add network policy for bundle unpack pods

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

pkg/controller/bundle/bundle_unpacker.go

@@ -48,8 +48,8 @@ const (
 	// attempting to recreate a failed unpack job for a bundle.
 	BundleUnpackRetryMinimumIntervalAnnotationKey = "operatorframework.io/bundle-unpack-min-retry-interval"
 
-	// bundleUnpackRefLabel is used to filter for all unpack jobs for a specific bundle.
-	bundleUnpackRefLabel = "operatorframework.io/bundle-unpack-ref"
+	// BundleUnpackRefLabel is used to filter for all unpack jobs or pods for a specific bundle.
+	BundleUnpackRefLabel = "operatorframework.io/bundle-unpack-ref"
 )
 
 type BundleUnpackResult struct {
@@ -98,7 +98,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 		ObjectMeta: metav1.ObjectMeta{
 			Labels: map[string]string{
 				install.OLMManagedLabelKey: install.OLMManagedLabelValue,
-				bundleUnpackRefLabel:       cmRef.Name,
+				BundleUnpackRefLabel:       cmRef.Name,
 			},
 		},
 		Spec: batchv1.JobSpec{
@@ -108,6 +108,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 					Name: cmRef.Name,
 					Labels: map[string]string{
 						install.OLMManagedLabelKey: install.OLMManagedLabelValue,
+						BundleUnpackRefLabel:       cmRef.Name,
 					},
 				},
 				Spec: corev1.PodSpec{
@@ -665,7 +666,7 @@ func (c *ConfigMapUnpacker) ensureConfigmap(csRef *corev1.ObjectReference, name
 func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (job *batchv1.Job, err error) {
 	fresh := c.job(cmRef, bundlePath, secrets, timeout)
 	var jobs, toDelete []*batchv1.Job
-	jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name})
+	jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{BundleUnpackRefLabel: cmRef.Name})
 	if err != nil {
 		return
 	}
@@ -676,7 +677,7 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath
 		return
 	}
 	if jobWithoutLabel != nil {
-		_, labelExists := jobWithoutLabel.Labels[bundleUnpackRefLabel]
+		_, labelExists := jobWithoutLabel.Labels[BundleUnpackRefLabel]
 		if !labelExists {
 			jobs = append(jobs, jobWithoutLabel)
 		}

pkg/controller/bundle/bundle_unpacker_test.go

@@ -208,7 +208,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      pathHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: pathHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: pathHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -444,7 +444,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      digestHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: digestHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: digestHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -718,7 +718,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      digestHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: digestHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: digestHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -987,7 +987,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      pathHash,
 							Namespace: "ns-a",
-							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: pathHash},
+							Labels:    map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: pathHash},
 							OwnerReferences: []metav1.OwnerReference{
 								{
 									APIVersion:         "v1",
@@ -1990,7 +1990,7 @@ func TestSortUnpackJobs(t *testing.T) {
 		return &batchv1.Job{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:   name,
-				Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: "test"},
+				Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: "test"},
 			},
 			Status: batchv1.JobStatus{
 				Conditions: conditions,
@@ -2000,7 +2000,7 @@ func TestSortUnpackJobs(t *testing.T) {
 	nilConditionJob := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   "nc",
-			Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, bundleUnpackRefLabel: "test"},
+			Labels: map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue, BundleUnpackRefLabel: "test"},
 		},
 		Status: batchv1.JobStatus{
 			Conditions: nil,

pkg/controller/operators/catalog/operator_test.go

@@ -1277,10 +1277,11 @@ func TestSyncCatalogSources(t *testing.T) {
 				pod(t, *grpcCatalog),
 				service(grpcCatalog.GetName(), grpcCatalog.GetNamespace()),
 				serviceAccount(grpcCatalog.GetName(), grpcCatalog.GetNamespace(), "", objectReference("init secret")),
-				networkPolicy(grpcCatalog, map[string]string{
+				grpcServerNetworkPolicy(grpcCatalog, map[string]string{
 					reconciler.CatalogSourceLabelKey: grpcCatalog.GetName(),
 					install.OLMManagedLabelKey:       install.OLMManagedLabelValue,
 				}),
+				unpackBundlesNetworkPolicy(grpcCatalog),
 			},
 			existingSources: []sourceAddress{
 				{
@@ -2335,8 +2336,11 @@ func configMap(name, namespace string) *corev1.ConfigMap {
 	}
 }
 
