Update NSS metadata to pass RH certification (#364)

* update NSS metadata to pass RH certification

Signed-off-by: YuChen <[email protected]>

* add opernshift annotation

Signed-off-by: YuChen <[email protected]>

* update image in config manager

Signed-off-by: YuChen <[email protected]>

---------

Signed-off-by: YuChen <[email protected]>

Author: YCShen1010

Dockerfile

@@ -25,6 +25,7 @@ FROM docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-l
 
 ARG VCS_REF
 ARG VCS_URL
+ARG RELEASE_VERSION
 
 LABEL org.label-schema.vendor="IBM" \
   org.label-schema.name="IBM Namespace Scope Operator" \
@@ -34,7 +35,10 @@ LABEL org.label-schema.vendor="IBM" \
   org.label-schema.license="Licensed Materials - Property of IBM" \
   org.label-schema.schema-version="1.0" \
   name="IBM Namespace Scope Operator" \
+  maintainer="IBM" \
   vendor="IBM" \
+  version=$RELEASE_VERSION \
+  release=$RELEASE_VERSION \
   description="This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster." \
   summary="This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster."
 

Makefile

@@ -22,6 +22,7 @@ KUSTOMIZE ?= $(shell which kustomize)
 YQ_VERSION=3.4.0
 KUSTOMIZE_VERSION=v3.8.7
 OPERATOR_SDK_VERSION=v1.32.0
+OPENSHIFT_VERSIONS ?= v4.12-v4.17
 
 GOPATH=$(HOME)/go/bin/
 
@@ -64,6 +65,7 @@ endif
 
 # Default image repo
 QUAY_REGISTRY ?= quay.io/opencloudio
+ICR_REIGSTRY ?= icr.io/cpopen
 
 ifeq ($(BUILD_LOCALLY),0)
 ARTIFACTORYA_REGISTRY ?= "docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-integration-docker-local/ibmcom"
@@ -75,11 +77,9 @@ endif
 OPERATOR_IMAGE_NAME ?= ibm-namespace-scope-operator
 # Current Operator bundle image name
 BUNDLE_IMAGE_NAME ?= ibm-namespace-scope-operator-bundle
-# Current Operator version
-OPERATOR_VERSION ?= 4.2.13
 
 # Options for 'bundle-build'
-CHANNELS ?= v4.0
+CHANNELS ?= v4.2
 DEFAULT_CHANNEL ?= v4.0
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS := --channels=$(CHANNELS)
@@ -89,8 +89,8 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
 endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true"
+# Generate CRDs using v1, which is the recommended version for Kubernetes 1.16+.
+CRD_OPTIONS ?= "crd:crdVersions=v1"
 
 ifeq ($(BUILD_LOCALLY),0)
     export CONFIG_DOCKER_TARGET = config-docker
@@ -125,11 +125,11 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
 deploy: manifests ## Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-	cd config/manager && $(KUSTOMIZE) edit set image ibm-namespace-scope-operator=$(QUAY_REGISTRY)/$(OPERATOR_IMAGE_NAME):$(OPERATOR_VERSION)
+	cd config/manager && $(KUSTOMIZE) edit set image icr.io/cpopen/ibm-namespace-scope-operator=$(QUAY_REGISTRY)/$(OPERATOR_IMAGE_NAME):$(RELEASE_VERSION)
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
 undeploy: ## Undeploy controller in the configured Kubernetes cluster in ~/.kube/config
-	cd config/manager && $(KUSTOMIZE) edit set image ibm-namespace-scope-operator=$(QUAY_REGISTRY)/$(OPERATOR_IMAGE_NAME):$(OPERATOR_VERSION)
+	cd config/manager && $(KUSTOMIZE) edit set image icr.io/cpopen/ibm-namespace-scope-operator=$(QUAY_REGISTRY)/$(OPERATOR_IMAGE_NAME):$(RELEASE_VERSION)
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 
 kustomize: ## Install kustomize
@@ -190,10 +190,12 @@ generate: controller-gen ## Generate code e.g. API etc.
 generate-csv-manifests: operator-sdk ## Generate CSV manifests
 	$(OPERATOR_SDK) generate kustomize manifests
 
