Merge pull request #638 from jhadvig/bz2055494

Bug 2055494: console-operator should report Upgradeable False when SAN-less certs are used

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: golang-1.15
+  tag: golang-1.16

go.mod

@@ -1,6 +1,6 @@
 module github.com/openshift/console-operator
 
-go 1.15
+go 1.16
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
@@ -9,21 +9,22 @@ require (
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/go-test/deep v1.0.5
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/openshift/api v0.0.0-20210729103544-e4a0474d1519
-	github.com/openshift/build-machinery-go v0.0.0-20211221160956-02e5d5c59eb9
-	github.com/openshift/client-go v0.0.0-20210112160336-8889f8b15bd6
-	github.com/openshift/library-go v0.0.0-20210330121117-68dd4a4c9d9e
+	github.com/openshift/api v0.0.0-20210831091943-07e756545ac1
+	github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37
+	github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7
+	github.com/openshift/library-go v0.0.0-20220119132903-b5557aacc264
 	github.com/pkg/profile v1.4.0 // indirect
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.21.0 // indirect
-	k8s.io/apimachinery v0.21.1
-	k8s.io/client-go v0.21.0
-	k8s.io/component-base v0.21.0
-	k8s.io/klog/v2 v2.8.0
+	k8s.io/api v0.22.2
+	k8s.io/apimachinery v0.22.2
+	k8s.io/client-go v0.22.2
+	k8s.io/component-base v0.22.2
+	k8s.io/klog/v2 v2.9.0
 )
 
-// points to temporary-watch-reduction-patch-1.21 to pick up k/k/pull/101102 - please remove it once the pr merges and a new Z release is cut
-replace k8s.io/apiserver => github.com/openshift/kubernetes-apiserver v0.0.0-20210419140141-620426e63a99
+replace (
+	google.golang.org/grpc => google.golang.org/grpc v1.40.0
+	k8s.io/apiserver => github.com/openshift/kubernetes-apiserver v0.0.0-20211019154525-d47792cfd13b // points to openshift-apiserver-4.9-kubernetes-1.22.2
+)

pkg/console/controllers/downloadsdeployment/controller.go

@@ -121,7 +121,7 @@ func (c *DownloadsDeploymentSyncController) SyncDownloadsDeployment(ctx context.
 	updatedOperatorConfig := operatorConfig.DeepCopy()
 	requiredDownloadsDeployment := deploymentsub.DefaultDownloadsDeployment(updatedOperatorConfig, infrastructureConfig)
 
-	return resourceapply.ApplyDeployment(
+	return resourceapply.ApplyDeployment(ctx,
 		c.deploymentClient,
 		controllerContext.Recorder(),
 		requiredDownloadsDeployment,

pkg/console/controllers/route/controller.go

@@ -128,12 +128,14 @@ func (c *RouteSyncController) Sync(ctx context.Context, controllerContext factor
 	// route into inaccessible state.
 	_, customRouteErrReason, customRouteErr := c.SyncCustomRoute(ctx, routeConfig, controllerContext)
 	statusHandler.AddConditions(status.HandleProgressingOrDegraded("CustomRouteSync", customRouteErrReason, customRouteErr))
+	statusHandler.AddCondition(status.HandleUpgradable("CustomRouteSync", customRouteErrReason, customRouteErr))
 	if customRouteErr != nil {
 		return statusHandler.FlushAndReturn(customRouteErr)
 	}
 
 	_, defaultRouteErrReason, defaultRouteErr := c.SyncDefaultRoute(ctx, routeConfig, controllerContext)
 	statusHandler.AddConditions(status.HandleProgressingOrDegraded("DefaultRouteSync", defaultRouteErrReason, defaultRouteErr))
+	statusHandler.AddCondition(status.HandleUpgradable("DefaultRouteSync", defaultRouteErrReason, defaultRouteErr))
 