-func networkPolicy(catSrc *v1alpha1.CatalogSource, matchLabels map[string]string) *networkingv1.NetworkPolicy {
-	return reconciler.DesiredRegistryNetworkPolicy(catSrc, matchLabels)
+func grpcServerNetworkPolicy(catSrc *v1alpha1.CatalogSource, matchLabels map[string]string) *networkingv1.NetworkPolicy {
+	return reconciler.DesiredGRPCServerNetworkPolicy(catSrc, matchLabels)
+}
+func unpackBundlesNetworkPolicy(catSrc *v1alpha1.CatalogSource) *networkingv1.NetworkPolicy {
+	return reconciler.DesiredUnpackBundlesNetworkPolicy(catSrc)
 }
 
 func objectReference(name string) *corev1.ObjectReference {

pkg/controller/registry/reconciler/configmap.go

@@ -122,8 +122,13 @@ func (s *configMapCatalogSourceDecorator) Pod(image string, defaultPodSecurityCo
 	ownerutil.AddOwner(pod, s.CatalogSource, false, true)
 	return pod, nil
 }
-func (s *configMapCatalogSourceDecorator) NetworkPolicy() *networkingv1.NetworkPolicy {
-	return DesiredRegistryNetworkPolicy(s.CatalogSource, s.Labels())
+
+func (s *configMapCatalogSourceDecorator) GRPCServerNetworkPolicy() *networkingv1.NetworkPolicy {
+	return DesiredGRPCServerNetworkPolicy(s.CatalogSource, s.Labels())
+}
+
+func (s *configMapCatalogSourceDecorator) UnpackBundlesNetworkPolicy() *networkingv1.NetworkPolicy {
+	return DesiredUnpackBundlesNetworkPolicy(s.CatalogSource)
 }
 
 func (s *configMapCatalogSourceDecorator) ServiceAccount() *corev1.ServiceAccount {
@@ -214,11 +219,21 @@ func (c *ConfigMapRegistryReconciler) currentService(source configMapCatalogSour
 	return service, nil
 }
 
-func (c *ConfigMapRegistryReconciler) currentNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
-	npName := source.NetworkPolicy().GetName()
+func (c *ConfigMapRegistryReconciler) currentGRPCServerNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
+	npName := source.GRPCServerNetworkPolicy().GetName()
+	np, err := c.Lister.NetworkingV1().NetworkPolicyLister().NetworkPolicies(source.GetNamespace()).Get(npName)
+	if err != nil {
+		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find grpc server network policy in cache")
+		return nil
+	}
+	return np
+}
+
+func (c *ConfigMapRegistryReconciler) currentUnpackBundlesNetworkPolicy(source configMapCatalogSourceDecorator) *networkingv1.NetworkPolicy {
+	npName := source.UnpackBundlesNetworkPolicy().GetName()
 	np, err := c.Lister.NetworkingV1().NetworkPolicyLister().NetworkPolicies(source.GetNamespace()).Get(npName)
 	if err != nil {
-		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find network policy in cache")
+		logrus.WithField("networkPolicy", npName).WithError(err).Debug("couldn't find unpack bundles network policy in cache")
 		return nil
 	}
 	return np
@@ -342,8 +357,11 @@ func (c *ConfigMapRegistryReconciler) EnsureRegistryServer(logger *logrus.Entry,
 	}
 
