bank-vaults icon indicating copy to clipboard operation
bank-vaults copied to clipboard
verified publisher icon bank-vaults

As an OKD/OCP user, I would like to have the Vault Operator available in "Community Operators"

Open RyuunoAelia opened this issue 4 years ago • 3 comments

Is your feature request related to a problem? Please describe. The Vault Operator was published previously on upstream-community-operators (AKA operatorhub.io) here https://github.com/operator-framework/community-operators/pull/161 . This means that plain k8s OLM is able to install it. However, the OLM in OKD does not use operatorhub.io (and it is not a good idea to use operatorhub.io since OpenShift is a special k8s with a variant of PSPs enabled by default and other things). Would you please put an up-to-date version of the Vault operator in Red Hat OpenShift "Community Operators" ?

Describe the solution you'd like I understand that operatorhub.io vs. OKD "Community Operators" is confusing (I pointed that out a while back but they have other priorities)... So I will be as precise as possible.

operatorhub.io is the folder "upstream-community-operators" in the https://github.com/operator-framework/community-operators which currently holds the bansaicloud vault-operator v0.4.10 (precisely here -> https://github.com/operator-framework/community-operators/tree/master/upstream-community-operators/vault )

To get OpenShift 4.x (OKD and OCP) to be able to test and install the operator, it needs to be available in the "community-operators" folder of the same repository (here: https://github.com/operator-framework/community-operators/tree/master/community-operators ).

Describe alternatives you've considered

I can maintain my own private registry with an operator bundle I build myself (I already do it for rook-ceph due to unavoidable, unsupported features in OLM). But it is kind of a hassle for each user of OKD/OCP and Bansai Cloud Vault Operator to maintain its own private registry. And would help promote your solution if you made it available in OCP/OKD, too.

RyuunoAelia avatar May 12 '21 18:05 RyuunoAelia

@RyuunoAelia +1 we would like to see this as well.

willhaines avatar Feb 08 '22 21:02 willhaines

Any updates on this issue?

Currently there is a mix of non-official options available:

  • Community Operators: https://github.com/k8s-operatorhub/community-operators/tree/main/operators/vault
  • Community Operators: https://github.com/k8s-operatorhub/community-operators/tree/main/operators/vault-helm
  • OLM: https://github.com/redhat-openshift-ecosystem/community-operators-prod/tree/main/operators/vault-helm

raelga avatar Jun 30 '22 11:06 raelga

For our use case, we ended developing a new operator using the OperatorSDK Helm framework. It's actually a kind of meta-operator, when the operator image is built, it fetches the helm chart and stores it into the container image.

When deployed into a cluster, it allows every single configuration available in the helm chart using an OperatorConfig instance manifest to define the values.yaml. With that configuration, it renders, deploys and reconciles all the resources from the helm chart.

The code is available here:

https://github.com/3scale-ops/bank-vaults-helm-operator

Images are built on GH actions:

https://github.com/3scale-ops/bank-vaults-helm-operator/actions

And the images are pushed to quay.io:

A few things about the implementation:

  • When a new chart is available, we only need to run the download-helm-chart makefile target with the new VERSION and build the container operator (container-build), catalog and bundles images (bundle-publish). The helm chart code doesn't even needs to be in the repo, is fetched on build time in the GH action:
HELM_CHARTS_PATH=$(PWD)/helm-charts
HELM_CHART_REPO_NAME=banzaicloud-stable
HELM_CHART_REPO_URL=https://kubernetes-charts.banzaicloud.com
HELM_CHART_NAME=vault-operator
HELM_CHART_VERSION=$(shell echo $(VERSION) | sed 's/\([0-9.]\+\).*/\1/g')
download-helm-chart: helm ## Download original helm chart into operator directory helm-charts/
	@$(HELM) repo add $(HELM_CHART_REPO_NAME) $(HELM_CHART_REPO_URL) >/dev/null \
		|| { echo "Unable to add $(HELM_CHART_REPO_URL) reposirtory"; exit 1; }
	@test -d $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME) \
		|| { mkdir -p $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME); } \
		&& { find $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME) -delete; }
	@$(HELM) pull \
		--untar --untardir $(HELM_CHARTS_PATH) \
		--version=$(HELM_CHART_VERSION) $(HELM_CHART_REPO_NAME)/$(HELM_CHART_NAME) \
		&& echo "$(HELM_CHART_REPO_NAME)/$(HELM_CHART_NAME)@$(HELM_CHART_VERSION) downloaded to $(HELM_CHARTS_PATH)"
# Move vault CRDs to config manifests
	@mv $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME)/crds/crd.yaml \
		$(PWD)/config/crd/bases/vault.banzaicloud.com_crds.yaml \
		&& cd $(PWD)/config/crd/ \
		&& $(KUSTOMIZE) edit add resource bases/vault.banzaicloud.com_crds.yaml
# Remove all CRDs from helm chart
	@find $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME)/crds -name '*yaml' -delete
	@rmdir $(HELM_CHARTS_PATH)/$(HELM_CHART_NAME)/crds

https://github.com/3scale-ops/bank-vaults-helm-operator/blob/c7026fe703dd26b9379f1b60ac34587b1a7f1a9b/Makefile#L261-L283

Screenshot 2022-07-11 at 16 04 35 https://github.com/3scale-ops/bank-vaults-helm-operator/runs/7252897840?check_suite_focus=true

An example on how a release looks like is this PR https://github.com/3scale-ops/bank-vaults-helm-operator/pull/2/files. Everything in the bundle path is generated from the yamls in config. And most part of those config yamls are also generated from the information available on the helm charts.

  • CRDs are managed by OLM and shipped with the bundle, so they are removed from the Helm chart.

  • All the configurations available on the values.yaml are now available on the OperatorConfig resource:

apiVersion: operatorconfigs.operator.cert-manager.io/v1alpha1
kind: OperatorConfig
metadata:
  name: instance
spec:
  image:
    bankVaultsRepository: ghcr.io/banzaicloud/bank-vaults
    repository: ghcr.io/banzaicloud/vault-operator
  • Installation via OLM using the operator catalog:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: bank-vaults-helm-operator-catalog
  namespace: vault
spec:
  sourceType: grpc
  image: quay.io/3scale/bank-vaults-helm-operator-catalog:latest
  displayName: Bank Vaults Helm Operator
  updateStrategy:
    registryPoll:
      interval: 30m
---
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: vault
  namespace: vault
spec:
  targetNamespaces:
    - vault
 ---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: bank-vaults-helm-operator
  namespace: vault
spec:
  channel: stable
  installPlanApproval: Manual
  name: bank-vaults-helm-operator
  source: bank-vaults-helm-operator-catalog
  sourceNamespace: vault

https://github.com/3scale-ops/bank-vaults-helm-operator/blob/main/docs/install.md

raelga avatar Jul 11 '22 14:07 raelga