deployer:rte: make MachineConfig an opt-in

We're using MachineConfig for installing
custom SELinux policy.

We want to depracate the custom policy,
hence we make the MachineConfig as opt-in and
we're deploying/rendering it unless specifically
asked by the user.

Signed-off-by: Talor Itzhak <[email protected]>

pkg/commands/render.go

@@ -141,11 +141,12 @@ func makeUpdaterObjects(commonOpts *options.Options) ([]client.Object, string, e
 	}
 
 	opts := options.Updater{
-		PlatformVersion: commonOpts.UserPlatformVersion,
-		Platform:        commonOpts.UserPlatform,
-		RTEConfigData:   commonOpts.RTEConfigData,
-		DaemonSet:       options.ForDaemonSet(commonOpts),
-		EnableCRIHooks:  commonOpts.UpdaterCRIHooksEnable,
+		PlatformVersion:     commonOpts.UserPlatformVersion,
+		Platform:            commonOpts.UserPlatform,
+		RTEConfigData:       commonOpts.RTEConfigData,
+		DaemonSet:           options.ForDaemonSet(commonOpts),
+		EnableCRIHooks:      commonOpts.UpdaterCRIHooksEnable,
+		CustomSELinuxPolicy: commonOpts.UpdaterCustomSELinuxPolicy,
 	}
 	objs, err := updaters.GetObjects(opts, commonOpts.UpdaterType, namespace)
 	if err != nil {

pkg/deployer/updaters/objects.go

@@ -32,7 +32,7 @@ import (
 
 func GetObjects(opts options.Updater, updaterType, namespace string) ([]client.Object, error) {
 	if updaterType == RTE {
-		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks)
+		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks, opts.CustomSELinuxPolicy)
 		if err != nil {
 			return nil, err
 		}
@@ -58,7 +58,7 @@ func GetObjects(opts options.Updater, updaterType, namespace string) ([]client.O
 
 func getCreatableObjects(env *deployer.Environment, opts options.Updater, updaterType, namespace string) ([]objectwait.WaitableObject, error) {
 	if updaterType == RTE {
-		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks)
+		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks, opts.CustomSELinuxPolicy)
 		if err != nil {
 			return nil, err
 		}
@@ -84,7 +84,7 @@ func getCreatableObjects(env *deployer.Environment, opts options.Updater, update
 
 func getDeletableObjects(env *deployer.Environment, opts options.Updater, updaterType, namespace string) ([]objectwait.WaitableObject, error) {
 	if updaterType == RTE {
-		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks)
+		mf, err := rtemanifests.GetManifests(opts.Platform, opts.PlatformVersion, namespace, opts.EnableCRIHooks, opts.CustomSELinuxPolicy)
 		if err != nil {
 			return nil, err
 		}

pkg/manifests/rte/rte.go

@@ -68,7 +68,10 @@ func (mf Manifests) Clone() Manifests {
 	}
 
 	if mf.plat == platform.OpenShift {
-		ret.MachineConfig = mf.MachineConfig.DeepCopy()
+		//  MachineConfig is obsolete starting from 4.18v
+		if mf.MachineConfig != nil {
+			ret.MachineConfig = mf.MachineConfig.DeepCopy()
+		}
 		ret.SecurityContextConstraint = mf.SecurityContextConstraint.DeepCopy()
 	}
 
@@ -110,11 +113,13 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
 	if mf.plat == platform.OpenShift {
 		rteupdate.SecurityContext(ret.DaemonSet)
 
-		if opts.Name != "" {
-			ret.MachineConfig.Name = ocpupdate.MakeMachineConfigName(opts.Name)
-		}
-		if opts.MachineConfigPoolSelector != nil {
-			ret.MachineConfig.Labels = opts.MachineConfigPoolSelector.MatchLabels
+		if mf.MachineConfig != nil {
+			if opts.Name != "" {
+				ret.MachineConfig.Name = ocpupdate.MakeMachineConfigName(opts.Name)
+			}
+			if opts.MachineConfigPoolSelector != nil {
+				ret.MachineConfig.Labels = opts.MachineConfigPoolSelector.MatchLabels
+			}
 		}
 		ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraint, ret.ServiceAccount)
 	}
@@ -173,14 +178,16 @@ func New(plat platform.Platform) Manifests {
 	return mf
 }
 
-func GetManifests(plat platform.Platform, version platform.Version, namespace string, withCRIHooks bool) (Manifests, error) {
+func GetManifests(plat platform.Platform, version platform.Version, namespace string, withCRIHooks, withCustomSELinuxPolicy bool) (Manifests, error) {
 	var err error
 	mf := New(plat)
 
 	if plat == platform.OpenShift {
-		mf.MachineConfig, err = manifests.MachineConfig(manifests.ComponentResourceTopologyExporter, version, withCRIHooks)
-		if err != nil {
-			return mf, err
+		if withCustomSELinuxPolicy {
+			mf.MachineConfig, err = manifests.MachineConfig(manifests.ComponentResourceTopologyExporter, version, withCRIHooks)
+			if err != nil {
+				return mf, err
+			}
 		}
 
 		mf.SecurityContextConstraint, err = manifests.SecurityContextConstraint(manifests.ComponentResourceTopologyExporter)

pkg/manifests/rte/rte_test.go

@@ -56,7 +56,7 @@ func TestClone(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		tc.mf, _ = GetManifests(tc.plat, tc.platVersion, "", true)
+		tc.mf, _ = GetManifests(tc.plat, tc.platVersion, "", true, true)
 		cMf := tc.mf.Clone()
 
