Fixed an old bug that resurfaced itself, causing the operator to fail…

… when run

in cluster-scope. Default client tries to cache all objects from all namespaces
when WATCH_NAMESPACE is empty, causing auth failures. The fix bypasses this
(broken) cache, allowing permissions to be approrpiately scoped to namespaces.

Added build/make_bundle.sh which uses the "operator-sdk generate csv" command
to generate a splunk OLM bundle in the deploy/olm-catalog/splunk directory.
This is executed as part of the "make generate" command.

You can now use OLM to install the splunk operator bundle to your Kubernetes
cluster. If you do not have OLM installed, you can use "operator-sdk olm install"
to install it (see "operator-sdk olm --help" for more). Once you have OLM
installed, ensure that your ~/.kube/config context points to a clean namespace
and then run "operator-sdk run --olm --manifests=deploy/olm-catalog/splunk --operator-version=0.1.0"
Just delete the namespace when you are done testing.

All the deploy/*.yaml files are now sources used to construct the OLM bundle
and/or standalone YAML installation files (which are generated via build/package.sh).

Removed deploy/cluster_operator.yaml and deploy/namespace_operator.yaml since
these have become redundant files. They are no longer necessary because the
build/package.sh script now constructs all the proper install/release YAML
files from sources located in deploy/*.yaml.

Changed splunk:operator:namespace-manager from a ClusterRole to a Role, since
this is easier for reuse across tools and it is not required to be a ClusterRole.

Removed splunk:operator:resource-manager from the YAML used for namespace-scoped
installs, since it only is required for cluster-scoped.

These changes also made the "splunk-operator-rbac.yaml" install resource
unnecessary, since CRDS are now the only cluster-admin resources that need to
be installed for namespace-scoped deployments.

Note that these changes involve more YAML processing than what we previously
did, so the "yq" utilitity is now a required development tool. Updated README
for install instructions.

Added build/run_scorecard.sh script which can be used to run the operator-sdk
scorecard test suite. You can also use "make scorecard" to run this. Note that
this requires having OLM installed in your Kubernetes cluster and that your
~/.kube/config context points to a clean namespace. Also note that the
"statusdescriptorstest" test currently fails due to missing descriptors for some
of the status fields. I didn't fix this because it would require a CRD update.

.gitignore

@@ -78,6 +78,8 @@ tags
 
 .idea
 .DS_Store
+.osdk-scorecard.yaml
+.yq_script.yaml
 Gopkg.lock
 vendor/
 push_targets

Makefile

@@ -39,6 +39,10 @@ local:
 	@mkdir -p ./build/_output/bin
 	@go build -v -o ./build/_output/bin/splunk-operator-local ./cmd/manager
 
+scorecard:
+	@echo Running operator-sdk scorecard tests
+	@build/run_scorecard.sh
+
 test:
 	@echo Running unit tests for splunk-operator
 	@go test -v -covermode=count -coverprofile=coverage.out --timeout=300s github.com/splunk/splunk-operator/pkg/splunk/resources github.com/splunk/splunk-operator/pkg/splunk/spark github.com/splunk/splunk-operator/pkg/splunk/enterprise github.com/splunk/splunk-operator/pkg/splunk/reconcile github.com/splunk/splunk-operator/pkg/splunk/client
@@ -68,9 +72,9 @@ generate:
 	@echo Running operator-sdk generate k8s
 	@operator-sdk generate k8s
 	@echo Running operator-sdk generate crds
-	@cp deploy/rbac.yaml deploy/role.yaml
 	@operator-sdk generate crds
-	@rm -f deploy/role.yaml deploy/crds/*_cr.yaml
+	@rm -f deploy/crds/*_cr.yaml
+	@build/make_bundle.sh
 