 	//TODO: if any of these error out, we should write a status back (possibly set RegistryServiceStatus to nil so they get recreated)
-	if err := c.ensureNetworkPolicy(source); err != nil {
-		return pkgerrors.Wrapf(err, "error ensuring network policy: %s", source.GetName())
+	if err := c.ensureGRPCServerNetworkPolicy(source); err != nil {
+		return pkgerrors.Wrapf(err, "error ensuring grpc server network policy: %s", source.GetName())
+	}
+	if err := c.ensureUnpackBundlesNetworkPolicy(source); err != nil {
+		return pkgerrors.Wrapf(err, "error ensuring unpack bundles network policy: %s", source.GetName())
 	}
 	if err := c.ensureServiceAccount(source, overwrite); err != nil {
 		return pkgerrors.Wrapf(err, "error ensuring service account: %s", source.serviceAccountName())
@@ -382,17 +400,28 @@ func (c *ConfigMapRegistryReconciler) EnsureRegistryServer(logger *logrus.Entry,
 	return nil
 }
 
-func (c *ConfigMapRegistryReconciler) ensureNetworkPolicy(source configMapCatalogSourceDecorator) error {
-	networkPolicy := source.NetworkPolicy()
-	if currentNetworkPolicy := c.currentNetworkPolicy(source); currentNetworkPolicy != nil {
-		if sanitizedDeepEqual(networkPolicy, currentNetworkPolicy) {
+func (c *ConfigMapRegistryReconciler) ensureGRPCServerNetworkPolicy(source configMapCatalogSourceDecorator) error {
+	desired := source.GRPCServerNetworkPolicy()
+	current := c.currentGRPCServerNetworkPolicy(source)
+	return c.ensureNetworkPolicy(desired, current)
+}
+
+func (c *ConfigMapRegistryReconciler) ensureUnpackBundlesNetworkPolicy(source configMapCatalogSourceDecorator) error {
+	desired := source.UnpackBundlesNetworkPolicy()
+	current := c.currentUnpackBundlesNetworkPolicy(source)
+	return c.ensureNetworkPolicy(desired, current)
+}
+
+func (c *ConfigMapRegistryReconciler) ensureNetworkPolicy(desired, current *networkingv1.NetworkPolicy) error {
+	if current != nil {
+		if sanitizedDeepEqual(desired, current) {
 			return nil
 		}
-		if err := c.OpClient.DeleteNetworkPolicy(networkPolicy.GetNamespace(), networkPolicy.GetName(), metav1.NewDeleteOptions(0)); err != nil && !apierrors.IsNotFound(err) {
+		if err := c.OpClient.DeleteNetworkPolicy(current.GetNamespace(), current.GetName(), metav1.NewDeleteOptions(0)); err != nil && !apierrors.IsNotFound(err) {
 			return err
 		}
 	}
-	_, err := c.OpClient.CreateNetworkPolicy(networkPolicy)
+	_, err := c.OpClient.CreateNetworkPolicy(desired)
 	return err
 }
 
@@ -528,14 +557,26 @@ func (c *ConfigMapRegistryReconciler) CheckRegistryServer(logger *logrus.Entry,
 	// Check on registry resources
 	// TODO: more complex checks for resources
 	// TODO: add gRPC health check
-	np := c.currentNetworkPolicy(source)
+	np := c.currentGRPCServerNetworkPolicy(source)
+	if np == nil {
+		logger.Error("registry service not healthy: could not get grpc server network policy")
+		healthy = false
+		return
+	}
+	if !sanitizedDeepEqual(source.GRPCServerNetworkPolicy(), np) {
+		logger.Error("registry service not healthy: unexpected grpc server network policy")
+		healthy = false
+		return
+	}
+
+	np = c.currentUnpackBundlesNetworkPolicy(source)
 	if np == nil {
-		logger.Error("registry service not healthy: could not get network policy")
+		logger.Error("registry service not healthy: could not get unpack bundles network policy")
 		healthy = false
 		return
 	}
-	if !sanitizedDeepEqual(source.NetworkPolicy(), np) {
-		logger.Error("registry service not healthy: unexpected network policy")
+	if !sanitizedDeepEqual(source.UnpackBundlesNetworkPolicy(), np) {
+		logger.Error("registry service not healthy: unexpected unpack bundles network policy")
 		healthy = false
 		return
 	}

