Bundle modifications (#567)

* Revert 640a4db, remove OSE specific ServiceAccountName from pods * Add k8ssandra-client from quay.io to certified-bundle * Fix some rebase issues * Remove k8ssandra-client from registry.connect.redhat.com for now * No backport * One more
k8ssandra · Sep 9, 2023 · 214035d · 214035d
1 parent 3e957ad
commit 214035d
Show file tree

Hide file tree

Showing 20 changed files with 70 additions and 186 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,8 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti
 
 ## unreleased
 
+* [CHANGE] [#541](https://github.com/k8ssandra/cass-operator/issues/541) Revert when deployed through OLM, add serviceAccount to Cassandra pods that use nonroot priviledge. This is no longer necessary with 1.17.0 and up.
+
 ## v1.17.0
 
 * [CHANGE] [#565](https://github.com/k8ssandra/cass-operator/issues/565) Replace the use of wget with curl when making Kubernetes -> management-api HTTP(S) calls

diff --git a/Makefile b/Makefile
@@ -315,8 +315,7 @@ endif
 bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPSDK) generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	scripts/preprocess-bundle.sh
-	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/manifests | $(OPSDK) generate bundle -q --overwrite --extra-service-accounts cass-operator-cassandra-default-sa --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/manifests | $(OPSDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	scripts/postprocess-bundle.sh $(REGISTRY)
 	$(OPSDK) bundle validate ./bundle --select-optional suite=operatorframework
 

diff --git a/apis/config/v1beta1/operatorconfig_types.go b/apis/config/v1beta1/operatorconfig_types.go
@@ -38,9 +38,6 @@ type OperatorConfig struct {
 
 	// ImageConfigFile indicates the path where to load the imageConfig from
 	ImageConfigFile string `json:"imageConfigFile,omitempty"`
-
-	// OLMDeployed is set to true when operator is deployed through OLM. This will activate additional Openshift features
-	OLMDeployed bool `json:"olmDeployment,omitempty"`
 }
 
 func init() {

diff --git a/cmd/main.go b/cmd/main.go
@@ -115,11 +115,10 @@ func main() {
 	}
 
 	if err = (&controllers.CassandraDatacenterReconciler{
-		Client:         mgr.GetClient(),
-		Log:            ctrl.Log.WithName("controllers").WithName("CassandraDatacenter"),
-		Scheme:         mgr.GetScheme(),
-		Recorder:       mgr.GetEventRecorderFor("cass-operator"),
-		OperatorConfig: &operConfig,
+		Client:   mgr.GetClient(),
+		Log:      ctrl.Log.WithName("controllers").WithName("CassandraDatacenter"),
+		Scheme:   mgr.GetScheme(),
+		Recorder: mgr.GetEventRecorderFor("cass-operator"),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CassandraDatacenter")
 		os.Exit(1)

diff --git a/config/components/webhook/controller_manager_config.yaml b/config/components/webhook/controller_manager_config.yaml
@@ -13,4 +13,3 @@ leaderElection:
   resourceName: b569adb7.cassandra.datastax.com
 disableWebhooks: false
 imageConfigFile: /configs/image_config.yaml
-olmDeployment: false
diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml
@@ -13,4 +13,3 @@ leaderElection:
   resourceName: b569adb7.cassandra.datastax.com
 disableWebhooks: true
 imageConfigFile: /configs/image_config.yaml
-olmDeployment: false
diff --git a/config/rbac/nonroot_role.yaml b/config/rbac/nonroot_role.yaml
diff --git a/config/rbac/service_account_nonroot.yaml b/config/rbac/service_account_nonroot.yaml
diff --git a/config/samples/example-cassdc-three-nodes-single-rack.yaml b/config/samples/example-cassdc-three-nodes-single-rack.yaml
@@ -17,6 +17,7 @@ spec:
         resources:
           requests:
             storage: 10Gi
+  dockerImageRunsAsCassandra: false
   resources:
     requests:
       memory: 2Gi

