Merge pull request #356 from openshift-bot/synchronize-upstream

NO-ISSUE: Synchronize From Upstream Repositories

Author: openshift-merge-bot[bot]

codecov.yml

@@ -10,6 +10,10 @@ coverage:
       default:
         target: auto
         threshold: 2%
+    patch:
+      default:
+        target: auto
+        threshold: 1%
   paths:
     - "api/"
     - "cmd/"

commitchecker.yaml

@@ -1,4 +1,4 @@
-expectedMergeBase: f5dc9a98ae9939e9706b813fa1b45faf74688d2b
+expectedMergeBase: 532c306780513a0e5ffb2d96a9eca0b882cc5a7d
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

docs/draft/api-reference/network-policies.md

@@ -0,0 +1,94 @@
+# NetworkPolicy in OLMv1
+
+## Overview
+
+OLMv1 uses [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to secure communication between components, restricting network traffic to only what's necessary for proper functionality. 
+
+* The catalogd NetworkPolicy is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/catalogd/manager/network_policy.yaml).
+* The operator-controller is implemented [here](https://github.com/operator-framework/operator-controller/blob/main/config/base/operator-controller/manager/network_policy.yaml).
+
+This document explains the details of `NetworkPolicy` implementation for the core components.
+
+
+## Implementation Overview
+
+NetworkPolicy is implemented for both catalogd and operator-controller components to:
+
+* Restrict incoming (ingress) traffic to only required ports and services
+* Control outgoing (egress) traffic patterns
+
+Each component has a dedicated NetworkPolicy that applies to its respective pod through label selectors:
+
+* For catalogd: `control-plane=catalogd-controller-manager`
+* For operator-controller: `control-plane=operator-controller-controller-manager`
+
+### Catalogd NetworkPolicy
+
+- Ingress Rules
+Catalogd exposes three services, and its NetworkPolicy allows ingress traffic to the following TCP ports:
+
+* 7443: Metrics server for Prometheus metrics
+* 8443: Catalogd HTTPS server for catalog metadata API
+* 9443: Webhook server for Mutating Admission Webhook implementation
+
+All other ingress traffic to the catalogd pod is blocked.
+
+- Egress Rules
+Catalogd needs to communicate with:
+
+* The Kubernetes API server
+* Image registries specified in ClusterCatalog objects
+
+Currently, all egress traffic from catalogd is allowed, to support communication with arbitrary image registries that aren't known at install time.
+
+### Operator-Controller NetworkPolicy
+
+- Ingress Rules
+Operator-controller exposes one service, and its NetworkPolicy allows ingress traffic to:
+
+* 8443: Metrics server for Prometheus metrics
+
+All other ingress traffic to the operator-controller pod is blocked.
+
+- Egress Rules
+Operator-controller needs to communicate with:
+
+* The Kubernetes API server
+* Catalogd's HTTPS server (on port 8443)
+* Image registries specified in bundle metadata
+
+Currently, all egress traffic from operator-controller is allowed to support communication with arbitrary image registries that aren't known at install time.
+
+## Security Considerations
+
+The current implementation focuses on securing ingress traffic while allowing all egress traffic. This approach:
+
+* Prevents unauthorized incoming connections
+* Allows communication with arbitrary image registries
+* Establishes a foundation for future refinements to egress rules
+
+While allowing all egress does present some security risks, this implementation provides significant security improvements over having no network policies at all.
+
+## Troubleshooting Network Issues
+
+If you encounter network connectivity issues after deploying OLMv1, consider the following:
+
+* Verify NetworkPolicy support: Ensure your cluster has a CNI plugin that supports NetworkPolicy. If your Kubernetes cluster is using a Container Network Interface (CNI) plugin that doesn't support NetworkPolicy, then the NetworkPolicy resources you create will be completely ignored and have no effect whatsoever on traffic flow.
+* Check pod labels: Confirm that catalogd and operator-controller pods have the correct labels for NetworkPolicy selection:
+
+```bash
+# Verify catalogd pod labels
+kubectl get pods -n olmv1-system --selector=control-plane=catalogd-controller-manager
+
+# Verify operator-controller pod labels
+kubectl get pods -n olmv1-system --selector=control-plane=operator-controller-controller-manager
+
+# Compare with actual pod names
+kubectl get pods -n olmv1-system | grep -E 'catalogd|operator-controller'
+```
+* Inspect logs: Check component logs for connection errors
+
+For more comprehensive information on NetworkPolicy, see: 
+
+- How NetworkPolicy is implemented with [network plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) via the Container Network Interface (CNI)
+- Installing [Network Policy Providers](https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/) documentation.

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11
 	github.com/operator-framework/api v0.31.0
 	github.com/operator-framework/helm-operator-plugins v0.8.0
-	github.com/operator-framework/operator-registry v1.54.0
+	github.com/operator-framework/operator-registry v1.55.0
 	github.com/prometheus/client_golang v1.22.0
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
@@ -235,7 +235,7 @@ require (
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34 // indirect
-	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

