Replace WebhookProviderCertManager and WebhookProviderOpenshiftServiceCA with flag certificate-provider

Author: camilamacedo86

Makefile

@@ -152,7 +152,6 @@ update-crds:
 #
 # Override HELM_SETTINGS on the command line to include additional Helm settings
 # e.g. make HELM_SETTINGS="options.openshift.enabled=true" manifests
-# e.g. make HELM_SETTINGS="operatorControllerFeatures={WebhookProviderCertManager}" manifests
 #
 MANIFESTS ?= $(STANDARD_MANIFEST) $(STANDARD_E2E_MANIFEST) $(EXPERIMENTAL_MANIFEST) $(EXPERIMENTAL_E2E_MANIFEST)
 $(STANDARD_MANIFEST) ?= helm/cert-manager.yaml

cmd/operator-controller/main.go

@@ -105,11 +105,14 @@ type config struct {
 	catalogdCasDir       string
 	pullCasDir           string
 	globalPullSecret     string
+	certificateProvider  string
 }
 
 const (
-	authFilePrefix   = "operator-controller-global-pull-secrets"
-	fieldOwnerPrefix = "olm.operatorframework.io"
+	authFilePrefix                 = "operator-controller-global-pull-secrets"
+	fieldOwnerPrefix               = "olm.operatorframework.io"
+	certificateProviderCertManager = "cert-manager"
+	certificateProviderOpenshiftCA = "openshift-serviceca"
 )
 
 // podNamespace checks whether the controller is running in a Pod vs.
@@ -159,6 +162,7 @@ func init() {
 	flags.StringVar(&cfg.cachePath, "cache-path", "/var/cache", "The local directory path used for filesystem based caching")
 	flags.StringVar(&cfg.systemNamespace, "system-namespace", "", "Configures the namespace that gets used to deploy system resources.")
 	flags.StringVar(&cfg.globalPullSecret, "global-pull-secret", "", "The <namespace>/<name> of the global pull secret that is going to be used to pull bundle images.")
+	flags.StringVar(&cfg.certificateProvider, "certificate-provider", certificateProviderCertManager, "The certificate provider to use for webhook support. Options: 'cert-manager' (default) or 'openshift-serviceca'.")
 
 	//adds version sub command
 	operatorControllerCmd.AddCommand(versionCommand)
@@ -451,7 +455,11 @@ func run() error {
 		return err
 	}
 
-	certProvider := getCertificateProvider()
+	certProvider, err := getCertificateProvider()
+	if err != nil {
+		setupLog.Error(err, "invalid certificate provider configuration")
+		return err
+	}
 	regv1ManifestProvider := &applier.RegistryV1ManifestProvider{
 		BundleRenderer:              registryv1.Renderer,
 		CertificateProvider:         certProvider,
@@ -514,13 +522,14 @@ func run() error {
 	return nil
 }
 
-func getCertificateProvider() render.CertificateProvider {
-	if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderCertManager) {
-		return certproviders.CertManagerCertificateProvider{}
-	} else if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderOpenshiftServiceCA) {
-		return certproviders.OpenshiftServiceCaCertificateProvider{}
+func getCertificateProvider() (render.CertificateProvider, error) {
+	switch strings.ToLower(cfg.certificateProvider) {
+	case "", certificateProviderCertManager:
+		return certproviders.CertManagerCertificateProvider{}, nil
+	case certificateProviderOpenshiftCA:
+		return certproviders.OpenshiftServiceCaCertificateProvider{}, nil
 	}
-	return nil
+	return nil, fmt.Errorf("unsupported certificate provider %q", cfg.certificateProvider)
 }
 
 func setupBoxcutter(

docs/draft/howto/enable-webhook-support.md

@@ -1,20 +1,20 @@
 ## Installation of Bundles containing Webhooks
 
 !!! note
-Webhook support is enabled by default. The controller uses the `WebhookProviderCertManager`
-feature-gate unless you override it. To switch to the OpenShift Service CA provider,
-start the controller with `--feature-gates=WebhookProviderCertManager=false`.
+Webhook support is enabled by default. The controller uses the `cert-manager`
+certificate provider unless you override it. To switch to the OpenShift Service CA provider,
+start the controller with `--certificate-provider=openshift-serviceca`.
 