 package: lint fmt generate
 	@build/package.sh

README.md

@@ -54,6 +54,7 @@ which are used by various `make` targets:
 go get -u golang.org/x/lint/golint
 go get -u golang.org/x/tools/cmd/cover
 go get -u github.com/mattn/goveralls
+go get -u github.com/mikefarah/yq/v3
 ```
 
 
@@ -106,7 +107,8 @@ Other make targets include (more info below):
 * `make image`: builds the `splunk/splunk-operator` container image without using `splunk/splunk-operator-builder`
 * `make local`: builds the splunk-operator-local binary for test and debugging purposes
 * `make test`: Runs unit tests with Coveralls code coverage output to coverage.out
-* `make generate`: runs operator-generate k8s and crds commands, updating installation YAML files
+* `make scorecard`: Runs operator-sdk scorecard tests using OLM installation bundle
+* `make generate`: runs operator-generate k8s, crds and csv commands, updating installation YAML files and OLM bundle
 * `make package`: generates tarball of the `splunk/splunk-operator` container image and installation YAML file
 * `make clean`: removes the binary build output and `splunk/splunk-operator` container image
 * `make run`: runs the splunk operator locally, monitoring the Kubernetes cluster configured in your current `kubectl` context

build/make_bundle.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# Script to update OLM bundle in deploy/olm-catalog/splunk-operator
+
+# exit when any command fails
+set -e
+
+VERSION=`grep "Version.*=.*\".*\"" version/version.go | sed "s,.*Version.*=.*\"\(.*\)\".*,\1,"`
+IMAGE="docker.io/splunk/splunk-operator:${VERSION}"
+YAML_SCRIPT_FILE=.yq_script.yaml
+
+RESOURCES="
+  - kind: StatefulSets
+    version: apps/v1
+  - kind: Deployments
+    version: apps/v1
+  - kind: Pods
+    version: v1
+  - kind: Services
+    version: v1
+  - kind: ConfigMaps
+    version: v1
+  - kind: Secrets
+    version: v1
+"
+
+cat << EOF >$YAML_SCRIPT_FILE
+- command: update
+  path: spec.install.spec.deployments[0].spec.template.spec.containers[0].image
+  value: $IMAGE
+- command: update
+  path: spec.install.spec.permissions[0].serviceAccountName
+  value: splunk-operator
+- command: update
+  path: spec.customresourcedefinitions.owned[0].resources
+  value: $RESOURCES
+- command: update
+  path: spec.customresourcedefinitions.owned[1].resources
+  value: $RESOURCES
+- command: update
+  path: spec.customresourcedefinitions.owned[2].resources
+  value: $RESOURCES
+- command: update
+  path: spec.customresourcedefinitions.owned[3].resources
+  value: $RESOURCES
+- command: update
+  path: spec.customresourcedefinitions.owned[4].resources
+  value: $RESOURCES
+- command: update
+  path: metadata.annotations.alm-examples
+  value: |-
+    [{
+      "apiVersion": "enterprise.splunk.com/v1alpha2",
+      "kind": "IndexerCluster",
+      "metadata": {
+        "name": "example"
+      },
+      "spec": {}
+    },
+    {
+      "apiVersion": "enterprise.splunk.com/v1alpha2",
+      "kind": "LicenseMaster",
+      "metadata": {
+        "name": "example"
+      },
+      "spec": {}
+    },
+    {
+      "apiVersion": "enterprise.splunk.com/v1alpha2",
+      "kind": "SearchHeadCluster",
+      "metadata": {
+        "name": "example"
+      },
+      "spec": {}
+    },
+    {
+      "apiVersion": "enterprise.splunk.com/v1alpha2",
+      "kind": "Spark",
+      "metadata": {
+        "name": "example"
