Merge pull request #459 from securesign/env-openshift

Add new flag for manager to define target k8s environment

.github/workflows/main.yml

@@ -26,6 +26,15 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
       - name: Remove rhel9 suffix from images.go
         uses: jacobtomlinson/gha-find-replace@v3
         with:
@@ -109,7 +118,7 @@ jobs:
         run: cat internal/controller/constants/images.go
 
       - name: Build operator container
-        run: IMG=ttl.sh/securesign/secure-sign-operator:1h make docker-build docker-push
+        run: IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h make docker-build docker-push
 
   test-kind:
     name: Test kind deployment
@@ -123,7 +132,16 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
-
+
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go- 
+
       - name: Log in to registry.redhat.io
         uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
         with:
@@ -147,7 +165,8 @@ jobs:
           kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
 
       - name: Deploy operator container
-        run: IMG=ttl.sh/securesign/secure-sign-operator:1h make deploy
+        run: |
+          IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h OPENSHIFT=false make deploy
 
       - name: Wait for operator to be ready
         run: | 
@@ -227,6 +246,15 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
       - name: Install eksctl
         run: |
           ARCH=amd64
@@ -252,7 +280,7 @@ jobs:
           kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/aws/deploy.yaml
 
       - name: Deploy operator container
-        run: IMG=ttl.sh/securesign/secure-sign-operator:1h make deploy
+        run: IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h make deploy
 
       - name: Wait for operator to be ready
         run: | 

.github/workflows/upgrade.yml

@@ -31,6 +31,15 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
       - name: Log in to registry.redhat.io
         uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
         with:
@@ -223,5 +232,5 @@ jobs:
         run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
 
       - name: Run tests
-        run: TEST_BASE_CATALOG=registry.redhat.io/redhat/redhat-operator-index:v4.14 TEST_TARGET_CATALOG=$CATALOG_IMG go test ./test/e2e/... -tags=upgrade -timeout 20m
+        run: TEST_BASE_CATALOG=registry.redhat.io/redhat/redhat-operator-index:v4.14 TEST_TARGET_CATALOG=$CATALOG_IMG OPENSHIFT=false go test ./test/e2e/... -tags=upgrade -timeout 20m
 

Makefile

@@ -83,6 +83,8 @@ CONTAINER_TOOL ?= docker
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
+OPENSHIFT ?= true
+
 .PHONY: all
 all: build
 
@@ -206,6 +208,9 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
+	@if [ "$(OPENSHIFT)" == "false" ]; then \
+		$(KUBECTL) patch deploy -n openshift-rhtas-operator -p '{"spec": {"template": {"spec": {"containers": [{"name": "manager","env": [{"name": "OPENSHIFT","value":"false"}]}]}}}}' rhtas-operator-controller-manager; \
+	fi
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-06-13T10:31:51Z"
+    createdAt: "2024-06-24T12:36:11Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -737,6 +737,9 @@ spec:
                 - --leader-elect
                 command:
                 - /manager
+                env:
+                - name: OPENSHIFT
+                  value: "true"
                 image: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
                 livenessProbe:
                   httpGet:

cmd/main.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"strconv"
 
 	consolev1 "github.com/openshift/api/console/v1"
 	v1 "github.com/openshift/api/operator/v1"
@@ -92,6 +93,7 @@ func main() {
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.Int64Var(&constants.CreateTreeDeadline, "create-tree-deadline", constants.CreateTreeDeadline, "The time allowance (in seconds) for the create tree job to run before failing.")
+	utils.BoolFlagOrEnv(&constants.Openshift, "openshift", "OPENSHIFT", false, "Enable to ensures the operator applies OpenShift specific configurations.")
 	utils.StringFlagOrEnv(&constants.TrillianLogSignerImage, "trillian-log-signer-image", "TRILLIAN_LOG_SIGNER_IMAGE", constants.TrillianLogSignerImage, "The image used for trillian log signer.")
 	utils.StringFlagOrEnv(&constants.TrillianServerImage, "trillian-log-server-image", "TRILLIAN_LOG_SERVER_IMAGE", constants.TrillianServerImage, "The image used for trillian log server.")
 	utils.StringFlagOrEnv(&constants.TrillianDbImage, "trillian-db-image", "TRILLIAN_DB_IMAGE", constants.TrillianDbImage, "The image used for trillian's database.")
@@ -232,6 +234,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	setupLog.WithName("IsOpenshift").Info(strconv.FormatBool(constants.Openshift))
+
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")

config/crd/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 - bases/rhtas.redhat.com_ctlogs.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
-patches:
+patches: []
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- path: patches/webhook_in_securesigns.yaml

config/default/kustomization.yaml

@@ -1,3 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
 # Adds namespace to all resources.
 namespace: openshift-rhtas-operator
 
@@ -12,7 +15,7 @@ namePrefix: rhtas-
 #commonLabels:
 #  someName: someValue
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager
@@ -25,6 +28,10 @@ bases:
 #- ../prometheus
 
 patches:
+  - path: manager_openshift_patch.yaml
+    target:
+      kind: Deployment
+      name: operator-controller-manager
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.

