Add log level support

manifests/0000_09_cluster-osin-operator_00_roles.yaml

@@ -9,3 +9,6 @@ subjects:
 - kind: ServiceAccount
   namespace: openshift-core-operators
   name: origin-cluster-osin-operator
+- kind: ServiceAccount
+  namespace: openshift-osin
+  name: openshift-osin

manifests/0000_09_cluster-osin-operator_04_sa.yaml

@@ -5,3 +5,11 @@ metadata:
   name: origin-cluster-osin-operator
   labels:
     app: origin-cluster-osin-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-osin
+  name: openshift-osin
+  labels:
+    app: origin-cluster-osin-operator2

pkg/apis/authentication/v1alpha1/register.go

@@ -9,8 +9,9 @@ import (
 	operatorsv1alpha1api "github.com/openshift/api/operator/v1alpha1"
 )
 
+const GroupName = "authentication.operator.openshift.io"
+
 var (
-	GroupName     = "authentication.operator.openshift.io"
 	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
 	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, configv1.Install, operatorsv1alpha1api.Install)
 	// Install is a function which adds this version to a scheme

pkg/apis/authentication/v1alpha1/types.go

@@ -19,11 +19,11 @@ type AuthenticationOperatorConfig struct {
 }
 
 type AuthenticationOperatorConfigSpec struct {
-	v1.OperatorSpec
+	v1.OperatorSpec `json:",inline"`
 }
 
 type AuthenticationOperatorConfigStatus struct {
-	v1.OperatorStatus
+	v1.OperatorStatus `json:",inline"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/operator2/deployment.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"strings"
 
+	operatorv1 "github.com/openshift/api/operator/v1"
+	authv1alpha1 "github.com/openshift/cluster-osin-operator/pkg/apis/authentication/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -15,6 +17,8 @@ import (
 	"github.com/openshift/library-go/pkg/operator/v1alpha1helpers"
 )
 
+const hashAnnotation = authv1alpha1.GroupName + "/rvs-hash"
+
 func (c *authOperator) getGeneration() int64 {
 	deployment, err := c.deployments.Deployments(targetName).Get(targetName, metav1.GetOptions{})
 	if err != nil {
@@ -23,7 +27,7 @@ func (c *authOperator) getGeneration() int64 {
 	return deployment.Generation
 }
 
-func defaultDeployment(syncData []idpSyncData, resourceVersions ...string) *appsv1.Deployment {
+func defaultDeployment(operatorConfig *authv1alpha1.AuthenticationOperatorConfig, syncData []idpSyncData, resourceVersions ...string) *appsv1.Deployment {
 	replicas := int32(3) // TODO configurable?
 	gracePeriod := int64(30)
 
@@ -89,8 +93,12 @@ func defaultDeployment(syncData []idpSyncData, resourceVersions ...string) *apps
 	rvsHash := sha512.Sum512([]byte(rvs))
 	rvsHashStr := base64.RawURLEncoding.EncodeToString(rvsHash[:])
 
+	// make sure ApplyDeployment knows to update
+	meta := defaultMeta()
+	meta.Annotations[hashAnnotation] = rvsHashStr
+
 	deployment := &appsv1.Deployment{
-		ObjectMeta: defaultMeta(), // TODO add hash annotation here as well
+		ObjectMeta: meta,
 		Spec: appsv1.DeploymentSpec{
 			Replicas: &replicas,
 			Selector: &metav1.LabelSelector{
@@ -101,7 +109,7 @@ func defaultDeployment(syncData []idpSyncData, resourceVersions ...string) *apps
 					Name:   targetName,
 					Labels: defaultLabels(),
 					Annotations: map[string]string{
-						"authentication.operator.openshift.io/rvs-hash": rvsHashStr,
+						hashAnnotation: rvsHashStr,
 					},
 				},
 				Spec: corev1.PodSpec{
@@ -132,6 +140,7 @@ func defaultDeployment(syncData []idpSyncData, resourceVersions ...string) *apps
 					//		Effect:   corev1.TaintEffectNoSchedule,
 					//	},
 					//},
+					ServiceAccountName:            targetName,
 					RestartPolicy:                 corev1.RestartPolicyAlways,
 					SchedulerName:                 corev1.DefaultSchedulerName,
 					TerminationGracePeriodSeconds: &gracePeriod,
@@ -145,6 +154,7 @@ func defaultDeployment(syncData []idpSyncData, resourceVersions ...string) *apps
 								"hypershift",
 								"openshift-osinserver",
 								fmt.Sprintf("--config=%s/%s", systemConfigPath, configKey),
+								fmt.Sprintf("--v=%d", getLogLevel(operatorConfig.Spec.LogLevel)),
 							},
 							Ports: []corev1.ContainerPort{
 								{
@@ -205,3 +215,18 @@ func toVolumesAndMounts(data map[string]sourceData, volumes []corev1.Volume, mou
 	}
 	return volumes, mounts
 }
+
+func getLogLevel(logLevel operatorv1.LogLevel) int {
+	switch logLevel {
+	case operatorv1.Normal:
+		return 2
+	case operatorv1.Debug:
+		return 4
+	case operatorv1.Trace:
+		return 6
+	case operatorv1.TraceAll:
+		return 100 // this is supposed to be 8 but I prefer "all" to really mean all
+	default:
+		return 0
+	}
+}

pkg/operator2/oauth.go

@@ -15,6 +15,7 @@ import (
 	kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 	osinv1 "github.com/openshift/api/osin/v1"
 	routev1 "github.com/openshift/api/route/v1"
+	authv1alpha1 "github.com/openshift/cluster-osin-operator/pkg/apis/authentication/v1alpha1"
 	"github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
@@ -30,16 +31,15 @@ func init() {
 	utilruntime.Must(kubecontrolplanev1.Install(kubeControlplaneScheme))
 }
 
