stackrox · misberner · May 18, 2021 · May 18, 2021 · May 20, 2021 · May 20, 2021
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,3 +1,5 @@
+upstream-triage:
+  - "./*"
 area/main-binary:
   - 'main.go'
   - 'internal/**/*'

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,11 +1,7 @@
 name: CI
 
 on:
-  push:
-    branches:
-      - '**'
-  pull_request:
-    branches: [ main ]
+  - push
 
 jobs:
 

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,13 +1,14 @@
 name: Deploy
 
-on:
-  push:
-    branches:
-      - '**'
-    tags:
-      - 'v*'
-  pull_request:
-    branches: [ main ]
+# Disabled as we don't need docker images to use the helm-operator as a library.
+#on:
+#  push:
+#    branches:
+#      - '**'
+#    tags:
+#      - 'v*'
+#  pull_request:
+#    branches: [ main ]
 
 jobs:
   goreleaser:

diff --git a/README.md b/README.md
@@ -1,6 +1,47 @@
 # helm-operator
 
-[![Build Status](https://github.com/joelanford/helm-operator/workflows/CI/badge.svg?branch=master)
-[![Coverage Status](https://coveralls.io/repos/github/joelanford/helm-operator/badge.svg?branch=master)](https://coveralls.io/github/joelanford/helm-operator?branch=master)
+![Build Status](https://github.com/stackrox/helm-operator/workflows/CI/badge.svg?branch=main)
+
+Experimental refactoring of the operator-framework's helm operator.
+
+## Why a fork?
+
+The Helm operator type automates Helm chart operations
+by mapping the [values](https://helm.sh/docs/chart_template_guide/values_files/) of a Helm chart exactly to a 
+`CustomResourceDefinition` and defining its watched resources in a `watches.yaml` 
+[configuration](https://sdk.operatorframework.io/docs/building-operators/helm/tutorial/#watch-the-nginx-cr) file.
+
+For creating a [Level II+](https://sdk.operatorframework.io/docs/advanced-topics/operator-capabilities/operator-capabilities/) operator 
+that reuses an already existing Helm chart, we need a [hybrid](https://github.com/operator-framework/operator-sdk/issues/670)
+between the Go and Helm operator types.
+
+The hybrid approach allows adding customizations to the Helm operator, such as:
+- value mapping based on cluster state, or 
+- executing code in specific events.
+
+## Quick start
+
+- Add this module as a replace directive to your `go.mod`:
+
+  ```
+  go mod edit -replace=github.com/joelanford/helm-operator=github.com/stackrox/helm-operator@main
+  ```
+
+  For example:
+
+  ```go
+  chart, err := loader.Load("path/to/chart")
+  if err != nil {
+     panic(err)
+  }
+
+  reconciler := reconciler.New(
+     reconciler.WithChart(*chart),
+     reconciler.WithGroupVersionKind(gvk),
+  )
+
+  if err := reconciler.SetupWithManager(mgr); err != nil {
+     panic(fmt.Sprintf("unable to create reconciler: %s", err))
+  }
+  ```
 
-Experimental refactoring of the operator-framework's helm operator
diff --git a/internal/cmd/run/cmd.go b/internal/cmd/run/cmd.go
@@ -169,7 +169,7 @@ func (r *run) run(cmd *cobra.Command) {
 			os.Exit(1)
 		}
 
-		if err := r.SetupWithManager(mgr); err != nil {
+		if err := r.SetupWithManager(mgr, reconciler.SetupOpts{}); err != nil {
 			log.Error(err, "unable to create controller", "controller", "Helm")
 			os.Exit(1)
 		}

diff --git a/pkg/annotation/annotation.go b/pkg/annotation/annotation.go
@@ -14,6 +14,30 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package annotation allows to set custom install, upgrade or uninstall options on custom resource objects with annotations.
+// To create custom annotations implement the Install, Upgrade or Uninstall interface.
+//
+// Example:
+//
+// To disable hooks based on annotations the InstallDisableHooks is passed to the reconciler as an option.
+//
+//    r, err := reconciler.New(
+//	    reconciler.WithChart(*w.Chart),
+//	    reconciler.WithGroupVersionKind(w.GroupVersionKind),
+//	    reconciler.WithInstallAnnotations(annotation.InstallDisableHooks{}),
+//	  )
+//
+// If the reconciler detects an annotation named "helm.sdk.operatorframework.io/install-disable-hooks"
+// on the watched custom resource, it sets the install.DisableHooks option to the annotations value. For more information
+// take a look at the InstallDisableHooks.InstallOption method.
+//
+//   kind: OperatorHelmKind
+//   apiVersion: test.example.com/v1
+//   metadata:
+//     name: nginx-sample
+//     annotations:
+//       "helm.sdk.operatorframework.io/install-disable-hooks": true
+//
 package annotation
 
 import (
@@ -30,27 +54,24 @@ var (
 	DefaultUninstallAnnotations = []Uninstall{UninstallDescription{}, UninstallDisableHooks{}}
 )
 
