diff --git a/go.mod b/go.mod
index aaae2f0b43..221b549d9d 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/openshift/api v0.0.0-20211209135129-c58d9f695577
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3
- github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492
+ github.com/openshift/library-go v0.0.0-20220117173518-ca57b619b5d6
 github.com/spf13/cobra v1.2.1
 github.com/stretchr/testify v1.7.0
 go.etcd.io/etcd/client/v3 v3.5.0
diff --git a/go.sum b/go.sum
index daa9c73892..cd147dd4ad 100644
--- a/go.sum
+++ b/go.sum
@@ -512,8 +512,8 @@ github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3 h1:65
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3 h1:SG1aqwleU6bGD0X4mhkTNupjVnByMYYuW4XbnCPavQU=
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3/go.mod h1:cwhyki5lqBmrT0m8Im+9I7PGFaraOzcYPtEz93RcsGY=
-github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492 h1:oj/rSQqVWVj6YJUydZwLz2frrJreiyI4oa9g/YPgMsM=
-github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492/go.mod h1:4UQ9snU1vg53fyTpHQw3vLPiAxI8ub5xrc+y8KPQQFs=
+github.com/openshift/library-go v0.0.0-20220117173518-ca57b619b5d6 h1:HS6brMoum1oJyFriix+Ae3J2FfvK9u9TBqUu+JnG/pc=
+github.com/openshift/library-go v0.0.0-20220117173518-ca57b619b5d6/go.mod h1:4UQ9snU1vg53fyTpHQw3vLPiAxI8ub5xrc+y8KPQQFs=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
diff --git a/vendor/github.com/openshift/library-go/pkg/config/leaderelection/leaderelection.go b/vendor/github.com/openshift/library-go/pkg/config/leaderelection/leaderelection.go
index 5cec68257b..edbd10fb1d 100644
--- a/vendor/github.com/openshift/library-go/pkg/config/leaderelection/leaderelection.go
+++ b/vendor/github.com/openshift/library-go/pkg/config/leaderelection/leaderelection.go
@@ -22,8 +22,15 @@ import (
 configv1 "github.com/openshift/api/config/v1"
 )
-// ToConfigMapLeaderElection returns a leader election config that you just need to fill in the Callback for. Don't forget the callbacks!
-func ToConfigMapLeaderElection(clientConfig *rest.Config, config configv1.LeaderElection, component, identity string) (leaderelection.LeaderElectionConfig, error) {
+// ToLeaderElectionWithConfigmapLease returns a "configmapsleases" based leader
+// election config that you just need to fill in the Callback for.
+// It is compatible with a "configmaps" based leader election and
+// paves the way toward using "leases" based leader election.
+// See https://github.com/kubernetes/kubernetes/issues/107454 for
+// details on how to migrate to "leases" leader election.
+// Don't forget the callbacks!
+// TODO: In the next version we should switch to using "leases"
+func ToLeaderElectionWithConfigmapLease(clientConfig *rest.Config, config configv1.LeaderElection, component, identity string) (leaderelection.LeaderElectionConfig, error) {
 kubeClient, err := kubernetes.NewForConfig(clientConfig)
 if err != nil {
 return leaderelection.LeaderElectionConfig{}, err
@@ -50,7 +57,7 @@ func ToConfigMapLeaderElection(clientConfig *rest.Config, config configv1.Leader
 eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: v1core.New(kubeClient.CoreV1().RESTClient()).Events("")})
 eventRecorder := eventBroadcaster.NewRecorder(clientgoscheme.Scheme, corev1.EventSource{Component: component})
 rl, err := resourcelock.New(
- resourcelock.ConfigMapsResourceLock,
+ resourcelock.ConfigMapsLeasesResourceLock,
 config.Namespace,
 config.Name,
 kubeClient.CoreV1(),
diff --git a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go
index f98b86f3d4..820892a17c 100644
--- a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go
+++ b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go
@@ -329,7 +329,7 @@ func (b *ControllerBuilder) Run(ctx context.Context, config *unstructured.Unstru
 leaderConfig := rest.CopyConfig(protoConfig)
 leaderConfig.Timeout = b.leaderElection.RenewDeadline.Duration
