operator-sdk install


Kevin Serikstad

May 24, 2023, 12:02:26 AM
to operator-framework-olm-dev
Hi,

At my company, we have certain company-specific annotations that we must add to our namespaces or cluster policies will forbid deployments from using the namespaces.  If I pre-create the namespaces and attempt the install, operator-sdk thinks OLM is already installed and fails.

Is there some way to customize the installation procedure for olm (i.e. operator-sdk olm install) to allow for required annotations? I do not see any indication there is in the cli usage pages or online documentation.

Thanks.

Kevin Serikstad

James Hewitt-Thomas

May 24, 2023, 1:35:57 AM
to Kevin Serikstad, operator-framework-olm-dev
Can you provide some more detail on the commands you are running and the output you see?

I expect raising an issue is the right thing to do.

James


Serikstad, Kevin (CCI-Atlanta)

May 24, 2023, 4:42:34 PM
to James Hewitt-Thomas, operator-framework-olm-dev

Hi James,

Thanks for the response. Here is some additional detail.

PROBLEM SUMMARY

Some of our Kubernetes policies require adding specific annotations in our namespace. Since the operator-sdk CLI install does not allow you to customize or pre-create a namespace, there does not appear to be a way to use operator-sdk to install OLM into our clusters.

To use operator-sdk, operator-sdk would either need to support an option like “--skip-namespace-creation” (i.e. use already created namespaces) or provide the ability to customize namespace parameters to use in creation.

ERROR CONDITIONS

Below are the two error conditions I encounter when attempting to use operator-sdk against our Kubernetes clusters with namespace policy restrictions.

  1. POLICY-VIOLATION-RELATED FAILURE DUE TO OUR K8S POLICIES: operator-sdk olm install receives an error due to my company's namespace annotation policy since our namespaces must be created with certain annotations defined:

$ operator-sdk olm install
I0524 14:33:46.496132   17714 request.go:690] Waited for 1.005756055s due to client-side throttling, not priority and fairness, request: GET:https://x.x.x.x:443/apis/expansion.gatekeeper.sh/v1alpha1?timeout=32s
INFO[0002] Fetching CRDs for version "latest"
INFO[0002] Fetching resources for resolved version "latest"
I0524 14:33:57.083058   17714 request.go:690] Waited for 1.0245034s due to client-side throttling, not priority and fairness, request: GET:https://x.x.x.x:443/apis/status.gatekeeper.sh/v1beta1?timeout=32s
INFO[0021] Creating CRDs and resources
INFO[0021]   Creating CustomResourceDefinition "catalogsources.operators.coreos.com"
INFO[0022]   Creating CustomResourceDefinition "clusterserviceversions.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "installplans.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "olmconfigs.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "operatorconditions.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "operatorgroups.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "operators.operators.coreos.com"
INFO[0023]   Creating CustomResourceDefinition "subscriptions.operators.coreos.com"
INFO[0024]   Creating Namespace "olm"
FATA[0024] Failed to install OLM version "latest": failed to create CRDs and resources: admission webhook denied the request: [require-app-namespace-annotations] you must provide annotation(s): {"Txxx", "bxxx", "xxx"}


  2. FAILURE WITH PRE-CREATED NAMESPACES: operator-sdk olm install errors when namespaces it wishes to use already exist.

Note: I verified no other OLM resources were installed outside of the namespaces (crds, etc.) and I only get the error if I pre-create the namespaces.


$ operator-sdk olm install
I0524 14:18:52.546191   16757 request.go:690] Waited for 1.046234816s due to client-side throttling, not priority and fairness, request: GET:https://x.x.x.x:443/apis/anthos.gke.io/v1alpha1?timeout=32s
INFO[0003] Fetching CRDs for version "latest"
INFO[0003] Fetching resources for resolved version "latest"
FATA[0007] Failed to install OLM version "latest": detected existing OLM resources: OLM must be completely uninstalled before installation.


SOLUTIONS/HANDLING

  1. I see that I can generate a K8s deployment using the package_release.sh script as per the instructions in the Installing OLM README.md in the repo. I have started going down that path by creating the deployment and modifying the generated namespace yaml manifests.

Reference: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/install/install.md

  2. Create an enhancement request to support customization of namespaces (annotations, specifically) during OLM installation.

I will create an ISSUE if I am wrong about the lack of customization for OLM installs via operator-sdk. I would also note that even with the verbose flag, error messages do not specifically tell me that the pre-existing namespaces represent the “detected existing OLM resources”, which might represent an additional enhancement request.

Kevin Serikstad

Enterprise Data Platform Services

Cox Communications, Inc.

e: kevin.s...@cox.com

James Hewitt-Thomas

May 24, 2023, 4:55:04 PM
to Serikstad, Kevin (CCI-Atlanta), operator-framework-olm-dev
The install command essentially downloads two files from a release (https://github.com/operator-framework/operator-lifecycle-manager/releases) - crds.yaml and olm.yaml. If _any_ of the resources in olm.yaml, including the namespace, exist then it won't attempt to reinstall.

There actually isn't a good upgrade story for how to upgrade OLM at the moment either, just as an aside.

Yes, I recommend raising an issue, although you're in quite a unique situation and I expect that you may have to propose changes yourself.

James
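
One way to carry out the workaround discussed in this thread (take crds.yaml and olm.yaml from a release and add the required annotations to the Namespace manifests before creating them), as an added example that is not part of the original messages or the OLM project's code. The annotation keys and values are placeholders, the manifest is a constructed sample, and annotation values are assumed to contain no whitespace:

```shell
#!/bin/sh
# Added example. Annotation keys/values are placeholders (the thread redacts the real ones).

# annotate_namespaces MANIFEST key=value...
# Prints MANIFEST with the annotations added to every "kind: Namespace" document.
annotate_namespaces() {
  manifest=$1; shift
  awk -v pairs="$*" '
    function flush(   i, j, n, kv, p, is_ns, has_ann, hook) {
      is_ns = has_ann = 0
      for (i = 1; i <= cnt; i++) {
        if (doc[i] ~ /^kind:[ \t]*Namespace[ \t]*$/) is_ns = 1
        if (doc[i] ~ /^  annotations:[ \t]*$/) has_ann = 1
      }
      # Insert under an existing annotations: key, else directly under metadata:
      hook = has_ann ? "^  annotations:[ \t]*$" : "^metadata:[ \t]*$"
      n = split(pairs, kv, " ")
      for (i = 1; i <= cnt; i++) {
        print doc[i]
        if (!is_ns || doc[i] !~ hook) continue
        if (!has_ann) print "  annotations:"
        for (j = 1; j <= n; j++) {
          p = index(kv[j], "=")
          printf "    %s: \"%s\"\n", substr(kv[j], 1, p - 1), substr(kv[j], p + 1)
        }
      }
      cnt = 0
    }
    /^---[ \t]*$/ { flush(); print; next }
    { doc[++cnt] = $0 }
    END { flush() }
  ' "$manifest"
}

# Constructed sample standing in for a release olm.yaml.
sample_manifest() {
  printf '%s\n' '---' 'apiVersion: v1' 'kind: Namespace' 'metadata:' '  name: olm' \
    '---' 'apiVersion: v1' 'kind: Namespace' 'metadata:' '  name: operators' \
    '---' 'apiVersion: v1' 'kind: ServiceAccount' 'metadata:' \
    '  name: olm-operator-serviceaccount' '  namespace: olm'
}

# Intended use against a cluster, with both files downloaded from a release:
#   kubectl create -f crds.yaml
#   annotate_namespaces olm.yaml example.com/owner=team-a | kubectl create -f -

tmp=$(mktemp) && sample_manifest > "$tmp"
annotate_namespaces "$tmp" example.com/owner=team-a example.com/cost-center=1234
rm -f "$tmp"
```

Reviewing the annotated output before creating it confirms that only the Namespace documents changed and that the admission policy's required keys are all present.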