Merge pull request openshift#298 from sanchezl/disable-image-pull-sec…

…ret-generation API-1642: Do not generate image pull secrets for internal registry when internal registry is disabled.
neisw · Oct 23, 2023 · 3fb9157 · 3fb9157
2 parents af00d48 + 02b1cb3
commit 3fb9157
Show file tree

Hide file tree

Showing 105 changed files with 1,134 additions and 4,642 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.20-openshift-4.15 AS builder
 WORKDIR /go/src/github.com/openshift/cluster-openshift-controller-manager-operator
 COPY . .
-RUN make
+RUN GO_COMPLIANCE_INFO=0 make
 
 FROM registry.ci.openshift.org/ocp/4.15:base
 COPY --from=builder /go/src/github.com/openshift/cluster-openshift-controller-manager-operator/cluster-openshift-controller-manager-operator /usr/bin/

diff --git a/Makefile b/Makefile
@@ -4,7 +4,6 @@ all: build
 # Include the library makefile
 include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
 	golang.mk \
-	targets/openshift/bindata.mk \
 	targets/openshift/images.mk \
 )
 
@@ -18,18 +17,7 @@ GO_TEST_PACKAGES :=./pkg/... ./cmd/...
 # $2 - Dockerfile path
 # $3 - context directory for image build
 # It will generate target "image-$(1)" for builing the image an binding it as a prerequisite to target "images".
-$(call build-image,ocp-cluster-openshift-controller-manager-operator,$(IMAGE_REGISTRY)/ocp/4.3:cluster-openshift-controller-manager-operator,./Dockerfile.rhel7,.)
-
-# This will call a macro called "add-bindata" which will generate bindata specific targets based on the parameters:
-# $0 - macro name
-# $1 - target suffix
-# $2 - input dirs
-# $3 - prefix
-# $4 - pkg
-# $5 - output
-# It will generate targets {update,verify}-bindata-$(1) logically grouping them in unsuffixed versions of these targets
-# and also hooked into {update,verify}-generated for broader integration.
-$(call add-bindata,v3.11.0,./bindata/v3.11.0/...,bindata,v311_00_assets,pkg/operator/v311_00_assets/bindata.go)
+$(call build-image,ocp-cluster-openshift-controller-manager-operator,$(IMAGE_REGISTRY)/ocp/4.3:cluster-openshift-controller-manager-operator,./Dockerfile,.)
 
 test-e2e: GO_TEST_PACKAGES :=./test/e2e/...
 test-e2e: GO_TEST_FLAGS += -v -count=1

diff --git a/bindata/assets.go b/bindata/assets.go
@@ -0,0 +1,24 @@
+package bindata
+
+import (
+	"embed"
+)
+
+//go:embed assets/*
+var f embed.FS
+
+// Asset reads and returns the content of the named file.
+func Asset(name string) ([]byte, error) {
+	return f.ReadFile(name)
+}
+
+// MustAsset reads and returns the content of the named file or panics
+// if something went wrong.
