Merge branch 'main' into backup/mc/new-config-2

Moritz Clasmeier · Moritz Clasmeier · commit 5bcd644d6354 · 2026-05-11T14:02:11.000+02:00
diff --git a/internal/deployer/deployer.go b/internal/deployer/deployer.go
@@ -90,10 +90,10 @@ var (
 		"storageclasses",
 		"validatingwebhookconfigurations",
 	}
-)
 
-const (
-	injectedCABundleConfigMap = "injected-cabundle-stackrox-central-services"
+	injectedCABundleConfigMapPrefix         = "injected-cabundle-"
+	injectedCABundleConfigMapCentral        = injectedCABundleConfigMapPrefix + centralCrName
+	injectedCABundleConfigMapSecuredCluster = injectedCABundleConfigMapPrefix + securedClusterCrName
 )
 
 // Deployer is the base deployer for ACS
@@ -189,14 +189,13 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
 	// Pause reconciliation for other controllers, not just our RHACS operator.
 	// This is needed to ensure that there is no race causing the Cluster Network Operator
 	// to re-create the injected-ca-bundle ConfigMap during resource deletion.
-	err := d.preventOtherControllersFromReconciling(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to prevent other controllers from reconciling: %w", err)
+	if err := d.preventOtherControllersFromReconciling(ctx, component.Central); err != nil {
+		return fmt.Errorf("failed to prevent other controllers from reconciling Central resources: %w", err)
 	}
 
 	// Delete other resources by brute force.
 	resourceKinds := d.filterResourceKinds(allInstallableCentralResourceKinds)
-	err = d.deleteResources(ctx, d.config.Central.Namespace, resourceKinds, "-l=app.kubernetes.io/part-of=stackrox-central-services")
+	err := d.deleteResources(ctx, d.config.Central.Namespace, resourceKinds, "-l=app.kubernetes.io/part-of=stackrox-central-services")
 	if err != nil {
 		return err
 	}
@@ -206,9 +205,9 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
 		{Name: "central-db-backup", Kind: "pvc", OwnerName: centralCrName},
 		{Name: "admin-password", Kind: "secret"},
 		{Name: "scanner-db-password", Kind: "secret", OwnerName: centralCrName},
-		// In case the Cluster Network Operator has succeeded in re-creating the injectedCABundleConfigMap
+		// In case the Cluster Network Operator has succeeded in re-creating the injected-cabundle configmap
 		// after our operator has already deleted it.
-		{Name: injectedCABundleConfigMap, Kind: "configmap"},
+		{Name: injectedCABundleConfigMapCentral, Kind: "configmap"},
 	} {
 		d.logger.Dimf("Attempting to delete %s/%s", resource.Kind, resource.Name)
 		if resource.OwnerName != "" {
@@ -243,17 +242,22 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
 	return nil
 }
 
-func (d *Deployer) preventOtherControllersFromReconciling(ctx context.Context) error {
-	return d.preventCABundleInjection(ctx)
+func (d *Deployer) preventOtherControllersFromReconciling(ctx context.Context, comp component.Component) error {
+	switch comp {
+	case component.Central:
+		return d.preventCABundleInjection(ctx, injectedCABundleConfigMapCentral, d.config.Central.Namespace)
+	case component.SecuredCluster:
+		return d.preventCABundleInjection(ctx, injectedCABundleConfigMapSecuredCluster, d.config.SecuredCluster.Namespace)
+	default:
+		return nil
+	}
 }
 
-func (d *Deployer) preventCABundleInjection(ctx context.Context) error {
-	configMapName := injectedCABundleConfigMap
-
+func (d *Deployer) preventCABundleInjection(ctx context.Context, configMapName, namespace string) error {
 	d.logger.Info("Removing CNO label from injected-cabundle ConfigMap to prevent CNO from injecting the CA bundle during cleanup")
 	_, err := d.runKubectl(ctx, k8s.KubectlOptions{
 		Args: []string{
-			"label", "configmap", configMapName, "-n", d.config.Central.Namespace,
+			"label", "configmap", configMapName, "-n", namespace,
 			"config.openshift.io/inject-trusted-cabundle-",
 		},
 		IgnoreErrors: true,
@@ -285,6 +289,13 @@ func (d *Deployer) deleteSecuredClusterResources(ctx context.Context, wait bool)
 		}
 	}
 
