operators-installer enhancments

- enhance configuraiton for OperatorGroups - allow for installation of different operators in different namespaces
redhat-cop · Jul 7, 2023 · 1de3c9e · 1de3c9e
1 parent 107c859
commit 1de3c9e
Show file tree

Hide file tree

Showing 16 changed files with 160 additions and 46 deletions.
diff --git a/charts/operators-installer/Chart.yaml b/charts/operators-installer/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0
+version: 2.0.0
 
 home: https://github.com/redhat-cop/helm-charts
 

diff --git a/charts/operators-installer/README.md b/charts/operators-installer/README.md
@@ -1,17 +1,18 @@
 # operators-installer
 
-Installs a given list of operators either using Automatic or Manual InstallPlans. If Manual then version of operator can be controlled declarativly.
+Installs a given list of operators either using Automatic or Manual InstallPlans. If Manual then version of operator can be controlled declaratively.
 
 ## Purpose
 
-There is no native way to declarativly control the version of installed operators. If you set to Automatic, then operators will auto upgrade, breaking declraative, if set to Manual then human has to go manaully approve. This helm chart allows for setting to Manual but having the helm chart automatically approve the correct InstallPlan for the specific version, so as not to accidently approve a newer InstallPlan.
+There is no native way to declaratively control the version of installed operators. If you set to Automatic, then operators will auto upgrade, breaking declarative, if set to Manual then human has to go manually approve. This helm chart allows for setting to Manual but having the helm chart automatically approve the correct InstallPlan for the specific version, so as not to accidentally approve a newer InstallPlan.
 
 ## Configuration
 
 For all of the Subscription parameters see
 
 | Parameter                                    | Default Value | Required? | Description
 |----------------------------------------------|---------------|-----------|------------
+| operators                                    | `[]`          | No        | List of operators to install.
 | operators[].channel                          |               | Yes       | [Subscription](https://docs.openshift.com/container-platform/4latest/rest_api/operatorhub_apis/subscription-operators-coreos-com-v1alpha1) channel.
 | operators[].installPlanApproval              |               | Yes       | [Subscription](https://docs.openshift.com/container-platform/4latest/rest_api/operatorhub_apis/subscription-operators-coreos-com-v1alpha1) installPlanApproval.
 | operators[].name                             |               | Yes       | [Subscription](https://docs.openshift.com/container-platform/4latest/rest_api/operatorhub_apis/subscription-operators-coreos-com-v1alpha1) name.
@@ -20,17 +21,22 @@ For all of the Subscription parameters see
 | operators[].csv                                      |               | Yes       | The CSV to install.
 | operators[].installPlanVerifierRetries       | `10`          | No        | Number of times to check if the InstallPlan has actually been installed. This may need to increase of an operator takes a long time to install.
 | operators[].installPlanVerifierActiveDeadlineSeconds | `120` | No        | Total amount of time that can be spent waiting for InstallPlan to finish installing. This may need to increase of an operator takes a long time to install.
+| operators[].namespace                        | `.Release.Namespace` | No | Specify the namespace to install the operator into, which allows different operators to be installed into different namespaces from the same chart. If 
+| operatorGroups                               | `[]`          | No        | Optional list of configuration for OperatorGroups. If this is not supplied then it is assumed OperatorGroups are already in place in the selected `operators[].namespace`s.
+| operatorGroups[].name                        | `.Release.Namespace` | No | Name of the OperatorGroup & Namespace the OperatorGroup will be placed in.
+| operatorGroups[].createNamespace             | `false`       | No        | If `true` create the Namespace of the same name of the OperatorGroup. If `false` assumed the Namespace is already in place.
+| operatorGroups[].targetOwnNamespace          | `false`       | No        | If `true` add the OperatorGroup's Namespace as a `targetNamespaces`. If `true` then OperatorGroup will only work for Operators using `OwnNamespace` or `MultiNamespace` `installModes`. If blank and no `otherTargetNamespaces` specified then OperatorGroup will be configured to allow for operators using `installModes` `AllNamespaces`.
+| operatorGroups[].otherTargetNamespaces       | `[]`          | No        | List of additional Namespaces to target. If specified OperatorGroup will only work for operators using `SingleNamespace` or `MultiNamespace` `installModes` depending on value of `targetOwnNamespace`.
 | installPlanApproverAndVerifyJobsImage        | `registry.redhat.io/openshift4/ose-cli:v4.10` | Yes | Image to use for the InstallPlan Approver and Verify Jobs 
-| createOperatorGroup                          | `false`       | No        | Whether or not to create an OperatorGroup in the target release namespace
 | commonLabels                                 | `{}`          | No        | Common labels to add to all chart created resources. Implements the same idea from Kustomize for this chart.
 
