diff --git a/Makefile b/Makefile index c5c4c4f61..234c13cae 100644 --- a/Makefile +++ b/Makefile @@ -71,11 +71,6 @@ else $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) endif -KUSTOMIZE_STANDARD_OVERLAY := config/overlays/standard -KUSTOMIZE_STANDARD_E2E_OVERLAY := config/overlays/standard-e2e -KUSTOMIZE_EXPERIMENTAL_OVERLAY := config/overlays/experimental -KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY := config/overlays/experimental-e2e - export STANDARD_RELEASE_MANIFEST := operator-controller.yaml export STANDARD_RELEASE_INSTALL := install.sh export EXPERIMENTAL_RELEASE_MANIFEST := operator-controller-experimental.yaml @@ -204,8 +199,8 @@ bingo-upgrade: $(BINGO) #EXHELP Upgrade tools .PHONY: verify-crd-compatibility CRD_DIFF_ORIGINAL_REF := git://main?path= CRD_DIFF_UPDATED_REF := file:// -CRD_DIFF_OPCON_SOURCE := config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml -CRD_DIFF_CATD_SOURCE := config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml +CRD_DIFF_OPCON_SOURCE := helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml +CRD_DIFF_CATD_SOURCE := helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml CRD_DIFF_CONFIG := crd-diff-config.yaml verify-crd-compatibility: $(CRD_DIFF) manifests $(CRD_DIFF) --config="${CRD_DIFF_CONFIG}" "${CRD_DIFF_ORIGINAL_REF}${CRD_DIFF_OPCON_SOURCE}" ${CRD_DIFF_UPDATED_REF}${CRD_DIFF_OPCON_SOURCE} diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index d24c20b01..1776b9b65 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -20,6 +20,7 @@ aliases: - thetechnick - tmshort - trgeiger + - pedjak api-approvers: - grokspawn diff --git a/api/v1/clustercatalog_types_test.go b/api/v1/clustercatalog_types_test.go index 0e61e94f2..71a64bc9e 100644 --- a/api/v1/clustercatalog_types_test.go +++ b/api/v1/clustercatalog_types_test.go 
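Review bot: The CRD compatibility gate now points both sides at `helm/olmv1/base/...`, but `CRD_DIFF_ORIGINAL_REF` is still `git://main?path=`, so until this relocation is on `main` the original side names a path that does not exist there and `verify-crd-compatibility` will either fail or, depending on how crd-diff treats a missing original, compare against nothing. For the transition I would keep a separate original-side path, e.g. `CRD_DIFF_OPCON_ORIGINAL_SOURCE := config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml` used only with `${CRD_DIFF_ORIGINAL_REF}`, and drop it once main carries the new layout. Note also that only the ClusterExtension and ClusterCatalog CRDs are diffed, so the ClusterExtensionRevision schema change elsewhere in this PR is not covered by this gate at all. The recipe continues outside the hunk.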
@@ -20,7 +20,7 @@ import ( "sigs.k8s.io/yaml" ) -const crdFilePath = "../../config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" +const crdFilePath = "../../helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" func TestImageSourceCELValidationRules(t *testing.T) { validators := fieldValidatorsFromFile(t, crdFilePath) diff --git a/api/v1/clusterextensionrevision_types.go b/api/v1/clusterextensionrevision_types.go index f06b1e262..b94abd107 100644 --- a/api/v1/clusterextensionrevision_types.go +++ b/api/v1/clusterextensionrevision_types.go 
@@ -49,19 +49,22 @@ type ClusterExtensionRevisionSpec struct { // +kubebuilder:validation:Enum=Active;Paused;Archived // +kubebuilder:validation:XValidation:rule="oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived' && oldSelf == self", message="can not un-archive" LifecycleState ClusterExtensionRevisionLifecycleState `json:"lifecycleState,omitempty"` - // Revision number orders changes over time, must always be previous revision +1. + // Revision is a sequence number representing a specific revision of the ClusterExtension instance. + // Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + // a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. // // +kubebuilder:validation:Required + // +kubebuilder:validation:Minimum:=1 // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="revision is immutable" Revision int64 `json:"revision"` // Phases are groups of objects that will be applied at the same time. - // All objects in the a phase will have to pass their probes in order to progress to the next phase. + // All objects in the phase will have to pass their probes in order to progress to the next phase. // - // +kubebuilder:validation:Required // +kubebuilder:validation:XValidation:rule="self == oldSelf || oldSelf.size() == 0", message="phases is immutable" // +listType=map // +listMapKey=name - Phases []ClusterExtensionRevisionPhase `json:"phases"` + // +optional + Phases []ClusterExtensionRevisionPhase `json:"phases,omitempty"` // Previous references previous revisions that objects can be adopted from. // // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="previous is immutable" 
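Review bot: Making `phases` optional with `omitempty` appears to open a path around the `phases is immutable` rule: the field-level transition rule `self == oldSelf || oldSelf.size() == 0` is, as far as I understand CRD CEL semantics, only evaluated when the field is present on both the old and the new object, so an update that omits `phases` entirely after it was populated is not checked, whereas the removed `Required` marker used to reject that. A type-level rule on the struct closes the gap, e.g. `// +kubebuilder:validation:XValidation:rule="!has(oldSelf.phases) || oldSelf.phases.size() == 0 || has(self.phases)", message="phases cannot be removed once set"`. Separately, the new doc text promises per-parent uniqueness and "previous revision +1", neither of which the schema can enforce (`Minimum:=1` and `self == oldSelf` are the only checks on `revision`), so I would word it as `// Revision must be unique per parent ClusterExtension and equal to the previous revision +1; this is enforced by the controller, not by the API schema.` The `ClusterExtensionRevisionSpec` struct continues beyond this hunk.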
@@ -104,6 +107,7 @@ type ClusterExtensionRevisionObject struct { // already existing on the cluster or even owned by another controller. // // +kubebuilder:default="Prevent" + // +optional CollisionProtection CollisionProtection `json:"collisionProtection,omitempty"` } diff --git a/api/v1/clusterextensionrevision_types_test.go b/api/v1/clusterextensionrevision_types_test.go new file mode 100644 index 000000000..9792826fb --- /dev/null +++ b/api/v1/clusterextensionrevision_types_test.go 
@@ -0,0 +1,142 @@
+package v1
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestClusterExtensionRevisionImmutability(t *testing.T) {
+ c := newClient(t)
+ ctx := context.Background()
+ i := 0
+ for name, tc := range map[string]struct {
+ spec ClusterExtensionRevisionSpec
+ updateFunc func(*ClusterExtensionRevision)
+ allowed bool
+ }{
+ "revision is immutable": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: 1,
+ },
+ updateFunc: func(cer *ClusterExtensionRevision) {
+ cer.Spec.Revision = 2
+ },
+ },
+ "phases may be initially empty": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: 1,
+ Phases: []ClusterExtensionRevisionPhase{},
+ },
+ updateFunc: func(cer *ClusterExtensionRevision) {
+ cer.Spec.Phases = []ClusterExtensionRevisionPhase{
+ {
+ Name: "foo",
+ Objects: []ClusterExtensionRevisionObject{},
+ },
+ }
+ },
+ allowed: true,
+ },
+ "phases may be initially unset": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: 1,
+ },
+ updateFunc: func(cer *ClusterExtensionRevision) {
+ cer.Spec.Phases = []ClusterExtensionRevisionPhase{
+ {
+ Name: "foo",
+ Objects: []ClusterExtensionRevisionObject{},
+ },
+ }
+ },
+ allowed: true,
+ },
+ "phases are immutable if not empty": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: 1,
+ Phases: []ClusterExtensionRevisionPhase{
+ {
+ Name: "foo",
+ Objects: []ClusterExtensionRevisionObject{},
+ },
+ },
+ },
+ updateFunc: func(cer *ClusterExtensionRevision) {
+ cer.Spec.Phases = []ClusterExtensionRevisionPhase{
+ {
+ Name: "foo2",
+ Objects: []ClusterExtensionRevisionObject{},
+ },
+ }
+ },
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ cer := &ClusterExtensionRevision{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("foo%d", i),
+ },
+ Spec: tc.spec,
+ }
+ i = i + 1
+ require.NoError(t, c.Create(ctx, cer))
+ tc.updateFunc(cer)
+ err := c.Update(ctx, cer)
+ if tc.allowed && err != nil {
+ t.Fatal("expected update to succeed, but got:", err)
+ }
+ if !tc.allowed && !errors.IsInvalid(err) {
+ t.Fatal("expected update to fail due to invalid payload, but got:", err)
+ }
+ })
+ }
+}
+
+func TestClusterExtensionRevisionValidity(t *testing.T) {
+ c := newClient(t)
+ ctx := context.Background()
+ i := 0
+ for name, tc := range map[string]struct {
+ spec ClusterExtensionRevisionSpec
+ valid bool
+ }{
+ "revision cannot be negative": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: -1,
+ },
+ valid: false,
+ },
+ "revision cannot be zero": {
+ spec: ClusterExtensionRevisionSpec{},
+ valid: false,
+ },
+ "revision must be positive": {
+ spec: ClusterExtensionRevisionSpec{
+ Revision: 1,
+ },
+ valid: true,
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ cer := &ClusterExtensionRevision{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("bar%d", i),
+ },
+ Spec: tc.spec,
+ }
+ i = i + 1
+ err := c.Create(ctx, cer)
+ if tc.valid && err != nil {
+ t.Fatal("expected create to succeed, but got:", err)
+ }
+ if !tc.valid && !errors.IsInvalid(err) {
+ t.Fatal("expected create to fail due to invalid payload, but got:", err)
+ }
+ })
+ }
+}
diff --git a/api/v1/suite_test.go b/api/v1/suite_test.go
new file mode 100644
index 000000000..bc7a0c22b
--- /dev/null
+++ b/api/v1/suite_test.go
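Review bot: TestClusterExtensionRevisionImmutability never exercises the transition the API change makes possible: with `phases` now optional, an update that drops the field after it was populated (`cer.Spec.Phases = nil`) is not covered, and that is precisely the case a field-level CEL transition rule cannot see. The rejection branches also accept any `Invalid` status error, so a rejection for an unrelated reason would still pass; pinning the message with `require.ErrorContains(t, err, "is immutable")` in the immutability test would make the assertion meaningful. The created objects are never deleted, which is fine while names are counter-unique but worth a `t.Cleanup` if this suite grows. A case for the removal path would look like:
```go
// … unchanged: existing cases …
"phases cannot be removed once set": {
	spec: ClusterExtensionRevisionSpec{
		Revision: 1,
		Phases:   []ClusterExtensionRevisionPhase{{Name: "foo", Objects: []ClusterExtensionRevisionObject{}}},
	},
	updateFunc: func(cer *ClusterExtensionRevision) {
		cer.Spec.Phases = nil
	},
},
```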
@@ -0,0 +1,61 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "log"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ apimachineryruntime "k8s.io/apimachinery/pkg/runtime"
+ utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+ "k8s.io/client-go/rest"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/operator-framework/operator-controller/test"
+)
+
+func newScheme(t *testing.T) *apimachineryruntime.Scheme {
+ sch := apimachineryruntime.NewScheme()
+ require.NoError(t, AddToScheme(sch))
+ return sch
+}
+
+func newClient(t *testing.T) client.Client {
+ cl, err := client.New(config, client.Options{Scheme: newScheme(t)})
+ require.NoError(t, err)
+ require.NotNil(t, cl)
+ return cl
+}
+
+var config *rest.Config
+
+func TestMain(m *testing.M) {
+ testEnv := test.NewEnv()
+
+ var err error
+ config, err = testEnv.Start()
+ utilruntime.Must(err)
+ if config == nil {
+ log.Panic("expected cfg to not be nil")
+ }
+
+ code := m.Run()
+ utilruntime.Must(testEnv.Stop())
+ os.Exit(code)
+}
diff --git a/commitchecker.yaml b/commitchecker.yaml
index ba47d14b7..f9c98c8b4 100644
--- a/commitchecker.yaml
+++ b/commitchecker.yaml
@@ -1,4 +1,4 @@
-expectedMergeBase: 33fdce258350eb563885ee41da087491a15829bd
+expectedMergeBase: 0faf118ce37219d518ed380d76101fc3a083a3dd
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller
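Review bot: `testEnv.Stop()` in TestMain is only reached on the happy path: a `Start` failure panics in `utilruntime.Must` before any stop (which may leave a partially started envtest control plane behind, depending on what `test.NewEnv` does internally), and a `Stop` error after the run panics and discards `code`, so the binary exits non-zero for the wrong reason. I would log instead of panic on stop and keep the exit code: `code := m.Run()` / `if err := testEnv.Stop(); err != nil { log.Printf("stopping envtest: %v", err) }` / `os.Exit(code)`. The `config == nil` check right after `Must(err)` only matters if `test.NewEnv` can return a nil config with a nil error, which is not visible here; a one-line comment stating that intent would keep the next reader from deleting it. Which CRDs the env loads is also decided inside `test.NewEnv`, so these tests silently depend on it being updated to the relocated `helm/olmv1/base` CRD directory.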
diff --git a/config/README.md b/config/README.md index 24652b9a4..6fe4ab889 100644 --- a/config/README.md +++ b/config/README.md 
@@ -1,87 +1,5 @@ # OPERATOR-CONTROLLER CONFIGURATION -The main kustomize targets are all located in the `config/overlays` directory. These are the directories that should be passed to kustomize: - -e.g. -``` -kustomize build config/overlays/standard > standard.yaml -``` - -# Overlays - -All other directories are in support of of these overlays. - -## config/overlays/basic-olm - -This includes basic support for an insecure (non-TLS) OLMv1 deployment. - -## config/overlays/standard - -This includes support for a secure (i.e. with TLS) configuration of OLMv1. This configuration requires cert-manager. - -This configuration is used to generate `manifests/standard.yaml`. - -## config/overlays/standard-e2e - -This provides additional configuration support for end-to-end testing, including code coverage. This configuration requires cert-manager. - -This configuration is used to generate `manifests/standard-e2e.yaml`. - -## config/overlays/prometheus - -Overlay containing manifest files which enable prometheus scraping of the catalogd and operator-controller pods. Used during e2e runs to measure performance over the lifetime of the test. - -These manifests will not end up in the `manifests/` folder, as they must be applied in two distinct steps to avoid issues with applying prometheus CRDs and CRs simultaneously. - -Performance alert settings can be found in: `config/overlays/prometheus/prometheus_rule.yaml` - -## config/overlays/experimental - -This provides additional configuration used to support experimental features, including CRDs. This configuration requires cert-manager. - -This configuration is used to generate `manifests/experimental.yaml`. - -## config/overlays/experimental-e2e - -This provides experimental configuration and support for end-to-end testing, includng code coverage. This configuration requires cert-manager. - -This configuration is used to generate `manifests/experimental-e2e.yaml`. 
- -## config/overlays/tilt-local-dev - -This provides configuration for Tilt debugging support. - -# Components - -Components are the kustomize configuration building blocks. - -## config/components/base - -This directory provides multiple configurations for organizing the base configuration into standard and experimental configurations. - -:bangbang: *The following rules should be followed when configurating a feature:* - -* Feature components that are GA'd and should be part of the standard manifest should be listed in `config/components/base/common/kustomization.yaml`. This `commmon` kustomization file is included by *both* the **standard** and **experimental** configurations. -* Feature components that are still experimental and should be part of the standard manifest should be listed only in `config/components/base/experimental/kustomization.yaml`. - -## config/components/features - -This directory contains contains configuration for features (experimental or otherwise). - -:bangbang: *Feature configuration should be placed into a subdirectory here.* - -## config/components/cert-manager - -This directory provides configuration for using cert-manager with OLMv1. - -## config/components/e2e - -This directory provides configuration for end-to-end testing of OLMv1. - -# Base Configuration - -The `config/base` directory contains the base kubebuilder-generated configuration, along with CRDs. - -# Samples +## Samples The `config/samples` directory contains example ClusterCatalog and ClusterExtension resources. diff --git a/config/base/catalogd/crd/OWNERS b/config/base/catalogd/crd/OWNERS deleted file mode 100644 index 71df7cfc5..000000000 --- a/config/base/catalogd/crd/OWNERS +++ /dev/null @@ -1,2 +0,0 @@ -approvers: - - api-approvers diff --git a/config/base/catalogd/crd/experimental/kustomization.yaml b/config/base/catalogd/crd/experimental/kustomization.yaml deleted file mode 100644 index 2069f1c13..000000000 
--- a/config/base/catalogd/crd/experimental/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- olm.operatorframework.io_clustercatalogs.yaml diff --git a/config/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml b/config/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml deleted file mode 100644 index c78a57b92..000000000 --- a/config/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml +++ /dev/null 
@@ -1,442 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - olm.operatorframework.io/generator: experimental - name: clustercatalogs.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterCatalog - listKind: ClusterCatalogList - plural: clustercatalogs - singular: clustercatalog - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. 
- properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". - - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. 
- format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
- The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. 
the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
- When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". 
- format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/base/catalogd/crd/kustomization.yaml b/config/base/catalogd/crd/kustomization.yaml deleted file mode 100644 index 5d7501c33..000000000 --- a/config/base/catalogd/crd/kustomization.yaml +++ /dev/null 
@@ -1,4 +0,0 @@
-# This kustomization picks the standard CRD by default
-# If the experimental CRD is desired, select that directory explicitly
-resources:
-- standard
diff --git a/config/base/catalogd/crd/standard/kustomization.yaml b/config/base/catalogd/crd/standard/kustomization.yaml
deleted file mode 100644
index 2069f1c13..000000000
--- a/config/base/catalogd/crd/standard/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- olm.operatorframework.io_clustercatalogs.yaml
diff --git a/config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml b/config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml
deleted file mode 100644
index 94f1d7121..000000000
--- a/config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml
+++ /dev/null
@@ -1,442 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.19.0
- olm.operatorframework.io/generator: standard
- name: clustercatalogs.olm.operatorframework.io
-spec:
- group: olm.operatorframework.io
- names:
- kind: ClusterCatalog
- listKind: ClusterCatalogList
- plural: clustercatalogs
- singular: clustercatalog
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .status.lastUnpacked
- name: LastUnpacked
- type: date
- - jsonPath: .status.conditions[?(@.type=="Serving")].status
- name: Serving
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster.
- For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: |-
- spec is the desired state of the ClusterCatalog.
- spec is required.
- The controller will work to ensure that the desired
- catalog is unpacked and served over the catalog content HTTP server.
- properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". - - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. 
- format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
- The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. 
the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
- When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". 
- format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/base/catalogd/kustomization.yaml b/config/base/catalogd/kustomization.yaml deleted file mode 100644 index 67e52bb9d..000000000 --- a/config/base/catalogd/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@
-# Does not include the CRD, which must be added separately (it's non-namespaced)
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namePrefix: catalogd-
-resources:
-- manager
diff --git a/config/base/catalogd/manager/kustomization.yaml b/config/base/catalogd/manager/kustomization.yaml
deleted file mode 100644
index 111cdf624..000000000
--- a/config/base/catalogd/manager/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-resources:
-- manager.yaml
-- service.yaml
-- network_policy.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-images:
-- name: controller
- newName: quay.io/operator-framework/catalogd
- newTag: devel
diff --git a/config/base/catalogd/manager/manager.yaml b/config/base/catalogd/manager/manager.yaml
deleted file mode 100644
index 06199f293..000000000
--- a/config/base/catalogd/manager/manager.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: olmv1-system
- annotations:
- kubectl.kubernetes.io/default-logs-container: manager
- labels:
- control-plane: catalogd-controller-manager
-spec:
- selector:
- matchLabels:
- control-plane: catalogd-controller-manager
- replicas: 1
- minReadySeconds: 5
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: manager
- labels:
- control-plane: catalogd-controller-manager
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- - s390x
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - command:
- - ./catalogd
- args:
- - --leader-elect
- - --metrics-bind-address=:7443
- - --external-address=catalogd-service.$(POD_NAMESPACE).svc
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- image: controller:latest
- name: manager
- volumeMounts:
- - name: cache
- mountPath: /var/cache/
- - name: tmp
- mountPath: /tmp
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
- resources:
- requests:
- cpu: 100m
- memory: 200Mi
- imagePullPolicy: IfNotPresent
- terminationMessagePolicy: FallbackToLogsOnError
- serviceAccountName: controller-manager
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cache
- emptyDir: {}
- - name: tmp
- emptyDir: {}
diff --git a/config/base/catalogd/manager/network_policy.yaml b/config/base/catalogd/manager/network_policy.yaml
deleted file mode 100644
index 27df08193..000000000
--- a/config/base/catalogd/manager/network_policy.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: controller-manager
- namespace: olmv1-system
-spec:
- podSelector:
- matchLabels:
- control-plane: catalogd-controller-manager
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - ports:
- - protocol: TCP
- port: 7443 # metrics
- - protocol: TCP
- port: 8443 # catalogd http server
- - protocol: TCP
- port: 9443 # webhook
- egress:
- - {} # Allows all egress traffic (needed to pull catalog images from arbitrary image registries)
diff --git a/config/base/catalogd/manager/service.yaml b/config/base/catalogd/manager/service.yaml
deleted file mode 100644
index 4f423ae42..000000000
--- a/config/base/catalogd/manager/service.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/part-of: olm
- app.kubernetes.io/name: catalogd
- name: service
- namespace: olmv1-system
-spec:
- selector:
- control-plane: catalogd-controller-manager
- ports:
- - name: http
- protocol: TCP
- port: 80
- targetPort: 8443
- - name: webhook
- protocol: TCP
- port: 9443
- targetPort: 9443
- - name: metrics
- protocol: TCP
- port: 7443
- targetPort: 7443
diff --git a/config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml b/config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index ab8871b2e..000000000
--- a/config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/part-of: olm
- app.kubernetes.io/name: catalogd
- name: metrics-reader
-rules:
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
diff --git a/config/base/catalogd/rbac/common/auth_proxy_role.yaml b/config/base/catalogd/rbac/common/auth_proxy_role.yaml
deleted file mode 100644
index 3edf78f58..000000000
--- a/config/base/catalogd/rbac/common/auth_proxy_role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/part-of: olm
- app.kubernetes.io/name: catalogd
- name: proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
diff --git a/config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml b/config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml
deleted file mode 100644
index 1c44eec98..000000000
--- a/config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/part-of: olm
- app.kubernetes.io/name: catalogd
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: olmv1-system
diff --git a/config/base/catalogd/rbac/common/kustomization.yaml b/config/base/catalogd/rbac/common/kustomization.yaml
deleted file mode 100644
index 7ea680d16..000000000
--- a/config/base/catalogd/rbac/common/kustomization.yaml
+++ /dev/null
@@ -1,19 +0,0 @@ -resources: -# All RBAC will be applied under this service account in -# the deployment namespace. You may comment out this resource -# if your manager will use a service account that exists at -# runtime. Be sure to update RoleBinding and ClusterRoleBinding -# subjects if changing service account names. -- service_account.yaml -- role_binding.yaml -- leader_election_role.yaml -- leader_election_role_binding.yaml -# The following RBAC configurations are used to protect -# the metrics endpoint with authn/authz. These configurations -# ensure that only authorized users and service accounts -# can access the metrics endpoint. Comment the following -# permissions if you want to disable this protection. -# More info: https://book.kubebuilder.io/reference/metrics.html -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml diff --git a/config/base/catalogd/rbac/common/leader_election_role.yaml b/config/base/catalogd/rbac/common/leader_election_role.yaml deleted file mode 100644 index 1b89e50a7..000000000 --- a/config/base/catalogd/rbac/common/leader_election_role.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# permissions to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/part-of: olm - app.kubernetes.io/name: catalogd - name: leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/config/base/catalogd/rbac/common/leader_election_role_binding.yaml b/config/base/catalogd/rbac/common/leader_election_role_binding.yaml deleted file mode 100644 index 2f198acfa..000000000 
--- a/config/base/catalogd/rbac/common/leader_election_role_binding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/part-of: olm - app.kubernetes.io/name: catalogd - name: leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: olmv1-system diff --git a/config/base/catalogd/rbac/common/role_binding.yaml b/config/base/catalogd/rbac/common/role_binding.yaml deleted file mode 100644 index 5ebca546b..000000000 --- a/config/base/catalogd/rbac/common/role_binding.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/part-of: olm - app.kubernetes.io/name: catalogd - name: manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/part-of: olm - app.kubernetes.io/name: catalogd - name: manager-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: manager-role -subjects: - - kind: ServiceAccount - name: controller-manager - namespace: olmv1-system diff --git a/config/base/catalogd/rbac/common/service_account.yaml b/config/base/catalogd/rbac/common/service_account.yaml deleted file mode 100644 index 102667ae4..000000000 --- a/config/base/catalogd/rbac/common/service_account.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/part-of: olm - app.kubernetes.io/name: catalogd - name: controller-manager - namespace: olmv1-system 
diff --git a/config/base/catalogd/rbac/experimental/kustomization.yaml b/config/base/catalogd/rbac/experimental/kustomization.yaml deleted file mode 100644 index b7f92edf4..000000000 --- a/config/base/catalogd/rbac/experimental/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: olmv1-system -namePrefix: catalogd- -resources: -- ../common -- role.yaml diff --git a/config/base/catalogd/rbac/experimental/role.yaml b/config/base/catalogd/rbac/experimental/role.yaml deleted file mode 100644 index c887c7c4f..000000000 --- a/config/base/catalogd/rbac/experimental/role.yaml +++ /dev/null @@ -1,48 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch diff --git a/config/base/catalogd/rbac/kustomization.yaml b/config/base/catalogd/rbac/kustomization.yaml deleted file mode 100644 index 63c9d6895..000000000 --- a/config/base/catalogd/rbac/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# This kustomization picks the standard rbac by default -# If the experimental rbac is desired, select that directory explicitly -resources: -- standard diff --git a/config/base/catalogd/rbac/standard/kustomization.yaml b/config/base/catalogd/rbac/standard/kustomization.yaml deleted file mode 100644 index f18de0c5b..000000000 
--- a/config/base/catalogd/rbac/standard/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: olmv1-system -namePrefix: catalogd- -resources: - - ../common - - role.yaml diff --git a/config/base/catalogd/rbac/standard/role.yaml b/config/base/catalogd/rbac/standard/role.yaml deleted file mode 100644 index c887c7c4f..000000000 --- a/config/base/catalogd/rbac/standard/role.yaml +++ /dev/null @@ -1,48 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch diff --git a/config/base/catalogd/webhook/experimental/kustomization.yaml b/config/base/catalogd/webhook/experimental/kustomization.yaml deleted file mode 100644 index 65f0f61ef..000000000 --- a/config/base/catalogd/webhook/experimental/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ -resources: -- manifests.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: olmv1-system -namePrefix: catalogd- -patches: -- path: patch.yaml - target: - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - version: v1 diff --git a/config/base/catalogd/webhook/experimental/manifests.yaml b/config/base/catalogd/webhook/experimental/manifests.yaml deleted file mode 100644 index a5842de42..000000000 
--- a/config/base/catalogd/webhook/experimental/manifests.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - failurePolicy: Fail - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 diff --git a/config/base/catalogd/webhook/experimental/patch.yaml b/config/base/catalogd/webhook/experimental/patch.yaml deleted file mode 100644 index ab8528c76..000000000 --- a/config/base/catalogd/webhook/experimental/patch.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# None of these values can be set via the kubebuilder directive, hence this patch -- op: replace - path: /webhooks/0/clientConfig/service/namespace - value: olmv1-system -- op: replace - path: /webhooks/0/clientConfig/service/name - value: catalogd-service -- op: add - path: /webhooks/0/clientConfig/service/port - value: 9443 -# Make sure there's a name defined, otherwise, we can't create a label. This could happen when generateName is set -# Then, if any of the conditions are true, create the label: -# 1. No labels exist -# 2. The olm.operatorframework.io/metadata.name label doesn't exist -# 3. The olm.operatorframework.io/metadata.name label doesn't match the name -- op: add - path: /webhooks/0/matchConditions - value: - - name: MissingOrIncorrectMetadataNameLabel - expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
diff --git a/config/base/catalogd/webhook/kustomization.yaml b/config/base/catalogd/webhook/kustomization.yaml deleted file mode 100644 index aa908830c..000000000 --- a/config/base/catalogd/webhook/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# This kustomization picks the standard webhook by default -# If the experimental webhook is desired, select that directory explicitly -resources: -- standard diff --git a/config/base/catalogd/webhook/standard/kustomization.yaml b/config/base/catalogd/webhook/standard/kustomization.yaml deleted file mode 100644 index 65f0f61ef..000000000 --- a/config/base/catalogd/webhook/standard/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ -resources: -- manifests.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: olmv1-system -namePrefix: catalogd- -patches: -- path: patch.yaml - target: - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - version: v1 diff --git a/config/base/catalogd/webhook/standard/manifests.yaml b/config/base/catalogd/webhook/standard/manifests.yaml deleted file mode 100644 index a5842de42..000000000 --- a/config/base/catalogd/webhook/standard/manifests.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - failurePolicy: Fail - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 diff --git a/config/base/catalogd/webhook/standard/patch.yaml b/config/base/catalogd/webhook/standard/patch.yaml deleted file mode 100644 index ab8528c76..000000000 
--- a/config/base/catalogd/webhook/standard/patch.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# None of these values can be set via the kubebuilder directive, hence this patch -- op: replace - path: /webhooks/0/clientConfig/service/namespace - value: olmv1-system -- op: replace - path: /webhooks/0/clientConfig/service/name - value: catalogd-service -- op: add - path: /webhooks/0/clientConfig/service/port - value: 9443 -# Make sure there's a name defined, otherwise, we can't create a label. This could happen when generateName is set -# Then, if any of the conditions are true, create the label: -# 1. No labels exist -# 2. The olm.operatorframework.io/metadata.name label doesn't exist -# 3. The olm.operatorframework.io/metadata.name label doesn't match the name -- op: add - path: /webhooks/0/matchConditions - value: - - name: MissingOrIncorrectMetadataNameLabel - expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" diff --git a/config/base/common/kustomization.yaml b/config/base/common/kustomization.yaml deleted file mode 100644 index be904a9ab..000000000 --- a/config/base/common/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- namespace.yaml -- network_policy.yaml diff --git a/config/base/common/namespace.yaml b/config/base/common/namespace.yaml deleted file mode 100644 index ede0bfd8f..000000000 --- a/config/base/common/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/part-of: olm - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest - name: olmv1-system 
diff --git a/config/base/common/network_policy.yaml b/config/base/common/network_policy.yaml deleted file mode 100644 index e63015da3..000000000 --- a/config/base/common/network_policy.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: { } - policyTypes: - - Ingress - - Egress - diff --git a/config/base/operator-controller/crd/OWNERS b/config/base/operator-controller/crd/OWNERS deleted file mode 100644 index 71df7cfc5..000000000 --- a/config/base/operator-controller/crd/OWNERS +++ /dev/null @@ -1,2 +0,0 @@ -approvers: - - api-approvers diff --git a/config/base/operator-controller/crd/experimental/kustomization.yaml b/config/base/operator-controller/crd/experimental/kustomization.yaml deleted file mode 100644 index f0315ce34..000000000 --- a/config/base/operator-controller/crd/experimental/kustomization.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: -- olm.operatorframework.io_clusterextensions.yaml -- olm.operatorframework.io_clusterextensionrevisions.yaml diff --git a/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml b/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml deleted file mode 100644 index bd95361a0..000000000 --- a/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml +++ /dev/null 
@@ -1,204 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/generator: experimental - name: clusterextensionrevisions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtensionRevision - listKind: ClusterExtensionRevisionList - plural: clusterextensionrevisions - singular: clusterextensionrevision - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtensionRevision is the Schema for the clusterextensionrevisions - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - lifecycleState: - default: Active - description: Specifies the lifecycle state of the ClusterExtensionRevision. - enum: - - Active - - Paused - - Archived - type: string - x-kubernetes-validations: - - message: can not un-archive - rule: oldSelf == 'Active' || oldSelf == 'Paused' || oldSelf == 'Archived' - && oldSelf == self - phases: - description: |- - Phases are groups of objects that will be applied at the same time. 
- All objects in the a phase will have to pass their probes in order to progress to the next phase. - items: - description: |- - ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. - properties: - name: - description: Name identifies this phase. - maxLength: 63 - pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ - type: string - objects: - description: Objects are a list of all the objects within this - phase. - items: - description: ClusterExtensionRevisionObject contains an object - and settings for it. - properties: - collisionProtection: - default: Prevent - description: |- - CollisionProtection controls whether OLM can adopt and modify objects - already existing on the cluster or even owned by another controller. - type: string - object: - type: object - x-kubernetes-embedded-resource: true - x-kubernetes-preserve-unknown-fields: true - required: - - object - type: object - type: array - required: - - name - - objects - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: phases is immutable - rule: self == oldSelf || oldSelf.size() == 0 - previous: - description: Previous references previous revisions that objects can - be adopted from. - items: - properties: - name: - type: string - uid: - description: |- - UID is a type that holds unique ID values, including UUIDs. Because we - don't ONLY use UUIDs, this is an alias to string. Being a type captures - intent and helps make sure that UIDs and names do not get conflated. - type: string - required: - - name - - uid - type: object - type: array - x-kubernetes-validations: - - message: previous is immutable - rule: self == oldSelf - revision: - description: Revision number orders changes over time, must always - be previous revision +1. 
- format: int64 - type: integer - x-kubernetes-validations: - - message: revision is immutable - rule: self == oldSelf - required: - - phases - - revision - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml deleted file mode 100644 index 4cae796a6..000000000 --- a/config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml +++ /dev/null 
@@ -1,624 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - olm.operatorframework.io/generator: experimental - name: clusterextensions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtension - listKind: ClusterExtensionList - plural: clusterextensions - singular: clusterextension - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. 
- properties: - config: - description: |- - config contains optional configuration values applied during rendering of the - ClusterExtension's manifests. Values can be specified inline. - - config is optional. When not specified, the default configuration of the resolved bundle will be used. - properties: - configType: - description: |- - configType is a required reference to the type of configuration source. - - Allowed values are "Inline" - - When this field is set to "Inline", the cluster extension configuration is defined inline within the - ClusterExtension resource. - enum: - - Inline - type: string - inline: - description: |- - inline contains JSON or YAML values specified directly in the - ClusterExtension. - - inline must be set if configType is 'Inline'. - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - configType - type: object - x-kubernetes-validations: - - message: inline is required when configType is Inline, and forbidden - otherwise - rule: 'has(self.configType) && self.configType == ''Inline'' ?has(self.inline) - : !has(self.inline)' - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. 
- properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. 
- - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. 
Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? 
- has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. - When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. - type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/config/base/operator-controller/crd/kustomization.yaml b/config/base/operator-controller/crd/kustomization.yaml deleted file mode 100644 index 5d7501c33..000000000 --- a/config/base/operator-controller/crd/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -# This kustomization picks the standard CRD by default -# If the experimental CRD is desired, select that directory explicitly -resources: -- standard diff --git a/config/base/operator-controller/crd/standard/kustomization.yaml b/config/base/operator-controller/crd/standard/kustomization.yaml deleted file mode 100644 index 1c4db41af..000000000 --- a/config/base/operator-controller/crd/standard/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- olm.operatorframework.io_clusterextensions.yaml diff --git a/config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml deleted file mode 100644 index a0983e41f..000000000 --- a/config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml +++ /dev/null 
@@ -1,590 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - olm.operatorframework.io/generator: standard - name: clusterextensions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtension - listKind: ClusterExtensionList - plural: clusterextensions - singular: clusterextension - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. 
- properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. 
- This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. 
- - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. 
Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. 
Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. 
- - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. - When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
- BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string
- x-kubernetes-validations:
- - message: version must be well-formed semver
- rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?")
- required:
- - name
- - version
- type: object
- required:
- - bundle
- type: object
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/config/base/operator-controller/kustomization.yaml b/config/base/operator-controller/kustomization.yaml
deleted file mode 100644
index 4622afa97..000000000
--- a/config/base/operator-controller/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Does not include the CRD, which must be added separately (it's non-namespaced)
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namePrefix: operator-controller-
-resources:
-- manager
diff --git a/config/base/operator-controller/manager/kustomization.yaml b/config/base/operator-controller/manager/kustomization.yaml
deleted file mode 100644
index b480ada69..000000000
--- a/config/base/operator-controller/manager/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- manager.yaml
-- service.yaml
-- network_policy.yaml
-
-images:
-- name: controller
- newName: quay.io/operator-framework/operator-controller
- newTag: devel
diff --git a/config/base/operator-controller/manager/manager.yaml b/config/base/operator-controller/manager/manager.yaml
deleted file mode 100644
index dda835cf3..000000000
--- a/config/base/operator-controller/manager/manager.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: olmv1-system
- annotations:
- kubectl.kubernetes.io/default-logs-container: manager
- labels:
- control-plane: operator-controller-controller-manager
-spec:
- selector:
- matchLabels:
- control-plane: operator-controller-controller-manager
- replicas: 1
- template:
- metadata:
- annotations:
- kubectl.kubernetes.io/default-container: manager
- labels:
- control-plane: operator-controller-controller-manager
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- - s390x
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - command:
- - /operator-controller
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=:8443"
- - "--leader-elect"
- image: controller:latest
- imagePullPolicy: IfNotPresent
- name: manager
- volumeMounts:
- - name: cache
- mountPath: /var/cache
- - name: tmp
- mountPath: /tmp
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - "ALL"
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- httpGet:
- path: /readyz
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
- resources:
- requests:
- cpu: 10m
- memory: 64Mi
- terminationMessagePolicy: FallbackToLogsOnError
- serviceAccountName: operator-controller-controller-manager
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cache
- emptyDir: {}
- - name: tmp
- emptyDir: { }
diff --git a/config/base/operator-controller/manager/network_policy.yaml b/config/base/operator-controller/manager/network_policy.yaml
deleted file mode 100644
index 1659cea05..000000000
--- a/config/base/operator-controller/manager/network_policy.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: controller-manager
- namespace: olmv1-system
-spec:
- podSelector:
- matchLabels:
- control-plane: operator-controller-controller-manager
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - ports:
- - protocol: TCP
- port: 8443 # metrics
- egress:
- - {} # Allows all egress traffic (needed to pull bundle images from arbitrary image registries)
diff --git a/config/base/operator-controller/manager/service.yaml b/config/base/operator-controller/manager/service.yaml
deleted file mode 100644
index 752f62f8f..000000000
--- a/config/base/operator-controller/manager/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: service
- namespace: olmv1-system
- labels:
- control-plane: operator-controller-controller-manager
-spec:
- ports:
- - name: https
- port: 8443
- protocol: TCP
- targetPort: 8443
- selector:
- control-plane: operator-controller-controller-manager
diff --git a/config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml b/config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index 51a75db47..000000000
--- a/config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metrics-reader
-rules:
-- nonResourceURLs:
- - "/metrics"
- verbs:
- - get
diff --git a/config/base/operator-controller/rbac/common/auth_proxy_role.yaml b/config/base/operator-controller/rbac/common/auth_proxy_role.yaml
deleted file mode 100644
index 80e1857c5..000000000
--- a/config/base/operator-controller/rbac/common/auth_proxy_role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
diff --git a/config/base/operator-controller/rbac/common/auth_proxy_role_binding.yaml b/config/base/operator-controller/rbac/common/auth_proxy_role_binding.yaml
deleted file mode 100644
index 976e53bcd..000000000
--- a/config/base/operator-controller/rbac/common/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: olmv1-system
diff --git a/config/base/operator-controller/rbac/common/clusterextension_editor_role.yaml b/config/base/operator-controller/rbac/common/clusterextension_editor_role.yaml
deleted file mode 100644
index 61cd61ce3..000000000
--- a/config/base/operator-controller/rbac/common/clusterextension_editor_role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# permissions for end users to edit cluster extensions.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: clusterextension-editor-role
-rules:
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
diff --git a/config/base/operator-controller/rbac/common/clusterextension_viewer_role.yaml b/config/base/operator-controller/rbac/common/clusterextension_viewer_role.yaml
deleted file mode 100644
index bee8b9d9e..000000000
--- a/config/base/operator-controller/rbac/common/clusterextension_viewer_role.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# permissions for end users to view cluster extensions.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: clusterextension-viewer-role
-rules:
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions
- verbs:
- - get
- - list
- - watch
diff --git a/config/base/operator-controller/rbac/common/kustomization.yaml b/config/base/operator-controller/rbac/common/kustomization.yaml
deleted file mode 100644
index e81be963a..000000000
--- a/config/base/operator-controller/rbac/common/kustomization.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-
-# The following resources are pre-defined roles for editors and viewers
-# of APIs provided by this project.
-- clusterextension_editor_role.yaml
-- clusterextension_viewer_role.yaml
-
-# The following RBAC configurations are used to protect
-# the metrics endpoint with authn/authz. These configurations
-# ensure that only authorized users and service accounts
-# can access the metrics endpoint. Comment the following
-# permissions if you want to disable this protection.
-# More info: https://book.kubebuilder.io/reference/metrics.html
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
-
diff --git a/config/base/operator-controller/rbac/common/leader_election_role.yaml b/config/base/operator-controller/rbac/common/leader_election_role.yaml
deleted file mode 100644
index ef2d330fd..000000000
--- a/config/base/operator-controller/rbac/common/leader_election_role.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# permissions to do leader election.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: leader-election-role
- namespace: olmv1-system
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
diff --git a/config/base/operator-controller/rbac/common/leader_election_role_binding.yaml b/config/base/operator-controller/rbac/common/leader_election_role_binding.yaml
deleted file mode 100644
index f0c49d7fd..000000000
--- a/config/base/operator-controller/rbac/common/leader_election_role_binding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: leader-election-rolebinding
- namespace: olmv1-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: leader-election-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: olmv1-system
diff --git a/config/base/operator-controller/rbac/common/role_binding.yaml b/config/base/operator-controller/rbac/common/role_binding.yaml
deleted file mode 100644
index 430b599b3..000000000
--- a/config/base/operator-controller/rbac/common/role_binding.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-role
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: olmv1-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: manager-rolebinding
- namespace: olmv1-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: manager-role
-subjects:
- - kind: ServiceAccount
- name: controller-manager
- namespace: olmv1-system
diff --git a/config/base/operator-controller/rbac/common/service_account.yaml b/config/base/operator-controller/rbac/common/service_account.yaml
deleted file mode 100644
index 22f830f73..000000000
--- a/config/base/operator-controller/rbac/common/service_account.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: controller-manager
- namespace: olmv1-system
diff --git a/config/base/operator-controller/rbac/experimental/kustomization.yaml b/config/base/operator-controller/rbac/experimental/kustomization.yaml
deleted file mode 100644
index 7d430c538..000000000
--- a/config/base/operator-controller/rbac/experimental/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: olmv1-system
-namePrefix: operator-controller-
-resources:
- - ../common
- - role.yaml
diff --git a/config/base/operator-controller/rbac/experimental/role.yaml b/config/base/operator-controller/rbac/experimental/role.yaml
deleted file mode 100644
index ea0d24fd0..000000000
--- a/config/base/operator-controller/rbac/experimental/role.yaml
+++ /dev/null
@@ -1,101 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: manager-role
-rules:
-- apiGroups:
- - ""
- resources:
- - serviceaccounts/token
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensionrevisions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensionrevisions/finalizers
- - clusterextensions/finalizers
- verbs:
- - update
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensionrevisions/status
- - clusterextensions/status
- verbs:
- - patch
- - update
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - rolebindings
- - roles
- verbs:
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: manager-role
- namespace: olmv1-system
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - list
- - watch
diff --git a/config/base/operator-controller/rbac/kustomization.yaml b/config/base/operator-controller/rbac/kustomization.yaml
deleted file mode 100644
index 63c9d6895..000000000
--- a/config/base/operator-controller/rbac/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# This kustomization picks the standard rbac by default
-# If the experimental rbac is desired, select that directory explicitly
-resources:
-- standard
diff --git a/config/base/operator-controller/rbac/standard/kustomization.yaml b/config/base/operator-controller/rbac/standard/kustomization.yaml
deleted file mode 100644
index 7d430c538..000000000
--- a/config/base/operator-controller/rbac/standard/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: olmv1-system
-namePrefix: operator-controller-
-resources:
- - ../common
- - role.yaml
diff --git a/config/base/operator-controller/rbac/standard/role.yaml b/config/base/operator-controller/rbac/standard/role.yaml
deleted file mode 100644
index bb1cbe626..000000000
--- a/config/base/operator-controller/rbac/standard/role.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: manager-role
-rules:
-- apiGroups:
- - ""
- resources:
- - serviceaccounts/token
- verbs:
- - create
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions/finalizers
- verbs:
- - update
-- apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions/status
- verbs:
- - patch
- - update
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - rolebindings
- - roles
- verbs:
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: manager-role
- namespace: olmv1-system
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - list
- - watch
diff --git a/config/catalogs/nginx-ingress/kustomization.yaml b/config/catalogs/nginx-ingress/kustomization.yaml
deleted file mode 100644
index 7bdced5d6..000000000
--- a/config/catalogs/nginx-ingress/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ../default
-- resources/nginx_ingress.yaml
-- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
diff --git a/config/catalogs/nginx-ingress/resources/nginx_ingress.yaml b/config/catalogs/nginx-ingress/resources/nginx_ingress.yaml
deleted file mode 100644
index 81f775fba..000000000
--- a/config/catalogs/nginx-ingress/resources/nginx_ingress.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: catalogd-ingress
- namespace: olmv1-system
-spec:
- ingressClassName: nginx
- rules:
- - http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: catalogd-service
- port:
- number: 80
diff --git a/config/components/base/common/kustomization.yaml b/config/components/base/common/kustomization.yaml
deleted file mode 100644
index c71105d79..000000000
--- a/config/components/base/common/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-# resources contains the minimal required base, EXCEPT CRDs
-resources:
-- ../../../base/catalogd
-- ../../../base/operator-controller
-- ../../../base/common
-# components should include any GA'd features (none as of now)
-# they should not be listed in the standard config, as they will be excluded from the experimental manifest
-components:
diff --git a/config/components/base/experimental/kustomization.yaml b/config/components/base/experimental/kustomization.yaml
deleted file mode 100644
index f69e0e973..000000000
--- a/config/components/base/experimental/kustomization.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-# Pull in the experimental CRDs
-resources:
-- ../../../base/catalogd/crd/experimental
-- ../../../base/catalogd/rbac/experimental
-- ../../../base/catalogd/webhook/experimental
-- ../../../base/operator-controller/crd/experimental
-- ../../../base/operator-controller/rbac/experimental
-# Pull in the component(s) common to standard and experimental
-components:
-- ../common
-# EXPERIMENTAL FEATURES ARE LISTED HERE
-- ../../features/webhook-provider-certmanager
-- ../../features/single-own-namespace
-- ../../features/preflight-permissions
-- ../../features/apiv1-metas-handler
-- ../../features/helm-chart
-- ../../features/boxcutter-runtime
-# This one is downstream only, so we shant use it
-# - ../../features/webhook-provider-openshift-serviceca
diff --git a/config/components/base/standard/kustomization.yaml b/config/components/base/standard/kustomization.yaml
deleted file mode 100644
index 84ce224c0..000000000
--- a/config/components/base/standard/kustomization.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-# Pull in the standard CRDs
-resources:
-- ../../../base/catalogd/crd/standard
-- ../../../base/catalogd/rbac/standard
-- ../../../base/catalogd/webhook/standard
-- ../../../base/operator-controller/crd/standard
-- ../../../base/operator-controller/rbac/standard
-# Pull in the component(s) common to standard and experimental
-components:
-- ../common
-# GA'D FEATURES ARE LISTED IN THE COMMON CONFIG, NOT HERE
diff --git a/config/components/cert-manager/ca/issuers.yaml b/config/components/cert-manager/ca/issuers.yaml
deleted file mode 100644
index 7725ebff0..000000000
--- a/config/components/cert-manager/ca/issuers.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: self-sign-issuer
- namespace: cert-manager
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: olmv1-ca
- namespace: cert-manager
-spec:
- isCA: true
- commonName: olmv1-ca
- secretName: olmv1-ca
- secretTemplate:
- annotations:
- cert-manager.io/allow-direct-injection: "true"
- privateKey:
- rotationPolicy: Always
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: self-sign-issuer
- kind: Issuer
- group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: olmv1-ca
-spec:
- ca:
- secretName: olmv1-ca
diff --git a/config/components/cert-manager/ca/kustomization.yaml b/config/components/cert-manager/ca/kustomization.yaml
deleted file mode 100644
index 5cbe13ad2..000000000
--- a/config/components/cert-manager/ca/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-# No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
-resources:
-- issuers.yaml
diff --git a/config/components/cert-manager/catalogd/kustomization.yaml b/config/components/cert-manager/catalogd/kustomization.yaml
deleted file mode 100644
index 1e14d0abf..000000000
--- a/config/components/cert-manager/catalogd/kustomization.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
-- resources/certificate.yaml
-patches:
-- target:
- kind: Service
- labelSelector: app.kubernetes.io/name=catalogd
- path: patches/catalogd_service_port.yaml
-- target:
- kind: Deployment
- labelSelector: control-plane=catalogd-controller-manager
- path: patches/manager_deployment_certs.yaml
-- target:
- kind: Deployment
- labelSelector: control-plane=catalogd-controller-manager
- path: patches/manager_deployment_cacerts.yaml
-- target:
- group: admissionregistration.k8s.io
- kind: MutatingWebhookConfiguration
- name: mutating-webhook-configuration
- version: v1
- path: patches/catalogd_webhook.yaml
diff --git a/config/components/cert-manager/catalogd/patches/catalogd_service_port.yaml b/config/components/cert-manager/catalogd/patches/catalogd_service_port.yaml
deleted file mode 100644
index b5b88bb47..000000000
--- a/config/components/cert-manager/catalogd/patches/catalogd_service_port.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-- op: replace
- path: /spec/ports/0/port
- value: 443
-- op: replace
- path: /spec/ports/0/name
- value: https
\ No newline at end of file
diff --git a/config/components/cert-manager/catalogd/patches/catalogd_webhook.yaml b/config/components/cert-manager/catalogd/patches/catalogd_webhook.yaml
deleted file mode 100644
index cf1a39ec3..000000000
--- a/config/components/cert-manager/catalogd/patches/catalogd_webhook.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-- op: add
- path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
- value: cert-manager/olmv1-ca
diff --git a/config/components/cert-manager/catalogd/patches/manager_deployment_cacerts.yaml b/config/components/cert-manager/catalogd/patches/manager_deployment_cacerts.yaml
deleted file mode 100644
index 6b0816706..000000000
--- a/config/components/cert-manager/catalogd/patches/manager_deployment_cacerts.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-- op: add
- path: /spec/template/spec/volumes/-
- value: {"name":"olmv1-certificate", "secret":{"secretName":"catalogd-service-cert-git-version", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}]}}
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--pull-cas-dir=/var/ca-certs"
diff --git a/config/components/cert-manager/catalogd/patches/manager_deployment_certs.yaml b/config/components/cert-manager/catalogd/patches/manager_deployment_certs.yaml
deleted file mode 100644
index 3d8b33ac3..000000000
--- a/config/components/cert-manager/catalogd/patches/manager_deployment_certs.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-- op: add
- path: /spec/template/spec/volumes/-
- value: {"name":"catalogserver-certs", "secret":{"secretName":"catalogd-service-cert-git-version"}}
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"catalogserver-certs", "mountPath":"/var/certs"}
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--tls-cert=/var/certs/tls.crt"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--tls-key=/var/certs/tls.key"
diff --git a/config/components/cert-manager/catalogd/resources/certificate.yaml b/config/components/cert-manager/catalogd/resources/certificate.yaml
deleted file mode 100644
index 561dbe44e..000000000
--- a/config/components/cert-manager/catalogd/resources/certificate.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: catalogd-service-cert
- namespace: olmv1-system
-spec:
- secretName: catalogd-service-cert-git-version
- dnsNames:
- - localhost
- - catalogd-service.olmv1-system.svc
- - catalogd-service.olmv1-system.svc.cluster.local
- privateKey:
- rotationPolicy: Always
- algorithm: ECDSA
- size: 256
- issuerRef:
- kind: ClusterIssuer
- group: cert-manager.io
- name: olmv1-ca
diff --git a/config/components/cert-manager/kustomization.yaml b/config/components/cert-manager/kustomization.yaml
deleted file mode 100644
index 2b3eed68e..000000000
--- a/config/components/cert-manager/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-# No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
-components:
-- catalogd
-- operator-controller
-# ca must be last, other components will overwrite the namespace
-- ca
diff --git a/config/components/cert-manager/operator-controller/kustomization.yaml b/config/components/cert-manager/operator-controller/kustomization.yaml
deleted file mode 100644
index 9f276280f..000000000
--- a/config/components/cert-manager/operator-controller/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
-- resources/manager_cert.yaml
-patches:
-- target:
- kind: Deployment
- name: controller-manager
- labelSelector: control-plane=operator-controller-controller-manager
- path: patches/manager_deployment_cert.yaml
diff --git a/config/components/cert-manager/operator-controller/patches/manager_deployment_cert.yaml b/config/components/cert-manager/operator-controller/patches/manager_deployment_cert.yaml
deleted file mode 100644
index 8fbdb5592..000000000
--- a/config/components/cert-manager/operator-controller/patches/manager_deployment_cert.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-- op: add
- path: /spec/template/spec/volumes/-
- value: {"name":"olmv1-certificate", "secret":{"secretName":"olmv1-cert", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}, {"key": "tls.crt", "path": "tls.cert"}, {"key": "tls.key", "path": "tls.key"}]}}
-- op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/"}
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--catalogd-cas-dir=/var/certs"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--pull-cas-dir=/var/certs"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--tls-cert=/var/certs/tls.cert"
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--tls-key=/var/certs/tls.key"
diff --git a/config/components/cert-manager/operator-controller/resources/manager_cert.yaml b/config/components/cert-manager/operator-controller/resources/manager_cert.yaml
deleted file mode 100644
index cbea2243e..000000000
--- a/config/components/cert-manager/operator-controller/resources/manager_cert.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: olmv1-cert
- namespace: olmv1-system
-spec:
- secretName: olmv1-cert
- dnsNames:
- - operator-controller-service.olmv1-system.svc
- - operator-controller-service.olmv1-system.svc.cluster.local
- privateKey:
- rotationPolicy: Always
- algorithm: ECDSA
- size: 256
- issuerRef:
- name: olmv1-ca
- kind: ClusterIssuer
- group: cert-manager.io
diff --git a/config/components/e2e/coverage/catalogd_manager_e2e_coverage_patch.yaml b/config/components/e2e/coverage/catalogd_manager_e2e_coverage_patch.yaml
deleted file mode 100644
index 254766e54..000000000
--- a/config/components/e2e/coverage/catalogd_manager_e2e_coverage_patch.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: catalogd-controller-manager
- namespace: olmv1-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- env:
- - name: GOCOVERDIR
- value: /e2e-coverage
- volumeMounts:
- - name: e2e-coverage-volume
- mountPath: /e2e-coverage
- volumes:
- - name: e2e-coverage-volume
- persistentVolumeClaim:
- claimName: e2e-coverage
diff --git a/config/components/e2e/coverage/kustomization.yaml b/config/components/e2e/coverage/kustomization.yaml
deleted file mode 100644
index 7679914bd..000000000
--- a/config/components/e2e/coverage/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
-- manager_e2e_coverage_pvc.yaml
-- manager_e2e_coverage_copy_pod.yaml
-patches:
-- path: operator_controller_manager_e2e_coverage_patch.yaml
-- path: catalogd_manager_e2e_coverage_patch.yaml
diff --git a/config/components/e2e/coverage/manager_e2e_coverage_copy_pod.yaml b/config/components/e2e/coverage/manager_e2e_coverage_copy_pod.yaml
deleted file mode 100644
index 5c5c97bf7..000000000
--- a/config/components/e2e/coverage/manager_e2e_coverage_copy_pod.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: e2e-coverage-copy-pod
- namespace: olmv1-system
-spec:
- restartPolicy: Never
- securityContext:
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: tar
- image: busybox:1.36
- command: ["sleep", "infinity"]
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - name: e2e-coverage-volume
- mountPath: /e2e-coverage
- readOnly: true
- volumes:
- - name: e2e-coverage-volume
- persistentVolumeClaim:
- claimName: e2e-coverage
- readOnly: true
diff --git a/config/components/e2e/coverage/manager_e2e_coverage_pvc.yaml b/config/components/e2e/coverage/manager_e2e_coverage_pvc.yaml
deleted file mode 100644
index 02c84acfd..000000000
--- a/config/components/e2e/coverage/manager_e2e_coverage_pvc.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: e2e-coverage
- namespace: olmv1-system
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 64Mi
diff --git a/config/components/e2e/coverage/operator_controller_manager_e2e_coverage_patch.yaml b/config/components/e2e/coverage/operator_controller_manager_e2e_coverage_patch.yaml
deleted file mode 100644
index 171a1607c..000000000
--- a/config/components/e2e/coverage/operator_controller_manager_e2e_coverage_patch.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: operator-controller-controller-manager
- namespace: olmv1-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- env:
- - name: GOCOVERDIR
- value: /e2e-coverage
- volumeMounts:
- - name: e2e-coverage-volume
- mountPath: /e2e-coverage
- volumes:
- - name: e2e-coverage-volume
- persistentVolumeClaim:
- claimName: e2e-coverage
diff --git a/config/components/e2e/kustomization.yaml b/config/components/e2e/kustomization.yaml
deleted file mode 100644
index 8809ed0f6..000000000
--- a/config/components/e2e/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-components:
-- coverage
-- registries-conf
diff --git a/config/components/e2e/registries-conf/kustomization.yaml b/config/components/e2e/registries-conf/kustomization.yaml
deleted file mode 100644
index ecb6bd1ba..000000000
--- a/config/components/e2e/registries-conf/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
-- registries_conf_configmap.yaml
-patches:
-- path: manager_e2e_registries_conf_patch.yaml
diff --git a/config/components/e2e/registries-conf/manager_e2e_registries_conf_patch.yaml b/config/components/e2e/registries-conf/manager_e2e_registries_conf_patch.yaml
deleted file mode 100644
index aa08a3d24..000000000
--- a/config/components/e2e/registries-conf/manager_e2e_registries_conf_patch.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: operator-controller-controller-manager
- namespace: olmv1-system
-spec:
- template:
- spec:
- containers:
- - name: manager
- volumeMounts:
- - name: e2e-registries-conf
- mountPath: /etc/containers
- volumes:
- - name: e2e-registries-conf
- configMap:
- name: e2e-registries-conf
diff --git a/config/components/e2e/registries-conf/registries_conf_configmap.yaml b/config/components/e2e/registries-conf/registries_conf_configmap.yaml
deleted file mode 100644
index e216113a7..000000000
--- a/config/components/e2e/registries-conf/registries_conf_configmap.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: e2e-registries-conf
- namespace: olmv1-system
-data:
- registries.conf: |
- [[registry]]
- prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000"
- location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000"
diff --git a/config/components/features/apiv1-metas-handler/kustomization.yaml b/config/components/features/apiv1-metas-handler/kustomization.yaml
deleted file mode 100644
index 0253e2624..000000000
--- a/config/components/features/apiv1-metas-handler/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# kustomization file for catalogd APIv1 metas handler
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: catalogd-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/apiv1-metas-handler/patches/enable-featuregate.yaml b/config/components/features/apiv1-metas-handler/patches/enable-featuregate.yaml
deleted file mode 100644
index 46aa22153..000000000
--- a/config/components/features/apiv1-metas-handler/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable APIv1 meta handler feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=APIV1MetasHandler=true"
diff --git a/config/components/features/boxcutter-runtime/cluster_role_binding.yaml b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
deleted file mode 100644
index e4a77f41f..000000000
--- a/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: operator-controller-boxcutter-cluster-admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: operator-controller-controller-manager
- namespace: olmv1-system
\ No newline at end of file
diff --git a/config/components/features/boxcutter-runtime/kustomization.yaml b/config/components/features/boxcutter-runtime/kustomization.yaml
deleted file mode 100644
index bb8922d09..000000000
--- a/config/components/features/boxcutter-runtime/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# DO NOT ADD A NAMESPACE HERE
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-resources:
- - cluster_role_binding.yaml
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/boxcutter-runtime/patches/enable-featuregate.yaml b/config/components/features/boxcutter-runtime/patches/enable-featuregate.yaml
deleted file mode 100644
index 97f8b89be..000000000
--- a/config/components/features/boxcutter-runtime/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable Boxcutter runtime feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=BoxcutterRuntime=true"
diff --git a/config/components/features/helm-chart/kustomization.yaml b/config/components/features/helm-chart/kustomization.yaml
deleted file mode 100644
index d075a1121..000000000
--- a/config/components/features/helm-chart/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# DO NOT ADD A NAMESPACE HERE
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/helm-chart/patches/enable-featuregate.yaml b/config/components/features/helm-chart/patches/enable-featuregate.yaml
deleted file mode 100644
index e961f75b6..000000000
--- a/config/components/features/helm-chart/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable Helm chart support feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=HelmChartSupport=true"
diff --git a/config/components/features/preflight-permissions/kustomization.yaml b/config/components/features/preflight-permissions/kustomization.yaml
deleted file mode 100644
index ef8a882a3..000000000
--- a/config/components/features/preflight-permissions/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# kustomization file for preflight permissions support
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/preflight-permissions/patches/enable-featuregate.yaml b/config/components/features/preflight-permissions/patches/enable-featuregate.yaml
deleted file mode 100644
index 0bec86a1b..000000000
--- a/config/components/features/preflight-permissions/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable preflight permissions feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=PreflightPermissions=true"
diff --git a/config/components/features/single-own-namespace/kustomization.yaml b/config/components/features/single-own-namespace/kustomization.yaml
deleted file mode 100644
index 51e433d8e..000000000
--- a/config/components/features/single-own-namespace/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# kustomization file for single/own namespace install support
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/single-own-namespace/patches/enable-featuregate.yaml b/config/components/features/single-own-namespace/patches/enable-featuregate.yaml
deleted file mode 100644
index e091c01fa..000000000
--- a/config/components/features/single-own-namespace/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable single/own namespace install support feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=SingleOwnNamespaceInstallSupport=true"
diff --git a/config/components/features/synthetic-user-permissions/kustomization.yaml b/config/components/features/synthetic-user-permissions/kustomization.yaml
deleted file mode 100644
index 8db8f5449..000000000
--- a/config/components/features/synthetic-user-permissions/kustomization.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# kustomization file for OLMv1 support for synthetic auth
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
- - target:
- kind: ClusterRole
- name: operator-controller-manager-role
- path: patches/impersonate-perms.yaml
diff --git a/config/components/features/synthetic-user-permissions/patches/enable-featuregate.yaml b/config/components/features/synthetic-user-permissions/patches/enable-featuregate.yaml
deleted file mode 100644
index fb6c84fa4..000000000
--- a/config/components/features/synthetic-user-permissions/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable synthetic-user feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=SyntheticPermissions=true"
diff --git a/config/components/features/synthetic-user-permissions/patches/impersonate-perms.yaml b/config/components/features/synthetic-user-permissions/patches/impersonate-perms.yaml
deleted file mode 100644
index f3854ea2a..000000000
--- a/config/components/features/synthetic-user-permissions/patches/impersonate-perms.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# enable synthetic-user feature gate
-- op: add
- path: /rules/-
- value:
- apiGroups:
- - ""
- resources:
- - groups
- - users
- verbs:
- - impersonate
diff --git a/config/components/features/webhook-provider-certmanager/kustomization.yaml b/config/components/features/webhook-provider-certmanager/kustomization.yaml
deleted file mode 100644
index 028d104c3..000000000
--- a/config/components/features/webhook-provider-certmanager/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# kustomization file for cert-manager backed OLMv1 support for installation of bundles with webhooks
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/webhook-provider-certmanager/patches/enable-featuregate.yaml b/config/components/features/webhook-provider-certmanager/patches/enable-featuregate.yaml
deleted file mode 100644
index ba47fa37c..000000000
--- a/config/components/features/webhook-provider-certmanager/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable cert-manager backed webhook support feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=WebhookProviderCertManager=true"
diff --git a/config/components/features/webhook-provider-openshift-serviceca/kustomization.yaml b/config/components/features/webhook-provider-openshift-serviceca/kustomization.yaml
deleted file mode 100644
index 6b0fe2684..000000000
--- a/config/components/features/webhook-provider-openshift-serviceca/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# kustomization file for openshift-serviceca backed OLMv1 support for installation of bundles with webhooks
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-patches:
- - target:
- kind: Deployment
- name: operator-controller-controller-manager
- path: patches/enable-featuregate.yaml
diff --git a/config/components/features/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml b/config/components/features/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml
deleted file mode 100644
index e1fa435cd..000000000
--- a/config/components/features/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# enable openshift-serviceca backed webhook support feature gate
-- op: add
- path: /spec/template/spec/containers/0/args/-
- value: "--feature-gates=WebhookProviderOpenshiftServiceCA=true"
diff --git a/config/overlays/basic-olm/kustomization.yaml b/config/overlays/basic-olm/kustomization.yaml
deleted file mode 100644
index 6b3089ceb..000000000
--- a/config/overlays/basic-olm/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# kustomization file for based, non-secure OLMv1
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-commonAnnotations:
- olm.operatorframework.io/feature-set: basic-olm
-components:
-- ../../components/base/standard
diff --git a/config/overlays/experimental-e2e/kustomization.yaml b/config/overlays/experimental-e2e/kustomization.yaml
deleted file mode 100644
index 000b3a81e..000000000
--- a/config/overlays/experimental-e2e/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# kustomization file for all the experimental e2e's
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-commonAnnotations:
- olm.operatorframework.io/feature-set: experimental
-components:
-- ../../components/base/experimental
-- ../../components/e2e
-# This must be last due to namespace overwrite issues of the ca
-- ../../components/cert-manager
diff --git a/config/overlays/experimental/kustomization.yaml b/config/overlays/experimental/kustomization.yaml
deleted file mode 100644
index 984df9f44..000000000
--- a/config/overlays/experimental/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-# kustomization file for secure OLMv1
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-commonAnnotations:
- olm.operatorframework.io/feature-set: experimental
-components:
-- ../../components/base/experimental
-# This must be last due to namespace overwrite issues of the ca
-- ../../components/cert-manager
diff --git a/config/overlays/prometheus/auth_token.yaml b/config/overlays/prometheus/auth_token.yaml
deleted file mode 100644
index e0939c4e0..000000000
--- a/config/overlays/prometheus/auth_token.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
- name: prometheus-metrics-token
- namespace: system
- annotations:
- kubernetes.io/service-account.name: prometheus
diff --git a/config/overlays/prometheus/catalogd_service_monitor.yaml b/config/overlays/prometheus/catalogd_service_monitor.yaml
deleted file mode 100644
index 21aa6d770..000000000
--- a/config/overlays/prometheus/catalogd_service_monitor.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: catalogd-controller-manager-metrics-monitor
- namespace: system
-spec:
- endpoints:
- - path: /metrics
- port: metrics
- interval: 10s
- scheme: https
- authorization:
- credentials:
- name: prometheus-metrics-token
- key: token
- tlsConfig:
- # NAMESPACE_PLACEHOLDER replaced by replacements in kustomization.yaml
- serverName: catalogd-service.NAMESPACE_PLACEHOLDER.svc
- insecureSkipVerify: false
- ca:
- secret:
- # CATALOGD_SERVICE_CERT must be replaced by envsubst
- name: catalogd-service-cert-git-version
- key: ca.crt
- cert:
- secret:
- name: catalogd-service-cert-git-version
- key: tls.crt
- keySecret:
- name: catalogd-service-cert-git-version
- key: tls.key
- selector:
- matchLabels:
- app.kubernetes.io/name: catalogd
diff --git a/config/overlays/prometheus/kubelet_service_monitor.yaml b/config/overlays/prometheus/kubelet_service_monitor.yaml
deleted file mode 100644
index 6c540c581..000000000
--- a/config/overlays/prometheus/kubelet_service_monitor.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: kubelet
- namespace: system
- labels:
- k8s-app: kubelet
-spec:
- jobLabel: k8s-app
- endpoints:
- - port: https-metrics
- scheme: https
- path: /metrics
- interval: 10s
- honorLabels: true
- tlsConfig:
- insecureSkipVerify: true
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- metricRelabelings:
- - action: keep
- sourceLabels: [pod,container]
- regex: (operator-controller|catalogd).*;manager
- - port: https-metrics
- scheme: https
- path: /metrics/cadvisor
- interval: 10s
- honorLabels: true
- tlsConfig:
- insecureSkipVerify: true
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- metricRelabelings:
- - action: keep
- sourceLabels: [pod,container]
- regex: (operator-controller|catalogd).*;manager
- selector:
- matchLabels:
- k8s-app: kubelet
- namespaceSelector:
- matchNames:
- - kube-system
diff --git a/config/overlays/prometheus/kustomization.yaml b/config/overlays/prometheus/kustomization.yaml
deleted file mode 100644
index 96a0503d3..000000000
--- a/config/overlays/prometheus/kustomization.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: olmv1-system
-resources:
-- prometheus.yaml
-- catalogd_service_monitor.yaml
-- kubelet_service_monitor.yaml
-- operator_controller_service_monitor.yaml
-- prometheus_rule.yaml
-- auth_token.yaml
-- network_policy.yaml
-- service.yaml
-- rbac
-replacements:
-- source:
- kind: ServiceMonitor
- name: catalogd-controller-manager-metrics-monitor
- fieldPath: metadata.namespace
- targets:
- - select:
- kind: ServiceMonitor
- name: catalogd-controller-manager-metrics-monitor
- fieldPaths:
- - spec.endpoints.0.tlsConfig.serverName
- options:
- delimiter: '.'
- index: 1
- - select:
- kind: ServiceMonitor
- name: operator-controller-controller-manager-metrics-monitor
- fieldPaths:
- - spec.endpoints.0.tlsConfig.serverName
- options:
- delimiter: '.'
- index: 1
diff --git a/config/overlays/prometheus/network_policy.yaml b/config/overlays/prometheus/network_policy.yaml
deleted file mode 100644
index 5fe716799..000000000
--- a/config/overlays/prometheus/network_policy.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: prometheus
- namespace: system
-spec:
- podSelector:
- matchLabels:
- app.kubernetes.io/name: prometheus
- policyTypes:
- - Egress
- - Ingress
- egress:
- - {} # Allows all egress traffic for metrics requests
- ingress:
- - {} # Allows us to query prometheus
diff --git a/config/overlays/prometheus/operator_controller_service_monitor.yaml b/config/overlays/prometheus/operator_controller_service_monitor.yaml
deleted file mode 100644
index b35c5de75..000000000
--- a/config/overlays/prometheus/operator_controller_service_monitor.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: operator-controller-controller-manager-metrics-monitor
- namespace: system
-spec:
- endpoints:
- - path: /metrics
- interval: 10s
- port: https
- scheme: https
- authorization:
- credentials:
- name: prometheus-metrics-token
- key: token
- tlsConfig:
- # NAMESPACE_PLACEHOLDER replaced by replacements in kustomization.yaml
- serverName: operator-controller-service.NAMESPACE_PLACEHOLDER.svc
- insecureSkipVerify: false
- ca:
- secret:
- name: olmv1-cert
- key: ca.crt
- cert:
- secret:
- name: olmv1-cert
- key: tls.crt
- keySecret:
- name: olmv1-cert
- key: tls.key
- selector:
- matchLabels:
- control-plane: operator-controller-controller-manager
diff --git a/config/overlays/prometheus/prometheus.yaml b/config/overlays/prometheus/prometheus.yaml
deleted file mode 100644
index 9686f63ad..000000000
--- a/config/overlays/prometheus/prometheus.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: Prometheus
-metadata:
- name: prometheus
- namespace: system
-spec:
- logLevel: debug
- serviceAccountName: prometheus
- scrapeTimeout: 30s
- scrapeInterval: 1m
- securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- ruleSelector: {}
- serviceDiscoveryRole: EndpointSlice
- serviceMonitorSelector: {}
diff --git a/config/overlays/prometheus/prometheus_rule.yaml b/config/overlays/prometheus/prometheus_rule.yaml
deleted file mode 100644
index b7e3fcdaf..000000000
--- a/config/overlays/prometheus/prometheus_rule.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: controller-alerts
- namespace: system
-spec:
- groups:
- - name: controller-panic
- rules:
- - alert: reconciler-panic
- expr: controller_runtime_reconcile_panics_total{} > 0
- annotations:
- description: "controller of pod {{ $labels.pod }} experienced panic(s); count={{ $value }}"
- - alert: webhook-panic
- expr: controller_runtime_webhook_panics_total{} > 0
- annotations:
- description: "controller webhook of pod {{ $labels.pod }} experienced panic(s); count={{ $value }}"
- - name: resource-usage
- rules:
- - alert: oom-events
- expr: container_oom_events_total > 0
- annotations:
- description: "container {{ $labels.container }} of pod {{ $labels.pod }} experienced OOM event(s); count={{ $value }}"
- - alert: operator-controller-memory-growth
- expr: deriv(sum(container_memory_working_set_bytes{pod=~"operator-controller.*",container="manager"})[5m:]) > 100_000
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "operator-controller pod memory usage growing at a high rate for 5 minutes: {{ $value | humanize }}B/sec"
- - alert: catalogd-memory-growth
- expr: deriv(sum(container_memory_working_set_bytes{pod=~"catalogd.*",container="manager"})[5m:]) > 100_000
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "catalogd pod memory usage growing at a high rate for 5 minutes: {{ $value | humanize }}B/sec"
- - alert: operator-controller-memory-usage
- expr: sum(container_memory_working_set_bytes{pod=~"operator-controller.*",container="manager"}) > 100_000_000
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "operator-controller pod using high memory resources for the last 5 minutes: {{ $value | humanize }}B"
- - alert: catalogd-memory-usage
- expr: sum(container_memory_working_set_bytes{pod=~"catalogd.*",container="manager"}) > 75_000_000
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "catalogd pod using high memory resources 
for the last 5 minutes: {{ $value | humanize }}B"
- - alert: operator-controller-cpu-usage
- expr: rate(container_cpu_usage_seconds_total{pod=~"operator-controller.*",container="manager"}[5m]) * 100 > 20
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "operator-controller using high cpu resource for 5 minutes: {{ $value | printf \"%.2f\" }}%"
- - alert: catalogd-cpu-usage
- expr: rate(container_cpu_usage_seconds_total{pod=~"catalogd.*",container="manager"}[5m]) * 100 > 20
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "catalogd using high cpu resources for 5 minutes: {{ $value | printf \"%.2f\" }}%"
- - alert: operator-controller-api-call-rate
- expr: sum(rate(rest_client_requests_total{job=~"operator-controller-service"}[5m])) > 10
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "operator-controller making excessive API calls for 5 minutes: {{ $value | printf \"%.2f\" }}/sec"
- - alert: catalogd-api-call-rate
- expr: sum(rate(rest_client_requests_total{job=~"catalogd-service"}[5m])) > 5
- for: 5m
- keep_firing_for: 1d
- annotations:
- description: "catalogd making excessive API calls for 5 minutes: {{ $value | printf \"%.2f\" }}/sec"
diff --git a/config/overlays/prometheus/rbac/kustomization.yaml b/config/overlays/prometheus/rbac/kustomization.yaml
deleted file mode 100644
index 566195983..000000000
--- a/config/overlays/prometheus/rbac/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resources:
-- prometheus_service_account.yaml
-- prometheus_cluster_role.yaml
-- prometheus_cluster_rolebinding.yaml
diff --git a/config/overlays/prometheus/rbac/prometheus_cluster_role.yaml b/config/overlays/prometheus/rbac/prometheus_cluster_role.yaml
deleted file mode 100644
index 176c3b389..000000000
--- a/config/overlays/prometheus/rbac/prometheus_cluster_role.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: prometheus
-rules:
-- apiGroups: [""]
- resources:
- - nodes
- - nodes/metrics
- - services
- - endpoints
- - pods
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources:
- - configmaps
- verbs: ["get"]
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs: ["get", "list", "watch"]
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs: ["get", "list", "watch"]
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
diff --git a/config/overlays/prometheus/rbac/prometheus_cluster_rolebinding.yaml b/config/overlays/prometheus/rbac/prometheus_cluster_rolebinding.yaml
deleted file mode 100644
index bd93b45c7..000000000
--- a/config/overlays/prometheus/rbac/prometheus_cluster_rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: prometheus
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus
-subjects:
-- kind: ServiceAccount
- name: prometheus
- namespace: system
diff --git a/config/overlays/prometheus/rbac/prometheus_service_account.yaml b/config/overlays/prometheus/rbac/prometheus_service_account.yaml
deleted file mode 100644
index df06091c9..000000000
--- a/config/overlays/prometheus/rbac/prometheus_service_account.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: prometheus
- namespace: system
diff --git a/config/overlays/prometheus/service.yaml b/config/overlays/prometheus/service.yaml
deleted file mode 100644
index 0d041e008..000000000
--- a/config/overlays/prometheus/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: prometheus-service
- namespace: system
-spec:
- type: NodePort
- ports:
- - name: web
- nodePort: 30900
- port: 9090
- protocol: TCP
- targetPort: web
- selector:
- prometheus: prometheus
diff --git a/config/overlays/standard-e2e/kustomization.yaml b/config/overlays/standard-e2e/kustomization.yaml
deleted file mode 100644
index 4dc3c3f6c..000000000
--- a/config/overlays/standard-e2e/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# kustomization file for all the e2e's
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-commonAnnotations:
- olm.operatorframework.io/feature-set: standard-e2e
-components:
-- ../../components/base/standard
-- ../../components/e2e
-# This must be last due to namespace overwrite issues of the ca
-- ../../components/cert-manager
diff --git a/config/overlays/standard/kustomization.yaml b/config/overlays/standard/kustomization.yaml
deleted file mode 100644
index 660025187..000000000
--- a/config/overlays/standard/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-# kustomization file for secure OLMv1
-# DO NOT ADD A NAMESPACE HERE
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-commonAnnotations:
- olm.operatorframework.io/feature-set: standard
-components:
-- ../../components/base/standard
-# This must be last due to namespace overwrite issues of the ca
-- ../../components/cert-manager
diff --git a/config/overlays/tilt-local-dev/kustomization.yaml b/config/overlays/tilt-local-dev/kustomization.yaml
deleted file mode 100644
index f0cc916a3..000000000
--- a/config/overlays/tilt-local-dev/kustomization.yaml
+++ /dev/null
@@ -1,20 +0,0 @@ -# kustomization file for secure OLMv1 -# DO NOT ADD A NAMESPACE HERE -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -commonAnnotations: - olm.operatorframework.io/feature-set: tilt-experimental -components: -- ../../components/base/experimental -# This must be last due to namespace overwrite issues of the ca -- ../../components/cert-manager -patches: -- target: - kind: Deployment - name: operator-controller-controller-manager - path: patches/operator-controller.yaml -- target: - kind: Deployment - name: catalogd-controller-manager - path: patches/catalogd.yaml - diff --git a/config/overlays/tilt-local-dev/patches/catalogd.yaml b/config/overlays/tilt-local-dev/patches/catalogd.yaml deleted file mode 100644 index 4df906921..000000000 --- a/config/overlays/tilt-local-dev/patches/catalogd.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# remove livenessProbe and readinessProbe so container doesn't restart during breakpoints -- op: replace - path: /spec/template/spec/containers/0/livenessProbe - value: null -- op: replace - path: /spec/template/spec/containers/0/readinessProbe - value: null -- op: remove - # remove --leader-elect so container doesn't restart during breakpoints - path: /spec/template/spec/containers/0/args/0 diff --git a/config/overlays/tilt-local-dev/patches/operator-controller.yaml b/config/overlays/tilt-local-dev/patches/operator-controller.yaml deleted file mode 100644 index b273a0c9b..000000000 --- a/config/overlays/tilt-local-dev/patches/operator-controller.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# remove livenessProbe and readinessProbe so container doesn't restart during breakpoints -- op: replace - path: /spec/template/spec/containers/0/livenessProbe - value: null -- op: replace - path: /spec/template/spec/containers/0/readinessProbe - value: null -- op: remove - # remove --leader-elect so container doesn't restart during breakpoints - path: /spec/template/spec/containers/0/args/2 
diff --git a/docs/draft/api-reference/network-policies.md b/docs/draft/api-reference/network-policies.md index 82afe8e2c..016825ebf 100644 --- a/docs/draft/api-reference/network-policies.md +++ b/docs/draft/api-reference/network-policies.md @@ -4,8 +4,8 @@ OLMv1 uses [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to secure communication between components, restricting network traffic to only what's necessary for proper functionality. -* The catalogd NetworkPolicy is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/catalogd/manager/network_policy.yaml). -* The operator-controller is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/operator-controller/manager/network_policy.yaml). +* The catalogd NetworkPolicy is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml). +* The operator-controller is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml). This document explains the details of `NetworkPolicy` implementation for the core components. diff --git a/hack/tools/crd-generator/main_test.go b/hack/tools/crd-generator/main_test.go index aa5635263..d2eb28d61 100644 --- a/hack/tools/crd-generator/main_test.go +++ b/hack/tools/crd-generator/main_test.go 
@@ -29,22 +29,22 @@ func TestRunGenerator(t *testing.T) { runGenerator(dir, controllerToolsVersion) f1 := filepath.Join(dir, "standard/olm.operatorframework.io_clusterextensions.yaml") - f2 := "config/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml" + f2 := "helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml" fmt.Printf("comparing: %s to %s\n", f1, f2) compareFiles(t, f1, f2) f1 = filepath.Join(dir, "standard/olm.operatorframework.io_clustercatalogs.yaml") - f2 = "config/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" + f2 = "helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" fmt.Printf("comparing: %s to %s\n", f1, f2) compareFiles(t, f1, f2) f1 = filepath.Join(dir, "experimental/olm.operatorframework.io_clusterextensions.yaml") - f2 = "config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml" + f2 = "helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml" fmt.Printf("comparing: %s to %s\n", f1, f2) compareFiles(t, f1, f2) f1 = filepath.Join(dir, "experimental/olm.operatorframework.io_clustercatalogs.yaml") - f2 = "config/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml" + f2 = "helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml" fmt.Printf("comparing: %s to %s\n", f1, f2) compareFiles(t, f1, f2) } diff --git a/hack/tools/update-crds.sh b/hack/tools/update-crds.sh index 6d7253449..e379b5989 100755 --- a/hack/tools/update-crds.sh +++ b/hack/tools/update-crds.sh @@ -19,6 +19,9 @@ channels=("standard" "experimental") # Create the temp output directories CRD_TMP=$(mktemp -d) +# Clean up the temp output directories +trap "rm -rf ${CRD_TMP}" EXIT + for c in ${channels[@]}; do mkdir -p ${CRD_TMP}/${c} done 
@@ -29,13 +32,6 @@ CONTROLLER_TOOLS_VER=$(go list -m sigs.k8s.io/controller-tools | awk '{print $2} # Generate the CRDs go run ./hack/tools/crd-generator ${CRD_TMP} ${CONTROLLER_TOOLS_VER} -# Create the destination directories for each base/channel combo -for c in ${channels[@]}; do - for b in ${modules[@]}; do - mkdir -p config/base/${b}/crd/${c} - done -done - # Copy the generated files for b in ${!modules[@]}; do for c in ${channels[@]}; do @@ -43,9 +39,11 @@ for b in ${!modules[@]}; do # will not be generated for the standard channel - so we check the expected generated # file exists before copying it. FILE="${CRD_TMP}/${c}/${crds[${b}]}" - [[ -e "${FILE}" ]] && cp "${FILE}" helm/olmv1/base/${modules[${b}]}/crd/${c} + DST="helm/olmv1/base/${modules[${b}]}/crd/${c}" + if [ -e "${FILE}" ]; then + echo "$(date '+%Y/%m/%d %T') ${FILE} --> ${DST}" + mkdir -p "${DST}" + cp "${FILE}" "${DST}" + fi done done - -# Clean up the temp output directories -rm -rf ${CRD_TMP} diff --git a/helm/OWNERS b/helm/OWNERS new file mode 100644 index 000000000..b44dad0ea --- /dev/null +++ b/helm/OWNERS @@ -0,0 +1,2 @@ +approvers: + - manifest-approvers diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml index a1575258a..89a6f646b 100644 --- a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml +++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml 
@@ -57,7 +57,7 @@ spec: phases: description: |- Phases are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. + All objects in the phase will have to pass their probes in order to progress to the next phase. items: description: |- ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. @@ -122,15 +122,17 @@ spec: - message: previous is immutable rule: self == oldSelf revision: - description: Revision number orders changes over time, must always - be previous revision +1. + description: |- + Revision is a sequence number representing a specific revision of the ClusterExtension instance. + Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. format: int64 + minimum: 1 type: integer x-kubernetes-validations: - message: revision is immutable rule: self == oldSelf required: - - phases - revision type: object status: diff --git a/helm/tilt.yaml b/helm/tilt.yaml index f72d2b8e4..367ab0c29 100644 --- a/helm/tilt.yaml +++ b/helm/tilt.yaml @@ -2,10 +2,12 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# Tilt is an exeption to the multi-values case, -# as the Tilt runner only accepts a single values fle +# Tilt is an exception to the multi-values case, +# as the Tilt runner only accepts a single values file options: + certManager: + enabled: true tilt: enabled: true featureSet: experimental diff --git a/internal/operator-controller/controllers/suite_test.go b/internal/operator-controller/controllers/suite_test.go index ccd59f11f..02d538237 100644 --- a/internal/operator-controller/controllers/suite_test.go +++ b/internal/operator-controller/controllers/suite_test.go 
@@ -21,7 +21,6 @@ import ( "io/fs" "log" "os" - "path/filepath" "testing" "github.com/stretchr/testify/require" @@ -29,11 +28,11 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" crfinalizer "sigs.k8s.io/controller-runtime/pkg/finalizer" ocv1 "github.com/operator-framework/operator-controller/api/v1" "github.com/operator-framework/operator-controller/internal/operator-controller/controllers" + "github.com/operator-framework/operator-controller/test" ) func newScheme(t *testing.T) *apimachineryruntime.Scheme { @@ -93,27 +92,7 @@ func newClientAndReconciler(t *testing.T) (client.Client, *controllers.ClusterEx var config *rest.Config func TestMain(m *testing.M) { - testEnv := &envtest.Environment{ - CRDDirectoryPaths: []string{ - filepath.Join("..", "..", "..", "config", "base", "operator-controller", "crd", "experimental"), - }, - ErrorIfCRDPathMissing: true, - } - - // ENVTEST-based tests require specific binaries. By default, these binaries are located - // in paths defined by controller-runtime. However, the `BinaryAssetsDirectory` needs - // to be explicitly set when running tests directly (e.g., debugging tests in an IDE) - // without using the Makefile targets. - // - // This is equivalent to configuring your IDE to export the `KUBEBUILDER_ASSETS` environment - // variable before each test execution. The following function simplifies this process - // by handling the configuration for you. - // - // To ensure the binaries are in the expected path without manual configuration, run: - // `make envtest-k8s-bins` - if getFirstFoundEnvTestBinaryDir() != "" { - testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir() - } + testEnv := test.NewEnv() var err error config, err = testEnv.Start() 
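Review bot: The replaced setup pinned the CRD directory explicitly and set `ErrorIfCRDPathMissing: true`, so a moved or missing CRD path made the suite fail loudly; after this change both decisions live inside `test.NewEnv()`, which is not visible here, so whether the suite still refuses to run without the relocated `helm/olmv1/base/...` CRDs (rather than silently running against an empty API server) depends on that helper. The deleted comment block also carried the KUBEBUILDER_ASSETS guidance for running tests from an IDE, and nothing at the call site now points a reader at where that logic went. A one-line comment would keep the intent, e.g. `// test.NewEnv resolves the experimental CRD dir and envtest binaries; it should fail, not skip, when CRDs are missing — verify in the test package.` TestMain's body continues past this hunk.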
@@ -126,15 +105,3 @@ func TestMain(m *testing.M) { utilruntime.Must(testEnv.Stop()) os.Exit(code) } - -// getFirstFoundEnvTestBinaryDir finds and returns the first directory under the given path. -func getFirstFoundEnvTestBinaryDir() string { - basePath := filepath.Join("..", "..", "bin", "envtest-binaries", "k8s") - entries, _ := os.ReadDir(basePath) - for _, entry := range entries { - if entry.IsDir() { - return filepath.Join(basePath, entry.Name()) - } - } - return "" -} diff --git a/internal/operator-controller/rukpak/render/registryv1/registryv1.go b/internal/operator-controller/rukpak/render/registryv1/registryv1.go index 6621a6ca4..1cfefbb8b 100644 --- a/internal/operator-controller/rukpak/render/registryv1/registryv1.go +++ b/internal/operator-controller/rukpak/render/registryv1/registryv1.go @@ -22,11 +22,13 @@ var BundleValidator = render.BundleValidator{ validators.CheckCRDResourceUniqueness, validators.CheckOwnedCRDExistence, validators.CheckPackageNameNotEmpty, + validators.CheckConversionWebhookSupport, validators.CheckWebhookDeploymentReferentialIntegrity, validators.CheckWebhookNameUniqueness, validators.CheckWebhookNameIsDNS1123SubDomain, validators.CheckConversionWebhookCRDReferenceUniqueness, validators.CheckConversionWebhooksReferenceOwnedCRDs, + validators.CheckWebhookRules, } // ResourceGenerators a slice of ResourceGenerators required to generate plain resource manifests for diff --git a/internal/operator-controller/rukpak/render/registryv1/registryv1_test.go b/internal/operator-controller/rukpak/render/registryv1/registryv1_test.go index c75f1d602..afe19d805 100644 --- a/internal/operator-controller/rukpak/render/registryv1/registryv1_test.go +++ b/internal/operator-controller/rukpak/render/registryv1/registryv1_test.go 
@@ -26,11 +26,13 @@ func Test_BundleValidatorHasAllValidationFns(t *testing.T) { validators.CheckCRDResourceUniqueness, validators.CheckOwnedCRDExistence, validators.CheckPackageNameNotEmpty, + validators.CheckConversionWebhookSupport, validators.CheckWebhookDeploymentReferentialIntegrity, validators.CheckWebhookNameUniqueness, validators.CheckWebhookNameIsDNS1123SubDomain, validators.CheckConversionWebhookCRDReferenceUniqueness, validators.CheckConversionWebhooksReferenceOwnedCRDs, + validators.CheckWebhookRules, } actualValidationFns := registryv1.BundleValidator diff --git a/internal/operator-controller/rukpak/render/registryv1/validators/validator.go b/internal/operator-controller/rukpak/render/registryv1/validators/validator.go index 61d0aad7c..60978aa83 100644 --- a/internal/operator-controller/rukpak/render/registryv1/validators/validator.go +++ b/internal/operator-controller/rukpak/render/registryv1/validators/validator.go 
@@ -101,21 +101,32 @@ func CheckPackageNameNotEmpty(rv1 *bundle.RegistryV1) []error { return nil } -// CheckWebhookSupport checks that if the bundle cluster service version declares webhook definitions -// that it is a singleton operator, i.e. that it only supports AllNamespaces mode. This keeps parity -// with OLMv0 behavior for conversion webhooks, +// CheckConversionWebhookSupport checks that if the bundle cluster service version declares conversion webhook definitions, +// that the bundle also only supports AllNamespaces install mode. This keeps parity with OLMv0 behavior for conversion webhooks, // https://github.com/operator-framework/operator-lifecycle-manager/blob/dfd0b2bea85038d3c0d65348bc812d297f16b8d2/pkg/controller/install/webhook.go#L193 -// Since OLMv1 considers APIs to be cluster-scoped, we initially extend this constraint to validating and mutating webhooks. -// While this might restrict the number of supported bundles, we can tackle the issue of relaxing this constraint in turn -// after getting the webhook support working. 
-func CheckWebhookSupport(rv1 *bundle.RegistryV1) []error { - if len(rv1.CSV.Spec.WebhookDefinitions) > 0 { +func CheckConversionWebhookSupport(rv1 *bundle.RegistryV1) []error { + var conversionWebhookNames []string + for _, wh := range rv1.CSV.Spec.WebhookDefinitions { + if wh.Type == v1alpha1.ConversionWebhook { + conversionWebhookNames = append(conversionWebhookNames, wh.GenerateName) + } + } + + if len(conversionWebhookNames) > 0 { supportedInstallModes := sets.Set[v1alpha1.InstallModeType]{} for _, mode := range rv1.CSV.Spec.InstallModes { - supportedInstallModes.Insert(mode.Type) + if mode.Supported { + supportedInstallModes.Insert(mode.Type) + } } + if len(supportedInstallModes) != 1 || !supportedInstallModes.Has(v1alpha1.InstallModeTypeAllNamespaces) { - return []error{errors.New("bundle contains webhook definitions but supported install modes beyond AllNamespaces")} + sortedModes := slices.Sorted(slices.Values(supportedInstallModes.UnsortedList())) + errs := make([]error, len(conversionWebhookNames)) + for i, webhookName := range conversionWebhookNames { + errs[i] = fmt.Errorf("bundle contains conversion webhook %q and supports install modes %v - conversion webhooks are only supported for bundles that only support AllNamespaces install mode", webhookName, sortedModes) + } + return errs } } 
@@ -264,3 +275,55 @@ func CheckWebhookNameIsDNS1123SubDomain(rv1 *bundle.RegistryV1) []error { } return errs } + +// forbiddenWebhookRuleAPIGroups contain the API groups that are forbidden for webhook configuration rules in OLMv1 +var forbiddenWebhookRuleAPIGroups = sets.New("olm.operatorframework.io", "*") + +// forbiddenAdmissionRegistrationResources contain the resources that are forbidden for webhook configuration rules +// for the admissionregistration.k8s.io api group +var forbiddenAdmissionRegistrationResources = sets.New( + "*", + "mutatingwebhookconfiguration", + "mutatingwebhookconfigurations", + "validatingwebhookconfiguration", + "validatingwebhookconfigurations", +) + +// CheckWebhookRules ensures webhook rules do not reference forbidden API groups or resources in line with OLMv0 behavior +// The following are forbidden, rules targeting: +// - all API groups (i.e. '*') +// - OLMv1 API group (i.e. 'olm.operatorframework.io') +// - all resources under the 'admissionregistration.k8s.io' API group +// - the 'ValidatingWebhookConfiguration' resource under the 'admissionregistration.k8s.io' API group +// - the 'MutatingWebhookConfiguration' resource under the 'admissionregistration.k8s.io' API group +// +// These boundaries attempt to reduce the blast radius of faulty webhooks and avoid deadlocks preventing the user +// from deleting OLMv1 resources installing and managing the faulty webhook, or deleting faulty admission webhook +// configurations. 
+// See https://github.com/operator-framework/operator-lifecycle-manager/blob/ccf0c4c91f1e7673e87f3a18947f9a1f88d48438/pkg/controller/install/webhook.go#L19 +// for more details +func CheckWebhookRules(rv1 *bundle.RegistryV1) []error { + var errs []error + for _, wh := range rv1.CSV.Spec.WebhookDefinitions { + // Rules are not used for conversion webhooks + if wh.Type == v1alpha1.ConversionWebhook { + continue + } + webhookName := wh.GenerateName + for _, rule := range wh.Rules { + for _, apiGroup := range rule.APIGroups { + if forbiddenWebhookRuleAPIGroups.Has(apiGroup) { + errs = append(errs, fmt.Errorf("webhook %q contains forbidden rule: admission webhook rules cannot reference API group %q", webhookName, apiGroup)) + } + if apiGroup == "admissionregistration.k8s.io" { + for _, resource := range rule.Resources { + if forbiddenAdmissionRegistrationResources.Has(strings.ToLower(resource)) { + errs = append(errs, fmt.Errorf("webhook %q contains forbidden rule: admission webhook rules cannot reference resource %q for API group %q", webhookName, resource, apiGroup)) + } + } + } + } + } + } + return errs +} diff --git a/internal/operator-controller/rukpak/render/registryv1/validators/validator_test.go b/internal/operator-controller/rukpak/render/registryv1/validators/validator_test.go index 6c1d7491b..135a942ec 100644 --- a/internal/operator-controller/rukpak/render/registryv1/validators/validator_test.go +++ b/internal/operator-controller/rukpak/render/registryv1/validators/validator_test.go @@ -5,6 +5,7 @@ import ( "testing" "github.com/stretchr/testify/require" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
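Review bot: The resource check in CheckWebhookRules only matches whole resource names, so a rule with `apiGroups: ["admissionregistration.k8s.io"]` and `resources: ["*/*"]` (or `mutatingwebhookconfigurations/*`, `validatingwebhookconfigurations/status`) passes validation even though the API server treats `*/*` as every resource and subresource in the group, which is exactly the blast radius the doc comment says this check bounds. Compare only the resource segment before any `/`: `resourceName, _, _ := strings.Cut(strings.ToLower(resource), "/")` followed by `if forbiddenAdmissionRegistrationResources.Has(resourceName) {`. This may be parity with the OLMv0 reference linked in the comment rather than a regression, but it is a two-line change to close here and deserves a rejection test case for `*/*`. The API-group comparison is exact-match and that is correct, since group names are compared literally by the apiserver.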
@@ -250,10 +251,23 @@ func Test_CheckWebhookSupport(t *testing.T) { expectedErrs []error }{ { - name: "accepts bundles with validating webhook definitions when they only support AllNamespaces install mode", + name: "accepts bundles with conversion webhook definitions when they only support AllNamespaces install mode", bundle: &bundle.RegistryV1{ CSV: MakeCSV( WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ConversionWebhook, + }, + ), + ), + }, + }, + { + name: "accepts bundles with validating webhook definitions when they support more modes than AllNamespaces install mode", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace), WithWebhookDefinitions( v1alpha1.WebhookDescription{ Type: v1alpha1.ValidatingAdmissionWebhook, @@ -263,10 +277,10 @@ func Test_CheckWebhookSupport(t *testing.T) { }, }, { - name: "accepts bundles with mutating webhook definitions when they only support AllNamespaces install mode", + name: "accepts bundles with mutating webhook definitions when they support more modes than AllNamespaces install mode", bundle: &bundle.RegistryV1{ CSV: MakeCSV( - WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace), WithWebhookDefinitions( v1alpha1.WebhookDescription{ Type: v1alpha1.MutatingAdmissionWebhook, 
@@ -276,63 +290,339 @@ func Test_CheckWebhookSupport(t *testing.T) { }, }, { - name: "accepts bundles with conversion webhook definitions when they only support AllNamespaces install mode", + name: "rejects bundles with conversion webhook definitions when they support more modes than AllNamespaces install mode", bundle: &bundle.RegistryV1{ CSV: MakeCSV( - WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithInstallModeSupportFor(v1alpha1.InstallModeTypeSingleNamespace, v1alpha1.InstallModeTypeAllNamespaces), WithWebhookDefinitions( v1alpha1.WebhookDescription{ - Type: v1alpha1.ConversionWebhook, + GenerateName: "webhook-b", + Type: v1alpha1.ConversionWebhook, + }, + v1alpha1.WebhookDescription{ + GenerateName: "webhook-a", + Type: v1alpha1.ConversionWebhook, }, ), ), }, + expectedErrs: []error{ + errors.New("bundle contains conversion webhook \"webhook-b\" and supports install modes [AllNamespaces SingleNamespace] - conversion webhooks are only supported for bundles that only support AllNamespaces install mode"), + errors.New("bundle contains conversion webhook \"webhook-a\" and supports install modes [AllNamespaces SingleNamespace] - conversion webhooks are only supported for bundles that only support AllNamespaces install mode"), + }, }, + } { + t.Run(tc.name, func(t *testing.T) { + errs := validators.CheckConversionWebhookSupport(tc.bundle) + require.Equal(t, tc.expectedErrs, errs) + }) + } +} + +func Test_CheckWebhookRules(t *testing.T) { + for _, tc := range []struct { + name string + bundle *bundle.RegistryV1 + expectedErrs []error + }{ { - name: "rejects bundles with validating webhook definitions when they support more modes than AllNamespaces install mode", + name: "accepts bundles with webhook definitions without rules", bundle: &bundle.RegistryV1{ CSV: MakeCSV( - WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace), + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), 
WithWebhookDefinitions( v1alpha1.WebhookDescription{ Type: v1alpha1.ValidatingAdmissionWebhook, }, + v1alpha1.WebhookDescription{ + Type: v1alpha1.MutatingAdmissionWebhook, + }, ), ), }, - expectedErrs: []error{errors.New("bundle contains webhook definitions but supported install modes beyond AllNamespaces")}, }, { - name: "accepts bundles with mutating webhook definitions when they support more modes than AllNamespaces install mode", + name: "accepts bundles with webhook definitions with supported rules", bundle: &bundle.RegistryV1{ CSV: MakeCSV( - WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace), + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"appsv1"}, + Resources: []string{"deployments", "replicasets", "statefulsets"}, + }, + }, + }, + }, v1alpha1.WebhookDescription{ Type: v1alpha1.MutatingAdmissionWebhook, + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + Resources: []string{"services"}, + }, + }, + }, }, ), ), }, - expectedErrs: []error{errors.New("bundle contains webhook definitions but supported install modes beyond AllNamespaces")}, }, { - name: "accepts bundles with conversion webhook definitions when they support more modes than AllNamespaces install mode", + name: "reject bundles with webhook definitions with rules containing '*' api group", bundle: &bundle.RegistryV1{ CSV: MakeCSV( - WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces, v1alpha1.InstallModeTypeSingleNamespace), + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), WithWebhookDefinitions( v1alpha1.WebhookDescription{ - Type: v1alpha1.ConversionWebhook, + Type: v1alpha1.ValidatingAdmissionWebhook, 
+ GenerateName: "webhook-z", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + }, + }, + }, + }, + v1alpha1.WebhookDescription{ + Type: v1alpha1.MutatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-z\" contains forbidden rule: admission webhook rules cannot reference API group \"*\""), + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference API group \"*\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'olm.operatorframework.io' api group", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-z", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"olm.operatorframework.io"}, + }, + }, + }, + }, + v1alpha1.WebhookDescription{ + Type: v1alpha1.MutatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"olm.operatorframework.io"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-z\" contains forbidden rule: admission webhook rules cannot reference API group \"olm.operatorframework.io\""), + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference API group \"olm.operatorframework.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and '*' resource", + bundle: 
&bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"*"}, + }, + }, + }, }, ), ), }, - expectedErrs: []error{errors.New("bundle contains webhook definitions but supported install modes beyond AllNamespaces")}, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"*\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'MutatingWebhookConfiguration' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"MutatingWebhookConfiguration"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"MutatingWebhookConfiguration\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'mutatingwebhookconfiguration' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: 
v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"mutatingwebhookconfiguration"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"mutatingwebhookconfiguration\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'mutatingwebhookconfigurations' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"mutatingwebhookconfigurations"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"mutatingwebhookconfigurations\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'ValidatingWebhookConfiguration' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: 
[]string{"ValidatingWebhookConfiguration"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"ValidatingWebhookConfiguration\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'validatingwebhookconfiguration' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"validatingwebhookconfiguration"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource \"validatingwebhookconfiguration\" for API group \"admissionregistration.k8s.io\""), + }, + }, + { + name: "reject bundles with webhook definitions with rules containing 'admissionregistration.k8s.io' api group and 'validatingwebhookconfigurations' resource", + bundle: &bundle.RegistryV1{ + CSV: MakeCSV( + WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces), + WithWebhookDefinitions( + v1alpha1.WebhookDescription{ + Type: v1alpha1.ValidatingAdmissionWebhook, + GenerateName: "webhook-a", + Rules: []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{"validatingwebhookconfigurations"}, + }, + }, + }, + }, + ), + ), + }, + expectedErrs: []error{ + errors.New("webhook \"webhook-a\" contains forbidden rule: admission webhook rules cannot reference resource 
\"validatingwebhookconfigurations\" for API group \"admissionregistration.k8s.io\""), + }, }, } { t.Run(tc.name, func(t *testing.T) { - errs := validators.CheckWebhookSupport(tc.bundle) + errs := validators.CheckWebhookRules(tc.bundle) require.Equal(t, tc.expectedErrs, errs) }) } diff --git a/internal/operator-controller/rukpak/util/testing/testing.go b/internal/operator-controller/rukpak/util/testing/testing.go index f5c9b36a3..e544e546c 100644 --- a/internal/operator-controller/rukpak/util/testing/testing.go +++ b/internal/operator-controller/rukpak/util/testing/testing.go @@ -6,6 +6,7 @@ import ( "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/operator-framework/api/pkg/operators/v1alpha1" @@ -55,15 +56,22 @@ func WithOwnedCRDs(crdDesc ...v1alpha1.CRDDescription) CSVOption { } func WithInstallModeSupportFor(installModeType ...v1alpha1.InstallModeType) CSVOption { + var installModes = []v1alpha1.InstallModeType{ + v1alpha1.InstallModeTypeAllNamespaces, + v1alpha1.InstallModeTypeSingleNamespace, + v1alpha1.InstallModeTypeMultiNamespace, + v1alpha1.InstallModeTypeOwnNamespace, + } return func(csv *v1alpha1.ClusterServiceVersion) { - installModes := make([]v1alpha1.InstallMode, 0, len(installModeType)) - for _, t := range installModeType { - installModes = append(installModes, v1alpha1.InstallMode{ + supportedInstallModes := sets.New(installModeType...) + csvInstallModes := make([]v1alpha1.InstallMode, 0, len(installModeType)) + for _, t := range installModes { + csvInstallModes = append(csvInstallModes, v1alpha1.InstallMode{ Type: t, - Supported: true, + Supported: supportedInstallModes.Has(t), }) } - csv.Spec.InstallModes = installModes + csv.Spec.InstallModes = csvInstallModes } } 
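Review bot: In the `WithInstallModeSupportFor` hunk the new `csvInstallModes` slice is pre-sized with `len(installModeType)` while the loop now ranges over the fixed four-entry `installModes` list, so the capacity is wrong whenever fewer than four modes are passed and `append` has to regrow; use `csvInstallModes := make([]v1alpha1.InstallMode, 0, len(installModes))`. Inside a function body `installModes := []v1alpha1.InstallModeType{...}` is the idiomatic form of `var installModes = ...`. Any value in `installModeType` outside those four is now silently dropped from `csv.Spec.InstallModes` instead of being emitted; for a test helper that is probably acceptable, but a short doc comment stating that the CSV always lists all four modes with `Supported` derived from the arguments would save the next reader from inferring it.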
diff --git a/internal/operator-controller/rukpak/util/testing/testing_test.go b/internal/operator-controller/rukpak/util/testing/testing_test.go index c8744cfa0..703cc0018 100644 --- a/internal/operator-controller/rukpak/util/testing/testing_test.go +++ b/internal/operator-controller/rukpak/util/testing/testing_test.go @@ -209,6 +209,14 @@ func Test_MakeCSV_WithInstallModeSupportFor(t *testing.T) { Type: v1alpha1.InstallModeTypeSingleNamespace, Supported: true, }, + { + Type: v1alpha1.InstallModeTypeMultiNamespace, + Supported: false, + }, + { + Type: v1alpha1.InstallModeTypeOwnNamespace, + Supported: false, + }, }, }, }, csv) diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index cb0ace956..3724dbee2 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -648,7 +648,7 @@ spec: phases: description: |- Phases are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. + All objects in the phase will have to pass their probes in order to progress to the next phase. items: description: |- ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. @@ -713,15 +713,17 @@ spec: - message: previous is immutable rule: self == oldSelf revision: - description: Revision number orders changes over time, must always - be previous revision +1. + description: |- + Revision is a sequence number representing a specific revision of the ClusterExtension instance. + Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. format: int64 + minimum: 1 type: integer x-kubernetes-validations: - message: revision is immutable rule: self == oldSelf required: - - phases - revision type: object status: 
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 9621e6a1a..69128a8b7 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -613,7 +613,7 @@ spec: phases: description: |- Phases are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. + All objects in the phase will have to pass their probes in order to progress to the next phase. items: description: |- ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. @@ -678,15 +678,17 @@ spec: - message: previous is immutable rule: self == oldSelf revision: - description: Revision number orders changes over time, must always - be previous revision +1. + description: |- + Revision is a sequence number representing a specific revision of the ClusterExtension instance. + Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. format: int64 + minimum: 1 type: integer x-kubernetes-validations: - message: revision is immutable rule: self == oldSelf required: - - phases - revision type: object status: diff --git a/openshift/operator-controller/manifests-experimental.yaml b/openshift/operator-controller/manifests-experimental.yaml index c09c43e0c..a093720da 100644 --- a/openshift/operator-controller/manifests-experimental.yaml +++ b/openshift/operator-controller/manifests-experimental.yaml 
@@ -142,7 +142,7 @@ spec: phases: description: |- Phases are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. + All objects in the phase will have to pass their probes in order to progress to the next phase. items: description: |- ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. @@ -204,14 +204,17 @@ spec: - message: previous is immutable rule: self == oldSelf revision: - description: Revision number orders changes over time, must always be previous revision +1. + description: |- + Revision is a sequence number representing a specific revision of the ClusterExtension instance. + Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. format: int64 + minimum: 1 type: integer x-kubernetes-validations: - message: revision is immutable rule: self == oldSelf required: - - phases - revision type: object status: diff --git a/openshift/operator-controller/manifests-experimental/05-customresourcedefinition-clusterextensionrevisions.olm.operatorframework.io.yml b/openshift/operator-controller/manifests-experimental/05-customresourcedefinition-clusterextensionrevisions.olm.operatorframework.io.yml index 363fecdb9..7348adc3e 100644 --- a/openshift/operator-controller/manifests-experimental/05-customresourcedefinition-clusterextensionrevisions.olm.operatorframework.io.yml +++ b/openshift/operator-controller/manifests-experimental/05-customresourcedefinition-clusterextensionrevisions.olm.operatorframework.io.yml 
@@ -55,7 +55,7 @@ spec: phases: description: |- Phases are groups of objects that will be applied at the same time. - All objects in the a phase will have to pass their probes in order to progress to the next phase. + All objects in the phase will have to pass their probes in order to progress to the next phase. items: description: |- ClusterExtensionRevisionPhase are groups of objects that will be applied at the same time. @@ -117,14 +117,17 @@ spec: - message: previous is immutable rule: self == oldSelf revision: - description: Revision number orders changes over time, must always be previous revision +1. + description: |- + Revision is a sequence number representing a specific revision of the ClusterExtension instance. + Must be positive. Each ClusterExtensionRevision of the same parent ClusterExtension needs to have + a unique value assigned. It is immutable after creation. The new revision number must always be previous revision +1. format: int64 + minimum: 1 type: integer x-kubernetes-validations: - message: revision is immutable rule: self == oldSelf required: - - phases - revision type: object status: diff --git a/requirements.txt b/requirements.txt index ec821077a..8d703a058 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ cssselect==1.3.0 ghp-import==2.1.0 idna==3.10 Jinja2==3.1.6 -lxml==6.0.1 +lxml==6.0.2 Markdown==3.9 markdown2==2.5.4 MarkupSafe==3.0.2 @@ -27,7 +27,7 @@ python-dateutil==2.9.0.post0 PyYAML==6.0.2 pyyaml_env_tag==1.1 readtime==3.0.0 -regex==2025.9.1 +regex==2025.9.18 requests==2.32.5 six==1.17.0 soupsieve==2.8 diff --git a/test/e2e/metrics_test.go b/test/e2e/metrics_test.go index a95f16c2c..e41827987 100644 --- a/test/e2e/metrics_test.go +++ b/test/e2e/metrics_test.go 
@@ -129,7 +129,7 @@ func (c *MetricsTestConfig) getServiceAccountToken(t *testing.T) string { func (c *MetricsTestConfig) createCurlMetricsPod(t *testing.T) { t.Logf("Creating curl pod (%s/%s) to validate the metrics endpoint", c.namespace, c.curlPodName) cmd := exec.Command(c.client, "run", c.curlPodName, - "--image=curlimages/curl:8.15.0", + "--image=quay.io/curl/curl:8.15.0", "--namespace", c.namespace, "--restart=Never", "--overrides", `{ @@ -137,7 +137,7 @@ func (c *MetricsTestConfig) createCurlMetricsPod(t *testing.T) { "terminationGradePeriodSeconds": 0, "containers": [{ "name": "curl", - "image": "curlimages/curl:8.15.0", + "image": "quay.io/curl/curl:8.15.0", "command": ["sh", "-c", "sleep 3600"], "securityContext": { "allowPrivilegeEscalation": false, diff --git a/test/utils.go b/test/utils.go new file mode 100644 index 000000000..22a50b2b8 --- /dev/null +++ b/test/utils.go 
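Review bot: The curl image is still referenced by mutable tag only, `quay.io/curl/curl:8.15.0`, in both this hunk and the `--overrides` JSON hunk below it, so the e2e pod's image can change underneath the test; pinning by digest (`quay.io/curl/curl:8.15.0@sha256:<digest-placeholder>`) makes the run reproducible, and keeping the reference in one constant such as `const curlImage = "quay.io/curl/curl:8.15.0"` used for the `--image` flag and templated into the overrides JSON avoids the duplicated literal. Separately, the unchanged context line `"terminationGradePeriodSeconds": 0` in the second hunk looks like a typo for `terminationGracePeriodSeconds`, so that override likely has no effect. `createCurlMetricsPod` continues past the end of the hunk.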
@@ -0,0 +1,54 @@
+package test
+
+import (
+ "os"
+ "path"
+ "path/filepath"
+ "runtime"
+
+ "sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+// NewEnv creates a new envtest.Environment instance.
+func NewEnv() *envtest.Environment {
+ testEnv := &envtest.Environment{
+ CRDDirectoryPaths: []string{
+ pathFromProjectRoot("helm/olmv1/base/operator-controller/crd/experimental"),
+ },
+ ErrorIfCRDPathMissing: true,
+ }
+ // ENVTEST-based tests require specific binaries. By default, these binaries are located
+ // in paths defined by controller-runtime. However, the `BinaryAssetsDirectory` needs
+ // to be explicitly set when running tests directly (e.g., debugging tests in an IDE)
+ // without using the Makefile targets.
+ //
+ // This is equivalent to configuring your IDE to export the `KUBEBUILDER_ASSETS` environment
+ // variable before each test execution. The following function simplifies this process
+ // by handling the configuration for you.
+ //
+ // To ensure the binaries are in the expected path without manual configuration, run:
+ // `make envtest-k8s-bins`
+ if getFirstFoundEnvTestBinaryDir() != "" {
+ testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir()
+ }
+ return testEnv
+}
+
+// pathFromProjectRoot returns the absolute path to the given relative path from the project root.
+func pathFromProjectRoot(relativePath string) string {
+ _, filename, _, _ := runtime.Caller(0)
+ p := path.Join(path.Dir(path.Dir(filename)), relativePath)
+ return p
+}
+
+// getFirstFoundEnvTestBinaryDir finds and returns the first directory under the given path.
+func getFirstFoundEnvTestBinaryDir() string {
+ basePath := pathFromProjectRoot(filepath.Join("bin", "envtest-binaries", "k8s"))
+ entries, _ := os.ReadDir(basePath)
+ for _, entry := range entries {
+ if entry.IsDir() {
+ return filepath.Join(basePath, entry.Name())
+ }
+ }
+ return ""
+}
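Review bot: `pathFromProjectRoot` builds an OS filesystem path with `path.Join`/`path.Dir` while `getFirstFoundEnvTestBinaryDir` in the same file uses `filepath`; `path` is for slash-separated URL-style paths, so `filepath.Join(filepath.Dir(filepath.Dir(filename)), relativePath)` is the correct and consistent form. `NewEnv` calls `getFirstFoundEnvTestBinaryDir()` twice and so scans the directory twice; `if dir := getFirstFoundEnvTestBinaryDir(); dir != "" { testEnv.BinaryAssetsDirectory = dir }` does it once. The discarded error from `os.ReadDir` appears to be a deliberate best-effort fallback to controller-runtime's default binary lookup, so it deserves a justifying comment such as `// a missing directory is fine: fall back to envtest's default binary lookup`, and the doc comment "under the given path" does not match the parameterless signature — say `under bin/envtest-binaries/k8s` instead. Note also that `os.ReadDir` returns entries sorted by name, so with several installed versions the lexically first one wins, and that `runtime.Caller(0)` reports the compile-time file path, which becomes relative under `-trimpath`; probably harmless for `go test` but worth a comment.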