 	// warn if deprecated configuration of custom domain for 'console' route is set on the console-operator config
 	if (len(operatorConfig.Spec.Route.Hostname) != 0 || len(operatorConfig.Spec.Route.Secret.Name) != 0) && c.routeName == api.OpenShiftConsoleRouteName {

pkg/console/controllers/route/controller_test.go

@@ -15,32 +15,96 @@ import (
 	routesub "github.com/openshift/console-operator/pkg/console/subresource/route"
 )
 
+// bash script for genereting valid certificate and key is placed
+// scripts/gencert.sh
+// Usage of this script is:
+// $ CRT_CN="client.com" CRT_SAN="DNS.1:www.client.com,DNS.2:admin.client.com,IP.1:192.168.1.10,IP.2:10.0.0.234" ./gencert.sh
+
 const (
 	validCertificate = `-----BEGIN CERTIFICATE-----
-MIICRzCCAfGgAwIBAgIJAIydTIADd+yqMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV
-BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE
-CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRswGQYD
-VQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTIwIBcNMTcwNDI2MjMyNDU4WhgPMjExNzA0
-MDIyMzI0NThaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNV
-BAcMBkxvbmRvbjEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J
-VCBEZXBhcnRtZW50MRswGQYDVQQDDBJ0ZXN0LWNlcnRpZmljYXRlLTIwXDANBgkq
-hkiG9w0BAQEFAANLADBIAkEAuiRet28DV68Dk4A8eqCaqgXmymamUEjW/DxvIQqH
-3lbhtm8BwSnS9wUAajSLSWiq3fci2RbRgaSPjUrnbOHCLQIDAQABo1AwTjAdBgNV
-HQ4EFgQU0vhI4OPGEOqT+VAWwxdhVvcmgdIwHwYDVR0jBBgwFoAU0vhI4OPGEOqT
-+VAWwxdhVvcmgdIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANBALNeJGDe
-nV5cXbp9W1bC12Tc8nnNXn4ypLE2JTQAvyp51zoZ8hQoSnRVx/VCY55Yu+br8gQZ
-+tW+O/PoE7B3tuY=
+MIIFeDCCA2CgAwIBAgIJALcdZxainrkZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAkZSMQ4wDAYDVQQHDAVQYXJpczEOMAwGA1UECgwFRnJudG4xDzANBgNVBAsM
+BkRldk9wczETMBEGA1UEAwwKY2xpZW50LmNvbTAeFw0yMjAyMjEyMDMwNDBaFw0z
+MjAyMTkyMDMwNDBaMFMxCzAJBgNVBAYTAkZSMQ4wDAYDVQQHDAVQYXJpczEOMAwG
+A1UECgwFRnJudG4xDzANBgNVBAsMBkRldk9wczETMBEGA1UEAwwKY2xpZW50LmNv
+bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL67+rJxMnDUAR/hflT2
+am5iMWhs1pQ3s6K0kxyqN1FcF+CzrjPEwO+qcuDw1j2UILxMqcEm+dQ3v8S6/Yaj
+l2wigsyk8Hvknle1qpZSYM7ODKZsQTcW/Qiu+xGTetdoik4/ij1tcxB/2Bfdjp0f
+EzxtH+sp6KDNkT4UqMKWyGZG2/UNuTB+Tgj+RrSoBfjJ/kngDm43rBi7yLTK33SJ
