Revert ":sparkles: Wire up Service Account (#1038)"

This reverts commit 95b9f0d.

Author: joelanford

cmd/manager/main.go

@@ -22,17 +22,13 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/types"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
-	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -46,7 +42,6 @@ import (
 
 	ocv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
 	"github.com/operator-framework/operator-controller/internal/action"
-	"github.com/operator-framework/operator-controller/internal/authentication"
 	"github.com/operator-framework/operator-controller/internal/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/controllers"
@@ -163,34 +158,9 @@ func main() {
 		ext := obj.(*ocv1alpha1.ClusterExtension)
 		return ext.Spec.InstallNamespace, nil
 	})
-	coreClient, err := corev1client.NewForConfig(mgr.GetConfig())
-	if err != nil {
-		setupLog.Error(err, "unable to create core client")
-		os.Exit(1)
-	}
-	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
-
-	restConfigMapper := func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
-		cExt, ok := o.(*ocv1alpha1.ClusterExtension)
-		if !ok {
-			return c, nil
-		}
-		namespacedName := types.NamespacedName{
-			Name:      cExt.Spec.ServiceAccount.Name,
-			Namespace: cExt.Spec.InstallNamespace,
-		}
-		token, err := tokenGetter.Get(ctx, namespacedName)
-		if err != nil {
-			return nil, fmt.Errorf("failed to extract SA token, %w", err)
-		}
-		tempConfig := rest.AnonymousClientConfig(c)
-		tempConfig.BearerToken = token
-		return tempConfig, nil
-	}
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
 		helmclient.StorageNamespaceMapper(installNamespaceMapper),
 		helmclient.ClientNamespaceMapper(installNamespaceMapper),
-		helmclient.RestConfigMapper(restConfigMapper),
 	)
 	if err != nil {
 		setupLog.Error(err, "unable to config for creating helm client")

config/base/rbac/role.yaml

@@ -5,11 +5,11 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - apiextensions.k8s.io
+  - '*'
   resources:
-  - customresourcedefinitions
+  - '*'
   verbs:
-  - get
+  - '*'
 - apiGroups:
   - catalogd.operatorframework.io
   resources:
@@ -36,21 +36,13 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts/token
-  verbs:
-  - create
 - apiGroups:
   - olm.operatorframework.io
   resources:
   - clusterextensions
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - olm.operatorframework.io

config/samples/olm_v1alpha1_clusterextension.yaml

@@ -7,4 +7,4 @@ spec:
   packageName: argocd-operator
   version: 0.6.0
   serviceAccount:
-    name: default
+    name: argocd-installer

hack/test/pre-upgrade-setup.sh

@@ -33,42 +33,6 @@ spec:
       insecureSkipTLSVerify: true
 EOF
 
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: upgrade-e2e
-  namespace: default
-EOF
-
-kubectl apply -f - <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: upgrade-e2e
-rules:
-  - apiGroups:
-    - "*"
-    resources:
-    - "*"
-    verbs:
-    - "*"
-EOF
-
-kubectl apply -f - <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: upgrade-e2e
-subjects:
-  - kind: ServiceAccount
-    name: upgrade-e2e
-    namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: upgrade-e2e
-EOF
 
 kubectl apply -f - << EOF
 apiVersion: olm.operatorframework.io/v1alpha1
@@ -80,7 +44,7 @@ spec:
   packageName: prometheus
   version: 1.0.0
   serviceAccount:
-    name: upgrade-e2e
+    name: default
 EOF
 
 kubectl wait --for=condition=Unpacked --timeout=60s ClusterCatalog $TEST_CLUSTER_CATALOG_NAME

internal/controllers/clusterextension_controller.go

@@ -112,12 +112,11 @@ type Preflight interface {
 	Upgrade(context.Context, *release.Release) error
 }
 
-//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=create;update;patch;delete;get;list;watch
-//+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
-//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
+//+kubebuilder:rbac:groups=*,resources=*,verbs=*
 
