(feat) block cluster upgrade when installed incompatible operators

Author: gallettilance

cmd/cluster-olm-operator/main.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/component-base/cli"
 	utilflag "k8s.io/component-base/cli/flag"
 
+	"github.com/openshift/cluster-olm-operator/internal/utils"
 	"github.com/openshift/cluster-olm-operator/pkg/clients"
 	"github.com/openshift/cluster-olm-operator/pkg/controller"
 	"github.com/openshift/cluster-olm-operator/pkg/version"
@@ -105,13 +106,28 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 		deploymentControllerList = append(deploymentControllerList, controller)
 	}
 
+	operatorImageVersion := status.VersionForOperatorFromEnv()
+	nextOCPMinorVersion, err := utils.GetNextOCPMinorVersion(operatorImageVersion)
+	if err != nil {
+		return err
+	}
+
 	upgradeableConditionController := controller.NewStaticUpgradeableConditionController(
 		"OLMStaticUpgradeableConditionController",
 		cl.OperatorClient,
 		cc.EventRecorder.ForComponent("OLMStaticUpgradeableConditionController"),
 		controllerNames,
 	)
 
+	incompatibleOperatorController := controller.NewIncompatibleOperatorController(
+		"OLMIncompatibleOperatorController",
+		nextOCPMinorVersion,
+		cl.KubeClient,
+		cl.ClusterExtensionClient,
+		cl.OperatorClient,
+		cc.EventRecorder.ForComponent("OLMIncompatibleOperatorController"),
+	)
+
 	versionGetter := status.NewVersionGetter()
 	versionGetter.SetVersion("operator", status.VersionForOperatorFromEnv())
 
@@ -129,7 +145,7 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 
 	cl.StartInformers(ctx)
 
-	for _, c := range append(staticResourceControllerList, upgradeableConditionController, clusterOperatorController, operatorLoggingController) {
+	for _, c := range append(staticResourceControllerList, upgradeableConditionController, incompatibleOperatorController, clusterOperatorController, operatorLoggingController) {
 		go func(c factory.Controller) {
 			defer runtime.HandleCrash()
 			c.Run(ctx, 1)

pkg/internal/dependencymagnet/dependencies.go renamed to internal/dependencymagnet/dependencies.go

@@ -0,0 +1,48 @@
+package utils
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	semver "github.com/blang/semver/v4"
+)
+
+func GetNextOCPMinorVersion(versionString string) (*semver.Version, error) {
+	v, err := semver.Parse(versionString)
+	if err != nil {
+		return &v, err
+	}
+	v.Build = nil                 // Builds are irrelevant
+	v.Pre = nil                   // Next Y release
+	return &v, v.IncrementMinor() // Sets Y=Y+1 and Z=0
+}
+
+func ToAllowedSemver(value string) (*semver.Version, error) {
+	if value == "" {
+		// Handle "" separately, so parse doesn't treat it as a zero
+		return nil, fmt.Errorf(`value cannot be "" (an empty string)`)
+	}
+
+	if value != strings.TrimPrefix(value, "v") {
+		return nil, fmt.Errorf(`version string cannot start with 'v'`)
+	}
+
+	parts := strings.Split(value, ".")
+	if len(parts) == 3 {
+		return nil, fmt.Errorf(`version string should not include patch version`)
+	}
+
+	if len(parts) != 2 {
+		return nil, fmt.Errorf(`invalid version string. String must be in the form: Major.Minor`)
+	}
+	major, err := strconv.ParseUint(parts[0], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+	minor, err := strconv.ParseUint(parts[1], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+	return &semver.Version{Major: major, Minor: minor}, err
+}

internal/utils/utils.go

@@ -72,6 +72,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:
@@ -210,6 +218,7 @@ rules:
     verbs:
     - get
     - list
+    - watch
   - apiGroups:
     - ""
     resources:

manifests/0000_51_olm_02_operator_clusterrole.yaml

@@ -58,7 +58,6 @@ spec:
         - /cluster-olm-operator
         args:
         - start
-        - -v=2
         imagePullPolicy: IfNotPresent
         env:
         - name: OPERATOR_NAME

manifests/0000_51_olm_06_deployment.yaml

@@ -17,6 +17,7 @@ import (
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
+	ocv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -26,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/dynamic/dynamicinformer"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -43,6 +45,7 @@ type Clients struct {
 	RESTMapper                 meta.RESTMapper
 	OperatorClient             *OperatorClient
 	OperatorInformers          operatorinformers.SharedInformerFactory
+	ClusterExtensionClient     *ClusterExtensionClient
 	ConfigClient               configclient.Interface
 	KubeInformerFactory        informers.SharedInformerFactory
 	ConfigInformerFactory      configinformer.SharedInformerFactory
@@ -91,23 +94,34 @@ func New(cc *controllercmd.ControllerContext) (*Clients, error) {
 		return nil, err
 	}
 
