openshift · openshift-merge-bot · Jun 13, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025
diff --git a/Makefile b/Makefile
@@ -83,7 +83,10 @@ export RELEASE_MANIFEST := operator-controller.yaml
 export RELEASE_INSTALL := install.sh
 export RELEASE_CATALOGS := default-catalogs.yaml
 
-CATALOGS_MANIFEST := ./config/catalogs/clustercatalogs/default-catalogs.yaml
+# List of manifests that are checked in
+MANIFEST_HOME := ./manifests
+STANDARD_MANIFEST := ./manifests/standard.yaml
+CATALOGS_MANIFEST := ./manifests/default-catalogs.yaml
 
 # Disable -j flag for make
 .NOTPARALLEL:
@@ -143,7 +146,7 @@ KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
 CRD_WORKING_DIR := crd_work_dir
 # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files
 # So we have to generate them together and then move them into place
-manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
+manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	mkdir $(CRD_WORKING_DIR)
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) crd paths="./api/v1/..." output:crd:artifacts:config=$(CRD_WORKING_DIR)
 	mv $(CRD_WORKING_DIR)/olm.operatorframework.io_clusterextensions.yaml $(KUSTOMIZE_OPCON_CRDS_DIR)
@@ -154,6 +157,9 @@ manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole,
 	# Generate the remaining catalogd manifests
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)
+	# Generate manifests stored in source-control
+	mkdir -p $(MANIFEST_HOME)
+	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) > $(STANDARD_MANIFEST)
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -296,8 +302,8 @@ kind-load: $(KIND) #EXHELP Loads the currently constructed images into the KIND
 .PHONY: kind-deploy
 kind-deploy: export MANIFEST := $(RELEASE_MANIFEST)
 kind-deploy: export DEFAULT_CATALOG := $(RELEASE_CATALOGS)
-kind-deploy: manifests $(KUSTOMIZE)
-	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | sed "s/cert-git-version/cert-$(VERSION)/g" > $(MANIFEST)
+kind-deploy: manifests
+	sed "s/cert-git-version/cert-$(VERSION)/g" $(STANDARD_MANIFEST) > $(MANIFEST)
 	cp $(CATALOGS_MANIFEST) $(DEFAULT_CATALOG)
 	envsubst '$$DEFAULT_CATALOG,$$CERT_MGR_VERSION,$$INSTALL_DEFAULT_CATALOGS,$$MANIFEST' < scripts/install.tpl.sh | bash -s
 
@@ -390,8 +396,9 @@ release: $(GORELEASER) #EXHELP Runs goreleaser for the operator-controller. By d
 .PHONY: quickstart
 quickstart: export MANIFEST := "https://github.com/operator-framework/operator-controller/releases/download/$(VERSION)/$(notdir $(RELEASE_MANIFEST))"
 quickstart: export DEFAULT_CATALOG := "https://github.com/operator-framework/operator-controller/releases/download/$(VERSION)/$(notdir $(RELEASE_CATALOGS))"
-quickstart: $(KUSTOMIZE) manifests #EXHELP Generate the unified installation release manifests and scripts.
-	$(KUSTOMIZE) build $(KUSTOMIZE_BUILD_DIR) | sed "s/cert-git-version/cert-$(VERSION)/g" | sed "s/:devel/:$(VERSION)/g" > $(RELEASE_MANIFEST)
+quickstart: manifests #EXHELP Generate the unified installation release manifests and scripts.
+	# Update the stored standard manifests for distribution
+	sed "s/:devel/:$(VERSION)/g" $(STANDARD_MANIFEST) | sed "s/cert-git-version/cert-$(VERSION)/g" > $(RELEASE_MANIFEST)
 	cp $(CATALOGS_MANIFEST) $(RELEASE_CATALOGS)
 	envsubst '$$DEFAULT_CATALOG,$$CERT_MGR_VERSION,$$INSTALL_DEFAULT_CATALOGS,$$MANIFEST' < scripts/install.tpl.sh > $(RELEASE_INSTALL)
 

diff --git a/cmd/catalogd/main.go b/cmd/catalogd/main.go
@@ -30,9 +30,6 @@ import (
 