+func MustAsset(name string) []byte {
+	data, err := f.ReadFile(name)
+	if err != nil {
+		panic(err)
+	}
+
+	return data
+}
diff --git a/...ift-controller-manager-defaultconfig.yaml → ...ift-controller-manager-defaultconfig.yaml b/...ift-controller-manager-defaultconfig.yaml → ...ift-controller-manager-defaultconfig.yaml
diff --git a/...ute-controller-manager-defaultconfig.yaml → ...ute-controller-manager-defaultconfig.yaml b/...ute-controller-manager-defaultconfig.yaml → ...ute-controller-manager-defaultconfig.yaml
diff --git a/...anager/buildconfigstatus-clusterrole.yaml → ...anager/buildconfigstatus-clusterrole.yaml b/...anager/buildconfigstatus-clusterrole.yaml → ...anager/buildconfigstatus-clusterrole.yaml
diff --git a/...buildconfigstatus-clusterrolebinding.yaml → ...buildconfigstatus-clusterrolebinding.yaml b/...buildconfigstatus-clusterrolebinding.yaml → ...buildconfigstatus-clusterrolebinding.yaml
diff --git a/...11.0/openshift-controller-manager/cm.yaml → ...sets/openshift-controller-manager/cm.yaml b/...11.0/openshift-controller-manager/cm.yaml → ...sets/openshift-controller-manager/cm.yaml
diff --git a/.../openshift-controller-manager/deploy.yaml → .../openshift-controller-manager/deploy.yaml b/.../openshift-controller-manager/deploy.yaml → .../openshift-controller-manager/deploy.yaml
diff --git a/...troller-manager/deployer-clusterrole.yaml → ...troller-manager/deployer-clusterrole.yaml b/...troller-manager/deployer-clusterrole.yaml → ...troller-manager/deployer-clusterrole.yaml
diff --git a/...-manager/deployer-clusterrolebinding.yaml → ...-manager/deployer-clusterrolebinding.yaml b/...-manager/deployer-clusterrolebinding.yaml → ...-manager/deployer-clusterrolebinding.yaml
diff --git a/...image-trigger-controller-clusterrole.yaml → ...image-trigger-controller-clusterrole.yaml b/...image-trigger-controller-clusterrole.yaml → ...image-trigger-controller-clusterrole.yaml
diff --git a/...rigger-controller-clusterrolebinding.yaml → ...rigger-controller-clusterrolebinding.yaml b/...rigger-controller-clusterrolebinding.yaml → ...rigger-controller-clusterrolebinding.yaml
diff --git a/...troller-manager/informer-clusterrole.yaml → ...troller-manager/informer-clusterrole.yaml b/...troller-manager/informer-clusterrole.yaml → ...troller-manager/informer-clusterrole.yaml
diff --git a/...-manager/informer-clusterrolebinding.yaml → ...-manager/informer-clusterrolebinding.yaml b/...-manager/informer-clusterrolebinding.yaml → ...-manager/informer-clusterrolebinding.yaml
diff --git a/...der-ingress-to-route-controller-role.yaml → ...der-ingress-to-route-controller-role.yaml b/...der-ingress-to-route-controller-role.yaml → ...der-ingress-to-route-controller-role.yaml
diff --git a/...ress-to-route-controller-rolebinding.yaml → ...ress-to-route-controller-rolebinding.yaml b/...ress-to-route-controller-rolebinding.yaml → ...ress-to-route-controller-rolebinding.yaml
diff --git a/...shift-controller-manager/leader-role.yaml → ...shift-controller-manager/leader-role.yaml b/...shift-controller-manager/leader-role.yaml → ...shift-controller-manager/leader-role.yaml
diff --git a/...ontroller-manager/leader-rolebinding.yaml → ...ontroller-manager/leader-rolebinding.yaml b/...ontroller-manager/leader-rolebinding.yaml → ...ontroller-manager/leader-rolebinding.yaml
diff --git a/...11.0/openshift-controller-manager/ns.yaml → ...sets/openshift-controller-manager/ns.yaml b/...11.0/openshift-controller-manager/ns.yaml → ...sets/openshift-controller-manager/ns.yaml
diff --git a/...t-controller-manager/old-leader-role.yaml → ...t-controller-manager/old-leader-role.yaml b/...t-controller-manager/old-leader-role.yaml → ...t-controller-manager/old-leader-role.yaml
diff --git a/...oller-manager/old-leader-rolebinding.yaml → ...oller-manager/old-leader-rolebinding.yaml b/...oller-manager/old-leader-rolebinding.yaml → ...oller-manager/old-leader-rolebinding.yaml
diff --git a/...oller-manager/openshift-global-ca-cm.yaml → ...oller-manager/openshift-global-ca-cm.yaml b/...oller-manager/openshift-global-ca-cm.yaml → ...oller-manager/openshift-global-ca-cm.yaml
