Add migration from helm to boxcutter revision

Author: thetechnick

api/v1/clusterextensionrevision_types.go

@@ -66,8 +66,27 @@ type ClusterExtensionRevisionObject struct {
 	// +kubebuilder:validation:EmbeddedResource
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Object unstructured.Unstructured `json:"object"`
+
+	CollisionProtection CollisionProtection `json:"collisionProtection"`
 }
 
+// CollisionProtection specifies if and how ownership collisions are prevented.
+type CollisionProtection string
+
+const (
+	// CollisionProtectionPrevent prevents owner collisions entirely
+	// by only allowing to work with objects itself has created.
+	CollisionProtectionPrevent CollisionProtection = "Prevent"
+	// CollisionProtectionIfNoController allows to patch and override
+	// objects already present if they are not owned by another controller.
+	CollisionProtectionIfNoController CollisionProtection = "IfNoController"
+	// CollisionProtectionNone allows to patch and override objects
+	// already present and owned by other controllers.
+	// Be careful! This setting may cause multiple controllers to fight over a resource,
+	// causing load on the API server and etcd.
+	CollisionProtectionNone CollisionProtection = "None"
+)
+
 type ClusterExtensionRevisionPrevious struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`

cmd/operator-controller/main.go

@@ -489,6 +489,28 @@ func getCertificateProvider() render.CertificateProvider {
 func setupBoxcutter(mgr manager.Manager, ceReconciler *controllers.ClusterExtensionReconciler, preflights []applier.Preflight) error {
 	certProvider := getCertificateProvider()
 
+	coreClient, err := corev1client.NewForConfig(mgr.GetConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create core client: %w", err)
+	}
+	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
+		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, mgr.GetAPIReader(), cfg.systemNamespace)),
+		helmclient.ClientNamespaceMapper(func(obj client.Object) (string, error) {
+			ext := obj.(*ocv1.ClusterExtension)
+			return ext.Spec.Namespace, nil
+		}),
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create helm action config getter: %w", err)
+	}
+
+	acg, err := action.NewWrappedActionClientGetter(cfgGetter,
+		helmclient.WithFailureRollbacks(false),
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create helm action client getter: %w", err)
+	}
+
 	// TODO: add support for preflight checks
 	// TODO: better scheme handling - which types do we want to support?
 	_ = apiextensionsv1.AddToScheme(mgr.GetScheme())
@@ -502,7 +524,8 @@ func setupBoxcutter(mgr manager.Manager, ceReconciler *controllers.ClusterExtens
 				CertificateProvider: certProvider,
 			},
 		},
-		Preflights: preflights,
+		Preflights:         preflights,
+		ActionClientGetter: acg,
 	}
 	ceReconciler.RevisionStatesGetter = &controllers.BoxcutterRevisionStatesGetter{Reader: mgr.GetClient()}
 

internal/operator-controller/applier/boxcutter.go

@@ -10,17 +10,23 @@ import (
 	"hash"
 	"io/fs"
 	"maps"
+	"regexp"
 	"slices"
+	"strings"
 
 	"github.com/davecgh/go-spew/spew"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/storage/driver"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/yaml"
 
+	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/controllers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
@@ -33,13 +39,57 @@ const (
 
 type ClusterExtensionRevisionGenerator interface {
 	GenerateRevision(bundleFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotations map[string]string) (*ocv1.ClusterExtensionRevision, error)
+	GenerateRevisionFromHelmRelease(
+		helmRelease *release.Release, ext *ocv1.ClusterExtension,
+		objectLabels, revisionAnnotations map[string]string,
+	) (*ocv1.ClusterExtensionRevision, error)
 }
 
 type SimpleRevisionGenerator struct {
 	Scheme         *runtime.Scheme
 	BundleRenderer BundleRenderer
 }
 
+func (r *SimpleRevisionGenerator) GenerateRevisionFromHelmRelease(
+	helmRelease *release.Release, ext *ocv1.ClusterExtension,
+	objectLabels, revisionAnnotations map[string]string,
+) (*ocv1.ClusterExtensionRevision, error) {
+	docs := splitYAMLDocuments(helmRelease.Manifest)
+	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(docs))
+	for _, doc := range docs {
+		obj := unstructured.Unstructured{}
+		if err := yaml.Unmarshal([]byte(doc), &obj); err != nil {
+			return nil, err
+		}
+
+		labels := maps.Clone(obj.GetLabels())
+		if labels == nil {
+			labels = map[string]string{}
+		}
+		maps.Copy(labels, objectLabels)
+		obj.SetLabels(labels)
+
+		objs = append(objs, ocv1.ClusterExtensionRevisionObject{Object: obj})
+	}
+
+	if revisionAnnotations == nil {
+		revisionAnnotations = map[string]string{}
+	}
+
+	// Build desired revision
+	return &ocv1.ClusterExtensionRevision{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: revisionAnnotations,
+			Labels: map[string]string{
+				controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
+			},
+		},
+		Spec: ocv1.ClusterExtensionRevisionSpec{
+			Phases: PhaseSort(objs),
+		},
+	}, nil
+}
+
 func (r *SimpleRevisionGenerator) GenerateRevision(bundleFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotations map[string]string) (*ocv1.ClusterExtensionRevision, error) {
 	// extract plain manifests
 	plain, err := r.BundleRenderer.Render(bundleFS, ext)
@@ -50,14 +100,12 @@ func (r *SimpleRevisionGenerator) GenerateRevision(bundleFS fs.FS, ext *ocv1.Clu
 	// objectLabels
 	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(plain))
 	for _, obj := range plain {
-		if len(obj.GetLabels()) > 0 {
-			labels := maps.Clone(obj.GetLabels())
-			if labels == nil {
-				labels = map[string]string{}
-			}
-			maps.Copy(labels, objectLabels)
-			obj.SetLabels(labels)
+		labels := maps.Clone(obj.GetLabels())
+		if labels == nil {
+			labels = map[string]string{}
 		}
+		maps.Copy(labels, objectLabels)
+		obj.SetLabels(labels)
 
