add network policy for bundle unpack pods

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

pkg/controller/bundle/bundle_unpacker.go

@@ -48,8 +48,8 @@ const (
 	// attempting to recreate a failed unpack job for a bundle.
 	BundleUnpackRetryMinimumIntervalAnnotationKey = "operatorframework.io/bundle-unpack-min-retry-interval"
 
-	// bundleUnpackRefLabel is used to filter for all unpack jobs for a specific bundle.
-	bundleUnpackRefLabel = "operatorframework.io/bundle-unpack-ref"
+	// BundleUnpackRefLabel is used to filter for all unpack jobs or pods for a specific bundle.
+	BundleUnpackRefLabel = "operatorframework.io/bundle-unpack-ref"
 )
 
 type BundleUnpackResult struct {
@@ -98,7 +98,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 		ObjectMeta: metav1.ObjectMeta{
 			Labels: map[string]string{
 				install.OLMManagedLabelKey: install.OLMManagedLabelValue,
-				bundleUnpackRefLabel:       cmRef.Name,
+				BundleUnpackRefLabel:       cmRef.Name,
 			},
 		},
 		Spec: batchv1.JobSpec{
@@ -108,6 +108,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 					Name: cmRef.Name,
 					Labels: map[string]string{
 						install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+						BundleUnpackRefLabel:       cmRef.Name,
 					},
 				},
 				Spec: corev1.PodSpec{
@@ -665,7 +666,7 @@ func (c *ConfigMapUnpacker) ensureConfigmap(csRef *corev1.ObjectReference, name
 func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (job *batchv1.Job, err error) {
 	fresh := c.job(cmRef, bundlePath, secrets, timeout)
 	var jobs, toDelete []*batchv1.Job
-	jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name})
+	jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{BundleUnpackRefLabel: cmRef.Name})
 	if err != nil {
 		return
 	}
@@ -676,7 +677,7 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath
 		return
 	}
 	if jobWithoutLabel != nil {
-		_, labelExists := jobWithoutLabel.Labels[bundleUnpackRefLabel]
+		_, labelExists := jobWithoutLabel.Labels[BundleUnpackRefLabel]
 		if !labelExists {
 			jobs = append(jobs, jobWithoutLabel)
 		}

pkg/controller/bundle/bundle_unpacker_test.go

@@ -208,7 +208,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      pathHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: pathHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: pathHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -225,8 +225,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   pathHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: pathHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       pathHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy:    corev1.RestartPolicyNever,
@@ -444,7 +447,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      digestHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: digestHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: digestHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -460,8 +463,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   digestHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: digestHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       digestHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
@@ -718,7 +724,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      digestHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: digestHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: digestHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -734,8 +740,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   digestHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: digestHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       digestHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
@@ -987,7 +996,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      pathHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: pathHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: pathHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -1003,8 +1012,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   pathHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: pathHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       pathHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
@@ -1242,8 +1254,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   pathHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: pathHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       pathHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
@@ -1494,8 +1509,11 @@ func TestConfigMapUnpacker(t *testing.T) {
 							BackoffLimit:          &backoffLimit,
 							Template: corev1.PodTemplateSpec{
 								ObjectMeta: metav1.ObjectMeta{
-									Name:   pathHash,
-									Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue},
+									Name: pathHash,
+									Labels: map[string]string{
+										install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+										BundleUnpackRefLabel:       pathHash,
+									},
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
@@ -1990,7 +2008,7 @@ func TestSortUnpackJobs(t *testing.T) {
 		return &batchv1.Job{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:   name,
-				Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: "test"},
+				Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: "test"},
 			},
 			Status: batchv1.JobStatus{
 				Conditions: conditions,
@@ -2000,7 +2018,7 @@ func TestSortUnpackJobs(t *testing.T) {
 	nilConditionJob := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   "nc",
-			Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: "test"},
+			Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: "test"},
 		},
 		Status: batchv1.JobStatus{
 			Conditions: nil,

