Create CRD for OperatorPolicy

https://issues.redhat.com/browse/ACM-6595

Signed-off-by: Jason Zhang <jaszhang@redhat.com>

Makefile

@@ -122,10 +122,13 @@ CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
 .PHONY: manifests
 manifests: controller-gen kustomize
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=config-policy-controller paths="./..." output:crd:artifacts:config=deploy/crds output:rbac:artifacts:config=deploy/rbac
-	mv deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml deploy/crds/kustomize/policy.open-cluster-management.io_configurationpolicies.yaml
+	mv deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
+	mv deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml deploy/crds/kustomize_operatorpolicy/policy.open-cluster-management.io_operatorpolicies.yaml
 	# Add a newline so that the format matches what kubebuilder generates
 	@printf "\n---\n" > deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
-	$(KUSTOMIZE) build deploy/crds/kustomize >> deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+	@printf "\n---\n" > deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
+	$(KUSTOMIZE) build deploy/crds/kustomize_configurationpolicy >> deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+	$(KUSTOMIZE) build deploy/crds/kustomize_operatorpolicy >> deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -189,6 +192,7 @@ install-crds:
 	kubectl apply -f test/crds/oauths.config.openshift.io_crd.yaml
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/governance-policy-propagator/main/deploy/crds/policy.open-cluster-management.io_policies.yaml
 	kubectl apply -f deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+	kubectl apply -f deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
 
 .PHONY: install-resources
 install-resources:

api/v1beta1/groupversion_info.go

@@ -0,0 +1,23 @@
+// Copyright (c) 2021 Red Hat, Inc.
+// Copyright Contributors to the Open Cluster Management project
+
+// Package v1beta1 contains API Schema definitions for the policy v1beta1 API group
+// +kubebuilder:object:generate=true
+// +groupName=policy.open-cluster-management.io
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "policy.open-cluster-management.io", Version: "v1beta1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1beta1/operatorpolicy_types.go