+xfCmsqDpYLKfKKL0z2pu1YuurehHkwsg/hGojCOchlao2+C1XR8wwR6X8orggRs3
+prX7rahychyja4xOxoNHPuByKLF5oHgd0ev4li4B3a3JFiF3hEQ6RGL/1DeykRHp
+5RBmajxVatUK8ioFTy6ZO6e+DOFV93CZLjer+gzgyir9V40aKx/WFaeXXB0K61ji
+U1UAXKPv6x4uvAftX69gOqQiqL351/FcuGzyIvII93/dj/8yEsNnR+TRVrtMBwVT
+wxKD2GOjpyBOFK/IDG4xDTJrL0Hofp/weOVqBC1ND9r2zIt4XYcrOS10ozHEKijP
+wRWvDlmJP9+gF4O9S/RGdDnNf5Esz5geMWgak0lpgtnPWZLMWF/MIOAT1SQcTeXg
+j7U8c0xN+xvRz5DetR86Ogpk5ISct/9r5QjL4I+U5kXhQ6EFOsJvOtC5AjoPD/xE
+oZ52LfBOafifJCjZeHTlIqc1AgMBAAGjTzBNMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+NwYDVR0RBDAwLoIOd3d3LmNsaWVudC5jb22CEGFkbWluLmNsaWVudC5jb22HBMCo
+AQqHBAoAAOowDQYJKoZIhvcNAQELBQADggIBAANCCg6FQGzDZtpOuQ/LVkBqoPoN
+QGexM4V+0S6V/UprSj/uTSAYMzLrZ2fvQUEWXkov62PypuzEKxSgmFEFKZM+JUIg
+X8Dq/ZV96zEbBw8HeOdh+mvy/xgDUfD/omOKrcKDPMsELsnH2mfkF76M7muMG81Y
+JdO+286ANwkNqgrSKTOq3f3Uj+DG43VI3YntDpd06/Xx2nlUQHVvmX9kr8/LhFQN
+IsHrRnGGKCX8VQjLu0nFpelEXY5hHwtkv14xVcaB/6d7PhecIp5YyaTJ+XvAfJHJ
+ddJ7F9W1gzIuGxBiwnX71y5xhPGVn77EaqFk16mkOlwDNY1g5JerufYnp9WxtOUL
+qMNGFyYByx0KAzUyLcku2jSF60km4amDfNrNp5orYAF15O2kMbRWJpne9XHMWlD0
+GkfUHJ1vTQas9WLOLkhU3yrPfu6eCeD0ZApFZCCwCDwxQe6tYYZxTtY62PsbJSj/
+0z+nwxDw5Xz6S04cLeHrMm256YMZ8wstqYfAhBP/ebsBpWhfmy7OyqVrklIUvhAJ
+Hsae7UGaTMb1TT4y4AHqC+RIl110qktG+3zGDY8Eldo5QSHmhJEWfpi1bIYPMhJe
+nx86qQawaIL9ybNc++xnFnfx8LAGoTe/SVP7ZjbRsklbcPbRS8Cm76ZCm1yG+3By
+HyvPeYndFocYvy0v
 -----END CERTIFICATE-----`
-	validKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAuiRet28DV68Dk4A8
-eqCaqgXmymamUEjW/DxvIQqH3lbhtm8BwSnS9wUAajSLSWiq3fci2RbRgaSPjUrn
-bOHCLQIDAQABAkEArDR1g9IqD3aUImNikDgAngbzqpAokOGyMoxeavzpEaFOgCzi
-gi7HF7yHRmZkUt8CzdEvnHSqRjFuaaB0gGA+AQIhAOc8Z1h8ElLRSqaZGgI3jCTp
-Izx9HNY//U5NGrXD2+ttAiEAzhOqkqI4+nDab7FpiD7MXI6fO549mEXeVBPvPtsS
-OcECIQCIfkpOm+ZBBpO3JXaJynoqK4gGI6ALA/ik6LSUiIlfPQIhAISjd9hlfZME
-bDQT1r8Q3Gx+h9LRqQeHgPBQ3F5ylqqBAiBaJ0hkYvrIdWxNlcLqD3065bJpHQ4S
-WQkuZUQN1M/Xvg==
------END RSA PRIVATE KEY-----`
+	validKey = `-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC+u/qycTJw1AEf
+4X5U9mpuYjFobNaUN7OitJMcqjdRXBfgs64zxMDvqnLg8NY9lCC8TKnBJvnUN7/E
+uv2Go5dsIoLMpPB75J5XtaqWUmDOzgymbEE3Fv0IrvsRk3rXaIpOP4o9bXMQf9gX
+3Y6dHxM8bR/rKeigzZE+FKjClshmRtv1Dbkwfk4I/ka0qAX4yf5J4A5uN6wYu8i0