+// Install configures an install annotation.
 type Install interface {
 	Name() string
 	InstallOption(string) helmclient.InstallOption
 }
 
+// Upgrade configures an upgrade annotation.
 type Upgrade interface {
 	Name() string
 	UpgradeOption(string) helmclient.UpgradeOption
 }
 
+// Uninstall configures an uninstall annotation.
 type Uninstall interface {
 	Name() string
 	UninstallOption(string) helmclient.UninstallOption
 }
 
-type InstallDisableHooks struct {
-	CustomName string
-}
-
-var _ Install = &InstallDisableHooks{}
-
 const (
 	defaultDomain                    = "helm.sdk.operatorframework.io"
 	defaultInstallDisableHooksName   = defaultDomain + "/install-disable-hooks"
@@ -64,6 +85,12 @@ const (
 	defaultUninstallDescriptionName = defaultDomain + "/uninstall-description"
 )
 
+type InstallDisableHooks struct {
+	CustomName string
+}
+
+var _ Install = &InstallDisableHooks{}
+
 func (i InstallDisableHooks) Name() string {
 	if i.CustomName != "" {
 		return i.CustomName

diff --git a/pkg/client/actionclient.go b/pkg/client/actionclient.go
@@ -62,6 +62,7 @@ type ActionInterface interface {
 	Get(name string, opts ...GetOption) (*release.Release, error)
 	Install(name, namespace string, chrt *chart.Chart, vals map[string]interface{}, opts ...InstallOption) (*release.Release, error)
 	Upgrade(name, namespace string, chrt *chart.Chart, vals map[string]interface{}, opts ...UpgradeOption) (*release.Release, error)
+	MarkFailed(release *release.Release, reason string) error
 	Uninstall(name string, opts ...UninstallOption) (*release.UninstallReleaseResponse, error)
 	Reconcile(rel *release.Release) error
 }
@@ -163,6 +164,7 @@ func (c *actionClient) Upgrade(name, namespace string, chrt *chart.Chart, vals m
 		if rel != nil {
 			rollback := action.NewRollback(c.conf)
 			rollback.Force = true
+			rollback.MaxHistory = upgrade.MaxHistory
 
 			// As of Helm 2.13, if Upgrade returns a non-nil release, that
 			// means the release was also recorded in the release store.
@@ -179,6 +181,14 @@ func (c *actionClient) Upgrade(name, namespace string, chrt *chart.Chart, vals m
 	return rel, nil
 }
 
+func (c *actionClient) MarkFailed(rel *release.Release, reason string) error {
+	infoCopy := *rel.Info
+	releaseCopy := *rel
+	releaseCopy.Info = &infoCopy
+	releaseCopy.SetStatus(release.StatusFailed, reason)
+	return c.conf.Releases.Update(&releaseCopy)
+}
+
 func (c *actionClient) Uninstall(name string, opts ...UninstallOption) (*release.UninstallReleaseResponse, error) {
 	uninstall := action.NewUninstall(c.conf)
 	for _, o := range opts {

diff --git a/pkg/extensions/types.go b/pkg/extensions/types.go
@@ -0,0 +1,17 @@
+package extensions
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+// UpdateStatusFunc is a function that updates an unstructured status. If the status has been modified,
+// true must be returned, false otherwise.
+type UpdateStatusFunc func(*unstructured.Unstructured) bool
+
+// ReconcileExtension is an arbitrary extension that can be implemented to run either before
+// or after the main Helm reconciliation action.
+// An error returned by a ReconcileExtension will cause the Reconcile to fail, unlike a hook error.
+type ReconcileExtension func(context.Context, *unstructured.Unstructured, func(UpdateStatusFunc), logr.Logger) error
diff --git a/pkg/reconciler/internal/conditions/conditions.go b/pkg/reconciler/internal/conditions/conditions.go
@@ -41,6 +41,7 @@ const (
 	ReasonUpgradeError             = status.ConditionReason("UpgradeError")
 	ReasonReconcileError           = status.ConditionReason("ReconcileError")
 	ReasonUninstallError           = status.ConditionReason("UninstallError")
+	ReasonPendingError             = status.ConditionReason("PendingError")
 )
 
 func Initialized(stat corev1.ConditionStatus, reason status.ConditionReason, message interface{}) status.Condition {

diff --git a/pkg/reconciler/internal/fake/actionclient.go b/pkg/reconciler/internal/fake/actionclient.go
@@ -48,17 +48,19 @@ func (hcg *fakeActionClientGetter) ActionClientFor(_ crclient.Object) (client.Ac
 }
 
