Prevent csv-finalizer Job from being included in operator release yamls (#2063)

ddelnano · web-flow · commit 5c5e9dcb259c · 2024-12-18T12:35:46.000-05:00
Summary: Prevent csv-finalizer Job from being included in operator release yamls #2059 introduced a new Job that fixed helm's uninstall issues caused by OLM's recent csv-finalizer addition. This properly addressed the helm issues in #1917, however, it broke the `px` cli install process since the Job wasn't excluded from the operator release yamls. This results in `px-operator` namespace termination as the cli is trying to deploy the vizier since the Job runs unconditionally. This change also renames the `deleter_role.yaml` file since it seems to be accidentally included in the operator release yamls. Please see testing done for how this was determined to be extraneous. Relevant Issues: #1917 Type of change: /kind bug Test Plan: Verified the following - [x] `helm template` includes the `csv-finalizer` job ``` # Create dummy Chart.yaml to appease helm $ helm template --set deployOLM=true k8s/operator/helm/ | grep 'csv-deleter' # Source: pixie/templates/csv-deleter.yaml name: csv-deleter ``` - [x] `bazel build k8s/operator:operator_templates` no longer includes the `csv-finalizer` job or the `deleter_role.yaml` ``` $ tar -tf bazel-bin/k8s/operator/operator_templates.tar yamls/ yamls/crds/ yamls/crds/olm_crd.yaml yamls/crds/vizier_crd.yaml yamls/templates/ yamls/templates/00_olm.yaml yamls/templates/01_px_olm.yaml yamls/templates/02_catalog.yaml yamls/templates/03_subscription.yaml yamls/templates/04_vizier.yaml ``` - [x] Verified deleter role is excluded from `px deploy`'s extracted yaml. [This](https://github.com/pixie-io/pixie/blob/9effb349be7a42f8b45ca8fce6cbfdac619349ac/src/utils/shared/artifacts/yamls.go#L165-L170) code excludes anything that isn't a "crd" file or is isn't numerically prefixed, which means the deleter role isn't included for `px` cli deploys ``` $ px deploy --operator_version=0.1.7-pre-z1.0 -e . --deploy_key=<deploy_key> $ tree pixie_yamls/ pixie_yamls/ ├── 00_olm_crd.yaml ├── 01_vizier_crd.yaml ├── 02_olm.yaml ├── 03_px_olm.yaml ├── 04_catalog.yaml ├── 05_subscription.yaml └── 06_vizier.yaml 1 directory, 7 files ``` --------- Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
diff --git a/k8s/operator/helm/templates/00_olm.yaml b/k8s/operator/helm/templates/00_olm.yaml
@@ -228,55 +228,4 @@ metadata:
 spec:
   targetNamespaces:
     - {{ .Values.olmNamespace }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: csv-deleter
-  namespace: {{ .Values.olmNamespace }}
-  annotations:
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
-spec:
-  template:
-    spec:
-      restartPolicy: Never
-      serviceAccountName: olm-operator-serviceaccount
-      containers:
-        - name: trigger-csv-finalizer
-          image: ghcr.io/pixie-io/pixie-oss-pixie-dev-public-curl:multiarch-7.87.0@sha256:f7f265d5c64eb4463a43a99b6bf773f9e61a50aaa7cefaf564f43e42549a01dd
-          command:
-            - /bin/sh
-            - -c
-            - |
-              NAMESPACE="{{ .Values.olmOperatorNamespace }}"
-              API_SERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
-              CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-              TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-
-              DELETE_STATUS=$(curl --cacert $CA_CERT \
-                                    -H "Authorization: Bearer $TOKEN" \
-                                    -X DELETE -s \
-                                    -o /dev/null -w "%{http_code}" \
-                                    $API_SERVER/api/v1/namespaces/$NAMESPACE)
-
-              if [ "$DELETE_STATUS" -ne 200 ] && [ "$DELETE_STATUS" -ne 202 ]; then
-                echo "Failed to initiate deletion for namespace $NAMESPACE. HTTP status code: $DELETE_STATUS"
-                exit 1
-              fi
-
-              echo "Waiting for finalizer in $NAMESPACE to complete..."
-              while true; do
-                STATUS=$(curl --cacert $CA_CERT \
-                              -H "Authorization: Bearer $TOKEN" \
-                              -o /dev/null -w "%{http_code}" -s \
-                              $API_SERVER/api/v1/namespaces/$NAMESPACE)
-                if [ "$STATUS" = "404" ]; then
-                  echo "Namespace $NAMESPACE finalizer completed."
-                  break
-                else
-                  echo "Finalizer still running in $NAMESPACE. Retrying in 5 seconds..."
-                  sleep 5
-                fi
-              done
 {{- end}}
diff --git a/k8s/operator/helm/templates/csv-deleter.yaml b/k8s/operator/helm/templates/csv-deleter.yaml
@@ -0,0 +1,53 @@
+{{if .Values.deployOLM}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: csv-deleter
+  namespace: {{ .Values.olmNamespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: olm-operator-serviceaccount
+      containers:
+        - name: trigger-csv-finalizer
+          image: ghcr.io/pixie-io/pixie-oss-pixie-dev-public-curl:multiarch-7.87.0@sha256:f7f265d5c64eb4463a43a99b6bf773f9e61a50aaa7cefaf564f43e42549a01dd
+          command:
+            - /bin/sh
+            - -c
+            - |
+              NAMESPACE="{{ .Values.olmOperatorNamespace }}"
+              API_SERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
+              CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+              DELETE_STATUS=$(curl --cacert $CA_CERT \
+                                    -H "Authorization: Bearer $TOKEN" \
+                                    -X DELETE -s \
+                                    -o /dev/null -w "%{http_code}" \
+                                    $API_SERVER/api/v1/namespaces/$NAMESPACE)
+
+              if [ "$DELETE_STATUS" -ne 200 ] && [ "$DELETE_STATUS" -ne 202 ]; then
+                echo "Failed to initiate deletion for namespace $NAMESPACE. HTTP status code: $DELETE_STATUS"
+                exit 1
+              fi
+
+              echo "Waiting for finalizer in $NAMESPACE to complete..."
+              while true; do
+                STATUS=$(curl --cacert $CA_CERT \
+                              -H "Authorization: Bearer $TOKEN" \
+                              -o /dev/null -w "%{http_code}" -s \
+                              $API_SERVER/api/v1/namespaces/$NAMESPACE)
+                if [ "$STATUS" = "404" ]; then
+                  echo "Namespace $NAMESPACE finalizer completed."
+                  break
+                else
+                  echo "Finalizer still running in $NAMESPACE. Retrying in 5 seconds..."
+                  sleep 5
+                fi
+              done
+{{- end}}
diff --git a/k8s/operator/helm/templates/deleter-role.yaml b/k8s/operator/helm/templates/deleter-role.yaml