 //+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=clustercatalogs,verbs=list;watch
 //+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogmetadata,verbs=list;watch

test/e2e/cluster_extension_install_test.go

@@ -16,7 +16,6 @@ import (
 	"gopkg.in/yaml.v2"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -39,65 +38,7 @@ const (
 var pollDuration = time.Minute
 var pollInterval = time.Second
 
-func createServiceAccount(ctx context.Context, name types.NamespacedName) (*corev1.ServiceAccount, error) {
-	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name.Name,
-			Namespace: name.Namespace,
-		},
-	}
-	err := c.Create(ctx, sa)
-	if err != nil {
-		return nil, err
-	}
-	cr := &rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name.Name,
-		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{
-					"*",
-				},
-				Resources: []string{
-					"*",
-				},
-				Verbs: []string{
-					"*",
-				},
-			},
-		},
-	}
-	err = c.Create(ctx, cr)
-	if err != nil {
-		return nil, err
-	}
-	crb := &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name.Name,
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      name.Name,
-				Namespace: name.Namespace,
-			},
-		},
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     name.Name,
-		},
-	}
-	err = c.Create(ctx, crb)
-	if err != nil {
-		return nil, err
-	}
-
-	return sa, nil
-}
-
-func testInit(t *testing.T) (*ocv1alpha1.ClusterExtension, *catalogd.ClusterCatalog, *corev1.ServiceAccount) {
+func testInit(t *testing.T) (*ocv1alpha1.ClusterExtension, *catalogd.ClusterCatalog) {
 	var err error
 	extensionCatalog, err := createTestCatalog(context.Background(), testCatalogName, os.Getenv(testCatalogRefEnvVar))
 	require.NoError(t, err)
@@ -108,18 +49,10 @@ func testInit(t *testing.T) (*ocv1alpha1.ClusterExtension, *catalogd.ClusterCata
 			Name: clusterExtensionName,
 		},
 	}
-
-	defaultNamespace := types.NamespacedName{
-		Name:      clusterExtensionName,
-		Namespace: "default",
-	}
-
-	sa, err := createServiceAccount(context.Background(), defaultNamespace)
-	require.NoError(t, err)
-	return clusterExtension, extensionCatalog, sa
+	return clusterExtension, extensionCatalog
 }
 
-func testCleanup(t *testing.T, cat *catalogd.ClusterCatalog, clusterExtension *ocv1alpha1.ClusterExtension, sa *corev1.ServiceAccount) {
+func testCleanup(t *testing.T, cat *catalogd.ClusterCatalog, clusterExtension *ocv1alpha1.ClusterExtension) {
 	require.NoError(t, c.Delete(context.Background(), cat))
 	require.Eventually(t, func() bool {
 		err := c.Get(context.Background(), types.NamespacedName{Name: cat.Name}, &catalogd.ClusterCatalog{})
@@ -130,26 +63,21 @@ func testCleanup(t *testing.T, cat *catalogd.ClusterCatalog, clusterExtension *o
 		err := c.Get(context.Background(), types.NamespacedName{Name: clusterExtension.Name}, &ocv1alpha1.ClusterExtension{})
 		return errors.IsNotFound(err)
 	}, pollDuration, pollInterval)
-	require.NoError(t, c.Delete(context.Background(), sa))
-	require.Eventually(t, func() bool {
-		err := c.Get(context.Background(), types.NamespacedName{Name: sa.Name, Namespace: sa.Namespace}, &corev1.ServiceAccount{})
-		return errors.IsNotFound(err)
-	}, pollDuration, pollInterval)
 }
 
 func TestClusterExtensionInstallRegistry(t *testing.T) {
 	t.Log("When a cluster extension is installed from a catalog")
 	t.Log("When the extension bundle format is registry+v1")
 
