NO-ISSUE: Synchronize From Upstream Repositories

Makefile

@@ -7,6 +7,7 @@ SHELL := /usr/bin/env bash -o pipefail
 .SHELLFLAGS := -ec
 export ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
+GOLANG_VERSION := $(shell sed -En 's/^go (.*)$$/\1/p' "go.mod")
 # Image URL to use all building/pushing image targets
 ifeq ($(origin IMAGE_REPO), undefined)
 IMAGE_REPO := quay.io/operator-framework/operator-controller
@@ -95,7 +96,8 @@ lint: $(GOLANGCI_LINT) #HELP Run golangci linter.
 
 .PHONY: tidy
 tidy: #HELP Update dependencies.
-	$(Q)go mod tidy
+	# Force tidy to use the version already in go.mod
+	$(Q)go mod tidy -go=$(GOLANG_VERSION)
 
 .PHONY: manifests
 manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
@@ -163,9 +165,8 @@ test-unit: $(SETUP_ENVTEST) #HELP Run the unit tests
                 $(UNIT_TEST_DIRS) \
                 -test.gocoverdir=$(ROOT_DIR)/coverage/unit
 
-E2E_REGISTRY_CERT_REF := ClusterIssuer/olmv1-ca # By default, we'll use a trusted CA for the registry.
 image-registry: ## Setup in-cluster image registry
-	./hack/test/image-registry.sh $(E2E_REGISTRY_NAMESPACE) $(E2E_REGISTRY_NAME) $(E2E_REGISTRY_CERT_REF)
+	./hack/test/image-registry.sh $(E2E_REGISTRY_NAMESPACE) $(E2E_REGISTRY_NAME)
 
 build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and push it to the image registry
 	./hack/test/build-push-e2e-catalog.sh $(E2E_REGISTRY_NAMESPACE) $(LOCAL_REGISTRY_HOST)/$(E2E_TEST_CATALOG_V1)
@@ -180,7 +181,6 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus
 test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e
 test-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/e2e
 test-e2e: GO_BUILD_FLAGS := -cover
-test-e2e: E2E_REGISTRY_CERT_REF := Issuer/selfsigned-issuer
 test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster
 
 .PHONY: extension-developer-e2e

commitchecker.yaml

@@ -1,4 +1,4 @@
-expectedMergeBase: 188858cbf3062ecf1e9dfcb37c3dc866a138db77
+expectedMergeBase: 33f6abf07c88435276ce298907ea7d72fabb2b06
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

config/components/registries-conf/registries_conf_configmap.yaml

@@ -6,6 +6,5 @@ metadata:
 data:
   registries.conf: |
     [[registry]]
-    prefix = "docker-registry.operator-controller-e2e.svc.cluster.local:5000"
-    insecure = true
+    prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000"
     location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000"

hack/test/image-registry.sh

@@ -16,31 +16,20 @@ Argument Descriptions:
     format of 'Issuer/<issuer-name>' or 'ClusterIssuer/<cluster-issuer-name>'
 "
 
-if [[ "$#" -ne 3 ]]; then
+if [[ "$#" -ne 2 ]]; then
   echo "Illegal number of arguments passed"
   echo "${help}"
   exit 1
 fi
 
 namespace=$1
 name=$2
-certRef=$3
-
-echo "CERT_REF: ${certRef}"
 
 kubectl apply -f - << EOF
 apiVersion: v1
 kind: Namespace
 metadata:
   name: ${namespace}
----
- apiVersion: cert-manager.io/v1
- kind: Issuer
- metadata:
-   name: selfsigned-issuer
-   namespace: ${namespace}
- spec:
-   selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -57,8 +46,8 @@ spec:
     algorithm: ECDSA
     size: 256
   issuerRef:
-    name: ${certRef#*/}
-    kind: ${certRef%/*}
+    name: olmv1-ca
+    kind: ClusterIssuer
     group: cert-manager.io
 ---
 apiVersion: apps/v1