-bundle: clis generate manifests ## Generate bundle manifests
+bundle: clis generate manifests ## Generate bundle manifests	
 	# Generate bundle manifests
-	- $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle \
-	-q --version $(OPERATOR_VERSION) $(BUNDLE_METADATA_OPTS)
+	cd config/manager && $(KUSTOMIZE) edit set image icr.io/cpopen/ibm-namespace-scope-operator=$(ICR_REIGSTRY)/$(OPERATOR_IMAGE_NAME):$(RELEASE_VERSION)
+	$(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle \
+	-q --version $(RELEASE_VERSION) $(BUNDLE_METADATA_OPTS)
+	- sed -i '$$a\\n# OpenShift annotations.\n  com.redhat.openshift.versions: $(OPENSHIFT_VERSIONS)' bundle/metadata/annotations.yaml
 	- $(OPERATOR_SDK) bundle validate ./bundle
 
 ##@ Test

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=ibm-namespace-scope-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=v4.2
-LABEL operators.operatorframework.io.bundle.channel.default.v1=v4.2
+LABEL operators.operatorframework.io.bundle.channel.default.v1=v4.0
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v2

bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml

@@ -22,21 +22,21 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    containerImage: icr.io/cpopen/ibm-namespace-scope-operator:latest
-    createdAt: "2024-05-23T08:24:14Z"
-    olm.skipRange: '<4.2.13'
-    operators.openshift.io/infrastructure-features: '["disconnected"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.32.0
-    operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
-    repository: https://github.com/IBM/ibm-namespace-scope-operator
-    support: IBM
+    containerImage: icr.io/cpopen/ibm-namespace-scope-operator:4.2.13
+    createdAt: "2025-02-18T22:27:02Z"
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
     features.operators.openshift.io/proxy-aware: "false"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
+    olm.skipRange: <4.2.13
+    operators.openshift.io/infrastructure-features: '["disconnected"]'
+    operators.operatorframework.io/builder: operator-sdk-v1.32.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
+    repository: https://github.com/IBM/ibm-namespace-scope-operator
+    support: IBM
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.ppc64le: supported
@@ -132,7 +132,7 @@ spec:
                     fieldRef:
                       apiVersion: v1
                       fieldPath: metadata.namespace
-                image: icr.io/cpopen/ibm-namespace-scope-operator:latest
+                image: icr.io/cpopen/ibm-namespace-scope-operator:4.2.13
                 imagePullPolicy: IfNotPresent
                 name: ibm-namespace-scope-operator
                 resources:
@@ -144,15 +144,15 @@ spec:
                     ephemeral-storage: 256Mi
                     memory: 200Mi
                 securityContext:
-                  seccompProfile:
-                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     drop:
                     - ALL
                   privileged: false
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               serviceAccountName: ibm-namespace-scope-operator
               terminationGracePeriodSeconds: 10
       permissions:

bundle/manifests/operator.ibm.com_namespacescopes.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    controller-gen.kubebuilder.io/version: v0.17.2
   creationTimestamp: null
   name: namespacescopes.operator.ibm.com
 spec:
@@ -22,14 +22,19 @@ spec:
         description: NamespaceScope is the Schema for the namespacescopes API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -51,7 +56,8 @@ spec:
                 - enable
                 type: object
               license:
-                description: LicenseAcceptance defines the license specification in CSV
+                description: LicenseAcceptance defines the license specification in
+                  CSV
                 properties:
                   accept:
                     description: 'Accepting the license - URL: https://ibm.biz/integration-licenses'
@@ -60,18 +66,18 @@ spec:
                     description: The license key for this deployment.
                     type: string
                   license:
-                    description: The license being accepted where the component has multiple.
+                    description: The license being accepted where the component has
+                      multiple.
                     type: string
                   use:
                     description: The type of license being accepted.
                     type: string
                 type: object
               manualManagement:
-                description: Set the following to true to manually manage permissions
-                  for the NamespaceScope operator to extend control over other namespaces
-                  The operator may fail when trying to extend permissions to other
-                  namespaces, but the cluster administrator can correct this using
-                  the authorize-namespace command.
+                description: |-
+                  Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces
+                  The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the
+                  authorize-namespace command.
                 type: boolean
               namespaceMembers:
                 description: Namespaces that are part of this scope
@@ -126,5 +132,5 @@ status:
   acceptedNames:
     kind: ""
     plural: ""
-  conditions: []
-  storedVersions: []
+  conditions: null
+  storedVersions: null

bundle/metadata/annotations.yaml

@@ -4,12 +4,15 @@ annotations:
   operators.operatorframework.io.bundle.manifests.v1: manifests/
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: ibm-namespace-scope-operator
-  operators.operatorframework.io.bundle.channels.v1: v4.0
+  operators.operatorframework.io.bundle.channels.v1: v4.2
   operators.operatorframework.io.bundle.channel.default.v1: v4.0
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.31.0
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v2
 
