Add initial version of managed-velero-operator

Author: cblecker

Makefile

@@ -12,3 +12,8 @@ default: gobuild
 
 .PHONY: docker-build
 docker-build: build
+
+.PHONY: generate
+generate:
+	operator-sdk generate k8s
+	operator-sdk generate openapi

build/Dockerfile

@@ -1,4 +1,9 @@
 FROM registry.svc.ci.openshift.org/openshift/release:golang-1.12 AS builder
+
+# Allow specifying a GOPROXY cache during build to speed up dependency resolution
+ARG GOPROXY
+ENV GOPROXY=$GOPROXY
+
 ENV OPERATOR_PATH=/go/src/github.com/openshift/managed-velero-operator
 COPY . ${OPERATOR_PATH}
 WORKDIR ${OPERATOR_PATH}
@@ -23,4 +28,4 @@ ENTRYPOINT ["/usr/local/bin/entrypoint"]
 USER ${USER_UID}
 
 LABEL io.openshift.managed.name="managed-velero-operator" \
-      io.openshift.managed.description="Operator to manage installation of Velero in OpenShift Managed environments"
+      io.openshift.managed.description="Operator to manage installation of Velero in managed OpenShift environments"

cmd/manager/main.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/openshift/managed-velero-operator/pkg/apis"
 	"github.com/openshift/managed-velero-operator/pkg/controller"
+	"github.com/openshift/managed-velero-operator/pkg/util/platform"
+	"github.com/openshift/managed-velero-operator/version"
 
 	"github.com/operator-framework/operator-sdk/pkg/k8sutil"
 	kubemetrics "github.com/operator-framework/operator-sdk/pkg/kube-metrics"
@@ -24,10 +26,16 @@ import (
 	"github.com/spf13/pflag"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
 	"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
+
+	velerov1 "github.com/heptio/velero/pkg/apis/velero/v1"
+	configv1 "github.com/openshift/api/config/v1"
+	minterv1 "github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1"
+	apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 )
 
 // Change below variables to serve metrics on different host or port.
@@ -36,7 +44,13 @@ var (
 	metricsPort         int32 = 8383
 	operatorMetricsPort int32 = 8686
 )
-var log = logf.Log.WithName("cmd")
+
+var log = logf.Log.WithName(version.OperatorName)
+
+const ManagedVeleroOperatorNamespace = "openshift-velero"
+
+// supportedPlatforms is the list of platform supported by the operator
+var supportedPlatforms = []configv1.PlatformType{configv1.AWSPlatformType}
 
 func printVersion() {
 	log.Info(fmt.Sprintf("Go Version: %s", runtime.Version()))
@@ -67,9 +81,16 @@ func main() {
 
 	printVersion()
 
-	namespace, err := k8sutil.GetWatchNamespace()
+	namespace, err := k8sutil.GetOperatorNamespace()
 	if err != nil {
-		log.Error(err, "Failed to get watch namespace")
+		log.Error(err, "Failed to get operator namespace")
+		os.Exit(1)
+	}
+
+	// The operator makes assumptions about the namespace to configure Velero in.
+	// If the operator is deployed in a different namespace than expected, error.
+	if namespace != ManagedVeleroOperatorNamespace {
+		log.Error(fmt.Errorf("unexpected operator namespace: expected %s, got %s", ManagedVeleroOperatorNamespace, namespace), "")
 		os.Exit(1)
 	}
 
@@ -107,6 +128,49 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Add Custom Resource apis to scheme
+	if err := apiextv1beta1.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Add OpenShift config apis to scheme
+	if err := configv1.Install(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Add Cloud Credential apis to scheme
+	if err := minterv1.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Add Velero apis to scheme
+	if err := velerov1.SchemeBuilder.AddToScheme(mgr.GetScheme()); err != nil {
+		log.Error(err, "")
+		os.Exit(1)
+	}
+
+	// Grab platform status to determine where OpenShift is installed
+	platformClient, err := crclient.New(cfg, crclient.Options{Scheme: mgr.GetScheme()})
+	if err != nil {
+		log.Error(err, "Unable to create platform client")
+		os.Exit(1)
+	}
+	platformStatus, err := platform.GetPlatformStatus(platformClient)
+	if err != nil {
+		log.Error(err, "Failed to retrieve platform status")
+		os.Exit(1)
+	}
+
+	// Verify platform is in support platforms list.
+	// TODO: expand support to other platforms
+	if !platform.IsPlatformSupported(platformStatus.Type, supportedPlatforms) {
+		log.Error(fmt.Errorf("expected %v got %v", supportedPlatforms, platformStatus.Type), "Unsupported platform")
+		os.Exit(1)
+	}
+
 	// Setup all Controllers
 	if err := controller.AddToManager(mgr); err != nil {
 		log.Error(err, "")