 		gvk, err := apiutil.GVKForObject(obj, r.Scheme)
 		if err != nil {
@@ -99,6 +147,13 @@ type Boxcutter struct {
 	Scheme            *runtime.Scheme
 	RevisionGenerator ClusterExtensionRevisionGenerator
 	Preflights        []Preflight
+
+	// For Migration:
+	ActionClientGetter helmclient.ActionClientGetter
+}
+
+type helmReleaseGetter interface {
+	Get(name string, opts ...helmclient.GetOption) (*release.Release, error)
 }
 
 func (bc *Boxcutter) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotations map[string]string) (bool, string, error) {
@@ -145,6 +200,20 @@ func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust
 		state = StateNeedsUpgrade
 	}
 
+	if currentRevision == nil && len(existingRevisions) == 0 {
+		// Helm Migration
+		// There are no existing revisions, so maybe we have used the Helm Applier in the past.
+		// Check if there is a Helm Release on for the ClusterExtension and migrate it into an existing revision.
+		rev, ok, err := bc.migrateFromHelm(ctx, ext, objectLabels, revisionAnnotations)
+		if err != nil {
+			return false, "", err
+		}
+
+		if ok {
+			desiredRevision = rev
+		}
+	}
+
 	// Preflights
 	plainObjs := bc.getObjects(desiredRevision)
 	for _, preflight := range bc.Preflights {
@@ -216,6 +285,43 @@ func (bc *Boxcutter) apply(ctx context.Context, contentFS fs.FS, ext *ocv1.Clust
 	return true, "", nil
 }
 
+func (bc *Boxcutter) migrateFromHelm(
+	ctx context.Context, ext *ocv1.ClusterExtension,
+	objectLabels, revisionAnnotations map[string]string,
+) (
+	*ocv1.ClusterExtensionRevision, bool, error,
+) {
+	ac, err := bc.ActionClientGetter.ActionClientFor(ctx, ext)
+	if err != nil {
+		return nil, false, err
+	}
+
+	helmRelease, err := ac.Get(ext.GetName())
+	if errors.Is(err, driver.ErrReleaseNotFound) {
+		// no Helm Release -> no prior installation.
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+
+	docs := splitYAMLDocuments(helmRelease.Manifest)
+	objs := make([]unstructured.Unstructured, 0, len(docs))
+	for _, doc := range docs {
+		obj := unstructured.Unstructured{}
+		if err := yaml.Unmarshal([]byte(doc), &obj); err != nil {
+			return nil, false, err
+		}
+		objs = append(objs, obj)
+	}
+
+	rev, err := bc.RevisionGenerator.GenerateRevisionFromHelmRelease(helmRelease, ext, objectLabels, revisionAnnotations)
+	if err != nil {
+		return nil, false, err
+	}
+	return rev, true, nil
+}
+
 // getExistingRevisions returns the list of ClusterExtensionRevisions for a ClusterExtension with name extName in revision order (oldest to newest)
 func (bc *Boxcutter) getExistingRevisions(ctx context.Context, extName string) ([]ocv1.ClusterExtensionRevision, error) {
 	existingRevisionList := &ocv1.ClusterExtensionRevisionList{}
@@ -289,3 +395,13 @@ func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExten
 	}
 	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }
+
+var splitYAMLDocumentsRegEx = regexp.MustCompile(`(?m)^---$`)
+
+// Splits a YAML file into multiple documents.
+func splitYAMLDocuments(file string) (docs []string) {
+	for _, yamlDocument := range splitYAMLDocumentsRegEx.Split(string(strings.Trim(file, "---\n")), -1) {
+		docs = append(docs, strings.TrimSpace(string(yamlDocument)))
+	}
+	return docs
+}