+yt90icXwprKg6WCynyii9M9qbtWLrq3oR5MLIP4RqIwjnIZWqNvgtV0fMMEel/KK
+4IEbN6a1+62ocnIco2uMTsaDRz7gciixeaB4HdHr+JYuAd2tyRYhd4REOkRi/9Q3
+spER6eUQZmo8VWrVCvIqBU8umTunvgzhVfdwmS43q/oM4Moq/VeNGisf1hWnl1wd
+CutY4lNVAFyj7+seLrwH7V+vYDqkIqi9+dfxXLhs8iLyCPd/3Y//MhLDZ0fk0Va7
+TAcFU8MSg9hjo6cgThSvyAxuMQ0yay9B6H6f8HjlagQtTQ/a9syLeF2HKzktdKMx
+xCooz8EVrw5ZiT/foBeDvUv0RnQ5zX+RLM+YHjFoGpNJaYLZz1mSzFhfzCDgE9Uk
+HE3l4I+1PHNMTfsb0c+Q3rUfOjoKZOSEnLf/a+UIy+CPlOZF4UOhBTrCbzrQuQI6
+Dw/8RKGedi3wTmn4nyQo2Xh05SKnNQIDAQABAoICACWbdvDcNO/ePWKF2ZzzAUVG
+gytt2llbKkY4iJEsVr/qAqNBimWWs9wNpZ0In5WAsXuvOgFlp/jaDSvDGt4DP4YI
+v/WNyAUFrNrqbPo6v+/G3OOrkKhGFhoyNjre82epqyuGh8FY5Ukpi/gYrVf5mpdd
+hN+fYcji/3JYLHZBuL3B1vjYfd076jMHv/U69AJ8AXGbhfzhaUNvM0HChpC54Zdz
+puDnYzOVAjQvRP5dYCmshYm5IxscpDvjGc6jvDE2FjSWTggqWsmneCE95vbw4CQd
+vb3q4ukWp8wAdE/KKnGi0Lc9nhBRAOUgHKxxnb34Wi67HA8/1eAXRUa+JLB9h7Z+
+6zIF/GMZHcUR51Y2k5ePddZ4SKqjdAiEs8EUqlQLSqiPypfCGsShCBvntR+Gjhue
+p/cQheDl8DuL8vtFOrFy3C4nVECmijdztaAuNhkxNpKCf7zdizbFyBWu9+sjsom2
+2JY9Ten/CfErVxIeB3wQcIk2c4BZtvuPEiSAsClAE7WMk8+Ohxt0pHCrXAXoLwaG
+eGDh80INLbi3FNbqbJlAQP8rmF7FAo2LvjkkrE9LH4Qu9BYIieXuwucm7ofACHnF
+cqh8BvD/eg37CZjBgKiq0aFA7NxE+7mcoYBo9EiPfOzoIyS2o+iPaK6uaBKRKLaC
+j4eP97qwPQ3dDrEksuW5AoIBAQDkZmgC9qX12YRyGf3IPQUQ5KuHj+xCOFmx/nrV
+iVeBMfVlUVzYzqfWFgFkrTCnpoGcO8A9C3/9smC9xGBzK6sUEj4pZZur7CUJt2AA
+V0p7KlSEjTfPdcML6H/LMOc5tvVRLytu3KN6zwal5zda7zTGIXA1l18mHYD1Tn9V
+gtg22hC8nB1GLZ2mL5zM7VfEsEki9sHS1/8om0goP44nefdxiPpHh9SgitI9jQXX
+TTIG1nPDb79bJxFSVlJCfkBAMgr2Nqg5TjWvmh9o137NaUhJQ6r6yisebogBHYpv
+aakto9URExmTT3OKNUAM7rxx8ZQDKWb9E3d6H0S7NjFUBFgzAoIBAQDVyGCP0htm
+Ylc1X74mqXv78C+A/9i7oKPWAA1XJEiyBPJafSIwJFrFf7NJqiSraG8hpoBlPBF/
+CB41OPspAgDAqHe9snvUzCmE3hTKacd8UJfWAsO2aF+kP+ysbcowcLoTMeUo8Nsb
+i2RS1iOEvaCc62TqerYq2cMxHq/ugPd+CUUKGgGuZI3KaX3o10duQvJlhY62NHJt
+RGguWysPBPa0Ce/Bv4jm0mWO0IS7bXvklqEQ6DYA2I4eZKuyoYNXiRhYxYmZdhS4
+okvqmf7Sxn4gVmX2whoo7mN25hrZtxCP2vwS5p9ano1WZf8O89zIR//EAUjw/YoP
+bhYekJflMjr3AoIBABqvYE2gVamQvWm7YaxIfNQJc4UGKrtd7BTgv6c9Qa0Fkj9B
+L1DhbDiWH5mMppef25rOXFqFgnG4qpbhX8d0/ar9qqeZiIOgtn8ZHq1LhZc4TeGi
+wjeJ8bztcCjkUM+scaMHmNJ+EtehYox1pEEKm6bed0a7pdFFNzDx9+ycufhGqBfx
+QXZWlAm7nF1RCaUgV5svK1wgAl7TLa4OJuSz2lY4g81hsFUFgyTP2jPagBLOcX4P
+C1NyEBMHpNrB923IqwEzR5pSafFXV34fV2BWgayVrF9ayYjnrxo6QldcB/keICG7