 		if &cMf == &tc.mf {
@@ -97,7 +97,7 @@ func TestRender(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		tc.mf, _ = GetManifests(tc.plat, tc.platVersion, "", true)
+		tc.mf, _ = GetManifests(tc.plat, tc.platVersion, "", true, true)
 		mfBeforeRender := tc.mf.Clone()
 		uMf, err := tc.mf.Render(options.UpdaterDaemon{})
 		if err != nil {
@@ -115,26 +115,33 @@ func TestRender(t *testing.T) {
 
 func TestGetManifestsOpenShift(t *testing.T) {
 	type testCase struct {
-		name string
-		// mf          Manifests
-		plat        platform.Platform
-		platVersion platform.Version
+		name                    string
+		plat                    platform.Platform
+		platVersion             platform.Version
+		withCustomSELinuxPolicy bool
 	}
 
 	testCases := []testCase{
 		{
-			name:        "openshift manifests 4.10",
-			plat:        platform.OpenShift,
-			platVersion: platform.Version("v4.10"),
+			name:                    "openshift manifests 4.10",
+			plat:                    platform.OpenShift,
+			platVersion:             platform.Version("v4.10"),
+			withCustomSELinuxPolicy: true,
 		},
 		{
-			name:        "openshift manifests 4.11",
+			name:                    "openshift manifests 4.11",
+			plat:                    platform.OpenShift,
+			platVersion:             platform.Version("v4.11"),
+			withCustomSELinuxPolicy: true,
+		},
+		{
+			name:        "openshift manifests 4.18",
 			plat:        platform.OpenShift,
-			platVersion: platform.Version("v4.11"),
+			platVersion: platform.Version("v4.18"),
 		},
 	}
 	for _, tc := range testCases {
-		mf, err := GetManifests(tc.plat, tc.platVersion, "test", true)
+		mf, err := GetManifests(tc.plat, tc.platVersion, "test", true, tc.withCustomSELinuxPolicy)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
 		}
@@ -143,10 +150,14 @@ func TestGetManifestsOpenShift(t *testing.T) {
 			t.Fatalf("no security context constraint is generated for the OpenShift platform")
 		}
 
-		if mf.MachineConfig == nil {
+		if tc.withCustomSELinuxPolicy && mf.MachineConfig == nil {
 			t.Fatalf("no machine config is generated for the OpenShift platform")
 		}
 
+		if !tc.withCustomSELinuxPolicy && mf.MachineConfig != nil {
+			t.Fatalf("machine config should not be generated for the OpenShift platform")
+		}
+
 		if mf.DaemonSet == nil {
 			t.Fatalf("no daemon set is generated for the OpenShift platform")
 		}

pkg/options/options.go

@@ -34,6 +34,7 @@ type Options struct {
 	UpdaterPFPEnable            bool
 	UpdaterNotifEnable          bool
 	UpdaterCRIHooksEnable       bool
+	UpdaterCustomSELinuxPolicy  bool
 	UpdaterSyncPeriod           time.Duration
 	UpdaterVerbose              int
 	SchedProfileName            string
@@ -88,12 +89,13 @@ type UpdaterDaemon struct {
 }
 
 type Updater struct {
-	Platform        platform.Platform
-	PlatformVersion platform.Version
-	WaitCompletion  bool
-	RTEConfigData   string
-	DaemonSet       DaemonSet
-	EnableCRIHooks  bool
+	Platform            platform.Platform
+	PlatformVersion     platform.Version
+	WaitCompletion      bool
+	RTEConfigData       string
+	DaemonSet           DaemonSet
+	EnableCRIHooks      bool
+	CustomSELinuxPolicy bool
 }
 
 func ForDaemonSet(commonOpts *Options) DaemonSet {

test/e2e/e2e_test.go

@@ -357,7 +357,7 @@ func dumpResourceTopologyExporterPods(ctx context.Context, cli client.Client) {
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
 	// TODO: autodetect the platform
-	mfs, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, true)
+	mfs, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, true, true)
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 	mfs, err = mfs.Render(options.UpdaterDaemon{
 		Namespace: ns.Name,

test/e2e/manifests.go

@@ -60,7 +60,7 @@ var _ = ginkgo.Describe("[ManifestFlow] Deployer rendering", ginkgo.Label("manif
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
 				enableCRIHooks := true
-				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks)
+				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks, true)
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 				mf, err = mf.Render(options.UpdaterDaemon{
 					Namespace: ns.Name,

test/e2e/negative.go

@@ -98,7 +98,7 @@ var _ = ginkgo.Describe("[NegativeFlow] Deployer execution with PFP disabled", g
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
 				enableCRIHooks := true
-				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks)
+				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks, true)
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 				mf, err = mf.Render(options.UpdaterDaemon{
 					Namespace: ns.Name,

test/e2e/positive.go

@@ -244,7 +244,7 @@ var _ = ginkgo.Describe("[PositiveFlow] Deployer execution", ginkgo.Label("posit
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
 				enableCRIHooks := true
-				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks)
+				mf, err := rte.GetManifests(platform.Kubernetes, platform.Version("1.23"), ns.Name, enableCRIHooks, true)
 				gomega.Expect(err).ToNot(gomega.HaveOccurred())
 				mf, err = mf.Render(options.UpdaterDaemon{
 					Namespace: ns.Name,