diff --git a/internal/controllers/cassandra/cassandradatacenter_controller.go b/internal/controllers/cassandra/cassandradatacenter_controller.go
@@ -44,7 +44,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	api "github.com/k8ssandra/cass-operator/apis/cassandra/v1beta1"
-	configv1beta1 "github.com/k8ssandra/cass-operator/apis/config/v1beta1"
 )
 
 var (
@@ -76,9 +75,6 @@ type CassandraDatacenterReconciler struct {
 	// during reconciliation where we update the mappings for the watches.
 	// Putting it here allows us to get it to both places.
 	SecretWatches dynamicwatch.DynamicWatches
-
-	// OperatorConfig allows Reconciler to access generic configuration properties
-	OperatorConfig *configv1beta1.OperatorConfig
 }
 
 // Reconcile reads that state of the cluster for a Datacenter object
@@ -109,7 +105,7 @@ func (r *CassandraDatacenterReconciler) Reconcile(ctx context.Context, request c
 
 	logger.Info("======== handler::Reconcile has been called")
 
-	rc, err := reconciliation.CreateReconciliationContext(ctx, &request, r.Client, r.Scheme, r.Recorder, r.SecretWatches, r.OperatorConfig.OLMDeployed)
+	rc, err := reconciliation.CreateReconciliationContext(ctx, &request, r.Client, r.Scheme, r.Recorder, r.SecretWatches)
 
 	if err != nil {
 		if errors.IsNotFound(err) {

diff --git a/internal/controllers/cassandra/suite_test.go b/internal/controllers/cassandra/suite_test.go
@@ -36,7 +36,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	cassandradatastaxcomv1beta1 "github.com/k8ssandra/cass-operator/apis/cassandra/v1beta1"
-	configv1beta1 "github.com/k8ssandra/cass-operator/apis/config/v1beta1"
 	controlapi "github.com/k8ssandra/cass-operator/apis/control/v1alpha1"
 	"github.com/k8ssandra/cass-operator/pkg/images"
 	"github.com/k8ssandra/cass-operator/pkg/reconciliation"
@@ -97,16 +96,11 @@ var _ = BeforeSuite(func() {
 	})
 	Expect(err).ToNot(HaveOccurred())
 
-	operConfig := &configv1beta1.OperatorConfig{
-		OLMDeployed: false,
-	}
-
 	err = (&CassandraDatacenterReconciler{
-		Client:         k8sClient,
-		Log:            ctrl.Log.WithName("controllers").WithName("CassandraDatacenter"),
-		Scheme:         k8sManager.GetScheme(),
-		Recorder:       k8sManager.GetEventRecorderFor("cass-operator"),
-		OperatorConfig: operConfig,
+		Client:   k8sClient,
+		Log:      ctrl.Log.WithName("controllers").WithName("CassandraDatacenter"),
+		Scheme:   k8sManager.GetScheme(),
+		Recorder: k8sManager.GetEventRecorderFor("cass-operator"),
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
 

diff --git a/pkg/reconciliation/construct_podtemplatespec.go b/pkg/reconciliation/construct_podtemplatespec.go
@@ -32,7 +32,6 @@ const (
 	CassandraContainerName               = "cassandra"
 	PvcName                              = "server-data"
 	SystemLoggerContainerName            = "server-system-logger"
-	OpenShiftPodServiceAccount           = "cass-operator-cassandra-default-sa"
 )
 
 // calculateNodeAffinity provides a way to decide where to schedule pods within a statefulset based on labels
@@ -740,7 +739,7 @@ func buildContainers(dc *api.CassandraDatacenter, baseTemplate *corev1.PodTempla
 	return nil
 }
 
-func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount, openShift bool) (*corev1.PodTemplateSpec, error) {
+func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyInternodeMount bool) (*corev1.PodTemplateSpec, error) {
 
 	baseTemplate := dc.Spec.PodTemplateSpec.DeepCopy()
 
@@ -749,9 +748,6 @@ func buildPodTemplateSpec(dc *api.CassandraDatacenter, rack api.Rack, addLegacyI
 	}
 