+koxkhwJJ0G7yYbAKYpmv96lv4dCx4Izi+wZu74MCggEBAKzDS9WuM9pfqp5Fi0Nv
+P/Tvu1QCbkHipcQxMpazidPjT391FIXXO0vT0S28w/mJYhXNmoE1M+Z2xwK307Dm
+H3mSK4IvlQb5HqxzVFXnegCqmKmofkUQwAnaZwdJilXvI1CTx994FXmDAkY3K2kA
+XaWyTVF4bXLfnHA7nm2d52QBVbu+HJG0TSnAarIaF22xyHXmotf4Nmi7GX4syvVO
+S5hfV1Q51wbCDLSHKlzVM4QdfnhNUCcK2n8RV/f5skyxS+2hZXuRA1naPoOOg3IO
+WqsDZ08suTtOuy7A8f3zhPzcOU2E9k6jRxEFSEPrKwbnuHfLmgi2vDWP/2wf6cCd
+AS0CggEAQuKLryhoQJ/n4CMxlEOoZkzsHb1w0rCHeEkJGBqZbGfisutI/T1qcVME
+mL6vB1Uculi+jl3I3mhmo7AX5xmhs779x9kBXHBcpA1x4Xmbz6kME9JHj7FQ75hJ
+bI1UTHsGhz1jHTkClTnb5kJMqx2yEXjXWgbdGWuaq7z+/UtnQ/LDMdmAaC0F0S90
+OwvveUCKJX/JW/KQoU4arRAZXMHlxSf67yGA+2DMSe+AY6GxYxtfxlNubHVZ6FfL
+75WHmz9UuWvXXyxGmNHB8ufTnlrj0hA0+vdLnbwG5bzvErK9pjlwNQ4ptWfTigoN
+Ry2ru3EBXmrEr5O2Hzhz4FdZrpDeNA==
+-----END PRIVATE KEY-----`
 	invalidCertificate = `
 -----BEGIN CERTIFICATE-----
 MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
@@ -52,6 +116,23 @@ yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
 MIIJKQIBAAKCAgEAw2jtDhf4X2W8182vtAiwXUk/Zr7mruiiFt3y4l7YRBXaazmI
 eIWaEkvN9O90gL09Cx5jgq6mP1pjCzHsEFhnICziFd1r+M3cMeb4EAqwMZ84
 -----END RSA PRIVATE KEY-----`
+	noSANCertificate = `-----BEGIN CERTIFICATE-----
+MIICrDCCAZQCCQDLyfaAArSAUTANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAx4
+eGlhX3Rlc3RfY2EwIBcNMjIwMjIxMTcwNTU2WhgPMjI5NTEyMDcxNzA1NTZaMBcx
+FTATBgNVBAMMDHh4aWFfdGVzdF9jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKcOSfl9dvOfcQcUl5k9vMzL1UhqHOgs3vmQIF0Ht4tzxSo9gB2rHMhq
+uiOBtoA7BdhEA72Bp04Rx7sGrD0SntWgGEYBE3LaXiBgonKB+AwwC7svNxUVakW4
+3BDSogktgUo2njclex+Bjm3sNVrZm7JYPJ27MqHhtPBqeO28HGHTLizeNIkz1A5u
+vl3mzotQeacduCcLn3kFcT1hjzcHh89AqaMplHzJzeNnsIUMsYud0D3vxfhmoh17
+gzU2LJTMGmRDPsoV1DwRnDHWIaxGcz8tVox0M3ocTHjoyvMwKv23JqinURVqHnVg
+UZETxuNDrHEFaIhyWzFIOEAIaiJ9pO8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+pB+4nh22itJpBVJ4qgZ8HrI/t4PBW+gf+4XgnslfmvvE1tbuucADvu8b8LA1CwIa
++jqv9HM5jy2DdflwCOjMwkPK7TTq8WmaRM3x5Ys3mI0AMuZqXDch/A3tzVRKPdlo
+wo1jCYynYDQF2bHgeAIMAHVGUSZmOBBMGPYKV+CptYGm42Lel/9awC2IToyj1grA
+sbm/L8bzE4vkpMQPvcGnj2SEiEVFFAdKsrLe57HzKlJsaMH8Ow59CpYdQGqYTOew
+6UiC6O+gjsEV6Q6xcCoOow05ANsjo7S0y9u8UhxwiEtOE4D479b3tKnJp5CnkbUJ
+PSV0AWbZpYFnB2GMMXObPg==
+-----END CERTIFICATE-----`
 )
 
