openshift · bertinatto · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025
diff --git a/Makefile b/Makefile
@@ -7,6 +7,7 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
 	targets/openshift/images.mk \
 	targets/openshift/deps.mk \
 	targets/openshift/operator/telepresence.mk \
+	targets/openshift/operator/mom.mk \
 )
 
 # Exclude e2e tests from unit testing

diff --git a/cmd/cluster-kube-controller-manager-operator/main.go b/cmd/cluster-kube-controller-manager-operator/main.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"k8s.io/cli-runtime/pkg/genericiooptions"
 	"k8s.io/component-base/cli"
 
 	"github.com/openshift/library-go/pkg/operator/staticpod/certsyncpod"
@@ -16,6 +17,7 @@ import (
 	"github.com/openshift/cluster-kube-controller-manager-operator/pkg/cmd/recoverycontroller"
 	"github.com/openshift/cluster-kube-controller-manager-operator/pkg/cmd/render"
 	"github.com/openshift/cluster-kube-controller-manager-operator/pkg/cmd/resourcegraph"
+	"github.com/openshift/cluster-kube-controller-manager-operator/pkg/cmd/mom"
 	"github.com/openshift/cluster-kube-controller-manager-operator/pkg/operator"
 )
 
@@ -35,13 +37,18 @@ func NewSSCSCommand(ctx context.Context) *cobra.Command {
 		},
 	}
 
+	ioStreams := genericiooptions.IOStreams{In: os.Stdin, Out: os.Stdout, ErrOut: os.Stderr}
+
 	cmd.AddCommand(operatorcmd.NewOperator())
 	cmd.AddCommand(render.NewRenderCommand(nil))
 	cmd.AddCommand(installerpod.NewInstaller(ctx))
 	cmd.AddCommand(prune.NewPrune())
 	cmd.AddCommand(resourcegraph.NewResourceChainCommand())
 	cmd.AddCommand(certsyncpod.NewCertSyncControllerCommand(operator.CertConfigMaps, operator.CertSecrets))
 	cmd.AddCommand(recoverycontroller.NewCertRecoveryControllerCommand(ctx))
+	cmd.AddCommand(mom.NewInputResourcesCommand(ioStreams))
+	cmd.AddCommand(mom.NewOutputResourcesCommand(ioStreams))
+	cmd.AddCommand(mom.NewApplyConfigurationCommand(ioStreams))
 
 	return cmd
 }
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
 	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
 	github.com/openshift/library-go v0.0.0-20251104164011-e9c2485b059c
+	github.com/openshift/multi-operator-manager v0.0.0-20250930141021-05cb0b9abdb4
 	github.com/prometheus/client_golang v1.22.0
 	github.com/prometheus/common v0.62.0
 	github.com/spf13/cobra v1.9.1
@@ -26,9 +27,13 @@ require (
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 )
 
+require k8s.io/cli-runtime v0.30.2
+
 require (
 	cel.dev/expr v0.24.0 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/PaesslerAG/gval v1.2.3 // indirect
+	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -76,6 +81,7 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect

diff --git a/go.sum b/go.sum
@@ -2,6 +2,12 @@ cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
+github.com/PaesslerAG/gval v1.2.3 h1:Z3B/zLyWvqxjUtkIOEkFauqLnQn8Q37F1Q+uAjLXgMw=
+github.com/PaesslerAG/gval v1.2.3/go.mod h1:XRFLwvmkTEdYziLdaCeCa5ImcGVrfQbeNUbVR+C6xac=
+github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
+github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk=
+github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -167,6 +173,8 @@ github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlp
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
 github.com/openshift/library-go v0.0.0-20251104164011-e9c2485b059c h1:fCvbOJjMSbJaDK53vBo2nCL0xpvqO2zuvFyJxI0HTgM=
 github.com/openshift/library-go v0.0.0-20251104164011-e9c2485b059c/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
+github.com/openshift/multi-operator-manager v0.0.0-20250930141021-05cb0b9abdb4 h1:OWsZlBMtkYhFrZJ9FzlvwIYs1N/JrPKTwyBk45TWLOU=
+github.com/openshift/multi-operator-manager v0.0.0-20250930141021-05cb0b9abdb4/go.mod h1:gzGgjkInMrsF0XNUpVYQDo0LS6ojxFfrg2DkQbJy9lI=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -190,6 +198,8 @@ github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfm
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
+github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
@@ -345,6 +355,8 @@ k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
 k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA=
 k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0=
+k8s.io/cli-runtime v0.30.2 h1:ooM40eEJusbgHNEqnHziN9ZpLN5U4WcQGsdLKVxpkKE=
+k8s.io/cli-runtime v0.30.2/go.mod h1:Y4g/2XezFyTATQUbvV5WaChoUGhojv/jZAtdp5Zkm0A=
 k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
 k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
 k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=