+      },
+      "spec": {}
+    },
+    {
+      "apiVersion": "enterprise.splunk.com/v1alpha2",
+      "kind": "Standalone",
+      "metadata": {
+        "name": "example"
+      },
+      "spec": {}
+    }]
+EOF
+
+operator-sdk generate csv --csv-version $VERSION --operator-name splunk --update-crds --verbose
+yq w -i -s $YAML_SCRIPT_FILE deploy/olm-catalog/splunk/$VERSION/splunk.v${VERSION}.clusterserviceversion.yaml
+
+rm -f $YAML_SCRIPT_FILE

build/package.sh

@@ -9,21 +9,17 @@ if [[ "x$VERSION" == "x" ]]; then
     # Use latest commit id if no version is provided
     VERSION=`git rev-parse HEAD | cut -c1-12`
 fi
+IMAGE="docker.io/splunk/splunk-operator:${VERSION}"
 IMAGE_ID=`docker images splunk/splunk-operator:latest -q`
 
 echo Tagging image ${IMAGE_ID} as splunk/splunk-operator:${VERSION}
 docker tag ${IMAGE_ID} splunk/splunk-operator:${VERSION}
 
 echo Generating release-${VERSION}/splunk-operator-${VERSION}.tar.gz
 mkdir -p release-${VERSION}
+rm -f release-${VERSION}/*
 docker image save splunk/splunk-operator:${VERSION} | gzip -c > release-${VERSION}/splunk-operator-${VERSION}.tar.gz
 
-echo Generating release-${VERSION}/splunk-operator-noadmin.yaml
-sed -e "s,image: splunk/splunk-operator.*,image: \"splunk/splunk-operator:${VERSION}\"," deploy/namespace_operator.yaml > release-${VERSION}/splunk-operator-noadmin.yaml
-
-echo Generating release-${VERSION}/splunk-operator-rbac.yaml
-cp deploy/rbac.yaml release-${VERSION}/splunk-operator-rbac.yaml
-
 echo Generating release-${VERSION}/splunk-operator-crds.yaml
 echo "---" > release-${VERSION}/splunk-operator-crds.yaml
 cat deploy/crds/enterprise.splunk.com_standalones_crd.yaml >> release-${VERSION}/splunk-operator-crds.yaml
@@ -36,11 +32,24 @@ cat deploy/crds/enterprise.splunk.com_indexerclusters_crd.yaml >> release-${VERS
 echo "---" >> release-${VERSION}/splunk-operator-crds.yaml
 cat deploy/crds/enterprise.splunk.com_sparks_crd.yaml >> release-${VERSION}/splunk-operator-crds.yaml
 
+echo Generating release-${VERSION}/splunk-operator-noadmin.yaml
+cat deploy/service_account.yaml deploy/role.yaml deploy/role_binding.yaml > release-${VERSION}/splunk-operator-noadmin.yaml
+echo "---" >> release-${VERSION}/splunk-operator-noadmin.yaml
+yq w deploy/operator.yaml "spec.template.spec.containers[0].image" $IMAGE >> release-${VERSION}/splunk-operator-noadmin.yaml
+
 echo Generating release-${VERSION}/splunk-operator-install.yaml
-cat release-${VERSION}/splunk-operator-crds.yaml deploy/rbac.yaml release-${VERSION}/splunk-operator-noadmin.yaml > release-${VERSION}/splunk-operator-install.yaml
+cat release-${VERSION}/splunk-operator-crds.yaml release-${VERSION}/splunk-operator-noadmin.yaml > release-${VERSION}/splunk-operator-install.yaml
 
 echo Rebuilding release-${VERSION}/splunk-operator-cluster.yaml
-cat release-${VERSION}/splunk-operator-crds.yaml deploy/rbac.yaml > release-${VERSION}/splunk-operator-cluster.yaml
-sed -e "s,image: splunk/splunk-operator.*,image: \"splunk/splunk-operator:${VERSION}\"," deploy/cluster_operator.yaml >> release-${VERSION}/splunk-operator-cluster.yaml
+cat release-${VERSION}/splunk-operator-crds.yaml deploy/namespace.yaml > release-${VERSION}/splunk-operator-cluster.yaml
+echo "---" >> release-${VERSION}/splunk-operator-cluster.yaml
+yq w deploy/service_account.yaml metadata.namespace splunk-operator >> release-${VERSION}/splunk-operator-cluster.yaml
