Add configuration flag for disabling operator CRD creation/update (#1733)

* Make CRD registration configurable and drop RBAC permissions when CRD registration is disabled * add generated deep copy functions Co-authored-by: Damian Peckett <d.peckett_admin@mgmt.innovo-cloud.de>
2022-01-13 15:20:04 +01:00 · 2022-01-13 15:20:04 +01:00 · fe340192ca
parent b4155bc8fb
commit fe340192ca
13 changed files with 41 additions and 10 deletions
--- a/charts/postgres-operator/crds/operatorconfigurations.yaml
+++ b/charts/postgres-operator/crds/operatorconfigurations.yaml
@ -64,6 +64,9 @@ spec:
              docker_image:
                type: string
                default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p3"
+              enable_crd_registration:
+                type: boolean
+                default: true
              enable_crd_validation:
                type: boolean
                default: true
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@ -40,10 +40,12 @@ rules:
  resources:
  - customresourcedefinitions
  verbs:
-  - create
  - get
+{{- if toString .Values.configGeneral.enable_crd_registration | eq "true" }}
+  - create
  - patch
  - update
+{{- end }}
 # to send events to the CRs
 - apiGroups:
  - ""
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@ -20,6 +20,8 @@ enableJsonLogging: false

 # general configuration parameters
 configGeneral:
+  # the deployment should create/update the CRDs
+  enable_crd_registration: true
  # choose if deployment creates/updates CRDs with OpenAPIV3Validation
  enable_crd_validation: true
  # update only the statefulsets without immediately doing the rolling update
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@ -70,6 +70,10 @@ Variable names are underscore-separated words.

 Those are top-level keys, containing both leaf keys and groups.

+* **enable_crd_registration**
+  Instruct the operator to create/update the CRDs. If disabled the operator will rely on the CRDs being managed separately.
+  The default is `true`.
+
 * **enable_crd_validation**
  toggles if the operator will create or update CRDs with
  [OpenAPI v3 schema validation](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#validation)
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -35,6 +35,7 @@ data:
  docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p3
  # downscaler_annotations: "deployment-time,downscaler/*"
  # enable_admin_role_for_users: "true"
+  # enable_crd_registration: "true"
  # enable_crd_validation: "true"
  # enable_cross_namespace_secret: "false"
  # enable_database_access: "true"
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@ -62,6 +62,9 @@ spec:
              docker_image:
                type: string
                default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p3"
+              enable_crd_registration:
+                type: boolean
+                default: true
              enable_crd_validation:
                type: boolean
                default: true
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@ -4,6 +4,7 @@ metadata:
  name: postgresql-operator-default-configuration
 configuration:
  docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p3
+  # enable_crd_registration: true
  # enable_crd_validation: true
  # enable_lazy_spilo_upgrade: false
  enable_pgversion_env_var: true
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@ -946,6 +946,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 					"docker_image": {
 						Type: "string",
 					},
+					"enable_crd_registration": {
+						Type: "boolean",
+					},
 					"enable_crd_validation": {
 						Type: "boolean",
 					},
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@ -215,6 +215,7 @@ type OperatorLogicalBackupConfiguration struct {

 // OperatorConfigurationData defines the operation config
 type OperatorConfigurationData struct {
+	EnableCRDRegistration      *bool                              `json:"enable_crd_registration,omitempty"`
 	EnableCRDValidation        *bool                              `json:"enable_crd_validation,omitempty"`
 	EnableLazySpiloUpgrade     bool                               `json:"enable_lazy_spilo_upgrade,omitempty"`
 	EnablePgVersionEnvVar      bool                               `json:"enable_pgversion_env_var,omitempty"`
--- a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
@ -367,6 +367,11 @@ func (in *OperatorConfiguration) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OperatorConfigurationData) DeepCopyInto(out *OperatorConfigurationData) {
 	*out = *in
+	if in.EnableCRDRegistration != nil {
+		in, out := &in.EnableCRDRegistration, &out.EnableCRDRegistration
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EnableCRDValidation != nil {
 		in, out := &in.EnableCRDValidation, &out.EnableCRDValidation
 		*out = new(bool)
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -309,9 +309,11 @@ func (c *Controller) initController() {
 	c.controllerID = os.Getenv("CONTROLLER_ID")

 	if configObjectName := os.Getenv("POSTGRES_OPERATOR_CONFIGURATION_OBJECT"); configObjectName != "" {
+		if c.opConfig.EnableCRDRegistration != nil && *c.opConfig.EnableCRDRegistration {
 			if err := c.createConfigurationCRD(c.opConfig.EnableCRDValidation); err != nil {
 				c.logger.Fatalf("could not register Operator Configuration CustomResourceDefinition: %v", err)
 			}
+		}
 		if cfg, err := c.readOperatorConfigurationFromCRD(spec.GetOperatorNamespace(), configObjectName); err != nil {
 			c.logger.Fatalf("unable to read operator configuration: %v", err)
 		} else {
@ -325,9 +327,11 @@ func (c *Controller) initController() {

 	c.modifyConfigFromEnvironment()

+	if c.opConfig.EnableCRDRegistration != nil && *c.opConfig.EnableCRDRegistration {
 		if err := c.createPostgresCRD(c.opConfig.EnableCRDValidation); err != nil {
 			c.logger.Fatalf("could not register Postgres CustomResourceDefinition: %v", err)
 		}
+	}

 	c.initSharedInformers()

--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@ -33,6 +33,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result := &config.Config{}

 	// general config
+	result.EnableCRDRegistration = util.CoalesceBool(fromCRD.EnableCRDRegistration, util.True())
 	result.EnableCRDValidation = util.CoalesceBool(fromCRD.EnableCRDValidation, util.True())
 	result.EnableLazySpiloUpgrade = fromCRD.EnableLazySpiloUpgrade
 	result.EnablePgVersionEnvVar = fromCRD.EnablePgVersionEnvVar
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@ -18,6 +18,7 @@ type CRD struct {
 	ReadyWaitTimeout      time.Duration `name:"ready_wait_timeout" default:"30s"`
 	ResyncPeriod          time.Duration `name:"resync_period" default:"30m"`
 	RepairPeriod          time.Duration `name:"repair_period" default:"5m"`
+	EnableCRDRegistration *bool         `name:"enable_crd_registration" default:"true"`
 	EnableCRDValidation   *bool         `name:"enable_crd_validation" default:"true"`
 }