 OLMv1 supports the installation of bundles containing webhooks by default.
 Webhooks, or more concretely Admission Webhooks, are part of Kuberntes' [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
 feature. Webhooks run as services called by the kube-apiservice in due course of processing a resource related request. They can be used to validate resources, ensure reasonable default values,
 are set, or aid in the migration to new CustomResourceDefinition schema. The communication with the webhook service is secured by TLS. In OLMv1, the TLS certificate is managed by a 
-certificate provider. Currently, two certificate providers are supported: CertManager and Openshift-ServiceCA. The certificate provider to use given by the feature-gate:
+certificate provider. Currently, two certificate providers are supported: CertManager and Openshift-ServiceCA. The controller selects the provider via the `--certificate-provider` flag:
 
-- `WebhookProviderCertManager` for [CertManager](https://cert-manager.io/)
-- `WebhookProviderOpenshiftServiceCA` for [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
+- `cert-manager` for [CertManager](https://cert-manager.io/) (default)
+- `openshift-serviceca` for [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
 
-As CertManager is already installed with OLMv1, we suggest using `WebhookProviderCertManager`.
+As CertManager is already installed with OLMv1, we suggest staying with the default `cert-manager` provider.
 
 ### Run OLM v1 with Webhook Support
 

hack/demo/webhook-provider-certmanager-demo-script.sh

@@ -5,9 +5,6 @@
 #
 trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
 
-# enable 'WebhookProviderCertManager' feature
-kubectl kustomize config/overlays/featuregate/webhook-provider-certmanager | kubectl apply -f -
-
 # wait for operator-controller to become available
 kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
 

helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml

@@ -44,6 +44,9 @@ spec:
             {{- if not .Values.options.tilt.enabled }}
             - --leader-elect
             {{- end }}
+            {{- if .Values.options.openshift.enabled }}
+            - --certificate-provider=openshift-serviceca
+            {{- end }}
             {{- range .Values.operatorControllerFeatures }}
             - --feature-gates={{- . -}}=true
             {{- end }}

internal/operator-controller/features/features.go

@@ -11,13 +11,11 @@ import (
 const (
 	// Add new feature gates constants (strings)
 	// Ex: SomeFeature featuregate.Feature = "SomeFeature"
-	PreflightPermissions              featuregate.Feature = "PreflightPermissions"
-	SingleOwnNamespaceInstallSupport  featuregate.Feature = "SingleOwnNamespaceInstallSupport"
-	SyntheticPermissions              featuregate.Feature = "SyntheticPermissions"
-	WebhookProviderCertManager        featuregate.Feature = "WebhookProviderCertManager"
-	WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA"
-	HelmChartSupport                  featuregate.Feature = "HelmChartSupport"
-	BoxcutterRuntime                  featuregate.Feature = "BoxcutterRuntime"
+	PreflightPermissions             featuregate.Feature = "PreflightPermissions"
+	SingleOwnNamespaceInstallSupport featuregate.Feature = "SingleOwnNamespaceInstallSupport"
+	SyntheticPermissions             featuregate.Feature = "SyntheticPermissions"
+	HelmChartSupport                 featuregate.Feature = "HelmChartSupport"
+	BoxcutterRuntime                 featuregate.Feature = "BoxcutterRuntime"
 )
 
 var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -46,26 +44,6 @@ var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.Feature
 		LockToDefault: false,
 	},
 
-	// WebhookProviderCertManager enables support for installing
-	// registry+v1 cluster extensions that include validating,
-	// mutating, and/or conversion webhooks with CertManager
-	// as the certificate provider.
-	WebhookProviderCertManager: {
-		Default:       true,
-		PreRelease:    featuregate.GA,
-		LockToDefault: false,
-	},
-
-	// WebhookProviderCertManager enables support for installing
-	// registry+v1 cluster extensions that include validating,
-	// mutating, and/or conversion webhooks with Openshift Service CA
-	// as the certificate provider.
-	WebhookProviderOpenshiftServiceCA: {
-		Default:       true,
-		PreRelease:    featuregate.GA,
-		LockToDefault: false,
-	},
-
 	// HelmChartSupport enables support for installing,
 	// updating and uninstalling Helm Charts via Cluster Extensions.
 	HelmChartSupport: {