 type certificateData struct {
@@ -187,6 +268,22 @@ func TestValidateCustomCertSecret(t *testing.T) {
 				err:           fmt.Errorf("failed to verify custom key PEM: block RSA PRIVATE KEY is not valid key PEM"),
 			},
 		},
+		{
+			name: "Test custom cert secret with no SAN in certificate",
+			args: args{
+				secret: &corev1.Secret{
+					Type: corev1.SecretTypeTLS,
+					Data: map[string][]byte{
+						corev1.TLSCertKey:       []byte(noSANCertificate),
+						corev1.TLSPrivateKeyKey: []byte(validKey),
+					},
+				},
+			},
+			want: want{
+				customTLSCert: nil,
+				err:           fmt.Errorf("failed to verify custom certificate PEM: custom TLS certificate has no SAN"),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/console/controllers/service/controller.go

@@ -114,7 +114,7 @@ func (c *ServiceSyncController) Sync(ctx context.Context, controllerContext fact
 	routeConfig := routesub.NewRouteConfig(updatedOperatorConfig, ingressConfig, c.serviceName)
 
 	requiredSvc := c.getDefaultService()
-	_, _, svcErr := resourceapply.ApplyService(c.serviceClient, controllerContext.Recorder(), requiredSvc)
+	_, _, svcErr := resourceapply.ApplyService(ctx, c.serviceClient, controllerContext.Recorder(), requiredSvc)
 	statusHandler.AddConditions(status.HandleProgressingOrDegraded("ServiceSync", "FailedApply", svcErr))
 	if svcErr != nil {
 		return statusHandler.FlushAndReturn(svcErr)
@@ -137,7 +137,7 @@ func (c *ServiceSyncController) SyncRedirectService(ctx context.Context, routeCo
 		return "", nil
 	}
 	requiredRedirectService := c.getRedirectService()
-	_, _, redirectSvcErr := resourceapply.ApplyService(c.serviceClient, controllerContext.Recorder(), requiredRedirectService)
+	_, _, redirectSvcErr := resourceapply.ApplyService(ctx, c.serviceClient, controllerContext.Recorder(), requiredRedirectService)
 	if redirectSvcErr != nil {
 		return "FailedApply", redirectSvcErr
 	}