config/default/manager_openshift_patch.yaml

@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  operator-controller-manager
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+            - name: OPENSHIFT
+              value: "true"

config/manager/manager.yaml

@@ -77,6 +77,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
+        env: []
         livenessProbe:
           httpGet:
             path: /healthz

config/manifests/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 # These resources constitute the fully configured set of manifests
 # used to generate the 'manifests/' directory in a bundle.
 resources:

config/scorecard/kustomization.yaml

@@ -1,16 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
 - bases/config.yaml
-patchesJson6902:
+patches:
 - path: patches/basic.config.yaml
   target:
     group: scorecard.operatorframework.io
-    version: v1alpha3
     kind: Configuration
     name: config
+    version: v1alpha3
 - path: patches/olm.config.yaml
   target:
     group: scorecard.operatorframework.io
-    version: v1alpha3
     kind: Configuration
     name: config
-#+kubebuilder:scaffold:patchesJson6902
+    version: v1alpha3

internal/clidownload/component.go

@@ -60,7 +60,7 @@ func (c *Component) Start(ctx context.Context) error {
 	}
 	obj = append(obj, ingress)
 
-	if kubernetes.IsOpenShift(c.Client) {
+	if kubernetes.IsOpenShift() {
 		protocol := "http://"
 		if len(ingress.Spec.TLS) > 0 {
 			protocol = "https://"

internal/controller/common/utils/flag_or_env.go

@@ -3,9 +3,10 @@ package utils
 import (
 	"flag"
 	"os"
+	"strconv"
 )
 
-// stringFlagOrEnv defines a string flag which can be set by an environment variable.
+// StringFlagOrEnv defines a string flag which can be set by an environment variable.
 // Precedence: flag > env var > default value.
 func StringFlagOrEnv(p *string, name string, envName string, defaultValue string, usage string) {
 	envValue := os.Getenv(envName)
@@ -14,3 +15,13 @@ func StringFlagOrEnv(p *string, name string, envName string, defaultValue string
 	}
 	flag.StringVar(p, name, defaultValue, usage)
 }
+
+// BoolFlagOrEnv defines a bool flag which can be set by an environment variable.
+// Precedence: flag > env var > default value.
+func BoolFlagOrEnv(p *bool, name string, envName string, defaultValue bool, usage string) {
+	envValue := os.Getenv(envName)
+	if envName != "" {
+		defaultValue, _ = strconv.ParseBool(envValue)
+	}
+	flag.BoolVar(p, name, defaultValue, usage)
+}

internal/controller/common/utils/kubernetes/common.go

@@ -3,17 +3,12 @@ package kubernetes
 import (
 	"context"
 	"fmt"
-	"github.com/go-logr/logr"
-	"k8s.io/apimachinery/pkg/api/meta"
+	"github.com/securesign/operator/internal/controller/constants"
 	"os"
 	"path/filepath"
-	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
-	"strconv"
-	"sync"
 	"time"
 
 	v13 "github.com/openshift/api/operator/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -75,47 +70,12 @@ func ContainerMode() (bool, error) {
 	return false, nil
 }
 
-var onceIsOpenshift sync.Once
-var isOpenshift bool
-
-func IsOpenShift(client client.Client) bool {
-	// atomic
-	onceIsOpenshift.Do(func() {
-		log := ctrllog.Log.WithName("IsOpenshift")
-		isOpenshift = checkIsOpenshift(client, log)
-		log.Info(strconv.FormatBool(isOpenshift))
-	})
-
-	return isOpenshift
-}
-
-func checkIsOpenshift(client client.Client, logger logr.Logger) bool {
-
-	_, err := client.RESTMapper().ResourceFor(schema.GroupVersionResource{
-		Group:    "security.openshift.io",
-		Resource: "SecurityContextConstraints",
-	})
-
-	for i := 0; i < openshiftCheckLimit; i++ {
-		if err != nil {
-			if meta.IsNoMatchError(err) {
-				// continue with non-ocp standard
-				return false
-			}
-
-			logger.Info("failed to identify", "retry", fmt.Sprintf("%d/%d", i, openshiftCheckLimit))
-			logger.V(1).Info(err.Error())
-			time.Sleep(time.Duration(i) * openshiftCheckDelay)
-			continue
-		}
-		return true
-	}
-
-	return false
+func IsOpenShift() bool {
+	return constants.Openshift
 }
 
 func CalculateHostname(ctx context.Context, client client.Client, svcName, ns string) (string, error) {
-	if IsOpenShift(client) {
+	if IsOpenShift() {
 		ctrl := &v13.IngressController{}
 		if err := client.Get(ctx, types.NamespacedName{Namespace: "openshift-ingress-operator", Name: "default"}, ctrl); err != nil {
 			return "", err

internal/controller/common/utils/kubernetes/ingress.go

@@ -16,7 +16,7 @@ func CreateIngress(ctx context.Context, cli client.Client, svc v12.Service, conf
 	var tlsConfig []networkingv1.IngressTLS
 	var annotations map[string]string
 
-	if IsOpenShift(cli) {
+	if IsOpenShift() {
 		annotations = map[string]string{"route.openshift.io/termination": "edge"}
 		// ocp is able to autogenerate TLS
 		tlsConfig = []networkingv1.IngressTLS{

internal/controller/constants/config.go

@@ -2,4 +2,5 @@ package constants
 
 var (
 	CreateTreeDeadline int64 = 1200
+	Openshift          bool
 )

internal/controller/trillian/actions/db/deployment.go

@@ -41,7 +41,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 		updated   bool
 		openshift bool
 	)
-	openshift = kubernetes.IsOpenShift(i.Client)
+	openshift = kubernetes.IsOpenShift()
 
 	labels := constants.LabelsFor(actions.DbComponentName, actions.DbDeploymentName, instance.Name)
 	db, err := trillianUtils.CreateTrillDb(instance, actions.DbDeploymentName, actions.RBACName, openshift, labels)