Clean up v3 leftover resources (#2267)

* delete webhook and secretshare Signed-off-by: YuChen <[email protected]> * delete webhook configurations Signed-off-by: YuChen <[email protected]> * delete all the resources from services namesapce Signed-off-by: YuChen <[email protected]> * delete webhook and secretshare related resources Signed-off-by: YuChen <[email protected]> * add SA, Roles, Rolebindings cluster scope permission Signed-off-by: YuChen <[email protected]> * delete podpreset and update its permission Signed-off-by: YuChen <[email protected]> * correct role and clusterole Signed-off-by: YuChen <[email protected]> --------- Signed-off-by: YuChen <[email protected]>
IBM · Oct 31, 2024 · a0cf4d3 · a0cf4d3
1 parent bcbd0ec
commit a0cf4d3
Show file tree

Hide file tree

Showing 5 changed files with 263 additions and 5 deletions.
diff --git a/bundle/manifests/ibm-common-service-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-common-service-operator.clusterserviceversion.yaml
@@ -23,7 +23,7 @@ metadata:
     capabilities: Seamless Upgrades
     cloudPakThemesVersion: styles467.css
     containerImage: icr.io/cpopen/common-service-operator:latest
-    createdAt: "2024-04-11T02:45:28Z"
+    createdAt: "2024-10-31T05:22:07Z"
     description: The IBM Cloud Pak foundational services operator is used to deploy IBM foundational services.
     nss.operator.ibm.com/managed-operators: ibm-common-service-operator
     nss.operator.ibm.com/managed-webhooks: ""
@@ -309,6 +309,19 @@ spec:
                 - infrastructures
               verbs:
                 - get
+            - apiGroups:
+                - rbac.authorization.k8s.io
+              resources:
+                - clusterrolebindings
+                - clusterroles
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
           serviceAccountName: ibm-common-service-operator
       deployments:
         - label:
@@ -453,6 +466,7 @@ spec:
                 - statefulsets
                 - daemonsets
               verbs:
+                - delete
                 - get
                 - list
                 - patch
@@ -554,6 +568,51 @@ spec:
                 - elasticstacks
               verbs:
                 - delete
+            - apiGroups:
+                - ""
+              resources:
+                - serviceaccounts
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
+            - apiGroups:
+                - rbac.authorization.k8s.io
+              resources:
+                - rolebindings
+                - roles
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
+            - apiGroups:
+                - operator.ibm.com
+              resources:
+                - podpresets
+              verbs:
+                - get
+                - delete
+                - list
+            - apiGroups:
+                - ibmcpcs.ibm.com
+              resources:
+                - secretshares
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
           serviceAccountName: ibm-common-service-operator
     strategy: deployment
   installModes:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -66,6 +66,19 @@ rules:
   - config.openshift.io
   resources:
   - infrastructures
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -108,6 +121,7 @@ rules:
   - statefulsets
   - daemonsets
   verbs:
+  - delete
   - get
   - list
   - patch
@@ -212,3 +226,49 @@ rules:
   - elasticstacks
   verbs:
   - delete
+# Delete ServiceAccount, RoleBinding, Role, secretshares
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - operator.ibm.com
+  verbs:
+  - get
+  - delete
+  - list
+  resources:
+  - podpresets
+- apiGroups:
+  - ibmcpcs.ibm.com
+  resources:
+  - secretshares
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/controllers/bootstrap/init.go b/controllers/bootstrap/init.go
@@ -29,7 +29,10 @@ import (
 	utilyaml "github.com/ghodss/yaml"
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"golang.org/x/mod/semver"
+	admv1 "k8s.io/api/admissionregistration/v1"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -52,6 +55,7 @@ import (
 	"github.com/IBM/ibm-common-service-operator/controllers/constant"
 	"github.com/IBM/ibm-common-service-operator/controllers/deploy"
 	nssv1 "github.com/IBM/ibm-namespace-scope-operator/v4/api/v1"
+	ssv1 "github.com/IBM/ibm-secretshare-operator/api/v1"
 	odlm "github.com/IBM/operand-deployment-lifecycle-manager/v4/api/v1alpha1"
 
 	certmanagerv1 "github.com/ibm/ibm-cert-manager-operator/apis/cert-manager/v1"
@@ -197,6 +201,13 @@ func (b *Bootstrap) InitResources(instance *apiv3.CommonService, forceUpdateODLM
 		return err
 	}
 