hack/tools/catalogs/README.md

@@ -0,0 +1,177 @@
+# Hack Catalog Tools
+
+This directory contains scripts that automate some of the tasks related to catalog interaction and bundle installation.
+
+---
+> [!WARNING]
+> These scripts are intended to help users navigate the catalog and produce installation RBAC until reliable tooling is available for OLM v1,
+> and to document the process in code for contributors. These scripts are not officially supported.
+> They are not meant to be used in production environments.
+---
+
+### Prerequisites
+
+To execute the scripts, the following tools are required:
+
+ * [jq](https://jqlang.github.io/jq/) to filter catalog data
+ * [yq](https://mikefarah.gitbook.io/yq/) to parse YAML
+ * [kubectl](https://kubernetes.io/docs/reference/kubectl/) to interact with the cluster running OLM v1
+ * [wget](https://www.gnu.org/software/wget/) to download the catalog data
+ * A container runtime, such as [podman](https://podman.io/) or [docker](https://www.docker.com/) to interact with bundle images.
+
+#### Container Runtime
+
+By default, the scripts use `podman` or `docker` as the container runtime. 
+If you use another container runtime, set the `CONTAINER_RUNTIME` environment variable to the path of the container runtime binary.
+
+### Tools
+
+---
+> [!NOTE]
+> All examples assume that the current working directory is the `hack/tools/catalogs` directory.
+---
+
+#### download-catalog
+
+Download a catalog from an unpacked ClusterCatalog running on a cluster reachable by `kubectl`.
+
+Example:
+
+  ```terminal
+  # Download the catalog from the operatorhubio ClusterCatalog
+  ./download-catalog operatorhubio
+  ```
+
+The downloaded catalog is saved to <catalog-name>-catalog.json in the current directory.
+
+#### list-compatible-bundles
+
+List (potential) OLM v1 compatible bundles from the catalog.
+
+Not all registry+v1 bundles made for OLM v0 are compatible with OLM v1. 
+Compatible bundles must meet the following criteria:
+ * Support for the 'AllNamespaces' install mode
+ * No webhooks
+ * No dependencies on other packages of GVKs
+ * The operator does not make use of OLM v0's [`OperatorCondition`](https://olm.operatorframework.io/docs/concepts/crds/operatorcondition/) API
+
+<!--- 
+TODO: Update link to OLM v1 limitations doc when it is available.
+-->
+For more information, see [OLM v1 limitations](../../../docs/refs/olm-v1-limitations.md).
+
+For some bundles, some of this criteria can only be determined by inspecting the contents bundle image. The script will return all bundles that are potentially compatible.
+
+Examples:
+
+  ``` terminal
+  # List (potentially) OLM v1 compatible bundles from the operatorhubio catalog
+  ./list-compatible-bundles < operatorhubio-catalog.json
+  ```
+
+  ``` terminal
+  # List (potentially) OLM v1 compatible bundles that contain 'argco' in the package name
+  # -r can be used with any regex supported by jq
+  ./list-compatible-bundles -r 'argocd' < operatorhubio-catalog.json
+  ```
+
+#### find-bundle-image
+
+Find the image for a bundle in the catalog.
+
+Example:
+
+  ``` terminal
+  # Get the image for the argocd-operator v0.6.0 bundle from the operatorhubio catalog
+  ./find-bundle-image argocd-operator 0.6.0 < operatorhubio-catalog.json
+  ```
+
+#### unpack-bundle
+
+Unpack a bundle image to a directory.
+
+Example:
+
+  ``` terminal