pkg/controller/operators/catalog/operator_test.go

@@ -1277,10 +1277,11 @@ func TestSyncCatalogSources(t *testing.T) {
 				pod(t, *grpcCatalog),
 				service(grpcCatalog.GetName(), grpcCatalog.GetNamespace()),
 				serviceAccount(grpcCatalog.GetName(), grpcCatalog.GetNamespace(), "", objectReference("init secret")),
-				networkPolicy(grpcCatalog, map[string]string{
+				grpcServerNetworkPolicy(grpcCatalog, map[string]string{
 					reconciler.CatalogSourceLabelKey: grpcCatalog.GetName(),
 					install.OLMManagedLabelKey:       install.OLMManagedLabelValue,
 				}),
+				unpackBundlesNetworkPolicy(grpcCatalog),
 			},
 			existingSources: []sourceAddress{
 				{
@@ -2335,8 +2336,11 @@ func configMap(name, namespace string) *corev1.ConfigMap {
 	}
 }
 
-func networkPolicy(catSrc *v1alpha1.CatalogSource, matchLabels map[string]string) *networkingv1.NetworkPolicy {
-	return reconciler.DesiredRegistryNetworkPolicy(catSrc, matchLabels)
+func grpcServerNetworkPolicy(catSrc *v1alpha1.CatalogSource, matchLabels map[string]string) *networkingv1.NetworkPolicy {
+	return reconciler.DesiredGRPCServerNetworkPolicy(catSrc, matchLabels)
+}
+func unpackBundlesNetworkPolicy(catSrc *v1alpha1.CatalogSource) *networkingv1.NetworkPolicy {
+	return reconciler.DesiredUnpackBundlesNetworkPolicy(catSrc)
 }
 
 func objectReference(name string) *corev1.ObjectReference {

pkg/controller/registry/reconciler/configmap.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
 	hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -20,6 +19,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorlister"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
@@ -122,8 +122,13 @@ func (s *configMapCatalogSourceDecorator) Pod(image string, defaultPodSecurityCo
 	ownerutil.AddOwner(pod, s.CatalogSource, false, true)
 	return pod, nil
 }
-func (s *configMapCatalogSourceDecorator) NetworkPolicy() *networkingv1.NetworkPolicy {
-	return DesiredRegistryNetworkPolicy(s.CatalogSource, s.Labels())
+
+func (s *configMapCatalogSourceDecorator) GRPCServerNetworkPolicy() *networkingv1.NetworkPolicy {
+	return DesiredGRPCServerNetworkPolicy(s.CatalogSource, s.Labels())
+}
+
+func (s *configMapCatalogSourceDecorator) UnpackBundlesNetworkPolicy() *networkingv1.NetworkPolicy {
+	return DesiredUnpackBundlesNetworkPolicy(s.CatalogSource)
 }
 
 func (s *configMapCatalogSourceDecorator) ServiceAccount() *corev1.ServiceAccount {
@@ -214,11 +219,21 @@ func (c *ConfigMapRegistryReconciler) currentService(source configMapCatalogSour
 	return service, nil
 }
 
-func (c *ConfigMapRegistryReconciler) currentNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
-	npName := source.NetworkPolicy().GetName()
+func (c *ConfigMapRegistryReconciler) currentGRPCServerNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
+	npName := source.GRPCServerNetworkPolicy().GetName()
 	np, err := c.Lister.NetworkingV1().NetworkPolicyLister().NetworkPolicies(source.GetNamespace()).Get(npName)
 	if err != nil {
-		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find network policy in cache")
+		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find grpc server network policy in cache")
+		return nil
+	}
+	return np
+}
+
+func (c *ConfigMapRegistryReconciler) currentUnpackBundlesNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
+	npName := source.UnpackBundlesNetworkPolicy().GetName()
+	np, err := c.Lister.NetworkingV1().NetworkPolicyLister().NetworkPolicies(source.GetNamespace()).Get(npName)
+	if err != nil {
+		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find unpack bundles network policy in cache")
 		return nil
 	}
 	return np
@@ -342,8 +357,11 @@ func (c *ConfigMapRegistryReconciler) EnsureRegistryServer(logger *logrus.Entry,
 	}
 