diff --git a/...ller-manager/openshift-service-ca-cm.yaml → ...ller-manager/openshift-service-ca-cm.yaml b/...ller-manager/openshift-service-ca-cm.yaml → ...ller-manager/openshift-service-ca-cm.yaml
diff --git a/...route-controller-manager-clusterrole.yaml → ...route-controller-manager-clusterrole.yaml b/...route-controller-manager-clusterrole.yaml → ...route-controller-manager-clusterrole.yaml
diff --git a/...ontroller-manager-clusterrolebinding.yaml → ...ontroller-manager-clusterrolebinding.yaml b/...ontroller-manager-clusterrolebinding.yaml → ...ontroller-manager-clusterrolebinding.yaml
diff --git a/...-manager/route-controller-manager-cm.yaml → ...-manager/route-controller-manager-cm.yaml b/...-manager/route-controller-manager-cm.yaml → ...-manager/route-controller-manager-cm.yaml
diff --git a/...ager/route-controller-manager-deploy.yaml → ...ager/route-controller-manager-deploy.yaml b/...ager/route-controller-manager-deploy.yaml → ...ager/route-controller-manager-deploy.yaml
diff --git a/...ress-to-route-controller-clusterrole.yaml → ...ress-to-route-controller-clusterrole.yaml b/...ress-to-route-controller-clusterrole.yaml → ...ress-to-route-controller-clusterrole.yaml
diff --git a/...-route-controller-clusterrolebinding.yaml → ...-route-controller-clusterrolebinding.yaml b/...-route-controller-clusterrolebinding.yaml → ...-route-controller-clusterrolebinding.yaml
diff --git a/...route-controller-manager-leader-role.yaml → ...route-controller-manager-leader-role.yaml b/...route-controller-manager-leader-role.yaml → ...route-controller-manager-leader-role.yaml
diff --git a/...ontroller-manager-leader-rolebinding.yaml → ...ontroller-manager-leader-rolebinding.yaml b/...ontroller-manager-leader-rolebinding.yaml → ...ontroller-manager-leader-rolebinding.yaml
diff --git a/...-manager/route-controller-manager-ns.yaml → ...-manager/route-controller-manager-ns.yaml b/...-manager/route-controller-manager-ns.yaml → ...-manager/route-controller-manager-ns.yaml
diff --git a/...-manager/route-controller-manager-sa.yaml → ...-manager/route-controller-manager-sa.yaml b/...-manager/route-controller-manager-sa.yaml → ...-manager/route-controller-manager-sa.yaml
diff --git a/...-controller-manager-separate-sa-role.yaml → ...-controller-manager-separate-sa-role.yaml b/...-controller-manager-separate-sa-role.yaml → ...-controller-manager-separate-sa-role.yaml
diff --git a/...ller-manager-separate-sa-rolebinding.yaml → ...ller-manager-separate-sa-rolebinding.yaml b/...ller-manager-separate-sa-rolebinding.yaml → ...ller-manager-separate-sa-rolebinding.yaml
diff --git a/...ntroller-manager-servicemonitor-role.yaml → ...ntroller-manager-servicemonitor-role.yaml b/...ntroller-manager-servicemonitor-role.yaml → ...ntroller-manager-servicemonitor-role.yaml
diff --git a/...r-manager-servicemonitor-rolebinding.yaml → ...r-manager-servicemonitor-rolebinding.yaml b/...r-manager-servicemonitor-rolebinding.yaml → ...r-manager-servicemonitor-rolebinding.yaml
diff --git a/...manager/route-controller-manager-svc.yaml → ...manager/route-controller-manager-svc.yaml b/...manager/route-controller-manager-svc.yaml → ...manager/route-controller-manager-svc.yaml
diff --git a/...ller-manager-tokenreview-clusterrole.yaml → ...ller-manager-tokenreview-clusterrole.yaml b/...ller-manager-tokenreview-clusterrole.yaml → ...ller-manager-tokenreview-clusterrole.yaml
diff --git a/...nager-tokenreview-clusterrolebinding.yaml → ...nager-tokenreview-clusterrolebinding.yaml b/...nager-tokenreview-clusterrolebinding.yaml → ...nager-tokenreview-clusterrolebinding.yaml
diff --git a/...11.0/openshift-controller-manager/sa.yaml → ...sets/openshift-controller-manager/sa.yaml b/...11.0/openshift-controller-manager/sa.yaml → ...sets/openshift-controller-manager/sa.yaml
diff --git a/...-controller-manager/separate-sa-role.yaml → ...-controller-manager/separate-sa-role.yaml b/...-controller-manager/separate-sa-role.yaml → ...-controller-manager/separate-sa-role.yaml