 	// Service Account
-	if openShift {
-		baseTemplate.Spec.ServiceAccountName = OpenShiftPodServiceAccount
-	}
 
 	if dc.Spec.ServiceAccountName != "" {
 		baseTemplate.Spec.ServiceAccountName = dc.Spec.ServiceAccountName

diff --git a/pkg/reconciliation/construct_podtemplatespec_test.go b/pkg/reconciliation/construct_podtemplatespec_test.go
@@ -566,7 +566,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_containers_merge(t *testing.T)
 			},
 		},
 	}
-	got, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	got, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 	assert.Equal(t, 3, len(got.Spec.Containers))
@@ -600,7 +600,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_initcontainers_merge(t *testin
 			ConfigBuilderResources: testContainer.Resources,
 		},
 	}
-	got, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	got, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 	assert.Equal(t, 2, len(got.Spec.InitContainers))
@@ -643,7 +643,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_add_initContainer_after_config
 		},
 	}
 
-	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 
@@ -704,7 +704,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_add_initContainer_with_volumes
 		},
 	}
 
-	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, false)
+	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true)
 
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 
@@ -814,7 +814,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_add_container_with_volumes(t *
 		},
 	}
 
-	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, false)
+	podTemplateSpec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true)
 
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 
@@ -871,7 +871,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_add_container_with_volumes(t *
 	testZoneRack := dc.Spec.Racks[0]
 	testZoneRack.NodeAffinityLabels = map[string]string{zoneLabel: "testzone"}
 	dc.Spec.Racks[0] = testZoneRack
-	podTemplateSpec, err = buildPodTemplateSpec(dc, testZoneRack, false, false)
+	podTemplateSpec, err = buildPodTemplateSpec(dc, testZoneRack, false)
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 
 	volumes = podTemplateSpec.Spec.Volumes
@@ -971,7 +971,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_labels_merge(t *testing.T) {
 	}
 	dc.Spec.PodTemplateSpec.Labels = map[string]string{"abc": "123"}
 
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 	got := spec.Labels
 
 	expected := dc.GetRackLabels("testrack")
@@ -1005,7 +1005,7 @@ func TestCassandraDatacenter_buildContainers_additional_labels(t *testing.T) {
 	}
 	dc.Spec.PodTemplateSpec.Labels = map[string]string{"abc": "123"}
 
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 	got := spec.Labels
 
 	expected := dc.GetRackLabels("testrack")
@@ -1046,7 +1046,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_overrideSecurityContext(t *tes
 		},
 	}
 
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "should not have gotten an error when building podTemplateSpec")
 	assert.NotNil(t, spec)
@@ -1098,7 +1098,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_do_not_propagate_volumes(t *te
 		},
 	}
 
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, false)
+	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true)
 	assert.NoError(t, err, "should not have gotten error when building podTemplateSpec")
 
 	initContainers := spec.Spec.InitContainers
@@ -1163,7 +1163,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_clientImage(t *testing.T) {
 
 	// 4.0 should not have the client image or new config builder, 4.1 should
 
-	spec40, err := buildPodTemplateSpec(dc40, dc40.Spec.Racks[0], false, false)
+	spec40, err := buildPodTemplateSpec(dc40, dc40.Spec.Racks[0], false)
 	assert.NoError(err, "should not have gotten error when building podTemplateSpec")
 
 	initContainers := spec40.Spec.InitContainers
@@ -1178,7 +1178,7 @@ func TestCassandraDatacenter_buildPodTemplateSpec_clientImage(t *testing.T) {
 	assert.True(volumesContains(volumes, volumeNameMatcher("server-logs")))
 	assert.True(volumesContains(volumes, volumeNameMatcher("vector-lib")))
 
