refactoring (and more changes in the copied kubernetes code)

Author: joelanford

Makefile

@@ -136,7 +136,6 @@ manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole,
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./catalogd/api/..."
 
 .PHONY: verify
 verify: tidy fmt generate manifests crd-ref-docs #HELP Verify all generated code is up-to-date.

api/v1/clusterextension_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1
 
 import (
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -454,6 +455,8 @@ type ClusterExtensionStatus struct {
 	//
 	// +optional
 	Install *ClusterExtensionInstallStatus `json:"install,omitempty"`
+
+	MissingRules map[string][]rbacv1.PolicyRule `json:"missingRules,omitempty"`
 }
 
 // ClusterExtensionInstallStatus is a representation of the status of the identified bundle.

cmd/operator-controller/main.go

@@ -415,9 +415,7 @@ func run() error {
 	helmApplier := &applier.Helm{
 		ActionClientGetter: acg,
 		Preflights:         preflights,
-		Authorizer:         authorization.NewRBACAuthorizer(mgr.GetClient()),
-		RuleResolver:       authorization.NewRBACRulesResolver(mgr.GetClient()),
-		RestMapper:         mgr.GetRESTMapper(),
+		PreAuthorizer:      authorization.NewRBACPreAuthorizer(mgr.GetClient()),
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -581,6 +581,58 @@ spec:
                 required:
                 - bundle
                 type: object
+              missingRules:
+                additionalProperties:
+                  items:
+                    description: |-
+                      PolicyRule holds information that describes a policy rule, but does not contain information
+                      about who the rule applies to or which namespace the rule applies to.
+                    properties:
+                      apiGroups:
+                        description: |-
+                          APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                          the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      nonResourceURLs:
+                        description: |-
+                          NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                          Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                          Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      resourceNames:
+                        description: ResourceNames is an optional white list of names
+                          that the rule applies to.  An empty set means that everything
+                          is allowed.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      resources:
+                        description: Resources is a list of resources this rule applies
+                          to. '*' represents all resources.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      verbs:
+                        description: Verbs is a list of Verbs that apply to ALL the
+                          ResourceKinds contained in this rule. '*' represents all
+                          verbs.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                    required:
+                    - verbs
+                    type: object
+                  type: array
+                type: object
             type: object
         type: object
     served: true

config/samples/crb.yaml

@@ -276,8 +276,6 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
   name: argocd
-  annotations:
-    rev: "1"
 spec:
   namespace: argocd
   serviceAccount: