Merge branch 'main' into backup/mc/new-config-2

Author: Moritz Clasmeier

internal/deployer/deployer.go

@@ -92,6 +92,10 @@ var (
 	}
 )
 
+const (
+	injectedCABundleConfigMap = "injected-cabundle-stackrox-central-services"
+)
+
 // Deployer is the base deployer for ACS
 type Deployer struct {
 	// Influencing roxies mode of operation.
@@ -202,6 +206,9 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
 		{Name: "central-db-backup", Kind: "pvc", OwnerName: centralCrName},
 		{Name: "admin-password", Kind: "secret"},
 		{Name: "scanner-db-password", Kind: "secret", OwnerName: centralCrName},
+		// In case the Cluster Network Operator has succeeded in re-creating the injectedCABundleConfigMap
+		// after our operator has already deleted it.
+		{Name: injectedCABundleConfigMap, Kind: "configmap"},
 	} {
 		d.logger.Dimf("Attempting to delete %s/%s", resource.Kind, resource.Name)
 		if resource.OwnerName != "" {
@@ -241,11 +248,7 @@ func (d *Deployer) preventOtherControllersFromReconciling(ctx context.Context) e
 }
 
 func (d *Deployer) preventCABundleInjection(ctx context.Context) error {
-	configMapName := "injected-cabundle-stackrox-central-services"
-
-	if !d.doesResourceExist(ctx, "configmap", configMapName, d.config.Central.Namespace) {
-		return nil
-	}
+	configMapName := injectedCABundleConfigMap
 
 	d.logger.Info("Removing CNO label from injected-cabundle ConfigMap to prevent CNO from injecting the CA bundle during cleanup")
 	_, err := d.runKubectl(ctx, k8s.KubectlOptions{

internal/deployer/operator_olm.go

@@ -72,26 +72,46 @@ func (d *Deployer) deployOperatorViaOLM(ctx context.Context) error {
 	return nil
 }
 
-// checkOLMInstalled checks if OLM is installed in the cluster.
+// checkOLMInstalled checks if OLM is installed in the cluster by verifying
+// the API server is ready to serve the required OLM resource types.
 func (d *Deployer) checkOLMInstalled(ctx context.Context) error {
-	// Check for OLM CRDs
-	requiredCRDs := []string{
+	requiredResources := []string{
 		"catalogsources.operators.coreos.com",
 		"subscriptions.operators.coreos.com",
 		"installplans.operators.coreos.com",
 		"clusterserviceversions.operators.coreos.com",
 	}
 
-	for _, crd := range requiredCRDs {
-		// TODO(ROX-34499): actually this is not the right way to check whether it's safe to create a resource of a given kind.
-		// A CRD can be present, but still being loaded or end up not accepted by the API server.
-		// Instead we should use the `kubectl api-resources` subcommand which exposes the status we're looking for.
-		_, err := d.runKubectl(ctx, k8s.KubectlOptions{
-			Args: []string{"get", "crd", crd},
-		})
-		if err != nil {
-			return fmt.Errorf("OLM not installed: CRD %s not found. Please install OLM first", crd)
+	result, err := d.runKubectl(ctx, k8s.KubectlOptions{
+		Args: []string{"api-resources", "--api-group=operators.coreos.com", "-o", "name"},
+	})
+	if err != nil {
+		if result.Stderr != "" {
+			d.logger.Error("kubectl stderr:")
+			for stderrLine := range strings.SplitSeq(result.Stderr, "\n") {
+				d.logger.Errorf("stderr: %s", stderrLine)
+			}
+		}
+		return fmt.Errorf("failed to query api-group operators.coreos.com: %w", err)
+	}
+
+	available := make(map[string]bool)
+	for line := range strings.SplitSeq(strings.TrimSpace(result.Stdout), "\n") {
+		name := strings.TrimSpace(line)
+		available[name] = true
+	}
+
+	var missingResources []string
+	for _, resource := range requiredResources {
+		if !available[resource] {
+			missingResources = append(missingResources, resource)
+		}
+	}
+	if len(missingResources) > 0 {
+		for _, resource := range missingResources {
+			d.logger.Errorf("OLM resource not served by the API server: %s", resource)
 		}
+		return fmt.Errorf("OLM is not properly installed, %d required resource(s) missing", len(missingResources))
 	}
 
 	d.logger.Success("✓ OLM detected in cluster")