Add OVNcontroller and OVSnodeOsp to cvs-generator

this adds new added OVNcontroller and OVSnodeOsp CRDs to the
csv-generator, also adds the scc generation as it is not handled
by olm correct.

Also changes the CRD version to v1beta as otherwise OLM failed
to install the plan.

cmd/manager/main.go

@@ -17,16 +17,22 @@ import (
 	"github.com/openstack-k8s-operators/neutron-operator/pkg/controller"
 	"github.com/openstack-k8s-operators/neutron-operator/version"
 
+	secv1 "github.com/openshift/api/security/v1"
 	"github.com/operator-framework/operator-sdk/pkg/k8sutil"
 	kubemetrics "github.com/operator-framework/operator-sdk/pkg/kube-metrics"
 	"github.com/operator-framework/operator-sdk/pkg/leader"
 	"github.com/operator-framework/operator-sdk/pkg/log/zap"
 	"github.com/operator-framework/operator-sdk/pkg/metrics"
 	sdkVersion "github.com/operator-framework/operator-sdk/version"
 	"github.com/spf13/pflag"
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -130,6 +136,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	// add SecurityContextConstraint API to scheme
+	if err := secv1.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
 	// Setup all Controllers
 	if err := controller.AddToManager(mgr); err != nil {
 		log.Error(err, "")
@@ -139,6 +151,13 @@ func main() {
 	// Add the Metrics Service
 	addMetrics(ctx, cfg)
 
+	log.Info("Creating SCC for neutron-operator.")
+	err = ensureSCCExists(mgr.GetClient(), namespace, "neutron-operator")
+	if err != nil {
+		log.Error(err, "Failed to create SCC for neutron-operator.")
+		os.Exit(1)
+	}
+
 	log.Info("Starting the Cmd.")
 
 	// Start the Cmd
@@ -217,3 +236,66 @@ func serveCRMetrics(cfg *rest.Config, operatorNs string) error {
 	}
 	return nil
 }
+
+const sccName = "neutron-operator"
+
+// EnsureSCCExists ensures the security context constraint for neutron-operator exists
+func ensureSCCExists(c client.Client, saNamespace, saName string) error {
+
+	userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)
+	trueVar := true
+	priority := int32(10)
+
+	scc := &secv1.SecurityContextConstraints{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: sccName,
+			Labels: map[string]string{
+				"neutron.openstack.org": "",
+			},
+		},
+		Priority: &priority,
+		FSGroup: secv1.FSGroupStrategyOptions{
+			Type: secv1.FSGroupStrategyRunAsAny,
+		},
+		AllowPrivilegedContainer: true,
+		AllowPrivilegeEscalation: &trueVar,
+		AllowHostDirVolumePlugin: true,
+		AllowHostIPC:             true,
+		AllowHostNetwork:         true,
+		AllowHostPID:             true,
+		AllowHostPorts:           false,
+		ReadOnlyRootFilesystem:   false,
+		AllowedCapabilities: []corev1.Capability{
+			"*",
+		},
+		DefaultAddCapabilities:   []corev1.Capability{},
+		RequiredDropCapabilities: []corev1.Capability{},
+		RunAsUser: secv1.RunAsUserStrategyOptions{
+			Type: secv1.RunAsUserStrategyRunAsAny,
+		},
+		SELinuxContext: secv1.SELinuxContextStrategyOptions{
+			Type: secv1.SELinuxStrategyRunAsAny,
+		},
+		SupplementalGroups: secv1.SupplementalGroupsStrategyOptions{
+			Type: secv1.SupplementalGroupsStrategyRunAsAny,
+		},
+		SeccompProfiles: []string{"*"},
+		Volumes: []secv1.FSType{
+			secv1.FSTypeAll,
+		},
+		Users: []string{
+			userName,
+		},
+	}
+
+	// cache has not been started yet so we just attempt creation(no query). If it fails we handle accordingly
+	err := c.Create(context.TODO(), scc)
+	if meta.IsNoMatchError(err) {
+		log.Info("No match error for SecurityContextConstraints API, skipping SCC configuration.")
+		return nil
+	} else if apierrors.IsAlreadyExists(err) {
+		return nil
+	}
+	return err
+
+}

deploy/cluster_role.yaml

@@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: neutron-operator
+  namespace: openstack
+rules:
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - get
+  - create
+  - watch
+  - patch
+  - update
+  - delete

deploy/cluster_role_binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: neutron-operator
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: neutron-operator
+subjects:
+- kind: ServiceAccount
+  name: neutron-operator
+  namespace: openstack

deploy/crds/neutron.openstack.org_ovncontrollers_crd.yaml

@@ -1,4 +1,4 @@
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: ovncontrollers.neutron.openstack.org
@@ -10,61 +10,62 @@ spec:
     plural: ovncontrollers
     singular: ovncontroller
   scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: OVNController is the Schema for the ovncontrollers API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: OVNControllerSpec defines the desired state of OVNController
+          properties:
+            ovnControllerImage:
+              description: container image to run for the daemon
+              type: string
+            ovnLogLevel:
+              description: log level
+              type: string
+            roleName:
+              description: Name of the worker role created for OSP computes
+              type: string
+            serviceAccount:
+              description: service account used to create pods
+              type: string
+          required:
+          - ovnControllerImage
+          - ovnLogLevel
+          - roleName
+          - serviceAccount
+          type: object
+        status:
+          description: OVNControllerStatus defines the observed state of OVNController
+          properties:
+            count:
+              description: Count is the number of nodes the daemon is deployed to
+              format: int32
+              type: integer
+            daemonsetHash:
+              description: Daemonset hash used to detect changes
+              type: string
+          required:
+          - count
+          - daemonsetHash
+          type: object
+      type: object
+  version: v1
   versions:
   - name: v1
-    schema:
-      openAPIV3Schema:
-        description: OVNController is the Schema for the ovncontrollers API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: OVNControllerSpec defines the desired state of OVNController
-            properties:
-              ovnControllerImage:
-                description: container image to run for the daemon
-                type: string
-              ovnLogLevel:
-                description: log level
-                type: string
-              roleName:
-                description: Name of the worker role created for OSP computes
-                type: string
-              serviceAccount:
-                description: service account used to create pods
-                type: string
-            required:
-            - ovnControllerImage
-            - ovnLogLevel
-            - roleName
-            - serviceAccount
-            type: object
-          status:
-            description: OVNControllerStatus defines the observed state of OVNController
-            properties:
-              count:
-                description: Count is the number of nodes the daemon is deployed to
-                format: int32
-                type: integer
-              daemonsetHash:
-                description: Daemonset hash used to detect changes
-                type: string
-            required:
-            - count
-            - daemonsetHash
-            type: object
-        type: object
     served: true
     storage: true
-    subresources:
-      status: {}