operator-framework · ecordell · Nov 1, 2019 · Nov 1, 2019 · Oct 8, 2019 · Jun 3, 2019
diff --git a/Dockerfile b/Dockerfile
@@ -38,6 +38,7 @@ USER 1001
 
 EXPOSE 8080
 EXPOSE 5443
+EXPOSE 6789
 
 # Apply labels as needed. ART build automation fills in others required for
 # shipping, including component NVR (name-version-release) and image name. OSBS

diff --git a/Makefile b/Makefile
@@ -121,6 +121,7 @@ container:
 	docker build -t $(IMAGE_REPO):$(IMAGE_TAG) .
 
 clean-e2e:
+	kubectl delete validatingwebhookconfigurations --all
 	kubectl delete crds --all
 	kubectl delete apiservices.apiregistration.k8s.io v1.packages.operators.coreos.com || true
 	kubectl delete -f test/e2e/resources/0000_50_olm_00-namespace.yaml

diff --git a/README.md b/README.md
@@ -27,11 +27,11 @@ This project does not:
 ## Prerequisites
 
 - [git][git_tool]
-- [go][go_tool] version v1.12+.
+- [go][go_tool] version v1.13+.
 - [docker][docker_tool] version 17.03+.
   - Alternatively [podman][podman_tool] `v1.2.0+` or [buildah][buildah_tool] `v1.7+`
-- [kubectl][kubectl_tool] version v1.11.3+.
-- Access to a Kubernetes v1.11.3+ cluster.
+- [kubectl][kubectl_tool] version v1.16+.
+- Access to a Kubernetes v1.16+ cluster.
 
 ## Getting Started 
 

diff --git a/cmd/olm/main.go b/cmd/olm/main.go
@@ -15,7 +15,9 @@ import (
 	log "github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/util/workqueue"
 
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/admission"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
@@ -173,6 +175,7 @@ func main() {
 	if err != nil {
 		log.Fatalf("error configuring client: %s", err.Error())
 	}
+	csvAdmitQueue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "csvAdmit")
 
 	cleanup(logger, opClient, crClient)
 
@@ -186,6 +189,7 @@ func main() {
 		olm.WithOperatorClient(opClient),
 		olm.WithRestConfig(config),
 		olm.WithConfigClient(versionedConfigClient),
+		olm.WithCSVAdmissionQueue(csvAdmitQueue),
 	)
 	if err != nil {
 		log.WithError(err).Fatalf("error configuring operator")
@@ -212,5 +216,16 @@ func main() {
 		go monitor.Run(op.Done())
 	}
 
