openshift
diff --git a/‎cmd/operator-controller/main.go‎
Lines changed: 4 additions & 2 deletions b/‎cmd/operator-controller/main.go‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎commitchecker.yaml‎
Lines changed: 1 addition & 1 deletion b/‎commitchecker.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/draft/howto/single-ownnamespace-install.md‎
Lines changed: 105 additions & 0 deletions b/‎docs/draft/howto/single-ownnamespace-install.md‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 4 deletions b/‎go.sum‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎hack/demo/generate-asciidemo.sh‎
Lines changed: 1 addition & 1 deletion b/‎hack/demo/generate-asciidemo.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎hack/demo/own-namespace-demo.sh‎
Lines changed: 43 additions & 0 deletions b/‎hack/demo/own-namespace-demo.sh‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎hack/demo/resources/own-namespace-demo.yaml‎
Lines changed: 16 additions & 0 deletions b/‎hack/demo/resources/own-namespace-demo.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎hack/demo/resources/single-namespace-demo.yaml‎
Lines changed: 16 additions & 0 deletions b/‎hack/demo/resources/single-namespace-demo.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎hack/demo/single-own-namespace.sh‎
Lines changed: 46 additions & 0 deletions b/‎hack/demo/single-own-namespace.sh‎
Lines changed: 46 additions & 0 deletions
@@ -65,6 +65,7 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/finalizers"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/resolve"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/scheme"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
@@ -407,8 +408,9 @@ func run() error {
 	}
 
 	helmApplier := &applier.Helm{
-		ActionClientGetter: acg,
-		Preflights:         preflights,
+		ActionClientGetter:  acg,
+		Preflights:          preflights,
+		BundleToHelmChartFn: convert.RegistryV1ToHelmChart,
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
 