pkg/controller/registry/reconciler/configmap_test.go

@@ -199,7 +199,8 @@ func objectsForCatalogSource(t *testing.T, catsrc *v1alpha1.CatalogSource) []run
 	switch catsrc.Spec.SourceType {
 	case v1alpha1.SourceTypeInternal, v1alpha1.SourceTypeConfigmap:
 		decorated := configMapCatalogSourceDecorator{catsrc, runAsUser}
-		np := decorated.NetworkPolicy()
+		grpcServerNetworkPolicy := decorated.GRPCServerNetworkPolicy()
+		unpackBundlesNetworkPolicy := decorated.UnpackBundlesNetworkPolicy()
 		service, err := decorated.Service()
 		if err != nil {
 			t.Fatal(err)
@@ -210,15 +211,17 @@ func objectsForCatalogSource(t *testing.T, catsrc *v1alpha1.CatalogSource) []run
 			t.Fatal(err)
 		}
 		objs = append(objs,
-			np,
+			grpcServerNetworkPolicy,
+			unpackBundlesNetworkPolicy,
 			pod,
 			service,
 			serviceAccount,
 		)
 	case v1alpha1.SourceTypeGrpc:
 		if catsrc.Spec.Image != "" {
 			decorated := grpcCatalogSourceDecorator{CatalogSource: catsrc, createPodAsUser: runAsUser, opmImage: ""}
-			np := decorated.NetworkPolicy()
+			grpcServerNetworkPolicy := decorated.GRPCServerNetworkPolicy()
+			unpackBundlesNetworkPolicy := decorated.UnpackBundlesNetworkPolicy()
 			serviceAccount := decorated.ServiceAccount()
 			service, err := decorated.Service()
 			if err != nil {
@@ -229,7 +232,8 @@ func objectsForCatalogSource(t *testing.T, catsrc *v1alpha1.CatalogSource) []run
 				t.Fatal(err)
 			}
 			objs = append(objs,
-				np,
+				grpcServerNetworkPolicy,
+				unpackBundlesNetworkPolicy,
 				pod,
 				service,
 				serviceAccount,
@@ -351,7 +355,7 @@ func TestConfigMapRegistryReconciler(t *testing.T) {
 			},
 		},
 		{
-			testName: "ExistingRegistry/BadNetworkPolicy",
+			testName: "ExistingRegistry/BadNetworkPolicies",
 			in: in{
 				cluster: cluster{
 					k8sObjs: append(setLabel(objectsForCatalogSource(t, validCatalogSource), &networkingv1.NetworkPolicy{}, CatalogSourceLabelKey, "wrongValue"), validConfigMap),
@@ -530,10 +534,15 @@ func TestConfigMapRegistryReconciler(t *testing.T) {
 			require.Equal(t, pod.GetLabels(), outPod.GetLabels())
 			require.Equal(t, pod.Spec, outPod.Spec)
 
-			np := decorated.NetworkPolicy()
-			outNp, err := client.KubernetesInterface().NetworkingV1().NetworkPolicies(np.GetNamespace()).Get(context.TODO(), np.GetName(), metav1.GetOptions{})
+			grpcServerNetworkPolicy := decorated.GRPCServerNetworkPolicy()
+			outGrpcServerNetworkPolicy, err := client.KubernetesInterface().NetworkingV1().NetworkPolicies(grpcServerNetworkPolicy.GetNamespace()).Get(context.TODO(), grpcServerNetworkPolicy.GetName(), metav1.GetOptions{})
 			require.NoError(t, err)
-			require.Equal(t, np, outNp)
+			require.Equal(t, grpcServerNetworkPolicy, outGrpcServerNetworkPolicy)
+
+			unpackBundlesNetworkPolicy := decorated.UnpackBundlesNetworkPolicy()
+			outUnpackBundlesNetworkPolicy, err := client.KubernetesInterface().NetworkingV1().NetworkPolicies(unpackBundlesNetworkPolicy.GetNamespace()).Get(context.TODO(), unpackBundlesNetworkPolicy.GetName(), metav1.GetOptions{})
+			require.NoError(t, err)
+			require.Equal(t, unpackBundlesNetworkPolicy, outUnpackBundlesNetworkPolicy)
 
 			service, err := decorated.Service()
 			require.NoError(t, err)