@@ -0,0 +1,148 @@
+// Copyright (c) 2021 Red Hat, Inc.
+// Copyright Contributors to the Open Cluster Management project
+
+package v1beta1
+
+import (
+	operatorv1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	policyv1 "open-cluster-management.io/config-policy-controller/api/v1"
+)
+
+// StatusConfigAction : StatusMessageOnly or NonCompliant
+// +kubebuilder:validation:Enum=StatusMessageOnly;NonCompliant
+type StatusConfigAction string
+
+// RemovalAction : Keep, Delete, or DeleteIfUnused
+// +kubebuilder:validation:Enum=Keep;Delete;DeleteIfUnused
+type RemovalAction string
+
+const (
+	// StatusMessageOnly is a StatusConfigAction that only shows the status message
+	StatusMessageOnly StatusConfigAction = "StatusMessageOnly"
+	// NonCompliant is a StatusConfigAction that shows the status message and sets
+	// the compliance to NonCompliant
+	NonCompliant StatusConfigAction = "NonCompliant"
+)
+
+const (
+	// Keep is a RemovalBehavior indicating that the controller may not delete a type
+	Keep RemovalAction = "Keep"
+	// Delete is a RemovalBehavior indicating that the controller may delete a type
+	Delete RemovalAction = "Delete"
+	// DeleteIfUnused is a RemovalBehavior indicating that the controller may delete
+	// a type only if is not being used by another subscription
+	DeleteIfUnused RemovalAction = "DeleteIfUnused"
+)
+
+type TargetNsOrSelector struct {
+	// 'namespaces' and 'selector' both define an array/set of target namespaces that
+	// should be affected on the cluster. Only one of 'namespaces' or 'selector'
+	// should be specified, and if both are set then 'selector' will be omitted.
+	Namespace []string `json:"namespaces,omitempty"`
+	// 'namespaces' and 'selector' both define an array/set of target namespaces that
+	// should be affected on the cluster. Only one of 'namespaces' or 'selector'
+	// should be specified, and if both are set then 'selector' will be omitted.
+	Selector *metav1.LabelSelector `json:"selector,omitempty"`
+}
+
+// OperatorGroup specifies an OLM OperatorGroup. More info:
+// https://olm.operatorframework.io/docs/concepts/crds/operatorgroup/
+type OperatorGroup struct {
+	// Name of the referent
+	Name string `json:"name,omitempty"`
+	// Namespace of the referent
+	Namespace string `json:"namespace,omitempty"`
+	// Target namespaces of the referent
+	Target []TargetNsOrSelector `json:"target,omitempty"`
+	// Name of the OLM ServiceAccount that defines permissions for member operators
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+}
+
+// SubscriptionSpec extends an OLM subscription with a namespace field. More info:
+// https://olm.operatorframework.io/docs/concepts/crds/subscription/
+type SubscriptionSpec struct {
+	operatorv1.SubscriptionSpec `json:",inline"`
+	// Namespace of the referent
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// RemovalBehavior defines resource behavior when policy is removed
+type RemovalBehavior struct {
+	// Kind OperatorGroup
+	OperatorGroups RemovalAction `json:"operatorGroups,omitempty"`
+	// Kind Subscription
+	Subscriptions RemovalAction `json:"subscriptions,omitempty"`
+	// Kind ClusterServiceVersion
+	CSVs RemovalAction `json:"clusterServiceVersions,omitempty"`
+	// Kind InstallPlan
+	InstallPlan RemovalAction `json:"installPlans,omitempty"`
+	// Kind CustomResourceDefinitions
+	CRDs RemovalAction `json:"customResourceDefinitions,omitempty"`
+	// Kind APIServiceDefinitions
+	APIServiceDefinitions RemovalAction `json:"apiServiceDefinitions,omitempty"`
+}
+
+// StatusConfig defines how resource statuses affect the OperatorPolicy status and compliance
+type StatusConfig struct {
+	CatalogSourceUnhealthy StatusConfigAction `json:"catalogSourceUnhealthy,omitempty"`
+	DeploymentsUnavailable StatusConfigAction `json:"deploymentsUnavailable,omitempty"`
+	UpgradesAvailable      StatusConfigAction `json:"upgradesAvailable,omitempty"`
+	UpgradesProgressing    StatusConfigAction `json:"upgradesProgressing,omitempty"`
+}
+
+// OperatorPolicySpec defines the desired state of OperatorPolicy
+type OperatorPolicySpec struct {
+	Severity          policyv1.Severity          `json:"severity,omitempty"`          // low, medium, high
+	RemediationAction policyv1.RemediationAction `json:"remediationAction,omitempty"` // inform, enforce
+	ComplianceType    policyv1.ComplianceType    `json:"complianceType"`              // Compliant, NonCompliant
+	// OperatorGroup requires at least 1 of target namespaces, or label selectors
+	// to be set to scope member operators' namespaced permissions. If both are provided,
+	// only the target namespace will be used and the label selector will be omitted.
+	// +optional
+	OperatorGroup *OperatorGroup `json:"operatorGroup,omitempty"`
+	// Subscription defines an Application that can be installed
+	Subscription SubscriptionSpec `json:"subscription,omitempty"`
+	// Versions is a list of nonempty strings that specifies which installed versions are compliant when
+	// in 'inform' mode, and which installPlans are approved when in 'enforce' mode
+	Versions        []policyv1.NonEmptyString `json:"versions,omitempty"`
+	RemovalBehavior RemovalBehavior           `json:"removalBehavior,omitempty"`
+	StatusConfig    StatusConfig              `json:"statusConfig,omitempty"`
+}
+
+// OperatorPolicyStatus defines the observed state of OperatorPolicy
+type OperatorPolicyStatus struct {
+	// Most recent compliance state of the policy
+	ComplianceState policyv1.ComplianceState `json:"compliant,omitempty"`
+	// Historic details on the condition of the policy
+	Condition []metav1.Condition `json:"conditions,omitempty"`
+	// List of resources processed by the policy
+	RelatedObject policyv1.RelatedObject `json:"relatedObject"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// OperatorPolicy is the Schema for the operatorpolicies API
+type OperatorPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   OperatorPolicySpec   `json:"spec,omitempty"`
+	Status OperatorPolicyStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// OperatorPolicyList contains a list of OperatorPolicy
+type OperatorPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OperatorPolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OperatorPolicy{}, &OperatorPolicyList{})
+}

config/crd/kustomization.yaml

@@ -0,0 +1,21 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/policy.open-cluster-management.io_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
+
+# patchesStrategicMerge:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#- patches/webhook_in_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml

config/crd/kustomizeconfig.yaml

@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  version: v1
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhook/clientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations

config/crd/patches/cainjection_in_operatorpolicies.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: operatorpolicies.policy.open-cluster-management.io

config/crd/patches/webhook_in_operatorpolicies.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: operatorpolicies.policy.open-cluster-management.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1

config/rbac/operatorpolicy_editor_role.yaml

@@ -0,0 +1,31 @@
+# permissions for end users to edit operatorpolicies.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: operatorpolicy-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: config-policy-controller
+    app.kubernetes.io/part-of: config-policy-controller
+    app.kubernetes.io/managed-by: kustomize
+  name: operatorpolicy-editor-role
+rules:
+- apiGroups:
+  - policy.open-cluster-management.io
+  resources:
+  - operatorpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policy.open-cluster-management.io
+  resources:
+  - operatorpolicies/status
+  verbs:
+  - get