Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an example of InstallPlanApprover #256

Open
ch-stark opened this issue Apr 6, 2022 · 2 comments
Open

Add an example of InstallPlanApprover #256

ch-stark opened this issue Apr 6, 2022 · 2 comments

Comments

@ch-stark
Copy link
Contributor

ch-stark commented Apr 6, 2022
edited
Loading

when manually updating Operators where is currently a known aspect of the current implementation that installation and updates are treated differently in the internal logic

The following workaround can be used (in Gitops-Scenarios).

https://github.com/redhat-cop/gitops-catalog/tree/main/installplan-approver

This example can be further enhanced or reimplement e.g. by Kyverno to check only one specific operator, even if they are in the same namespace

Some ideas:
if you can write a match rule to identify the approval resource, I think you could then mutate it to approve it.

https://kyverno.io/docs/writing-policies/mutate/

Some work done:
https://github.com/mvazquezc/telco-operations/blob/kyverno/rhacm/kyverno/assets/autoapprove-installplans-in-namespace.yaml
@gojeaqui
Copy link

This worked for me:

  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: managed-cluster-security-operator-sub
      spec:
        remediationAction: inform
        severity: high
        object-templates:
          - complianceType: musthave
            objectDefinition:
              apiVersion: operators.coreos.com/v1alpha1
              kind: Subscription
              metadata:
                name: rhacs-operator
                namespace: rhacs-operator
              spec:
                channel: latest
                installPlanApproval: Automatic
                name: rhacs-operator
                source: redhat-operators
                sourceNamespace: openshift-marketplace

          # With the following object we aprove the instalation of the operator
          - complianceType: musthave
            objectDefinition:
              apiVersion: operators.coreos.com/v1alpha1
              kind: InstallPlan
              metadata:
                # The enforcement fails at first because the name is "<no value>" but then it applies correctly
                name: '{{ (lookup "operators.coreos.com/v1alpha1" "Subscription" "rhacs-operator" "rhacs-operator").status.installPlanRef.name }}'
                namespace: rhacs-operator
              spec:
                approved: true

@gparvin
Copy link
Member

gparvin commented Feb 27, 2024

The following enhancement is being worked on too. https://github.com/open-cluster-management-io/enhancements/tree/main/enhancements/sig-policy/89-operator-policy-kind#operatorpolicy-syntax
Could you take a look at that and see how much it helps?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gparvin @ch-stark @gojeaqui