openshift · openshift-merge-robot · Nov 16, 2020 · Nov 13, 2020 · Oct 5, 2020
diff --git a/api/v1/updateservice_types.go b/api/v1/updateservice_types.go
@@ -38,6 +38,12 @@ type UpdateServiceStatus struct {
 	// +patchStrategy=merge
 	// +kubebuilder:validation:Optional
 	Conditions []conditionsv1.Condition `json:"conditions,omitempty"  patchStrategy:"merge" patchMergeKey:"type"`
+
+	// policyEngineURI is the external URI which exposes the policy
+	// engine.  Available paths from this URI include:
+	//
+	// * /api/upgrades_info/v1/graph, with the update graph recommendations.
+	PolicyEngineURI string `json:"policyEngineURI,optional"`
 }
 
 // Condition Types

diff --git a/...ator.openshift.io_updateservices_crd.yaml → ...operator.openshift.io_updateservices.yaml b/...ator.openshift.io_updateservices_crd.yaml → ...operator.openshift.io_updateservices.yaml
@@ -1,6 +1,11 @@
+
+---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
   name: updateservices.updateservice.operator.openshift.io
 spec:
   group: updateservice.operator.openshift.io
@@ -14,7 +19,7 @@ spec:
     status: {}
   validation:
     openAPIV3Schema:
-      description: UpdateService is the Schema for a UpdateService service.
+      description: UpdateService is the Schema for the updateservices API.
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation
@@ -27,26 +32,29 @@ spec:
             submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
           type: string
         metadata:
+          description: 'metadata is standard object metadata.  More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
           type: object
         spec:
-          description: UpdateServiceSpec defines the desired state of UpdateService
+          description: spec is the desired state of the UpdateService service.  The
+            operator will work to ensure that the desired configuration is applied
+            to the cluster.
           properties:
             graphDataImage:
-              description: GraphDataImage is a container image that contains the UpdateService
-                graph data. The data is copied to /var/lib/updateservice/graph-data.
+              description: graphDataImage is a container image that contains the UpdateService
+                graph data.
               type: string
             registry:
-              description: Registry is the container registry to use, such as "quay.io".
+              description: registry is the container registry to use, such as "quay.io".
               type: string
             replicas:
-              description: Replicas is the number of pods to run. When >=2, a PodDisruptionBudget
+              description: replicas is the number of pods to run. When >=2, a PodDisruptionBudget
                 will ensure that voluntary disruption leaves at least one Pod running
                 at all times.
               format: int32
               minimum: 1
               type: integer
             repository:
-              description: Repository is the repository to use in the Registry, such
+              description: repository is the repository to use in the Registry, such
                 as "openshift-release-dev/ocp-release"
               type: string
           required:
@@ -56,7 +64,8 @@ spec:
           - repository
           type: object
         status:
-          description: UpdateServiceStatus defines the observed state of UpdateService
+          description: status contains information about the current state of the
+            UpdateService service.
           properties:
             conditions:
               description: Conditions describe the state of the UpdateService resource.
@@ -85,10 +94,26 @@ spec:
                 - type
                 type: object
               type: array
+            policyEngineURI:
+              description: "policyEngineURI is the external URI which exposes the
+                policy engine.  Available paths from this URI include: \n * /api/upgrades_info/v1/graph,
+                with the update graph recommendations."
+              type: string
+          required:
+          - policyEngineURI
           type: object
+      required:
+      - metadata
+      - spec
       type: object
   version: v1
   versions:
   - name: v1
     served: true
     storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -2,7 +2,7 @@
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
-- bases/updateservice.operator.openshift.io_updateservices_crd.yaml
+- bases/updateservice.operator.openshift.io_updateservices.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -61,18 +61,6 @@ rules:
   - deployments/finalizers
   verbs:
   - update
-- apiGroups:
-  - updateservice.operator.openshift.io
-  resources:
-  - '*'
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - config.openshift.io
   resources:
@@ -111,69 +99,6 @@ rules:
   - patch
   - update
   - watch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  creationTimestamp: null
-  name: updateservice-operator
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - endpoints
-  - events
-  - persistentvolumeclaims
-  - pods
-  - secrets
-  - services
-  - services/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-- apiGroups:
-  - apps
-  resources:
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - replicasets
-  verbs:
-  - get
-- apiGroups:
-  - apps
-  resourceNames:
-  - updateservice-operator
-  resources:
-  - deployments/finalizers
-  verbs:
-  - update
 - apiGroups:
   - updateservice.operator.openshift.io
   resources:
@@ -186,22 +111,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - servicemonitors
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
diff --git a/controllers/updateservice_controller.go b/controllers/updateservice_controller.go
@@ -29,6 +29,7 @@ import (
 	routev1 "github.com/openshift/api/route/v1"
 	cv1 "github.com/openshift/cincinnati-operator/api/v1"
 	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
+	"github.com/openshift/library-go/pkg/route/routeapihelpers"
 )
 
