Add configuration flag for disabling operator CRD creation/update (zalando#1733)

dpeckett · Damian Peckett · web-flow · commit fe340192cabc · 2022-01-13T15:20:04.000+01:00
* Make CRD registration configurable and drop RBAC permissions when CRD registration is disabled
* add generated deep copy functions

Co-authored-by: Damian Peckett &lt;d.peckett_admin@mgmt.innovo-cloud.de&gt;
diff --git a/charts/postgres-operator/crds/operatorconfigurations.yaml b/charts/postgres-operator/crds/operatorconfigurations.yaml
@@ -64,6 +64,9 @@ spec:
               docker_image:
                 type: string
                 default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p3"
+              enable_crd_registration:
+                type: boolean
+                default: true
               enable_crd_validation:
                 type: boolean
                 default: true
diff --git a/charts/postgres-operator/templates/clusterrole.yaml b/charts/postgres-operator/templates/clusterrole.yaml
@@ -40,10 +40,12 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
-  - create
   - get
+{{- if toString .Values.configGeneral.enable_crd_registration | eq "true" }}
+  - create
   - patch
   - update
+{{- end }}
 # to send events to the CRs
 - apiGroups:
   - ""
diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml
@@ -20,6 +20,8 @@ enableJsonLogging: false
 
 # general configuration parameters
 configGeneral:
+  # the deployment should create/update the CRDs
+  enable_crd_registration: true
   # choose if deployment creates/updates CRDs with OpenAPIV3Validation
   enable_crd_validation: true
   # update only the statefulsets without immediately doing the rolling update
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
@@ -70,6 +70,10 @@ Variable names are underscore-separated words.
 
 Those are top-level keys, containing both leaf keys and groups.
 
+* **enable_crd_registration**
+  Instruct the operator to create/update the CRDs. If disabled the operator will rely on the CRDs being managed separately.
+  The default is `true`.
+
 * **enable_crd_validation**
   toggles if the operator will create or update CRDs with
   [OpenAPI v3 schema validation](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#validation)
diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
@@ -35,6 +35,7 @@ data:
   docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p3
   # downscaler_annotations: "deployment-time,downscaler/*"
   # enable_admin_role_for_users: "true"
+  # enable_crd_registration: "true"
   # enable_crd_validation: "true"
   # enable_cross_namespace_secret: "false"
   # enable_database_access: "true"
diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml
@@ -62,6 +62,9 @@ spec:
               docker_image:
                 type: string
                 default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p3"
+              enable_crd_registration:
+                type: boolean
+                default: true
               enable_crd_validation:
                 type: boolean
                 default: true
diff --git a/manifests/postgresql-operator-default-configuration.yaml b/manifests/postgresql-operator-default-configuration.yaml
@@ -4,6 +4,7 @@ metadata:
   name: postgresql-operator-default-configuration
 configuration:
   docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p3
+  # enable_crd_registration: true
   # enable_crd_validation: true
   # enable_lazy_spilo_upgrade: false
   enable_pgversion_env_var: true
diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -946,6 +946,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 					"docker_image": {
 						Type: "string",
 					},
+					"enable_crd_registration": {
+						Type: "boolean",
+					},
 					"enable_crd_validation": {
 						Type: "boolean",
 					},
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -215,6 +215,7 @@ type OperatorLogicalBackupConfiguration struct {
 
 // OperatorConfigurationData defines the operation config
 type OperatorConfigurationData struct {
+	EnableCRDRegistration      *bool                              `json:"enable_crd_registration,omitempty"`
 	EnableCRDValidation        *bool                              `json:"enable_crd_validation,omitempty"`
 	EnableLazySpiloUpgrade     bool                               `json:"enable_lazy_spilo_upgrade,omitempty"`
 	EnablePgVersionEnvVar      bool                               `json:"enable_pgversion_env_var,omitempty"`
diff --git a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -309,8 +309,10 @@ func (c *Controller) initController() {
 	c.controllerID = os.Getenv("CONTROLLER_ID")
 
 	if configObjectName := os.Getenv("POSTGRES_OPERATOR_CONFIGURATION_OBJECT"); configObjectName != "" {
-		if err := c.createConfigurationCRD(c.opConfig.EnableCRDValidation); err != nil {
-			c.logger.Fatalf("could not register Operator Configuration CustomResourceDefinition: %v", err)
+		if c.opConfig.EnableCRDRegistration != nil && *c.opConfig.EnableCRDRegistration {
+			if err := c.createConfigurationCRD(c.opConfig.EnableCRDValidation); err != nil {
+				c.logger.Fatalf("could not register Operator Configuration CustomResourceDefinition: %v", err)
+			}
 		}
 		if cfg, err := c.readOperatorConfigurationFromCRD(spec.GetOperatorNamespace(), configObjectName); err != nil {
 			c.logger.Fatalf("unable to read operator configuration: %v", err)
@@ -325,8 +327,10 @@ func (c *Controller) initController() {
 
 	c.modifyConfigFromEnvironment()
 
-	if err := c.createPostgresCRD(c.opConfig.EnableCRDValidation); err != nil {
-		c.logger.Fatalf("could not register Postgres CustomResourceDefinition: %v", err)
+	if c.opConfig.EnableCRDRegistration != nil && *c.opConfig.EnableCRDRegistration {
+		if err := c.createPostgresCRD(c.opConfig.EnableCRDValidation); err != nil {
+			c.logger.Fatalf("could not register Postgres CustomResourceDefinition: %v", err)
+		}
 	}
 
 	c.initSharedInformers()
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
@@ -33,6 +33,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result := &config.Config{}
 
 	// general config
+	result.EnableCRDRegistration = util.CoalesceBool(fromCRD.EnableCRDRegistration, util.True())
 	result.EnableCRDValidation = util.CoalesceBool(fromCRD.EnableCRDValidation, util.True())
 	result.EnableLazySpiloUpgrade = fromCRD.EnableLazySpiloUpgrade
 	result.EnablePgVersionEnvVar = fromCRD.EnablePgVersionEnvVar
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
@@ -14,11 +14,12 @@ import (
 
 // CRD describes CustomResourceDefinition specific configuration parameters
 type CRD struct {
-	ReadyWaitInterval   time.Duration `name:"ready_wait_interval" default:"4s"`
-	ReadyWaitTimeout    time.Duration `name:"ready_wait_timeout" default:"30s"`
-	ResyncPeriod        time.Duration `name:"resync_period" default:"30m"`
-	RepairPeriod        time.Duration `name:"repair_period" default:"5m"`
-	EnableCRDValidation *bool         `name:"enable_crd_validation" default:"true"`
+	ReadyWaitInterval     time.Duration `name:"ready_wait_interval" default:"4s"`
+	ReadyWaitTimeout      time.Duration `name:"ready_wait_timeout" default:"30s"`
+	ResyncPeriod          time.Duration `name:"resync_period" default:"30m"`
+	RepairPeriod          time.Duration `name:"repair_period" default:"5m"`
+	EnableCRDRegistration *bool         `name:"enable_crd_registration" default:"true"`
+	EnableCRDValidation   *bool         `name:"enable_crd_validation" default:"true"`
 }
 
 // Resources describes kubernetes resource specific configuration parameters