pkg/console/operator/operator.go

@@ -270,7 +270,7 @@ func (c *consoleOperator) removeConsole(ctx context.Context, recorder events.Rec
 	// NOTE: CVO controls the deployment for downloads, console-operator cannot delete it.
 	errs = append(errs, c.deploymentClient.Deployments(api.TargetNamespace).Delete(ctx, deployment.Stub().Name, metav1.DeleteOptions{}))
 	// clear the console URL from the public config map in openshift-config-managed
-	_, _, updateConfigErr := resourceapply.ApplyConfigMap(c.configMapClient, recorder, configmap.EmptyPublicConfig())
+	_, _, updateConfigErr := resourceapply.ApplyConfigMap(ctx, c.configMapClient, recorder, configmap.EmptyPublicConfig())
 	errs = append(errs, updateConfigErr)
 
 	return utilerrors.FilterOut(utilerrors.NewAggregate(errs), errors.IsNotFound)

pkg/console/operator/sync_v400.go

@@ -170,7 +170,7 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		return statusHandler.FlushAndReturn(consoleConfigErr)
 	}
 
-	_, _, consolePublicConfigErr := co.SyncConsolePublicConfig(consoleURL.String(), controllerContext.Recorder())
+	_, _, consolePublicConfigErr := co.SyncConsolePublicConfig(ctx, consoleURL.String(), controllerContext.Recorder())
 	statusHandler.AddCondition(status.HandleDegraded("ConsolePublicConfigMap", "FailedApply", consolePublicConfigErr))
 	if consolePublicConfigErr != nil {
 		klog.Errorf("could not update public console config status: %v", consolePublicConfigErr)
@@ -225,9 +225,9 @@ func (co *consoleOperator) SyncConsoleConfig(ctx context.Context, consoleConfig
 	return consoleConfig, nil
 }
 
-func (co *consoleOperator) SyncConsolePublicConfig(consoleURL string, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+func (co *consoleOperator) SyncConsolePublicConfig(ctx context.Context, consoleURL string, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
 	requiredConfigMap := configmapsub.DefaultPublicConfig(consoleURL)
-	return resourceapply.ApplyConfigMap(co.configMapClient, recorder, requiredConfigMap)
+	return resourceapply.ApplyConfigMap(ctx, co.configMapClient, recorder, requiredConfigMap)
 }
 
 func (co *consoleOperator) SyncDeployment(
@@ -252,7 +252,7 @@ func (co *consoleOperator) SyncDeployment(
 	}
 	deploymentsub.LogDeploymentAnnotationChanges(co.deploymentClient, requiredDeployment, ctx)
 