+	infFact := dynamicinformer.NewDynamicSharedInformerFactory(dynClient, defaultResyncPeriod)
+	clusterExtensionGVR := ocv1alpha1.GroupVersion.WithResource("clusterextensions")
+	inf := infFact.ForResource(clusterExtensionGVR)
+
+	ceClient := &ClusterExtensionClient{
+		factory:  infFact,
+		informer: inf,
+	}
+
 	return &Clients{
-		KubeClient:            kubeClient,
-		APIExtensionsClient:   apiExtensionsClient,
-		DynamicClient:         dynClient,
-		RESTMapper:            rm,
-		OperatorClient:        opClient,
-		OperatorInformers:     operatorInformersFactory,
-		ConfigClient:          configClient,
-		KubeInformerFactory:   informers.NewSharedInformerFactory(kubeClient, defaultResyncPeriod),
-		ConfigInformerFactory: configinformer.NewSharedInformerFactory(configClient, defaultResyncPeriod),
+		KubeClient:             kubeClient,
+		APIExtensionsClient:    apiExtensionsClient,
+		DynamicClient:          dynClient,
+		RESTMapper:             rm,
+		OperatorClient:         opClient,
+		OperatorInformers:      operatorInformersFactory,
+		ClusterExtensionClient: ceClient,
+		ConfigClient:           configClient,
+		KubeInformerFactory:    informers.NewSharedInformerFactory(kubeClient, defaultResyncPeriod),
+		ConfigInformerFactory:  configinformer.NewSharedInformerFactory(configClient, defaultResyncPeriod),
 	}, nil
 }
 
 func (c *Clients) StartInformers(ctx context.Context) {
 	c.KubeInformerFactory.Start(ctx.Done())
 	c.ConfigInformerFactory.Start(ctx.Done())
 	c.OperatorInformers.Start(ctx.Done())
+	c.ClusterExtensionClient.factory.Start(ctx.Done())
 	if c.KubeInformersForNamespaces != nil {
 		c.KubeInformersForNamespaces.Start(ctx.Done())
 	}
@@ -131,6 +145,15 @@ const (
 	fieldManager     = "cluster-olm-operator"
 )
 
+type ClusterExtensionClient struct {
+	factory  dynamicinformer.DynamicSharedInformerFactory
+	informer informers.GenericInformer
+}
+
+func (ce ClusterExtensionClient) Informer() informers.GenericInformer {
+	return ce.informer
+}
+
 type OperatorClient struct {
 	clientset operatorclient.Interface
 	informers operatorinformers.SharedInformerFactory