-## Cavieats
+## Caveats
 
 ### ArgoCD / Red Hat OpenShift GitOps
 If using this helm chart with ArgoCD / Red Hat OpenShift GitOps then you will need to patch how ArgoCD does health checks on Subscriptions by default
 because the default health check will fail if there is any pending installations which is a problem for two reasons. First the approval is a post hook
 (which technically it could be made an install hook, if not for reason two), secondly if installing an older version fo an operator the Subscription will
-report there is a pending update, even though you dont wan't to update, and ArgoCD will constently say the Subscription is pending.
+report there is a pending update, even though you don't wan't to update, and ArgoCD will constantly say the Subscription is pending.
 
 Here is a sample updated health check to use which if the InstallPlan is set to Manual then will ignore pending plan approvals with a detailed message. How you patch ArgoCD with this health check depends on your version of ArgoCD so see the docs for your version.
 

diff --git a/...er/templates/Job_installplan-approver.yml → ...r/templates/Job_installplan-approver.yaml b/...er/templates/Job_installplan-approver.yml → ...r/templates/Job_installplan-approver.yaml
@@ -1,10 +1,12 @@
+# create one installplan-approver job per manual operator
 {{- range .Values.operators }}
 {{- if eq .installPlanApproval "Manual" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: installplan-approver--{{ .name }}
+  namespace: {{ .namespace | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
   annotations:

diff --git a/...tes/Job_installplan-complete-verifier.yml → ...es/Job_installplan-complete-verifier.yaml b/...tes/Job_installplan-complete-verifier.yml → ...es/Job_installplan-complete-verifier.yaml
@@ -1,10 +1,12 @@
+# create one installplan-complete-verifier job per manual operator
 {{- range .Values.operators }}
 {{- if eq .installPlanApproval "Manual" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: installplan-complete-verifier--{{ .name }}
+  namespace: {{ .namespace | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
   annotations:

