# openshift OLM notes

###### tags: `notes`

Operator Lifecycle Manager (OLM)
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/operators/index#olm-understanding-olm

![](https://hackmd.io/_uploads/B1mGijnBY.png)

OLM runs by default in OpenShift Container Platform 4.7 and helps cluster administrators install, upgrade, and grant access to Operators running on their cluster. The OpenShift Container Platform web console provides management screens for cluster administrators to install Operators, as well as grant specific projects access to use the catalog of Operators available on the cluster.

![](https://hackmd.io/_uploads/ByNujsnHt.png)

### CSV

* A cluster service version (CSV) represents a specific version of a running Operator on an OpenShift Container Platform cluster.
* OLM requires this metadata about an Operator to ensure that it can be kept running safely on a cluster, and to provide information about how updates should be applied as new versions of the Operator are published.
* A CSV is also a source of technical information required to run the Operator, such as which custom resources (CRs) it manages or depends on, RBAC rules, cluster requirements, and install strategies.

### Catalog source

* A catalog source represents a store of metadata, typically by referencing an index image stored in a container registry. Operator Lifecycle Manager (OLM) queries catalog sources to discover and install Operators and their dependencies. The OperatorHub in the OpenShift Container Platform web console also displays the Operators provided by catalog sources.
* Example catalog source

```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  generation: 1
  name: example-catalog
  namespace: openshift-marketplace
spec:
  displayName: Example Catalog
  image: quay.io/example-org/example-catalog:v1
  priority: -400
  publisher: Example Org
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 30m0s
status:
  connectionState:
    address: example-catalog.openshift-marketplace.svc:50051
    lastConnect: 2021-08-26T18:14:31Z
    lastObservedState: READY
  latestImageRegistryPoll: 2021-08-26T18:46:25Z
  registryService:
    createdAt: 2021-08-26T16:16:37Z
    port: 50051
    protocol: grpc
    serviceName: example-catalog
    serviceNamespace: openshift-marketplace
```

### Subscription

A subscription, defined by a Subscription object, represents an intention to install an Operator. It is the custom resource that relates an Operator to a catalog source.

Subscriptions describe which channel of an Operator package to subscribe to, and whether to perform updates automatically or manually. If set to automatic, the subscription ensures Operator Lifecycle Manager (OLM) manages and upgrades the Operator to ensure that the latest version is always running in the cluster.

```
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: example-operator
  namespace: example-namespace
spec:
  channel: stable
  name: example-operator
  source: example-catalog
  sourceNamespace: openshift-marketplace
```

### Install plan

An install plan, defined by an InstallPlan object, describes a set of resources that Operator Lifecycle Manager (OLM) creates to install or upgrade to a specific version of an Operator. The version is defined by a cluster service version (CSV).

```
apiVersion: operators.coreos.com/v1alpha1
kind: InstallPlan
metadata:
  name: install-abcde
  namespace: operators
spec:
  approval: Automatic
  approved: true
  clusterServiceVersionNames:
    - my-operator.v1.0.1
  generation: 1
status:
  ...
  catalogSources: []
  conditions:
    - lastTransitionTime: '2021-01-01T20:17:27Z'
      lastUpdateTime: '2021-01-01T20:17:27Z'
      status: 'True'
      type: Installed
  phase: Complete
  plan:
    - resolving: my-operator.v1.0.1
      resource:
        group: operators.coreos.com
        kind: ClusterServiceVersion
        manifest: >-
          ...
        name: my-operator.v1.0.1
        sourceName: redhat-operators
        sourceNamespace: openshift-marketplace
        version: v1alpha1
      status: Created
    - resolving: my-operator.v1.0.1
      resource:
        group: apiextensions.k8s.io
        kind: CustomResourceDefinition
        manifest: >-
          ...
        name: webservers.web.servers.org
        sourceName: redhat-operators
        sourceNamespace: openshift-marketplace
        version: v1beta1
      status: Created
    - resolving: my-operator.v1.0.1
      resource:
        group: ''
        kind: ServiceAccount
        manifest: >-
          ...
        name: my-operator
        sourceName: redhat-operators
        sourceNamespace: openshift-marketplace
        version: v1
      status: Created
    - resolving: my-operator.v1.0.1
      resource:
        group: rbac.authorization.k8s.io
        kind: Role
        manifest: >-
          ...
        name: my-operator.v1.0.1-my-operator-6d7cbc6f57
        sourceName: redhat-operators
        sourceNamespace: openshift-marketplace
        version: v1
      status: Created
    - resolving: my-operator.v1.0.1
      resource:
        group: rbac.authorization.k8s.io
        kind: RoleBinding
        manifest: >-
          ...
        name: my-operator.v1.0.1-my-operator-6d7cbc6f57
        sourceName: redhat-operators
        sourceNamespace: openshift-marketplace
        version: v1
      status: Created
```

### Operator Registry API

https://github.com/operator-framework/operator-registry

### Upgrade path <-------

For an example upgrade scenario, consider an installed Operator corresponding to CSV version 0.1.1. OLM queries the catalog source and detects an upgrade in the subscribed channel with new CSV version 0.1.3 that replaces an older but not-installed CSV version 0.1.2, which in turn replaces the older and installed CSV version 0.1.1.

However, sometimes this is not a safe operation to perform.
There will be cases where a published version of an Operator should never be installed on a cluster if it has not already been installed, for example because a version introduces a serious vulnerability. In those cases, OLM must consider two cluster states and provide an update graph that supports both:

* The "bad" intermediate Operator has been seen by the cluster and installed.
* The "bad" intermediate Operator has not yet been installed onto the cluster.

```yaml=
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: etcdoperator.v0.9.2
  namespace: placeholder
  annotations:
spec:
  displayName: etcd
  description: Etcd Operator
  replaces: etcdoperator.v0.9.0
  skips:
  - etcdoperator.v0.9.1
```

```
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: elasticsearch-operator.v4.1.2
  namespace: <namespace>
  annotations:
    olm.skipRange: '>=4.1.0 <4.1.2'
```

## Validating operator-sdk CSV bundle

https://sdk.operatorframework.io/docs/olm-integration/generation/

```
[whayutin@thinkdoe olm-catalog]$ pwd
/home/whayutin/OPENSHIFT/git/DOWNSTREAM/oadp-operator-bundle/deploy/olm-catalog
[whayutin@thinkdoe olm-catalog]$ operator-sdk bundle validate ./bundle --select-optional name=operatorhub
INFO[0000] Found annotations file bundle-dir=bundle container-tool=docker
INFO[0000] Could not find optional dependencies file bundle-dir=bundle container-tool=docker
INFO[0000] All validation tests have completed successfully
```

## Debug Operator install

https://docs.openshift.com/container-platform/4.5/support/troubleshooting/troubleshooting-operator-issues.html

* `kubectl -n openshift-adp get installplans`
* `oc get subs -n openshift-adp`
* `oc describe sub oadp-operator -n openshift-adp`

## Nice upstream docs

* testing operators
  * https://github.com/operator-framework/community-operators/blob/master/docs/testing-operators.md
* operator format, manifests && annotations
  * https://github.com/operator-framework/operator-registry/blob/master/docs/design/operator-bundle.md
* building
  * https://github.com/operator-framework/operator-registry/tree/release-4.2#manifest-format

## to remove operator in full

* uninstall operator from "installed operators"
* admin -> cluster settings -> configuration -> Operator Hub -> global configurations -> sources
* remove operator in question.
* ![](https://hackmd.io/_uploads/H1ZKtL4UY.png)

## cli OLM install OADP

* doc - https://github.com/openshift/oadp-operator/blob/master/docs/developer/olm_hacking.md
* my customization

```
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: oadp-operator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/rhn_engineering_whayutin/oadp-operator-index@sha256:f81339845fc610858b7dbb041b684241e8cfea90b2100e7b1d7873c46135658c
  displayName: OADP Operator Catalog
  publisher: grpc
```

* only enable content from internal sources

```
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: brew-registry
spec:
  repositoryDigestMirrors:
  - mirrors:
    - brew.registry.redhat.io
    source: registry.redhat.io
  - mirrors:
    - brew.registry.redhat.io
    source: registry.stage.redhat.io
  - mirrors:
    - brew.registry.redhat.io
    source: registry-proxy.engineering.redhat.com
```

* references:
  * https://learning.oreilly.com/library/view/kubernetes-operators/9781492048039/ch08.html#idm45261328970680
  * https://github.com/operator-framework/operator-registry/tree/release-4.2#manifest-format
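
The upgrade rules from the "Upgrade path" section (`replaces`, `skips`, `olm.skipRange`), worked through as an added Python example that is not part of the original notes and is not OLM's own resolver. It is a simplified model: versions are parsed from the CSV name, and the channel lists (including the `op.*` CSVs and `etcdoperator.v0.9.1`) are constructed sample data.

```python
import re
from operator import eq, ge, gt, le, lt

OPS = {">=": ge, "<=": le, ">": gt, "<": lt, "=": eq}

def version_of(csv_name):
    """(major, minor, patch) from a CSV name such as 'etcdoperator.v0.9.2'."""
    m = re.search(r"\.v(\d+)\.(\d+)\.(\d+)$", csv_name)
    if not m:
        raise ValueError(f"no vX.Y.Z suffix in CSV name: {csv_name!r}")
    return tuple(map(int, m.groups()))

def in_skip_range(version, skip_range):
    """True if version meets every comparator; an empty range covers nothing."""
    for comparator in skip_range.split():
        m = re.fullmatch(r"(>=|<=|>|<|=)(\d+)\.(\d+)\.(\d+)", comparator)
        if not m:
            raise ValueError(f"unsupported comparator: {comparator!r}")
        if not OPS[m.group(1)](version, tuple(map(int, m.groups()[1:]))):
            return False
    return bool(skip_range)

def next_csv(installed, channel):
    """Simplified model, not OLM's resolver: highest CSV reachable from `installed`."""
    skipped = {s for csv in channel for s in csv.get("skips", [])}
    targets = [
        csv["name"] for csv in channel
        # A CSV named in another CSV's skips list is never offered as a target.
        if csv["name"] not in skipped and csv["name"] != installed and (
            csv.get("replaces") == installed
            or installed in csv.get("skips", [])
            or in_skip_range(version_of(installed), csv.get("skipRange", "")))
    ]
    return max(targets, key=version_of, default=None)

def upgrade_path(installed, channel):
    """CSVs installed in order on the way from `installed` to the channel head."""
    path = []
    while (nxt := next_csv(installed, channel)) and nxt not in path:
        path.append(nxt)
        installed = nxt
    return path

# Constructed channels mirroring the CSV snippets in these notes (sample data).
LINEAR = [{"name": "op.v0.1.1"}, {"name": "op.v0.1.2", "replaces": "op.v0.1.1"},
          {"name": "op.v0.1.3", "replaces": "op.v0.1.2"}]
ETCD = [{"name": "etcdoperator.v0.9.0"},
        {"name": "etcdoperator.v0.9.1", "replaces": "etcdoperator.v0.9.0"},
        {"name": "etcdoperator.v0.9.2", "replaces": "etcdoperator.v0.9.0",
         "skips": ["etcdoperator.v0.9.1"]}]
ES = [{"name": "elasticsearch-operator.v4.1.2", "skipRange": ">=4.1.0 <4.1.2"}]
```

`upgrade_path("etcdoperator.v0.9.0", ETCD)` and `upgrade_path("etcdoperator.v0.9.1", ETCD)` both return `["etcdoperator.v0.9.2"]`, which covers the two cluster states listed above: the skipped version is never offered to a cluster that has not installed it, and a cluster that has it installed can still move off it.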