pkg/clients/clients.go

@@ -0,0 +1,181 @@
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+
+	semver "github.com/blang/semver/v4"
+	"github.com/go-logr/logr"
+	operatorv1 "github.com/openshift/api/operator/v1"
+	"github.com/openshift/cluster-olm-operator/internal/utils"
+	"github.com/openshift/cluster-olm-operator/pkg/clients"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
+	storage "github.com/operator-framework/helm-operator-plugins/pkg/storage"
+	"github.com/operator-framework/operator-registry/alpha/property"
+	helm "helm.sh/helm/v3/pkg/storage"
+	"helm.sh/helm/v3/pkg/storage/driver"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes"
+	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/klog/v2"
+)
+
+const (
+	reasonIncompatibleOperatorsInstalled = "IncompatibleOperatorsInstalled"
+	typeIncompatibelOperatorsUpgradeable = "InstalledOLMOperatorsUpgradeable"
+	reasonInvalidBundleProperties        = "InvalidBundleProperties"
+	maxOpenShiftVersionProperty          = "olm.maxOpenShiftVersion"
+	ownerKindKey                         = "olm.operatorframework.io/owner-kind"
+	ownerNameKey                         = "olm.operatorframework.io/owner-name"
+	packageNameKey                       = "olm.operatorframework.io/package-name"
+	bundleNameKey                        = "olm.operatorframework.io/bundle-name"
+	bundleVersionKey                     = "olm.operatorframework.io/bundle-version"
+)
+
+type incompatibleOperatorController struct {
+	name                   string
+	nextOCPMinorVersion    *semver.Version
+	kubeclient             kubernetes.Interface
+	clusterExtensionClient *clients.ClusterExtensionClient
+	operatorClient         *clients.OperatorClient
+	logger                 logr.Logger
+}
+
+func NewIncompatibleOperatorController(name string, nextOCPMinorVersion *semver.Version, kubeclient kubernetes.Interface, clusterExtensionClient *clients.ClusterExtensionClient, operatorClient *clients.OperatorClient, eventRecorder events.Recorder) factory.Controller {
+	c := &incompatibleOperatorController{
+		name:                   name,
+		nextOCPMinorVersion:    nextOCPMinorVersion,
+		kubeclient:             kubeclient,
+		clusterExtensionClient: clusterExtensionClient,
+		operatorClient:         operatorClient,
+		logger:                 klog.NewKlogr().WithName(name),
+	}
+
+	return factory.New().WithSync(c.sync).WithSyncDegradedOnError(operatorClient).WithInformers(operatorClient.Informer(), clusterExtensionClient.Informer().Informer()).ToController(name, eventRecorder)
+}
+
+func (c *incompatibleOperatorController) sync(ctx context.Context, _ factory.SyncContext) error {
+	c.logger.Info("sync started")
+	defer c.logger.Info("sync finished")
+
+	var updateStatusFn v1helpers.UpdateStatusFunc
+	incompatibleOperators, err := c.getIncompatibleOperators()
+	if len(incompatibleOperators) > 0 {
+		updateStatusFn = v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
+			Type:    typeIncompatibelOperatorsUpgradeable,
+			Status:  operatorv1.ConditionFalse,
+			Reason:  reasonIncompatibleOperatorsInstalled,
+			Message: strings.Join(incompatibleOperators, ","),
+		})
+	} else {
+		if err != nil {
+			updateStatusFn = v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
+				Type:    typeIncompatibelOperatorsUpgradeable,
+				Status:  operatorv1.ConditionFalse,
+				Reason:  reasonInvalidBundleProperties,
+				Message: err.Error(),
+			})
+		} else {
+			updateStatusFn = v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
+				Type:   typeIncompatibelOperatorsUpgradeable,
+				Status: operatorv1.ConditionTrue,
+			})
+		}
+	}
+
+	if _, _, updateErr := v1helpers.UpdateStatus(ctx, c.operatorClient, updateStatusFn); updateErr != nil {
+		c.logger.V(4).Info(fmt.Sprintf("Error updating operator condition status: %v", updateErr))
+		return updateErr
+	}
+	return err
+}
+
+func (c *incompatibleOperatorController) getIncompatibleOperators() ([]string, error) {
+	var incompatibleOperators []string
+
+	ceList, err := c.clusterExtensionClient.Informer().Lister().List(labels.NewSelector())
+	if err != nil {
+		c.logger.V(4).Error(err, "Error listing cluster extensions")
+		return nil, err
+	}
+
+	store := c.buildHelmStore(c.kubeclient.CoreV1().Secrets("openshift-operator-controller"))
+
+	var errs []error
+	// Get all ClusterExtensions incompatible with next Y-stream
+	for _, obj := range ceList {
+		metaObj, ok := obj.(metav1.Object)
+		if !ok {
+			errs = append(errs, fmt.Errorf("metav1.Object type assertion failed for object %v", obj))
+			continue
+		}
+		name := metaObj.GetName()
+		rel, err := store.Deployed(name)
+		if errors.Is(err, driver.ErrNoDeployedReleases) {
+			c.logger.Info("Cluster Extension not yet deployed - will check again later")
+			continue
+		}
+		if err != nil {
+			c.logger.V(4).Error(err, "Error returning the last deployed release")
+			return nil, err
+		}
+
+		if rel.Chart == nil || rel.Chart.Metadata == nil {
+			continue
+		}
+		props, err := propertyListFromPropertiesAnnotation(rel.Chart.Metadata.Annotations["olm.properties"])
+		if err != nil {
+			c.logger.V(4).Error(err, "Error converting olm.properties")
+			return nil, err
+		}
+		numMaxOCPProps := 0
+		for _, p := range props {
+			if p.Type == maxOpenShiftVersionProperty {
+				numMaxOCPProps++
+				maxOCPVersion, err := utils.ToAllowedSemver(string(p.Value))
+				if err != nil {
+					errs = append(errs, fmt.Errorf(fmt.Sprintf("Error converting to semver for version %s: %v", string(p.Value), err)))
+					continue
+				}
+				if numMaxOCPProps > 1 {
+					errs = append(errs, fmt.Errorf("%s has more than one %s", name, maxOpenShiftVersionProperty))
+					continue
+				}
+				if maxOCPVersion != nil && !maxOCPVersion.GTE(*c.nextOCPMinorVersion) {
+					// Incompatible
+					incompatibleOperators = append(incompatibleOperators, rel.Labels[bundleNameKey])
+				}
+			}
+		}
+	}
+
+	// deterministic ordering
+	sort.Strings(incompatibleOperators)
+
+	return incompatibleOperators, errors.Join(errs...)
+}
+
+func propertyListFromPropertiesAnnotation(raw string) ([]property.Property, error) {
+	var props []property.Property
+	if err := json.Unmarshal([]byte(raw), &props); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal properties annotation: %w", err)
+	}
+	return props, nil
+}
+
+func (c *incompatibleOperatorController) buildHelmStore(secretClient v1.SecretInterface) helm.Storage {
+	log := func(s string, args ...interface{}) { c.logger.V(4).Info(fmt.Sprintf(s, args...)) }
+	csConfig := storage.ChunkedSecretsConfig{Log: log}
+
+	return helm.Storage{
+		Driver: storage.NewChunkedSecrets(secretClient, "operator-controller", csConfig),
+		Log:    log,
+	}
+}