diff --git a/charts/operators-installer/templates/Namespace.yaml b/charts/operators-installer/templates/Namespace.yaml
@@ -0,0 +1,13 @@
+{{- range $operatorGroup := .Values.operatorGroups }}
+{{- if $operatorGroup.createNamespace }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .name | default $.Release.Namespace }}
+  labels:
+    {{- include "operators-installer.labels" $ | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+{{- end }}
+{{- end }}
diff --git a/charts/operators-installer/templates/OperatorGroup.yaml b/charts/operators-installer/templates/OperatorGroup.yaml
@@ -0,0 +1,19 @@
+
+{{- range .Values.operatorGroups }}
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: {{ .name | default $.Release.Namespace }}
+  namespace: {{ .name | default $.Release.Namespace }}
+  labels:
+    {{- include "operators-installer.labels" $ | nindent 4 }}
+spec:
+  targetNamespaces:
+  {{- if .targetOwnNamespace }}
+  - {{ .name | default $.Release.Namespace }}
+  {{- end }}
+  {{- range $otherTargetNamespace := .otherTargetNamespaces }}
+  - {{ $otherTargetNamespace }}
+  {{- end }}
+{{- end }}
diff --git a/charts/operators-installer/templates/OperatorGroup.yml b/charts/operators-installer/templates/OperatorGroup.yml
diff --git a/...tes/RoleBinding_installplan-approvers.yml → ...es/RoleBinding_installplan-approvers.yaml b/...tes/RoleBinding_installplan-approvers.yml → ...es/RoleBinding_installplan-approvers.yaml
@@ -1,8 +1,11 @@
+# create one installplan-approvers RoleBinding per unqiue namespace operators are being installed in
+{{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: installplan-approvers
+  namespace: {{ $namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
   annotations:
@@ -15,4 +18,5 @@ roleRef:
   name: installplan-approver
 subjects:
   - kind: ServiceAccount
-    name: installplan-approver
+    name: installplan-approver
+{{- end }}
diff --git a/charts/operators-installer/templates/Role_installplan-approver.yaml b/charts/operators-installer/templates/Role_installplan-approver.yaml
@@ -0,0 +1,25 @@
+# create one installplan-approver Role per unqiue namespace operators are being installed in
+{{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: installplan-approver
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "operators-installer.labels" $ | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-1"
+rules:
+- apiGroups:
+  - operators.coreos.com
+  resources:
+  - installplans
+  - subscriptions
+  verbs:
+  - get
+  - list
+  - patch
+{{- end }}
diff --git a/charts/operators-installer/templates/Role_installplan-approver.yml b/charts/operators-installer/templates/Role_installplan-approver.yml
diff --git a/...s/ServiceAccount_installplan-approver.yml → .../ServiceAccount_installplan-approver.yaml b/...s/ServiceAccount_installplan-approver.yml → .../ServiceAccount_installplan-approver.yaml
@@ -1,11 +1,15 @@
+# create one installplan-approver ServiceAccount per unqiue namespace operators are being installed in
+{{- range $namespace := (include "operators-installer.uniqueNamespaces" $ | fromJsonArray) }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: installplan-approver
+  namespace: {{ $namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-1"
+{{- end }}
diff --git a/...tors-installer/templates/Subscription.yml → ...ors-installer/templates/Subscription.yaml b/...tors-installer/templates/Subscription.yml → ...ors-installer/templates/Subscription.yaml
@@ -1,9 +1,11 @@
+# create one Subscription per operator
 {{- range .Values.operators }}
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: {{ .name }}
+  namespace: {{ .namespace | default $.Release.Namespace }}
   labels:
     {{- include "operators-installer.labels" $ | nindent 4 }}
 spec:
@@ -13,4 +15,4 @@ spec:
   source: {{ .source }}
   sourceNamespace: {{ .sourceNamespace }}
   startingCSV: {{ .csv }}
-{{- end }}
+{{- end }}
diff --git a/charts/operators-installer/templates/_helpers.tpl b/charts/operators-installer/templates/_helpers.tpl
@@ -52,3 +52,18 @@ Selector labels
 app.kubernetes.io/name: {{ include "operators-installer.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Unique namespaces from list of operators
+*/}}
+{{- define "operators-installer.uniqueNamespaces" -}}
+{{-   $uniqueNamespaces := list }}
+{{-   range .Values.operators }}
+{{-     if .namespace }}
+{{-       $uniqueNamespaces = append $uniqueNamespaces .namespace | uniq }}
+{{-     else }}
+{{-       $uniqueNamespaces = append $uniqueNamespaces $.Release.Namespace | uniq }}
+{{-     end }}
+{{-   end }}
+{{    toJson $uniqueNamespaces }}
+{{- end }}
diff --git a/charts/operators-installer/test-install-multiple-operators-in-different-namespacesyaml b/charts/operators-installer/test-install-multiple-operators-in-different-namespacesyaml
@@ -0,0 +1,45 @@
+operatorGroups:
+# EXAMPLE: adding OperatorGroup to named namespace
+- name: dynatrace
+  createNamespace: true
+  targetOwnNamespace: true
+  otherTargetNamespaces:
+
+# EXAMPLE: adding OperatorGroup to Helm .Release.Namespace
+- createNamespace: false
+  targetOwnNamespace: false
+  otherTargetNamespaces:
+
+operators:
+- channel: stable
+  installPlanApproval: Manual
+  name: external-secrets-operator
+  source: community-operators
+  sourceNamespace: openshift-marketplace
+  csv: external-secrets-operator.v0.8.1
+  namespace: openshift-operators
+- channel: alpha
+  installPlanApproval: Manual
+  name: fake-operator
+  source: certified-operators
+  sourceNamespace: fake-operators
+  csv: fake-operator.v0.42.1
+  namespace: openshift-operators
+  createOperatorGroup: true
+- channel: alpha
+  installPlanApproval: Manual
+  name: dynatrace-operator
+  source: certified-operators
+  sourceNamespace: openshift-marketplace
+  csv: dynatrace-operator.v0.12.0
+  namespace: dynatrace
+  createOperatorGroup: true
+- channel: alpha
+  installPlanApproval: Manual
+  name: fake-operator-install-in-helm-release-namespace
+  source: fake-operators
+  sourceNamespace: openshift-marketplace
+  csv: fake-operator-install-in-helm-release-namespace.v0.42.2
+
+commonLabels:
+  test-label: xyz123
diff --git a/charts/operators-installer/test-install-old-operator-values.yaml b/charts/operators-installer/test-install-old-operator-values.yaml
@@ -5,6 +5,6 @@ operators:
   source: community-operators
   sourceNamespace: openshift-marketplace
   csv: external-secrets-operator.v0.8.1
-
+  namespace: openshift-operators
 commonLabels:
   test-label: xyz123
diff --git a/charts/operators-installer/values.yaml b/charts/operators-installer/values.yaml
@@ -1,10 +1,7 @@
 # Image to use for the InstallPlan Approver and Verify Jobs
 installPlanApproverAndVerifyJobsImage: registry.redhat.io/openshift4/ose-cli:v4.10
 
-# Whether or not to create an OperatorGroup in the target release namespace
-createOperatorGroup: false
-
-# EXAMPLE: declarativly controlled operator version
+# EXAMPLE: declaratively controlled operator version
 operators:
 # - channel: stable
 #   installPlanApproval: Manual
@@ -13,6 +10,19 @@ operators:
 #   sourceNamespace: openshift-marketplace
 #   csv: external-secrets-operator.v0.8.2
 
+# configuration for control of OperatorGroups
+operatorGroups:
+# EXAMPLE: adding OperatorGroup to named namespace
+# - name:
+#   createNamespace:
+#   targetOwnNamespace:
+#   otherTargetNamespaces:
+
+# EXAMPLE: adding OperatorGroup to Helm .Release.Namespace
+# - createNamespace:
+#   targetOwnNamespace:
+#   otherTargetNamespaces:
+
 # Common labels to add to all chart created resources.
 # Implements the same idea from Kustomize for this chart.
 commonLabels: