Update README.md to include csvInjector info (#99)

Add additional clarification on the following:
1.  It's relationship to the Operator SDK, OLM and OperatorGroups.
2. The new csvInjector capability 
3. How to install independently without common services into any Operator namespace.

Author: cdjohnson

README.md

@@ -1,8 +1,8 @@
 # namespaceScope - Manage operator and operand authority across namespaces
 
-This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster.
+This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster, which is similar, but complementary to `OperatorGroups` that are available with Operator Lifecycle Manager (OLM).  By using the `NamespaceScope` operator with the `Own Namespace` `OperatorGroup` install mode, you can more easily manage the security domain of your Operators and the Operand namespaces.
 
-The operator runs in the namespace whose operator WATCH statements and roles/rolebindings are to be extended to other namespaces as specified in a NamespaceScope CR.
+The `NamespaceScope` operator runs in the namespace whose operator's `WATCH_NAMESPACES` and `Roles`/`RoleBindings` are to be extended to other namespaces (the Operand namespaces) as specified in a NamespaceScope CR.  `WATCH_NAMESPACES` is an enviromental variable that the Operator SDK uses in conjunction with OLM `ClusterServiceVersion` deployment to identify which namespaces to watch.  OLM will inject the namespaces into an annotation into the Operator's Deployment resource and then use the downward API to pass those values into the `WATCH_NAMESPACES` environment variable.  To avoid conflicts with OLM, the `NamespaceScope` operator instead stores the watched namespace list in a user-configurable `ConfigMap` and the Deployment instead mounts this `ConfigMap` as an environment variable.
 
 A sample CR is below:
 
@@ -23,26 +23,21 @@ spec:
   # Restart pods with the following labels when the namespace list changes
   restartLabels:
     intent: projected
+    
+  # Automatically inject the configmap into the ClusterServiceVersion, overriding the OLM OperatorGroup membership for those operators that have
+  # the nss.operator.ibm.com/managed-operators annotation defined.  This annotation is a comma-separate list of OLM operator package names that should
+  # be honored.  This should include the package of itself and any dependent operators that cannot be annotated (e.g. third-party operators)
+  csvInjector:
+    enable: true
   ```
 
 - The **namespaceMembers** contains a list of other namespace in the cluster that:
   - should be watched by operators running in the current namespace
-  - to which roles and rolebindings for service accounts in the current namespace should be authorized for service accounts in this namespace
+  - to which `Roles` and `RoleBindings` for `ServiceAccounts` in the current namespace should be authorized for `ServiceAccounts` in this namespace
 
 - The **namespaceMembers** list ALWAYS contains the current namespace whether specifically listed or not (it is implicit)
 
-- The **configmapName** identifies a ConfigMap that is created to contain a common-separated list of the namespaces to be watched in its **namespaces** key.  All operators that want to participate in namespace extension should be configured to watch the key on this configmap.  An example of this is in the operator deployment fragment below (the latest operator SDK support watching multiple namespaces in a comma-separated list). The configmap is created and maintained ONLY by the NamespaceScope operator.
-
-    ```
-    ...
-    env:
-      - name: WATCH_NAMESPACE
-        valueFrom:
-          configMapKeyRef:
-            name: namespace-scope
-            key: namespaces
-    ...
-    ```
+- The **configmapName** identifies a `ConfigMap` that is created to contain a common-separated list of the namespaces to be watched in its **namespaces** key.  
 
 - The **restartLabels** list specifies the labels for operator pods that are to be restarted when the namespace-scope list changes so they can reset their WATCH parameters.  The default label is "intent=projected". All operator Pods that are configured as above should also be labelled so that the operator will auto-restart them the configmap changes the list of namespaces to watch.  An example of this label is below.
 
@@ -64,7 +59,26 @@ spec:
         spec:
         ...
     ```
+- The **csvInjector** (default is false / disabled) automatically modifies any `ClusterServiceVersion` that appears in the current namespace with the `nss.operator.ibm.com/managed-operators` annotation to consume the `NamespaceScope` operator's `ConfigMap` specified by `configmapName` instead of the traditional downward API syntax scaffolded by the Operator SDK, allowing uninstrumented Operators to read the `NamespaceScope` watch namespaces.
 
+The following is an example of what is added and overridden in all `ClusterServiceVersion` resources in the namespace:
+
+    ```
+    ...
+    # This annotation must be added to the CSV for injection to occur.  Include THIS operator package and any dependant packages.
+    metadata:
+      annotations:
+        nss.operator.ibm.com/managed-operators: "my-operator1,my-thirdparty-operator"
+    ...
+    # This is injected
+    env:
+      - name: WATCH_NAMESPACE
+        valueFrom:
+          configMapKeyRef:
+            name: namespace-scope
+            key: namespaces
+    ...
+    ```
 
 ## How does it work
 
@@ -137,25 +151,59 @@ When the `NamespaceScope` CR is created/updated, it will:
     ```
 
 
-## How to manually deploy it
+## How to manually deploy the NamespaceScope Operator
 
 NOTE: This operator is part of the IBM Common Services and will be automatically installed. Following commands are only applicable when you want to deploy it without IBM Common Services.
 
+In this example, the `my-operators` namespace is the namespace that will contain your OLM-Deployed operators:
+
 ```
 git clone https://github.com/IBM/ibm-namespace-scope-operator.git
 cd ibm-namespace-scope-operator
 
-oc create ns ibm-common-services
+oc create ns my-operators
 
 oc apply -f deploy/operator.ibm.com_namespacescopes.yaml
-oc -n ibm-common-services apply -f deploy/service_account.yaml
-oc -n ibm-common-services apply -f deploy/role.yaml
-oc -n ibm-common-services apply -f deploy/role_binding.yaml
-oc -n ibm-common-services apply -f deploy/operator.yaml
+oc -n my-operators apply -f deploy/service_account.yaml
+oc -n my-operators apply -f deploy/role.yaml
+oc -n my-operators apply -f deploy/role_binding.yaml
+oc -n my-operators apply -f deploy/operator.yaml
+```
+
+Once the Operator is deployed, create a `NamespaceScope` custom resource (CR) in the Operators namespace to watch other Operand namespaces:
+
+```
+oc create ns my-operand-tenant1
+oc create ns my-operand-tenant2
+
+cat <<EOF | oc apply -n my-operators -f -
+apiVersion: operator.ibm.com/v1
+kind: NamespaceScope
+metadata:
+  name: my-operator
+spec:
+  # Namespaces that are part of this scope
+  namespaceMembers:
+  - my-operand-tenant1
+  - my-operand-tenant1
+
+  # ConfigMap name that will contain the list of namespaces to be watched
+  configmapName: namespace-scope
 
-oc -n ibm-common-services apply -f deploy/cr.yaml
+  # Restart pods with the following labels when the namespace list changes
+  restartLabels:
+    intent: projected
+
+  # Automatically inject the configmap into the ClusterServiceVersion, overriding the OLM OperatorGroup membership for those operators that have
+  # the nss.operator.ibm.com/managed-operators annotation defined.  This annotation is a comma-separate list of OLM operator package names that should
+  # be honored.  This should include the package of itself and any dependent operators that cannot be annotated (e.g. third-party operators)
+  csvInjector:
+    enable: true
+
+EOF
 ```
 
+
 ## Authorization and Permissions
 
 The **authorize-namespace.sh** script in the `scripts/` directory is used to set up roles and binding in a target namespace.