From 4c4684f92b6a018c796616f96ce023a02c64ce17 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 12 Sep 2025 13:56:59 -0400 Subject: [PATCH] Use control-plane selectors in network-policies and tests for now Until downstream is ready to use the "app.kubernetes.io/name" selector, continue to use the "control-plane" selector in the tests. Change the network-policies to use a "control-plane" selector (which is still on pods because the Deployment selector is immutable). This includes a revert of "Use old and new pod selectors during kustomize-to-helm transition" This reverts #2214 This reverts commit 6e22e2b0595176c02df054566fc2b0c1f7fd3591. --- ...mv1-system-catalogd-controller-manager.yml | 2 +- ...operator-controller-controller-manager.yml | 2 +- manifests/experimental-e2e.yaml | 4 +-- manifests/experimental.yaml | 4 +-- manifests/standard-e2e.yaml | 4 +-- manifests/standard.yaml | 4 +-- test/e2e/metrics_test.go | 26 ++++++++----------- test/e2e/network_policy_test.go | 11 +++----- 8 files changed, 25 insertions(+), 32 deletions(-) diff --git a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml index 9c63ab376..803e2c594 100644 --- a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -22,7 +22,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager policyTypes: - Ingress - Egress diff --git a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml index e91a7e55d..fc85c57b8 100644 
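Review bot: The `podSelector` in the catalogd NetworkPolicy template now depends on the `control-plane: catalogd-controller-manager` label, and nothing beside it says which object has to carry that label. A NetworkPolicy whose selector matches no pod is accepted by the API server and enforces nothing, so label drift on the Deployment's pod template would leave those pods outside this policy without any error. I would add a comment above `matchLabels`, e.g. `# Must equal the control-plane label on the catalogd Deployment pod template; if no pod matches, this policy enforces nothing.` The same applies to the operator-controller template in the next file section. The rest of the policy spec lies outside the hunk.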
--- a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml @@ -18,7 +18,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager policyTypes: - Ingress - Egress diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 8f2dfe197..9fd345a3d 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager policyTypes: - Ingress - Egress diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 4e5f80c74..9658b7de8 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager policyTypes: - Ingress - Egress diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index ca7a68e05..3a8518092 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager policyTypes: - Ingress - Egress 
@@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager policyTypes: - Ingress - Egress diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 76b0d4f2a..55f0e28c3 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager policyTypes: - Ingress - Egress diff --git a/test/e2e/metrics_test.go b/test/e2e/metrics_test.go index 54ff41201..a95f16c2c 100644 --- a/test/e2e/metrics_test.go +++ b/test/e2e/metrics_test.go @@ -32,7 +32,7 @@ import ( func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, operatorManagerSelector) + componentNamespace := getComponentNamespace(t, client, "control-plane=operator-controller-controller-manager") metricsURL := fmt.Sprintf("https://operator-controller-service.%s.svc.cluster.local:8443/metrics", componentNamespace) config := NewMetricsTestConfig( @@ -52,7 +52,7 @@ func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { func TestCatalogdMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, catalogdManagerSelector) + componentNamespace := getComponentNamespace(t, client, "control-plane=catalogd-controller-manager") metricsURL := fmt.Sprintf("https://catalogd-service.%s.svc.cluster.local:7443/metrics", componentNamespace) config := NewMetricsTestConfig( 
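Review bot: Both `getComponentNamespace` calls in metrics_test.go now pass the selector as a string literal, although this same patch adds `operatorManagerSelector` and `catalogdManagerSelector` as string constants with identical values in network_policy_test.go. Assuming both files are in the same e2e package (the removed lines already referenced those names), the calls can stay as `getComponentNamespace(t, client, operatorManagerSelector)` and `getComponentNamespace(t, client, catalogdManagerSelector)`. That leaves one place to edit when the selector moves to `app.kubernetes.io/name`, so the metrics tests cannot end up looking for a different label than the one the network policies select on. Both test functions continue outside their hunks.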
@@ -231,20 +231,16 @@ func createRandomNamespace(t *testing.T, client string) string { } // getComponentNamespace returns the namespace where operator-controller or catalogd is running -func getComponentNamespace(t *testing.T, client string, selectors []string) string { - for _, selector := range selectors { - cmd := exec.Command(client, "get", "pods", "--all-namespaces", "--selector="+selector, "--output=jsonpath={.items[0].metadata.namespace}") - output, err := cmd.CombinedOutput() - if err != nil { - continue - } - namespace := string(bytes.TrimSpace(output)) - if namespace != "" { - return namespace - } +func getComponentNamespace(t *testing.T, client, selector string) string { + cmd := exec.Command(client, "get", "pods", "--all-namespaces", "--selector="+selector, "--output=jsonpath={.items[0].metadata.namespace}") + output, err := cmd.CombinedOutput() + require.NoError(t, err, "Error determining namespace: %s", string(output)) + + namespace := string(bytes.TrimSpace(output)) + if namespace == "" { + t.Fatal("No namespace found for selector " + selector) } - t.Fatalf("No namespace found for selectors: %v", selectors) - return "" + return namespace } func stdoutAndCombined(cmd *exec.Cmd) ([]byte, []byte, error) { diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go index ad35e72cb..00143df41 100644 --- a/test/e2e/network_policy_test.go +++ b/test/e2e/network_policy_test.go 
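Review bot: The namespace in the new `getComponentNamespace` is taken from `cmd.CombinedOutput()`, so anything the client writes to stderr on a successful run (a deprecation or kubeconfig warning, for example) becomes part of the returned string and then of the metrics URL built from it. The file already has `stdoutAndCombined` directly below; assuming it returns stdout first and the combined stream second, the body could read `stdout, combined, err := stdoutAndCombined(cmd)`, report `string(combined)` in the `require.NoError` message, and use `bytes.TrimSpace(stdout)` for the namespace. A `t.Helper()` call as the first statement would also make failures point at the calling test. Separately, `.items[0]` with `--all-namespaces` takes whichever matching pod is listed first, so a stray pod carrying the same `control-plane` label in another namespace would be picked up silently.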
@@ -20,17 +20,14 @@ import ( const ( minJustificationLength = 40 + catalogdManagerSelector = "control-plane=catalogd-controller-manager" + operatorManagerSelector = "control-plane=operator-controller-controller-manager" catalogdMetricsPort = 7443 catalogdWebhookPort = 9443 catalogServerPort = 8443 operatorControllerMetricsPort = 8443 ) -var ( - catalogdManagerSelector = []string{"app.kubernetes.io/name=catalogd", "control-plane=catalogd-controller-manager"} - operatorManagerSelector = []string{"app.kubernetes.io/name=operator-controller", "control-plane=operator-controller-controller-manager"} -) - type portWithJustification struct { port []networkingv1.NetworkPolicyPort justification string @@ -91,7 +88,7 @@ var prometheuSpec = allowedPolicyDefinition{ // Ref: https://docs.google.com/document/d/1bHEEWzA65u-kjJFQRUY1iBuMIIM1HbPy4MeDLX4NI3o/edit?usp=sharing var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ "catalogd-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "catalogd"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{ @@ -119,7 +116,7 @@ var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ }, }, "operator-controller-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "operator-controller"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{