go.sum

@@ -406,8 +406,8 @@ github.com/operator-framework/helm-operator-plugins v0.8.0 h1:0f6HOQC5likkf0b/Ov
 github.com/operator-framework/helm-operator-plugins v0.8.0/go.mod h1:Sc+8bE38xTCgCChBUvtq/PxatEg9fAypr7S5iAw8nlA=
 github.com/operator-framework/operator-lib v0.17.0 h1:cbz51wZ9+GpWR1ZYP4CSKSSBxDlWxmmnseaHVZZjZt4=
 github.com/operator-framework/operator-lib v0.17.0/go.mod h1:TGopBxIE8L6E/Cojzo26R3NFp1eNlqhQNmzqhOblaLw=
-github.com/operator-framework/operator-registry v1.54.0 h1:/OGQnBlfVQglq8VzGJPIkqWMXOVSo+eu7owCgOqoBpU=
-github.com/operator-framework/operator-registry v1.54.0/go.mod h1:ll5r97EB+V2rVA58rdj8Hxmbo/osnw3f6D4Xq6bpWcE=
+github.com/operator-framework/operator-registry v1.55.0 h1:iXlv53fYyg2VtLqSDEalXD72/5Uzc7Rfx17j35+8plA=
+github.com/operator-framework/operator-registry v1.55.0/go.mod h1:8htDRYKWZ6UWjGMXbBdwwHefsJknodOiGLnpjxgAflw=
 github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
 github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
 github.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=
@@ -742,8 +742,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
-google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -807,8 +807,8 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
 oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
-oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c=
-oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg=
+oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
+oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1 h1:uOuSLOMBWkJH0TWa9X6l+mj5nZdm6Ay6Bli8HL8rNfk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=

test/e2e/cluster_extension_install_test.go

@@ -377,12 +377,6 @@ func TestClusterExtensionInstallRegistry(t *testing.T) {
 					assert.NotEmpty(ct, clusterExtension.Status.Install.Bundle)
 				}
 			}, pollDuration, pollInterval)
-
-			t.Log("By verifying that no templating occurs for registry+v1 bundle manifests")
-			cm := corev1.ConfigMap{}
-			require.NoError(t, c.Get(context.Background(), types.NamespacedName{Namespace: ns.Name, Name: "test-configmap"}, &cm))
-			require.Contains(t, cm.Annotations, "shouldNotTemplate")
-			require.Contains(t, cm.Annotations["shouldNotTemplate"], "{{ $labels.namespace }}")
 		})
 	}
 }
@@ -718,7 +712,7 @@ func TestClusterExtensionInstallReResolvesWhenCatalogIsPatched(t *testing.T) {
 
 	// patch imageRef tag on test-catalog image with v2 image
 	t.Log("By patching the catalog ImageRef to point to the v2 catalog")
-	updatedCatalogImage := fmt.Sprintf("%s/test-catalog:v2", os.Getenv("LOCAL_REGISTRY_HOST"))
+	updatedCatalogImage := fmt.Sprintf("%s/e2e/test-catalog:v2", os.Getenv("LOCAL_REGISTRY_HOST"))
 	err := patchTestCatalog(context.Background(), testCatalogName, updatedCatalogImage)
 	require.NoError(t, err)
 	require.EventuallyWithT(t, func(ct *assert.CollectT) {
@@ -730,15 +724,23 @@ func TestClusterExtensionInstallReResolvesWhenCatalogIsPatched(t *testing.T) {
 		}
 	}, pollDuration, pollInterval)
 
-	t.Log("By eventually reporting a successful resolution and bundle path")
+	t.Log("By eventually installing the package successfully")
 	require.EventuallyWithT(t, func(ct *assert.CollectT) {
 		assert.NoError(ct, c.Get(context.Background(), types.NamespacedName{Name: clusterExtension.Name}, clusterExtension))
-		cond := apimeta.FindStatusCondition(clusterExtension.Status.Conditions, ocv1.TypeProgressing)
+		cond := apimeta.FindStatusCondition(clusterExtension.Status.Conditions, ocv1.TypeInstalled)
 		if assert.NotNil(ct, cond) {
 			assert.Equal(ct, metav1.ConditionTrue, cond.Status)
 			assert.Equal(ct, ocv1.ReasonSucceeded, cond.Reason)
+			assert.Contains(ct, cond.Message, "Installed bundle")
+			assert.Contains(ct, clusterExtension.Status.Install.Bundle.Version, "2.0.0")
 		}
 	}, pollDuration, pollInterval)
+
+	t.Log("By verifying that no templating occurs for registry+v1 bundle manifests")
+	cm := corev1.ConfigMap{}
+	require.NoError(t, c.Get(context.Background(), types.NamespacedName{Namespace: ns.Name, Name: "test-configmap"}, &cm))
+	require.Contains(t, cm.Annotations, "shouldNotTemplate")
+	require.Contains(t, cm.Annotations["shouldNotTemplate"], "{{ $labels.namespace }}")
 }
 
 func TestClusterExtensionInstallReResolvesWhenNewCatalog(t *testing.T) {

testdata/images/bundles/test-operator/v1.0.0/manifests/bundle.configmap.yaml

@@ -2,11 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: test-configmap
-  annotations:
-    shouldNotTemplate: >
-      The namespace is {{ $labels.namespace }}. The templated
-      $labels.namespace is NOT expected to be processed by OLM's
-      rendering engine for registry+v1 bundles.
 data:
   version: "v1.0.0"
   name: "test-configmap"

testdata/images/bundles/test-operator/v2.0.0/manifests/bundle.configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-configmap
+  annotations:
+    shouldNotTemplate: >
+      The namespace is {{ $labels.namespace }}. The templated
+      $labels.namespace is NOT expected to be processed by OLM's
+      rendering engine for registry+v1 bundles.
+data:
+  version: "v2.0.0"
+  name: "test-configmap"

testdata/images/bundles/test-operator/v2.0.0/manifests/olm.operatorframework.com_olme2etest.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: olme2etests.olm.operatorframework.io
+spec:
+  group: olm.operatorframework.io
+  names:
+    kind: OLME2ETest
+    listKind: OLME2ETestList
+    plural: olme2etests
+    singular: olme2etest
+  scope: Cluster
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                testField:
+                  type: string