diff --git a/pkg/cmd/mom/apply_configuration_command.go b/pkg/cmd/mom/apply_configuration_command.go
@@ -0,0 +1,47 @@
+package mom
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/openshift/multi-operator-manager/pkg/library/libraryapplyconfiguration"
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+)
+
+func NewApplyConfigurationCommand(streams genericiooptions.IOStreams) *cobra.Command {
+	return libraryapplyconfiguration.NewApplyConfigurationCommand(RunApplyConfiguration, runOutputResources, streams)
+}
+
+func RunApplyConfiguration(ctx context.Context, input libraryapplyconfiguration.ApplyConfigurationInput) (*libraryapplyconfiguration.ApplyConfigurationRunResult, libraryapplyconfiguration.AllDesiredMutationsGetter, error) {
+	// TODO: Implement operator reconciliation logic
+	//
+	// The manifestclient (input.ManagementClient) is a drop-in replacement for standard k8s clients.
+	// Pass it to your operator and run sync logic ONCE (not in a loop).
+	//
+	// Implementation steps:
+	// 1. Create operator client using input.ManagementClient (manifestclient)
+	// 2. Create informers from the manifestclient
+	// 3. Initialize the operator with these clients
+	// 4. Run sync logic ONCE (not in a control loop)
+	// 5. Return the result
+	//
+	// Example pattern:
+	//   operatorClient, dynamicInformers, err := genericoperatorclient.NewStaticPodOperatorClient(...)
+	//   if err != nil { return nil, nil, err }
+	//
+	//   // Create controllers with manifestclient-based informers
+	//   // Run sync once (not Start())
+	//   // Return result
+	//
+	// Reference implementation:
+	//   github.com/openshift/cluster-authentication-operator/pkg/cmd/mom/apply_configuration_command.go
+	//
+	// Key considerations:
+	// - Use input.ManagementClient instead of real k8s client
+	// - Use input.ManagementEventRecorder for events
+	// - Run sync ONCE, not in a loop
+	// - The manifestclient reads from input directory and writes to output directory
+
+	return nil, nil, fmt.Errorf("apply-configuration not yet implemented - see TODO comments above for implementation guidance")
+}
diff --git a/pkg/cmd/mom/input_resources_command.go b/pkg/cmd/mom/input_resources_command.go
@@ -0,0 +1,138 @@
+package mom
+
+import (
+	"context"
+
+	"github.com/openshift/multi-operator-manager/pkg/library/libraryinputresources"
+	"github.com/openshift/multi-operator-manager/pkg/library/libraryoutputresources"
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+)
+
+func NewInputResourcesCommand(streams genericiooptions.IOStreams) *cobra.Command {
+	return libraryinputresources.NewInputResourcesCommand(runInputResources, runOutputResources, streams)
+}
+
+func runInputResources(ctx context.Context) (*libraryinputresources.InputResources, error) {
+	return &libraryinputresources.InputResources{
+		ApplyConfigurationResources: libraryinputresources.ResourceList{
+			ExactResources: []libraryinputresources.ExactResourceID{
+				// Operator CR
+				libraryinputresources.ExactLowLevelOperator("kubecontrollermanagers"),
+
+				// Config resources
+				libraryinputresources.ExactConfigResource("infrastructures"),
+				libraryinputresources.ExactConfigResource("networks"),
+				libraryinputresources.ExactConfigResource("featuregates"),
+				libraryinputresources.ExactConfigResource("nodes"),
+				libraryinputresources.ExactConfigResource("proxies"),
+				libraryinputresources.ExactConfigResource("apiservers"),
+				libraryinputresources.ExactConfigResource("clusterversions"),
+
+				// Namespaces
+				libraryinputresources.ExactNamespace("openshift-config"),
+				libraryinputresources.ExactNamespace("openshift-config-managed"),
+				libraryinputresources.ExactNamespace("openshift-kube-controller-manager"),
+				libraryinputresources.ExactNamespace("openshift-kube-controller-manager-operator"),
+				libraryinputresources.ExactNamespace("kube-system"),
+				libraryinputresources.ExactNamespace("openshift-infra"),
+
+				// ConfigMaps that may be synced or referenced
+				libraryinputresources.ExactConfigMap("openshift-config", "cloud-provider-config"),
+				libraryinputresources.ExactConfigMap("openshift-config-managed", "kube-controller-cert-syncer-kubeconfig"),
+				libraryinputresources.ExactConfigMap("kube-system", "cluster-config-v1"),
+
+				// Secrets that may be synced or referenced
+				libraryinputresources.ExactSecret("openshift-config", "cloud-credentials"),
+			},
+		},
+	}, nil
+}
+
+// runOutputResources is defined here to support the input-resources command
+// This is shared with output_resources_command.go
+func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputResources, error) {
+	return &libraryoutputresources.OutputResources{
+		ConfigurationResources: libraryoutputresources.ResourceList{
+			ExactResources: []libraryoutputresources.ExactResourceID{},
+		},
+		ManagementResources: libraryoutputresources.ResourceList{
+			ExactResources: []libraryoutputresources.ExactResourceID{
+				// ClusterOperator status
+				libraryoutputresources.ExactClusterOperator("kube-controller-manager"),
+
+				// Namespaces managed by the operator
+				libraryoutputresources.ExactNamespace("openshift-kube-controller-manager"),
+				libraryoutputresources.ExactNamespace("openshift-kube-controller-manager-operator"),
