav1.UpdateOptions{})
+		if err != nil && !errors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// checkIfInstallerSetExist checks if installer set exists for a component and return true/false based on it
+// and if installer set which already exist is of older version then it deletes and return false to create a new
+// installer set
+func checkIfInstallerSetExist(ctx context.Context, oc versioned.Interface, relVersion string,
+	tc *v1alpha1.TektonConfig, component string) (bool, error) {
+
+	// Check if installer set is already created
+	compInstallerSet, ok := tc.Status.TektonInstallerSet[component]
+	if !ok {
+		return false, nil
+	}
+
+	if compInstallerSet != "" {
+		// if already created then check which version it is
+		ctIs, err := oc.OperatorV1alpha1().TektonInstallerSets().
+			Get(ctx, compInstallerSet, metav1.GetOptions{})
+		if err != nil {
+			if errors.IsNotFound(err) {
+				return false, nil
+			}
+			return false, err
+		}
+
+		if version, ok := ctIs.Annotations[releaseVersionKey]; ok && version == relVersion {
+			// if installer set already exist and release version is same
+			// then ignore and move on
+			return true, nil
+		}
+
+		// release version doesn't exist or is different from expected
+		// deleted existing InstallerSet and create a new one
+
+		err = oc.OperatorV1alpha1().TektonInstallerSets().
+			Delete(ctx, compInstallerSet, metav1.DeleteOptions{})
+		if err != nil {
+			return false, err
+		}
+	}
+
+	return false, nil
+}
diff --git a/pkg/reconciler/openshift/tektonconfig/extension.go b/pkg/reconciler/openshift/tektonconfig/extension.go
@@ -56,22 +56,44 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 func (oe openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
 
 	config := tc.(*v1alpha1.TektonConfig)
+	r := rbac{
+		kubeClientSet:     oe.kubeClientSet,
+		operatorClientSet: oe.operatorClientSet,
+		version:           os.Getenv(versionKey),
+		tektonConfig:      config,
+	}
+
 	pipelineUpdated := openshiftPipeline.SetDefault(&config.Spec.Pipeline)
 	triggerUpdated := openshiftTrigger.SetDefault(&config.Spec.Trigger.TriggersProperties)
-	if pipelineUpdated || triggerUpdated {
+	if pipelineUpdated || triggerUpdated || r.setDefault() {
 		if _, err := oe.operatorClientSet.OperatorV1alpha1().TektonConfigs().Update(ctx, config, v1.UpdateOptions{}); err != nil {
 			return err
 		}
 	}
 
-	r := rbac{
-		kubeClientSet:     oe.kubeClientSet,
-		operatorClientSet: oe.operatorClientSet,
-		ownerRef:          configOwnerRef(tc),
-		version:           os.Getenv(versionKey),
+	createRBACResource := true
+	for _, v := range config.Spec.Params {
+		// check for param name and if its matches to createRbacResource
+		// then disable auto creation of RBAC resources by deleting installerSet
+		if v.Name == rbacParamName && v.Value == "false" {
+			createRBACResource = false
+			if err := deleteInstallerSet(ctx, r.operatorClientSet, r.tektonConfig, componentName); err != nil {
+				return err
+			}
+			// remove openshift-pipelines.tekton.dev/namespace-reconcile-version label from namespaces while deleting RBAC resources.
+			if err := r.cleanUp(ctx); err != nil {
+				return err
+			}
+		}
+	}
+
+	if createRBACResource {
+		return r.createResources(ctx)
 	}
-	return r.createResources(ctx)
+
+	return nil
 }
+
 func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.TektonComponent) error {
 	configInstance := comp.(*v1alpha1.TektonConfig)
 
@@ -103,6 +125,6 @@ func (oe openshiftExtension) Finalize(ctx context.Context, comp v1alpha1.TektonC
 }
 
 // configOwnerRef returns owner reference pointing to passed instance
-func configOwnerRef(tc v1alpha1.TektonComponent) metav1.OwnerReference {
-	return *metav1.NewControllerRef(tc, tc.GroupVersionKind())
+func configOwnerRef(tc v1alpha1.TektonInstallerSet) metav1.OwnerReference {
+	return *metav1.NewControllerRef(&tc, tc.GetGroupVersionKind())
 }