ACM-6596: Initialize controller for OperatorPolicy

Makefile

@@ -122,10 +122,13 @@ CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
 .PHONY: manifests
 manifests: controller-gen kustomize
  $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=config-policy-controller paths="./..." output:crd:artifacts:config=deploy/crds output:rbac:artifacts:config=deploy/rbac
- mv deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml deploy/crds/kustomize/policy.open-cluster-management.io_configurationpolicies.yaml
+ mv deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
+ mv deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml deploy/crds/kustomize_operatorpolicy/policy.open-cluster-management.io_operatorpolicies.yaml
  # Add a newline so that the format matches what kubebuilder generates
  @printf "\n---\n" > deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
- $(KUSTOMIZE) build deploy/crds/kustomize >> deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+ @printf "\n---\n" > deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
+ $(KUSTOMIZE) build deploy/crds/kustomize_configurationpolicy >> deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+ $(KUSTOMIZE) build deploy/crds/kustomize_operatorpolicy >> deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -189,6 +192,7 @@ install-crds:
  kubectl apply -f test/crds/oauths.config.openshift.io_crd.yaml
  kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/governance-policy-propagator/main/deploy/crds/policy.open-cluster-management.io_policies.yaml
  kubectl apply -f deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+ kubectl apply -f deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml
 
 .PHONY: install-resources
 install-resources:

api/v1/configurationpolicy_types.go

@@ -103,7 +103,9 @@ func (t Target) String() string {
  return fmt.Sprintf(fmtSelectorStr, t.Include, t.Exclude, *t.MatchLabels, *t.MatchExpressions)
 }
 
-// Configures the minimum elapsed time before a ConfigurationPolicy is reevaluated
+// Configures the minimum elapsed time before a ConfigurationPolicy is reevaluated. If the policy
+// spec is changed, or if the list of namespaces selected by the policy changes, the policy may be
+// evaluated regardless of the settings here.
 type EvaluationInterval struct {
  //+kubebuilder:validation:Pattern=`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`
  // The minimum elapsed time before a ConfigurationPolicy is reevaluated when in the compliant state. Set this to

api/v1beta1/groupversion_info.go

@@ -0,0 +1,23 @@
+// Copyright (c) 2021 Red Hat, Inc.
+// Copyright Contributors to the Open Cluster Management project
+
+// Package v1beta1 contains API Schema definitions for the policy v1beta1 API group
+// +kubebuilder:object:generate=true
+// +groupName=policy.open-cluster-management.io
+package v1beta1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+ // GroupVersion is group version used to register these objects
+ GroupVersion = schema.GroupVersion{Group: "policy.open-cluster-management.io", Version: "v1beta1"}
+
+ // SchemeBuilder is used to add go types to the GroupVersionKind scheme
+ SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+ // AddToScheme adds the types in this group-version to the given scheme.
+ AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1beta1/operatorpolicy_types.go