+	mutatingWebhooks := []string{constant.CSWebhookConfig, constant.OperanReqConfig}
+	validatingWebhooks := []string{constant.CSMappingConfig}
+	if err := b.DeleteV3Resources(mutatingWebhooks, validatingWebhooks); err != nil {
+		klog.Errorf("Failed to delete v3 resources: %v", err)
+		return err
+	}
+
 	// Backward compatible for All Namespace Installation Mode upgrade
 	// Uninstall ODLM in servicesNamespace(ibm-common-services)
 	if b.CSData.CPFSNs != b.CSData.ServicesNs {
@@ -841,6 +852,124 @@ func (b *Bootstrap) CreateKeycloakThemesConfigMap() error {
 	return nil
 }
 
+func (b *Bootstrap) DeleteV3Resources(mutatingWebhooks, validatingWebhooks []string) error {
+
+	// Delete the list of MutatingWebhookConfigurations
+	for _, webhook := range mutatingWebhooks {
+		if err := b.deleteResource(&admv1.MutatingWebhookConfiguration{}, webhook, "", "MutatingWebhookConfiguration"); err != nil {
+			return err
+		}
+	}
+
+	// Delete the list of ValidatingWebhookConfiguration
+	for _, webhook := range validatingWebhooks {
+		if err := b.deleteResource(&admv1.ValidatingWebhookConfiguration{}, webhook, "", "ValidatingWebhookConfiguration"); err != nil {
+			return err
+		}
+	}
+
+	if err := b.deleteWebhookResources(); err != nil {
+		klog.Errorf("Error deleting webhook resources: %v", err)
+	}
+
+	if err := b.deleteSecretShareResources(); err != nil {
+		klog.Errorf("Error deleting secretshare resources: %v", err)
+	}
+	return nil
+}
+
+// deleteWebhookResources deletes resources related to ibm-common-service-webhook
+func (b *Bootstrap) deleteWebhookResources() error {
+	// Delete PodPreset (CR)
+	if err := b.deleteResource(&unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "operator.ibm.com/v1alpha1",
+			"kind":       "PodPreset",
+		},
+	}, constant.WebhookServiceName, b.CSData.ServicesNs, "PodPreset"); err != nil {
+		return err
+	}
+
+	// Delete ServiceAccount
+	if err := b.deleteResource(&corev1.ServiceAccount{}, constant.WebhookServiceName, b.CSData.ServicesNs, "ServiceAccount"); err != nil {
+		return err
+	}
+
+	// Delete Roles and RoleBindings
+	if err := b.deleteResource(&rbacv1.Role{}, constant.WebhookServiceName, b.CSData.ServicesNs, "Role"); err != nil {
+		return err
+	}
+
+	if err := b.deleteResource(&rbacv1.RoleBinding{}, constant.WebhookServiceName, b.CSData.ServicesNs, "RoleBinding"); err != nil {
+		return err
+	}
+
+	if err := b.deleteResource(&rbacv1.ClusterRole{}, constant.WebhookServiceName, "", "ClusterRole"); err != nil {
+		return err
+	}
+
+	if err := b.deleteResource(&rbacv1.ClusterRoleBinding{}, "ibm-common-service-webhook-"+b.CSData.ServicesNs, "", "ClusterRoleBinding"); err != nil {
+		return err
+	}
+
+	// Delete Deployment
+	if err := b.deleteResource(&appsv1.Deployment{}, constant.WebhookServiceName, b.CSData.ServicesNs, "Deployment"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// deleteSecretShareResources deletes resources related to secretshare
+func (b *Bootstrap) deleteSecretShareResources() error {
+	if err := b.deleteResource(&corev1.ServiceAccount{}, constant.Secretshare, b.CSData.ServicesNs, "ServiceAccount"); err != nil {
+		return err
+	}
+
+	// Delete SecretShare ClusterRole and ClusterRoleBinding
+	if err := b.deleteResource(&rbacv1.ClusterRole{}, constant.Secretshare, "", "ClusterRole"); err != nil {
+		return err
+	}
+
+	if err := b.deleteResource(&rbacv1.ClusterRoleBinding{}, "secretshare-"+b.CSData.ServicesNs, "", "ClusterRoleBinding"); err != nil {
+		return err
+	}
+
+	// Delete SecretShare Operator CR
+	if err := b.deleteResource(&ssv1.SecretShare{}, constant.MasterCR, b.CSData.ServicesNs, "SecretShare Operator CR"); err != nil {
+		return err
+	}
+
+	// Delete SecretShare Operator Deployment
+	if err := b.deleteResource(&appsv1.Deployment{}, constant.Secretshare, b.CSData.ServicesNs, "Deployment"); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (b *Bootstrap) deleteResource(resource client.Object, name, namespace string, resourceType string) error {
+	namespacedName := types.NamespacedName{Name: name}
+	if namespace != "" {
+		namespacedName.Namespace = namespace
+	}
+
+	if err := b.Client.Get(ctx, namespacedName, resource); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+		klog.Infof("%s %s/%s not found, skipping deletion", resourceType, namespace, name)
+		return nil
+	}
+
+	if err := b.Client.Delete(ctx, resource); err != nil {
+		klog.Errorf("Failed to delete %s %s/%s: %v", resourceType, namespace, name, err)
+		return err
+	}
+
+	klog.Infof("Successfully deleted %s %s/%s", resourceType, namespace, name)
+	return nil
+}
+
 // CreateCsMaps will create a new common-service-maps configmap if not exists
 func (b *Bootstrap) CreateCsMaps() error {
 