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
@@ -61,8 +58,11 @@ import (
 	"github.com/operator-framework/operator-controller/internal/catalogd/serverutil"
 	"github.com/operator-framework/operator-controller/internal/catalogd/storage"
 	"github.com/operator-framework/operator-controller/internal/catalogd/webhook"
+	sharedcontrollers "github.com/operator-framework/operator-controller/internal/shared/controllers"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
+	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
+	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -246,17 +246,19 @@ func run(ctx context.Context) error {
 	cacheOptions := crcache.Options{
 		ByObject: map[client.Object]crcache.ByObject{},
 	}
-	if cfg.globalPullSecretKey != nil {
-		cacheOptions.ByObject[&corev1.Secret{}] = crcache.ByObject{
-			Namespaces: map[string]crcache.Config{
-				cfg.globalPullSecretKey.Namespace: {
-					LabelSelector: k8slabels.Everything(),
-					FieldSelector: fields.SelectorFromSet(map[string]string{
-						"metadata.name": cfg.globalPullSecretKey.Name,
-					}),
-				},
-			},
-		}
+
+	saKey, err := sautil.GetServiceAccount()
+	if err != nil {
+		setupLog.Error(err, "Failed to extract serviceaccount from JWT")
+		return err
+	}
+	setupLog.Info("Successfully extracted serviceaccount from JWT", "serviceaccount",
+		fmt.Sprintf("%s/%s", saKey.Namespace, saKey.Name))
+
+	err = pullsecretcache.SetupPullSecretCache(&cacheOptions, cfg.globalPullSecretKey, saKey)
+	if err != nil {
+		setupLog.Error(err, "Unable to setup pull-secret cache")
+		return err
 	}
 
 	// Create manager
@@ -312,7 +314,7 @@ func run(ctx context.Context) error {
 				DockerCertPath: cfg.pullCasDir,
 				OCICertPath:    cfg.pullCasDir,
 			}
-			if _, err := os.Stat(authFilePath); err == nil && cfg.globalPullSecretKey != nil {
+			if _, err := os.Stat(authFilePath); err == nil {
 				logger.Info("using available authentication information for pulling image")
 				srcContext.AuthFilePath = authFilePath
 			} else if os.IsNotExist(err) {
@@ -370,17 +372,16 @@ func run(ctx context.Context) error {
 		return err
 	}
 
-	if cfg.globalPullSecretKey != nil {
-		setupLog.Info("creating SecretSyncer controller for watching secret", "Secret", cfg.globalPullSecret)
-		err := (&corecontrollers.PullSecretReconciler{
-			Client:       mgr.GetClient(),
-			AuthFilePath: authFilePath,
-			SecretKey:    *cfg.globalPullSecretKey,
-		}).SetupWithManager(mgr)
-		if err != nil {
-			setupLog.Error(err, "unable to create controller", "controller", "SecretSyncer")
-			return err
-		}
+	setupLog.Info("creating SecretSyncer controller for watching secret", "Secret", cfg.globalPullSecret)
+	err = (&sharedcontrollers.PullSecretReconciler{
+		Client:            mgr.GetClient(),
+		AuthFilePath:      authFilePath,
+		SecretKey:         cfg.globalPullSecretKey,
+		ServiceAccountKey: saKey,
+	}).SetupWithManager(mgr)
+	if err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "SecretSyncer")
+		return err
 	}
 	//+kubebuilder:scaffold:builder
 

diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -30,10 +30,8 @@ import (
 
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/fields"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
@@ -71,9 +69,12 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/certproviders"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/registryv1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/scheme"
+	sharedcontrollers "github.com/operator-framework/operator-controller/internal/shared/controllers"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 	httputil "github.com/operator-framework/operator-controller/internal/shared/util/http"
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
+	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
+	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -217,17 +218,19 @@ func run() error {
 		},
 		DefaultLabelSelector: k8slabels.Nothing(),
 	}
-	if globalPullSecretKey != nil {
-		cacheOptions.ByObject[&corev1.Secret{}] = crcache.ByObject{
-			Namespaces: map[string]crcache.Config{
-				globalPullSecretKey.Namespace: {
-					LabelSelector: k8slabels.Everything(),
-					FieldSelector: fields.SelectorFromSet(map[string]string{
-						"metadata.name": globalPullSecretKey.Name,
-					}),
-				},
-			},
-		}
+
+	saKey, err := sautil.GetServiceAccount()
+	if err != nil {
+		setupLog.Error(err, "Failed to extract serviceaccount from JWT")
+		return err
+	}
+	setupLog.Info("Successfully extracted serviceaccount from JWT", "serviceaccount",
+		fmt.Sprintf("%s/%s", saKey.Namespace, saKey.Name))
+
+	err = pullsecretcache.SetupPullSecretCache(&cacheOptions, globalPullSecretKey, saKey)
+	if err != nil {
+		setupLog.Error(err, "Unable to setup pull-secret cache")
+		return err
 	}
 
