Commit
generate: consider service accounts when generating a CSV (#3610)
This commit adds handling for extra RBAC objects present in `generate <bundle|packagemanifests>` input. These objects will be written to the resulting bundle. For now, only Roles, RoleBindings, their Cluster equivalents, and ServiceAccounts are written.

This PR also correctly names service accounts for (cluster) role permissions. These are currently incorrect because the CSV generator is naively using (cluster) role names instead of actual service account names. Previously this was ok because the names matched the service account, but this is no longer the case. See #3600.

Old test data has been removed, and a static `basic.operator.yaml` containing the output of `kustomize build config/manifests` added; the static file's contents match a current project manifest build.

internal/cmd/operator-sdk/generate: write RBAC objects to stdout or files named with object.Name + GVK, and rename `--update-crds` to `--update-objects`

internal/generate/{collector/clusterserviceversion}: consider (cluster) role bindings so CSV generator can assign the correct service account names to roles
Eric Stroczynski committed Aug 1, 2020
1 parent bfe13ff, commit 3270033
Showing 57 changed files with 1,154 additions and 2,582 deletions.
@@ -0,0 +1,19 @@ | ||
entries: | ||
- description: > | ||
`generate <bundle|packagemanifests>` will write RBAC objects (Roles, RoleBindings, their Cluster equivalents, | ||
and ServiceAccounts) not bound to CSV deployment service accounts | ||
to the resulting manifests directory. | ||
kind: addition | ||
- description: > | ||
The `--update-crds` flag has been renamed to `--update-objects` for the `generate packagemanifests` subcommand. | ||
kind: change | ||
breaking: true | ||
migration: | ||
header: Rename `--update-crds` flag to `--update-objects` in `generate packagemanifests` invocations | ||
body: > | ||
This flag has been renamed to account for all objects that can be written to the package directory, | ||
ex. Roles. | ||
- description: > | ||
Fixed incorrect (cluster) role name assignments in generated CSVs | ||
[#3600](https://github.com/operator-framework/operator-sdk/issues/3600). | ||
kind: bugfix |
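Review bot: the addition entry's wording "(Roles, RoleBindings, their Cluster equivalents, and ServiceAccounts) not bound to CSV deployment service accounts" does not say what happens to ServiceAccounts themselves, and the `genutil` change in this commit appends every collected ServiceAccount unconditionally, so either the entry should state that all ServiceAccounts are written or the code should filter them. Two smaller points in the same hunk: in the migration body, "ex. Roles" should read "e.g. Roles", and the bugfix entry says "incorrect (cluster) role name assignments" while the commit message describes the fix as assigning the correct service account names to (cluster) role permissions in the CSV; consider "Fixed incorrect service account names assigned to (cluster) permissions in generated CSVs".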
@@ -0,0 +1,45 @@ | ||
// Copyright 2020 The Operator-SDK Authors | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package genutil | ||
|
||
import ( | ||
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" | ||
|
||
"github.com/operator-framework/operator-sdk/internal/generate/collector" | ||
) | ||
|
||
// GetManifestObjects returns all objects to be written to a manifests directory from collector.Manifests. | ||
func GetManifestObjects(c *collector.Manifests) (objs []controllerutil.Object) { | ||
// All CRDs passed in should be written. | ||
for i := range c.V1CustomResourceDefinitions { | ||
objs = append(objs, &c.V1CustomResourceDefinitions[i]) | ||
} | ||
for i := range c.V1beta1CustomResourceDefinitions { | ||
objs = append(objs, &c.V1beta1CustomResourceDefinitions[i]) | ||
} | ||
|
||
// All ServiceAccounts passed in should be written. | ||
for i := range c.ServiceAccounts { | ||
objs = append(objs, &c.ServiceAccounts[i]) | ||
} | ||
|
||
// RBAC objects that are not a part of the CSV should be written. | ||
_, roleObjs := c.SplitCSVPermissionsObjects() | ||
objs = append(objs, roleObjs...) | ||
_, clusterRoleObjs := c.SplitCSVClusterPermissionsObjects() | ||
objs = append(objs, clusterRoleObjs...) | ||
|
||
return objs | ||
} |
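Review bot: the loop under `// All ServiceAccounts passed in should be written.` appends every ServiceAccount, whereas Roles and ClusterRoles are passed through `SplitCSVPermissionsObjects` and `SplitCSVClusterPermissionsObjects` so that objects already represented as CSV permissions are not written again as standalone manifests. The changelog in this commit says only objects "not bound to CSV deployment service accounts" are written, so either apply the same split to ServiceAccounts (dropping those named by the CSV's permissions) or make the doc comment on `GetManifestObjects` state explicitly that all ServiceAccounts are written and align the changelog with that. The doc comment should also describe the exclusion rule for RBAC objects, since the RoleBindings and ClusterRoleBindings that survive it grant permissions at install time and a reader of this function cannot tell which ones land in the bundle without reading the collector. Minor: `c` is dereferenced without a nil check; if callers can pass a nil collector, return an empty slice early.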