-func (c *authOperator) handleOAuthConfig(route *routev1.Route, configOverrides []byte) (*corev1.ConfigMap, []idpSyncData, error) {
+func (c *authOperator) handleOAuthConfig(operatorConfig *authv1alpha1.AuthenticationOperatorConfig, route *routev1.Route) (*configv1.OAuth, *corev1.ConfigMap, []idpSyncData, error) {
 	oauthConfig, err := c.oauth.Get(globalConfigName, metav1.GetOptions{})
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
-	// TODO maybe move the OAuth stuff up one level
 	syncData, err := c.handleConfigSync(oauthConfig)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
 	var accessTokenInactivityTimeoutSeconds *int32
@@ -151,17 +151,18 @@ func (c *authOperator) handleOAuthConfig(route *routev1.Route, configOverrides [
 
 	cliConfigBytes := encodeOrDieKubeControlplane(cliConfig)
 
-	completeConfigBytes, err := resourcemerge.MergeProcessConfig(nil, cliConfigBytes, configOverrides)
+	completeConfigBytes, err := resourcemerge.MergeProcessConfig(nil, cliConfigBytes, operatorConfig.Spec.UnsupportedConfigOverrides.Raw)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
-	return &corev1.ConfigMap{
-		ObjectMeta: defaultMeta(),
-		Data: map[string]string{
-			configKey: string(completeConfigBytes),
-		},
-	}, syncData, nil
+	return oauthConfig, // TODO update OAuth status
+		&corev1.ConfigMap{
+			ObjectMeta: defaultMeta(),
+			Data: map[string]string{
+				configKey: string(completeConfigBytes),
+			},
+		}, syncData, nil
 }
 
 func getMasterCA() *string {

pkg/operator2/operator.go

@@ -131,13 +131,13 @@ func (c *authOperator) Key() (metav1.Object, error) {
 }
 
 func (c *authOperator) Sync(obj metav1.Object) error {
-	authConfig := obj.(*authv1alpha1.AuthenticationOperatorConfig)
+	operatorConfig := obj.(*authv1alpha1.AuthenticationOperatorConfig)
 
-	if authConfig.Spec.ManagementState != operatorv1.Managed {
+	if operatorConfig.Spec.ManagementState != operatorv1.Managed {
 		return nil // TODO do something better for all states
 	}
 
-	if err := c.handleSync(authConfig.Spec.UnsupportedConfigOverrides.Raw); err != nil {
+	if err := c.handleSync(operatorConfig); err != nil {
 		return err
 	}
 
@@ -146,18 +146,18 @@ func (c *authOperator) Sync(obj metav1.Object) error {
 	return nil
 }
 
-func (c *authOperator) handleSync(configOverrides []byte) error {
+func (c *authOperator) handleSync(operatorConfig *authv1alpha1.AuthenticationOperatorConfig) error {
 	route, err := c.handleRoute()
 	if err != nil {
 		return err
 	}
 
-	metadataConfigMap, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, getMetadataConfigMap(route))
+	metadata, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, getMetadataConfigMap(route))
 	if err != nil {
 		return err
 	}
 
-	auth, err := c.handleAuthConfig()
+	authConfig, err := c.handleAuthConfig()
 	if err != nil {
 		return err
 	}
@@ -167,36 +167,38 @@ func (c *authOperator) handleSync(configOverrides []byte) error {
 		return err
 	}
 
-	sessionSecret, err := c.expectedSessionSecret()
+	expectedSessionSecret, err := c.expectedSessionSecret()
 	if err != nil {
 		return err
 	}
-	secret, _, err := resourceapply.ApplySecret(c.secrets, c.recorder, sessionSecret)
+	sessionSecret, _, err := resourceapply.ApplySecret(c.secrets, c.recorder, expectedSessionSecret)
 	if err != nil {
 		return err
 	}
 
-	expectedOAuthConfigMap, syncData, err := c.handleOAuthConfig(route, configOverrides)
+	oauthConfig, expectedCLIconfig, syncData, err := c.handleOAuthConfig(operatorConfig, route)
 	if err != nil {
 		return err
 	}
-	configMap, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, expectedOAuthConfigMap)
+	cliConfig, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, expectedCLIconfig)
 	if err != nil {
 		return err
 	}
 
 	// deployment, have RV of all resources
 	// TODO use ExpectedDeploymentGeneration func
-	// TODO probably do not need every RV
-	// TODO we do not know the RV of all the config maps and secrets in syncData, so we may fail to redeploy
+	// TODO manually get RV of all the config maps and secrets in syncData
 	expectedDeployment := defaultDeployment(
+		operatorConfig,
 		syncData,
+		operatorConfig.ResourceVersion,
 		route.ResourceVersion,
-		metadataConfigMap.ResourceVersion,
-		auth.ResourceVersion,
+		metadata.ResourceVersion,
+		authConfig.ResourceVersion,
 		service.ResourceVersion,
-		secret.ResourceVersion,
-		configMap.ResourceVersion,
+		sessionSecret.ResourceVersion,
+		oauthConfig.ResourceVersion,
+		cliConfig.ResourceVersion,
 	)
 	deployment, _, err := resourceapply.ApplyDeployment(c.deployments, c.recorder, expectedDeployment, c.getGeneration(), false)
 	if err != nil {