+echo "---" >> release-${VERSION}/splunk-operator-cluster.yaml
+yq w deploy/role.yaml metadata.namespace splunk-operator | yq w - kind ClusterRole >> release-${VERSION}/splunk-operator-cluster.yaml
+echo "---" >> release-${VERSION}/splunk-operator-cluster.yaml
+yq w deploy/role_binding.yaml metadata.namespace splunk-operator | yq w - roleRef.kind ClusterRole >> release-${VERSION}/splunk-operator-cluster.yaml
+cat deploy/cluster_role.yaml deploy/cluster_role_binding.yaml >> release-${VERSION}/splunk-operator-cluster.yaml
+echo "---" >> release-${VERSION}/splunk-operator-cluster.yaml
+yq w deploy/operator.yaml metadata.namespace splunk-operator | yq w - "spec.template.spec.containers[0].image" $IMAGE | yq w - "spec.template.spec.containers[0].env[0].value" "" | yq d - "spec.template.spec.containers[0].env[0].valueFrom" >> release-${VERSION}/splunk-operator-cluster.yaml
 
 ls -la release-${VERSION}/

build/run_scorecard.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# Script to scorecard tests
+# Reference: https://github.com/operator-framework/operator-sdk/blob/v0.15.1/doc/test-framework/scorecard.md
+
+# exit when any command fails
+set -e
+
+VERSION=`grep "Version.*=.*\".*\"" version/version.go | sed "s,.*Version.*=.*\"\(.*\)\".*,\1,"`
+IMAGE="docker.io/splunk/splunk-operator:${VERSION}"
+CONFIG_FILE=.osdk-scorecard.yaml
+ARGS=$@
+if [ $# = 0 ]; then
+    ARGS="--output text --verbose"
+fi
+
+for crd in deploy/examples/*; do
+    for f in $crd/*.yaml; do
+        MANIFESTS="${MANIFESTS}          - $f
+"
+    done
+done
+
+cat << EOF >$CONFIG_FILE
+scorecard:
+    bundle: "deploy/olm-catalog/splunk"
+    plugins:
+    - basic:
+        cr-manifest:
+$MANIFESTS
+    - olm:
+        cr-manifest:
+$MANIFESTS
+        csv-path: "deploy/olm-catalog/splunk/${VERSION}/splunk.v${VERSION}.clusterserviceversion.yaml"
+EOF
+
+operator-sdk scorecard $ARGS
+
+rm $CONFIG_FILE

deploy/cluster_role.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: splunk:operator:resource-manager
+rules:
+- apiGroups:
+    - enterprise.splunk.com
+  resources:
+    - '*'
+  verbs:
+    - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - list
+  - get
+  - watch

deploy/cluster_role_binding.yaml

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: splunk:operator:resource-manager
+subjects:
+- kind: ServiceAccount
+  name: splunk-operator
+  namespace: splunk-operator
+roleRef:
+  kind: ClusterRole
+  name: splunk:operator:resource-manager
+  apiGroup: rbac.authorization.k8s.io

deploy/examples/indexercluster/default.yaml

@@ -0,0 +1,5 @@
+apiVersion: enterprise.splunk.com/v1alpha2
+kind: IndexerCluster
+metadata:
+  name: test
+spec: {}

deploy/examples/licensemaster/default.yaml

@@ -0,0 +1,5 @@
+apiVersion: enterprise.splunk.com/v1alpha2
+kind: LicenseMaster
+metadata:
+  name: test
+spec: {}

deploy/examples/searchheadcluster/default.yaml

@@ -0,0 +1,5 @@
+apiVersion: enterprise.splunk.com/v1alpha2
+kind: SearchHeadCluster
+metadata:
+  name: test
+spec: {}

deploy/examples/spark/default.yaml

@@ -0,0 +1,5 @@
+apiVersion: enterprise.splunk.com/v1alpha2
+kind: Spark
+metadata:
+  name: test
+spec: {}

deploy/examples/standalone/default.yaml

@@ -0,0 +1,5 @@
+apiVersion: enterprise.splunk.com/v1alpha2
+kind: Standalone
+metadata:
+  name: test
+spec: {}

deploy/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: splunk-operator