-	clusterExtension, extensionCatalog, sa := testInit(t)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	clusterExtension, extensionCatalog := testInit(t)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	clusterExtension.Spec = ocv1alpha1.ClusterExtensionSpec{
 		PackageName:      "prometheus",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	t.Log("It resolves the specified package with correct bundle path")
@@ -200,8 +128,8 @@ func TestClusterExtensionBlockInstallNonSuccessorVersion(t *testing.T) {
 	t.Log("When a cluster extension is installed from a catalog")
 	t.Log("When resolving upgrade edges")
 
-	clusterExtension, extensionCatalog, sa := testInit(t)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	clusterExtension, extensionCatalog := testInit(t)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	t.Log("By creating an ClusterExtension at a specified version")
@@ -210,7 +138,7 @@ func TestClusterExtensionBlockInstallNonSuccessorVersion(t *testing.T) {
 		Version:          "1.0.0",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	require.NoError(t, c.Create(context.Background(), clusterExtension))
@@ -249,8 +177,8 @@ func TestClusterExtensionForceInstallNonSuccessorVersion(t *testing.T) {
 	t.Log("When a cluster extension is installed from a catalog")
 	t.Log("When resolving upgrade edges")
 
-	clusterExtension, extensionCatalog, sa := testInit(t)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	clusterExtension, extensionCatalog := testInit(t)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	t.Log("By creating an ClusterExtension at a specified version")
@@ -259,7 +187,7 @@ func TestClusterExtensionForceInstallNonSuccessorVersion(t *testing.T) {
 		Version:          "1.0.0",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	require.NoError(t, c.Create(context.Background(), clusterExtension))
@@ -297,8 +225,8 @@ func TestClusterExtensionForceInstallNonSuccessorVersion(t *testing.T) {
 func TestClusterExtensionInstallSuccessorVersion(t *testing.T) {
 	t.Log("When a cluster extension is installed from a catalog")
 	t.Log("When resolving upgrade edges")
-	clusterExtension, extensionCatalog, sa := testInit(t)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	clusterExtension, extensionCatalog := testInit(t)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	t.Log("By creating an ClusterExtension at a specified version")
@@ -307,7 +235,7 @@ func TestClusterExtensionInstallSuccessorVersion(t *testing.T) {
 		Version:          "1.0.0",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	require.NoError(t, c.Create(context.Background(), clusterExtension))
@@ -344,15 +272,15 @@ func TestClusterExtensionInstallSuccessorVersion(t *testing.T) {
 func TestClusterExtensionInstallReResolvesWhenCatalogIsPatched(t *testing.T) {
 	t.Log("When a cluster extension is installed from a catalog")
 	t.Log("It resolves again when a catalog is patched with new ImageRef")
-	clusterExtension, extensionCatalog, sa := testInit(t)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	clusterExtension, extensionCatalog := testInit(t)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	clusterExtension.Spec = ocv1alpha1.ClusterExtensionSpec{
 		PackageName:      "prometheus",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	t.Log("It resolves the specified package with correct bundle path")
@@ -423,16 +351,14 @@ func TestClusterExtensionInstallReResolvesWhenNewCatalog(t *testing.T) {
 			Name: clusterExtensionName,
 		},
 	}
-	sa, err := createServiceAccount(context.Background(), types.NamespacedName{Name: clusterExtensionName, Namespace: "default"})
-	require.NoError(t, err)
-	defer testCleanup(t, extensionCatalog, clusterExtension, sa)
+	defer testCleanup(t, extensionCatalog, clusterExtension)
 	defer getArtifactsOutput(t)
 
 	clusterExtension.Spec = ocv1alpha1.ClusterExtensionSpec{
 		PackageName:      "prometheus",
 		InstallNamespace: "default",
 		ServiceAccount: ocv1alpha1.ServiceAccountReference{
-			Name: sa.Name,
+			Name: "default",
 		},
 	}
 	t.Log("It resolves the specified package with correct bundle path")