   # Annotations for testing.
   operators.operatorframework.io.test.mediatype.v1: scorecard+v1
   operators.operatorframework.io.test.config.v1: tests/scorecard/
+
+# OpenShift annotations.
+  com.redhat.openshift.versions: v4.12-v4.17

config/crd/bases/operator.ibm.com_namespacescopes.yaml

@@ -1,11 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: namespacescopes.operator.ibm.com
 spec:
   group: operator.ibm.com
@@ -24,21 +22,32 @@ spec:
         description: NamespaceScope is the Schema for the namespacescopes API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
             description: NamespaceScopeSpec defines the desired state of NamespaceScope
             properties:
               configmapName:
-                description: ConfigMap name that will contain the list of namespaces to be watched
+                description: ConfigMap name that will contain the list of namespaces
+                  to be watched
                 type: string
               csvInjector:
-                description: When CSVInjector is enabled, operator will inject the watch namespace list into operator csv.
+                description: When CSVInjector is enabled, operator will inject the
+                  watch namespace list into operator csv.
                 properties:
                   enable:
                     default: true
@@ -47,7 +56,8 @@ spec:
                 - enable
                 type: object
               license:
-                description: LicenseAcceptance defines the license specification in CSV
+                description: LicenseAcceptance defines the license specification in
+                  CSV
                 properties:
                   accept:
                     description: 'Accepting the license - URL: https://ibm.biz/integration-licenses'
@@ -56,14 +66,18 @@ spec:
                     description: The license key for this deployment.
                     type: string
                   license:
-                    description: The license being accepted where the component has multiple.
+                    description: The license being accepted where the component has
+                      multiple.
                     type: string
                   use:
                     description: The type of license being accepted.
                     type: string
                 type: object
               manualManagement:
-                description: Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the authorize-namespace command.
+                description: |-
+                  Set the following to true to manually manage permissions for the NamespaceScope operator to extend control over other namespaces
+                  The operator may fail when trying to extend permissions to other namespaces, but the cluster administrator can correct this using the
+                  authorize-namespace command.
                 type: boolean
               namespaceMembers:
                 description: Namespaces that are part of this scope
@@ -73,10 +87,12 @@ spec:
               restartLabels:
                 additionalProperties:
                   type: string
-                description: Restart pods with the following labels when the namespace list changes
+                description: Restart pods with the following labels when the namespace
+                  list changes
                 type: object
               serviceAccountMembers:
-                description: ServiceAccountMembers are extra service accounts will be bond the roles from other namespaces
+                description: ServiceAccountMembers are extra service accounts will
+                  be bond the roles from other namespaces
                 items:
                   type: string
                 type: array
@@ -116,5 +132,5 @@ status:
   acceptedNames:
     kind: ""
     plural: ""
-  conditions: []
-  storedVersions: []
+  conditions: null
+  storedVersions: null

config/manager/kustomization.yaml

@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: icr.io/cpopen/ibm-namespace-scope-operator
+  newName: icr.io/cpopen/ibm-namespace-scope-operator
+  newTag: 4.2.13

config/manager/manager.yaml

@@ -46,7 +46,7 @@ spec:
       containers:
       - command:
         - /namespace-scope-operator-manager
-        image: icr.io/cpopen/ibm-namespace-scope-operator:latest
+        image: icr.io/cpopen/ibm-namespace-scope-operator:4.2.13
         imagePullPolicy: IfNotPresent
         name: ibm-namespace-scope-operator
         env:

config/manifests/bases/ibm-namespace-scope-operator.clusterserviceversion.yaml

@@ -4,8 +4,9 @@ metadata:
   annotations:
     alm-examples: '[]'
     capabilities: Seamless Upgrades
-    containerImage: icr.io/cpopen/ibm-namespace-scope-operator:latest
+    containerImage: icr.io/cpopen/ibm-namespace-scope-operator:4.2.13
     createdAt: "2020-11-2T15:38:33Z"
+    olm.skipRange: '<4.2.13'
     operators.openshift.io/infrastructure-features: '["disconnected"]'
     operators.operatorframework.io/builder: operator-sdk-v1.1.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v2