Remove CRDs from tigera-operator.yaml

Makefile

@@ -71,8 +71,6 @@ get-operator-crds: var-require-all-OPERATOR_BRANCH
 	@echo ================================================================
 	cd ./charts/tigera-operator/crds/ && \
 	for file in operator.tigera.io_*.yaml; do echo "downloading $$file from operator repo" && curl -fsSL https://raw.githubusercontent.com/tigera/operator/$(OPERATOR_BRANCH)/pkg/crds/operator/$${file%_crd.yaml}.yaml -o $${file}; done
-	cd ./manifests/ocp/ && \
-	for file in operator.tigera.io_*.yaml; do echo "downloading $$file from operator repo" && curl -fsSL https://raw.githubusercontent.com/tigera/operator/$(OPERATOR_BRANCH)/pkg/crds/operator/$${file%_crd.yaml}.yaml -o $${file}; done
 
 gen-semaphore-yaml:
 	cd .semaphore && ./generate-semaphore-yaml.sh
@@ -160,14 +158,7 @@ helm-index:
 
 # Creates the tar file used for installing Calico on OpenShift.
 bin/ocp.tgz: manifests/ocp/ bin/yq
-	mkdir -p bin/tmp
-	cp -r manifests/ocp bin/tmp/
-	$(DOCKER_RUN) $(CALICO_BUILD) /bin/bash -c "                                        \
-		for file in bin/tmp/ocp/*crd* ;                                                 \
-        	do bin/yq -i 'del(.. | select(has(\"description\")).description)' \$$file ; \
-        done"
-	tar czvf $@ -C bin/tmp ocp
-	rm -rf bin/tmp
+	tar czvf $@ -C manifests/ ocp
 
 ## Generates release notes for the given version.
 .PHONY: release-notes

charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml

@@ -6,6 +6,49 @@ metadata:
   labels:
     {{- include "tigera-operator.labels" (dict "context" .) | nindent 4 }}
 rules:
+  # The tigera/operator installs CustomResourceDefinitions necessary for itself
+  # and Calico more broadly to function.
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+  # We only allow update access to our own CRDs.
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - update
+    resourceNames:
+      - adminnetworkpolicies.policy.networking.k8s.io
+      - apiservers.operator.tigera.io
+      - imagesets.operator.tigera.io
+      - installations.operator.tigera.io
+      - tigerastatuses.operator.tigera.io
+      - bgpconfigurations.crd.projectcalico.org
+      - bgpfilters.crd.projectcalico.org
+      - bgppeers.crd.projectcalico.org
+      - blockaffinities.crd.projectcalico.org
+      - caliconodestatuses.crd.projectcalico.org
+      - clusterinformations.crd.projectcalico.org
+      - felixconfigurations.crd.projectcalico.org
+      - globalnetworkpolicies.crd.projectcalico.org
+      - globalnetworksets.crd.projectcalico.org
+      - hostendpoints.crd.projectcalico.org
+      - ipamblocks.crd.projectcalico.org
+      - ipamconfigs.crd.projectcalico.org
+      - ipamhandles.crd.projectcalico.org
+      - ippools.crd.projectcalico.org
+      - ipreservations.crd.projectcalico.org
+      - kubecontrollersconfigurations.crd.projectcalico.org
+      - networkpolicies.crd.projectcalico.org
+      - networksets.crd.projectcalico.org
+      - tiers.crd.projectcalico.org
   - apiGroups:
       - ""
     resources:

charts/tigera-operator/templates/tigera-operator/02-tigera-operator.yaml

@@ -51,6 +51,9 @@ spec:
           imagePullPolicy: IfNotPresent
           command:
             - operator
+          args:
+            # Configure tigera-operator to manage installation of the necessary CRDs.
+            - -manage-crds=true
           volumeMounts:
             - name: var-lib-calico
               readOnly: true
@@ -88,6 +91,14 @@ spec:
             defaultMode: 0777
             name: install-resources-script
       initContainers:
+        # Install CRDs first, so that APIs exist for calicoctl to use.
+        - name: bootstrap-crds
+          image: {{ template "tigera-operator.image" .Values.tigeraOperator}}
+          command:
+            - operator
+          args:
+            - -bootstrap-crds
+        # Install any v3 API resources provided in the calico-resources ConfigMap.
         - name: create-initial-resources
           image: {{.Values.calicoctl.image}}:{{.Values.calicoctl.tag}}
           env:

manifests/generate.sh

@@ -32,7 +32,6 @@ metadata:
 EOF
 
 ${HELM} -n tigera-operator template \
-	--include-crds \
 	--no-hooks \
 	--set installation.enabled=false \
 	--set apiServer.enabled=false \
@@ -96,7 +95,7 @@ done
 # OCP requires resources in their own yaml files, so output to a dir.
 # Then do a bit of cleanup to reduce the directory depth to 1.
 ##########################################################################
-${HELM} template --include-crds \
+${HELM} template \
 	-n tigera-operator \
 	../charts/tigera-operator/ \
 	--output-dir ocp \