diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk index f45005fe96..926b0ca2a9 100644 --- a/.bingo/Variables.mk +++ b/.bingo/Variables.mk @@ -53,6 +53,12 @@ $(GORELEASER): $(BINGO_DIR)/goreleaser.mod @echo "(re)installing $(GOBIN)/goreleaser-v1.26.2" @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=goreleaser.mod -o=$(GOBIN)/goreleaser-v1.26.2 "github.com/goreleaser/goreleaser" +HELM := $(GOBIN)/helm-v3.18.4 +$(HELM): $(BINGO_DIR)/helm.mod + @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. + @echo "(re)installing $(GOBIN)/helm-v3.18.4" + @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=helm.mod -o=$(GOBIN)/helm-v3.18.4 "helm.sh/helm/v3/cmd/helm" + KIND := $(GOBIN)/kind-v0.29.0 $(KIND): $(BINGO_DIR)/kind.mod @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. diff --git a/.bingo/helm.mod b/.bingo/helm.mod new file mode 100644 index 0000000000..5c54ed4210 --- /dev/null +++ b/.bingo/helm.mod @@ -0,0 +1,5 @@ +module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT + +go 1.24.3 + +require helm.sh/helm/v3 v3.18.4 // cmd/helm diff --git a/.bingo/helm.sum b/.bingo/helm.sum new file mode 100644 index 0000000000..4477f0392d --- /dev/null +++ b/.bingo/helm.sum 
@@ -0,0 +1,303 @@ +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= +github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= +github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= +github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= +github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE= +github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= 
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= +github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= +github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= +github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 
h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod 
h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 
h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= +github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= +github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod 
h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.12/go.mod 
h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 
h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o= +github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= +github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= +github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod 
h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= +golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= +golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= +golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= +golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= +golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= +golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= +golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod 
h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= +google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= +google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ= +helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI= +k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY= +k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs= +k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8= +k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8= +k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY= +k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= +k8s.io/apiserver v0.33.2 h1:KGTRbxn2wJagJowo29kKBp4TchpO1DRO3g+dB/KOJN4= +k8s.io/apiserver v0.33.2/go.mod h1:9qday04wEAMLPWWo9AwqCZSiIn3OYSZacDyu/AcoM/M= 
+k8s.io/cli-runtime v0.33.2 h1:koNYQKSDdq5AExa/RDudXMhhtFasEg48KLS2KSAU74Y= +k8s.io/cli-runtime v0.33.2/go.mod h1:gnhsAWpovqf1Zj5YRRBBU7PFsRc6NkEkwYNQE+mXL88= +k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E= +k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo= +k8s.io/component-base v0.33.2 h1:sCCsn9s/dG3ZrQTX/Us0/Sx2R0G5kwa0wbZFYoVp/+0= +k8s.io/component-base v0.33.2/go.mod h1:/41uw9wKzuelhN+u+/C59ixxf4tYQKW7p32ddkYNe2k= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= +k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y= +k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= +oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= +sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= +sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= +sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= +sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= +sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod 
h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= +sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/.bingo/variables.env b/.bingo/variables.env index 4c3be1e529..4b2163cdb5 100644 --- a/.bingo/variables.env +++ b/.bingo/variables.env @@ -20,6 +20,8 @@ GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6" GORELEASER="${GOBIN}/goreleaser-v1.26.2" +HELM="${GOBIN}/helm-v3.18.4" + KIND="${GOBIN}/kind-v0.29.0" KUSTOMIZE="${GOBIN}/kustomize-v5.6.0" diff --git a/.tilt-support b/.tilt-support index 858ad3ef0b..9cb01b1526 100644 --- a/.tilt-support +++ b/.tilt-support @@ -150,4 +150,4 @@ def deploy_repo(data, tags="", debug=True): local_port = repo['starting_debug_port'] build_binary(reponame, repo['binary'], repo['deps'], repo['image'], tags, debug) k8s_resource(repo['deployment'], port_forwards=['{}:30000'.format(local_port)]) - process_yaml(kustomize(data['yaml'])) + process_yaml(helm('helm/olmv1', name="olmv1", values=[data['yaml']])) diff --git a/Makefile b/Makefile index d0cf6051e1..47fbbddfaf 100644 --- a/Makefile +++ b/Makefile 
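Review bot: The new `helm()` call renders the chart with only `data['yaml']` as a values file, whereas the Makefile's `manifests` target layers `helm/cert-manager.yaml` under every variant it renders, so the Tilt deployment will lack whatever that file enables unless `helm/tilt.yaml` (smoke-rendered by the Makefile but not shown here) carries equivalent settings. The call also omits `namespace=`, so any template that reads `.Release.Namespace` — ServiceAccount subjects in ClusterRoleBindings or webhook `clientConfig.service` references, if the chart relies on it — will be rendered for Tilt's default namespace rather than the one the replaced kustomize overlay pinned; that is inferred, and worth confirming against the chart templates, which are not in this diff. Note too that every `repo['yaml']` entry consumed by this function must now be a values file rather than a kustomize directory, which this hunk cannot show. If the chart does depend on the release namespace, pin it explicitly: `process_yaml(helm('helm/olmv1', name="olmv1", namespace=<namespace the overlay used>, values=[data['yaml']]))`. deploy_repo begins before this hunk.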
@@ -141,30 +141,21 @@ tidy: go mod tidy .PHONY: manifests -KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac -KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook -KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac +KUSTOMIZE_CATD_RBAC_DIR := helm/olmv1/base/catalogd/rbac +KUSTOMIZE_CATD_WEBHOOKS_DIR := helm/olmv1/base/catalogd/webhook +KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files # So we have to generate them together and then move them into place -manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. +manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. # Generate CRDs via our own generator hack/tools/update-crds.sh - # Generate the remaining operator-controller standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard - # Generate the remaining operator-controller experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental - # Generate the remaining catalogd standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." 
output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard - # Generate the remaining catalogd experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - $(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST) - $(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_E2E_OVERLAY) > $(STANDARD_E2E_MANIFEST) - $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST) - $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml > $(STANDARD_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/tilt.yaml > /dev/null .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. 
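Review bot: The rewritten `manifests` target no longer runs any `$(CONTROLLER_GEN) ... rbac:roleName=manager-role` or `webhook` invocation, so the ClusterRole and webhook manifests are no longer regenerated from the kubebuilder markers under `./internal/operator-controller/...` and `./internal/catalogd/...`; the three `KUSTOMIZE_*_DIR` variables are re-pointed at `helm/olmv1/base/...` but nothing left in this hunk reads them. If the RBAC rules are now hand-maintained in the chart, the granted permissions can drift from what the controllers actually need and no `make manifests` run will surface it, which is the kind of drift that usually ends in an over-broad ClusterRole. Either restore the generator calls with their output directed into the chart's base directories, or state the new source of truth next to the target, e.g. `# RBAC and webhook manifests are maintained in the chart; controller-gen rbac/webhook markers are no longer rendered here`, and drop the unused `KUSTOMIZE_*_DIR` variables if no other target uses them (the rest of the Makefile is outside this hunk).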
@@ -284,7 +275,7 @@ test-experimental-e2e: run image-registry prometheus experimental-e2e e2e e2e-co .PHONY: prometheus prometheus: PROMETHEUS_NAMESPACE := olmv1-system prometheus: PROMETHEUS_VERSION := v0.83.0 -prometheus: #EXHELP Deploy Prometheus into specified namespace +prometheus: $(KUSTOMIZE) #EXHELP Deploy Prometheus into specified namespace ./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION) .PHONY: test-extension-developer-e2e diff --git a/Tiltfile b/Tiltfile index 622d7aae6f..d736b8f94d 100644 --- a/Tiltfile +++ b/Tiltfile @@ -17,7 +17,7 @@ olmv1 = { 'starting_debug_port': 30000, }, }, - 'yaml': 'config/overlays/tilt-local-dev', + 'yaml': 'helm/tilt.yaml', } deploy_repo(olmv1, '-tags containers_image_openpgp') diff --git a/docs/draft/api-reference/network-policies.md b/docs/draft/api-reference/network-policies.md index 9f36eaae1b..82afe8e2c4 100644 --- a/docs/draft/api-reference/network-policies.md +++ b/docs/draft/api-reference/network-policies.md @@ -19,8 +19,8 @@ NetworkPolicy is implemented for both catalogd and operator-controller component Each component has a dedicated NetworkPolicy that applies to its respective pod through label selectors: -* For catalogd: `control-plane=catalogd-controller-manager` -* For operator-controller: `control-plane=operator-controller-controller-manager` +* For catalogd: `app.kubernetes.io/name=catalogd` +* For operator-controller: `app.kubernetes.io/name=operator-controller` ### Catalogd NetworkPolicy 
@@ -78,10 +78,10 @@ If you encounter network connectivity issues after deploying OLMv1, consider the ```bash # Verify catalogd pod labels -kubectl get pods -n olmv1-system --selector=control-plane=catalogd-controller-manager +kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=catalogd # Verify operator-controller pod labels -kubectl get pods -n olmv1-system --selector=control-plane=operator-controller-controller-manager +kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=operator-controller # Compare with actual pod names kubectl get pods -n olmv1-system | grep -E 'catalogd|operator-controller' diff --git a/docs/draft/howto/consuming-metrics.md b/docs/draft/howto/consuming-metrics.md index 3cae15bb09..ccefbee6c2 100644 --- a/docs/draft/howto/consuming-metrics.md +++ b/docs/draft/howto/consuming-metrics.md @@ -226,7 +226,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: operator-controller-controller-manager + apps.kubernetes.io/name: operator-controller name: controller-manager-metrics-monitor namespace: olmv1-system spec: @@ -251,7 +251,7 @@ spec: key: tls.key selector: matchLabels: - control-plane: operator-controller-controller-manager + apps.kubernetes.io/name: operator-controller EOF ``` @@ -268,7 +268,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: catalogd-controller-manager + apps.kubernetes.io/name: catalogd name: catalogd-metrics-monitor namespace: olmv1-system spec: @@ -298,4 +298,4 @@ EOF ``` [prometheus-operator]: https://github.com/prometheus-operator/kube-prometheus -[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ \ No newline at end of file +[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ diff --git a/docs/draft/howto/enable-helm-chart-support.md b/docs/draft/howto/enable-helm-chart-support.md index 1a528fcf9d..44d083707c 100644 
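Review bot: The selector key is spelled two different ways in the same file: the first hunk of network-policies.md documents `app.kubernetes.io/name=catalogd`, while the troubleshooting commands in this hunk use `apps.kubernetes.io/name=catalogd`, and only one of those keys can match the pods. The `apps.kubernetes.io/name` form is also what consuming-metrics.md, enable-helm-chart-support.md and profiling_with_pprof.md now use, and a ServiceMonitor whose `selector.matchLabels` carries the wrong key silently scrapes nothing rather than failing. The recommended Kubernetes label is `app.kubernetes.io/name`; the chart's pod labels are not visible in this diff, so verify against the rendered Deployment and use one key everywhere, e.g. `kubectl get pods -n olmv1-system --selector=app.kubernetes.io/name=catalogd`.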
--- a/docs/draft/howto/enable-helm-chart-support.md +++ b/docs/draft/howto/enable-helm-chart-support.md @@ -24,7 +24,7 @@ To enable the Helm Chart support feature gate, you need to patch the `operator-c 2. **Wait for the controller manager pods to be ready:** ```bash - $ kubectl -n olmv1-system wait --for condition=ready pods -l control-plane=operator-controller-controller-manager + $ kubectl -n olmv1-system wait --for condition=ready pods -l apps.kubernetes.io/name=operator-controller ``` Once the above wait condition is met, the `HelmChartSupport` feature gate should be enabled in operator controller. diff --git a/docs/draft/howto/profiling_with_pprof.md b/docs/draft/howto/profiling_with_pprof.md index 23ec7f7af9..01c0969d48 100644 --- a/docs/draft/howto/profiling_with_pprof.md +++ b/docs/draft/howto/profiling_with_pprof.md @@ -21,7 +21,7 @@ The following steps are examples to demonstrate the required changes to enable P 1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8082` flag: ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=operator-controller -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "add", @@ -127,7 +127,7 @@ go tool pprof -http=:8080 ./operator-controller-profile.pprof 1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8083` flag: ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=catalogd -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "add", 
@@ -235,7 +235,7 @@ go tool pprof -http=:8080 ./catalogd-profile.pprof 1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint. ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=operator-controller -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "replace", @@ -266,7 +266,7 @@ kubectl delete pod curl-oper-con-pprof -n olmv1-system 1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint. ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=catalogd -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "replace", @@ -294,4 +294,4 @@ re-start the deployment `kubectl rollout restart deployment -n olmv1-system cata kubectl delete pod curl-catalogd-pprof -n olmv1-system ``` -[pprof]: https://github.com/google/pprof/blob/main/doc/README.md \ No newline at end of file +[pprof]: https://github.com/google/pprof/blob/main/doc/README.md diff --git a/hack/tools/update-crds.sh b/hack/tools/update-crds.sh index 8627784fe5..6b74141d6f 100755 --- a/hack/tools/update-crds.sh +++ b/hack/tools/update-crds.sh @@ -42,7 +42,7 @@ for b in ${!modules[@]}; do # will not be generated for the standard channel - so we check the expected generated # file exists before copying it. FILE="${CRD_TMP}/${c}/${crds[${b}]}" - [[ -e "${FILE}" ]] && cp "${FILE}" config/base/${modules[${b}]}/crd/${c} + [[ -e "${FILE}" ]] && cp "${FILE}" helm/olmv1/base/${modules[${b}]}/crd/${c} done done 
diff --git a/helm/cert-manager.yaml b/helm/cert-manager.yaml new file mode 100644 index 0000000000..a57a36f3ca --- /dev/null +++ b/helm/cert-manager.yaml @@ -0,0 +1,8 @@ +# Default values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# List of components to include +options: + certManager: + enabled: true diff --git a/helm/e2e.yaml b/helm/e2e.yaml new file mode 100644 index 0000000000..11d51ddad9 --- /dev/null +++ b/helm/e2e.yaml @@ -0,0 +1,8 @@ +# e2e values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# List of components to include +options: + e2e: + enabled: true diff --git a/helm/experimental.yaml b/helm/experimental.yaml new file mode 100644 index 0000000000..d1812afcb3 --- /dev/null +++ b/helm/experimental.yaml @@ -0,0 +1,22 @@ +# experimental values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# List of enabled experimental features for operator-controller +# Use with {{- if has "FeatureGate" .Value.operatorControllerFeatures }} +# to pull in resources or additions +operatorControllerFeatures: + - WebhookProviderCertManager + - SingleOwnNamespaceInstallSupport + - PreflightPermissions + - HelmChartSupport + +# List of enabled experimental features for catalogd +# Use with {{- if has "FeatureGate" .Value.catalogdFeatures }} +# to pull in resources or additions +catalogdFeatures: + - APIV1MetasHandler + +# This can be one of: standard or experimental +options: + featureSet: experimental diff --git a/helm/olmv1/.helmignore b/helm/olmv1/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/helm/olmv1/.helmignore 
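Review bot: The usage hints in helm/experimental.yaml reference `.Value.operatorControllerFeatures` and `.Value.catalogdFeatures`, but the Helm values object is `.Values`; a template copied from these comments would not render. Suggest `# Use with {{- if has "FeatureGate" .Values.operatorControllerFeatures }}` and `# Use with {{- if has "FeatureGate" .Values.catalogdFeatures }}`. The `options.featureSet` comment says it "can be one of: standard or experimental" but neither this file nor helm/cert-manager.yaml shows the default, so a note on which value applies when the key is omitted would help readers of the values files.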
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/olmv1/Chart.yaml b/helm/olmv1/Chart.yaml new file mode 100644 index 0000000000..d4a9f0973f --- /dev/null +++ b/helm/olmv1/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: olmv1 +description: A Helm chart for OLMv1 + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.3.0" diff --git a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml new file mode 100644 index 0000000000..2d5722a47d --- /dev/null 
+++ b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml 
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml new file mode 100644 index 0000000000..cde14b13b1 --- /dev/null 
+++ b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml 
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml new file mode 100644 index 0000000000..162683603d --- /dev/null 
+++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml new file mode 100644 index 0000000000..18faa59789 --- /dev/null +++ b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl new file mode 100644 index 0000000000..89cb398934 --- /dev/null +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -0,0 +1,65 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "olmv1.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "olmv1.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Return the name of the active component for a prefix, but _only_ if one is enabled +*/}} +{{- define "component.name.prefix" -}} +{{- if and (.Values.options.operatorController.enabled) (not .Values.options.catalogd.enabled) -}} +operator-controller- +{{- else if and (not .Values.options.operatorController.enabled) (.Values.options.catalogd.enabled) -}} +catalogd- +{{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "olmv1.labels" -}} +app.kubernetes.io/part-of: olm +{{- end }} + +{{/* +Common annoations +*/}} +{{- define "olmv1.annotations" -}} +olm.operatorframework.io/feature-set: {{ .Values.options.featureSet -}}{{- if .Values.options.e2e.enabled -}}-e2e{{- end -}} +{{- end }} + +{{/* +Insertion of additional rules for RBAC +*/}} + +{{/* +Returns "operator-controller", "catalogd" or "olmv1" depending on enabled components +*/}} +{{- define "olmv1.label.name" -}} +{{- if (and .Values.options.operatorController.enabled (not .Values.options.catalogd.enabled)) -}} +operator-controller +{{- else if (and (not .Values.options.operatorController.enabled) .Values.options.catalogd.enabled) -}} +catalogd +{{- else -}} +olmv1 +{{- end -}} +{{- end -}} + +{{/* +When rendering with OpenShift, only one of the main components (catalogd, operatorController) +should be enabled +*/}} +{{- if .Values.options.openshift.enabled -}} +{{- if and .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +{{- fail "When rendering Openshift, only one of {catalogd, operatorController} should also be enabled" -}} +{{- end -}} +{{- end -}} 
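Review bot: The header comment on the `olmv1.annotations` define reads `Common annoations`, and the `Insertion of additional rules for RBAC` comment a few lines further down introduces nothing — the next thing after it is another comment, not a define. Fix the typo to `Common annotations` and either drop the orphan comment or attach the define it was meant to describe. Separately, `component.name.prefix` and `olmv1.label.name` encode the same "which component is enabled" decision twice with slightly different outputs (empty prefix vs `olmv1` in the both-enabled case); deriving the prefix from `olmv1.label.name`, or documenting in its comment why the both-enabled case intentionally yields no prefix, would keep the two from drifting apart.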
diff --git a/helm/olmv1/templates/certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/certificate-cert-manager-olmv1-ca.yml new file mode 100644 index 0000000000..7b3c2396a1 --- /dev/null +++ b/helm/olmv1/templates/certificate-cert-manager-olmv1-ca.yml @@ -0,0 +1,27 @@ +{{- if .Values.options.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: olmv1-ca + namespace: {{ .Values.namespaces.certManager.name }} +spec: + commonName: olmv1-ca + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: self-sign-issuer + privateKey: + algorithm: ECDSA + rotationPolicy: Always + size: 256 + secretName: olmv1-ca + secretTemplate: + annotations: + cert-manager.io/allow-direct-injection: "true" +{{- end }} diff --git a/helm/olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml new file mode 100644 index 0000000000..7c6311eedf --- /dev/null +++ b/helm/olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml @@ -0,0 +1,26 @@ +{{- if .Values.options.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + name: catalogd-service-cert + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + dnsNames: + - localhost + - catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc + - catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc.cluster.local + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: olmv1-ca + privateKey: + algorithm: ECDSA + rotationPolicy: Always + size: 256 + secretName: catalogd-service-cert-git-version +{{- end }} 
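Review bot: The catalogd Certificate's `secretName: catalogd-service-cert-git-version` reads like a suffix carried over from a previous manifest-generation step rather than a chart-chosen name, and its sibling `operator-controller-cert` on the next hunk carries no such suffix; if it is renamed, both `secretName` references in the catalogd Deployment on a later hunk must change in the same commit. The `dnsNames` list also includes `localhost`, unlike the operator-controller Certificate; a template comment naming which client connects over that name would keep it from being removed later as a stray SAN.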
diff --git a/helm/olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml b/helm/olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml new file mode 100644 index 0000000000..2ac8371935 --- /dev/null +++ b/helm/olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml @@ -0,0 +1,25 @@ +{{- if .Values.options.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-cert + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + dnsNames: + - operator-controller-service.{{ .Values.namespaces.olmv1.name }}.svc + - operator-controller-service.{{ .Values.namespaces.olmv1.name }}.svc.cluster.local + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: olmv1-ca + privateKey: + algorithm: ECDSA + rotationPolicy: Always + size: 256 + secretName: operator-controller-cert +{{- end }} diff --git a/helm/olmv1/templates/clustercatalog-openshift-certified-operators.yml b/helm/olmv1/templates/clustercatalog-openshift-certified-operators.yml new file mode 100644 index 0000000000..b62aa9a102 --- /dev/null +++ b/helm/olmv1/templates/clustercatalog-openshift-certified-operators.yml @@ -0,0 +1,13 @@ +{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}} +apiVersion: olm.operatorframework.io/v1 +kind: ClusterCatalog +metadata: + name: openshift-certified-operators +spec: + priority: -200 + source: + type: Image + image: + pollIntervalMinutes: 10 + ref: registry.redhat.io/redhat/certified-operator-index:v4.19 +{{- end -}} diff --git a/helm/olmv1/templates/clustercatalog-openshift-community-operators.yml b/helm/olmv1/templates/clustercatalog-openshift-community-operators.yml new file mode 100644 index 0000000000..61cc8ff54f --- /dev/null 
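Review bot: The certified-operators ClusterCatalog template and the three on the following hunks (community-operators, redhat-marketplace, redhat-operators) differ only in `name`, `priority` and `ref`, and each pins the index tag `v4.19` in the template body. A single template ranging over a values list would make the tag and the priorities a chart input rather than four files to edit on every OpenShift release, e.g. `{{- range .Values.openshiftCatalogs }}` with `name`, `priority` and `ref` fields (constructed values key — align it with the chart's values layout). With `pollIntervalMinutes: 10` and a floating tag the catalog content presumably changes without any chart change; if that is intended for these catalogs, a one-line comment saying so would help.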
+++ b/helm/olmv1/templates/clustercatalog-openshift-community-operators.yml @@ -0,0 +1,13 @@ +{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}} +apiVersion: olm.operatorframework.io/v1 +kind: ClusterCatalog +metadata: + name: openshift-community-operators +spec: + priority: -400 + source: + type: Image + image: + pollIntervalMinutes: 10 + ref: registry.redhat.io/redhat/community-operator-index:v4.19 +{{- end -}} diff --git a/helm/olmv1/templates/clustercatalog-openshift-redhat-marketplace.yml b/helm/olmv1/templates/clustercatalog-openshift-redhat-marketplace.yml new file mode 100644 index 0000000000..7d50ed5a8b --- /dev/null +++ b/helm/olmv1/templates/clustercatalog-openshift-redhat-marketplace.yml @@ -0,0 +1,13 @@ +{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}} +apiVersion: olm.operatorframework.io/v1 +kind: ClusterCatalog +metadata: + name: openshift-redhat-marketplace +spec: + priority: -300 + source: + type: Image + image: + pollIntervalMinutes: 10 + ref: registry.redhat.io/redhat/redhat-marketplace-index:v4.19 +{{- end -}} diff --git a/helm/olmv1/templates/clustercatalog-openshift-redhat-operators.yml b/helm/olmv1/templates/clustercatalog-openshift-redhat-operators.yml new file mode 100644 index 0000000000..a9805e500c --- /dev/null +++ b/helm/olmv1/templates/clustercatalog-openshift-redhat-operators.yml @@ -0,0 +1,13 @@ +{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}} +apiVersion: olm.operatorframework.io/v1 +kind: ClusterCatalog +metadata: + name: openshift-redhat-operators +spec: + priority: -100 + source: + type: Image + image: + pollIntervalMinutes: 10 + ref: registry.redhat.io/redhat/redhat-operator-index:v4.19 +{{- end -}} diff --git a/helm/olmv1/templates/clusterissuer-olmv1-ca.yml b/helm/olmv1/templates/clusterissuer-olmv1-ca.yml new file mode 100644 index 0000000000..57573095fd --- /dev/null +++ b/helm/olmv1/templates/clusterissuer-olmv1-ca.yml 
@@ -0,0 +1,14 @@ +{{- if .Values.options.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: olmv1-ca +spec: + ca: + secretName: olmv1-ca +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/clusterrole-catalogd-manager-role.yml new file mode 100644 index 0000000000..fe43d1966f --- /dev/null +++ b/helm/olmv1/templates/clusterrole-catalogd-manager-role.yml @@ -0,0 +1,48 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: catalogd-manager-role + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update + {{- if .Values.options.openshift.enabled }} + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use + {{- end }} +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-common-metrics-reader.yml b/helm/olmv1/templates/clusterrole-common-metrics-reader.yml new file mode 100644 index 0000000000..069041955d --- /dev/null +++ b/helm/olmv1/templates/clusterrole-common-metrics-reader.yml 
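Review bot: The ClusterIssuer's `ca.secretName: olmv1-ca` has no namespace, while the CA Certificate on an earlier hunk writes that secret into `{{ .Values.namespaces.certManager.name }}`; a ClusterIssuer resolves its CA secret in cert-manager's cluster-resource namespace (the `cert-manager` namespace unless the controller was started with a different `--cluster-resource-namespace`), so the chain only works when that value matches it. If the namespace is meant to be configurable, state the constraint in a comment on this template, or add a `fail` in `_helpers.tpl` when the value is not the namespace cert-manager is configured for.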
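Review bot: The OpenShift branch of the catalogd manager ClusterRole grants `use` on the `privileged` SecurityContextConstraint with nothing saying why catalogd needs it; the catalogd Deployment on a later hunk mounts host paths `/etc/containers` and `/etc/docker` in the same branch, which is presumably the reason, and the operator-controller manager role on a later hunk repeats the identical block. A template comment above the block, e.g. `{{/* privileged SCC is needed for the read-only hostPath mounts of /etc/containers and /etc/docker in the manager Deployment */}}`, would tie the grant to its consumer so it can be dropped if those mounts go away.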
@@ -0,0 +1,24 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $| nindent 4 }} + name: {{ $name -}}-metrics-reader +rules: + - nonResourceURLs: + - /metrics + verbs: + - get +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-common-proxy-role.yml b/helm/olmv1/templates/clusterrole-common-proxy-role.yml new file mode 100644 index 0000000000..266348e2f3 --- /dev/null +++ b/helm/olmv1/templates/clusterrole-common-proxy-role.yml @@ -0,0 +1,32 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml b/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml new file mode 100644 index 0000000000..d70e9caf3a --- /dev/null 
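Review bot: `{{- include "olmv1.labels" $| nindent 4 }}` in the metrics-reader template is missing the space before the pipe that the proxy-role template on the same line uses (`$ | nindent 4`); it parses, but write it the same way. The `$options` list construction (append `catalogd` / `operator-controller` by enabled flag) is repeated verbatim here, in proxy-role, and in both ClusterRoleBindings on a later hunk; a single define in `_helpers.tpl` returning that list, e.g. `olmv1.enabledComponents` (constructed name), would leave one place to maintain it.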
+++ b/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml @@ -0,0 +1,25 @@ +{{- if .Values.options.operatorController.enabled }} +{{/* Probably want to include this as a file somehow */}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-clusterextension-editor-role +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml b/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml new file mode 100644 index 0000000000..9cd843b51d --- /dev/null +++ b/helm/olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml @@ -0,0 +1,21 @@ +{{- if .Values.options.operatorController.enabled }} +{{/* Probably want to include this as a file somehow */}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-clusterextension-viewer-role +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch +{{- end }} diff --git a/helm/olmv1/templates/clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/clusterrole-operator-controller-manager-role.yml new file mode 100644 index 0000000000..dba3587aea --- /dev/null +++ b/helm/olmv1/templates/clusterrole-operator-controller-manager-role.yml 
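Review bot: Both the editor and the viewer ClusterRole carry the comment `{{/* Probably want to include this as a file somehow */}}`, which reads as an unresolved note to self rather than documentation. Either turn it into a tracked `TODO` that spells out the intent, or drop it; as written the next reader cannot tell whether the file-include idea was abandoned or is still pending.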
@@ -0,0 +1,75 @@ +{{- if .Values.options.operatorController.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch + {{- if .Values.options.openshift.enabled }} + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use + {{- end }} +{{- end }} diff --git a/helm/olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml b/helm/olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml new file mode 100644 index 0000000000..c91da3ac37 --- /dev/null +++ b/helm/olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml 
@@ -0,0 +1,27 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $name -}}-manager-role +subjects: + - kind: ServiceAccount + name: {{ $name -}}-controller-manager + namespace: {{ $.Values.namespaces.olmv1.name }} +{{- end }} diff --git a/helm/olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml b/helm/olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml new file mode 100644 index 0000000000..b53096f139 --- /dev/null +++ b/helm/olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml @@ -0,0 +1,27 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $name -}}-proxy-role +subjects: + - kind: ServiceAccount + name: {{ $name -}}-controller-manager + namespace: {{ $.Values.namespaces.olmv1.name }} +{{- end }} 
diff --git a/helm/olmv1/templates/configmap-olmv1-system-e2e-registries-conf.yml b/helm/olmv1/templates/configmap-olmv1-system-e2e-registries-conf.yml new file mode 100644 index 0000000000..d6fec9b5fb --- /dev/null +++ b/helm/olmv1/templates/configmap-olmv1-system-e2e-registries-conf.yml @@ -0,0 +1,17 @@ +{{- if .Values.options.e2e.enabled }} +apiVersion: v1 +data: + registries.conf: | + [[registry]] + prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" + location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" +kind: ConfigMap +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} + name: e2e-registries-conf + namespace: {{ .Values.namespaces.olmv1.name }} +{{- end }} diff --git a/helm/olmv1/templates/configmap-openshift-trusted-ca.yml b/helm/olmv1/templates/configmap-openshift-trusted-ca.yml new file mode 100644 index 0000000000..b5fcf93138 --- /dev/null +++ b/helm/olmv1/templates/configmap-openshift-trusted-ca.yml @@ -0,0 +1,15 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + config.openshift.io/inject-trusted-cabundle: "true" + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-trusted-ca-bundle + namespace: {{ .Values.namespaces.olmv1.name }} +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml new file mode 100644 index 0000000000..079f39aa2b --- /dev/null 
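Review bot: The trusted-CA ConfigMap name `{{ include "olmv1.label.name" . -}}-trusted-ca-bundle` would render as `olmv1-trusted-ca-bundle` when both components are enabled, but the Deployments on later hunks project `catalogd-trusted-ca-bundle` and `operator-controller-trusted-ca-bundle` by fixed name. The only thing keeping those in sync is the `fail` in `_helpers.tpl` that rejects both components under OpenShift; a comment here, e.g. `{{/* under OpenShift exactly one component is enabled (see _helpers.tpl), so label.name is catalogd or operator-controller and matches the Deployment's projected ConfigMap name */}}`, would make the coupling visible before someone relaxes that check.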
+++ b/helm/olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml @@ -0,0 +1,7 @@ +{{- if .Values.options.catalogd.enabled }} +{{- if (eq .Values.options.featureSet "standard") }} +{{ tpl (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml") . }} +{{- else if (eq .Values.options.featureSet "experimental") }} +{{ tpl (.Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml") . }} +{{- end }} +{{- end }} diff --git a/helm/olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml new file mode 100644 index 0000000000..f3ce9b8643 --- /dev/null +++ b/helm/olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml @@ -0,0 +1,7 @@ +{{- if .Values.options.operatorController.enabled }} +{{- if (eq .Values.options.featureSet "standard") }} +{{ tpl (.Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml") . }} +{{- else if (eq .Values.options.featureSet "experimental") }} +{{ tpl (.Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml") . }} +{{- end }} +{{- end }} diff --git a/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml new file mode 100644 index 0000000000..fba0b73c16 --- /dev/null +++ b/helm/olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml 
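Review bot: `.Files.Get` returns an empty string when the path does not exist, so a missing or misnamed CRD file under `base/...` renders this template to nothing and the chart installs without the CRD; the clusterextensions template on the same line has the same gap. Make the failure loud, e.g. `{{ tpl (required "CRD file missing from chart" (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml")) . }}`. An unrecognised `featureSet` value likewise renders nothing; an `{{- else }}{{ fail "unknown featureSet" }}` branch would catch that too.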
@@ -0,0 +1,185 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + kubectl.kubernetes.io/default-logs-container: manager + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + name: catalogd-controller-manager + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + minReadySeconds: 5 + replicas: 1 + selector: + matchLabels: + control-plane: catalogd-controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + {{- include "olmv1.annotations" . | nindent 8 }} + {{- if .Values.options.openshift.enabled }} + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: privileged + {{- end }} + labels: + app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager + {{- include "olmv1.labels" . | nindent 8 }} + {{- with .Values.options.catalogd.deployment.podLabels }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} + spec: + containers: + - args: + {{- if not .Values.options.tilt.enabled }} + - --leader-elect + {{- end }} + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc + {{- range .Values.catalogdFeatures }} + - --feature-gates={{- . 
-}}=true + {{- end }} + {{- if .Values.options.certManager.enabled }} + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + {{- else if .Values.options.openshift.enabled }} + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --v=${LOG_VERBOSITY} + - --global-pull-secret=openshift-config/pull-secret + {{- end }} + command: + - ./catalogd + {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }} + env: + {{- if .Values.options.e2e.enabled }} + - name: GOCOVERDIR + value: /e2e-coverage + {{- end }} + {{- with .Values.options.openshift.enabled }} + - name: SSL_CERT_DIR + value: /var/ca-certs + {{- end }} + {{- end }} + image: "{{ .Values.options.catalogd.deployment.image }}" + name: manager + {{- if not .Values.options.tilt.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + {{- end }} + resources: + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + {{- if .Values.options.e2e.enabled }} + - mountPath: /e2e-coverage + name: e2e-coverage-volume + {{- end }} + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + {{- if .Values.options.certManager.enabled }} + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + {{- else if .Values.options.openshift.enabled }} + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + - mountPath: /etc/containers + name: etc-containers + readOnly: true + - mountPath: /etc/docker + name: etc-docker + readOnly: true + {{- end }} + {{- with .Values.deployments.containerSpec }} + {{- toYamlPretty . 
| nindent 10 }} + {{- end }} + serviceAccountName: catalogd-controller-manager + volumes: + {{- if .Values.options.e2e.enabled }} + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + {{- end }} + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + {{- if .Values.options.certManager.enabled }} + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogd-service-cert-git-version + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version + {{- else if .Values.options.openshift.enabled }} + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogserver-cert + - name: ca-certs + projected: + sources: + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: catalogd-trusted-ca-bundle + optional: false + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + - hostPath: + path: /etc/containers + type: Directory + name: etc-containers + - hostPath: + path: /etc/docker + type: Directory + name: etc-docker + {{- end }} + {{- with .Values.deployments.templateSpec }} + {{- toYamlPretty . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml new file mode 100644 index 0000000000..c3e0730ace --- /dev/null +++ b/helm/olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml 
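Review bot: In the certManager branch the catalogd `/var/certs` mount has no `readOnly: true`, whereas the operator-controller Deployment on the next hunk mounts its certificate `readOnly: true`; the secret volume gives the container no reason to write there, so add `readOnly: true` under `name: catalogserver-certs`. The OpenShift branch passes `--v=${LOG_VERBOSITY}`; Kubernetes only expands `$(VAR)` references in args, so this reaches the binary literally unless a downstream step substitutes it — presumably the case for OpenShift manifests, but a comment saying so would stop it being "fixed". This template also uses `{{- with .Values.options.openshift.enabled }}` for the SSL_CERT_DIR env where the sibling Deployment uses `if`, and `toYamlPretty` for `containerSpec` where the sibling uses `toYaml`; pick one form for both files.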
@@ -0,0 +1,192 @@ +{{- if .Values.options.operatorController.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + kubectl.kubernetes.io/default-logs-container: manager + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-controller-manager + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + replicas: 1 + selector: + matchLabels: + control-plane: operator-controller-controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + {{- include "olmv1.annotations" . | nindent 8 }} + {{- if .Values.options.openshift.enabled }} + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: privileged + {{- end }} + labels: + app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager + {{- include "olmv1.labels" . | nindent 8 }} + {{- with .Values.options.operatorController.deployment.podLabels }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + {{- if not .Values.options.tilt.enabled }} + - --leader-elect + {{- end }} + {{- range .Values.operatorControllerFeatures }} + - --feature-gates={{- . 
-}}=true + {{- end }} + {{- if .Values.options.certManager.enabled }} + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + {{- else if .Values.options.openshift.enabled }} + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --catalogd-cas-dir=/var/ca-certs + - --v=${LOG_VERBOSITY} + - --global-pull-secret=openshift-config/pull-secret + {{- end }} + command: + - /operator-controller + {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }} + env: + {{- if .Values.options.e2e.enabled }} + - name: GOCOVERDIR + value: /e2e-coverage + {{- end }} + {{- if .Values.options.openshift.enabled }} + - name: SSL_CERT_DIR + value: /var/ca-certs + {{- end }} + {{- end }} + image: "{{ .Values.options.operatorController.deployment.image }}" + name: manager + {{- if not .Values.options.tilt.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + {{- end }} + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + {{- if .Values.options.e2e.enabled }} + - mountPath: /etc/containers + name: e2e-registries-conf + - mountPath: /e2e-coverage + name: e2e-coverage-volume + {{- end }} + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + {{- if .Values.options.certManager.enabled }} + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + {{- else if .Values.options.openshift.enabled }} + - mountPath: /var/certs + name: operator-controller-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + - mountPath: /etc/containers + name: etc-containers + readOnly: true + - mountPath: /etc/docker + name: etc-docker + readOnly: true + {{- end }} + {{- with 
.Values.deployments.containerSpec }} + {{- toYaml . | nindent 10 }} + {{- end }} + serviceAccountName: operator-controller-controller-manager + volumes: + {{- if .Values.options.e2e.enabled }} + - configMap: + name: e2e-registries-conf + name: e2e-registries-conf + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + {{- end }} + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + {{- if .Values.options.certManager.enabled }} + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert + {{- else if .Values.options.openshift.enabled }} + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + projected: + sources: + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: operator-controller-trusted-ca-bundle + optional: false + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + - hostPath: + path: /etc/containers + type: Directory + name: etc-containers + - hostPath: + path: /etc/docker + type: Directory + name: etc-docker + {{- end }} + {{- with .Values.deployments.templateSpec }} + {{- toYamlPretty . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/helm/olmv1/templates/issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/issuer-cert-manager-self-sign-issuer.yml new file mode 100644 index 0000000000..283e62c266 --- /dev/null +++ b/helm/olmv1/templates/issuer-cert-manager-self-sign-issuer.yml 
@@ -0,0 +1,14 @@ +{{- if .Values.options.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: self-sign-issuer + namespace: {{ .Values.namespaces.certManager.name }} +spec: + selfSigned: {} +{{- end }} diff --git a/helm/olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml new file mode 100644 index 0000000000..95077c9ffe --- /dev/null +++ b/helm/olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml 
@@ -0,0 +1,43 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- if .Values.options.certManager.enabled }} + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- end }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/inject-cabundle: "true" + {{- end }} + {{- include "olmv1.annotations" . | nindent 4 }} +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: {{ .Values.namespaces.olmv1.name }} + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" +{{- end }} diff --git a/helm/olmv1/templates/namespace.yml b/helm/olmv1/templates/namespace.yml new file mode 100644 index 0000000000..4624909d9d --- /dev/null +++ b/helm/olmv1/templates/namespace.yml 
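Review bot: `cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca` hardcodes the `cert-manager` namespace, while the CA Certificate that creates that secret on an earlier hunk is placed in `{{ .Values.namespaces.certManager.name }}`; with any other value the cainjector finds no secret, the webhook's caBundle is never populated, and with `failurePolicy: Fail` every ClusterCatalog create and update is then rejected. Use the value: `cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager.name }}/olmv1-ca`.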
@@ -0,0 +1,24 @@ +{{/* this is a common component */}} +apiVersion: v1 +kind: Namespace +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + openshift.io/node-selector: "" + workload.openshift.io/allowed: management + {{- end }} + labels: + {{- $psProfile := ternary "privileged" "restricted" .Values.options.openshift.enabled }} + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + pod-security.kubernetes.io/audit: {{ $psProfile }} + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: {{ $psProfile }} + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: {{ $psProfile }} + pod-security.kubernetes.io/warn-version: latest + {{- include "olmv1.labels" . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + openshift.io/cluster-monitoring: "true" + {{- end }} + name: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml new file mode 100644 index 0000000000..9c63ab376a --- /dev/null +++ b/helm/olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -0,0 +1,29 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + name: catalogd-controller-manager + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: catalogd + policyTypes: + - Ingress + - Egress +{{- end }} 
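Review bot: On OpenShift the ternary labels the namespace `pod-security.kubernetes.io/enforce: privileged`, which lifts Pod Security admission entirely for every pod in olmv1-system, even though the deployment defaults in values.yaml (`runAsNonRoot`, drop `ALL`, seccomp `RuntimeDefault`, `readOnlyRootFilesystem`) are already compatible with the restricted profile. If `privileged` is required for an OpenShift-specific reason the template does not show, add a comment next to the ternary such as `{{/* OpenShift: privileged PSA level is required because ... */}}`; otherwise keep `restricted` on both platforms so a compromised or misconfigured pod in this namespace cannot reach for host namespaces or extra capabilities.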
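Review bot: The ingress rule of the catalogd NetworkPolicy admits TCP 7443, 8443 and 9443 from any source because it carries no `from:` selector, so the namespace's default-deny is reopened cluster-wide for this pod. 9443 (webhook) must be reachable by the API server and 8443 (catalog content) by its consumers, but the metrics port 7443 could be limited with `from: - namespaceSelector:` matching the monitoring namespace; since the ServiceMonitor in this chart is OpenShift-only, that selector would be gated on `.Values.options.openshift.enabled`. `egress: - {}` permits all outbound traffic, presumably needed for pulling catalog images from user-supplied registries; a one-line comment such as `# egress is unrestricted: catalog images come from user-supplied registries` would record that intent for future tightening.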
diff --git a/helm/olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml new file mode 100644 index 0000000000..e39a84a880 --- /dev/null +++ b/helm/olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml @@ -0,0 +1,16 @@ +{{/* this is a common component */}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "component.name.prefix" . -}}default-deny-all-traffic + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/helm/olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml new file mode 100644 index 0000000000..e91a7e55dd --- /dev/null +++ b/helm/olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml @@ -0,0 +1,25 @@ +{{- if .Values.options.operatorController.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-controller-manager + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: operator-controller + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/helm/olmv1/templates/persistentvolumeclaim-olmv1-system-e2e-coverage.yml b/helm/olmv1/templates/persistentvolumeclaim-olmv1-system-e2e-coverage.yml new file mode 100644 index 0000000000..6f5c83fced --- /dev/null 
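Review bot: The operator-controller NetworkPolicy opens 8443 to every pod in the cluster since the ingress rule has no `from:` selector. The metrics-reader ClusterRole (`nonResourceURLs: /metrics`) and the ServiceMonitor's bearer token and client certificates suggest the endpoint is authenticated, which mitigates this, but the policy could still scope the port to the scraping namespace with `from: - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: openshift-monitoring}}` when `openshift` is enabled. As with the catalogd policy, `egress: - {}` is unrestricted; a comment stating why (bundle image pulls from user-supplied registries, presumably) would document the intent.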
+++ b/helm/olmv1/templates/persistentvolumeclaim-olmv1-system-e2e-coverage.yml @@ -0,0 +1,18 @@ +{{- if .Values.options.e2e.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} + name: e2e-coverage + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Mi +{{- end }} diff --git a/helm/olmv1/templates/pod-olmv1-system-e2e-coverage-copy-pod.yml b/helm/olmv1/templates/pod-olmv1-system-e2e-coverage-copy-pod.yml new file mode 100644 index 0000000000..fa4b11acaa --- /dev/null +++ b/helm/olmv1/templates/pod-olmv1-system-e2e-coverage-copy-pod.yml @@ -0,0 +1,40 @@ +{{- if .Values.options.e2e.enabled }} +apiVersion: v1 +kind: Pod +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} + name: e2e-coverage-copy-pod + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + containers: + - command: + - sleep + - infinity + image: busybox:1.36 + name: tar + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + readOnly: true + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + readOnly: true +{{- end }} diff --git a/helm/olmv1/templates/role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/role-olmv1-system-catalogd-manager-role.yml new file mode 100644 index 0000000000..09cec7c0c2 --- /dev/null +++ b/helm/olmv1/templates/role-olmv1-system-catalogd-manager-role.yml 
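Review bot: The e2e coverage copy pod sets `runAsNonRoot`, drops all capabilities and uses the `RuntimeDefault` seccomp profile, but unlike `deployments.containerSpec` in values.yaml it omits `readOnlyRootFilesystem: true`, and `busybox:1.36` is a floating tag rather than a digest. Both are low risk because the pod is gated on `options.e2e.enabled`, but adding `readOnlyRootFilesystem: true` under the container `securityContext` keeps the chart's hardening consistent, and pinning `image: busybox:1.36@sha256:<digest>` (digest taken from the registry) makes the test image immutable.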
@@ -0,0 +1,22 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch +{{- end }} diff --git a/helm/olmv1/templates/role-olmv1-system-common-leader-election-role.yml b/helm/olmv1/templates/role-olmv1-system-common-leader-election-role.yml new file mode 100644 index 0000000000..84b3074152 --- /dev/null +++ b/helm/olmv1/templates/role-olmv1-system-common-leader-election-role.yml @@ -0,0 +1,52 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-leader-election-role + namespace: {{ $.Values.namespaces.olmv1.name }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/helm/olmv1/templates/role-olmv1-system-metrics-monitor-role.yml b/helm/olmv1/templates/role-olmv1-system-metrics-monitor-role.yml new file mode 100644 index 0000000000..0a452d6b90 --- /dev/null 
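Review bot: `list` and `watch` on `secrets` let the catalogd service account enumerate every Secret in olmv1-system, including the ones operator-controller creates and deletes under its own manager role, because list/watch cannot be narrowed with `resourceNames`. This matches the kubebuilder marker removed from clustercatalog_controller.go, so it is a faithful port rather than a new grant, but if catalogd only resolves named Secrets a `get` with `resourceNames`, or a dedicated namespace for those Secrets, would be a tighter fit. A comment naming what the Secrets are used for, e.g. `# Secrets referenced by ClusterCatalog specs (confirm)`, would make the scope reviewable.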
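Review bot: The leader-election Role grants full CRUD on `configmaps` in addition to `coordination.k8s.io/leases`; with controller-runtime's default leases-based resource lock the ConfigMap rule is unused and gives both controller managers the ability to create and delete arbitrary ConfigMaps in olmv1-system. If the managers use the leases lock (their configuration is not in this diff), drop the `configmaps` rule; if they still use the legacy `configmapsleases` lock, add a comment such as `# configmaps: required only for the legacy configmapsleases resource lock` so the grant is not removed by accident.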
+++ b/helm/olmv1/templates/role-olmv1-system-metrics-monitor-role.yml @@ -0,0 +1,25 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-metrics-monitor-role + namespace: {{ .Values.namespaces.olmv1.name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml new file mode 100644 index 0000000000..2e31957d30 --- /dev/null +++ b/helm/olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml @@ -0,0 +1,34 @@ +{{- if .Values.options.operatorController.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-controller-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +{{- end }} diff --git a/helm/olmv1/templates/role-openshift-config-manager-role.yml b/helm/olmv1/templates/role-openshift-config-manager-role.yml new file mode 100644 index 0000000000..6557cba1fc --- /dev/null +++ b/helm/olmv1/templates/role-openshift-config-manager-role.yml 
@@ -0,0 +1,24 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-manager-role + namespace: openshift-config +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml b/helm/olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml new file mode 100644 index 0000000000..d8ab8f1178 --- /dev/null +++ b/helm/olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml @@ -0,0 +1,28 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-leader-election-rolebinding + namespace: {{ $.Values.namespaces.olmv1.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name -}}-leader-election-role +subjects: + - kind: ServiceAccount + name: {{ $name -}}-controller-manager + namespace: {{ $.Values.namespaces.olmv1.name }} +{{- end }} 
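Review bot: The header comment `# permissions to do leader election.` does not describe this Role, which grants `get`/`list`/`watch` on Secrets in the `openshift-config` namespace and touches no leases. Replace it with a comment stating the real purpose, e.g. `# Read-only access to Secrets in openshift-config (OpenShift only); list/watch cannot be narrowed with resourceNames, so every Secret in that namespace is readable.` That namespace holds cluster-level configuration Secrets on OpenShift, so the breadth of `list`/`watch` deserves to be stated explicitly rather than hidden behind a misleading comment.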
diff --git a/helm/olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml b/helm/olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml new file mode 100644 index 0000000000..a8846104ab --- /dev/null +++ b/helm/olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml @@ -0,0 +1,28 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-manager-rolebinding + namespace: {{ $.Values.namespaces.olmv1.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name -}}-manager-role +subjects: + - kind: ServiceAccount + name: {{ $name -}}-controller-manager + namespace: {{ $.Values.namespaces.olmv1.name }} +{{- end }} diff --git a/helm/olmv1/templates/rolebinding-olmv1-system-metrics-monitor-rolebinding.yml b/helm/olmv1/templates/rolebinding-olmv1-system-metrics-monitor-rolebinding.yml new file mode 100644 index 0000000000..18ec318a2a --- /dev/null +++ b/helm/olmv1/templates/rolebinding-olmv1-system-metrics-monitor-rolebinding.yml 
@@ -0,0 +1,22 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-metrics-monitor-rolebinding + namespace: {{ .Values.namespaces.olmv1.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "olmv1.label.name" . -}}-metrics-monitor-role +subjects: + - kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/rolebinding-openshift-config-manager-rolebinding.yml b/helm/olmv1/templates/rolebinding-openshift-config-manager-rolebinding.yml new file mode 100644 index 0000000000..2209f5c579 --- /dev/null +++ b/helm/olmv1/templates/rolebinding-openshift-config-manager-rolebinding.yml @@ -0,0 +1,22 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-manager-rolebinding + namespace: openshift-config +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "olmv1.label.name" . -}}-manager-role +subjects: +- kind: ServiceAccount + name: {{ include "olmv1.label.name" . -}}-controller-manager + namespace: {{ .Values.namespaces.olmv1.name }} +{{- end -}} +{{- end -}} 
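Review bot: The subject of the openshift-config RoleBinding is `{{ include "olmv1.label.name" . }}-controller-manager`, but the ServiceAccounts this chart creates are `catalogd-controller-manager` and `operator-controller-controller-manager`. If the helper renders `olmv1` when both components are enabled, as the rendered Namespace in manifests/experimental-e2e.yaml (`app.kubernetes.io/name: olmv1`) suggests, the binding points at a ServiceAccount that does not exist and neither controller gets the access; if it renders one component's name, the other is silently left out. Consider emitting one subject per enabled component, as the leader-election and manager RoleBindings already do with their `$options` list.
```yaml
# … unchanged: metadata and roleRef …
subjects:
{{- if .Values.options.catalogd.enabled }}
- kind: ServiceAccount
  name: catalogd-controller-manager
  namespace: {{ .Values.namespaces.olmv1.name }}
{{- end }}
{{- if .Values.options.operatorController.enabled }}
- kind: ServiceAccount
  name: operator-controller-controller-manager
  namespace: {{ .Values.namespaces.olmv1.name }}
{{- end }}
```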
diff --git a/helm/olmv1/templates/service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/service-olmv1-system-catalogd-service.yml new file mode 100644 index 0000000000..eca9593995 --- /dev/null +++ b/helm/olmv1/templates/service-olmv1-system-catalogd-service.yml @@ -0,0 +1,31 @@ +{{- if .Values.options.catalogd.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: catalogserver-cert + {{- end }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + name: catalogd-service + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 + selector: + app.kubernetes.io/name: catalogd +{{- end }} diff --git a/helm/olmv1/templates/service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/service-olmv1-system-operator-controller-service.yml new file mode 100644 index 0000000000..714894f4e5 --- /dev/null +++ b/helm/olmv1/templates/service-olmv1-system-operator-controller-service.yml @@ -0,0 +1,23 @@ +{{- if .Values.options.operatorController.enabled }} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert + {{- end }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + name: operator-controller-service + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + ports: + - name: metrics + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: operator-controller +{{- end }} 
diff --git a/helm/olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml b/helm/olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml new file mode 100644 index 0000000000..f29464ede3 --- /dev/null +++ b/helm/olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml @@ -0,0 +1,20 @@ +{{- $options := list }} +{{- if .Values.options.catalogd.enabled }} +{{- $options = append $options "catalogd" }} +{{- end }} +{{- if .Values.options.operatorController.enabled }} +{{- $options = append $options "operator-controller" }} +{{- end }} +{{- range $index, $name := $options }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- include "olmv1.annotations" $ | nindent 4 }} + labels: + app.kubernetes.io/name: {{ $name }} + {{- include "olmv1.labels" $ | nindent 4 }} + name: {{ $name -}}-controller-manager + namespace: {{ $.Values.namespaces.olmv1.name }} +{{- end }} diff --git a/helm/olmv1/templates/servicemonitor-olmv1-system-metrics-monitor.yml b/helm/olmv1/templates/servicemonitor-olmv1-system-metrics-monitor.yml new file mode 100644 index 0000000000..a5bb357c37 --- /dev/null +++ b/helm/olmv1/templates/servicemonitor-olmv1-system-metrics-monitor.yml 
@@ -0,0 +1,33 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + openshift.io/cluster-monitoring: 'true' + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-metrics-monitor + namespace: {{ .Values.namespaces.olmv1.name }} +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + path: /metrics + port: metrics + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt + keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key + serverName: {{ include "olmv1.label.name" . -}}-service.{{ .Values.namespaces.olmv1.name }}.svc + namespaceSelector: + matchNames: + - {{ .Values.namespaces.olmv1.name }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml new file mode 100644 index 0000000000..e896f2530f --- /dev/null +++ b/helm/olmv1/values.yaml 
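Review bot: The ServiceMonitor selects Services by `app.kubernetes.io/name: {{ include "olmv1.label.name" . }}` and verifies TLS against `serverName: <label.name>-service.<ns>.svc`, but the Services in this chart are labelled `catalogd` and `operator-controller` and named `catalogd-service` and `operator-controller-service`. If the helper renders `olmv1` when both components are enabled (the rendered Namespace in manifests/experimental-e2e.yaml shows `app.kubernetes.io/name: olmv1`), the selector matches no Service and the `serverName` matches no serving certificate, so nothing is scraped; if it renders a single component name, the other component's metrics are silently skipped. Since `serverName` is per-endpoint, the clean fix is one ServiceMonitor per enabled component, rendered with the same `$options` range used by the leader-election Role template; whether that is needed depends on what `olmv1.label.name` actually renders, which is not in this diff.
```yaml
{{- range $index, $name := $options }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  # … unchanged: annotations and labels, with app.kubernetes.io/name: {{ $name }} …
  name: {{ $name -}}-metrics-monitor
  namespace: {{ $.Values.namespaces.olmv1.name }}
spec:
  endpoints:
    # … unchanged: bearerTokenFile, interval, path, port, scheme, tlsConfig files …
      serverName: {{ $name -}}-service.{{ $.Values.namespaces.olmv1.name }}.svc
  # … unchanged: namespaceSelector …
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ $name }}
{{- end }}
```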
@@ -0,0 +1,84 @@ +# Default values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# List of components to include +options: + operatorController: + enabled: true + deployment: + image: quay.io/operator-framework/operator-controller:devel + catalogd: + enabled: true + deployment: + image: quay.io/operator-framework/catalogd:devel + certManager: + enabled: false + e2e: + enabled: false + tilt: + enabled: false + openshift: + enabled: false + # This can be one of: standard or experimental + featureSet: standard + +operatorControllerFeatures: [] +catalogdFeatures: [] + + +# The set of namespaces +namespaces: + olmv1: + name: olmv1-system + certManager: + name: cert-manager + +# Common deployment values for operator-controller and catalogd +deployments: + templateSpec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 + containerSpec: + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError diff --git a/helm/tilt.yaml b/helm/tilt.yaml new file mode 100644 index 0000000000..f72d2b8e4b --- /dev/null +++ b/helm/tilt.yaml 
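Review bot: The default images are the mutable `:devel` tags combined with `imagePullPolicy: IfNotPresent`, so a node that already has a `devel` layer cached keeps running it after the tag moves, and there is no digest to verify what was pulled. For development defaults that is acceptable, but a comment on the `image:` keys such as `# mutable dev tag; override with a release tag or digest (image@sha256:...) for real deployments` would keep the chart from shipping with unpinned images. The pod-level `securityContext` also sets `runAsNonRoot: true` without a `runAsUser`, so it relies on the image's USER directive; the e2e copy pod pins `runAsUser: 65532`, and doing the same here (if the controller images use that UID) makes the non-root guarantee independent of the image.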
@@ -0,0 +1,20 @@ +# experimental values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Tilt is an exeption to the multi-values case, +# as the Tilt runner only accepts a single values fle + +options: + tilt: + enabled: true + featureSet: experimental + +operatorControllerFeatures: + - WebhookProviderCertManager + - SingleOwnNamespaceInstallSupport + - PreflightPermissions + - HelmChartSupport + +catalogdFeatures: + - APIV1MetasHandler diff --git a/internal/catalogd/controllers/core/clustercatalog_controller.go b/internal/catalogd/controllers/core/clustercatalog_controller.go index 32ed52e0a8..b720af8503 100644 --- a/internal/catalogd/controllers/core/clustercatalog_controller.go +++ b/internal/catalogd/controllers/core/clustercatalog_controller.go @@ -76,12 +76,6 @@ type storedCatalogData struct { observedGeneration int64 } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/finalizers,verbs=update -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=get;list;watch -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch - // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. // diff --git a/internal/catalogd/webhook/cluster_catalog_webhook.go b/internal/catalogd/webhook/cluster_catalog_webhook.go index a19a62e732..3aea45d5d7 100644 --- a/internal/catalogd/webhook/cluster_catalog_webhook.go +++ b/internal/catalogd/webhook/cluster_catalog_webhook.go 
@@ -11,10 +11,6 @@ import ( ocv1 "github.com/operator-framework/operator-controller/api/v1" ) -// +kubebuilder:webhook:admissionReviewVersions={v1},failurePolicy=Fail,groups=olm.operatorframework.io,mutating=true,name=inject-metadata-name.olm.operatorframework.io,path=/mutate-olm-operatorframework-io-v1-clustercatalog,resources=clustercatalogs,verbs=create;update,versions=v1,sideEffects=None,timeoutSeconds=10 - -// +kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;patch;update - // ClusterCatalog wraps the external v1.ClusterCatalog type and implements admission.Defaulter type ClusterCatalog struct{} diff --git a/internal/operator-controller/controllers/clustercatalog_controller.go b/internal/operator-controller/controllers/clustercatalog_controller.go index bd4e827871..0654d83e7a 100644 --- a/internal/operator-controller/controllers/clustercatalog_controller.go +++ b/internal/operator-controller/controllers/clustercatalog_controller.go @@ -45,8 +45,6 @@ type ClusterCatalogReconciler struct { CatalogCachePopulator CatalogCachePopulator } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch - func (r *ClusterCatalogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { l := log.FromContext(ctx).WithName("cluster-catalog") ctx = log.IntoContext(ctx, l) diff --git a/internal/operator-controller/controllers/clusterextension_controller.go b/internal/operator-controller/controllers/clusterextension_controller.go index 24824bfd12..fb278a1c37 100644 --- a/internal/operator-controller/controllers/clusterextension_controller.go +++ b/internal/operator-controller/controllers/clusterextension_controller.go 
@@ -90,17 +90,6 @@ type InstalledBundleGetter interface { GetInstalledBundle(ctx context.Context, ext *ocv1.ClusterExtension) (*InstalledBundle, error) } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch;update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=create;update;patch;delete;deletecollection;get;list;watch -//+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch -//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get -//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch - -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch - // The operator controller needs to watch all the bundle objects and reconcile accordingly. Though not ideal, but these permissions are required. // This has been taken from rukpak, and an issue was created before to discuss it: https://github.com/operator-framework/rukpak/issues/800. func (r *ClusterExtensionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index a91833bd75..ef44deca4b 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml 
@@ -1,20 +1,157 @@ +--- +# Source: olmv1/templates/namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - app.kubernetes.io/part-of: olm + app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + app.kubernetes.io/part-of: olm name: olmv1-system --- +# Source: olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: catalogd + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + 
app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: operator-controller + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/configmap-olmv1-system-e2e-registries-conf.yml +apiVersion: v1 +data: + registries.conf: | + [[registry]] + prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" + location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" +kind: ConfigMap +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-registries-conf + namespace: olmv1-system +--- +# Source: olmv1/templates/persistentvolumeclaim-olmv1-system-e2e-coverage.yml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-coverage + namespace: olmv1-system +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Mi +--- +# Source: 
olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +589,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clusterextensions.olm.operatorframework.io spec: 
@@ -1043,511 +1180,539 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: experimental + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system + olm.operatorframework.io/feature-set: experimental-e2e +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: 
experimental - name: catalogd-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-manager-role + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-metrics-reader rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - 
olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: catalogd-proxy-role rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: 
operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: experimental name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - 
resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-metrics-reader + olm.operatorframework.io/feature-set: experimental-e2e rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-manager-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role + kind: ClusterRole + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system + name: catalogd-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role + kind: ClusterRole + name: catalogd-proxy-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: 
ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-rolebinding - namespace: olmv1-system + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-leader-election-role + kind: ClusterRole + name: operator-controller-proxy-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/role-olmv1-system-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental-e2e +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-manager-role -subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - 
apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: operator-controller-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: + name: operator-controller-manager-role + namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: 
olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: catalogd-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-rolebinding + olm.operatorframework.io/feature-set: experimental-e2e + labels: + 
app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- -apiVersion: v1 -data: - registries.conf: | - [[registry]] - prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" - location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" -kind: ConfigMap +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-registries-conf + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding namespace: olmv1-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator-controller-manager-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm 
@@ -1555,61 +1720,91 @@ metadata: namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- +# Source: olmv1/templates/service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: metrics + port: 8443 + protocol: TCP + targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- +# Source: olmv1/templates/pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 -kind: PersistentVolumeClaim +kind: Pod metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-coverage + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-coverage-copy-pod namespace: olmv1-system spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Mi + containers: + - command: + - sleep + - infinity + image: busybox:1.36 + name: tar + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: 
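Review bot: The namespaced `Role` `catalogd-manager-role` (secrets/serviceaccounts read in `olmv1-system`) and the `ClusterRole` `catalogd-manager-role` (clustercatalogs) now carry the same name, as do the two `operator-controller-manager-role` objects and the matching `*-manager-rolebinding` pairs; the old side already had this, but since the chart now renders them from separate templates (`role-olmv1-system-catalogd-manager-role.yml` vs `clusterrole-catalogd-manager-role.yml`) this is the moment to disambiguate. An RBAC audit that greps for `catalogd-manager-role` cannot tell from the name which binding grants namespaced secret read and which grants cluster-wide catalog write. A suffix on the namespaced objects, e.g. `name: catalogd-manager-namespaced-role` / `catalogd-manager-namespaced-rolebinding`, keeps the two grants visibly distinct without changing any rule.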
/e2e-coverage + name: e2e-coverage-volume + readOnly: true + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + readOnly: true --- +# Source: olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: annotations: kubectl.kubernetes.io/default-logs-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
@@ -1622,115 +1817,136 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: + app.kubernetes.io/name: catalogd control-plane: catalogd-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --feature-gates=APIV1MetasHandler=true + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/catalogd:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: catalogd-controller-manager + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogd-service-cert-git-version + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: 
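Review bot: The new `e2e-coverage-copy-pod` mounts the `e2e-coverage` PVC, which is declared `ReadWriteOnce` earlier in this diff, yet unlike the two controller Deployments that also mount it, it carries no `nodeSelector`/toleration for `node-role.kubernetes.io/control-plane`; on anything but a single-node cluster it can be scheduled onto a node the volume is not attached to and hang in ContainerCreating. Giving it the same placement the Deployments use, `nodeSelector: {node-role.kubernetes.io/control-plane: ""}` plus the `NoSchedule` toleration for that key, keeps all three consumers of the RWO volume co-located. Separately, `image: busybox:1.36` is a mutable tag with `sleep infinity` as its only job; pinning it by digest (`busybox:1.36@sha256:<digest>`) makes the e2e run reproducible and removes one unpinned pull from the test path.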
catalogd-service-cert-git-version affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --feature-gates=APIV1MetasHandler=true - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: GOCOVERDIR - value: /e2e-coverage - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - name: 
e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: annotations: kubectl.kubernetes.io/default-logs-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
@@ -1742,116 +1958,145 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: + app.kubernetes.io/name: operator-controller control-plane: operator-controller-controller-manager + app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --feature-gates=WebhookProviderCertManager=true - - --feature-gates=SingleOwnNamespaceInstallSupport=true - - --feature-gates=PreflightPermissions=true - - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - env: - - name: GOCOVERDIR - value: /e2e-coverage - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/containers + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --feature-gates=WebhookProviderCertManager=true + - --feature-gates=SingleOwnNamespaceInstallSupport=true + - 
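Review bot: `--external-address=catalogd-service.olmv1-system.svc` is now a literal where the old side derived the namespace from the downward-API `POD_NAMESPACE` env, which this hunk drops along with its `fieldRef`; the advertised address has to match the SANs on the served certificate (`catalogd-service.olmv1-system.svc` in the Certificate later in this diff), so the rendered manifest is only self-consistent while the release namespace is `olmv1-system`. If the chart template expands this from `.Release.Namespace` that is fine and deserves a one-line comment there; if it is hard-coded in the template, keeping the env-based form, `- --external-address=catalogd-service.$(POD_NAMESPACE).svc` with the `POD_NAMESPACE` fieldRef restored, avoids a hostname/SAN mismatch (and a TLS failure from operator-controller) on a renamed install. The Deployment's `spec` starts in the previous hunk and continues past this one.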
--feature-gates=PreflightPermissions=true + - --feature-gates=HelmChartSupport=true + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/operator-controller:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + - mountPath: /etc/containers + name: e2e-registries-conf + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: operator-controller-controller-manager + volumes: + - configMap: + name: e2e-registries-conf name: e2e-registries-conf - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} name: cache - - mountPath: /tmp + - emptyDir: {} name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert + affinity: + nodeAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - configMap: - name: e2e-registries-conf - name: e2e-registries-conf - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: 
@@ -1870,18 +2115,22 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer @@ -1892,17 +2141,21 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: olmv1-cert + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
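Review bot: Renaming the Certificate and its `secretName` from `olmv1-cert` to `operator-controller-cert` in the second hunk on this line (`@@ -1892`) leaves the previously issued `olmv1-cert` Secret behind in `olmv1-system` on an in-place upgrade: nothing in this commit deletes it, and cert-manager only garbage-collects issued Secrets when it runs with `--enable-certificate-owner-ref`, which is not visible here. That is a private key lingering with no consumer. If this manifest is applied to existing clusters, an upgrade note or cleanup step is worth adding, e.g. a comment on the Certificate: `# renamed from olmv1-cert; remove the stale Secret after upgrade`.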
@@ -1911,155 +2164,70 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- +# Source: olmv1/templates/clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - 
policyTypes: - - Ingress - - Egress ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-coverage-copy-pod - namespace: olmv1-system -spec: - containers: - - command: - - sleep - - infinity - image: busybox:1.36 - name: tar - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - readOnly: true - restartPolicy: Never - securityContext: - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - readOnly: true ---- +# Source: olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: experimental - name: catalogd-mutating-webhook-configuration + olm.operatorframework.io/feature-set: experimental-e2e webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - 
UPDATE
- resources:
- - clustercatalogs
- sideEffects: None
- timeoutSeconds: 10
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: catalogd-service
+ namespace: olmv1-system
+ path: /mutate-olm-operatorframework-io-v1-clustercatalog
+ port: 9443
+ failurePolicy: Fail
+ name: inject-metadata-name.olm.operatorframework.io
+ rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clustercatalogs
+ sideEffects: None
+ timeoutSeconds: 10
+ matchConditions:
+ - name: MissingOrIncorrectMetadataNameLabel
+ expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)"
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 00dc141531..c8788f67c7 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
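Review bot: Nothing in this hunk re-adds the `default-deny-all-traffic`, `catalogd-controller-manager` and `operator-controller-controller-manager` NetworkPolicies it removes from the e2e manifest, nor the `e2e-coverage-copy-pod`. If they are not re-emitted earlier in the file (outside this hunk — the same commit does emit them near the top of `manifests/experimental.yaml`), the e2e cluster would run the controllers without the namespace default-deny the non-e2e manifest enforces, so the e2e suite would stop exercising the policies it is meant to validate. Worth confirming the earlier part of the file and what replaces the coverage-copy pod before merging.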
@@ -1,20 +1,122 @@ +--- +# Source: olmv1/templates/namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/part-of: olm + app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + app.kubernetes.io/part-of: olm name: olmv1-system --- +# Source: olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: catalogd + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: 
olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: operator-controller + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +554,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clusterextensions.olm.operatorframework.io spec: 
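Review bot: The `olm.operatorframework.io/feature-set: experimental` annotation is dropped from the `clustercatalogs` CRD in this hunk (and from the `clusterextensions` CRD in the following `@@ -452` hunk) while every other rendered object keeps it. If any tooling selects or prunes objects by that annotation, which is not visible here, the CRDs are now excluded from it; if the omission is deliberate because CRDs are shared across feature sets, that reasoning is worth recording. Either restore `    olm.operatorframework.io/feature-set: experimental` under each CRD's annotations, or add a comment beside the generator annotation explaining why CRDs carry only that one.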
@@ -1043,429 +1145,496 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: experimental + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-manager-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- 
apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-metrics-reader rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-proxy-role rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: 
catalogd-manager-role + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: operator-controller-clusterextension-editor-role rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: 
- - create + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-clusterextension-viewer-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + 
name: catalogd-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-manager-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get + labels: + 
app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-proxy-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-proxy-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/role-olmv1-system-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role + namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role name: catalogd-leader-election-role 
-subjects: -- kind: ServiceAccount - name: catalogd-controller-manager namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding + name: operator-controller-leader-election-role namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-controller-manager-role namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - 
serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-rolebinding + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-leader-election-role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-manager-role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental 
@@ -1473,63 +1642,37 @@ metadata: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental name: operator-controller-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role -subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + 
namespace: olmv1-system --- +# Source: olmv1/templates/service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: @@ -1542,39 +1685,42 @@ metadata: namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- +# Source: olmv1/templates/service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: metrics + port: 8443 + protocol: TCP + targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- +# Source: olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1582,7 +1728,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
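Review bot: The operator-controller Service port is renamed from `https` to `metrics` in the `@@ -1542` hunk; any consumer that addresses it by name — a ServiceMonitor endpoint, a NetworkPolicy named port, or a test helper — would stop matching, and none are visible here to confirm. The catalogd and operator-controller Service selectors also switch from `control-plane: …` to `app.kubernetes.io/name: …`, which is fine as long as the Deployment pod templates carry that label (they do in the deployment hunks below). If the port rename is intentional, listing it in the description would help anyone consuming the Service by port name.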
@@ -1597,98 +1744,117 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental labels: + app.kubernetes.io/name: catalogd control-plane: catalogd-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --feature-gates=APIV1MetasHandler=true + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + image: "quay.io/operator-framework/catalogd:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: catalogd-controller-manager + volumes: + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogd-service-cert-git-version + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - 
linux - containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --feature-gates=APIV1MetasHandler=true - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: 
node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1696,7 +1862,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
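Review bot: The `catalogserver-certs` mount at `/var/certs` in the new catalogd container spec has no `readOnly: true`, unlike the `ca-certs` mount beside it and the equivalent `/var/certs` mount in the operator-controller container in the next hunk; Kubernetes mounts Secret volumes read-only regardless, so this is consistency rather than exposure, but adding `readOnly: true` makes the intent explicit and keeps the two Deployments uniform. Separately, `--external-address=catalogd-service.olmv1-system.svc` replaces `catalogd-service.$(POD_NAMESPACE).svc` and the `POD_NAMESPACE` downward-API env var is dropped, so the rendered manifest now bakes in the namespace; if the chart lets the namespace be overridden, the address must be derived from the same value (the template is outside this diff). The new `nodeSelector` on `node-role.kubernetes.io/control-plane` plus the matching tolerations pins catalogd to control-plane nodes, which leaves the Deployment unschedulable on clusters whose control-plane nodes are not schedulable for workloads; the operator-controller Deployment hunk below does the same, and its body runs past the end of this diff.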
@@ -1710,101 +1877,130 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental labels: + app.kubernetes.io/name: operator-controller control-plane: operator-controller-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --feature-gates=WebhookProviderCertManager=true + - --feature-gates=SingleOwnNamespaceInstallSupport=true + - --feature-gates=PreflightPermissions=true + - --feature-gates=HelmChartSupport=true + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + image: "quay.io/operator-framework/operator-controller:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: operator-controller-controller-manager + volumes: + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: 
requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --feature-gates=WebhookProviderCertManager=true - - --feature-gates=SingleOwnNamespaceInstallSupport=true - - --feature-gates=PreflightPermissions=true - - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: 
olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: @@ -1823,18 +2019,22 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
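Review bot: The new `nodeSelector` (`node-role.kubernetes.io/control-plane: ""`) together with the control-plane `NoSchedule` toleration pins the operator-controller manager to control-plane nodes, so on any cluster whose control-plane nodes lack that label or are not schedulable the Deployment stays Pending. That is presumably acceptable for the kind-based e2e cluster this manifest targets, but if the chart template behind it is shared with non-e2e manifests the selector and tolerations should be gated behind a chart value rather than emitted unconditionally. The rest of the pod spec keeps its hardening (`allowPrivilegeEscalation: false`, all capabilities dropped, read-only root filesystem, read-only cert mounts), and the secret item change (`tls.crt` now projected as `tls.crt`, matching `--tls-cert=/var/certs/tls.crt`) lines up with the `operator-controller-cert` rename in the later hunks. The enclosing Deployment starts before this hunk.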
@@ -1845,17 +2045,21 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: olmv1-cert + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1864,119 +2068,70 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- +# Source: olmv1/templates/clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- +# Source: 
olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: experimental - name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != 
object.metadata.name)" diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 1f46a03d47..e9591e5fa1 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
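Review bot: The three NetworkPolicy objects, including `default-deny-all-traffic`, are removed from this position in the experimental manifest and nothing in this hunk re-adds them; the standard-e2e.yaml hunk below emits the equivalent policies right after the Namespace (Helm ordering), so the experimental file presumably regains them in an earlier hunk outside this chunk, but that should be confirmed, because losing the default-deny policy would silently expose the webhook (9443) and metrics ports to every pod in the cluster. A quick `kubectl get networkpolicy -n olmv1-system` assertion in the e2e suite would make the presence of `default-deny-all-traffic` a tested invariant rather than a manifest-ordering accident. The reflowed `matchConditions` expression is semantically unchanged.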
@@ -1,20 +1,157 @@ +--- +# Source: olmv1/templates/namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - app.kubernetes.io/part-of: olm + app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + app.kubernetes.io/part-of: olm name: olmv1-system --- +# Source: olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: catalogd + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: 
olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: operator-controller + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/configmap-olmv1-system-e2e-registries-conf.yml +apiVersion: v1 +data: + registries.conf: | + [[registry]] + prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" + location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" +kind: ConfigMap +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-registries-conf + namespace: olmv1-system +--- +# Source: olmv1/templates/persistentvolumeclaim-olmv1-system-e2e-coverage.yml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-coverage + namespace: olmv1-system +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Mi +--- +# Source: olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: 
CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard-e2e olm.operatorframework.io/generator: standard name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +589,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard-e2e olm.operatorframework.io/generator: standard name: clusterextensions.olm.operatorframework.io spec: 
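Review bot: The NetworkPolicy `podSelector`s now key on `app.kubernetes.io/name: catalogd` / `app.kubernetes.io/name: operator-controller` instead of the `control-plane` label, and the Deployment pod templates they must match are outside this chunk; if a template still carries only `control-plane: …`, the allow policies select no pods and `default-deny-all-traffic` (`podSelector: {}`) blocks ports 7443/8443/9443, breaking the webhook and metrics scraping. The experimental-e2e deployment hunk earlier in this diff shows the pod template gaining `app.kubernetes.io/name: operator-controller`, so this is probably handled, but an e2e check that each allow policy selects exactly one pod would catch drift between selector and template label. Note the ingress rules still carry no `from`, so the selector change does not narrow which peers may reach those ports; that is unchanged from before.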
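Review bot: The `olm.operatorframework.io/feature-set: standard-e2e` annotation is dropped from the `clusterextensions.olm.operatorframework.io` CRD here (and from the `clustercatalogs` CRD in the preceding hunk) while every other resource in this manifest keeps it. If that is deliberate because the CRDs are generated once and shared across feature sets, a comment in the CRD template such as `# feature-set annotation intentionally omitted: CRDs are shared across feature sets` would stop the next reader from re-adding it; if it is not deliberate, anything that selects resources by that annotation will now skip the CRDs. The CRD bodies continue outside the hunk.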
@@ -1043,190 +1180,77 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-controller-manager - namespace: olmv1-system +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - 
secrets - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-manager-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-manager-role + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-metrics-reader rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: 
olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
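Review bot: A cluster-scoped `ClusterRole` named `catalogd-manager-role` is emitted here while a namespaced `Role` with the identical name (`role-olmv1-system-catalogd-manager-role.yml`) appears in the next hunk, each bound by a `ClusterRoleBinding` and a `RoleBinding` that also share the name `catalogd-manager-rolebinding`; the same pairing exists for `operator-controller-manager-role`. This predates the commit, but the move to one template per resource is the natural moment to give the cluster-scoped and namespaced grants distinct names, or at least a comment in each template pointing at its twin, since RBAC reviews that list bindings by name will otherwise conflate the cluster-wide `clustercatalogs` permissions with the namespaced `secrets`/`serviceaccounts` read access. As far as this chunk shows, the rule contents are moved rather than widened.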
@@ -1235,314 +1259,455 @@ metadata: labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: catalogd-proxy-role rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm annotations: 
olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system + name: catalogd-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role + kind: ClusterRole + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: 
ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role + kind: ClusterRole + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-leader-election-rolebinding - namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-leader-election-role + kind: ClusterRole + name: catalogd-proxy-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-manager-rolebinding - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-manager-role + 
kind: ClusterRole + name: operator-controller-proxy-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/role-olmv1-system-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard-e2e +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: catalogd-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-role + 
namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-controller-manager-role + namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard-e2e +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: catalogd-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: 
operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-proxy-rolebinding + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- -apiVersion: v1 -data: - registries.conf: | - [[registry]] - prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" - location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" -kind: ConfigMap +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: e2e-registries-conf + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding namespace: 
olmv1-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator-controller-manager-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: 
@@ -1555,53 +1720,82 @@ metadata: namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- +# Source: olmv1/templates/service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: metrics + port: 8443 + protocol: TCP + targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- +# Source: olmv1/templates/pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 -kind: PersistentVolumeClaim +kind: Pod metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: e2e-coverage + labels: + app.kubernetes.io/name: e2e + app.kubernetes.io/part-of: olm + name: e2e-coverage-copy-pod namespace: olmv1-system spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Mi + containers: + - command: + - sleep + - infinity + image: busybox:1.36 + name: tar + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + readOnly: true + restartPolicy: Never + securityContext: + runAsNonRoot: true + 
runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + readOnly: true --- +# Source: olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1609,7 +1803,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
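Review bot: The single port of `operator-controller-service` is renamed from `https` to `metrics` while the port number (8443) and the catalogd Service's `https` name for its own 8443 are unchanged; anything that addresses the port by name (a ServiceMonitor `port:`/`targetPort:`, a client using the named port) would break, and the two controllers now name the same kind of endpoint differently. If the rename is deliberate, aligning the two Services or noting the rename in the PR description would help. The re-added `e2e-coverage-copy-pod` keeps the PVC mount `readOnly: true`, the dropped capabilities and the pod-level `runAsUser: 65532`, consistent with the copy removed further down in this file.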
@@ -1624,104 +1819,124 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: + app.kubernetes.io/name: catalogd control-plane: catalogd-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/catalogd:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: catalogd-controller-manager + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogd-service-cert-git-version + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - 
key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: GOCOVERDIR - value: /e2e-coverage - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: 
catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1729,7 +1944,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
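Review bot: The new pod spec pins catalogd to control-plane nodes via `nodeSelector: node-role.kubernetes.io/control-plane: ""` plus a matching `NoSchedule` toleration; on clusters whose control-plane nodes are not schedulable (or not exposed as nodes at all) the Deployment cannot be placed, and where it can, a compromised catalog-serving container shares a host with the API server and etcd, so if this is deliberate the chart template should say so and ideally expose it as a value. The same block is added to the operator-controller Deployment in the hunk at `@@ -1743,110 +1959,139 @@`. Separately, the `catalogserver-certs` mount at `/var/certs` is the only secret mount in either Deployment without `readOnly: true` (the `ca-certs` mount right below it and operator-controller's `/var/certs` mount both carry it); the kubelet mounts secret volumes read-only regardless, but for consistency add `readOnly: true` under `name: catalogserver-certs`. The `--external-address` also changes from `catalogd-service.$(POD_NAMESPACE).svc` to the hard-coded `catalogd-service.olmv1-system.svc` and drops the `POD_NAMESPACE` env entry; that is fine for this rendered manifest, but if the chart is meant to install into other namespaces the template should derive the host from the release namespace instead.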
@@ -1743,110 +1959,139 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: + app.kubernetes.io/name: operator-controller control-plane: operator-controller-controller-manager + app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - env: - - name: GOCOVERDIR - value: /e2e-coverage - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/containers + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/operator-controller:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + 
httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + - mountPath: /etc/containers + name: e2e-registries-conf + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: operator-controller-controller-manager + volumes: + - configMap: + name: e2e-registries-conf name: e2e-registries-conf - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} name: cache - - mountPath: /tmp + - emptyDir: {} name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - configMap: - name: 
e2e-registries-conf - name: e2e-registries-conf - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: @@ -1865,18 +2110,22 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
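Review bot: The new volume list still mounts ConfigMap `e2e-registries-conf` at `/etc/containers` (`- configMap: name: e2e-registries-conf`), but the ConfigMap object of that name is deleted in the hunk at the top of this chunk (`-kind: ConfigMap … - name: e2e-registries-conf`) and is not re-emitted anywhere in view; unless the first hunk of this file (outside this chunk) recreates it, the pod will sit in ContainerCreating with a FailedMount because configMap volumes are not `optional` by default. Please confirm a `# Source: … configmap …` block for it exists earlier in the rendered file. That `/etc/containers` mount is also the only read-only-by-nature volume in this container without `readOnly: true`, while the two secret mounts beside it carry it; since the container never needs to write registry configuration, add `readOnly: true` there for consistency. The control-plane nodeSelector/toleration concern raised on the catalogd Deployment hunk above applies here unchanged.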
@@ -1887,17 +2136,21 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: olmv1-cert + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1906,155 +2159,70 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- +# Source: olmv1/templates/clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - 
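Review bot: Renaming the Certificate from `olmv1-cert` to `operator-controller-cert` (and its `secretName` in the following hunk) makes cert-manager issue a fresh key pair into the new Secret, but cert-manager does not remove the Secret of a deleted Certificate, so an upgraded cluster keeps the old `olmv1-cert` Secret with a private key that stays usable until the certificate expires. Worth a line in the upgrade notes (`kubectl -n olmv1-system delete secret olmv1-cert` after upgrade) or a cleanup step in the install tooling. The `rotationPolicy: Always` visible below is the right setting for the new Certificate; the dnsNames re-indentation is cosmetic.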
olm.operatorframework.io/feature-set: standard-e2e - name: e2e-coverage-copy-pod - namespace: olmv1-system -spec: - containers: - - command: - - sleep - - infinity - image: busybox:1.36 - name: tar - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - readOnly: true - restartPolicy: Never - securityContext: - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - readOnly: true ---- +# Source: olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: 
catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" diff --git a/manifests/standard.yaml b/manifests/standard.yaml index b4c70c252d..9c69dbaf18 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml 
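Review bot: This hunk deletes the `default-deny-all-traffic` NetworkPolicy and the two per-controller allow policies from this manifest with no corresponding addition in view; the `manifests/standard.yaml` diff below re-emits them at the top of that file, and I assume the first hunk of this file (outside this chunk) does the same, but if it does not, the e2e manifest silently loses its default-deny posture while the controllers keep their ingress ports open. Please confirm the three `# Source: olmv1/templates/networkpolicy-*.yml` blocks appear earlier in the rendered file. The removed `e2e-coverage-copy-pod` is re-added unchanged in the `@@ -1555,53 +1720,82 @@` hunk, and the MutatingWebhookConfiguration change is only a re-quoting of the same CEL `matchConditions` expression plus a key reorder, so neither changes behaviour.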
@@ -1,20 +1,122 @@ +--- +# Source: olmv1/templates/namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/part-of: olm + app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + app.kubernetes.io/part-of: olm name: olmv1-system --- +# Source: olmv1/templates/networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: catalogd + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system 
+spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: operator-controller + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/serviceaccount-olmv1-system-common-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard olm.operatorframework.io/generator: standard name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +554,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard olm.operatorframework.io/generator: standard name: clusterextensions.olm.operatorframework.io spec: 
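Review bot: The new `networkpolicy-olmv1-system-catalogd-controller-manager.yml` template opens ingress on 7443, 8443 and 9443 with no `from` clause and egress as `- {}`; that matches the policy it replaces, but now that it lives in a template a short comment there stating why the peers are intentionally unrestricted (webhook calls on 9443 typically arrive from the API server outside the pod network, and catalog consumers on 8443 can be any workload) and why egress must stay open (catalog images are pulled from arbitrary registries) would stop a later reader from tightening it and breaking the webhook. The `podSelector` now keys on `app.kubernetes.io/name`, so the pod templates must carry that label; the Deployment hunks in this diff do add it next to the older `control-plane` label. The added `pod-security.kubernetes.io/audit`/`warn` labels mirror `enforce: restricted`, which is the expected pairing.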
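Review bot: Both CRD hunks drop the `olm.operatorframework.io/feature-set: standard` annotation from `clustercatalogs` and `clusterextensions` while keeping `olm.operatorframework.io/generator: standard`, so the CRDs are no longer selectable by the feature-set annotation that every other object in this manifest still carries; if anything (e2e cleanup, `kubectl` annotation filters, manifest diff tooling) enumerates resources by that annotation, the CRDs will now be missed. If the drop is deliberate because the CRDs are shared across feature sets, a comment in the CRD template or a line in the PR description saying so would help; otherwise keep the annotation in the template.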
@@ -1043,429 +1145,496 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: standard + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-controller-manager - namespace: olmv1-system +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: catalogd-manager-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- apiGroups: - - "" - 
resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-leader-election-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-metrics-reader rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-proxy-role rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-common-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: catalogd-manager-role + labels: + 
app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: operator-controller-clusterextension-editor-role rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - 
olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-clusterextension-viewer-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding 
+roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-manager-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get + labels: + app.kubernetes.io/name: catalogd + 
app.kubernetes.io/part-of: olm + name: catalogd-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-proxy-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/clusterrolebinding-common-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-proxy-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/role-olmv1-system-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role + namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role name: catalogd-leader-election-role -subjects: -- kind: ServiceAccount - name: 
catalogd-controller-manager namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/role-olmv1-system-common-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding + name: operator-controller-leader-election-role namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: olmv1/templates/role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-controller-manager-role namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch --- +# 
Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-leader-election-rolebinding + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-leader-election-role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-manager-role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard 
@@ -1473,63 +1642,37 @@ metadata: app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/rolebinding-olmv1-system-common-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: standard name: operator-controller-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role -subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: 
olmv1-system --- +# Source: olmv1/templates/service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: @@ -1542,39 +1685,42 @@ metadata: namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- +# Source: olmv1/templates/service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: metrics + port: 8443 + protocol: TCP + targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- +# Source: olmv1/templates/deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1582,7 +1728,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
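Review bot: The RoleBindings created here point at namespaced Roles that carry the same names as the surviving ClusterRoles (`catalogd-manager-role`, `operator-controller-manager-role`), and the bindings themselves reuse the ClusterRoleBinding names, so during an RBAC audit the only thing separating the namespace-scoped secrets grant from the cluster-wide grant is `roleRef.kind`. Kubernetes allows this, but it is easy to misread in `kubectl get rolebinding,clusterrolebinding -A` output and in policy tooling that keys on names. Consider a distinguishing suffix for the namespaced pair, e.g. `name: operator-controller-manager-namespaced-role` with the RoleBinding renamed to match; since this file is rendered from the chart, the change belongs in the role/rolebinding templates rather than in this output.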
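Review bot: The operator-controller Service port is renamed from `https` to `metrics` while keeping 8443, which silently breaks any consumer that addresses the port by name (a ServiceMonitor with `port: https`, for instance); the e2e metrics test in this same commit dials 8443 by number, so it would not notice. If nothing in the repo references the name this is fine, otherwise keep `name: https` or call out the rename in the upgrade notes. The selectors also move from the project-specific `control-plane:` key to the generic `app.kubernetes.io/name`, which unrelated workloads may legitimately set; the pod templates carry `app.kubernetes.io/part-of: olm` as well, so adding it to both Service selectors would keep the match as specific as before.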
@@ -1597,97 +1744,116 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard labels: + app.kubernetes.io/name: catalogd control-plane: catalogd-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + image: "quay.io/operator-framework/catalogd:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: catalogd-controller-manager + volumes: + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogd-service-cert-git-version + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - containers: - - args: - - --leader-elect - 
- --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: 
NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- +# Source: olmv1/templates/deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1695,7 +1861,8 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
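Review bot: In the new catalogd pod spec the `/var/certs` mount that carries the serving private key (`tls.key` from `catalogd-service-cert-git-version`) has no `readOnly: true`, whereas the sibling `ca-certs` mount and both cert mounts in the operator-controller deployment do; kubelet mounts secret volumes read-only regardless, but the explicit flag keeps the two deployments consistent and still holds if the volume type ever changes — add `readOnly: true` under the `catalogserver-certs` volumeMount. Separately, `--external-address=catalogd-service.olmv1-system.svc` is now a literal and the `POD_NAMESPACE` downward-API env var that previously parameterised it is gone, so a chart install into any other namespace would advertise a wrong catalog URL; if the chart is meant to be namespace-fixed, document that in the values, otherwise render the address from the release namespace. Both fixes belong in the chart template that produces this rendered file, not in the output itself.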
@@ -1709,97 +1876,126 @@ spec: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard labels: + app.kubernetes.io/name: operator-controller control-plane: operator-controller-controller-manager + app.kubernetes.io/part-of: olm spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + image: "quay.io/operator-framework/operator-controller:devel" + name: manager + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: operator-controller-controller-manager + volumes: + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os 
- operator: In - values: - - linux - containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + 
tolerationSeconds: 120 --- +# Source: olmv1/templates/certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: @@ -1818,18 +2014,22 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer @@ -1840,17 +2040,21 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard - name: olmv1-cert + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
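Review bot: The new `nodeSelector` with `node-role.kubernetes.io/control-plane: ""` (plus the matching NoSchedule toleration) pins operator-controller — and, in the previous hunk, catalogd — to control-plane nodes; on clusters whose control plane is not part of the node pool (most managed offerings) or that label those nodes differently, both Deployments will sit Pending with no pods, and where it does match, the controllers now share nodes with etcd and the API server, widening the blast radius of a compromise of a controller whose ClusterRole can create ServiceAccount tokens cluster-wide (`serviceaccounts/token` `create`, earlier in this file). That is a deliberate scheduling policy and should be opt-in rather than baked into the standard manifest: render the selector and toleration only when a chart value enables them, and document the default. I cannot see the chart values from this diff, so whether such a switch already exists is inferred.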
@@ -1859,119 +2063,70 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- +# Source: olmv1/templates/clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- +# Source: olmv1/templates/mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml 
apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: standard - name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
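Review bot: This hunk deletes all three NetworkPolicy objects — `default-deny-all-traffic` for the namespace and the per-controller ingress allow-lists for 7443/8443/9443 — and nothing on the visible new side re-creates them, so unless the chart emits them earlier in the rendered file (Helm's install ordering places NetworkPolicy right after Namespace, i.e. outside this chunk) the standard install loses its default-deny posture. The updated network_policy_test.go in this same commit still expects policies keyed by `app.kubernetes.io/name`, which suggests they were moved rather than dropped, but that should be confirmed by checking the rendered output for `kind: NetworkPolicy` before merge. If they are re-emitted, their `podSelector` must use the new `app.kubernetes.io/name` key: the deleted ones selected on `control-plane:`, which the pod templates still carry, so the policies would still apply, but the e2e test only accepts the new key.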
diff --git a/test/e2e/metrics_test.go b/test/e2e/metrics_test.go index 85908f4d56..fab831948e 100644 --- a/test/e2e/metrics_test.go +++ b/test/e2e/metrics_test.go @@ -32,7 +32,7 @@ import ( func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, "control-plane=operator-controller-controller-manager") + componentNamespace := getComponentNamespace(t, client, "app.kubernetes.io/name=operator-controller") metricsURL := fmt.Sprintf("https://operator-controller-service.%s.svc.cluster.local:8443/metrics", componentNamespace) config := NewMetricsTestConfig( @@ -52,7 +52,7 @@ func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { func TestCatalogdMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, "control-plane=catalogd-controller-manager") + componentNamespace := getComponentNamespace(t, client, "app.kubernetes.io/name=catalogd") metricsURL := fmt.Sprintf("https://catalogd-service.%s.svc.cluster.local:7443/metrics", componentNamespace) config := NewMetricsTestConfig( diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go index 0f3979d232..d6b913a4ff 100644 --- a/test/e2e/network_policy_test.go +++ b/test/e2e/network_policy_test.go @@ -20,8 +20,8 @@ import ( const ( minJustificationLength = 40 - catalogdManagerSelector = "control-plane=catalogd-controller-manager" - operatorManagerSelector = "control-plane=operator-controller-controller-manager" + catalogdManagerSelector = "app.kubernetes.io/name=catalogd" + operatorManagerSelector = "app.kubernetes.io/name=operator-controller" catalogdMetricsPort = 7443 catalogdWebhookPort = 9443 catalogServerPort = 8443 
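Review bot: `getComponentNamespace(t, client, "app.kubernetes.io/name=operator-controller")` now locates the component by the generic recommended label alone, which any chart may set on its own pods, whereas the old `control-plane=operator-controller-controller-manager` value was effectively unique to this project; if the helper searches across namespaces and takes the first match, a third-party workload named `operator-controller` or `catalogd` would redirect the metrics test to the wrong namespace. The deployment and pod labels in this change also carry `app.kubernetes.io/part-of: olm`, so the selector can be tightened without touching the helper: `"app.kubernetes.io/name=operator-controller,app.kubernetes.io/part-of=olm"` (and likewise for the catalogd call in the next hunk). getComponentNamespace is not in this diff, so its cross-namespace behaviour is inferred.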
@@ -88,7 +88,7 @@ var prometheuSpec = allowedPolicyDefinition{ // Ref: https://docs.google.com/document/d/1bHEEWzA65u-kjJFQRUY1iBuMIIM1HbPy4MeDLX4NI3o/edit?usp=sharing var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ "catalogd-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "catalogd"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{ @@ -116,7 +116,7 @@ var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ }, }, "operator-controller-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "operator-controller"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{ diff --git a/test/upgrade-e2e/post_upgrade_test.go b/test/upgrade-e2e/post_upgrade_test.go index 221182bb68..abddee78d4 100644 --- a/test/upgrade-e2e/post_upgrade_test.go +++ b/test/upgrade-e2e/post_upgrade_test.go @@ -31,7 +31,7 @@ func TestClusterCatalogUnpacking(t *testing.T) { ctx := context.Background() t.Log("Checking that the controller-manager deployment is updated") - managerLabelSelector := labels.Set{"control-plane": "catalogd-controller-manager"} + managerLabelSelector := labels.Set{"app.kubernetes.io/name": "catalogd"} var managerDeployment appsv1.Deployment require.EventuallyWithT(t, func(ct *assert.CollectT) { var managerDeployments appsv1.DeploymentList 
@@ -103,11 +103,11 @@ func TestClusterExtensionAfterOLMUpgrade(t *testing.T) { // wait for catalogd deployment to finish t.Log("Wait for catalogd deployment to be ready") - catalogdManagerPod := waitForDeployment(t, ctx, "catalogd-controller-manager") + catalogdManagerPod := waitForDeployment(t, ctx, "catalogd") // wait for operator-controller deployment to finish t.Log("Wait for operator-controller deployment to be ready") - managerPod := waitForDeployment(t, ctx, "operator-controller-controller-manager") + managerPod := waitForDeployment(t, ctx, "operator-controller") t.Log("Wait for acquired leader election") // Average case is under 1 minute but in the worst case: (previous leader crashed) @@ -188,12 +188,12 @@ func TestClusterExtensionAfterOLMUpgrade(t *testing.T) { }, time.Minute, time.Second) } -// waitForDeployment checks that the updated deployment with the given control-plane label +// waitForDeployment checks that the updated deployment with the given app.kubernetes.io/name label // has reached the desired number of replicas and that the number pods matches that number // i.e. no old pods remain. It will return a pointer to the first pod. This is only necessary // to facilitate the mitigation put in place for https://github.com/operator-framework/operator-controller/issues/1626 func waitForDeployment(t *testing.T, ctx context.Context, controlPlaneLabel string) *corev1.Pod { - deploymentLabelSelector := labels.Set{"control-plane": controlPlaneLabel}.AsSelector() + deploymentLabelSelector := labels.Set{"app.kubernetes.io/name": controlPlaneLabel}.AsSelector() t.Log("Checking that the deployment is updated") var desiredNumReplicas int32
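Review bot: The doc comment now says the helper selects on `app.kubernetes.io/name`, but the parameter is still called `controlPlaneLabel` and the call sites pass values such as `"catalogd"`, so the name no longer describes the argument. Rename it to match, e.g. `func waitForDeployment(t *testing.T, ctx context.Context, appName string) *corev1.Pod {` with `deploymentLabelSelector := labels.Set{"app.kubernetes.io/name": appName}.AsSelector()`. The function body continues past the end of this hunk.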