 	metricsServerOptions := server.Options{}
@@ -360,7 +363,7 @@ func run() error {
 				OCICertPath:    cfg.pullCasDir,
 			}
 			logger := log.FromContext(ctx)
-			if _, err := os.Stat(authFilePath); err == nil && globalPullSecretKey != nil {
+			if _, err := os.Stat(authFilePath); err == nil {
 				logger.Info("using available authentication information for pulling image")
 				srcContext.AuthFilePath = authFilePath
 			} else if os.IsNotExist(err) {
@@ -482,17 +485,16 @@ func run() error {
 		return err
 	}
 
-	if globalPullSecretKey != nil {
-		setupLog.Info("creating SecretSyncer controller for watching secret", "Secret", cfg.globalPullSecret)
-		err := (&controllers.PullSecretReconciler{
-			Client:       mgr.GetClient(),
-			AuthFilePath: authFilePath,
-			SecretKey:    *globalPullSecretKey,
-		}).SetupWithManager(mgr)
-		if err != nil {
-			setupLog.Error(err, "unable to create controller", "controller", "SecretSyncer")
-			return err
-		}
+	setupLog.Info("creating SecretSyncer controller for watching secret", "Secret", cfg.globalPullSecret)
+	err = (&sharedcontrollers.PullSecretReconciler{
+		Client:            mgr.GetClient(),
+		AuthFilePath:      authFilePath,
+		SecretKey:         globalPullSecretKey,
+		ServiceAccountKey: saKey,
+	}).SetupWithManager(mgr)
+	if err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "SecretSyncer")
+		return err
 	}
 
 	//+kubebuilder:scaffold:builder

diff --git a/commitchecker.yaml b/commitchecker.yaml
@@ -1,4 +1,4 @@
-expectedMergeBase: 0c9f0b529d50666f0bd28cb6e34fecf090076235
+expectedMergeBase: efc6657e23a9f03ed370e73562c89b72d13ec605
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller
diff --git a/config/base/catalogd/rbac/role.yaml b/config/base/catalogd/rbac/role.yaml
@@ -30,3 +30,19 @@ rules:
   - get
   - patch
   - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role
+  namespace: system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/base/catalogd/rbac/role_binding.yaml b/config/base/catalogd/rbac/role_binding.yaml
@@ -13,3 +13,20 @@ subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: manager-rolebinding
+  namespace: system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager
+    namespace: system
diff --git a/config/base/operator-controller/rbac/role.yaml b/config/base/operator-controller/rbac/role.yaml
@@ -77,3 +77,11 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/components/coverage/catalogd_manager_e2e_coverage_patch.yaml b/config/components/coverage/catalogd_manager_e2e_coverage_patch.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: catalogd-controller-manager
+  namespace: olmv1-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        env:
+        - name: GOCOVERDIR
+          value: /e2e-coverage
+        volumeMounts:
+        - name: e2e-coverage-volume
+          mountPath: /e2e-coverage
+      volumes:
+      - name: e2e-coverage-volume
+        persistentVolumeClaim:
+          claimName: e2e-coverage
diff --git a/config/components/coverage/kustomization.yaml b/config/components/coverage/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - manager_e2e_coverage_pvc.yaml
 - manager_e2e_coverage_copy_pod.yaml
 patches:
-- path: manager_e2e_coverage_patch.yaml
+- path: operator_controller_manager_e2e_coverage_patch.yaml
+- path: catalogd_manager_e2e_coverage_patch.yaml
diff --git a/.../coverage/manager_e2e_coverage_patch.yaml → ...ontroller_manager_e2e_coverage_patch.yaml b/.../coverage/manager_e2e_coverage_patch.yaml → ...ontroller_manager_e2e_coverage_patch.yaml