@@ -1,4 +1,4 @@
-expectedMergeBase: 1573846c2525313a388666f54b7ca73097252893
+expectedMergeBase: a6de9f94e085989a086459f2b5325a5cd27424b0
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller
@@ -0,0 +1,105 @@
+## Description
+
+!!! note
+This feature is still in *alpha* the `SingleOwnNamespaceInstallSupport` feature-gate must be enabled to make use of it.
+See the instructions below on how to enable it.
+
+---
+
+A component of OLMv0's multi-tenancy feature is its support of four [*installModes*](https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/#targetnamespaces-and-their-relationship-to-installmodes):
+for operator installation:
+
+ - *OwnNamespace*: If supported, the operator can be configured to watch for events in the namespace it is deployed in.
+ - *SingleNamespace*: If supported, the operator can be configured to watch for events in a single namespace that the operator is not deployed in.
+ - *MultiNamespace*: If supported, the operator can be configured to watch for events in more than one namespace.
+ - *AllNamespaces*: If supported, the operator can be configured to watch for events in all namespaces.
+
+OLMv1 will not attempt multi-tenancy (see [design decisions document](../../project/olmv1_design_decisions.md)) and will think of operators
+as globally installed, i.e. in OLMv0 parlance, as installed in *AllNamespaces* mode. However, there are operators that
+were intended only for the *SingleNamespace* and *OwnNamespace* install modes. In order to make these operators installable in v1 while they
+transition to the new model, v1 is adding support for these two new *installModes*. It should be noted that, in line with v1's no multi-tenancy policy,
+users will not be able to install the same operator multiple times, and that in future iterations of the registry bundle format will not
+include *installModes*.
+
+## Demos
+
+### SingleNamespace Install
+
+[![SingleNamespace Install Demo](https://asciinema.org/a/w1IW0xWi1S9cKQFb9jnR07mgh.svg)](https://asciinema.org/a/w1IW0xWi1S9cKQFb9jnR07mgh)
+
+### OwnNamespace Install
+
+[![OwnNamespace Install Demo](https://asciinema.org/a/Rxx6WUwAU016bXFDW74XLcM5i.svg)](https://asciinema.org/a/Rxx6WUwAU016bXFDW74XLcM5i)
+
+## Enabling the Feature-Gate
+
+!!! tip
+
+This guide assumes OLMv1 is already installed. If that is not the case,
+you can follow the [getting started](../../getting-started/olmv1_getting_started.md) guide to install OLMv1.
+
+---
+
+Patch the `operator-controller` `Deployment` adding `--feature-gates=SingleOwnNamespaceInstallSupport=true` to the
+controller container arguments:
+
+```terminal title="Enable SingleOwnNamespaceInstallSupport feature-gate"
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]'
+```
+
+Wait for `Deployment` rollout:
+
+```terminal title="Wait for Deployment rollout"
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+```
+
+## Configuring the `ClusterExtension`
+
+A `ClusterExtension` can be configured to install bundle in `Single-` or `OwnNamespace` mode through the
+`olm.operatorframework.io/watch-namespace: <namespace>` annotation. The *installMode* is inferred in the following way:
+
+ - *AllNamespaces*: `<namespace>` is empty, or the annotation is not present
+ - *OwnNamespace*: `<namespace>` is the install namespace (i.e. `.spec.namespace`)
+ - *SingleNamespace*: `<namespace>` not the install namespace
+
+### Examples
+
+``` terminal title="SingleNamespace install mode example"
+kubectl apply -f - <<EOF
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: argocd
+  annotations:
+    olm.operatorframework.io/watch-namespace: argocd-watch
+spec:
+  namespace: argocd
+  serviceAccount:
+    name: argocd-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: argocd-operator
+      version: 0.2.1 # Update to version 0.2.1
+    EOF
+```
+
+``` terminal title="OwnNamespace install mode example"
+kubectl apply -f - <<EOF
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: argocd
+  annotations:
+    olm.operatorframework.io/watch-namespace: argocd
+spec:
+  namespace: argocd
+  serviceAccount:
+    name: argocd-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: argocd-operator
+      version: 0.2.1 # Update to version 0.2.1
+    EOF
+```
@@ -7,7 +7,7 @@ require (
 	github.com/BurntSushi/toml v1.4.0
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/blang/semver/v4 v4.0.0
-	github.com/containerd/containerd v1.7.25
+	github.com/containerd/containerd v1.7.26
 	github.com/containers/image/v5 v5.33.1
 	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-logr/logr v1.4.2
@@ -70,7 +70,7 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/containerd/ttrpc v1.2.5 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.0 // indirect
 	github.com/containers/common v0.61.0 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 
@@ -87,8 +87,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.25 h1:khEQOAXOEJalRO228yzVsuASLH42vT7DIo9Ss+9SMFQ=
-github.com/containerd/containerd v1.7.25/go.mod h1:tWfHzVI0azhw4CT2vaIjsb2CoV4LJ9PrMPaULAr21Ok=
+github.com/containerd/containerd v1.7.26 h1:3cs8K2RHlMQaPifLqgRyI4VBkoldNdEw62cb7qQga7k=
+github.com/containerd/containerd v1.7.26/go.mod h1:m4JU0E+h0ebbo9yXD7Hyt+sWnc8tChm7MudCjj4jRvQ=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
@@ -103,8 +103,8 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
-github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU=
-github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
+github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
 github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso=
 github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
 github.com/containers/common v0.61.0 h1:j/84PTqZIKKYy42OEJsZmjZ4g4Kq2ERuC3tqp2yWdh4=
 
@@ -3,6 +3,7 @@
 trap cleanup SIGINT SIGTERM EXIT
 
 SCRIPTPATH="$( cd -- "$(dirname "$0")" > /dev/null 2>&1 ; pwd -P )"
+export DEMO_RESOURCE_DIR="${SCRIPTPATH}/resources"
 
 check_prereq() {
     prog=$1
@@ -80,7 +81,6 @@ for prereq in "asciinema curl"; do
     check_prereq ${prereq}
 done
 