- leaderElection, err := leaderelectionconverter.ToConfigMapLeaderElection(leaderConfig, *b.leaderElection, b.componentName, b.instanceIdentity)
+ leaderElection, err := leaderelectionconverter.ToLeaderElectionWithConfigmapLease(leaderConfig, *b.leaderElection, b.componentName, b.instanceIdentity)
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/apiserver/audit/bindata/bindata.go b/vendor/github.com/openshift/library-go/pkg/operator/apiserver/audit/bindata/bindata.go
index 5198d67387..ef1efd4bc5 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/apiserver/audit/bindata/bindata.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/apiserver/audit/bindata/bindata.go
@@ -88,6 +88,8 @@ func pkgOperatorApiserverAuditManifestsAllrequestbodiesRulesYaml() (*asset, erro var _pkgOperatorApiserverAuditManifestsBasePolicyYaml = []byte(` apiVersion: audit.k8s.io/v1 kind: Policy + # drop managed fields from audit, this is at global scope. + omitManagedFields: true # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived"
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
index ca47c78d81..4ab81ee5eb 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
@@ -37,6 +37,7 @@ type GuardController struct {
 targetNamespace, podResourcePrefix string
 operatorName string
 readyzPort string
+ operandPodLabelSelector labels.Selector
 nodeLister corelisterv1.NodeLister
 podLister corelisterv1.PodLister
@@ -50,7 +51,9 @@ type GuardController struct {
 }
 func NewGuardController(
- targetNamespace, podResourcePrefix string,
+ targetNamespace string,
+ operandPodLabelSelector labels.Selector,
+ podResourcePrefix string,
 operatorName string,
 readyzPort string,
 kubeInformersForTargetNamespace informers.SharedInformerFactory,
@@ -62,17 +65,18 @@ func NewGuardController(
 createConditionalFunc func() (bool, error),
 ) factory.Controller {
 c := &GuardController{
- targetNamespace: targetNamespace,
- podResourcePrefix: podResourcePrefix,
- operatorName: operatorName,
- readyzPort: readyzPort,
- nodeLister: kubeInformersClusterScoped.Core().V1().Nodes().Lister(),
- podLister: kubeInformersForTargetNamespace.Core().V1().Pods().Lister(),
- podGetter: podGetter,
- pdbGetter: pdbGetter,
- pdbLister: kubeInformersForTargetNamespace.Policy().V1().PodDisruptionBudgets().Lister(),
- installerPodImageFn: getInstallerPodImageFromEnv,
- createConditionalFunc: createConditionalFunc,
+ targetNamespace: targetNamespace,
+ operandPodLabelSelector: operandPodLabelSelector,
+ podResourcePrefix: podResourcePrefix,
+ operatorName: operatorName,
+ readyzPort: readyzPort,
+ nodeLister: kubeInformersClusterScoped.Core().V1().Nodes().Lister(),
+ podLister: kubeInformersForTargetNamespace.Core().V1().Pods().Lister(),
+ podGetter: podGetter,
+ pdbGetter: pdbGetter,
+ pdbLister: kubeInformersForTargetNamespace.Policy().V1().PodDisruptionBudgets().Lister(),
+ installerPodImageFn: getInstallerPodImageFromEnv,
+ createConditionalFunc: createConditionalFunc,
 }
 return factory.New().WithInformers(
@@ -162,7 +166,7 @@ func (c *GuardController) sync(ctx context.Context, syncCtx factory.SyncContext)
 return err
 }
- pods, err := c.podLister.Pods(c.targetNamespace).List(labels.SelectorFromSet(labels.Set{"app": c.podResourcePrefix}))
+ pods, err := c.podLister.Pods(c.targetNamespace).List(c.operandPodLabelSelector)
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
index 7c3f3e6919..8ef536e666 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
@@ -51,10 +51,17 @@ func init() {
 utilruntime.Must(admissionregistrationv1.AddToScheme(genericScheme))
 }
+// StaticResourcesPreconditionsFuncType checks if the precondition is met (is true) and then proceeds with the sync.
+// When the requirement is not met, the controller reports degraded status.
+//
+// In case, the returned ready flag is false, a proper error with a valid description is recommended.