+  # Unpack the argocd-operator v0.6.0 bundle image to a temporary directory
+  ./unpack-bundle quay.io/operatorhubio/argocd-operator@sha256:d538c45a813b38ef0e44f40d279dc2653f97ca901fb660da5d7fe499d51ad3b3
+  ```
+
+  ``` terminal
+  # Unpack the argocd-operator v0.6.0 bundle image to a specific directory
+  ./unpack-bundle quay.io/operatorhubio/argocd-operator@sha256:d538c45a813b38ef0e44f40d279dc2653f97ca901fb660da5d7fe499d51ad3b3 -o argocd-manifests
+  ```
+
+#### is-bundle-supported
+
+Check if a bundle is supported by OLM v1 by inspecting the unpacked bundle manifests.
+
+<!--- 
+TODO: Update link to OLM v1 limitations doc when it is available.
+-->
+For more information on bundle support, see [OLM v1 limitations](../../../docs/refs/olm-v1-limitations.md).
+
+Example:
+
+  ``` terminal
+  # Check if the argocd-operator v0.6.0 bundle from the operatorhubio catalog is supported by OLM v1
+  ./is-bundle-supported argocd-manifests
+  ```
+
+  ``` terminal
+  # Find bundle image, unpack, and verify support in one command
+  ./find-bundle-image argocd-operator 0.6.0 < operatorhubio-catalog.json | ./unpack-bundle | ./is-bundle-supported
+  ```
+
+#### generate-manifests
+
+Generate RBAC or installation manifests for a bundle. The generated manifests can be templates or fully rendered manifests.
+
+The following options can be used to override resource naming defaults:
+  -n <namespace> Namespace where the extension is installed
+  -e <cluster-extension-name> - Name of the extension
+  -cr <cluster-role-name> - Name of the cluster role
+  -r <role-name> - Name of the role
+  -s <service-account-name> - Name of the service account
+  --template - Generate template manifests
+
+Default resource name format:
+  * Namespace: <cluster-extension-name>-system
+  * Extension name: <package-name>
+  * ClusterRole name: <service-account-name>-cluster-role
+  * Role name: <service-account-name>-installer-role
+  * ServiceAccount name: <package-name>-installer
+  * ClusterRoleBinding name: <cluster-role-name>-binding
+  * RoleBinding name: <role-name>-binding
+
+Use `--template` to generate templated manifests that can be customized before applying to the cluster. 
+Template manifests will contain the following template variables:
+
+Template Variables:
+* `${NAMESPACE}` - Namespace where the extension is installed
+* `${EXTENSION_NAME}` - Name of the extension
+* `${CLUSTER_ROLE_NAME}` - Name of the cluster role
+* `${ROLE_NAME}` - Name of the role
+* `${SERVICE_ACCOUNT_NAME}` - Name of the service account
+
+Examples:
+
+  ``` terminal
+  # Generate installation manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog
+  ./generate-manifests install argocd-operator 0.6.0 < operatorhubio-catalog.json
+  ```
+
+  ``` terminal
+  # Generate templated installation manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog
+  generate-manifests install argocd-operator 0.6.0 --template < operatorhubio-catalog.json
+  ```
+
+  ``` terminal
+  # Generate RBAC manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog
+  generate-manifests rbac argocd-operator 0.6.0 < operatorhubio-catalog.json
+  ```
+
+  ``` terminal
+  # Generate templated RBAC manifests for the argocd-operator v0.6.0 bundle from the operatorhubio catalog
+  generate-manifests rbac argocd-operator 0.6.0 --template < operatorhubio-catalog.json
+  ```