+	logger.Info("configuring admission")
+
+	admissionMux := http.NewServeMux()
+	admissionMux.HandleFunc("/operator-admit", admission.AdmitHandlerFunc(csvAdmitQueue))
+	go func() {
+		err := http.ListenAndServeTLS(":6789", "/webhook.local.config/certificates/webhook.crt", "/webhook.local.config/certificates/webhook.key", admissionMux)
+		if err != nil {
+			logger.Errorf("Admission Webhook serving failed: %v", err)
+		}
+	}()
+
 	<-op.Done()
 }
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -5,102 +5,4 @@ metadata:
   namespace: {{ .Values.namespace }}
   labels:
     app: olm-operator
-spec:
-  strategy:
-    type: RollingUpdate
-  replicas: {{ .Values.olm.replicaCount }}
-  selector:
-    matchLabels:
-      app: olm-operator
-  template:
-    metadata:
-      labels:
-        app: olm-operator
-    spec:
-      serviceAccountName: olm-operator-serviceaccount
-      {{- if and .Values.installType (eq .Values.installType "ocp") }}
-      priorityClassName: "system-cluster-critical"
-      {{- end }}
-      containers:
-        - name: olm-operator
-          command:
-          - /bin/olm
-          args:
-          - -namespace
-          - $(OPERATOR_NAMESPACE)
-          {{- if .Values.watchedNamespaces }}
-          - -watchedNamespaces
-          - {{ .Values.watchedNamespaces }}
-          {{- end }}
-          {{- if .Values.olm.commandArgs }}
-          - {{ .Values.olm.commandArgs }}
-          {{- end }}
-          {{- if .Values.debug }}
-          - -debug
-          {{- end }}
-          {{- if .Values.writeStatusName }}
-          - -writeStatusName
-          - {{ .Values.writeStatusName }}
-          {{- end }}
-          {{- if .Values.writePackageServerStatusName }}
-          - -writePackageServerStatusName
-          - {{ .Values.writePackageServerStatusName }}
-          {{- end }}
-          {{- if .Values.olm.tlsCertPath }}
-          - -tls-cert
-          - {{ .Values.olm.tlsCertPath }}
-          {{- end }}
-          {{- if .Values.olm.tlsKeyPath }}
-          - -tls-key
-          - {{ .Values.olm.tlsKeyPath }}
-          {{- end }}
-          image: {{ .Values.olm.image.ref }}
-          imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
-          ports:
-            - containerPort: {{ .Values.olm.service.internalPort }}
-            - containerPort: 8081
-              name: metrics
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: {{ .Values.olm.service.internalPort }}
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: {{ .Values.olm.service.internalPort }}
-          terminationMessagePolicy: FallbackToLogsOnError
-          env:
-        {{ if and .Values.installType (eq .Values.installType "ocp") }}
-          - name: RELEASE_VERSION
-            value: "0.0.1-snapshot"
-        {{ end }}
-          - name: OPERATOR_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: OPERATOR_NAME
-            value: olm-operator
-          {{- if .Values.olm.resources }}
-          resources:
-{{ toYaml .Values.olm.resources | indent 12 }}
-          {{- end}}
-          {{ if and .Values.installType (eq .Values.installType "ocp") }}
-          volumeMounts:
-          - mountPath: /var/run/secrets/serving-cert
-            name: serving-cert
-          {{ end }}
-      {{ if and .Values.installType (eq .Values.installType "ocp") }}
-      volumes:
-      - name: serving-cert
-        secret:
-          secretName: olm-operator-serving-cert
-      {{ end }}
-    {{- if .Values.olm.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.olm.nodeSelector | indent 8 }}
-    {{- end }}
-    {{- if .Values.olm.tolerations }}
-      tolerations:
-{{ toYaml .Values.olm.tolerations | indent 6 }}
-    {{- end }}
+{{- include "olm.deployment-spec" . }}
diff --git a/deploy/chart/templates/0000_50_olm_15-packageserver.clusterserviceversion.yaml b/deploy/chart/templates/0000_50_olm_15-packageserver.clusterserviceversion.yaml
@@ -1 +1,83 @@
-{{- include "packageserver.clusterserviceversion" . }}
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  name: packageserver
+  namespace: {{ .Values.namespace }}
+  labels:
+    olm.version: {{ .Chart.Version }}
+    {{- if .Values.writePackageServerStatusName }}
+    olm.clusteroperator.name: {{ .Values.writePackageServerStatusName }}
+    {{- end }}
+spec:
+  displayName: Package Server
+  description: Represents an Operator package that is available from a given CatalogSource which will resolve to a ClusterServiceVersion.
+  minKubeVersion: {{ .Values.minKubeVersion }}
+  keywords: ['packagemanifests', 'olm', 'packages']
+  maintainers:
+    - name: Red Hat
+      email: openshift-operators@redhat.com
+  provider:
+    name: Red Hat
+  links:
+    - name: Package Server
+      url: https://github.com/operator-framework/operator-lifecycle-manager/tree/master/pkg/package-server
+  installModes:
+    - type: OwnNamespace
+      supported: true
+    - type: SingleNamespace
+      supported: true
+    - type: MultiNamespace
+      supported: true
+    - type: AllNamespaces
+      supported: true
+  install:
+    strategy: deployment
+    spec:
+      clusterPermissions:
+        - serviceAccountName: olm-operator-serviceaccount
+          rules:
+            - apiGroups:
+                - authorization.k8s.io
+              resources:
+                - subjectaccessreviews
+              verbs:
+                - create
+                - get
+            - apiGroups:
+                - ""
+              resources:
+                - configmaps
+              verbs:
+                - get
+                - list
+                - watch
+            - apiGroups:
+                - "operators.coreos.com"
+              resources:
+                - catalogsources
+              verbs:
+                - get
+                - list
+                - watch
+            - apiGroups:
+                - "packages.operators.coreos.com"
+              resources:
+                - packagemanifests
+              verbs:
+                - get
+                - list
+      deployments:
+      - name: packageserver
+          {{- include "packageserver.deployment-spec" . | nindent 8 }}
+  maturity: alpha
+  version: {{ .Chart.Version }}
+  apiservicedefinitions:
+    owned:
+      - group: packages.operators.coreos.com
+        version: v1
+        kind: PackageManifest
+        name: packagemanifests
+        displayName: PackageManifest
+        description: A PackageManifest is a resource generated from existing CatalogSources and their ConfigMaps
+        deploymentName: packageserver
+        containerPort: {{ .Values.package.service.internalPort }}
diff --git a/deploy/chart/templates/0000_50_olm_16-olm.clusterserviceversion.yaml b/deploy/chart/templates/0000_50_olm_16-olm.clusterserviceversion.yaml
@@ -0,0 +1,64 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  name: olm
+  namespace: {{ .Values.namespace }}
+  labels:
+    olm.version: {{ .Chart.Version }}
+spec:
+  displayName: Operator Lifecycle Manager
+  description: later
+  minKubeVersion: {{ .Values.minKubeVersion }}
+  keywords: ['operat', 'olm', 'lifecycle']
+  maintainers:
+    - name: Red Hat
+      email: openshift-operators@redhat.com
+  provider:
+    name: Red Hat
+  installModes:
+    - type: OwnNamespace
+      supported: true
+    - type: SingleNamespace
+      supported: true
+    - type: MultiNamespace
+      supported: true
+    - type: AllNamespaces
+      supported: true
+  install:
+    strategy: deployment
+    spec:
+      clusterPermissions:
+        - serviceAccountName: olm-operator-serviceaccount
+          rules:
+            - apiGroups: ["*"]
+              resources: ["*"]
+              verbs: ["*"]
+            - nonResourceURLs: ["*"]
+              verbs: ["*"]
+      deployments:
+      - name: olm-operator
+        {{- include "olm.deployment-spec" . | nindent 8 }}
+  maturity: alpha
+  version: {{ .Chart.Version }}
+  webhookdefinitions:
+    - name: csv.operators.coreos.com
+      type: ValidatingAdmissionWebhook
+      deploymentName: olm-operator
+      webhookPath: "/operator-admit"
+      containerPort: 6789
+      sideEffects: "None"
+      failurePolicy: Fail
+      admissionReviewVersions:
+        - "v1"
+        - "v1beta1"
+      rules:
+        - apiGroups:
+            - "operators.coreos.com"
+          apiVersions:
+            - v1alpha1
+          operations:
+            - CREATE
+          resources:
+            - clusterserviceversions
+          scope: "Namespaced"
+      timeoutSeconds: 1
diff --git a/deploy/chart/templates/0000_90_olm_00-service-monitor.yaml b/deploy/chart/templates/0000_90_olm_00-service-monitor.yaml
@@ -36,7 +36,6 @@ metadata:
   labels:
     app: catalog-operator
 spec:
-  jobLabel: k8s-app
   endpoints:
   - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
     interval: 30s