+type StaticResourcesPreconditionsFuncType func(ctx context.Context) (bool, error)
+
 type StaticResourceController struct {
 name string
 manifests []conditionalManifests
 ignoreNotFoundOnCreate bool
+ preconfitions []StaticResourcesPreconditionsFuncType
 operatorClient v1helpers.OperatorClient
 clients *resourceapply.ClientHolder
@@ -99,6 +106,8 @@ func NewStaticResourceController(
 operatorClient: operatorClient,
 clients: clients,
+ preconfitions: []StaticResourcesPreconditionsFuncType{defaultStaticResourcesPreconditionsFunc},
+
 eventRecorder: eventRecorder.WithComponentSuffix(strings.ToLower(name)),
 factory: factory.New().WithInformers(operatorClient.Informer()).ResyncEvery(1 * time.Minute),
@@ -119,6 +128,18 @@ func (c *StaticResourceController) WithIgnoreNotFoundOnCreate() *StaticResourceC
 return c
 }
+// WithPrecondition adds a precondition, which blocks the sync method from being executed. Preconditions might be chained using:
+// WithPrecondition(a).WithPrecondition(b).WithPrecondition(c).
+// If any of the preconditions is false, the sync will result in an error.
+//
+// The requirement parameter should follow the convention described in the StaticResourcesPreconditionsFuncType.
+//
+// When the requirement is not met, the controller reports degraded status.
+func (c *StaticResourceController) WithPrecondition(precondition StaticResourcesPreconditionsFuncType) *StaticResourceController {
+ c.preconfitions = append(c.preconfitions, precondition)
+ return c
+}
+
 // WithConditionalResources adds a set of manifests to be created when the shouldCreateFnArg is true and should be
 // deleted when the shouldDeleteFnArg is true.
 // If shouldCreateFnArg is nil, then it is always create.
@@ -262,6 +283,28 @@ func (c *StaticResourceController) Sync(ctx context.Context, syncContext factory
 return nil
 }
+ for _, precondition := range c.preconfitions {
+ ready, err := precondition(ctx)
+ // We don't care about the other preconditions, we just stop on the first one.
+ if !ready {
+ var message string
+ if err != nil {
+ message = err.Error()
+ } else {
+ message = "the operator didn't specify what preconditions are missing"
+ }
+ if _, _, updateErr := v1helpers.UpdateStatus(ctx, c.operatorClient, v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
+ Type: fmt.Sprintf("%sDegraded", c.name),
+ Status: operatorv1.ConditionTrue,
+ Reason: "PreconditionNotReady",
+ Message: message,
+ })); updateErr != nil {
+ return updateErr
+ }
+ return err
+ }
+ }
+
 errors := []error{}
 var notFoundErrorsCount int
 for _, conditionalManifest := range c.manifests {
@@ -393,3 +436,7 @@ func (c *StaticResourceController) RelatedObjects() ([]configv1.ObjectReference,
 func (c *StaticResourceController) Run(ctx context.Context, workers int) {
 c.factory.WithSync(c.Sync).ToController(c.Name(), c.eventRecorder).Run(ctx, workers)
 }
+
+func defaultStaticResourcesPreconditionsFunc(_ context.Context) (bool, error) {
+ return true, nil
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
index 46d5c13b0c..de48550f6f 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
@@ -383,3 +383,42 @@ func InjectObservedProxyIntoContainers(podSpec *corev1.PodSpec, containerNames [
 return nil
 }
+
+func InjectTrustedCAIntoContainers(podSpec *corev1.PodSpec, configMapName string, containerNames []string) error {
+ podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: configMapName,
+ },
+ Items: []corev1.KeyToPath{
+ {Key: "ca-bundle.crt", Path: "tls-ca-bundle.pem"},
+ },
+ },
+ },
+ })
+
+ for _, containerName := range containerNames {
+ for i := range podSpec.InitContainers {
+ if podSpec.InitContainers[i].Name == containerName {
+ podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ MountPath: "/etc/pki/ca-trust/extracted/pem",
+ ReadOnly: true,
+ })
+ }
+ }
+ for i := range podSpec.Containers {
+ if podSpec.Containers[i].Name == containerName {
+ podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, corev1.VolumeMount{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ MountPath: "/etc/pki/ca-trust/extracted/pem",
+ ReadOnly: true,
+ })
+ }
+ }
+ }
+
+ return nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4f27ada1ea..b577019c3e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -249,7 +249,7 @@ github.com/openshift/client-go/route/informers/externalversions/route/v1
 github.com/openshift/client-go/route/listers/route/v1
 github.com/openshift/client-go/user/clientset/versioned/scheme
 github.com/openshift/client-go/user/clientset/versioned/typed/user/v1
-# github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492
+# github.com/openshift/library-go v0.0.0-20220117173518-ca57b619b5d6
 ## explicit; go 1.17
 github.com/openshift/library-go/pkg/apps/deployment
 github.com/openshift/library-go/pkg/assets