feat: olm deployment helper (#546)

* wip: added olm-deployer

* wip

* wip: checkpoint

* wip

* wip: working version

* reorg test manifests

* impl owner ref

* Added readme, update manifests, successful run

* reorg modules

* wip

* test env

* copy resources

* add secret op lib crate

* patch namespace

* Revert "add secret op lib crate"

This reverts commit acee691.

* added test for namespace patch

* cargo fmt

* added owner name cli param

* obtain clusterrole by label selector

* olm creates multiple clusterroles per subscription

* delete tests in favor of olm manifests

* modify DynamicObjects in place and reduce cloning

* added keep_alive cli option

* sleep forever

* fix lint

* Update inline docs.

* Drop the op_version arg in favor of the csv name.

* Update changelog.

* fix typos

* update readme to mention oci.stackable.tech

Author: razvan

CHANGELOG.md

@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
 - Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
+- OLM deployment helper ([#546]).
 
 ### Changed
 
@@ -22,6 +23,7 @@ All notable changes to this project will be documented in this file.
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
 [#552]: https://github.com/stackabletech/secret-operator/pull/552
 [#544]: https://github.com/stackabletech/secret-operator/pull/544
+[#546]: https://github.com/stackabletech/secret-operator/pull/546
 
 ## [24.11.1] - 2025-01-10
 

Cargo.lock

@@ -20,8 +20,8 @@ clap = "4.5"
 futures = { version = "0.3", features = ["compat"] }
 h2 = "0.4"
 ldap3 = { version = "0.11", default-features = false, features = [
-    "gssapi",
-    "tls",
+  "gssapi",
+  "tls",
 ] }
 libc = "0.2"
 native-tls = "0.2"
@@ -49,6 +49,7 @@ tonic-build = "0.12"
 tonic-reflection = "0.12"
 tracing = "0.1"
 tracing-subscriber = "0.3"
+walkdir = "2.5.0"
 uuid = { version = "1.10.0", features = ["v4"] }
 yasna = "0.5"
 

Cargo.toml

@@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secret-operator-deployer
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+      tolerations:
+      - key: keep-out
+        value: "yes"
+        operator: Equal
+        effect: NoSchedule

nginx-deployment.yaml

@@ -0,0 +1,23 @@
+[package]
+name = "olm-deployer"
+description = "OLM deployment helper."
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+edition.workspace = true
+repository.workspace = true
+publish = false
+
+[dependencies]
+anyhow.workspace = true
+clap.workspace = true
+tokio.workspace = true
+tracing.workspace = true
+stackable-operator.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+serde_yaml.workspace = true
+walkdir.workspace = true
+
+[build-dependencies]
+built.workspace = true

rust/olm-deployer/Cargo.toml

@@ -0,0 +1,26 @@
+# How to test
+
+Requirements:
+
+1. An OpenShift cluster.
+2. Checkout the branch `secret-olm-deployer` from the [operators](https://github.com/stackabletech/openshift-certified-operators/tree/secret-olm-deployer) repo.
+3. Clone the `stackable-utils` [repo](https://github.com/stackabletech/stackable-utils)
+
+Install the secret operator using OLM and the `olm-deployer`. From the `stackable-utils` repo, run:
+
+```bash
+$ ./olm/build-bundles.sh -c $HOME/repo/stackable/openshift-certified-operators -r 24.11.0 -o secret -d
+...
+```
+
+[!NOTE]
+Bundle images are published to `oci.stackable.tech` so you need to log in there first.
+
+The secret op and all it's dependencies should be installed and running in the `stackable-operators` namespace.
+
+Run the integration tests:
+
+```bash
+$ ./scripts/run-tests --skip-operator secret --test-suite openshift
+...
+```

rust/olm-deployer/README.md

@@ -0,0 +1,3 @@
+fn main() {
+    built::write_built_file().unwrap();
+}

rust/olm-deployer/build.rs

@@ -0,0 +1,75 @@
+use anyhow::{bail, Result};
+use stackable_operator::kube::{api::DynamicObject, ResourceExt};
+
+pub fn data_field_as_mut<'a>(
+    value: &'a mut serde_json::Value,
+    pointer: &str,
+) -> Result<&'a mut serde_json::Value> {
+    match value.pointer_mut(pointer) {
+        Some(field) => Ok(field),
+        x => bail!("invalid pointer {pointer} for object {x:?}"),
+    }
+}
+
+pub fn container<'a>(
+    target: &'a mut DynamicObject,
+    container_name: &str,
+) -> anyhow::Result<&'a mut serde_json::Value> {
+    let tname = target.name_any();
+    let path = "template/spec/containers".split("/");
+    match get_or_create(target.data.pointer_mut("/spec").unwrap(), path)? {
+        serde_json::Value::Array(containers) => {
+            for c in containers {
+                if c.is_object() {
+                    if let Some(serde_json::Value::String(name)) = c.get("name") {
+                        if container_name == name {
+                            return Ok(c);
+                        }
+                    }
+                } else {
+                    anyhow::bail!("container is not a object: {:?}", c);
+                }
+            }
+            anyhow::bail!("container named {container_name} not found");
+        }
+        _ => anyhow::bail!("no containers found in object {tname}"),
+    }
+}
+
+/// Returns the object nested in `root` by traversing the `path` of nested keys.
+/// Creates any missing objects in path.
+/// In case of success, the returned value is either the existing object or
+/// serde_json::Value::Null.
+/// Returns an error if any of the nested objects has a type other than map.
+pub fn get_or_create<'a, 'b, I>(
+    root: &'a mut serde_json::Value,
+    path: I,
+) -> anyhow::Result<&'a mut serde_json::Value>
+where
+    I: IntoIterator<Item = &'b str>,
+{
+    let mut iter = path.into_iter();
+    match iter.next() {
+        None => Ok(root),
+        Some(first) => {
+            let new_root = get_or_insert_default_object(root, first)?;
+            get_or_create(new_root, iter)
+        }
+    }
+}
+
+/// Given a map object create or return the object corresponding to the given `key`.
+fn get_or_insert_default_object<'a>(
+    value: &'a mut serde_json::Value,
+    key: &str,
+) -> anyhow::Result<&'a mut serde_json::Value> {
+    let map = match value {
+        serde_json::Value::Object(map) => map,
+        x @ serde_json::Value::Null => {
+            *x = serde_json::json!({});
+            x.as_object_mut().unwrap()
+        }
+        x => anyhow::bail!("invalid type {x:?}, expected map"),
+    };
+    Ok(map.entry(key).or_insert_with(|| serde_json::Value::Null))
+}