Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2061611

Summary: [upstream] The marker of KubeBuilder doesn't work if it is close to the code
Product: OpenShift Container Platform Reporter: Fan Jia <jfan>
Component: Operator SDKAssignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED ERRATA QA Contact: Fan Jia <jfan>
Severity: medium Docs Contact: Alex Dellapenta <adellape>
Priority: medium    
Version: 4.11   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
Cause: rbac markers not parsed correctly by controller-tools Consequence: rbac configuration not generated from markers in code Workaround (if any): Add a new line after the final rbac marker to allow the marker to be parsed correctly. Result: After new line is added, rbac markers are parsed correctly and configuration is generated correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 10:52:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fan Jia 2022-03-08 02:33:22 UTC 
Description of problem:
The marker of KubeBuilder doesn't work if it is close to the code. And no doc announce that the marker should have the blank-line before and after them.

Version-Release number of selected component (if applicable):
operator-sdk version: "v1.16.0-ocp", commit: "fb8834fb343f20bfd5931c6b9e036e7b01679ca1", kubernetes version: "v1.22", go version: "go1.17.5", GOOS: "linux", GOARCH: "amd64"


How reproducible:
always

Steps to Reproduce:
1.create one go operator memecached by https://docs.openshift.com/container-platform/4.9/operators/operator_sdk/golang/osdk-golang-tutorial.html
2. move the markers 
"// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;"
next to code 
"func (r *MemcachedReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
" in controllers/memcached_controller.go
like this:

'
// MemcachedReconciler reconciles a Memcached object
type MemcachedReconciler struct {
	client.Client
	Log    logr.Logger
	Scheme *runtime.Scheme
}

// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/finalizers,verbs=update

// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the Memcached object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.7.0/pkg/reconcile
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
func (r *MemcachedReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("memcached", req.NamespacedName)

	// Fetch the Memcached instance
	memcached := &cachev1alpha1.Memcached{}
	err := r.Get(ctx, req.NamespacedName, memcached)
	if err != nil {
......

3.make manifests

Actual results:
1. The generated config/rbac/role.yaml doesn't have the apps,pods related content.
The role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/finalizers
  verbs:
  - update
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/status
  verbs:
  - get
  - patch
  - update

Expected results:
1. generate the yaml file with the apps,pods related content. Or notice the customers that the marker should have the blank-line before and after them like this (black line after the marker):

`
..............
	Scheme *runtime.Scheme
}

// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cache.example.com,resources=memcacheds/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;

// Reconcile is part of the main kubernetes reconciliation loop which aims to
...........
`


The expected role.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/finalizers
  verbs:
  - update
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list

Additional info:
Comment 1 Jesus M. Rodriguez 2022-04-01 20:00:20 UTC 
Confirmed this happens. Looking at what the requirements are for these markers are.
Comment 2 Jesus M. Rodriguez 2022-04-01 20:43:27 UTC 
This is a known issue with `controller-gen`.  https://github.com/kubernetes-sigs/controller-tools/issues/436
Comment 3 Jesus M. Rodriguez 2022-04-01 20:45:47 UTC 
Another related issue with controller-gen https://github.com/kubernetes-sigs/controller-tools/issues/551
Comment 4 Jesus M. Rodriguez 2022-04-01 21:05:21 UTC 
Added an FAQ upstream to mention this known issue. We will not be fixing this in operator-sdk.
Comment 5 Jesus M. Rodriguez 2022-04-06 15:54:13 UTC 
This is merged into upstream master now. Once released it can be seen in the upstream sdk FAQ document: https://master.sdk.operatorframework.io/docs/faqs/
Comment 6 Fan Jia 2022-04-07 01:25:34 UTC 
verified.
Comment 9 errata-xmlrpc 2022-08-10 10:52:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069