@@ -1141,7 +1270,7 @@ func (b *Bootstrap) IsBYOCert() (bool, error) {
 		client.MatchingLabels(
 			map[string]string{"app.kubernetes.io/instance": "cs-ca-certificate"}),
 	}
-	if certerr := b.Reader.List(ctx, certList, opts...); err != nil {
+	if certerr := b.Reader.List(ctx, certList, opts...); certerr != nil {
 		return false, certerr
 	}
 
@@ -1287,15 +1416,15 @@ func (b *Bootstrap) CleanNamespaceScopeResources() error {
 	if isOpregAPI, err := b.CheckCRD(constant.OpregAPIGroupVersion, constant.OpregKind); err != nil {
 		klog.Errorf("Failed to check if %s CRD exists: %v", constant.OpregKind, err)
 		return err
-	} else if !isOpregAPI && err == nil {
+	} else if !isOpregAPI {
 		klog.Infof("%s CRD does not exist, skip checking no-op installMode", constant.OpregKind)
-	} else if isOpregAPI && err == nil {
+	} else if isOpregAPI {
 		// Get the common-service OperandRegistry
 		operandRegistry, err := b.GetOperandRegistry(ctx, constant.MasterCR, b.CSData.ServicesNs)
 		if err != nil {
 			klog.Errorf("Failed to get common-service OperandRegistry: %v", err)
 			return err
-		} else if err == nil && operandRegistry == nil {
+		} else if operandRegistry == nil {
 			klog.Infof("The common-service OperandRegistry is not found in the %s namespace, skip cleaning the NamespaceScope resources", b.CSData.ServicesNs)
 			return nil
 		}

diff --git a/controllers/constant/constant.go b/controllers/constant/constant.go
@@ -104,6 +104,14 @@ const (
 	OpconKind = "OperandConfig"
 	// DefaultHugePageAllocation is the default huge page allocation
 	DefaultHugePageAllocation = "100Mi"
+	// WebhookServiceName is the name of the webhook service used for v3 operator
+	WebhookServiceName = "ibm-common-service-webhook"
+	// Secretshare is the name of the secretshare
+	Secretshare = "secretshare"
+	// Some WebhookConfigurations
+	CSWebhookConfig = "ibm-common-service-webhook-configuration"
+	OperanReqConfig = "ibm-operandrequest-webhook-configuration"
+	CSMappingConfig = "ibm-cs-ns-mapping-webhook-configuration"
 )
 
 // CsOg is OperatorGroup constent for the common service operator

diff --git a/main.go b/main.go
@@ -24,6 +24,7 @@ import (
 	olmv1 "github.com/operator-framework/api/pkg/operators/v1"
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	operatorsv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1"
+	admv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -66,6 +67,7 @@ func init() {
 	utilruntime.Must(nssv1.AddToScheme(scheme))
 	utilruntime.Must(ssv1.AddToScheme(scheme))
 	utilruntime.Must(operatorv3.AddToScheme(scheme))
+	utilruntime.Must(admv1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 
 	utilruntime.Must(olmv1alpha1.AddToScheme(scheme))