+				libraryoutputresources.ExactNamespace("openshift-infra"),
+
+				// Operator deployment and service
+				libraryoutputresources.ExactDeployment("openshift-kube-controller-manager-operator", "kube-controller-manager-operator"),
+				libraryoutputresources.ExactService("openshift-kube-controller-manager-operator", "kube-controller-manager-operator"),
+				libraryoutputresources.ExactServiceAccount("openshift-kube-controller-manager-operator", "kube-controller-manager-operator"),
+
+				// Static pod resources in target namespace
+				libraryoutputresources.ExactService("openshift-kube-controller-manager", "kube-controller-manager"),
+				libraryoutputresources.ExactServiceAccount("openshift-kube-controller-manager", "kube-controller-manager"),
+				libraryoutputresources.ExactServiceAccount("openshift-kube-controller-manager", "localhost-recovery-client"),
+				libraryoutputresources.ExactServiceAccount("openshift-kube-controller-manager", "kube-controller-manager-sa"),
+
+				// ConfigMaps
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "config"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "kube-controller-manager-pod"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "cluster-policy-controller-config"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "controller-manager-kubeconfig"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "kube-controller-cert-syncer-kubeconfig"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "serviceaccount-ca"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "service-ca"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "recycler-config"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "trusted-ca-bundle"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "aggregator-client-ca"),
+				libraryoutputresources.ExactConfigMap("openshift-kube-controller-manager", "client-ca"),
+
+				// Secrets
+				libraryoutputresources.ExactSecret("openshift-kube-controller-manager", "service-account-private-key"),
+				libraryoutputresources.ExactSecret("openshift-kube-controller-manager", "serving-cert"),
+				libraryoutputresources.ExactSecret("openshift-kube-controller-manager", "localhost-recovery-client-token"),
+				libraryoutputresources.ExactSecret("openshift-kube-controller-manager", "kube-controller-manager-client-cert-key"),
+				libraryoutputresources.ExactSecret("openshift-kube-controller-manager", "csr-signer"),
+
+				// Roles and RoleBindings in target namespace
+				libraryoutputresources.ExactRole("kube-system", "system:openshift:controller:cluster-policy-controller"),
+				libraryoutputresources.ExactRoleBinding("kube-system", "system:openshift:controller:cluster-policy-controller"),
+
+				// PodDisruptionBudget
+				libraryoutputresources.ExactPDB("openshift-kube-controller-manager-operator", "kube-controller-manager-operator"),
+			},
+			EventingNamespaces: []string{
+				"openshift-kube-controller-manager",
+				"openshift-kube-controller-manager-operator",
+			},
+		},
+		UserWorkloadResources: libraryoutputresources.ResourceList{
+			ExactResources: []libraryoutputresources.ExactResourceID{
+				// CSR-related resources
+				libraryoutputresources.ExactClusterRole("system:openshift:controller:cluster-csr-approver"),
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:controller:cluster-csr-approver"),
+
+				// Namespace security allocation controller
+				libraryoutputresources.ExactClusterRole("system:openshift:controller:namespace-security-allocation-controller"),
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:controller:namespace-security-allocation-controller"),
+
+				// PodSecurity admission label syncer controller
+				libraryoutputresources.ExactClusterRole("system:openshift:controller:podsecurity-admission-label-syncer-controller"),
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:controller:podsecurity-admission-label-syncer-controller"),
+
+				// PodSecurity admission label privileged namespaces syncer controller
+				libraryoutputresources.ExactClusterRole("system:openshift:controller:podsecurity-admission-label-privileged-namespaces-syncer-controller"),
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:controller:podsecurity-admission-label-privileged-namespaces-syncer-controller"),
+
+				// Localhost recovery
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:operator:kube-controller-manager-recovery"),
+
+				// Operator RBAC
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:operator:kube-controller-manager-operator"),
+			},
+		},
+	}, nil
+}
diff --git a/pkg/cmd/mom/output_resources_command.go b/pkg/cmd/mom/output_resources_command.go
@@ -0,0 +1,11 @@
+package mom
+
+import (
+	"github.com/openshift/multi-operator-manager/pkg/library/libraryoutputresources"
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+)
+
+func NewOutputResourcesCommand(streams genericiooptions.IOStreams) *cobra.Command {
+	return libraryoutputresources.NewOutputResourcesCommand(runOutputResources, streams)
+}
diff --git a/vendor/github.com/PaesslerAG/gval/.gitignore b/vendor/github.com/PaesslerAG/gval/.gitignore
diff --git a/vendor/github.com/PaesslerAG/gval/.travis.yml b/vendor/github.com/PaesslerAG/gval/.travis.yml
diff --git a/vendor/github.com/PaesslerAG/gval/LICENSE b/vendor/github.com/PaesslerAG/gval/LICENSE