-
 curl https://raw.githubusercontent.com/zechris/asciinema-rec_script/main/bin/asciinema-rec_script -o ${WKDIR}/asciinema-rec_script
 chmod +x ${WKDIR}/asciinema-rec_script
 screencast=${WKDIR}/${DEMO_NAME}.cast ${WKDIR}/asciinema-rec_script ${SCRIPTPATH}/${DEMO_SCRIPT}
 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+#
+# Welcome to the OwnNamespace install mode demo
+#
+trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+
+# enable 'SingleOwnNamespaceInstallSupport' feature gate
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]'
+
+# wait for operator-controller to become available
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+# create install namespace
+kubectl create ns argocd-system
+
+# create installer service account
+kubectl create serviceaccount -n argocd-system argocd-installer
+
+# give installer service account admin privileges (not for production environments)
+kubectl create clusterrolebinding argocd-installer-crb --clusterrole=cluster-admin --serviceaccount=argocd-system:argocd-installer
+
+# install cluster extension in own namespace install mode (watch-namespace == install namespace == argocd-system)
+cat ${DEMO_RESOURCE_DIR}/own-namespace-demo.yaml
+
+# apply cluster extension
+kubectl apply -f ${DEMO_RESOURCE_DIR}/own-namespace-demo.yaml
+
+# wait for cluster extension installation to succeed
+kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s"
+
+# check argocd-operator controller deployment pod template olm.targetNamespaces annotation
+kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.metadata.annotations.olm\.targetNamespaces}"
+
+# check for argocd-operator rbac in watch namespace
+kubectl get roles,rolebindings -n argocd-system -o name
+
+# get controller service-account name
+kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.spec.serviceAccount}"
+
+# check service account for role binding is the same as controller service-account
+rolebinding=$(kubectl get rolebindings -n argocd-system -o name | grep 'argocd-operator' | head -n 1)
+kubectl get -n argocd-system $rolebinding -o jsonpath='{.subjects}' | jq .[0]
@@ -0,0 +1,16 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: argocd-operator
+  annotations:
+    # watch namespace is the same as intall namespace
+    olm.operatorframework.io/watch-namespace: argocd-system
+spec:
+  namespace: argocd-system
+  serviceAccount:
+    name: argocd-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: argocd-operator
+      version: 0.6.0
@@ -0,0 +1,16 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: argocd-operator
+  annotations:
+    # watch-namespace is different from install namespace
+    olm.operatorframework.io/watch-namespace: argocd
+spec:
+  namespace: argocd-system
+  serviceAccount:
+    name: argocd-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: argocd-operator
+      version: 0.6.0
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+#
+# Welcome to the SingleNamespace install mode demo
+#
+trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+
+# enable 'SingleOwnNamespaceInstallSupport' feature gate
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]'
+
+# wait for operator-controller to become available
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+# create install namespace
+kubectl create ns argocd-system
+
+# create installer service account
+kubectl create serviceaccount -n argocd-system argocd-installer
+
+# give installer service account admin privileges (not for production environments)
+kubectl create clusterrolebinding argocd-installer-crb --clusterrole=cluster-admin --serviceaccount=argocd-system:argocd-installer
+
+# create watch namespace
+kubectl create namespace argocd
+
+# install cluster extension in single namespace install mode (watch namespace != install namespace)
+cat ${DEMO_RESOURCE_DIR}/single-namespace-demo.yaml
+
+# apply cluster extension
+kubectl apply -f ${DEMO_RESOURCE_DIR}/single-namespace-demo.yaml
+
+# wait for cluster extension installation to succeed
+kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s"
+
+# check argocd-operator controller deployment pod template olm.targetNamespaces annotation
+kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.metadata.annotations.olm\.targetNamespaces}"
+
+# check for argocd-operator rbac in watch namespace
+kubectl get roles,rolebindings -n argocd -o name
+
+# get controller service-account name
+kubectl get deployments -n argocd-system argocd-operator-controller-manager -o jsonpath="{.spec.template.spec.serviceAccount}"
+
+# check service account for role binding is the controller deployment service account
+rolebinding=$(kubectl get rolebindings -n argocd -o name | grep 'argocd-operator' | head -n 1)
+kubectl get -n argocd $rolebinding -o jsonpath='{.subjects}' | jq .[0]