deploy/cluster_role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: managed-velero-operator
+  namespace: openshift-velero
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - infrastructures
+  verbs:
+  - get
+  - list
+  - watch

deploy/cluster_role_binding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: managed-velero-operator
+  namespace: openshift-velero
+subjects:
+- kind: ServiceAccount
+  name: managed-velero-operator
+  namespace: openshift-velero
+roleRef:
+  kind: ClusterRole
+  name: managed-velero-operator
+  apiGroup: rbac.authorization.k8s.io

deploy/crds/managed_v1alpha1_velero_cr.yaml

@@ -0,0 +1,5 @@
+apiVersion: managed.openshift.io/v1alpha1
+kind: Velero
+metadata:
+  name: cluster
+  namespace: openshift-velero

deploy/crds/managed_v1alpha1_velero_crd.yaml

@@ -0,0 +1,72 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: veleros.managed.openshift.io
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.s3Bucket.name
+    description: Name of the S3 bucket
+    name: Bucket
+    type: string
+  - JSONPath: .status.s3Bucket.provisioned
+    description: Has the S3 bucket been successfully provisioned
+    name: Provisioned
+    type: boolean
+  - JSONPath: .status.s3Bucket.lastSyncTimestamp
+    name: Last Sync
+    type: date
+  group: managed.openshift.io
+  names:
+    kind: Velero
+    listKind: VeleroList
+    plural: veleros
+    singular: velero
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          type: object
+        status:
+          properties:
+            s3Bucket:
+              description: S3Bucket contains details of the S3 storage bucket for
+                backups
+              properties:
+                lastSyncTimestamp:
+                  description: LastSyncTimestamp is the time that the bucket policy
+                    was last synced.
+                  format: date-time
+                  type: string
+                name:
+                  description: Name is the name of the S3 bucket created to store
+                    Velero backup details
+                  maxLength: 63
+                  type: string
+                provisioned:
+                  description: Provisioned is true once the bucket has been initially
+                    provisioned.
+                  type: boolean
+              required:
+              - provisioned
+              type: object
+          type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true

deploy/credential_request.yaml

@@ -0,0 +1,22 @@
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: managed-velero-operator-iam-credentials
+  namespace: openshift-velero
+spec:
+  secretRef:
+    name: managed-velero-operator-iam-credentials
+    namespace: openshift-velero
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - effect: Allow
+      action:
+      - s3:CreateBucket
+      - s3:ListBucket
+      - s3:PutBucketAcl
+      - s3:PutBucketPublicAccessBlock
+      - s3:PutEncryptionConfiguration
+      - s3:PutLifecycleConfiguration
+      resource: "*"

deploy/operator.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: managed-velero-operator
+  namespace: openshift-velero
 spec:
   replicas: 1
   selector:
@@ -21,10 +22,6 @@ spec:
           - managed-velero-operator
           imagePullPolicy: Always
           env:
-            - name: WATCH_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
             - name: POD_NAME
               valueFrom:
                 fieldRef:

deploy/role.yaml

@@ -1,7 +1,9 @@
-kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
+  creationTimestamp: null
   name: managed-velero-operator
+  namespace: openshift-velero
 rules:
 - apiGroups:
   - ""
@@ -15,7 +17,7 @@ rules:
   - configmaps
   - secrets
   verbs:
-  - "*"
+  - '*'
 - apiGroups:
   - apps
   resources:
@@ -24,22 +26,22 @@ rules:
   - replicasets
   - statefulsets
   verbs:
-  - "*"
+  - '*'
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
-  - "get"
-  - "create"
+  - get
+  - create
 - apiGroups:
   - apps
-  resources:
-  - deployments/finalizers
   resourceNames:
   - managed-velero-operator
+  resources:
+  - deployments/finalizers
   verbs:
-  - "update"
+  - update
 - apiGroups:
   - ""
   resources:
@@ -52,3 +54,23 @@ rules:
   - replicasets
   verbs:
   - get
+- apiGroups:
+  - managed.openshift.io
+  resources:
+  - veleros
+  - veleros/status
+  - veleros/finalizers
+  verbs:
+  - '*'
+- apiGroups:
+  - velero.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - cloudcredential.openshift.io
+  resources:
+  - credentialsrequests
+  verbs:
+  - '*'