@@ -0,0 +1,148 @@
+// Copyright (c) 2021 Red Hat, Inc.
+// Copyright Contributors to the Open Cluster Management project
+
+package v1beta1
+
+import (
+ operatorv1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ policyv1 "open-cluster-management.io/config-policy-controller/api/v1"
+)
+
+// StatusConfigAction : StatusMessageOnly or NonCompliant
+// +kubebuilder:validation:Enum=StatusMessageOnly;NonCompliant
+type StatusConfigAction string
+
+// RemovalAction : Keep, Delete, or DeleteIfUnused
+// +kubebuilder:validation:Enum=Keep;Delete;DeleteIfUnused
+type RemovalAction string
+
+const (
+ // StatusMessageOnly is a StatusConfigAction that only shows the status message
+ StatusMessageOnly StatusConfigAction = "StatusMessageOnly"
+ // NonCompliant is a StatusConfigAction that shows the status message and sets
+ // the compliance to NonCompliant
+ NonCompliant StatusConfigAction = "NonCompliant"
+)
+
+const (
+ // Keep is a RemovalBehavior indicating that the controller may not delete a type
+ Keep RemovalAction = "Keep"
+ // Delete is a RemovalBehavior indicating that the controller may delete a type
+ Delete RemovalAction = "Delete"
+ // DeleteIfUnused is a RemovalBehavior indicating that the controller may delete
+ // a type only if is not being used by another subscription
+ DeleteIfUnused RemovalAction = "DeleteIfUnused"
+)
+
+type TargetNsOrSelector struct {
+ // 'namespaces' and 'selector' both define an array/set of target namespaces that
+ // should be affected on the cluster. Only one of 'namespaces' or 'selector'
+ // should be specified, and if both are set then 'selector' will be omitted.
+ Namespace []string `json:"namespaces,omitempty"`
+ // 'namespaces' and 'selector' both define an array/set of target namespaces that
+ // should be affected on the cluster. Only one of 'namespaces' or 'selector'
+ // should be specified, and if both are set then 'selector' will be omitted.
+ Selector *metav1.LabelSelector `json:"selector,omitempty"`
+}
+
+// OperatorGroup specifies an OLM OperatorGroup. More info:
+// https://olm.operatorframework.io/docs/concepts/crds/operatorgroup/
+type OperatorGroup struct {
+ // Name of the referent
+ Name string `json:"name,omitempty"`
+ // Namespace of the referent
+ Namespace string `json:"namespace,omitempty"`
+ // Target namespaces of the referent
+ Target []TargetNsOrSelector `json:"target,omitempty"`
+ // Name of the OLM ServiceAccount that defines permissions for member operators
+ // +optional
+ ServiceAccountName string `json:"serviceAccountName,omitempty"`
+}
+
+// SubscriptionSpec extends an OLM subscription with a namespace field. More info:
+// https://olm.operatorframework.io/docs/concepts/crds/subscription/
+type SubscriptionSpec struct {
+ operatorv1.SubscriptionSpec `json:",inline"`
+ // Namespace of the referent
+ Namespace string `json:"namespace,omitempty"`
+}
+
+// RemovalBehavior defines resource behavior when policy is removed
+type RemovalBehavior struct {
+ // Kind OperatorGroup
+ OperatorGroups RemovalAction `json:"operatorGroups,omitempty"`
+ // Kind Subscription
+ Subscriptions RemovalAction `json:"subscriptions,omitempty"`
+ // Kind ClusterServiceVersion
+ CSVs RemovalAction `json:"clusterServiceVersions,omitempty"`
+ // Kind InstallPlan
+ InstallPlan RemovalAction `json:"installPlans,omitempty"`
+ // Kind CustomResourceDefinitions
+ CRDs RemovalAction `json:"customResourceDefinitions,omitempty"`
+ // Kind APIServiceDefinitions
+ APIServiceDefinitions RemovalAction `json:"apiServiceDefinitions,omitempty"`
+}
+
+// StatusConfig defines how resource statuses affect the OperatorPolicy status and compliance
+type StatusConfig struct {
+ CatalogSourceUnhealthy StatusConfigAction `json:"catalogSourceUnhealthy,omitempty"`
+ DeploymentsUnavailable StatusConfigAction `json:"deploymentsUnavailable,omitempty"`
+ UpgradesAvailable StatusConfigAction `json:"upgradesAvailable,omitempty"`
+ UpgradesProgressing StatusConfigAction `json:"upgradesProgressing,omitempty"`
+}
+
+// OperatorPolicySpec defines the desired state of OperatorPolicy
+type OperatorPolicySpec struct {
+ Severity policyv1.Severity `json:"severity,omitempty"` // low, medium, high
+ RemediationAction policyv1.RemediationAction `json:"remediationAction,omitempty"` // inform, enforce
+ ComplianceType policyv1.ComplianceType `json:"complianceType"` // Compliant, NonCompliant
+ // OperatorGroup requires at least 1 of target namespaces, or label selectors
+ // to be set to scope member operators' namespaced permissions. If both are provided,
+ // only the target namespace will be used and the label selector will be omitted.
+ // +optional
+ OperatorGroup *OperatorGroup `json:"operatorGroup,omitempty"`
+ // Subscription defines an Application that can be installed
+ Subscription SubscriptionSpec `json:"subscription,omitempty"`
+ // Versions is a list of nonempty strings that specifies which installed versions are compliant when
+ // in 'inform' mode, and which installPlans are approved when in 'enforce' mode
+ Versions []policyv1.NonEmptyString `json:"versions,omitempty"`
+ RemovalBehavior RemovalBehavior `json:"removalBehavior,omitempty"`
+ StatusConfig StatusConfig `json:"statusConfig,omitempty"`
+}
+
+// OperatorPolicyStatus defines the observed state of OperatorPolicy
+type OperatorPolicyStatus struct {
+ // Most recent compliance state of the policy
+ ComplianceState policyv1.ComplianceState `json:"compliant,omitempty"`
+ // Historic details on the condition of the policy
+ Condition []metav1.Condition `json:"conditions,omitempty"`
+ // List of resources processed by the policy
+ RelatedObject policyv1.RelatedObject `json:"relatedObject"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// OperatorPolicy is the Schema for the operatorpolicies API
+type OperatorPolicy struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec OperatorPolicySpec `json:"spec,omitempty"`
+ Status OperatorPolicyStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// OperatorPolicyList contains a list of OperatorPolicy
+type OperatorPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []OperatorPolicy `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&OperatorPolicy{}, &OperatorPolicyList{})
+}

config/crd/kustomization.yaml

@@ -0,0 +1,21 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/policy.open-cluster-management.io_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
+
+# patchesStrategicMerge:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#- patches/webhook_in_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_operatorpolicies.yaml
+#+kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml

config/crd/kustomizeconfig.yaml

@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: CustomResourceDefinition
+ version: v1
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+ version: v1
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhook/clientConfig/service/namespace
+ create: false
+
+varReference:
+- path: metadata/annotations

config/crd/patches/cainjection_in_operatorpolicies.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: operatorpolicies.policy.open-cluster-management.io

config/crd/patches/webhook_in_operatorpolicies.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: operatorpolicies.policy.open-cluster-management.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
+ conversionReviewVersions:
+ - v1