 	//TODO: if any of these error out, we should write a status back (possibly set RegistryServiceStatus to nil so they get recreated)
-	if err := c.ensureNetworkPolicy(source); err != nil {
-		return pkgerrors.Wrapf(err, "error ensuring network policy: %s", source.GetName())
+	if err := c.ensureGRPCServerNetworkPolicy(source); err != nil {
+		return pkgerrors.Wrapf(err, "error ensuring grpc server network policy: %s", source.GetName())
+	}
+	if err := c.ensureUnpackBundlesNetworkPolicy(source); err != nil {
+		return pkgerrors.Wrapf(err, "error ensuring unpack bundles network policy: %s", source.GetName())
 	}
 	if err := c.ensureServiceAccount(source, overwrite); err != nil {
 		return pkgerrors.Wrapf(err, "error ensuring service account: %s", source.serviceAccountName())
@@ -382,17 +400,28 @@ func (c *ConfigMapRegistryReconciler) EnsureRegistryServer(logger *logrus.Entry,
 	return nil
 }
 
-func (c *ConfigMapRegistryReconciler) ensureNetworkPolicy(source configMapCatalogSourceDecorator) error {
-	networkPolicy := source.NetworkPolicy()
-	if currentNetworkPolicy := c.currentNetworkPolicy(source); currentNetworkPolicy != nil {
-		if sanitizedDeepEqual(networkPolicy, currentNetworkPolicy) {
+func (c *ConfigMapRegistryReconciler) ensureGRPCServerNetworkPolicy(source configMapCatalogSourceDecorator) error {
+	desired := source.GRPCServerNetworkPolicy()
+	current := c.currentGRPCServerNetworkPolicy(source)
+	return c.ensureNetworkPolicy(desired, current)
+}
+
+func (c *ConfigMapRegistryReconciler) ensureUnpackBundlesNetworkPolicy(source configMapCatalogSourceDecorator) error {
+	desired := source.UnpackBundlesNetworkPolicy()
+	current := c.currentUnpackBundlesNetworkPolicy(source)
+	return c.ensureNetworkPolicy(desired, current)
+}
+
+func (c *ConfigMapRegistryReconciler) ensureNetworkPolicy(desired, current *networkingv1.NetworkPolicy) error {
+	if current != nil {
+		if isExpectedNetworkPolicy(desired, current) {
 			return nil
 		}
-		if err := c.OpClient.DeleteNetworkPolicy(networkPolicy.GetNamespace(), networkPolicy.GetName(), metav1.NewDeleteOptions(0)); err != nil && !apierrors.IsNotFound(err) {
+		if err := c.OpClient.DeleteNetworkPolicy(current.GetNamespace(), current.GetName(), metav1.NewDeleteOptions(0)); err != nil && !apierrors.IsNotFound(err) {
 			return err
 		}
 	}
-	_, err := c.OpClient.CreateNetworkPolicy(networkPolicy)
+	_, err := c.OpClient.CreateNetworkPolicy(desired)
 	return err
 }
 
@@ -528,14 +557,26 @@ func (c *ConfigMapRegistryReconciler) CheckRegistryServer(logger *logrus.Entry,
 	// Check on registry resources
 	// TODO: more complex checks for resources
 	// TODO: add gRPC health check
-	np := c.currentNetworkPolicy(source)
+	np := c.currentGRPCServerNetworkPolicy(source)
+	if np == nil {
+		logger.Error("registry service not healthy: could not get grpc server network policy")
+		healthy = false
+		return
+	}
+	if !isExpectedNetworkPolicy(source.GRPCServerNetworkPolicy(), np) {
+		logger.Error("registry service not healthy: unexpected grpc server network policy")
+		healthy = false
+		return
+	}
+
+	np = c.currentUnpackBundlesNetworkPolicy(source)
 	if np == nil {
-		logger.Error("registry service not healthy: could not get network policy")
+		logger.Error("registry service not healthy: could not get unpack bundles network policy")
 		healthy = false
 		return
 	}
-	if !sanitizedDeepEqual(source.NetworkPolicy(), np) {
-		logger.Error("registry service not healthy: unexpected network policy")
+	if !isExpectedNetworkPolicy(source.UnpackBundlesNetworkPolicy(), np) {
+		logger.Error("registry service not healthy: unexpected unpack bundles network policy")
 		healthy = false
 		return
 	}