 var log = logf.Log.WithName("controller_updateservice")
@@ -122,23 +123,15 @@ type UpdateServiceReconciler struct {
 	operandImage string
 }
 
-// +kubebuilder:rbac:groups="",namespace="updateservice-operator",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets,verbs=create;delete;get;list;patch;update;watch
-// +kubebuilder:rbac:groups="apps",namespace="updateservice-operator",resources=deployments;daemonsets;replicasets;statefulsets,verbs=create;delete;get;list;patch;update;watch
-// +kubebuilder:rbac:groups="monitoring.coreos.com",namespace="updateservice-operator",resources=servicemonitors,verbs=create;get
-// +kubebuilder:rbac:groups="apps",namespace="updateservice-operator",resourceNames=updateservice-operator,resources=deployments/finalizers,verbs=update
-// +kubebuilder:rbac:groups="",namespace="updateservice-operator",resources=pods,verbs=get
-// +kubebuilder:rbac:groups="apps",namespace="updateservice-operator",resources=replicasets;deployments,verbs=get
-// +kubebuilder:rbac:groups="policy",namespace="updateservice-operator",resources=poddisruptionbudgets,verbs=create;delete;get;list;patch;update;watch
-// +kubebuilder:rbac:groups=updateservice.operator.openshift.io,namespace="updateservice-operator",resources=*,verbs=create;delete;get;list;patch;update;watch
-// +kubebuilder:rbac:groups=config.openshift.io,resources=images,verbs=get;list;watch
-// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=create;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get
 // +kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="apps",resourceNames=updateservice-operator,resources=deployments/finalizers,verbs=update
 // +kubebuilder:rbac:groups="apps",resources=deployments;daemonsets;replicasets;statefulsets,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="apps",resources=replicasets;deployments,verbs=get
-// +kubebuilder:rbac:groups="",resources=pods,verbs=get
 // +kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors,verbs=create;get
-// +kubebuilder:rbac:groups="apps",resourceNames=updateservice-operator,resources=deployments/finalizers,verbs=update
 // +kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=config.openshift.io,resources=images,verbs=get;list;watch
+// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=create;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=updateservice.operator.openshift.io,resources=*,verbs=create;delete;get;list;patch;update;watch
 
 func (r *UpdateServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
@@ -575,6 +568,12 @@ func (r *UpdateServiceReconciler) ensurePolicyEngineRoute(ctx context.Context, r
 		return err
 	}
 
+	if uri, _, err := routeapihelpers.IngressURI(found, ""); err == nil {
+		instance.Status.PolicyEngineURI = uri.String()
+	} else {
+		handleErr(reqLogger, &instance.Status, "RouteIngressFailed", err)
+	}
+
 	updated := found.DeepCopy()
 	// Keep found tls for later use
 	tls := updated.Spec.TLS

diff --git a/docs/disconnected-cincinnati-operator.md b/docs/disconnected-cincinnati-operator.md
@@ -234,55 +234,21 @@ You might want to review the documentation around disconnected registries to lea
           graphDataImage: "${DISCONNECTED_REGISTRY}/cincinnati/cincinnati-graph-data-container:latest"
         EOF
         ~~~
-3. Check the cincinnati service
+3. Wait for a public route, polling until:
 