-	deployment, deploymentChanged, applyDepErr := resourceapply.ApplyDeployment(
+	deployment, deploymentChanged, applyDepErr := resourceapply.ApplyDeployment(ctx,
 		co.deploymentClient,
 		recorder,
 		requiredDeployment,
@@ -289,7 +289,7 @@ func (co *consoleOperator) SyncOAuthClient(
 func (co *consoleOperator) SyncSecret(ctx context.Context, operatorConfig *operatorv1.Console, recorder events.Recorder) (*corev1.Secret, bool, error) {
 	secret, err := co.secretsClient.Secrets(api.TargetNamespace).Get(ctx, secretsub.Stub().Name, metav1.GetOptions{})
 	if apierrors.IsNotFound(err) || secretsub.GetSecretString(secret) == "" {
-		return resourceapply.ApplySecret(co.secretsClient, recorder, secretsub.DefaultSecret(operatorConfig, crypto.Random256BitsString()))
+		return resourceapply.ApplySecret(ctx, co.secretsClient, recorder, secretsub.DefaultSecret(operatorConfig, crypto.Random256BitsString()))
 	}
 	// any error should be returned & kill the sync loop
 	if err != nil {
@@ -345,7 +345,7 @@ func (co *consoleOperator) SyncConfigMap(
 	if err != nil {
 		return nil, false, "FailedConsoleConfigBuilder", err
 	}
-	cm, cmChanged, cmErr := resourceapply.ApplyConfigMap(co.configMapClient, recorder, defaultConfigmap)
+	cm, cmChanged, cmErr := resourceapply.ApplyConfigMap(ctx, co.configMapClient, recorder, defaultConfigmap)
 	if cmErr != nil {
 		return nil, false, "FailedApply", cmErr
 	}

pkg/console/starter/starter.go

@@ -25,7 +25,7 @@ import (
 	"github.com/openshift/console-operator/pkg/console/controllers/service"
 	"github.com/openshift/console-operator/pkg/console/operatorclient"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
-	"github.com/openshift/library-go/pkg/operator/management"
+	"github.com/openshift/library-go/pkg/operator/managementstatecontroller"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
 	"github.com/openshift/library-go/pkg/operator/staleconditions"
 	"github.com/openshift/library-go/pkg/operator/status"
@@ -353,7 +353,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 
 	configUpgradeableController := unsupportedconfigoverridescontroller.NewUnsupportedConfigOverridesController(operatorClient, controllerContext.EventRecorder)
 	logLevelController := loglevel.NewClusterOperatorLoggingController(operatorClient, controllerContext.EventRecorder)
-	managementStateController := management.NewOperatorManagementStateController(api.ClusterOperatorName, operatorClient, controllerContext.EventRecorder)
+	managementStateController := managementstatecontroller.NewOperatorManagementStateController(api.ClusterOperatorName, operatorClient, controllerContext.EventRecorder)
 
 	for _, informer := range []interface {
 		Start(stopCh <-chan struct{})

pkg/console/status/status.go

@@ -54,6 +54,12 @@ func HandleAvailable(typePrefix string, reason string, err error) v1helpers.Upda
 	return v1helpers.UpdateConditionFn(condition)
 }
 
+func HandleUpgradable(typePrefix string, reason string, err error) v1helpers.UpdateStatusFunc {
+	conditionType := typePrefix + operatorsv1.OperatorStatusTypeUpgradeable
+	condition := handleCondition(conditionType, reason, err)
+	return v1helpers.UpdateConditionFn(condition)
+}
+
 // HandleProgressingOrDegraded exists until we remove type SyncError
 // If isSyncError
 // - Type suffix will be set to Progressing
@@ -91,7 +97,7 @@ func handleCondition(conditionTypeWithSuffix string, reason string, err error) o
 
 // Available is an inversion of the other conditions
 func setConditionValue(conditionType string, err error) operatorsv1.ConditionStatus {
-	if strings.HasSuffix(conditionType, operatorsv1.OperatorStatusTypeAvailable) {
+	if strings.HasSuffix(conditionType, operatorsv1.OperatorStatusTypeAvailable) || strings.HasSuffix(conditionType, operatorsv1.OperatorStatusTypeUpgradeable) {
 		if err != nil {
 			return operatorsv1.ConditionFalse
 		}