diff --git a/...ller-manager/separate-sa-rolebinding.yaml → ...ller-manager/separate-sa-rolebinding.yaml b/...ller-manager/separate-sa-rolebinding.yaml → ...ller-manager/separate-sa-rolebinding.yaml
diff --git a/...ntroller-manager/servicemonitor-role.yaml → ...ntroller-manager/servicemonitor-role.yaml b/...ntroller-manager/servicemonitor-role.yaml → ...ntroller-manager/servicemonitor-role.yaml
diff --git a/...r-manager/servicemonitor-rolebinding.yaml → ...r-manager/servicemonitor-rolebinding.yaml b/...r-manager/servicemonitor-rolebinding.yaml → ...r-manager/servicemonitor-rolebinding.yaml
diff --git a/...1.0/openshift-controller-manager/svc.yaml → ...ets/openshift-controller-manager/svc.yaml b/...1.0/openshift-controller-manager/svc.yaml → ...ets/openshift-controller-manager/svc.yaml
diff --git a/...ller-manager/tokenreview-clusterrole.yaml → ...ller-manager/tokenreview-clusterrole.yaml b/...ller-manager/tokenreview-clusterrole.yaml → ...ller-manager/tokenreview-clusterrole.yaml
diff --git a/...nager/tokenreview-clusterrolebinding.yaml → ...nager/tokenreview-clusterrolebinding.yaml b/...nager/tokenreview-clusterrolebinding.yaml → ...nager/tokenreview-clusterrolebinding.yaml
diff --git a/dependencymagnet/doc.go b/dependencymagnet/doc.go
@@ -6,6 +6,5 @@
 package dependencymagnet
 
 import (
-	_ "github.com/go-bindata/go-bindata/go-bindata"
 	_ "github.com/openshift/build-machinery-go"
 )
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-bindata/go-bindata v3.1.2+incompatible
+	github.com/google/go-cmp v0.5.9
 	github.com/openshift/api v0.0.0-20231018090736-41ecc021ff27
 	github.com/openshift/build-machinery-go v0.0.0-20230824093055-6a18da01283c
 	github.com/openshift/client-go v0.0.0-20231018150822-6e226e2825a6
@@ -43,7 +43,6 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.16.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
@@ -105,19 +104,11 @@ require (
 	k8s.io/apiserver v0.28.2 // indirect
 	k8s.io/kms v0.28.2 // indirect
 	k8s.io/kube-aggregator v0.28.2 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/kube-openapi v0.0.0-20230918164632-68afd615200d // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace (
-	k8s.io/api => k8s.io/api v0.28.3
-	k8s.io/apimachinery => k8s.io/apimachinery v0.28.3
-	k8s.io/client-go => k8s.io/client-go v0.28.3
-	k8s.io/component-base => k8s.io/component-base v0.28.3
-	vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787
-)
diff --git a/go.sum b/go.sum
@@ -95,8 +95,6 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-bindata/go-bindata v3.1.2+incompatible h1:5vjJMVhowQdPzjE1LdxyFF7YFTXg5IgGVW4gBr5IbvE=
-github.com/go-bindata/go-bindata v3.1.2+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -659,8 +657,8 @@ k8s.io/kms v0.28.2 h1:KhG63LHopCdzs1oKA1j+NWleuIXudgOyCqJo4yi3GaM=
 k8s.io/kms v0.28.2/go.mod h1:iAjgIqBrV2+8kmsjbbgUkAyKSuYq5g1dW9knpt6OhaE=
 k8s.io/kube-aggregator v0.28.2 h1:tCjAfB1p/v18yD2NpegNQRuahzyA/szFfcRARnpjDeo=
 k8s.io/kube-aggregator v0.28.2/go.mod h1:g4hZVjC4KhJtZHV2pyiRBiU6AdBA/sAjh9Y9GJC/SbU=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
-k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/kube-openapi v0.0.0-20230918164632-68afd615200d h1:/CFeJBjBrZvHX09rObS2+2iEEDevMWYc1v3aIYAjIYI=
+k8s.io/kube-openapi v0.0.0-20230918164632-68afd615200d/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

diff --git a/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go b/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go
@@ -10,15 +10,16 @@ import (
 	operatorv1informers "github.com/openshift/client-go/operator/informers/externalversions"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation"
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation/builds"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation/controllers"
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation/deployimages"
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation/images"
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation/network"
-	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 )
 
 // NewConfigObserver initializes a new configuration observer.
