02-deprecate-service-account

Author: joelanford

api/v1/clusterextension_types.go

@@ -66,14 +66,14 @@ type ClusterExtensionSpec struct {
 	// +required
 	Namespace string `json:"namespace"`
 
-	// serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster
-	// that are required to manage the extension.
-	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
-	// The ServiceAccount must exist in the namespace referenced in the spec.
-	// The serviceAccount field is required.
+	// serviceAccount was previously used to specify a ServiceAccount for managing the extension.
+	// This field is now deprecated and ignored. operator-controller uses its own ServiceAccount
+	// for all Kubernetes API interactions.
 	//
-	// +required
-	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
+	// Deprecated: This field is ignored. It will be removed in a future API version.
+	//
+	// +optional
+	ServiceAccount ServiceAccountReference `json:"serviceAccount,omitzero"`
 
 	// source is required and selects the installation source of content for this ClusterExtension.
 	// Set the sourceType field to perform the selection.
@@ -376,7 +376,10 @@ type CatalogFilter struct {
 	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
 }
 
-// ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension.
+// ServiceAccountReference identifies the serviceAccount used to install a ClusterExtension.
+//
+// Deprecated: This type is deprecated and will be removed in a future API version.
+// operator-controller now uses its own ServiceAccount for all operations.
 type ServiceAccountReference struct {
 	// name is a required, immutable reference to the name of the ServiceAccount used for installation
 	// and management of the content for the package specified in the packageName field.

api/v1/validation_test.go

@@ -23,9 +23,6 @@ func TestValidate(t *testing.T) {
 	}
 	defaultExtensionSpec := func(s *ClusterExtensionSpec) *ClusterExtensionSpec {
 		s.Namespace = "ns"
-		s.ServiceAccount = ServiceAccountReference{
-			Name: "sa",
-		}
 		s.Source = SourceConfig{
 			SourceType: SourceTypeCatalog,
 			Catalog: &CatalogFilter{

applyconfigurations/api/v1/clusterextensionspec.go

@@ -40,6 +40,7 @@ import (
 	"k8s.io/client-go/discovery/cached/memory"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	"pkg.package-operator.run/boxcutter/managedcache"
@@ -59,7 +60,6 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
@@ -630,9 +630,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 	}
 	ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{
 		controllers.HandleFinalizers(c.finalizers),
-		controllers.ValidateClusterExtension(
-			controllers.ServiceAccountValidator(coreClient),
-		),
 		controllers.MigrateStorage(storageMigrator),
 		controllers.RetrieveRevisionStates(revisionStatesGetter),
 		controllers.ResolveBundle(c.resolver, c.mgr.GetClient()),
@@ -662,29 +659,19 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return fmt.Errorf("unable to add tracking cache to manager: %v", err)
 	}
 
-	cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig())
-	if err != nil {
-		return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err)
-	}
-	cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour))
-
-	revisionEngineFactory, err := controllers.NewDefaultRevisionEngineFactory(
+	revisionEngine := controllers.NewRevisionEngine(
 		c.mgr.GetScheme(),
 		trackingCache,
 		discoveryClient,
 		c.mgr.GetRESTMapper(),
 		fieldOwnerPrefix,
-		c.mgr.GetConfig(),
-		cerTokenGetter,
+		c.mgr.GetClient(),
 	)
-	if err != nil {
-		return fmt.Errorf("unable to create revision engine factory: %w", err)
-	}
 
 	if err = (&controllers.ClusterExtensionRevisionReconciler{
-		Client:                c.mgr.GetClient(),
-		RevisionEngineFactory: revisionEngineFactory,
-		TrackingCache:         trackingCache,
+		Client:         c.mgr.GetClient(),
+		RevisionEngine: revisionEngine,
+		TrackingCache:  trackingCache,
 	}).SetupWithManager(c.mgr); err != nil {
 		return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err)
 	}
@@ -696,19 +683,13 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 	if err != nil {
 		return fmt.Errorf("unable to create core client: %w", err)
 	}
-	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
-	clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
-	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
-		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
-	}
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(c.mgr.GetConfig(), c.mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, c.mgr.GetAPIReader(), cfg.systemNamespace)),
 		helmclient.ClientNamespaceMapper(func(obj client.Object) (string, error) {
 			ext := obj.(*ocv1.ClusterExtension)
 			return ext.Spec.Namespace, nil
 		}),
-		helmclient.ClientRestConfigMapper(clientRestConfigMapper),
 	)
 	if err != nil {
 		return fmt.Errorf("unable to create helm action config getter: %w", err)
@@ -727,7 +708,9 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 		preAuth = authorization.NewRBACPreAuthorizer(c.mgr.GetClient())
 	}
 
-	cm := contentmanager.NewManager(clientRestConfigMapper, c.mgr.GetConfig(), c.mgr.GetRESTMapper())
+	cm := contentmanager.NewManager(func(_ context.Context, _ client.Object, cfg *rest.Config) (*rest.Config, error) {
+		return cfg, nil
+	}, c.mgr.GetConfig(), c.mgr.GetRESTMapper())
 	err = c.finalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
 		ext := obj.(*ocv1.ClusterExtension)
 		err := cm.Delete(ext)
@@ -753,9 +736,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 	revisionStatesGetter := &controllers.HelmRevisionStatesGetter{ActionClientGetter: acg}
 	ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{
 		controllers.HandleFinalizers(c.finalizers),
-		controllers.ValidateClusterExtension(
-			controllers.ServiceAccountValidator(coreClient),
-		),
 		controllers.RetrieveRevisionStates(revisionStatesGetter),
 		controllers.ResolveBundle(c.resolver, c.mgr.GetClient()),
 		controllers.UnpackBundle(c.imagePuller, c.imageCache),