Templates for InstallPlan Approver (#82)

* * Added templates for InstallPlan Approver * Added a small tweak to OperatorHub templates to allow picking specific version of operator * Changed filenames fro yaml to yml
redhat-cop · Jun 3, 2021 · 7979fd7 · 7979fd7
1 parent b4311a2
commit 7979fd7
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 0 deletions.
diff --git a/installplan-approver/installplan-approver-job-template.yml b/installplan-approver/installplan-approver-job-template.yml
@@ -0,0 +1,58 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+message: |-
+  The following Job has been created: ${NAME}
+metadata:
+  name: installplan-approver-job-template
+objects:
+- apiVersion: batch/v1
+  kind: Job
+  metadata:
+    name: ${NAME}
+    namespace: ${TARGET_NAMESPACE}
+  spec:
+    template:
+      spec:
+        containers:
+          - image: registry.redhat.io/openshift4/ose-cli:v4.4
+            command:
+              - /bin/bash
+              - -c
+              - |
+                export HOME=/tmp/approver
+                echo "Approving operator install.  Waiting a few seconds to make sure the InstallPlan gets created first."
+                sleep $SLEEP
+                oc project $NAMESPACE
+                for subscription in `oc get subscriptions.operators.coreos.com -o jsonpath='{.items[0].metadata.name}'`
+                do
+                  echo "Processing subscription '$subscription'"
+                  installplan=$(oc get subscriptions.operators.coreos.com --field-selector metadata.name=${subscription} -o jsonpath='{.items[0].status.installPlanRef.name}')
+                  echo "Check installplan approved status"
+                  oc get installplan $installplan -o jsonpath="{.spec.approved}"
+                  if [ "`oc get installplan $installplan -o jsonpath="{.spec.approved}"`" == "false" ]; then
+                    echo "Approving Subscription $subscription with install plan $installplan"
+                    oc patch installplan $installplan --type=json -p='[{"op":"replace","path": "/spec/approved", "value": true}]'
+                  else
+                    echo "Install Plan '$installplan' already approved"
+                  fi
+                done
+            imagePullPolicy: Always
+            name: installplan-approver
+            env:
+            - name: SLEEP
+              value: "20"
+            - name: NAMESPACE
+              value: ${TARGET_NAMESPACE}
+        dnsPolicy: ClusterFirst
+        restartPolicy: OnFailure
+        serviceAccount: installplan-approver-job
+        serviceAccountName: installplan-approver-job
+        terminationGracePeriodSeconds: 30
+parameters:
+- name: NAME
+  required: true
+  description: Name of the Job to create
+- name: TARGET_NAMESPACE
+  required: true
+  description: A namespace for the Job to target
diff --git a/installplan-approver/installplan-approver-role-binding-template.yml b/installplan-approver/installplan-approver-role-binding-template.yml
@@ -0,0 +1,30 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+message: |-
+  The following RoleBinding has been created: ${NAME}
+metadata:
+  name: rolebinding-template
+objects:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: ${NAME}
+    namespace: ${TARGET_NAMESPACE}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: ${NAME}
+  subjects:
+    - kind: ServiceAccount
+      name: ${SUBJECT_NAME}
+parameters:
+- name: NAME
+  required: true
+  description: Name of the RoleBinding to create
+- name: TARGET_NAMESPACE
+  required: true
+  description: A namespace for the RoleBinding to target
+- name: SUBJECT_NAME
+  required: true 
+  description: A subject name for a RoleBinding 
diff --git a/installplan-approver/installplan-approver-role-template.yml b/installplan-approver/installplan-approver-role-template.yml
@@ -0,0 +1,30 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+message: |-
+  The following Role has been created: ${NAME}
+metadata:
+  name: operatorgroup-template
+objects:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: ${NAME}
+    namespace: ${TARGET_NAMESPACE}
+  rules:
+    - apiGroups:
+        - operators.coreos.com
+      resources:
+        - installplans
+        - subscriptions
+      verbs:
+        - get
+        - list
+        - patch
+parameters:
+- name: NAME
+  required: true
+  description: Name of the Role to create
+- name: TARGET_NAMESPACE
+  required: true
+  description: A namespace for the Role to target
diff --git a/operatorhub/subscription.yml b/operatorhub/subscription.yml
@@ -16,6 +16,7 @@ objects:
     name: ${OPERATOR_NAME}
     source: ${CATALOG_SOURCE_NAME}
     sourceNamespace: ${OPERATOR_NAMESPACE}
+    startingCSV: ${OPERATOR_VERSION}
 parameters:
 - name: NAME
   required: true
@@ -35,3 +36,6 @@ parameters:
 - name: CATALOG_SOURCE_NAME
   required: true
   description: Name of the catalog source item that was created
+- name: OPERATOR_VERSION
+  required: false
+  description: Version of the operator to be deployed