@@ -34,15 +35,19 @@ func NewConfigObserver(
 		operatorClient,
 		eventRecorder,
 		configobservation.Listers{
-			ImageConfigLister:  configInformers.Config().V1().Images().Lister(),
-			BuildConfigLister:  configInformers.Config().V1().Builds().Lister(),
-			NetworkLister:      configInformers.Config().V1().Networks().Lister(),
-			FeatureGateLister_: configInformers.Config().V1().FeatureGates().Lister(),
-			ConfigMapLister:    kubeInformersForOperatorNamespace.Core().V1().ConfigMaps().Lister(),
+			ImageConfigLister:     configInformers.Config().V1().Images().Lister(),
+			BuildConfigLister:     configInformers.Config().V1().Builds().Lister(),
+			NetworkLister:         configInformers.Config().V1().Networks().Lister(),
+			FeatureGateLister_:    configInformers.Config().V1().FeatureGates().Lister(),
+			ClusterVersionLister:  configInformers.Config().V1().ClusterVersions().Lister(),
+			ClusterOperatorLister: configInformers.Config().V1().ClusterOperators().Lister(),
+			ConfigMapLister:       kubeInformersForOperatorNamespace.Core().V1().ConfigMaps().Lister(),
 			PreRunCachesSynced: []cache.InformerSynced{
 				configInformers.Config().V1().Builds().Informer().HasSynced,
 				configInformers.Config().V1().Images().Informer().HasSynced,
 				configInformers.Config().V1().Networks().Informer().HasSynced,
+				configInformers.Config().V1().ClusterVersions().Informer().HasSynced,
+				configInformers.Config().V1().ClusterOperators().Informer().HasSynced,
 				kubeInformersForOperatorNamespace.Core().V1().ConfigMaps().Informer().HasSynced,
 				operatorConfigInformers.Operator().V1().OpenShiftControllerManagers().Informer().HasSynced,
 			},
@@ -53,6 +58,7 @@ func NewConfigObserver(
 		builds.ObserveBuildControllerConfig,
 		network.ObserveExternalIPAutoAssignCIDRs,
 		deployimages.ObserveControllerManagerImagesConfig,
+		controllers.ObserveControllers,
 		featuregates.NewObserveFeatureFlagsFunc(
 			sets.New[configv1.FeatureGateName]("BuildCSIVolumes"),
 			nil,

diff --git a/pkg/operator/configobservation/controllers/capability_builds.go b/pkg/operator/configobservation/controllers/capability_builds.go
@@ -0,0 +1,30 @@
+package controllers
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+	openshiftcontrolplanev1 "github.com/openshift/api/openshiftcontrolplane/v1"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation"
+)
+
+func disabledBuildControllers(listers configobservation.Listers) ([]openshiftcontrolplanev1.OpenShiftControllerName, error) {
+	cv, err := listers.ClusterVersionLister.Get("version")
+	if err != nil {
+		return nil, err
+	}
+	var capabilityEnabled bool
+	for _, capability := range cv.Status.Capabilities.EnabledCapabilities {
+		if capability == configv1.ClusterVersionCapabilityBuild {
+			capabilityEnabled = true
+			break
+		}
+	}
+	if capabilityEnabled {
+		return nil, nil
+	}
+	return []openshiftcontrolplanev1.OpenShiftControllerName{
+		openshiftcontrolplanev1.OpenShiftBuildController,
+		openshiftcontrolplanev1.OpenShiftBuildConfigChangeController,