+	// Pause reconciliation for other controllers, not just our RHACS operator.
+	// This is needed to ensure that there is no race causing the Cluster Network Operator
+	// to re-create the injected-ca-bundle ConfigMap during resource deletion.
+	if err := d.preventOtherControllersFromReconciling(ctx, component.SecuredCluster); err != nil {
+		return fmt.Errorf("failed to prevent other controllers from reconciling SecuredCluster resources: %w", err)
+	}
+
 	// In the meantime, delete other resources by brute force.
 	resourceKinds := d.filterResourceKinds(allInstallableSecuredClusterResourceKinds)
 	err := d.deleteResources(ctx, d.config.SecuredCluster.Namespace, resourceKinds, "-l=app.kubernetes.io/part-of=stackrox-secured-cluster-services")
@@ -297,6 +308,9 @@ func (d *Deployer) deleteSecuredClusterResources(ctx context.Context, wait bool)
 		// We need to make sure that don't accidentally delete a scanner-db-password belonging to the central CR,
 		// when both are deployed into the same namespace.
 		{Name: "scanner-db-password", Kind: "secret", OwnerName: securedClusterCrName},
+		// In case the Cluster Network Operator has succeeded in re-creating the injected-cabundle configmap
+		// after our operator has already deleted it.
+		{Name: injectedCABundleConfigMapSecuredCluster, Kind: "configmap"},
 	} {
 		d.logger.Dimf("Attempting to delete %s/%s", resource.Kind, resource.Name)
 		if resource.OwnerName != "" {
diff --git a/internal/deployer/operator_olm.go b/internal/deployer/operator_olm.go
@@ -127,13 +127,6 @@ func (d *Deployer) getOperatorIndexImage() string {
 func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) error {
 	d.logger.Info("Creating CatalogSource...")
 
-	// Check if CatalogSource CRD supports securityContextConfig (OCP 4.14+).
-	hasSecurityContextConfig, err := d.catalogSourceSupportsSecurityContextConfig(ctx)
-	if err != nil {
-		d.logger.Warning("Could not check CatalogSource CRD capabilities, proceeding without securityContextConfig")
-		hasSecurityContextConfig = false
-	}
-
 	catalogSource := map[string]interface{}{
 		"apiVersion": "operators.coreos.com/v1alpha1",
 		"kind":       "CatalogSource",
@@ -145,24 +138,21 @@ func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) e
 			"sourceType":  "grpc",
 			"image":       indexImage,
 			"displayName": "StackRox Operator Index",
+			"grpcPodConfig": map[string]interface{}{
+				"securityContextConfig": "restricted",
+			},
 		},
 	}
 
-	// TODO(ROX-34499): Add security context config if supported.
-	if hasSecurityContextConfig {
-		spec := catalogSource["spec"].(map[string]interface{})
-		spec["grpcPodConfig"] = map[string]interface{}{
-			"securityContextConfig": "restricted",
-		}
-	}
-
 	yamlData, err := yaml.Marshal(catalogSource)
 	if err != nil {
 		return fmt.Errorf("failed to marshal CatalogSource: %w", err)
 	}
 
 	_, err = d.runKubectl(ctx, k8s.KubectlOptions{
-		Args:  []string{"apply", "-f", "-"},
+		// Apply with --validate=ignore because securityContextConfig may not
+		// be in the CatalogSource CRD schema.
+		Args:  []string{"apply", "--validate=ignore", "-f", "-"},
 		Stdin: bytes.NewReader(yamlData),
 	})
 	if err != nil {
@@ -173,20 +163,6 @@ func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) e
 	return nil
 }
 
-// catalogSourceSupportsSecurityContextConfig checks if the CatalogSource CRD supports securityContextConfig.
-func (d *Deployer) catalogSourceSupportsSecurityContextConfig(ctx context.Context) (bool, error) {
-	result, err := d.runKubectl(ctx, k8s.KubectlOptions{
-		Args: []string{"get", "crd", "catalogsources.operators.coreos.com", "-o", "yaml"},
-	})
-	if err != nil {
-		return false, err
-	}
-
-	// TODO(ROX-34499): this is overly optimistic and would incorrectly succeed if an api version
-	// that contains this had "serving: false"
-	return strings.Contains(result.Stdout, "securityContextConfig"), nil
-}
-
 // createOperatorGroup creates the OperatorGroup.
 func (d *Deployer) createOperatorGroup(ctx context.Context) error {
 	d.logger.Info("Creating OperatorGroup...")