-	spec41, err := buildPodTemplateSpec(dc41, dc41.Spec.Racks[0], false, false)
+	spec41, err := buildPodTemplateSpec(dc41, dc41.Spec.Racks[0], false)
 	assert.NoError(err, "should not have gotten error when building podTemplateSpec")
 
 	initContainers = spec41.Spec.InitContainers
@@ -1207,40 +1207,6 @@ func TestCassandraDatacenter_buildPodTemplateSpec_clientImage(t *testing.T) {
 	assert.True(volumesContains(volumes, volumeNameMatcher("vector-lib")))
 }
 
-func TestCassandraDatacenter_buildPodTemplateSpec_openShift(t *testing.T) {
-	assert := assert.New(t)
-
-	dc := &api.CassandraDatacenter{
-		Spec: api.CassandraDatacenterSpec{
-			ClusterName:   "bob",
-			ServerType:    "cassandra",
-			ServerVersion: "4.1.2",
-			Racks: []api.Rack{
-				{
-					Name: "default",
-				},
-			},
-		},
-	}
-
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, false)
-	assert.NoError(err, "should not have gotten error when building podTemplateSpec")
-
-	assert.Equal(spec.Spec.ServiceAccountName, "", "no default serviceAccount is set")
-
-	spec, err = buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, true)
-	assert.NoError(err, "should not have gotten error when building podTemplateSpec")
-
-	assert.Equal(spec.Spec.ServiceAccountName, OpenShiftPodServiceAccount, "missing serviceAccount when running under OLM")
-
-	dc.Spec.ServiceAccountName = "overrideSA"
-
-	spec, err = buildPodTemplateSpec(dc, dc.Spec.Racks[0], true, true)
-	assert.NoError(err, "should not have gotten error when building podTemplateSpec")
-
-	assert.Equal(spec.Spec.ServiceAccountName, "overrideSA", "under OLM the serviceAccountName must be overwritable")
-}
-
 func TestCassandraDatacenter_buildContainers_DisableSystemLoggerSidecar(t *testing.T) {
 	dc := &api.CassandraDatacenter{
 		Spec: api.CassandraDatacenterSpec{
@@ -1431,7 +1397,7 @@ func TestTolerations(t *testing.T) {
 		},
 	}
 
-	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	spec, err := buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "failed to build PodTemplateSpec")
 	// using ElementsMatch instead of Equal because we do not really care about ordering.
@@ -1468,7 +1434,7 @@ func TestTolerations(t *testing.T) {
 		},
 	}
 
-	spec, err = buildPodTemplateSpec(dc, dc.Spec.Racks[0], false, false)
+	spec, err = buildPodTemplateSpec(dc, dc.Spec.Racks[0], false)
 
 	assert.NoError(t, err, "failed to build PodTemplateSpec")
 	// using ElementsMatch instead of Equal because we do not really care about ordering.
@@ -1688,7 +1654,7 @@ func TestServiceAccountPrecedence(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		pds, err := buildPodTemplateSpec(test.dc, test.dc.Spec.Racks[0], false, false)
+		pds, err := buildPodTemplateSpec(test.dc, test.dc.Spec.Racks[0], false)
 		assert.NoError(err)
 		assert.Equal(test.accountName, pds.Spec.ServiceAccountName)
 	}

diff --git a/pkg/reconciliation/construct_statefulset.go b/pkg/reconciliation/construct_statefulset.go
@@ -64,8 +64,7 @@ func newStatefulSetForCassandraDatacenter(
 	sts *appsv1.StatefulSet,
 	rackName string,
 	dc *api.CassandraDatacenter,
-	replicaCount int,
-	openShift bool) (*appsv1.StatefulSet, error) {
+	replicaCount int) (*appsv1.StatefulSet, error) {
 
 	replicaCountInt32 := int32(replicaCount)
 
@@ -113,7 +112,7 @@ func newStatefulSetForCassandraDatacenter(
 
 	nsName := newNamespacedNameForStatefulSet(dc, rackName)
 
-	template, err := buildPodTemplateSpec(dc, rack, legacyInternodeMount(dc, sts), openShift)
+	template, err := buildPodTemplateSpec(dc, rack, legacyInternodeMount(dc, sts))
 	if err != nil {
 		return nil, err
 	}