+		openshiftcontrolplanev1.OpenShiftBuilderServiceAccountController,
+	}, nil
+
+}
diff --git a/pkg/operator/configobservation/controllers/capability_deploymentconfigs.go b/pkg/operator/configobservation/controllers/capability_deploymentconfigs.go
@@ -0,0 +1,29 @@
+package controllers
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+	openshiftcontrolplanev1 "github.com/openshift/api/openshiftcontrolplane/v1"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation"
+)
+
+func disabledDeploymentConfigControllers(listers configobservation.Listers) ([]openshiftcontrolplanev1.OpenShiftControllerName, error) {
+	cv, err := listers.ClusterVersionLister.Get("version")
+	if err != nil {
+		return nil, err
+	}
+	var capabilityEnabled bool
+	for _, capability := range cv.Status.Capabilities.EnabledCapabilities {
+		if capability == configv1.ClusterVersionCapabilityDeploymentConfig {
+			capabilityEnabled = true
+			break
+		}
+	}
+	if capabilityEnabled {
+		return nil, nil
+	}
+	return []openshiftcontrolplanev1.OpenShiftControllerName{
+		openshiftcontrolplanev1.OpenShiftDeploymentConfigController,
+		openshiftcontrolplanev1.OpenShiftDeployerServiceAccountController,
+	}, nil
+
+}
diff --git a/pkg/operator/configobservation/controllers/capability_imageregistry.go b/pkg/operator/configobservation/controllers/capability_imageregistry.go
@@ -0,0 +1,50 @@
+package controllers
+
+import (
+	"fmt"
+
+	configv1 "github.com/openshift/api/config/v1"
+	openshiftcontrolplanev1 "github.com/openshift/api/openshiftcontrolplane/v1"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/klog/v2"
+)
+
+func disabledImageRegistryControllers(listers configobservation.Listers) ([]openshiftcontrolplanev1.OpenShiftControllerName, error) {
+	cv, err := listers.ClusterVersionLister.Get("version")
+	if err != nil {
+		return nil, err
+	}
+	var imageRegistryCapabilityEnabled bool
+	for _, capability := range cv.Status.Capabilities.EnabledCapabilities {
+		if capability == configv1.ClusterVersionCapabilityImageRegistry {
+			imageRegistryCapabilityEnabled = true
+			break
+		}
+	}
+	controllers := []openshiftcontrolplanev1.OpenShiftControllerName{
+		openshiftcontrolplanev1.OpenShiftServiceAccountPullSecretsController,
+	}
+	if !imageRegistryCapabilityEnabled {
+		return controllers, nil
+	}
+
+	co, err := listers.ClusterOperatorLister.Get("image-registry")
+	if err != nil && !errors.IsNotFound(err) {
+		return nil, fmt.Errorf("unable to retrieve clusteroperators.config.openshift.io/image-registry: %w", err)
+	}
+	if errors.IsNotFound(err) {
+		klog.V(4).Infof("clusteroperators.config.openshift.io/image-registry does not exist yet.")
+		return controllers, nil
+	}
+
+	// Check if internal image registry is "Removed". Any condition should do.
+	if len(co.Status.Conditions) == 0 {
+		return nil, fmt.Errorf("clusteroperators.config.openshift.io/image-registry conditions do not yet exist")
+	}
+	if co.Status.Conditions[0].Reason == "Removed" {
+		return controllers, nil
+	}
+	// ImageRegistry capability is enabled, and internal image registry is enabled, nothing to disable.