hack/tools/catalogs/download-catalog

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+SCRIPT_ROOT=$(dirname "$(realpath "$0")")
+source "${SCRIPT_ROOT}/lib/utils.sh"
+
+# Check required tools are installed
+assert-commands kubectl jq wget
+
+# ClusterCatalog coordinates
+: "${CATALOGD_CATALOGD_SERVICE_NAMESPACE:=olmv1-system}"
+: "${CATALOGD_SERVICE_NAME:=catalogd-catalogserver}"
+: "${CATALOGD_SERVICE_PORT:=443}" # Assumes the service uses HTTPS on port 443
+: "${CATALOGD_LOCAL_SERVICE_PORT:=8001}"
+
+echo "Namespace: $CATALOGD_CATALOGD_SERVICE_NAMESPACE"
+echo "Service Name: $CATALOGD_SERVICE_NAME"
+echo "Service Port: $CATALOGD_SERVICE_PORT"
+echo "Local Service Port: $CATALOGD_LOCAL_SERVICE_PORT"
+
+# Display usage
+usage() {
+    print-banner
+    echo ""
+    echo "Usage: $0 <catalog-name>"
+    echo ""
+    echo "Download catalog from a ClusterCatalog in a cluster reachable from KUBECONFIG"
+    echo "Downloaded catalog will be saved as <catalog-name>-catalog.json"
+    echo ""
+    echo "Example:"
+    echo "  $0 operatorhubio"
+}
+
+# Check if catalog name is provided
+if [ -z "$1" ]; then
+    usage
+    exit 1
+fi
+
+CATALOG_NAME="$1"
+
+# Check if the clustercatalog resource exists
+echo "Checking if ClusterCatalog $CATALOG_NAME exists..."
+CLUSTER_CATALOG=$(kubectl get clustercatalog "$CATALOG_NAME" -o json 2>/dev/null)
+if [ -z "$CLUSTER_CATALOG" ]; then
+    echo "ClusterCatalog $CATALOG_NAME does not exist."
+    exit 1
+fi
+
+# Check if the Unpacked condition is true
+UNPACKED_CONDITION=$(echo "$CLUSTER_CATALOG" | jq -r '.status.conditions[]? // [] | select(.type=="Unpacked") | .status')
+if [ "$UNPACKED_CONDITION" != "True" ]; then
+    echo "ClusterCatalog $CATALOG_NAME is not unpacked yet."
+    exit 1
+fi
+
+# Get the contentURL
+CONTENT_URL=$(echo "$CLUSTER_CATALOG" | jq -r '.status.contentURL')
+if [ -z "$CONTENT_URL" ]; then
+    echo "Content URL not found for ClusterCatalog $CATALOG_NAME."
+    exit 1
+fi
+
+# Start port forwarding
+echo "Starting kubectl port-forward to $CATALOGD_SERVICE_NAME on port $CATALOGD_LOCAL_SERVICE_PORT..."
+kubectl port-forward -n "$CATALOGD_CATALOGD_SERVICE_NAMESPACE" svc/"$CATALOGD_SERVICE_NAME" "$CATALOGD_LOCAL_SERVICE_PORT:$CATALOGD_SERVICE_PORT" &>/dev/null &
+PORT_FORWARD_PID=$!
+
+# Poll the service until it responds or timeout after 30 seconds
+timeout=30
+while ! curl -s "http://localhost:${CATALOGD_LOCAL_SERVICE_PORT}" >/dev/null; do
+  timeout=$((timeout - 1))
+  if [ $timeout -le 0 ]; then
+    echo "Port forwarding failed to start within 30 seconds."
+    kill $PORT_FORWARD_PID
+    exit 1
+  fi
+  sleep 1
+done
+
+# Modify the contentURL to hit localhost:<port>
+LOCAL_CONTENT_URL=${CONTENT_URL//https:\/\/$CATALOGD_SERVICE_NAME.$CATALOGD_CATALOGD_SERVICE_NAMESPACE.svc/https:\/\/localhost:$CATALOGD_LOCAL_SERVICE_PORT}
+echo "Found content URL: $CONTENT_URL"
+echo "Using local port: $CATALOGD_LOCAL_SERVICE_PORT"
+echo "Using local content URL: $LOCAL_CONTENT_URL"
+
+# shellcheck disable=SC2001
+# Download the catalog using wget
+echo "Downloading catalog from $LOCAL_CONTENT_URL..."
+wget --no-check-certificate "$LOCAL_CONTENT_URL" -O "${CATALOG_NAME}-catalog.json"
+
+# Stop the port forwarding
+echo "Stopping kubectl port-forward..."
+kill $PORT_FORWARD_PID
+
+echo "Catalog downloaded to ${CATALOG_NAME}-catalog.json"