     ~~~sh
-    curl --header 'Accept:application/json' https://$(oc -n "${NAMESPACE}" get route example-name-policy-engine-route -o jsonpath='{.spec.host}')/api/upgrades_info/v1/graph\?channel=stable-4.5 | jq
+    POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph}{"\n"}' cincinnati example-name)"
     ~~~
 
-    > **OUTPUT**
-    ~~~json
-    {
-      "nodes": [
-        {
-          "version": "4.5.3",
-          "payload": "my-disconnected-registry.example.com:5000/ocp4/release@sha256:eab93b4591699a5a4ff50ad3517892653f04fb840127895bb3609b3cc68f98f3",
-          "metadata": {
-            "description": "",
-            "io.openshift.upgrades.graph.release.channels": "candidate-4.5,fast-4.5,stable-4.5",
-            "io.openshift.upgrades.graph.release.manifestref": "sha256:eab93b4591699a5a4ff50ad3517892653f04fb840127895bb3609b3cc68f98f3",
-            "url": "https://access.redhat.com/errata/RHBA-2020:2956"
-          }
-        },
-        {
-          "version": "4.5.2",
-          "payload": "my-disconnected-registry.example.com:5000/ocp4/release@sha256:8f923b7b8efdeac619eb0e7697106c1d17dd3d262c49d8742b38600417cf7d1d",
-          "metadata": {
-            "description": "",
-            "io.openshift.upgrades.graph.previous.remove_regex": ".*",
-            "io.openshift.upgrades.graph.release.channels": "candidate-4.5,fast-4.5,stable-4.5",
-            "io.openshift.upgrades.graph.release.manifestref": "sha256:8f923b7b8efdeac619eb0e7697106c1d17dd3d262c49d8742b38600417cf7d1d",
-            "url": "https://access.redhat.com/errata/RHBA-2020:2909"
-          }
-        }
-      ],
-      "edges": [
-        [
-          1,
-          0
-        ]
-      ]
-    }
-    ~~~
+    gives a full URI.
 
 4. At this point we have Cincinnati working locally, but our cluster is still pointing to the public Cincinnati instance as we can see in the image below
 
     ![Cincinnati Public URL](assets/public-cincinnati.png)
 5. Patch the ClusterVersion to use our Cincinnati instance rather than the public one
 
     ~~~sh
-    CINCINNATI_ROUTE=$(oc -n "${NAMESPACE}" get route example-name-policy-engine-route -o jsonpath=https://'{.spec.host}'/api/upgrades_info/v1/graph)
-    PATCH="{\"spec\":{\"upstream\":\"${CINCINNATI_ROUTE}\"}}"
+    PATCH="{\"spec\":{\"upstream\":\"${POLICY_ENGINE_GRAPH_URI}\"}}"
     oc patch clusterversion version -p $PATCH --type merge
     ~~~
 6. Now that our cluster points to the local Cincinnati instance we will see the update available
@@ -313,7 +279,7 @@ You can print the graph for a specific channel in your Cincinnati instance using
 sudo dnf install -y graphviz
 curl -O https://raw.githubusercontent.com/openshift/cincinnati/master/hack/graph.sh
 chmod +x graph.sh
-curl --header 'Accept:application/json' "https://example-name-policy-engine-${NAMESPACE}.apps.mgmt-hub.e2e.bos.redhat.com/api/upgrades_info/v1/graph?channel=stable-4.5" | ./graph.sh | dot -Tpng > graph.png
+curl --header 'Accept:application/json' "${POLICY_ENGINE_GRAPH_URI}?channel=stable-4.5" | ./graph.sh | dot -Tpng > graph.png
 ~~~
 
 ## Mirror the release images