+	return nil, nil
+}
diff --git a/pkg/operator/configobservation/controllers/observe_controllers.go b/pkg/operator/configobservation/controllers/observe_controllers.go
@@ -0,0 +1,95 @@
+package controllers
+
+import (
+	"fmt"
+
+	openshiftcontrolplanev1 "github.com/openshift/api/openshiftcontrolplane/v1"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/operator/configobservation"
+	"github.com/openshift/library-go/pkg/operator/configobserver"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+var allControllers = []string{
+	string(openshiftcontrolplanev1.OpenShiftServiceAccountController),
+	string(openshiftcontrolplanev1.OpenShiftDefaultRoleBindingsController),
+	string(openshiftcontrolplanev1.OpenShiftServiceAccountPullSecretsController),
+	string(openshiftcontrolplanev1.OpenShiftOriginNamespaceController),
+	string(openshiftcontrolplanev1.OpenShiftBuildController),
+	string(openshiftcontrolplanev1.OpenShiftBuildConfigChangeController),
+	string(openshiftcontrolplanev1.OpenShiftBuilderServiceAccountController),
+	string(openshiftcontrolplanev1.OpenShiftDeployerController),
+	string(openshiftcontrolplanev1.OpenShiftDeployerServiceAccountController),
+	string(openshiftcontrolplanev1.OpenShiftDeploymentConfigController),
+	string(openshiftcontrolplanev1.OpenShiftImageTriggerController),
+	string(openshiftcontrolplanev1.OpenShiftImageImportController),
+	string(openshiftcontrolplanev1.OpenShiftImageSignatureImportController),
+	string(openshiftcontrolplanev1.OpenShiftTemplateInstanceController),
+	string(openshiftcontrolplanev1.OpenShiftTemplateInstanceFinalizerController),
+	string(openshiftcontrolplanev1.OpenShiftUnidlingController),
+	// the following two controllers are now part of route-controller-manager, which split
+	// some crontollers off from  openshift-controller-manager, but still uses the same config.
+	string(openshiftcontrolplanev1.OpenShiftIngressIPController),
+	string(openshiftcontrolplanev1.OpenShiftIngressToRouteController),
+}
+
+type disabledControllersFunc func(listers configobservation.Listers) ([]openshiftcontrolplanev1.OpenShiftControllerName, error)
+
+var disabledControllerFuncs = []disabledControllersFunc{
+	disabledImageRegistryControllers,
+	disabledBuildControllers,
+	disabledDeploymentConfigControllers,
+}
+
+func ObserveControllers(genericListers configobserver.Listers, recorder events.Recorder, existingConfig map[string]interface{}) (map[string]interface{}, []error) {
+	listers := genericListers.(configobservation.Listers)
+	observedConfig := map[string]interface{}{}
+	var errs []error
+
+	previousValue, _, err := unstructured.NestedStringSlice(existingConfig, "controllers")
+	if err != nil {
+		return observedConfig, append(errs, fmt.Errorf("unable to parse existing controllers value: %w", err))
+	}
+	previousConfig := map[string]interface{}{}
+	unstructured.SetNestedStringSlice(previousConfig, previousValue, "controllers")
+
+	controllers := append([]string{}, allControllers...)
+	unstructured.SetNestedStringSlice(observedConfig, controllers, "controllers")
+
+	// compile list of controllers to disable
+	var disabledControllers []openshiftcontrolplanev1.OpenShiftControllerName
+	for _, getDisabledControllers := range disabledControllerFuncs {
+		disabled, err := getDisabledControllers(listers)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		disabledControllers = append(disabledControllers, disabled...)
+	}
+	if len(errs) > 0 {
+		return previousConfig, errs
+	}
+	// mark controllers as disabled
+	for _, name := range disabledControllers {
+		controllers = disableController(controllers, string(name))
+	}
+	controllersSort(controllers).Sort()
+	err = unstructured.SetNestedStringSlice(observedConfig, controllers, "controllers")
+	if err != nil {
+		return previousConfig, append(errs, fmt.Errorf("error setting controllers value: %w", err))
+	}
+	return observedConfig, nil
+}
+
+func disableController(controllers []string, controller string) []string {
+	for i, c := range controllers {
+		switch c {
+		case controller:
+			controllers[i] = "-" + controller
+			return controllers
+		case "-" + controller:
+			return controllers
+		}
+	}
+	return append(controllers, "-"+controller)
+}