internal/operator-controller/applier/boxcutter_test.go

@@ -10,6 +10,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/storage/driver"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -268,7 +270,7 @@ func TestBoxcutter_Apply(t *testing.T) {
 			UID:  "test-uid",
 		},
 	}
-	defaultDesiredHash := "faaeb52a1cb7c968c96278bc1cd804e50d3ae9faae08807c9279a5e569933ea0"
+	defaultDesiredHash := "347b93565df45eb39cc8a7f158d66163da553b78ed5ac89f4b300372db1942a6"
 	defaultDesiredRevision := &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-ext-1",
@@ -460,7 +462,7 @@ func TestBoxcutter_Apply(t *testing.T) {
 
 				assert.Equal(t, "test-ext-2", newRev.Name)
 				assert.Equal(t, int64(2), newRev.Spec.Revision)
-				assert.Equal(t, "ec8213d4061a75b55cd67a009d9cdeb1bdd6f503d4b3bb7b6cfea3a5233aad43", newRev.Annotations[applier.RevisionHashAnnotation])
+				assert.Equal(t, "6f681b6990c9939556392d2be3eb9389dd71e84fa051773a9aaf8cf8b34ff5b6", newRev.Annotations[applier.RevisionHashAnnotation])
 				require.Len(t, newRev.Spec.Previous, 1)
 				assert.Equal(t, "test-ext-1", newRev.Spec.Previous[0].Name)
 				assert.Equal(t, types.UID("rev-uid-1"), newRev.Spec.Previous[0].UID)
@@ -493,6 +495,9 @@ func TestBoxcutter_Apply(t *testing.T) {
 				Client:            fakeClient,
 				Scheme:            testScheme,
 				RevisionGenerator: tc.mockBuilder,
+				ActionClientGetter: &mockActionGetter{
+					getClientErr: driver.ErrReleaseNotFound,
+				},
 			}
 
 			// We need a dummy fs.FS
@@ -534,6 +539,13 @@ func (m *mockBundleRevisionBuilder) GenerateRevision(bundleFS fs.FS, ext *ocv1.C
 	return m.makeRevisionFunc(bundleFS, ext, objectLabels, revisionAnnotations)
 }
 
+func (m *mockBundleRevisionBuilder) GenerateRevisionFromHelmRelease(
+	helmRelease *release.Release, ext *ocv1.ClusterExtension,
+	objectLabels, revisionAnnotations map[string]string,
+) (*ocv1.ClusterExtensionRevision, error) {
+	return nil, nil
+}
+
 type mockBundleRenderer func(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error)
 
 func (f mockBundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -362,28 +362,6 @@ func (c *ClusterExtensionRevisionReconciler) removeFinalizer(ctx context.Context
 }
 
 func toBoxcutterRevision(rev *ocv1.ClusterExtensionRevision) (*boxcutter.Revision, []boxcutter.RevisionReconcileOption, []client.Object) {
-	r := &boxcutter.Revision{
-		Name:     rev.Name,
-		Owner:    rev,
-		Revision: rev.Spec.Revision,
-	}
-	for _, specPhase := range rev.Spec.Phases {
-		phase := boxcutter.Phase{Name: specPhase.Name}
-		for _, specObj := range specPhase.Objects {
-			obj := specObj.Object
-
-			labels := obj.GetLabels()
-			if labels == nil {
-				labels = map[string]string{}
-			}
-			labels[ClusterExtensionRevisionOwnerLabel] = rev.Labels[ClusterExtensionRevisionOwnerLabel]
-			obj.SetLabels(labels)
-
-			phase.Objects = append(phase.Objects, obj)
-		}
-		r.Phases = append(r.Phases, phase)
-	}
-
 	previous := make([]client.Object, 0, len(rev.Spec.Previous))
 	for _, specPrevious := range rev.Spec.Previous {
 		prev := &unstructured.Unstructured{}
@@ -421,6 +399,35 @@ func toBoxcutterRevision(rev *ocv1.ClusterExtensionRevision) (*boxcutter.Revisio
 			return false, []string{"not available or not fully updated"}
 		})),
 	}
+
+	r := &boxcutter.Revision{
+		Name:     rev.Name,
+		Owner:    rev,
+		Revision: rev.Spec.Revision,
+	}
+	for _, specPhase := range rev.Spec.Phases {
+		phase := boxcutter.Phase{Name: specPhase.Name}
+		for _, specObj := range specPhase.Objects {
+			obj := specObj.Object
+
+			labels := obj.GetLabels()
+			if labels == nil {
+				labels = map[string]string{}
+			}
+			labels[ClusterExtensionRevisionOwnerLabel] = rev.Labels[ClusterExtensionRevisionOwnerLabel]
+			obj.SetLabels(labels)
+
+			switch specObj.CollisionProtection {
+			case ocv1.CollisionProtectionIfNoController, ocv1.CollisionProtectionNone:
+				opts = append(opts, boxcutter.WithObjectReconcileOptions(
+					&obj, boxcutter.WithCollisionProtection(specObj.CollisionProtection)))
+			}
+
+			phase.Objects = append(phase.Objects, obj)
+		}
+		r.Phases = append(r.Phases, phase)
+	}
+
 	if rev.Spec.LifecycleState == ocv1.ClusterExtensionRevisionLifecycleStatePaused {
 		opts = append(opts, boxcutter.WithPaused{})
 	}