 type ActionClient struct {
-	Gets       []GetCall
-	Installs   []InstallCall
-	Upgrades   []UpgradeCall
-	Uninstalls []UninstallCall
-	Reconciles []ReconcileCall
-
-	HandleGet       func() (*release.Release, error)
-	HandleInstall   func() (*release.Release, error)
-	HandleUpgrade   func() (*release.Release, error)
-	HandleUninstall func() (*release.UninstallReleaseResponse, error)
-	HandleReconcile func() error
+	Gets        []GetCall
+	Installs    []InstallCall
+	Upgrades    []UpgradeCall
+	MarkFaileds []MarkFailedCall
+	Uninstalls  []UninstallCall
+	Reconciles  []ReconcileCall
+
+	HandleGet        func() (*release.Release, error)
+	HandleInstall    func() (*release.Release, error)
+	HandleUpgrade    func() (*release.Release, error)
+	HandleMarkFailed func() error
+	HandleUninstall  func() (*release.UninstallReleaseResponse, error)
+	HandleReconcile  func() error
 }
 
 func NewActionClient() ActionClient {
@@ -109,6 +111,11 @@ type UpgradeCall struct {
 	Opts      []client.UpgradeOption
 }
 
+type MarkFailedCall struct {
+	Release *release.Release
+	Reason  string
+}
+
 type UninstallCall struct {
 	Name string
 	Opts []client.UninstallOption
@@ -133,6 +140,11 @@ func (c *ActionClient) Upgrade(name, namespace string, chrt *chart.Chart, vals m
 	return c.HandleUpgrade()
 }
 
+func (c *ActionClient) MarkFailed(rel *release.Release, reason string) error {
+	c.MarkFaileds = append(c.MarkFaileds, MarkFailedCall{rel, reason})
+	return c.HandleMarkFailed()
+}
+
 func (c *ActionClient) Uninstall(name string, opts ...client.UninstallOption) (*release.UninstallReleaseResponse, error) {
 	c.Uninstalls = append(c.Uninstalls, UninstallCall{name, opts})
 	return c.HandleUninstall()

diff --git a/pkg/reconciler/internal/hook/hook.go b/pkg/reconciler/internal/hook/hook.go
@@ -37,18 +37,22 @@ import (
 	"github.com/joelanford/helm-operator/pkg/manifestutil"
 )
 
-func NewDependentResourceWatcher(c controller.Controller, rm meta.RESTMapper) hook.PostHook {
+func NewDependentResourceWatcher(c controller.Controller, rm meta.RESTMapper, watchReleaseResources bool, extraWatches ...schema.GroupVersionKind) hook.PostHook {
 	return &dependentResourceWatcher{
-		controller: c,
-		restMapper: rm,
-		m:          sync.Mutex{},
-		watches:    make(map[schema.GroupVersionKind]struct{}),
+		controller:            c,
+		restMapper:            rm,
+		watchReleaseResources: watchReleaseResources,
+		extraWatches:          extraWatches,
+		m:                     sync.Mutex{},
+		watches:               make(map[schema.GroupVersionKind]struct{}),
 	}
 }
 
 type dependentResourceWatcher struct {
-	controller controller.Controller
-	restMapper meta.RESTMapper
+	controller            controller.Controller
+	restMapper            meta.RESTMapper
+	watchReleaseResources bool
+	extraWatches          []schema.GroupVersionKind
 
 	m       sync.Mutex
 	watches map[schema.GroupVersionKind]struct{}
@@ -58,16 +62,31 @@ func (d *dependentResourceWatcher) Exec(owner *unstructured.Unstructured, rel re
 	// using predefined functions for filtering events
 	dependentPredicate := predicate.DependentPredicateFuncs()
 
-	resources := releaseutil.SplitManifests(rel.Manifest)
-	d.m.Lock()
-	defer d.m.Unlock()
-	for _, r := range resources {
-		var obj unstructured.Unstructured
-		err := yaml.Unmarshal([]byte(r), &obj)
-		if err != nil {
-			return err
+	var allWatches []unstructured.Unstructured
+	if d.watchReleaseResources {
+		resources := releaseutil.SplitManifests(rel.Manifest)
+		for _, r := range resources {
+			var obj unstructured.Unstructured
+			err := yaml.Unmarshal([]byte(r), &obj)
+			if err != nil {
+				return err
+			}
+
+			allWatches = append(allWatches, obj)
 		}
+	}
 
+	// For extra watches, we only support same namespace
+	for _, extraWatchGVK := range d.extraWatches {
+		var obj unstructured.Unstructured
+		obj.SetGroupVersionKind(extraWatchGVK)
+		obj.SetNamespace(owner.GetNamespace())
+		allWatches = append(allWatches, obj)
+	}
+
+	d.m.Lock()
+	defer d.m.Unlock()
+	for _, obj := range allWatches {
 		depGVK := obj.GroupVersionKind()
 		if _, ok := d.watches[depGVK]; ok || depGVK.Empty() {
 			continue