From a2c952cff74e127ae0c140cf324bd274a9085368 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 13:37:22 -0400 Subject: [PATCH 01/55] WIP: first pass helm config 
Signed-off-by: Todd Short --- helm/experimental-e2e.yaml | 23 + helm/experimental.yaml | 18 + helm/olmv1/.helmignore | 23 + helm/olmv1/Chart.yaml | 24 + helm/olmv1/templates/00-namespace.yml | 11 + ...ustercatalogs.olm.operatorframework.io.yml | 400 ++++++++++++ ...terextensions.olm.operatorframework.io.yml | 573 ++++++++++++++++++ ...mv1-system-catalogd-controller-manager.yml | 12 + ...operator-controller-controller-manager.yml | 9 + ...1-system-catalogd-leader-election-role.yml | 45 ++ ...ole-olmv1-system-catalogd-manager-role.yml | 20 + ...erator-controller-leader-election-role.yml | 42 ++ ...ystem-operator-controller-manager-role.yml | 32 + .../09-clusterrole-catalogd-manager-role.yml | 36 ++ ...10-clusterrole-catalogd-metrics-reader.yml | 17 + .../11-clusterrole-catalogd-proxy-role.yml | 25 + ...ontroller-clusterextension-editor-role.yml | 22 + ...ontroller-clusterextension-viewer-role.yml | 18 + ...rrole-operator-controller-manager-role.yml | 63 ++ ...ole-operator-controller-metrics-reader.yml | 14 + ...terrole-operator-controller-proxy-role.yml | 22 + ...m-catalogd-leader-election-rolebinding.yml | 21 + ...v1-system-catalogd-manager-rolebinding.yml | 21 + ...controller-leader-election-rolebinding.yml | 18 + ...perator-controller-manager-rolebinding.yml | 18 + ...lebinding-catalogd-manager-rolebinding.yml | 20 + ...rolebinding-catalogd-proxy-rolebinding.yml | 20 + ...perator-controller-manager-rolebinding.yml | 17 + ...-operator-controller-proxy-rolebinding.yml | 17 + ...igmap-olmv1-system-e2e-registries-conf.yml | 14 + ...-service-olmv1-system-catalogd-service.yml | 28 + ...mv1-system-operator-controller-service.yml | 19 + ...tvolumeclaim-olmv1-system-e2e-coverage.yml | 15 + ...mv1-system-catalogd-controller-manager.yml | 124 ++++ ...operator-controller-controller-manager.yml | 138 +++++ .../31-certificate-cert-manager-olmv1-ca.yml | 23 + ...ate-olmv1-system-catalogd-service-cert.yml | 22 + ...33-certificate-olmv1-system-olmv1-cert.yml | 21 + 
.../templates/34-clusterissuer-olmv1-ca.yml | 11 + ...5-issuer-cert-manager-self-sign-issuer.yml | 11 + ...mv1-system-catalogd-controller-manager.yml | 26 + ...-olmv1-system-default-deny-all-traffic.yml | 13 + ...operator-controller-controller-manager.yml | 22 + ...pod-olmv1-system-e2e-coverage-copy-pod.yml | 37 ++ ...atalogd-mutating-webhook-configuration.yml | 37 ++ helm/olmv1/templates/_helpers.tpl | 70 +++ helm/olmv1/values.yaml | 56 ++ helm/standard-e2e.yaml | 11 + helm/standard.yaml | 6 + 49 files changed, 2305 insertions(+) create mode 100644 helm/experimental-e2e.yaml create mode 100644 helm/experimental.yaml create mode 100644 helm/olmv1/.helmignore create mode 100644 helm/olmv1/Chart.yaml create mode 100644 helm/olmv1/templates/00-namespace.yml create mode 100644 helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml create mode 100644 helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml create mode 100644 helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml create mode 100644 helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml create mode 100644 helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml create mode 100644 helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml create mode 100644 helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml create mode 100644 helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml create mode 100644 helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml create mode 100644 helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml create mode 100644 helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml create mode 100644 helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml create mode 100644 
helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml create mode 100644 helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml create mode 100644 helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml create mode 100644 helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml create mode 100644 helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml create mode 100644 helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml create mode 100644 helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml create mode 100644 helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml create mode 100644 helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml create mode 100644 helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml create mode 100644 helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml create mode 100644 helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml create mode 100644 helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml create mode 100644 helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml create mode 100644 helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml create mode 100644 helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml create mode 100644 helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml create mode 100644 helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml create mode 100644 helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml create mode 100644 helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml create mode 100644 
helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml create mode 100644 helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml create mode 100644 helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml create mode 100644 helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml create mode 100644 helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml create mode 100644 helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml create mode 100644 helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml create mode 100644 helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml create mode 100644 helm/olmv1/templates/_helpers.tpl create mode 100644 helm/olmv1/values.yaml create mode 100644 helm/standard-e2e.yaml create mode 100644 helm/standard.yaml
diff --git a/helm/experimental-e2e.yaml b/helm/experimental-e2e.yaml
new file mode 100644
index 000000000..7045bad73
--- /dev/null
+++ b/helm/experimental-e2e.yaml
@@ -0,0 +1,23 @@
+# Default values for operator-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# List of components to include
+components:
+ e2e:
+ enabled: true
+
+features:
+ apiV1MetasHandler:
+ enabled: true
+ webhookProviderCertManager:
+ enabled: true
+ singleOwnNamespaceInstallSupport:
+ enabled: true
+ preflightPermissions:
+ enabled: true
+ helmChartSupport:
+ enabled: true
+
+# This can be one of: standard, standard-e2e, experimental, or experimental-e2e
+featureSet: experimental-e2e
diff --git a/helm/experimental.yaml b/helm/experimental.yaml
new file mode 100644
index 000000000..1269d7ffc
--- /dev/null
+++ b/helm/experimental.yaml
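Review bot: The header comment in helm/experimental-e2e.yaml still reads `# Default values for operator-controller.`, but the file is an override that switches on `components.e2e.enabled` and every experimental feature gate, and nothing marks it as test-only. Judging by the diffstat, the e2e component brings in a registries-conf ConfigMap, a coverage PVC and a coverage copy pod, none of which belong on a production cluster, so I would replace the header with `# Test-only overrides: experimental feature set plus e2e fixtures. Do not use for production installs.` helm/experimental.yaml carries the same copied header. `featureSet` and the individual `features.*.enabled` switches also state the same choice twice; a comment saying which of the two the templates honour would keep them from drifting apart.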
@@ -0,0 +1,18 @@
+# Default values for operator-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+features:
+ apiV1MetasHandler:
+ enabled: true
+ webhookProviderCertManager:
+ enabled: true
+ singleOwnNamespaceInstallSupport:
+ enabled: true
+ preflightPermissions:
+ enabled: true
+ helmChartSupport:
+ enabled: true
+
+# This can be one of: standard, standard-e2e, experimental, or experimental-e2e
+featureSet: experimental
diff --git a/helm/olmv1/.helmignore b/helm/olmv1/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/helm/olmv1/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/olmv1/Chart.yaml b/helm/olmv1/Chart.yaml
new file mode 100644
index 000000000..d4a9f0973
--- /dev/null
+++ b/helm/olmv1/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: olmv1
+description: A Helm chart for OLMv1
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.3.0"
diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml
new file mode 100644
index 000000000..f0323e0b8
--- /dev/null
+++ b/helm/olmv1/templates/00-namespace.yml
@@ -0,0 +1,11 @@
+{{/* this is a common component */}}
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" . | nindent 4 }}
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: latest
+ name: {{ .Values.namespaces.olmv1 }}
diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml
new file mode 100644
index 000000000..d66dab8e3
--- /dev/null
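Review bot: In helm/olmv1/templates/00-namespace.yml, `pod-security.kubernetes.io/enforce-version: latest` makes the enforced `restricted` profile follow whatever the API server ships, so a cluster upgrade can begin rejecting this chart's own pods without any chart change. Either pin the version the workloads were validated against or record the intent next to the label, for example `# tracks the cluster's current restricted profile; every pod in this chart must stay compliant`. The namespace is rendered unconditionally, so the e2e coverage pod listed in the diffstat would presumably land under the same policy; its securityContext is outside this hunk and worth checking against `restricted`.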
+++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml 
@@ -0,0 +1,400 @@ +{{- if .Values.components.catalogd.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + {{- include "olmv1.annotations" . | nindent 4}} + olm.operatorframework.io/generator: experimental + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. 
+ The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. 
+ Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. 
+ It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. 
+ + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? 
self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. 
+ + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. 
As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} 
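Review bot: The `olm.operatorframework.io/generator: experimental` annotation is hard-coded in this template and the only gate is `.Values.components.catalogd.enabled`, so an install with `featureSet: standard` appears to receive the CRD generated for the experimental channel. If the standard and experimental schemas differ, standard clusters would expose experimental API fields; the template should select the schema by feature set, or at least derive the annotation from `.Values.featureSet`. The ClusterExtension CRD template that follows carries the same hard-coded annotation. Because the schema body is controller-gen output pasted into a template, a header comment such as `{{/* generated by controller-gen; regenerate rather than edit by hand */}}` would help keep it in sync with the API types.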
diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
new file mode 100644
index 000000000..49f0a22f5
--- /dev/null
+++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
@@ -0,0 +1,573 @@ +{{- if .Values.components.operatorController.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + {{- include "olmv1.annotations" . | nindent 4}} + olm.operatorframework.io/generator: experimental + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml new file mode 100644 index 000000000..77ef1892c --- /dev/null +++ b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml @@ -0,0 +1,12 @@ +{{- if .Values.components.catalogd.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4}} + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: {{ .Values.namespaces.olmv1 }} +{{- end }} diff --git a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml new file mode 100644 index 000000000..afed56fd9 --- /dev/null +++ b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml @@ -0,0 +1,9 @@ +{{- if .Values.components.operatorController.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4}} + name: operator-controller-controller-manager + namespace: {{ .Values.namespaces.olmv1 }} +{{- end }} diff --git a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml new file mode 100644 index 000000000..e342d8607 --- /dev/null 
+++ b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml
@@ -0,0 +1,45 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-leader-election-role
+ namespace: {{ .Values.namespaces.olmv1 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml
new file mode 100644
index 000000000..15048e927
--- /dev/null
+++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml
@@ -0,0 +1,20 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: catalogd-manager-role
+ namespace: {{ .Values.namespaces.olmv1 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml
new file mode 100644
index 000000000..b953de888
--- /dev/null
+++ b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml
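Review bot: The first rule of catalogd-leader-election-role grants get, list, watch, create, update, patch and delete on every ConfigMap in the namespace, next to the same verbs on `coordination.k8s.io` `leases`. If leader election here uses Lease locks only (the controller's configuration is not visible in this patch), the `configmaps` rule is unused privilege and can be dropped, leaving the `leases` and `events` rules. If ConfigMap locks are still required, record that next to the rule, for example `# configmaps: legacy leader-election lock, remove once only Leases are used`. The same rule appears in operator-controller-leader-election-role (07-role-olmv1-system-operator-controller-leader-election-role.yml).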
@@ -0,0 +1,42 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-leader-election-role
+ namespace: {{ .Values.namespaces.olmv1 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml
new file mode 100644
index 000000000..badde9b85
--- /dev/null
+++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml
@@ -0,0 +1,32 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-manager-role
+ namespace: {{ .Values.namespaces.olmv1 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
new file mode 100644
index 000000000..11ece13c5
--- /dev/null
+++ b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
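Review bot: The `secrets` rule in operator-controller-manager-role (08-role-olmv1-system-operator-controller-manager-role.yml) gives the controller create, delete, deletecollection, patch and update on every Secret in `.Values.namespaces.olmv1`, not only the ones it owns. The patch's file list includes cert-manager Certificates for the catalogd and operator-controller services, so their TLS key Secrets presumably live in this same namespace and become writable and deletable by this ServiceAccount. `create` and `deletecollection` cannot be narrowed with `resourceNames`, so the practical options are to keep the controller's own Secrets in a dedicated namespace or to drop `deletecollection` if nothing calls it. At minimum the rule should carry a comment naming what it is for, e.g. `# secrets: storage owned by operator-controller; namespace also holds TLS key material`.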
@@ -0,0 +1,36 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: catalogd-manager-role
+rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/status
+ verbs:
+ - get
+ - patch
+ - update
+{{- end }}
diff --git a/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml
new file mode 100644
index 000000000..dd804d1d1
--- /dev/null
+++ b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml
@@ -0,0 +1,17 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-metrics-reader
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end }}
diff --git a/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml
new file mode 100644
index 000000000..fb6a4a5ca
--- /dev/null
+++ b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml
@@ -0,0 +1,25 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+{{- end }}
diff --git a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml
new file mode 100644
index 000000000..c6e392d6d
--- /dev/null
+++ b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml
@@ -0,0 +1,22 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-clusterextension-editor-role
+rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml
new file mode 100644
index 000000000..ab394081e
--- /dev/null
+++ b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml
@@ -0,0 +1,18 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-clusterextension-viewer-role
+rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
new file mode 100644
index 000000000..136ee6362
--- /dev/null
+++ b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
@@ -0,0 +1,63 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-manager-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+{{- end }}
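Review bot: The first rule of `operator-controller-manager-role` (file 14) grants `create` on `serviceaccounts/token` in a ClusterRole with no `resourceNames`, and file 23 binds that role with a ClusterRoleBinding, so the controller's service account can request a token for any service account in any namespace. This is the broadest grant in the role and the template gives no reason for it. If the controller is meant to act as the service account named by each ClusterExtension (an assumption drawn from the rule, not shown in this patch), state that above the rule, for example `# cluster-wide token creation: the controller acts as the service account named by each ClusterExtension`, so the grant is not widened or copied without review.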
diff --git a/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml
new file mode 100644
index 000000000..ccec8898e
--- /dev/null
+++ b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml
@@ -0,0 +1,14 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-metrics-reader
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end }}
diff --git a/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml
new file mode 100644
index 000000000..93132883b
--- /dev/null
+++ b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml
@@ -0,0 +1,22 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+{{- end }}
diff --git a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml
new file mode 100644
index 000000000..4ae1d22f2
--- /dev/null
+++ b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml
@@ -0,0 +1,21 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-leader-election-rolebinding
+ namespace: {{ .Values.namespaces.olmv1 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: catalogd-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml
new file mode 100644
index 000000000..24568b1ff
--- /dev/null
+++ b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml
@@ -0,0 +1,21 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-manager-rolebinding
+ namespace: {{ .Values.namespaces.olmv1 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: catalogd-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml
new file mode 100644
index 000000000..74741bbc5
--- /dev/null
+++ b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml
@@ -0,0 +1,18 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-leader-election-rolebinding
+ namespace: {{ .Values.namespaces.olmv1 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: operator-controller-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml
new file mode 100644
index 000000000..9eca3c398
--- /dev/null
+++ b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml
@@ -0,0 +1,18 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-manager-rolebinding
+ namespace: {{ .Values.namespaces.olmv1 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: operator-controller-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml
new file mode 100644
index 000000000..735f47aba
--- /dev/null
+++ b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml
@@ -0,0 +1,20 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: catalogd-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml
new file mode 100644
index 000000000..8a7a62811
--- /dev/null
+++ b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml
@@ -0,0 +1,20 @@
+{{- if .Values.components.catalogd.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: catalogd-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml
new file mode 100644
index 000000000..2d875e297
--- /dev/null
+++ b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml
@@ -0,0 +1,17 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: operator-controller-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml
new file mode 100644
index 000000000..7a8894870
--- /dev/null
+++ b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml
@@ -0,0 +1,17 @@
+{{- if .Values.components.operatorController.enabled }}
+{{/* Probably want to include this as a file somehow */}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: operator-controller-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml
new file mode 100644
index 000000000..53ca06e02
--- /dev/null
+++ b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml
@@ -0,0 +1,14 @@
+{{- if .Values.components.e2e.enabled }}
+apiVersion: v1
+data:
+ registries.conf: |
+ [[registry]]
+ prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000"
+ location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000"
+kind: ConfigMap
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: e2e-registries-conf
+ namespace: {{ .Values.namespaces.olmv1 }}
+{{- end }}
diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml
new file mode 100644
index 000000000..fdb46159f
--- /dev/null
+++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml
@@ -0,0 +1,28 @@
+{{- if .Values.components.catalogd.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: catalogd-service
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ - name: webhook
+ port: 9443
+ protocol: TCP
+ targetPort: 9443
+ - name: metrics
+ port: 7443
+ protocol: TCP
+ targetPort: 7443
+ selector:
+ control-plane: catalogd-controller-manager
+{{- end }}
diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml
new file mode 100644
index 000000000..5e6785105
--- /dev/null
+++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml
@@ -0,0 +1,19 @@
+{{- if .Values.components.operatorController.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ labels:
+ control-plane: operator-controller-controller-manager
+ name: operator-controller-service
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ control-plane: operator-controller-controller-manager
+{{- end }}
diff --git a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml
new file mode 100644
index 000000000..f2aaa0bdd
--- /dev/null
+++ b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml
@@ -0,0 +1,15 @@
+{{- if .Values.components.e2e.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: e2e-coverage
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 64Mi
+{{- end }}
diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml
new file mode 100644
index 000000000..282929b16
--- /dev/null
+++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml
@@ -0,0 +1,124 @@
+{{- if .Values.components.catalogd.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ kubectl.kubernetes.io/default-logs-container: manager
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ control-plane: catalogd-controller-manager
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ minReadySeconds: 5
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: catalogd-controller-manager
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ {{- include "olmv1.annotations" . | nindent 8 }}
+ labels:
+ control-plane: catalogd-controller-manager
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ containers:
+ - args:
+ - --leader-elect
+ - --metrics-bind-address=:7443
+ - --external-address=catalogd-service.{{ .Values.namespaces.olmv1 }}.svc
+ {{- if .Values.features.apiV1MetasHandler.enabled }}
+ - --feature-gates=APIV1MetasHandler=true
+ {{- end }}
+ - --tls-cert=/var/certs/tls.crt
+ - --tls-key=/var/certs/tls.key
+ - --pull-cas-dir=/var/ca-certs
+ command:
+ - ./catalogd
+ {{- if .Values.components.e2e.enabled }}
+ env:
+ - name: GOCOVERDIR
+ value: /e2e-coverage
+ {{- end }}
+ image: "{{ .Values.components.catalogd.image.repository }}:{{ .Values.components.catalogd.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.components.catalogd.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ {{- if .Values.components.e2e.enabled }}
+ - mountPath: /e2e-coverage
+ name: e2e-coverage-volume
+ {{- end }}
+ - mountPath: /var/cache/
+ name: cache
+ - mountPath: /tmp
+ name: tmp
+ - mountPath: /var/certs
+ name: catalogserver-certs
+ - mountPath: /var/ca-certs/
+ name: olmv1-certificate
+ readOnly: true
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: catalogd-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ {{- if .Values.components.e2e.enabled }}
+ - name: e2e-coverage-volume
+ persistentVolumeClaim:
+ claimName: e2e-coverage
+ {{- end }}
+ - emptyDir: {}
+ name: cache
+ - emptyDir: {}
+ name: tmp
+ - name: catalogserver-certs
+ secret:
+ secretName: catalogd-service-cert-git-version
+ - name: olmv1-certificate
+ secret:
+ items:
+ - key: ca.crt
+ path: olm-ca.crt
+ optional: false
+ secretName: catalogd-service-cert-git-version
+{{- end }}
diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml
new file mode 100644
index 000000000..1749e0348
--- /dev/null
+++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml
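Review bot: The catalogd Deployment (file 29) mounts the secret `catalogd-service-cert-git-version` in two volumes and passes `--tls-cert`/`--tls-key` unconditionally, but the Certificate that produces that secret (file 32) is rendered only when `components.certManager.enabled` is true. With cert-manager disabled the chart would still render this pod, and it would presumably fail to start because a required secret volume is missing. The operator-controller Deployment (file 30, secret `olmv1-cert`) has the same dependency, and the webhook in file 40 loses its CA-injection annotation while keeping `failurePolicy: Fail`. Document the requirement next to the switch in values.yaml, e.g. `# when false, the secrets catalogd-service-cert-git-version and olmv1-cert and the webhook caBundle must be provided out of band`.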
@@ -0,0 +1,138 @@
+{{- if .Values.components.operatorController.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ kubectl.kubernetes.io/default-logs-container: manager
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ control-plane: operator-controller-controller-manager
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: operator-controller-controller-manager
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ {{- include "olmv1.annotations" . | nindent 8 }}
+ labels:
+ control-plane: operator-controller-controller-manager
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ containers:
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=:8443
+ - --leader-elect
+ {{- if .Values.features.apiV1MetasHandler.enabled }}
+ - --feature-gates=WebhookProviderCertManager=true
+ {{- end }}
+ {{- if .Values.features.singleOwnNamespaceInstallSupport.enabled }}
+ - --feature-gates=SingleOwnNamespaceInstallSupport=true
+ {{- end }}
+ {{- if .Values.features.preflightPermissions.enabled }}
+ - --feature-gates=PreflightPermissions=true
+ {{- end }}
+ {{- if .Values.features.helmChartSupport.enabled }}
+ - --feature-gates=HelmChartSupport=true
+ {{- end }}
+ - --catalogd-cas-dir=/var/certs
+ - --pull-cas-dir=/var/certs
+ - --tls-cert=/var/certs/tls.cert
+ - --tls-key=/var/certs/tls.key
+ command:
+ - /operator-controller
+ {{- if .Values.components.e2e.enabled }}
+ env:
+ - name: GOCOVERDIR
+ value: /e2e-coverage
+ {{- end }}
+ image: "{{ .Values.components.operatorController.image.repository }}:{{ .Values.components.operatorController.image.tag | default .Chart.AppVersion }}"
+ image: quay.io/operator-framework/operator-controller:devel
+ imagePullPolicy: {{ .Values.components.operatorController.image.pullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ {{- if .Values.components.e2e.enabled }}
+ - mountPath: /etc/containers
+ name: e2e-registries-conf
+ - mountPath: /e2e-coverage
+ name: e2e-coverage-volume
+ {{- end }}
+ - mountPath: /var/cache
+ name: cache
+ - mountPath: /tmp
+ name: tmp
+ - mountPath: /var/certs/
+ name: olmv1-certificate
+ readOnly: true
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: operator-controller-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ {{- if .Values.components.e2e.enabled }}
+ - configMap:
+ name: e2e-registries-conf
+ name: e2e-registries-conf
+ - name: e2e-coverage-volume
+ persistentVolumeClaim:
+ claimName: e2e-coverage
+ {{- end }}
+ - emptyDir: {}
+ name: cache
+ - emptyDir: {}
+ name: tmp
+ - name: olmv1-certificate
+ secret:
+ items:
+ - key: ca.crt
+ path: olm-ca.crt
+ - key: tls.crt
+ path: tls.cert
+ - key: tls.key
+ path: tls.key
+ optional: false
+ secretName: olmv1-cert
+{{- end }}
diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml
new file mode 100644
index 000000000..98baa11e5
--- /dev/null
+++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml
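Review bot: The `manager` container in the operator-controller Deployment (file 30) has two `image:` keys: the templated one is immediately followed by the literal `image: quay.io/operator-framework/operator-controller:devel`. That is a duplicate mapping key, and where the parser keeps the last value, `components.operatorController.image.repository` and `.tag` are ignored, so a pinned tag or private mirror set in values would not be what gets deployed; drop the literal line. In the same container the `--feature-gates=WebhookProviderCertManager=true` argument is guarded by `.Values.features.apiV1MetasHandler.enabled`, while values.yaml defines `features.webhookProviderCertManager`, so the guard should read `{{- if .Values.features.webhookProviderCertManager.enabled }}`.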
@@ -0,0 +1,23 @@
+{{- if .Values.components.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ name: olmv1-ca
+ namespace: {{ .Values.namespaces.certManager }}
+spec:
+ commonName: olmv1-ca
+ isCA: true
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: self-sign-issuer
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ secretName: olmv1-ca
+ secretTemplate:
+ annotations:
+ cert-manager.io/allow-direct-injection: "true"
+{{- end }}
diff --git a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml
new file mode 100644
index 000000000..97e2a32dd
--- /dev/null
+++ b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml
@@ -0,0 +1,22 @@
+{{- if .Values.components.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: catalogd-service-cert
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ dnsNames:
+ - localhost
+ - catalogd-service.{{ .Values.namespaces.olmv1 }}.svc
+ - catalogd-service.{{ .Values.namespaces.olmv1 }}.svc.cluster.local
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: olmv1-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ secretName: catalogd-service-cert-git-version
+{{- end }}
diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml
new file mode 100644
index 000000000..9e0fa0141
--- /dev/null
+++ b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml
@@ -0,0 +1,21 @@
+{{- if .Values.components.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: olmv1-cert
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ dnsNames:
+ - operator-controller-service.{{ .Values.namespaces.olmv1 }}.svc
+ - operator-controller-service.{{ .Values.namespaces.olmv1 }}.svc.cluster.local
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: olmv1-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ secretName: olmv1-cert
+{{- end }}
diff --git a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml
new file mode 100644
index 000000000..f78646c3e
--- /dev/null
+++ b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml
@@ -0,0 +1,11 @@
+{{- if .Values.components.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: olmv1-ca
+spec:
+ ca:
+ secretName: olmv1-ca
+{{- end }}
diff --git a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml
new file mode 100644
index 000000000..f0e77ccfd
--- /dev/null
+++ b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml
@@ -0,0 +1,11 @@
+{{- if .Values.components.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: self-sign-issuer
+ namespace: {{ .Values.namespaces.certManager }}
+spec:
+ selfSigned: {}
+{{- end }}
diff --git a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml
new file mode 100644
index 000000000..6ba57f82e
--- /dev/null
+++ b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml
@@ -0,0 +1,26 @@
+{{- if .Values.components.catalogd.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: catalogd-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ egress:
+ - {}
+ ingress:
+ - ports:
+ - port: 7443
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
+ - port: 9443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ control-plane: catalogd-controller-manager
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml
new file mode 100644
index 000000000..8ba38d588
--- /dev/null
+++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml
@@ -0,0 +1,13 @@
+{{/* this is a common component */}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: default-deny-all-traffic
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml
new file mode 100644
index 000000000..69704ade0
--- /dev/null
+++ b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml
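Review bot: The `egress: - {}` rule in the catalogd NetworkPolicy (file 36) matches every destination and port, so for these pods the `default-deny-all-traffic` policy in file 37 restricts nothing on egress; file 38 uses the same rule for operator-controller. The ingress rules also list ports without a `from` clause, so 7443, 8443 and 9443 are open to any peer that can route to the pod, not only the API server or in-namespace clients. If both are intentional, record the reason in the template, e.g. `{{/* egress is unrestricted because catalog registries are user-defined; ingress peers are not restricted because the API server cannot be selected by label */}}` (the reasons here are assumed, not shown in the patch); otherwise narrow the rules.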
@@ -0,0 +1,22 @@
+{{- if .Values.components.operatorController.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: operator-controller-controller-manager
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ egress:
+ - {}
+ ingress:
+ - ports:
+ - port: 8443
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ control-plane: operator-controller-controller-manager
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml
new file mode 100644
index 000000000..36ca26902
--- /dev/null
+++ b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml
@@ -0,0 +1,37 @@
+{{- if .Values.components.e2e.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: e2e-coverage-copy-pod
+ namespace: {{ .Values.namespaces.olmv1 }}
+spec:
+ containers:
+ - command:
+ - sleep
+ - infinity
+ image: busybox:1.36
+ name: tar
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /e2e-coverage
+ name: e2e-coverage-volume
+ readOnly: true
+ restartPolicy: Never
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: e2e-coverage-volume
+ persistentVolumeClaim:
+ claimName: e2e-coverage
+ readOnly: true
+{{- end }}
diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
new file mode 100644
index 000000000..03e3b9fcf
--- /dev/null
+++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
@@ -0,0 +1,37 @@
+{{- if .Values.components.catalogd.enabled }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ {{- if .Values.components.certManager.enabled }}
+ cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager }}/olmv1-ca
+ {{- end }}
+ {{- include "olmv1.annotations" . | nindent 4}}
+ name: catalogd-mutating-webhook-configuration
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: catalogd-service
+ namespace: {{ .Values.namespaces.olmv1 }}
+ path: /mutate-olm-operatorframework-io-v1-clustercatalog
+ port: 9443
+ failurePolicy: Fail
+ matchConditions:
+ - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)'
+ name: MissingOrIncorrectMetadataNameLabel
+ name: inject-metadata-name.olm.operatorframework.io
+ rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clustercatalogs
+ sideEffects: None
+ timeoutSeconds: 10
+{{- end }}
diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl
new file mode 100644
index 000000000..8731b378e
--- /dev/null
+++ b/helm/olmv1/templates/_helpers.tpl
@@ -0,0 +1,70 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "olmv1.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "olmv1.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "olmv1.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "olmv1.labels" -}}
+helm.sh/chart: {{ include "olmv1.chart" . }}
+{{ include "olmv1.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: olm
+{{- end }}
+
+{{/*
+Common annoations
+*/}}
+{{- define "olmv1.annotations" -}}
+olm.operatorframework.io/feature-set: {{ .Values.featureSet }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "olmv1.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "olmv1.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "olmv1.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "olmv1.fullname" .) 
.Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml
new file mode 100644
index 000000000..58dd9f744
--- /dev/null
+++ b/helm/olmv1/values.yaml
@@ -0,0 +1,56 @@
+# Default values for operator-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# List of components to include
+components:
+ operatorController:
+ enabled: true
+ image:
+ repository: quay.io/operator-framework/operator-controller
+ pullPolicy: IfNotPresent
+ tag: devel
+ catalogd:
+ enabled: true
+ image:
+ repository: quay.io/operator-framework/catalogd
+ pullPolicy: IfNotPresent
+ tag: devel
+ certManager:
+ enabled: true
+ e2e:
+ enabled: false
+
+features:
+ apiV1MetasHandler:
+ enabled: false
+ webhookProviderCertManager:
+ enabled: false
+ singleOwnNamespaceInstallSupport:
+ enabled: false
+ preflightPermissions:
+ enabled: false
+ helmChartSupport:
+ enabled: false
+
+# This can be one of: standard, standard-e2e, experimental, or experimental-e2e
+featureSet: standard
+
+# The set of namespaces
+namespaces:
+ olmv1: olmv1-system
+ certManager: cert-manager
+
+# Pod-level security context
+podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+# Container-level security context
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
diff --git a/helm/standard-e2e.yaml b/helm/standard-e2e.yaml
new file mode 100644
index 000000000..0ad2fb6b0
--- /dev/null
+++ b/helm/standard-e2e.yaml
@@ -0,0 +1,11 @@
+# Default values for operator-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# List of components to include
+components:
+ e2e:
+ enabled: true
+
+# This can be one of: standard, standard-e2e, experimental, or experimental-e2e
+featureSet: standard-e2e
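Review bot: In `olmv1.annotations` of _helpers.tpl, `{{ .Values.featureSet }}` is emitted unquoted, so a value override containing `: `, `#` or a newline changes the structure of every manifest that includes the helper; `olm.operatorframework.io/feature-set: {{ .Values.featureSet | quote }}` keeps it a single string. The comment above that helper reads "Common annoations" and should read "Common annotations". `olmv1.serviceAccountName` reads `.Values.serviceAccount.create`, but values.yaml in this patch defines no `serviceAccount` key, so any template that includes it would fail at render time.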
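Review bot: In values.yaml both component images default to `tag: devel` together with `pullPolicy: IfNotPresent`, so a node that has already cached an older `devel` image keeps running it and the deployed code is not tied to a known build. A comment on the two `tag` lines would make the intent clear, for example `# floating development tag; set a release tag or digest for real installs`.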
diff --git a/helm/standard.yaml b/helm/standard.yaml
new file mode 100644
index 000000000..5a007aadf
--- /dev/null
+++ b/helm/standard.yaml
@@ -0,0 +1,6 @@
+# Default values for operator-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This can be one of: standard, standard-e2e, experimental, or experimental-e2e
+featureSet: standard
From 267dd3cdd2d084a92a07f81b4dd18ea7c7f87657 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 14:26:53 -0400 Subject: [PATCH 02/55] WIP: fixup labels 
Signed-off-by: Todd Short --- Makefile | 6 +++ helm/olmv1/templates/00-namespace.yml | 1 + ...ustercatalogs.olm.operatorframework.io.yml | 2 +- ...terextensions.olm.operatorframework.io.yml | 2 +- ...mv1-system-catalogd-controller-manager.yml | 4 +- ...operator-controller-controller-manager.yml | 5 ++- ...1-system-catalogd-leader-election-role.yml | 4 +- ...ole-olmv1-system-catalogd-manager-role.yml | 5 ++- ...erator-controller-leader-election-role.yml | 5 ++- ...ystem-operator-controller-manager-role.yml | 5 ++- .../09-clusterrole-catalogd-manager-role.yml | 5 ++- ...10-clusterrole-catalogd-metrics-reader.yml | 4 +- .../11-clusterrole-catalogd-proxy-role.yml | 4 +- ...ontroller-clusterextension-editor-role.yml | 5 ++- ...ontroller-clusterextension-viewer-role.yml | 5 ++- ...rrole-operator-controller-manager-role.yml | 5 ++- ...ole-operator-controller-metrics-reader.yml | 5 ++- ...terrole-operator-controller-proxy-role.yml | 5 ++- ...m-catalogd-leader-election-rolebinding.yml | 4 +- ...v1-system-catalogd-manager-rolebinding.yml | 4 +- ...controller-leader-election-rolebinding.yml | 5 ++- ...perator-controller-manager-rolebinding.yml | 5 ++- ...lebinding-catalogd-manager-rolebinding.yml | 4 +- ...rolebinding-catalogd-proxy-rolebinding.yml | 4 +- ...perator-controller-manager-rolebinding.yml | 5 ++- ...-operator-controller-proxy-rolebinding.yml | 5 ++- ...igmap-olmv1-system-e2e-registries-conf.yml | 5 ++- ...-service-olmv1-system-catalogd-service.yml | 5 ++- ...mv1-system-operator-controller-service.yml | 4 +- ...tvolumeclaim-olmv1-system-e2e-coverage.yml | 5 ++- ...mv1-system-catalogd-controller-manager.yml | 2 + ...operator-controller-controller-manager.yml | 2 + .../31-certificate-cert-manager-olmv1-ca.yml | 3 ++ ...ate-olmv1-system-catalogd-service-cert.yml | 5 ++- ...33-certificate-olmv1-system-olmv1-cert.yml | 5 ++- .../templates/34-clusterissuer-olmv1-ca.yml | 5 ++- ...5-issuer-cert-manager-self-sign-issuer.yml | 5 ++- 
...mv1-system-catalogd-controller-manager.yml | 5 ++- ...-olmv1-system-default-deny-all-traffic.yml | 5 ++- ...operator-controller-controller-manager.yml | 5 ++- ...pod-olmv1-system-e2e-coverage-copy-pod.yml | 5 ++- ...atalogd-mutating-webhook-configuration.yml | 5 ++- helm/olmv1/templates/_helpers.tpl | 39 +------------------ 43 files changed, 139 insertions(+), 84 deletions(-) diff --git a/Makefile b/Makefile index 67c876a59..2c1cde3ac 100644 --- a/Makefile +++ b/Makefile @@ -166,6 +166,12 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST) $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST) +helm-manifests: #EXHELP WIP: Make manifests via helm + helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) + helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST) + helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) + helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. @find api cmd hack internal -name "zz_generated.deepcopy.go" -delete # Need to delete the files for them to be generated properly diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml index f0323e0b8..cc7d3923a 100644 --- a/helm/olmv1/templates/00-namespace.yml +++ b/helm/olmv1/templates/00-namespace.yml @@ -5,6 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: + app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest 
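Review bot: The new `helm-manifests` target in the Makefile has no `.PHONY: helm-manifests` line, unlike `generate` directly below it, so a file or directory of that name would turn the target into a no-op. It also redirects into the same `$(STANDARD_MANIFEST)` and related files that the `manifests` recipe writes, and `>` truncates the file before `helm template` runs, so a failed render leaves an empty or partial manifest behind. Rendering to a temporary file and moving it into place on success avoids that.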
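Review bot: In 00-namespace.yml, `app.kubernetes.io/name: olmv1` is added directly above `include "olmv1.labels"`, and in the previous patch that helper pulls in `olmv1.selectorLabels`, which also emits `app.kubernetes.io/name`. Unless the `_helpers.tpl` change listed in this commit's diffstat (outside this view) drops that line, each labelled object ends up with a duplicate key, which strict YAML decoders reject and lenient ones resolve silently. The same pattern recurs in the other labels hunks of this commit, so the rendered output of `helm template` is worth checking once.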
diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml index d66dab8e3..421515282 100644 --- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml @@ -4,7 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} olm.operatorframework.io/generator: experimental name: clustercatalogs.olm.operatorframework.io spec: diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml index 49f0a22f5..ea39435f8 100644 --- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml @@ -4,7 +4,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} olm.operatorframework.io/generator: experimental name: clusterextensions.olm.operatorframework.io spec: diff --git a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml index 77ef1892c..96bfdf9b4 100644 --- a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml 
@@ -3,10 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager namespace: {{ .Values.namespaces.olmv1 }} {{- end }} diff --git a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml index afed56fd9..5d1cbcc59 100644 --- a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml @@ -3,7 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager namespace: {{ .Values.namespaces.olmv1 }} {{- end }} diff --git a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml index e342d8607..bb2b23c24 100644 --- a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml +++ b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-leader-election-role namespace: {{ .Values.namespaces.olmv1 }} rules: 
diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index 15048e927..45bf57d2a 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-role namespace: {{ .Values.namespaces.olmv1 }} rules: diff --git a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml index b953de888..38d10cbda 100644 --- a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml +++ b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labeles: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-leader-election-role namespace: {{ .Values.namespaces.olmv1 }} rules: diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index badde9b85..08388421b 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml 
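Review bot: The key added in 07-role-olmv1-system-operator-controller-leader-election-role.yml is spelled `labeles:`, which is not a field of object metadata, so the two labels under it are never applied and strict field validation may reject the Role. It should read `labels:`.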
@@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-role namespace: {{ .Values.namespaces.olmv1 }} rules: diff --git a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml index 11ece13c5..0f65d4360 100644 --- a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml +++ b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-role rules: - apiGroups: diff --git a/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml index dd804d1d1..dff10502f 100644 --- a/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml +++ b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-metrics-reader rules: - nonResourceURLs: diff --git a/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml index fb6a4a5ca..73d5efe20 100644 --- a/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml 
+++ b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-proxy-role rules: - apiGroups: diff --git a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml index c6e392d6d..7c093cfc3 100644 --- a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml +++ b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller06 + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-clusterextension-editor-role rules: - apiGroups: diff --git a/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml index ab394081e..c2c8a3c73 100644 --- a/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml +++ b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml 
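Review bot: In 12-clusterrole-operator-controller-clusterextension-editor-role.yml the added label is `app.kubernetes.io/name: operator-controller06`, with a stray `06` that no sibling template has. Anything that selects or inventories RBAC objects by that label would miss this ClusterRole. It should read `app.kubernetes.io/name: operator-controller`.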
@@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-clusterextension-viewer-role rules: - apiGroups: diff --git a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml index 136ee6362..05986c016 100644 --- a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-role rules: - apiGroups: diff --git a/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml index ccec8898e..ae2ee2231 100644 --- a/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml +++ b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-metrics-reader rules: - nonResourceURLs: 
diff --git a/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml index 93132883b..d87b0ff05 100644 --- a/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml +++ b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-proxy-role rules: - apiGroups: diff --git a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml index 4ae1d22f2..e13ec9c84 100644 --- a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-leader-election-rolebinding namespace: {{ .Values.namespaces.olmv1 }} roleRef: diff --git a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml index 24568b1ff..f806c8791 100644 --- a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml 
@@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-rolebinding namespace: {{ .Values.namespaces.olmv1 }} roleRef: diff --git a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml index 74741bbc5..108fc079c 100644 --- a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-leader-election-rolebinding namespace: {{ .Values.namespaces.olmv1 }} roleRef: diff --git a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml index 9eca3c398..2d24f8252 100644 --- a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml 
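Review bot: In 19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml the new label is `app.kubernetes.io/name: catalogd`, although the binding is named operator-controller-leader-election-rolebinding and the other operator-controller templates in this commit use `operator-controller`. A label query for catalogd's RBAC would then include a binding that belongs to the other component. It should read `app.kubernetes.io/name: operator-controller`.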
@@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-rolebinding namespace: {{ .Values.namespaces.olmv1 }} roleRef: diff --git a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml index 735f47aba..24f28bb33 100644 --- a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml index 8a7a62811..0a019b07a 100644 --- a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml +++ b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml @@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io 
diff --git a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml index 2d875e297..c4e6b86ab 100644 --- a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml index 7a8894870..a2e23cc95 100644 --- a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml +++ b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml @@ -4,7 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml index 53ca06e02..d1178dc25 100644 --- a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml +++ b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml 
@@ -8,7 +8,10 @@ data: kind: ConfigMap metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} name: e2e-registries-conf namespace: {{ .Values.namespaces.olmv1 }} {{- end }} diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index fdb46159f..250b1a6f4 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml @@ -3,10 +3,11 @@ apiVersion: v1 kind: Service metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: + control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-service namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index 5e6785105..88791e0bd 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml @@ -3,9 +3,11 @@ apiVersion: v1 kind: Service metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-service namespace: {{ .Values.namespaces.olmv1 }} spec: 
diff --git a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml index f2aaa0bdd..d21b601a1 100644 --- a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml +++ b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml @@ -3,7 +3,10 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} name: e2e-coverage namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 282929b16..80f491c15 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -7,6 +7,8 @@ metadata: {{- include "olmv1.annotations" . | nindent 4 }} labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 1749e0348..eb4213617 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml 
@@ -7,6 +7,8 @@ metadata: {{- include "olmv1.annotations" . | nindent 4 }} labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml index 98baa11e5..c3237a51c 100644 --- a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml +++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml @@ -4,6 +4,9 @@ kind: Certificate metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: olmv1 + {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-ca namespace: {{ .Values.namespaces.certManager }} spec: diff --git a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml index 97e2a32dd..c5cdbd3c1 100644 --- a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml +++ b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml @@ -3,7 +3,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-service-cert namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml index 9e0fa0141..00e5ab04b 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +++ b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml 
@@ -3,7 +3,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: olmv1 + {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-cert namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml index f78646c3e..f572c40b1 100644 --- a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml +++ b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml @@ -3,7 +3,10 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: olmv1 + {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-ca spec: ca: diff --git a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml index f0e77ccfd..4208b87ef 100644 --- a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml +++ b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml @@ -3,7 +3,10 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: olmv1 + {{- include "olmv1.labels" . | nindent 4 }} name: self-sign-issuer namespace: {{ .Values.namespaces.certManager }} spec: diff --git a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml index 6ba57f82e..19d419ed9 100644 --- a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml 
@@ -3,7 +3,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml index 8ba38d588..03ce22aa3 100644 --- a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml @@ -3,7 +3,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: olmv1 + {{- include "olmv1.labels" . | nindent 4 }} name: default-deny-all-traffic namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml index 69704ade0..2b807e88c 100644 --- a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml @@ -3,7 +3,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager namespace: {{ .Values.namespaces.olmv1 }} spec: 
diff --git a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml index 36ca26902..3a2085032 100644 --- a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml +++ b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml @@ -3,7 +3,10 @@ apiVersion: v1 kind: Pod metadata: annotations: - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: e2e + {{- include "olmv1.labels" . | nindent 4 }} name: e2e-coverage-copy-pod namespace: {{ .Values.namespaces.olmv1 }} spec: diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 03e3b9fcf..68cc87004 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -6,7 +6,10 @@ metadata: {{- if .Values.components.certManager.enabled }} cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager }}/olmv1-ca {{- end }} - {{- include "olmv1.annotations" . | nindent 4}} + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-mutating-webhook-configuration webhooks: - admissionReviewVersions: diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 8731b378e..83352c327 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -5,24 +5,6 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "olmv1.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - {{/* Create chart name and version as used by the chart label. */}} @@ -35,7 +17,7 @@ Common labels */}} {{- define "olmv1.labels" -}} helm.sh/chart: {{ include "olmv1.chart" . }} -{{ include "olmv1.selectorLabels" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -49,22 +31,3 @@ Common annoations {{- define "olmv1.annotations" -}} olm.operatorframework.io/feature-set: {{ .Values.featureSet }} {{- end }} - -{{/* -Selector labels -*/}} -{{- define "olmv1.selectorLabels" -}} -app.kubernetes.io/name: {{ include "olmv1.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "olmv1.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "olmv1.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} From 3f07abcd73104ead7e838cb268ad34707ba9ad23 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 14:58:20 -0400 Subject: [PATCH 03/55] WIP: Fix typo 
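Review bot: `app.kubernetes.io/instance: {{ .Release.Name }}` in `olmv1.labels` is rendered unquoted, unlike the `app.kubernetes.io/version` line just below it, which pipes through `quote`. A release name made only of digits (or one such as `true`) is then read as a YAML number or boolean, and the API server rejects it as a label value on every object that includes this helper. Suggested line: `app.kubernetes.io/instance: {{ .Release.Name | quote }}`. The `define` continues past the end of this hunk.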
Signed-off-by: Todd Short --- ...le-olmv1-system-operator-controller-leader-election-role.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml index 38d10cbda..7a6590b1d 100644 --- a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml +++ b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml @@ -5,7 +5,7 @@ kind: Role metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - labeles: + labels: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-leader-election-role From 05e87297f1aec0ff73b0d80ac89ff35fa939693f Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 15:20:56 -0400 Subject: [PATCH 04/55] WIP: insert CRDs from source Signed-off-by: Todd Short --- .../crds/experimental.clustercatalog.crd.yaml | 442 +++++++++++++ .../experimental.clusterextension.crd.yaml | 590 ++++++++++++++++++ .../crds/standard.clustercatalog.crd.yaml | 442 +++++++++++++ .../crds/standard.clusterextension.crd.yaml | 590 ++++++++++++++++++ ...ustercatalogs.olm.operatorframework.io.yml | 404 +----------- ...terextensions.olm.operatorframework.io.yml | 577 +---------------- 6 files changed, 2076 insertions(+), 969 deletions(-) create mode 100644 helm/olmv1/crds/experimental.clustercatalog.crd.yaml create mode 100644 helm/olmv1/crds/experimental.clusterextension.crd.yaml create mode 100644 helm/olmv1/crds/standard.clustercatalog.crd.yaml create mode 100644 helm/olmv1/crds/standard.clusterextension.crd.yaml diff --git a/helm/olmv1/crds/experimental.clustercatalog.crd.yaml b/helm/olmv1/crds/experimental.clustercatalog.crd.yaml new file mode 100644 index 000000000..2d5722a47 --- /dev/null +++ b/helm/olmv1/crds/experimental.clustercatalog.crd.yaml 
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/crds/experimental.clusterextension.crd.yaml b/helm/olmv1/crds/experimental.clusterextension.crd.yaml new file mode 100644 index 000000000..162683603 --- /dev/null +++ b/helm/olmv1/crds/experimental.clusterextension.crd.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/crds/standard.clustercatalog.crd.yaml b/helm/olmv1/crds/standard.clustercatalog.crd.yaml new file mode 100644 index 000000000..cde14b13b --- /dev/null +++ b/helm/olmv1/crds/standard.clustercatalog.crd.yaml 
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/crds/standard.clusterextension.crd.yaml b/helm/olmv1/crds/standard.clusterextension.crd.yaml new file mode 100644 index 000000000..18faa5978 --- /dev/null +++ b/helm/olmv1/crds/standard.clusterextension.crd.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml index 421515282..56e5e35e4 100644 --- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml 
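Review bot: The `version must be well-formed semver` rule on `status.install.bundle.version` has no `$` anchor, and CEL `matches` is a partial match, so any value that merely begins with a digit passes. Anchoring it as written would then reject ordinary build metadata, because the last group separates identifiers with `-\\.` where the pre-release group uses `\\.`; the tail should read `(\\+([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?$`. The sibling `status.install.bundle.name` documents a 253-character limit but, unlike `spec.source.catalog.packageName`, carries no `maxLength: 253`, and its message says `packageName`. Both are status fields, so exposure is limited to whoever can write the status subresource, but consumers should not treat these values as validated. The file is controller-gen output, so the change presumably belongs in the validation markers on the Go type rather than in this copy.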
@@ -1,400 +1,8 @@ {{- if .Values.components.catalogd.enabled }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - {{- include "olmv1.annotations" . | nindent 4 }} - olm.operatorframework.io/generator: experimental - name: clustercatalogs.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterCatalog - listKind: ClusterCatalogList - plural: clustercatalogs - singular: clustercatalog - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. 
- The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". - - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. 
- Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. 
- It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. 
- - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? 
self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. 
- - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. 
As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true'
- required:
- - base
- type: object
- type: object
- required:
- - metadata
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
+{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
+{{ .Files.Get "crds/standard.clustercatalog.crd.yaml" }}
+{{- end }}
+{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
+{{ .Files.Get "crds/experimental.clustercatalog.crd.yaml" }}
+{{- end }}
 {{- end }}
diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
index ea39435f8..586c85b19 100644
--- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
+++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
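Review bot: The two `featureSet` conditionals that replace the inlined ClusterCatalog CRD have no fallback branch, so an unset or misspelled `.Values.featureSet` renders this template empty while `components.catalogd.enabled` is still true. The chart would then install without the CRD, and without the CEL validation on `spec.source.image.ref` that the removed manifest carried, and no error is raised. `.Files.Get` also returns an empty string when the named file is absent from the chart, which fails in the same silent way. I would turn the second `{{- if or ...` into `{{- else if or ...` (dropping the `{{- end }}` before it), add `{{- else }}{{ fail (printf "unsupported featureSet %q" .Values.featureSet) }}` before the closing `{{- end }}`, and wrap each lookup in `required`. The removed manifest rendered `{{- include "olmv1.annotations" . | nindent 4 }}`, and content returned by `.Files.Get` is not templated, so it is worth confirming that the files under `crds/` (not shown in this hunk) still carry those annotations.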
@@ -1,573 +1,8 @@ {{- if .Values.components.operatorController.enabled }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - {{- include "olmv1.annotations" . | nindent 4 }} - olm.operatorframework.io/generator: experimental - name: clusterextensions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtension - listKind: ClusterExtensionList - plural: clusterextensions - singular: clusterextension - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. 
- properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. 
- This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. 
- - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. 
Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. 
Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. 
- - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. - When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
- BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} +{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{ .Files.Get "crds/standard.clusterextension.crd.yaml" }} +{{- end }} +{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{ .Files.Get "crds/experimental.clusterextension.crd.yaml" }} +{{- end }} {{- end }} From 82c9345b282dfc7a480af455c5ff2cedeacdfb1f Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 15:41:40 -0400 Subject: [PATCH 05/55] WIP: pulling in CRDs as files Signed-off-by: Todd Short --- Makefile | 13 +- .../crds/experimental.clustercatalog.crd.yaml | 442 ------------- .../experimental.clusterextension.crd.yaml | 590 ------------------ .../crds/standard.clustercatalog.crd.yaml | 442 ------------- .../crds/standard.clusterextension.crd.yaml | 590 ------------------ ...ustercatalogs.olm.operatorframework.io.yml | 4 +- ...terextensions.olm.operatorframework.io.yml | 4 +- 7 files changed, 13 insertions(+), 2072 deletions(-) delete mode 100644 helm/olmv1/crds/experimental.clustercatalog.crd.yaml delete mode 100644 helm/olmv1/crds/experimental.clusterextension.crd.yaml delete mode 100644 helm/olmv1/crds/standard.clustercatalog.crd.yaml delete mode 100644 helm/olmv1/crds/standard.clusterextension.crd.yaml diff --git a/Makefile b/Makefile index 2c1cde3ac..92feb2b10 100644 --- a/Makefile +++ b/Makefile 
@@ -166,11 +166,16 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST) $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST) +BASE_COPY := helm/olmv1/base helm-manifests: #EXHELP WIP: Make manifests via helm - helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + rm -rf $(BASE_COPY) + mkdir -p $(BASE_COPY) + cp -r config/base/* $(BASE_COPY) + helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST:.yaml=-helm.yaml) + helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST:.yaml=-helm.yaml) + helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST:.yaml=-helm.yaml) + helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST:.yaml=-helm.yaml) + rm -rf $(BASE_COPY) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/helm/olmv1/crds/experimental.clustercatalog.crd.yaml b/helm/olmv1/crds/experimental.clustercatalog.crd.yaml deleted file mode 100644 index 2d5722a47..000000000 --- a/helm/olmv1/crds/experimental.clustercatalog.crd.yaml +++ /dev/null 
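Review bot: A failed render in `helm-manifests` leaves an empty or truncated `*-helm.yaml` behind, because each `helm template … > file` line truncates its output before helm runs and make stops at the first failing recipe line. The closing `rm -rf $(BASE_COPY)` is then skipped too, so the copied `config/base` tree stays inside the chart directory until the next run. These outputs carry the CRDs and RBAC that get applied to a cluster, so I would render to a temporary name and rename only on success, e.g. `helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST:.yaml=-helm.yaml).tmp` followed by `mv` onto the final name, and likewise for the other three. Separately, the recipe runs whatever `helm` is first on PATH, while `manifests` in the same hunk depends on `$(CONTROLLER_GEN)` and `$(KUSTOMIZE)`; resolving helm through a pinned tool variable in the same way would keep the generated manifests reproducible.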
@@ -1,442 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/generator: experimental - name: clustercatalogs.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterCatalog - listKind: ClusterCatalogList - plural: clustercatalogs - singular: clustercatalog - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. 
- properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". - - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. 
- format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
- The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. 
the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
- When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". 
- format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm/olmv1/crds/experimental.clusterextension.crd.yaml b/helm/olmv1/crds/experimental.clusterextension.crd.yaml deleted file mode 100644 index 162683603..000000000 --- a/helm/olmv1/crds/experimental.clusterextension.crd.yaml +++ /dev/null 
@@ -1,590 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/generator: experimental - name: clusterextensions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtension - listKind: ClusterExtensionList - plural: clusterextensions - singular: clusterextension - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. 
- properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. 
- This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. 
- - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. 
Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. 
Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. 
- - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. - When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
- BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm/olmv1/crds/standard.clustercatalog.crd.yaml b/helm/olmv1/crds/standard.clustercatalog.crd.yaml deleted file mode 100644 index cde14b13b..000000000 --- a/helm/olmv1/crds/standard.clustercatalog.crd.yaml +++ /dev/null 
@@ -1,442 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/generator: standard - name: clustercatalogs.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterCatalog - listKind: ClusterCatalogList - plural: clustercatalogs - singular: clustercatalog - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. 
- properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". - - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. 
- format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
- The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. 
the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
- When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". 
- format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm/olmv1/crds/standard.clusterextension.crd.yaml b/helm/olmv1/crds/standard.clusterextension.crd.yaml deleted file mode 100644 index 18faa5978..000000000 --- a/helm/olmv1/crds/standard.clusterextension.crd.yaml +++ /dev/null 
@@ -1,590 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/generator: standard - name: clusterextensions.olm.operatorframework.io -spec: - group: olm.operatorframework.io - names: - kind: ClusterExtension - listKind: ClusterExtensionList - plural: clusterextensions - singular: clusterextension - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. 
- properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. 
- This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. 
- - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. 
Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. 
Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. 
- - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. - When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
- BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml index 56e5e35e4..ec0d6b8f9 100644 --- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml @@ -1,8 +1,8 @@ {{- if .Values.components.catalogd.enabled }} {{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} -{{ .Files.Get "crds/standard.clustercatalog.crd.yaml" }} +{{ .Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" }} {{- end }} {{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} -{{ .Files.Get "crds/experimental.clustercatalog.crd.yaml" }} +{{ .Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml" }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml index 586c85b19..43dcf06f4 100644 --- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml 
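Review bot: `.Files.Get` returns an empty string when the path is not packaged in the chart, so both new CRD includes in this hunk render to nothing instead of failing when `helm/olmv1/base` is absent. The Makefile change later in this series copies `config/base` into that directory and removes it again after templating, so the chart as committed presumably has no `base/` directory, and a `helm template` or `helm install` run outside `make manifests` would produce the controllers without their CRDs. Wrapping the lookup turns that into a render error: `{{ required "CRD file missing from chart; run make manifests" (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml") }}`. The same applies to the experimental include here and to both includes in the `02-customresourcedefinition-clusterextensions` hunk that follows.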
@@ -1,8 +1,8 @@
 {{- if .Values.components.operatorController.enabled }}
 {{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
-{{ .Files.Get "crds/standard.clusterextension.crd.yaml" }}
+{{ .Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml" }}
 {{- end }}
 {{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
-{{ .Files.Get "crds/experimental.clusterextension.crd.yaml" }}
+{{ .Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml" }}
 {{- end }}
 {{- end }}
From c7ca3db3d084fb46cbadcf52ca5e2fe978a8f620 Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Fri, 18 Jul 2025 15:59:35 -0400
Subject: [PATCH 06/55] WIP: Update manifests
Signed-off-by: Todd Short
---
 Makefile | 16 +-
 manifests/experimental-e2e.yaml | 1679 ++++++++++++++++++-------------
 manifests/experimental.yaml | 1440 +++++++++++++++-----------
 manifests/standard-e2e.yaml | 1607 +++++++++++++++++------------
 manifests/standard.yaml | 1430 +++++++++++++++-----------
 5 files changed, 3612 insertions(+), 2560 deletions(-)
diff --git a/Makefile b/Makefile
index 92feb2b10..0c74e6f14 100644
--- a/Makefile
+++ b/Makefile
@@ -144,6 +144,7 @@ tidy:
 KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac
 KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook
 KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
+BASE_COPY := helm/olmv1/base
 # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files
 # So we have to generate them together and then move them into place
 manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
@@ -161,20 +162,13 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration,
 $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental
 # Generate manifests stored in source-control
 mkdir -p $(MANIFEST_HOME)
- $(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST)
- $(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_E2E_OVERLAY) > $(STANDARD_E2E_MANIFEST)
- $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST)
- $(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST)
-
-BASE_COPY := helm/olmv1/base
-helm-manifests: #EXHELP WIP: Make manifests via helm
 rm -rf $(BASE_COPY)
 mkdir -p $(BASE_COPY)
 cp -r config/base/* $(BASE_COPY)
- helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST:.yaml=-helm.yaml)
- helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST:.yaml=-helm.yaml)
- helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST:.yaml=-helm.yaml)
- helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST:.yaml=-helm.yaml)
+ helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST)
+ helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST)
+ helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST)
+ helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST)
 rm -rf $(BASE_COPY)

 .PHONY: generate
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index a91833bd7..de45388fb 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
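Review bot: The four added `helm template` lines that now write the committed manifests run whatever `helm` is first on PATH, while the target's prerequisites are still `$(CONTROLLER_GEN) $(KUSTOMIZE)`. Those manifests are what gets applied to clusters, so the renderer should be resolved the same way as the other tools: add a `$(HELM)` prerequisite (a variable still to be defined next to the other tool variables) and call `$(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST)`. Each line also redirects straight into the tracked file, so a failed render leaves a truncated manifest and skips the final `rm -rf $(BASE_COPY)`. Rendering to a temporary file and moving it into place on success would avoid both. The `manifests` recipe begins before this hunk, so the earlier steps are not visible here.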
@@ -1,20 +1,185 @@ +--- +# Source: olmv1/templates/00-namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- +# Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + control-plane: catalogd-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml 
+apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + control-plane: operator-controller-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml +apiVersion: v1 +data: + registries.conf: | + [[registry]] + prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" + location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" +kind: ConfigMap +metadata: + 
annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-registries-conf + namespace: olmv1-system +--- +# Source: olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-coverage + namespace: olmv1-system +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Mi +--- +# Source: olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +617,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clusterextensions.olm.operatorframework.io spec: 
@@ -1043,573 +1208,730 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - labels: - app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system ---- +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - 
verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental name: catalogd-manager-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + 
helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/11-clusterrole-catalogd-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller06 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - 
clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-manager-role rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- 
apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: 
experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system + name: catalogd-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role + kind: ClusterRole + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + 
app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system + name: catalogd-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role + kind: ClusterRole + name: catalogd-proxy-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-rolebinding - namespace: olmv1-system + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-leader-election-role + kind: ClusterRole + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding - namespace: olmv1-system + olm.operatorframework.io/feature-set: experimental-e2e + 
labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-manager-role + kind: ClusterRole + name: operator-controller-proxy-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: 
catalogd-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-role + namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role + namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + 
resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: catalogd-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role + kind: Role + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: 
olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-rolebinding + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- -apiVersion: v1 -data: - registries.conf: | - [[registry]] - prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" - location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" -kind: ConfigMap +# Source: olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-registries-conf + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding namespace: olmv1-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator-controller-manager-role 
+subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/26-service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: + control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: control-plane: catalogd-controller-manager --- +# Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 selector: control-plane: operator-controller-controller-manager --- +# Source: olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 -kind: 
PersistentVolumeClaim +kind: Pod metadata: annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-coverage + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-coverage-copy-pod namespace: olmv1-system spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Mi + containers: + - command: + - sleep + - infinity + image: busybox:1.36 + name: tar + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + readOnly: true + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + readOnly: true --- +# Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: annotations: kubectl.kubernetes.io/default-logs-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: @@ -1622,7 +1944,7 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: catalogd-controller-manager spec: 
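Review bot: Two of the label blocks added in the `@@ -1043,573 +1208,730 @@` hunk look like copy/paste slips. The ClusterRole `operator-controller-clusterextension-editor-role` gets `app.kubernetes.io/name: operator-controller06`, and the RoleBinding `operator-controller-leader-election-rolebinding` gets `app.kubernetes.io/name: catalogd`, although the other operator-controller objects in this hunk use `operator-controller`. This file is rendered output (each document carries a `# Source: olmv1/templates/...` line), so the fix belongs in the `12-clusterrole-operator-controller-clusterextension-editor-role.yml` and `19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml` templates, which are outside this hunk. Both should read `app.kubernetes.io/name: operator-controller`. Anything that selects, audits or cleans up RBAC objects by that label would otherwise miss or misattribute these two.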
@@ -1630,74 +1952,70 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --feature-gates=APIV1MetasHandler=true - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: GOCOVERDIR - value: /e2e-coverage - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --feature-gates=APIV1MetasHandler=true + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + env: + - 
name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/catalogd:devel" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
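Review bot: The `--external-address` argument in the catalogd `manager` container now hard-codes the namespace (`catalogd-service.olmv1-system.svc`), and the `POD_NAMESPACE` downward-API entry is dropped from `env`. The address catalogd advertises therefore no longer follows the namespace the pod actually runs in. It matches the `dnsNames` of `catalogd-service-cert` today, but rendering the chart for another namespace would require changing the advertised host and the certificate SANs together, or TLS verification of catalog URLs would presumably fail. This file appears to be rendered from the chart, so the fix belongs in the deployment template: keep `--external-address=catalogd-service.$(POD_NAMESPACE).svc` with its `fieldRef` env entry, or render the namespace from one chart value shared with the Certificate. The Deployment spec continues outside this hunk.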
@@ -1705,32 +2023,39 @@ spec: serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + secretName: catalogd-service-cert-git-version + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: annotations: kubectl.kubernetes.io/default-logs-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: @@ -1742,7 +2067,7 @@ spec: metadata: annotations: kubectl.kubernetes.io/default-container: manager - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: operator-controller-controller-manager spec: 
@@ -1750,74 +2075,75 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --feature-gates=WebhookProviderCertManager=true - - --feature-gates=SingleOwnNamespaceInstallSupport=true - - --feature-gates=PreflightPermissions=true - - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - env: - - name: GOCOVERDIR - value: /e2e-coverage - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/containers - name: e2e-registries-conf - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --feature-gates=WebhookProviderCertManager=true + - 
--feature-gates=SingleOwnNamespaceInstallSupport=true + - --feature-gates=PreflightPermissions=true + - --feature-gates=HelmChartSupport=true + - --catalogd-cas-dir=/var/certs + - --pull-cas-dir=/var/certs + - --tls-cert=/var/certs/tls.cert + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/operator-controller:devel" + image: quay.io/operator-framework/operator-controller:devel + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/containers + name: e2e-registries-conf + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
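Review bot: The operator-controller `manager` container ends up with two `image:` keys: the added `image: "quay.io/operator-framework/operator-controller:devel"` is immediately followed by the unquoted `image:` line kept as context. The hunk header agrees, going from 74 to 75 lines. A duplicate mapping key is invalid YAML; tolerant parsers keep only one value, strict field validation rejects the object, and if the two values ever diverge it becomes unclear which image is deployed. Since this manifest appears to be rendered from the chart, the leftover literal `image:` line should be removed from the operator-controller deployment template. The catalogd container in the earlier hunk carries only the quoted form.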
@@ -1825,33 +2151,41 @@ spec: serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 volumes: - - configMap: + - configMap: + name: e2e-registries-conf name: e2e-registries-conf - name: e2e-registries-conf - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + - key: tls.crt + path: tls.cert + - key: tls.key + path: tls.key + optional: false + secretName: olmv1-cert --- +# Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: 
@@ -1870,18 +2204,26 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer @@ -1892,17 +2234,25 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1913,153 +2263,80 @@ spec: size: 256 secretName: olmv1-cert --- +# Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: 
operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: e2e-coverage-copy-pod - namespace: olmv1-system -spec: - containers: - - command: - - sleep - - infinity - image: busybox:1.36 - name: tar - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - readOnly: true - restartPolicy: Never - securityContext: - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - readOnly: true ---- +# Source: olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: experimental + olm.operatorframework.io/feature-set: experimental-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in 
object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + matchConditions: + - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' + name: MissingOrIncorrectMetadataNameLabel + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 00dc14153..ab0ab93c9 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml 
@@ -1,20 +1,142 @@ +--- +# Source: olmv1/templates/00-namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- +# Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + control-plane: catalogd-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + 
annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + control-plane: operator-controller-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clustercatalogs.olm.operatorframework.io spec: 
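Review bot: The `clustercatalogs` CRD at the end of this hunk loses its `olm.operatorframework.io/feature-set: experimental` annotation. Unlike every other object added here, it also receives none of the new `helm.sh/chart` / `app.kubernetes.io/*` labels. Anything that selects, prunes or audits installed objects by feature-set or by the Helm labels would then skip the CRDs. The `clusterextensions` CRD in the following hunk has the same removal. If the CRDs are intentionally copied verbatim from the generator output, a comment in the chart saying so would help. Otherwise restore `olm.operatorframework.io/feature-set: experimental` under the CRD template's `annotations`. The CRD body continues outside this hunk.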
@@ -452,12 +574,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: experimental olm.operatorframework.io/generator: experimental name: clusterextensions.olm.operatorframework.io spec: 
@@ -1043,520 +1165,647 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system + name: catalogd-manager-role +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- 
apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/11-clusterrole-catalogd-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: catalogd-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-proxy-role rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller06 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - 
delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: catalogd-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - 
apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: operator-controller-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - 
tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-clusterextension-editor-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-manager-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-clusterextension-viewer-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
catalogd-proxy-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-metrics-reader -rules: -- 
nonResourceURLs: - - /metrics - verbs: - - get + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: operator-controller-proxy-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-role + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-role + namespace: olmv1-system rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + 
app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: catalogd-manager-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: operator-controller-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: 
Role - name: operator-controller-leader-election-role -subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental - name: operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-manager-role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: 
Helm app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role -subjects: -- kind: 
ServiceAccount - name: operator-controller-controller-manager namespace: olmv1-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/26-service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: + control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: control-plane: catalogd-controller-manager --- +# Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: 
@@ -1564,17 +1813,24 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 selector: control-plane: operator-controller-controller-manager --- +# Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1583,6 +1839,12 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
@@ -1603,70 +1865,65 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --feature-gates=APIV1MetasHandler=true - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --feature-gates=APIV1MetasHandler=true + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + image: "quay.io/operator-framework/catalogd:devel" + imagePullPolicy: IfNotPresent + livenessProbe: + 
httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -1674,21 +1931,22 @@ spec: serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + secretName: catalogd-service-cert-git-version + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1697,6 +1955,12 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
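Review bot: The catalogd `manager` args in the `@@ -1603,70 +1865,65 @@` hunk now hard-code the namespace in `--external-address=catalogd-service.olmv1-system.svc`, and the `POD_NAMESPACE` downward-API env entry that used to supply it is removed. If the chart template holds this literal rather than a templated namespace (the template is not part of this hunk), installing the chart into another namespace would make catalogd advertise a service address that does not exist there. Either keep `--external-address=catalogd-service.$(POD_NAMESPACE).svc` together with the `fieldRef` env entry, or render the namespace from the release. Whichever is chosen should stay in step with the `dnsNames` of `catalogd-service-cert`, since a mismatch there shows up as TLS verification failures. The Deployment spec starts and ends outside the hunk.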
@@ -1716,67 +1980,68 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --feature-gates=WebhookProviderCertManager=true - - --feature-gates=SingleOwnNamespaceInstallSupport=true - - --feature-gates=PreflightPermissions=true - - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --feature-gates=WebhookProviderCertManager=true + - --feature-gates=SingleOwnNamespaceInstallSupport=true + - --feature-gates=PreflightPermissions=true + - --feature-gates=HelmChartSupport=true + - --catalogd-cas-dir=/var/certs + - --pull-cas-dir=/var/certs 
+ - --tls-cert=/var/certs/tls.cert + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + image: "quay.io/operator-framework/operator-controller:devel" + image: quay.io/operator-framework/operator-controller:devel + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
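Review bot: The operator-controller `manager` container now has two `image:` keys, the quoted `image: "quay.io/operator-framework/operator-controller:devel"` immediately followed by the unquoted `image: quay.io/operator-framework/operator-controller:devel`. Duplicate mapping keys are not valid YAML: strict parsers reject the document and lenient ones keep only the last value, so a manifest scanner or policy check and the component that applies the manifest can disagree about which image is deployed if the two lines ever diverge. The catalogd Deployment hunk has a single quoted `image:` line, so the leftover presumably comes from the chart template this file is rendered from. Drop the unquoted line there and regenerate. The Deployment spec starts and ends outside the hunk.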
@@ -1784,27 +2049,35 @@ spec: serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + - key: tls.crt + path: tls.cert + - key: tls.key + path: tls.key + optional: false + secretName: olmv1-cert --- +# Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: @@ -1823,18 +2096,26 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1845,17 +2126,25 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1866,117 +2155,80 @@ spec: size: 256 secretName: olmv1-cert --- +# Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - 
podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- +# Source: olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: experimental + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + matchConditions: + - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' + name: MissingOrIncorrectMetadataNameLabel 
+ name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 1f46a03d4..5d711dbdc 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
@@ -1,20 +1,185 @@ +--- +# Source: olmv1/templates/00-namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- +# Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + control-plane: catalogd-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + 
annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + control-plane: operator-controller-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml +apiVersion: v1 +data: + registries.conf: | + [[registry]] + prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" + location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" +kind: ConfigMap +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + 
app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-registries-conf + namespace: olmv1-system +--- +# Source: olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-coverage + namespace: olmv1-system +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Mi +--- +# Source: olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard-e2e olm.operatorframework.io/generator: standard name: clustercatalogs.olm.operatorframework.io spec: @@ -452,12 +617,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard-e2e olm.operatorframework.io/generator: standard name: clusterextensions.olm.operatorframework.io spec: 
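Review bot: Both CustomResourceDefinition headers lose `olm.operatorframework.io/feature-set: standard-e2e` (at the end of the `@@ -1,20 +1,185 @@` hunk for clustercatalogs, and again in `@@ -452,12 +617,12 @@` for clusterextensions), while every other object in the new file keeps that annotation and also gains the common Helm labels. If the CRD templates are deliberately shared between feature sets, a short comment in the template, such as `# CRDs are common to all feature sets; no feature-set annotation`, would make that explicit. Otherwise anything that selects or audits installed objects by this annotation will silently skip the two CRDs. The CRD specs continue outside these hunks, so this is based on the metadata lines only.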
@@ -1043,190 +1208,49 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - labels: - app.kubernetes.io/name: catalogd - app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-controller-manager - namespace: olmv1-system ---- +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-leader-election-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch 
- - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-manager-role - namespace: olmv1-system -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e name: catalogd-manager-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1234,14 +1258,19 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/11-clusterrole-catalogd-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1249,327 +1278,577 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller06 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- +# Source: olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-manager-role rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + 
- get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: 
rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-rolebinding - namespace: olmv1-system + name: catalogd-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role + kind: ClusterRole + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system + name: catalogd-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role + kind: ClusterRole + name: catalogd-proxy-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-leader-election-rolebinding - namespace: 
olmv1-system + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-leader-election-role + kind: ClusterRole + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-manager-rolebinding - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-manager-role + kind: ClusterRole + name: operator-controller-proxy-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-role + namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io 
+ resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role + namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +--- +# Source: olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: catalogd-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: 
RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role + kind: Role + name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-proxy-rolebinding + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- -apiVersion: v1 -data: - registries.conf: | - [[registry]] - prefix = "mirrored-registry.operator-controller-e2e.svc.cluster.local:5000" - location = "docker-registry.operator-controller-e2e.svc.cluster.local:5000" -kind: ConfigMap +# Source: 
olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: e2e-registries-conf + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding namespace: olmv1-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator-controller-manager-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/26-service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: + control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: control-plane: catalogd-controller-manager --- +# Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: 
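Review bot: The `app.kubernetes.io/name` label is wrong on two objects added in this hunk. The ClusterRole `operator-controller-clusterextension-editor-role` gets `operator-controller06`, and the RoleBinding `operator-controller-leader-election-rolebinding` gets `catalogd` although its subject is the `operator-controller-controller-manager` service account. Anything that selects RBAC objects by this label, for example an audit query with `-l app.kubernetes.io/name=operator-controller`, would miss the first and attribute the second to the wrong component. Both should read `app.kubernetes.io/name: operator-controller`. The `# Source:` comments suggest this manifest is rendered from the chart, so the change presumably belongs in templates 12 and 19.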
@@ -1577,31 +1856,68 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 selector: control-plane: operator-controller-controller-manager --- +# Source: olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 -kind: PersistentVolumeClaim +kind: Pod metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e - name: e2e-coverage + labels: + app.kubernetes.io/name: e2e + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: e2e-coverage-copy-pod namespace: olmv1-system spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Mi + containers: + - command: + - sleep + - infinity + image: busybox:1.36 + name: tar + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + readOnly: true + restartPolicy: Never + securityContext: + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumes: + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + readOnly: true --- +# Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: 
@@ -1610,6 +1926,12 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
@@ -1630,73 +1952,69 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: GOCOVERDIR - value: /e2e-coverage - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: 
"quay.io/operator-framework/catalogd:devel" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -1704,24 +2022,25 @@ spec: serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + secretName: catalogd-service-cert-git-version + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: 
@@ -1730,6 +2049,12 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
@@ -1749,70 +2074,71 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - env: - - name: GOCOVERDIR - value: /e2e-coverage - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/containers - name: e2e-registries-conf - - mountPath: /e2e-coverage - name: e2e-coverage-volume - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --catalogd-cas-dir=/var/certs + - --pull-cas-dir=/var/certs + - --tls-cert=/var/certs/tls.cert + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + env: + - name: GOCOVERDIR + value: /e2e-coverage + image: "quay.io/operator-framework/operator-controller:devel" + image: 
quay.io/operator-framework/operator-controller:devel + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/containers + name: e2e-registries-conf + - mountPath: /e2e-coverage + name: e2e-coverage-volume + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
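Review bot: The `manager` container of the operator-controller Deployment now carries two `image:` keys on consecutive added lines, one quoted and one unquoted. Duplicate mapping keys are not valid YAML: strict parsers reject the document, and lenient ones silently keep a single value, so if the two lines ever differ it is unclear which image is deployed. Keep one line, `image: "quay.io/operator-framework/operator-controller:devel"`, and drop the other. The Deployment spec starts and continues outside this hunk, and the manifest appears to be rendered from the chart, so the duplicate most likely comes from the Deployment template.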
@@ -1820,33 +2146,41 @@ spec: serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 volumes: - - configMap: + - configMap: + name: e2e-registries-conf name: e2e-registries-conf - name: e2e-registries-conf - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + - name: e2e-coverage-volume + persistentVolumeClaim: + claimName: e2e-coverage + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + - key: tls.crt + path: tls.cert + - key: tls.key + path: tls.key + optional: false + secretName: olmv1-cert --- +# Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: 
@@ -1865,18 +2199,26 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer @@ -1887,17 +2229,25 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1908,153 +2258,80 @@ spec: size: 256 secretName: olmv1-cert --- +# Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - 
podSelector: - matchLabels: - control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - name: e2e-coverage-copy-pod - namespace: olmv1-system -spec: - containers: - - command: - - sleep - - infinity - image: busybox:1.36 - name: tar - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /e2e-coverage - name: e2e-coverage-volume - readOnly: true - restartPolicy: Never - securityContext: - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - volumes: - - name: e2e-coverage-volume - persistentVolumeClaim: - claimName: e2e-coverage - readOnly: true ---- +# Source: olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: standard-e2e + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: 
inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + matchConditions: + - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' + name: MissingOrIncorrectMetadataNameLabel + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 diff --git a/manifests/standard.yaml b/manifests/standard.yaml index b4c70c252..0a9560ea3 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml 
@@ -1,20 +1,142 @@ +--- +# Source: olmv1/templates/00-namespace.yml apiVersion: v1 kind: Namespace metadata: annotations: olm.operatorframework.io/feature-set: standard labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- +# Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 7443 + protocol: TCP + - port: 8443 + protocol: TCP + - port: 9443 + protocol: TCP + podSelector: + matchLabels: + control-plane: catalogd-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: default-deny-all-traffic + namespace: olmv1-system +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + 
olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +spec: + egress: + - {} + ingress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + control-plane: operator-controller-controller-manager + policyTypes: + - Ingress + - Egress +--- +# Source: olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-controller-manager + namespace: olmv1-system +--- +# Source: olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard olm.operatorframework.io/generator: standard name: clustercatalogs.olm.operatorframework.io spec: 
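Review bot: Both per-controller NetworkPolicies added in this hunk (`catalogd-controller-manager` and `operator-controller-controller-manager`) carry `egress: - {}` and ingress rules that list ports but no `from` peers, so next to `default-deny-all-traffic` they still allow all outbound traffic and inbound traffic from any source on 7443/8443/9443. The rules appear to be carried over unchanged from the earlier manifest, but now that they are rendered from chart templates 36 and 38 the intent should be recorded there, for example `# egress is unrestricted: the controller must reach the API server and external catalog/image registries` above the `egress` key; that reason is my assumption, so confirm it before writing it down. If the ingress peers are ever narrowed, a chart value would be the natural place for them.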
@@ -452,12 +574,12 @@ spec: subresources: status: {} --- +# Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 - olm.operatorframework.io/feature-set: standard olm.operatorframework.io/generator: standard name: clusterextensions.olm.operatorframework.io spec: 
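Review bot: The `olm.operatorframework.io/feature-set: standard` annotation is dropped from the `clusterextensions` CRD here, and from the `clustercatalogs` CRD at the end of the previous hunk, while every other object in the rendered manifest keeps it. In the visible metadata the two CRDs also do not receive the `app.kubernetes.io/*` and `helm.sh/chart` labels that the chart adds to the other objects. If anything selects or filters objects by that annotation or by `app.kubernetes.io/part-of: olm`, the CRDs would now be missed; if the omission is intended, a short comment in templates 01 and 02 saying so would help. The CRD bodies lie outside this hunk.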
@@ -1043,520 +1165,647 @@ spec: subresources: status: {} --- -apiVersion: v1 -kind: ServiceAccount +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-controller-manager - namespace: olmv1-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: operator-controller-controller-manager - namespace: olmv1-system + name: catalogd-manager-role +rules: + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs/status + verbs: + - get + - patch + - update --- +# Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-leader-election-role - namespace: olmv1-system + name: catalogd-metrics-reader rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: 
- - "" - resources: - - events - verbs: - - create - - patch + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/11-clusterrole-catalogd-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: catalogd-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-proxy-role rules: -- apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-leader-election-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller06 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-clusterextension-editor-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - create + - delete + - get + - 
list + - patch + - update + - watch --- +# Source: olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-manager-role - namespace: olmv1-system + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-clusterextension-viewer-role rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard - name: catalogd-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - 
apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch --- +# Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-metrics-reader + name: operator-controller-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- +# Source: olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-role + name: operator-controller-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create 
-- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- +# Source: olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-clusterextension-editor-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-manager-role +subjects: + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-clusterextension-viewer-role -rules: -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - watch + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-proxy-role +subjects: + - kind: 
ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: operator-controller-manager-role -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update -- apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get + labels: + 
app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: operator-controller-proxy-role +subjects: + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-proxy-role + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-role + namespace: olmv1-system rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - 
name: catalogd-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-leader-election-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: catalogd-manager-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: catalogd + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: catalogd-manager-role -subjects: -- kind: ServiceAccount - name: catalogd-controller-manager + name: operator-controller-leader-election-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-leader-election-rolebinding - namespace: olmv1-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: operator-controller-leader-election-role -subjects: -- kind: 
ServiceAccount - name: operator-controller-controller-manager + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role namespace: olmv1-system +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch --- +# Source: olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard - name: operator-controller-manager-rolebinding + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + name: catalogd-leader-election-rolebinding namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-controller-manager-role + name: catalogd-leader-election-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding + namespace: 
olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: catalogd-manager-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: catalogd-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-proxy-rolebinding + name: operator-controller-leader-election-rolebinding + namespace: olmv1-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-proxy-role + kind: Role + name: operator-controller-leader-election-role subjects: -- kind: ServiceAccount - name: catalogd-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-manager-role -subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager namespace: olmv1-system ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: operator-controller-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: operator-controller-proxy-role + kind: Role + name: operator-controller-manager-role subjects: -- kind: ServiceAccount - name: operator-controller-controller-manager - namespace: olmv1-system + - kind: ServiceAccount + name: operator-controller-controller-manager + namespace: olmv1-system --- +# Source: olmv1/templates/26-service-olmv1-system-catalogd-service.yml apiVersion: v1 kind: Service metadata: annotations: olm.operatorframework.io/feature-set: standard labels: + control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system spec: ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: webhook - port: 9443 - protocol: TCP - targetPort: 9443 - - name: metrics - port: 7443 - protocol: TCP - targetPort: 7443 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: webhook + port: 9443 + protocol: TCP + targetPort: 9443 + - name: metrics + port: 7443 + protocol: TCP + targetPort: 7443 selector: control-plane: catalogd-controller-manager --- +# Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 kind: Service metadata: 
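Review bot: Two of the `app.kubernetes.io/name` label values in this hunk look wrong. The ClusterRole `operator-controller-clusterextension-editor-role` (template 12) is labelled `app.kubernetes.io/name: operator-controller06`, which reads like a stray suffix; it should be `app.kubernetes.io/name: operator-controller`. The RoleBinding `operator-controller-leader-election-rolebinding` (template 19) ends up with `app.kubernetes.io/name: catalogd` although it binds the `operator-controller-controller-manager` service account, and the same correction applies there. Any selector or inventory query on `app.kubernetes.io/name` would otherwise miss the first object and attribute the second to catalogd, which matters when auditing which RBAC objects belong to which controller. These manifests are rendered output, so the change belongs in the chart templates.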
@@ -1564,17 +1813,24 @@ metadata: olm.operatorframework.io/feature-set: standard labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system spec: ports: - - name: https - port: 8443 - protocol: TCP - targetPort: 8443 + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 selector: control-plane: operator-controller-controller-manager --- +# Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1583,6 +1839,12 @@ metadata: olm.operatorframework.io/feature-set: standard labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system spec: 
@@ -1603,69 +1865,64 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --leader-elect - - --metrics-bind-address=:7443 - - --external-address=catalogd-service.$(POD_NAMESPACE).svc - - --tls-cert=/var/certs/tls.crt - - --tls-key=/var/certs/tls.key - - --pull-cas-dir=/var/ca-certs - command: - - ./catalogd - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache/ - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs - name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate - readOnly: true + - args: + - --leader-elect + - --metrics-bind-address=:7443 + - --external-address=catalogd-service.olmv1-system.svc + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --pull-cas-dir=/var/ca-certs + command: + - ./catalogd + image: "quay.io/operator-framework/catalogd:devel" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: 
manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/cache/ + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -1673,21 +1930,22 @@ spec: serviceAccountName: catalogd-controller-manager terminationGracePeriodSeconds: 10 volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: catalogserver-certs - secret: - secretName: catalogd-service-cert-git-version - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - optional: false - secretName: catalogd-service-cert-git-version + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: catalogserver-certs + secret: + secretName: catalogd-service-cert-git-version + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 kind: Deployment metadata: @@ -1696,6 +1954,12 @@ metadata: olm.operatorframework.io/feature-set: standard labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system spec: 
@@ -1715,63 +1979,64 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8443 - - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert - - --tls-key=/var/certs/tls.key - command: - - /operator-controller - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/cache - name: cache - - mountPath: /tmp - name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate - readOnly: true + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --leader-elect + - --catalogd-cas-dir=/var/certs + - --pull-cas-dir=/var/certs + - --tls-cert=/var/certs/tls.cert + - --tls-key=/var/certs/tls.key + command: + - /operator-controller + image: "quay.io/operator-framework/operator-controller:devel" + image: quay.io/operator-framework/operator-controller:devel + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + 
readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/cache + name: cache + - mountPath: /tmp + name: tmp + - mountPath: /var/certs/ + name: olmv1-certificate + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -1779,27 +2044,35 @@ spec: serviceAccountName: operator-controller-controller-manager terminationGracePeriodSeconds: 10 volumes: - - emptyDir: {} - name: cache - - emptyDir: {} - name: tmp - - name: olmv1-certificate - secret: - items: - - key: ca.crt - path: olm-ca.crt - - key: tls.crt - path: tls.cert - - key: tls.key - path: tls.key - optional: false - secretName: olmv1-cert + - emptyDir: {} + name: cache + - emptyDir: {} + name: tmp + - name: olmv1-certificate + secret: + items: + - key: ca.crt + path: olm-ca.crt + - key: tls.crt + path: tls.cert + - key: tls.key + path: tls.key + optional: false + secretName: olmv1-cert --- +# Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager spec: 
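Review bot: The added container spec for `operator-controller-controller-manager` sets `image` twice, first as `image: "quay.io/operator-framework/operator-controller:devel"` and then as `image: quay.io/operator-framework/operator-controller:devel`. Duplicate mapping keys are not valid YAML: strict parsers reject the document and lenient ones silently keep one value, so once the two lines differ the deployed image depends on the tool that applies the manifest. The `# Source:` comments suggest this file is rendered output, so the stray line most likely comes from the 30-deployment template, which is not part of this hunk; drop the unquoted line there and re-render. The catalogd Deployment in the preceding hunk has a single `image` line, so only this container is affected.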
@@ -1818,18 +2091,26 @@ spec: annotations: cert-manager.io/allow-direct-injection: "true" --- +# Source: olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system spec: dnsNames: - - localhost - - catalogd-service.olmv1-system.svc - - catalogd-service.olmv1-system.svc.cluster.local + - localhost + - catalogd-service.olmv1-system.svc + - catalogd-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer @@ -1840,17 +2121,25 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- +# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system spec: dnsNames: - - operator-controller-service.olmv1-system.svc - - operator-controller-service.olmv1-system.svc.cluster.local + - operator-controller-service.olmv1-system.svc + - operator-controller-service.olmv1-system.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer 
@@ -1861,117 +2150,80 @@ spec: size: 256 secretName: olmv1-cert --- +# Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: olmv1-ca spec: ca: secretName: olmv1-ca --- +# Source: olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml apiVersion: cert-manager.io/v1 kind: Issuer metadata: annotations: olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: olmv1 + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager spec: selfSigned: {} --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: catalogd-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 7443 - protocol: TCP - - port: 8443 - protocol: TCP - - port: 9443 - protocol: TCP - podSelector: - matchLabels: - control-plane: catalogd-controller-manager - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: default-deny-all-traffic - namespace: olmv1-system -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - name: operator-controller-controller-manager - namespace: olmv1-system -spec: - egress: - - {} - ingress: - - ports: - - port: 8443 - protocol: TCP - podSelector: - matchLabels: - 
control-plane: operator-controller-controller-manager - policyTypes: - - Ingress - - Egress ---- +# Source: olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca olm.operatorframework.io/feature-set: standard + labels: + app.kubernetes.io/name: catalogd + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm name: catalogd-mutating-webhook-configuration webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: olmv1-system - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' - in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] - != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: olmv1-system + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + matchConditions: + - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' + name: MissingOrIncorrectMetadataNameLabel + name: 
inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 From 989e7c5b94899448f71d39808feeff53007be621 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 16:10:44 -0400 Subject: [PATCH 07/55] WIP: clean trailing whitespace Signed-off-by: Todd Short --- helm/experimental-e2e.yaml | 2 +- helm/experimental.yaml | 2 +- helm/standard-e2e.yaml | 2 +- helm/standard.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/experimental-e2e.yaml b/helm/experimental-e2e.yaml index 7045bad73..56dab4e5b 100644 --- a/helm/experimental-e2e.yaml +++ b/helm/experimental-e2e.yaml @@ -18,6 +18,6 @@ features: enabled: true helmChartSupport: enabled: true - + # This can be one of: standard, standard-e2e, experimental, or experimental-e2e featureSet: experimental-e2e diff --git a/helm/experimental.yaml b/helm/experimental.yaml index 1269d7ffc..9fbe68c8e 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml @@ -13,6 +13,6 @@ features: enabled: true helmChartSupport: enabled: true - + # This can be one of: standard, standard-e2e, experimental, or experimental-e2e featureSet: experimental diff --git a/helm/standard-e2e.yaml b/helm/standard-e2e.yaml index 0ad2fb6b0..e85e380f5 100644 --- a/helm/standard-e2e.yaml +++ b/helm/standard-e2e.yaml @@ -6,6 +6,6 @@ components: e2e: enabled: true - + # This can be one of: standard, standard-e2e, experimental, or experimental-e2e featureSet: standard-e2e diff --git a/helm/standard.yaml b/helm/standard.yaml index 5a007aadf..9e5f0fa34 100644 --- a/helm/standard.yaml +++ b/helm/standard.yaml @@ -1,6 +1,6 @@ # Default values for operator-controller. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - + # This can be one of: standard, standard-e2e, experimental, or experimental-e2e featureSet: standard 
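Review bot: All three NetworkPolicy objects are deleted from this manifest and nothing replaces them: `default-deny-all-traffic` and the per-component policies for `catalogd-controller-manager` and `operator-controller-controller-manager` appear only as removed lines, and the `# Source:` comments jump from template 35 to template 40. With this output applied, ingress to the pods in `olmv1-system` is no longer limited by policy to ports 7443/8443/9443 and 8443. If the policies are templated but switched off by a value that is not visible in this hunk, the standard feature set should enable them by default; otherwise they need to be restored before this render replaces the existing manifest. A render check that fails when no `kind: NetworkPolicy` is present for the standard feature set would catch this kind of regression.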
From b14859aca5442b97984eddacda03c0ba23e3b765 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 18 Jul 2025 17:23:10 -0400 Subject: [PATCH 08/55] WIP: more parameterization Signed-off-by: Todd Short --- helm/olmv1/templates/00-namespace.yml | 10 ++++--- ...mv1-system-catalogd-controller-manager.yml | 2 +- ...operator-controller-controller-manager.yml | 2 +- ...1-system-catalogd-leader-election-role.yml | 2 +- ...ole-olmv1-system-catalogd-manager-role.yml | 2 +- ...erator-controller-leader-election-role.yml | 2 +- ...ystem-operator-controller-manager-role.yml | 2 +- ...m-catalogd-leader-election-rolebinding.yml | 4 +-- ...v1-system-catalogd-manager-rolebinding.yml | 4 +-- ...controller-leader-election-rolebinding.yml | 4 +-- ...perator-controller-manager-rolebinding.yml | 4 +-- ...lebinding-catalogd-manager-rolebinding.yml | 2 +- ...rolebinding-catalogd-proxy-rolebinding.yml | 2 +- ...perator-controller-manager-rolebinding.yml | 2 +- ...-operator-controller-proxy-rolebinding.yml | 2 +- ...igmap-olmv1-system-e2e-registries-conf.yml | 2 +- ...-service-olmv1-system-catalogd-service.yml | 2 +- ...mv1-system-operator-controller-service.yml | 2 +- ...tvolumeclaim-olmv1-system-e2e-coverage.yml | 2 +- ...mv1-system-catalogd-controller-manager.yml | 26 +++++++++++++++++-- ...operator-controller-controller-manager.yml | 24 ++++++++++++++++- .../31-certificate-cert-manager-olmv1-ca.yml | 2 +- ...ate-olmv1-system-catalogd-service-cert.yml | 6 ++--- ...33-certificate-olmv1-system-olmv1-cert.yml | 6 ++--- ...5-issuer-cert-manager-self-sign-issuer.yml | 2 +- ...mv1-system-catalogd-controller-manager.yml | 2 +- ...-olmv1-system-default-deny-all-traffic.yml | 2 +- ...operator-controller-controller-manager.yml | 2 +- ...pod-olmv1-system-e2e-coverage-copy-pod.yml | 2 +- ...atalogd-mutating-webhook-configuration.yml | 4 +-- helm/olmv1/values.yaml | 20 ++++++++++++-- 31 files changed, 108 insertions(+), 44 deletions(-) 
diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml index cc7d3923a..7b054e3e0 100644 --- a/helm/olmv1/templates/00-namespace.yml +++ b/helm/olmv1/templates/00-namespace.yml @@ -4,9 +4,13 @@ kind: Namespace metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} + {{- with .Values.namespaces.olmv1.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest - name: {{ .Values.namespaces.olmv1 }} + {{- with .Values.namespaces.olmv1.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml index 96bfdf9b4..3c69f5162 100644 --- a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml @@ -8,5 +8,5 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml index 5d1cbcc59..67cd4c3a0 100644 --- a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml 
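Review bot: The Namespace template no longer sets `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: latest` itself; they are replaced by whatever `.Values.namespaces.olmv1.labels` contains. Pod Security Admission enforcement for the namespace then depends on the values file, whose defaults are not visible in this hunk, and any values file that omits or overrides the key lowers the level without the template noticing. I would keep the two enforce labels fixed in the template and use the `with` block only for additional labels, or at least guard them with `required`. A comment such as `# extra labels only; pod-security enforce labels are set by the chart` above the `with` block would document that split.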
@@ -8,5 +8,5 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml index bb2b23c24..9f689a4c9 100644 --- a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml +++ b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-leader-election-role - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} rules: - apiGroups: - "" diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index 45bf57d2a..862e68edf 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-role - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} rules: - apiGroups: - "" diff --git a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml index 7a6590b1d..75d0f25c1 100644 --- a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml +++ b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml 
@@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-leader-election-role - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} rules: - apiGroups: - "" diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index 08388421b..d9cc94678 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-role - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} rules: - apiGroups: - "" diff --git a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml index e13ec9c84..00b091354 100644 --- a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-leader-election-rolebinding - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} 
diff --git a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml index f806c8791..e60cb285a 100644 --- a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-manager-rolebinding - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml index 108fc079c..533f7da0f 100644 --- a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-leader-election-rolebinding - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} 
diff --git a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml index 2d24f8252..3978cfb8b 100644 --- a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-manager-rolebinding - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml index 24f28bb33..998988869 100644 --- a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml @@ -16,5 +16,5 @@ roleRef: subjects: - kind: ServiceAccount name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml index 0a019b07a..9476c51bb 100644 --- a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml +++ b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml 
@@ -16,5 +16,5 @@ roleRef: subjects: - kind: ServiceAccount name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml index c4e6b86ab..8ea8a3b2f 100644 --- a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml @@ -16,5 +16,5 @@ roleRef: subjects: - kind: ServiceAccount name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml index a2e23cc95..60e8c6ed1 100644 --- a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml +++ b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml @@ -16,5 +16,5 @@ roleRef: subjects: - kind: ServiceAccount name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml index d1178dc25..f073d1adc 100644 --- a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml +++ b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml 
@@ -13,5 +13,5 @@ metadata: app.kubernetes.io/name: e2e {{- include "olmv1.labels" . | nindent 4 }} name: e2e-registries-conf - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} {{- end }} diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index 250b1a6f4..6695c18a0 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-service - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: ports: - name: https diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index 88791e0bd..106edd557 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-service - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: ports: - name: https diff --git a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml index d21b601a1..90251855d 100644 --- a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml +++ b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml 
@@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: e2e {{- include "olmv1.labels" . | nindent 4 }} name: e2e-coverage - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: accessModes: - ReadWriteOnce diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 80f491c15..274f41f91 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -10,7 +10,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: minReadySeconds: 5 replicas: 1 @@ -45,7 +45,7 @@ spec: - args: - --leader-elect - --metrics-bind-address=:7443 - - --external-address=catalogd-service.{{ .Values.namespaces.olmv1 }}.svc + - --external-address=catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc {{- if .Values.features.apiV1MetasHandler.enabled }} - --feature-gates=APIV1MetasHandler=true {{- end }} @@ -92,11 +92,16 @@ spec: name: cache - mountPath: /tmp name: tmp + {{- if .Values.components.certManager.enabled }} - mountPath: /var/certs name: catalogserver-certs - mountPath: /var/ca-certs/ name: olmv1-certificate readOnly: true + {{- end }} + {{- with .Values.components.catalogd.volumeMounts }} + {{- toYaml . | nindent }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -113,6 +118,7 @@ spec: name: cache - emptyDir: {} name: tmp + {{- if .Values.components.certManager.enabled }} - name: catalogserver-certs secret: secretName: catalogd-service-cert-git-version 
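Review bot: In the `@@ -92,11 +92,16 @@` hunk the new volumeMounts block calls `{{- toYaml . | nindent }}` without a width, and `nindent` needs the number of spaces as its first argument, so rendering fails as soon as `components.catalogd.volumeMounts` is set. It should read like the neighbouring blocks, e.g. `{{- toYaml . | nindent 12 }}`, with the width matched to the list items (the page has lost the original indentation, so the exact number needs checking). The same line appears in the 30-deployment template for `components.operatorController.volumeMounts`. Separately, the cert mounts are now skipped when `components.certManager.enabled` is false; the `--tls-cert`/`--tls-key` arguments are outside this hunk, so please confirm they are gated the same way and that a values-supplied mount is required in that case rather than the server starting without its certificate files.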
@@ -123,4 +129,20 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version + {{- end }} + {{- with .Values.components.catalogd.volumes }} + {{- toYaml . | indent 8 }} + {{- end }} + {{- with .Values.components.catalogd.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.components.catalogd.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.components.catalogd.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index eb4213617..27a3c5066 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -10,7 +10,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: replicas: 1 selector: @@ -104,9 +104,14 @@ spec: name: cache - mountPath: /tmp name: tmp + {{- if .Values.components.certManager.enabled }} - mountPath: /var/certs/ name: olmv1-certificate readOnly: true + {{- end }} + {{- with .Values.components.operatorController.volumeMounts }} + {{- toYaml . | nindent }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -126,6 +131,7 @@ spec: name: cache - emptyDir: {} name: tmp + {{- if .Values.components.certManager.enabled }} - name: olmv1-certificate secret: items: 
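Review bot: `{{- toYaml . | indent 8 }}` for `components.catalogd.volumes` will not start on its own line: the leading `{{-` strips the newline before it and `indent`, unlike `nindent`, does not add one, so the first rendered volume is appended to the preceding line and the manifest is no longer valid YAML. Use `{{- toYaml . | nindent 8 }}`, as the `nodeSelector`, `affinity` and `tolerations` blocks in this hunk already do. The `@@ -137,4 +143,20 @@` hunk of the operator-controller deployment has the same line for `components.operatorController.volumes`.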
@@ -137,4 +143,20 @@ spec: path: tls.key optional: false secretName: olmv1-cert + {{- end }} + {{- with .Values.components.operatorController.volumes }} + {{- toYaml . | indent 8 }} + {{- end }} + {{- with .Values.components.operatorController.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.components.operatorController.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.components.operatorController.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml index c3237a51c..8118e1f4a 100644 --- a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml +++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-ca - namespace: {{ .Values.namespaces.certManager }} + namespace: {{ .Values.namespaces.certManager.name }} spec: commonName: olmv1-ca isCA: true diff --git a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml index c5cdbd3c1..8291a9343 100644 --- a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml +++ b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml 
@@ -8,12 +8,12 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-service-cert - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: dnsNames: - localhost - - catalogd-service.{{ .Values.namespaces.olmv1 }}.svc - - catalogd-service.{{ .Values.namespaces.olmv1 }}.svc.cluster.local + - catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc + - catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml index 00e5ab04b..fcb6de3e2 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +++ b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml @@ -8,11 +8,11 @@ metadata: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-cert - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: dnsNames: - - operator-controller-service.{{ .Values.namespaces.olmv1 }}.svc - - operator-controller-service.{{ .Values.namespaces.olmv1 }}.svc.cluster.local + - operator-controller-service.{{ .Values.namespaces.olmv1.name }}.svc + - operator-controller-service.{{ .Values.namespaces.olmv1.name }}.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer diff --git a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml index 4208b87ef..29b215e2c 100644 --- a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml +++ b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml 
@@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} name: self-sign-issuer - namespace: {{ .Values.namespaces.certManager }} + namespace: {{ .Values.namespaces.certManager.name }} spec: selfSigned: {} {{- end }} diff --git a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml index 19d419ed9..b96ac66c5 100644 --- a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: egress: - {} diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml index 03ce22aa3..67ded54d7 100644 --- a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} name: default-deny-all-traffic - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: podSelector: {} policyTypes: diff --git a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml index 2b807e88c..3dc3911b1 100644 --- a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml 
@@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: egress: - {} diff --git a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml index 3a2085032..f792a8acb 100644 --- a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml +++ b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/name: e2e {{- include "olmv1.labels" . | nindent 4 }} name: e2e-coverage-copy-pod - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} spec: containers: - command: diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 68cc87004..6de54e6a8 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -4,7 +4,7 @@ kind: MutatingWebhookConfiguration metadata: annotations: {{- if .Values.components.certManager.enabled }} - cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager }}/olmv1-ca + cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager.name }}/olmv1-ca {{- end }} {{- include "olmv1.annotations" . | nindent 4 }} labels: @@ -17,7 +17,7 @@ webhooks: clientConfig: service: name: catalogd-service - namespace: {{ .Values.namespaces.olmv1 }} + namespace: {{ .Values.namespaces.olmv1.name }} path: /mutate-olm-operatorframework-io-v1-clustercatalog port: 9443 failurePolicy: Fail 
diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 58dd9f744..c3fb5056d 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -10,12 +10,22 @@ components: repository: quay.io/operator-framework/operator-controller pullPolicy: IfNotPresent tag: devel + volumeMounts: {} + volumes: {} + affinity: {} + nodeSelector: {} + tolerations: {} catalogd: enabled: true image: repository: quay.io/operator-framework/catalogd pullPolicy: IfNotPresent tag: devel + volumeMounts: {} + volumes: {} + affinity: {} + nodeSelector: {} + tolerations: {} certManager: enabled: true e2e: @@ -38,8 +48,14 @@ featureSet: standard # The set of namespaces namespaces: - olmv1: olmv1-system - certManager: cert-manager + olmv1: + name: olmv1-system + labels: + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + annotations: {} + certManager: + name: cert-manager # Pod-level security context podSecurityContext: From 0449f660a303485c4ad287c719f6f27da690c94b Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 09:23:55 -0400 Subject: [PATCH 09/55] WIP: Add podArguments and service.annotations Signed-off-by: Todd Short --- .../templates/26-service-olmv1-system-catalogd-service.yml | 3 +++ .../27-service-olmv1-system-operator-controller-service.yml | 3 +++ ...-deployment-olmv1-system-catalogd-controller-manager.yml | 3 +++ ...-olmv1-system-operator-controller-controller-manager.yml | 3 +++ helm/olmv1/values.yaml | 6 ++++++ 5 files changed, 18 insertions(+) diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index 6695c18a0..6ced60bae 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml 
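Review bot: The new defaults `volumeMounts: {}`, `volumes: {}` and `tolerations: {}` are maps, but the deployment templates emit them with `toYaml` into fields that Kubernetes defines as lists. `with` treats an empty map and an empty list alike, so nothing breaks today, but the default tells chart users the wrong type. Prefer `volumeMounts: []`, `volumes: []` and `tolerations: []`, leaving `affinity` and `nodeSelector` as `{}`; the same applies under `catalogd`.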
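Review bot: The `pod-security.kubernetes.io/enforce: restricted` label is now an ordinary chart value with no comment, so an override of `namespaces.olmv1.labels` can relax or remove Pod Security admission enforcement for the namespace without the reader of a values file seeing what was lost. A comment above the key would make that visible: `# Pod Security Admission labels; relaxing or removing them changes enforcement for every pod in this namespace`. `enforce-version: latest` also means the enforced profile follows the cluster version rather than a pinned one, which is worth stating in the same comment. How the namespace template consumes `labels` and `annotations` is not visible in this hunk.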
@@ -4,6 +4,9 @@ kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} + {{- with .Values.components.catalogd.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index 106edd557..86e096716 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml @@ -4,6 +4,9 @@ kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} + {{- with .Values.components.operatorController.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 274f41f91..f70690c55 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -52,6 +52,9 @@ spec: - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - --pull-cas-dir=/var/ca-certs + {{- with .Values.components.operatorController.podArguments }} + {{- toYaml . | nindent 12 }} + {{- end }} command: - ./catalogd {{- if .Values.components.e2e.enabled }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 27a3c5066..376fc72eb 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml 
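Review bot: The catalogd deployment reads `.Values.components.operatorController.podArguments`, and the operator-controller deployment in the following `@@ -61,6 +61,9 @@` hunk reads `.Values.components.catalogd.podArguments`, so each component receives the extra flags configured for the other. Swap them: `{{- with .Values.components.catalogd.podArguments }}` here and `{{- with .Values.components.operatorController.podArguments }}` there. The values.yaml default `podArguments: {}` is also a map although the value is rendered into the `args` list; `[]` would match the type.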
+++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -61,6 +61,9 @@ spec: - --pull-cas-dir=/var/certs - --tls-cert=/var/certs/tls.cert - --tls-key=/var/certs/tls.key + {{- with .Values.components.catalogd.podArguments }} + {{- toYaml . | nindent 12 }} + {{- end }} command: - /operator-controller {{- if .Values.components.e2e.enabled }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index c3fb5056d..01363159e 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -15,6 +15,9 @@ components: affinity: {} nodeSelector: {} tolerations: {} + podArguments: {} + service: + annotations: {} catalogd: enabled: true image: @@ -26,6 +29,9 @@ components: affinity: {} nodeSelector: {} tolerations: {} + podArguments: {} + service: + annotations: {} certManager: enabled: true e2e: From ef7b65dbcab189f440a17f048354de094b90828c Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 10:38:56 -0400 Subject: [PATCH 10/55] WIP: Initial moving of generated files to helm 
Signed-off-by: Todd Short --- Makefile | 20 +- hack/tools/update-crds.sh | 2 +- hack/tools/update-yaml-labels-annotations.sh | 23 + ....operatorframework.io_clustercatalogs.yaml | 442 +++++++++++++ ....operatorframework.io_clustercatalogs.yaml | 442 +++++++++++++ .../base/catalogd/rbac/experimental/role.yaml | 56 ++ .../base/catalogd/rbac/standard/role.yaml | 56 ++ .../webhook/experimental/manifests.yaml | 31 + .../catalogd/webhook/standard/manifests.yaml | 31 + ...peratorframework.io_clusterextensions.yaml | 590 ++++++++++++++++++ ...peratorframework.io_clusterextensions.yaml | 590 ++++++++++++++++++ .../rbac/experimental/role.yaml | 95 +++ .../rbac/standard/role.yaml | 95 +++ 13 files changed, 2464 insertions(+), 9 deletions(-) create mode 100755 hack/tools/update-yaml-labels-annotations.sh create mode 100644 helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml create mode 100644 helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml create mode 100644 helm/olmv1/base/catalogd/rbac/experimental/role.yaml create mode 100644 helm/olmv1/base/catalogd/rbac/standard/role.yaml create mode 100644 helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml create mode 100644 helm/olmv1/base/catalogd/webhook/standard/manifests.yaml create mode 100644 helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml create mode 100644 helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml create mode 100644 helm/olmv1/base/operator-controller/rbac/experimental/role.yaml create mode 100644 helm/olmv1/base/operator-controller/rbac/standard/role.yaml diff --git a/Makefile b/Makefile index 0c74e6f14..daeabb104 100644 --- a/Makefile +++ b/Makefile 
@@ -141,13 +141,19 @@ tidy: go mod tidy .PHONY: manifests -KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac -KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook -KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac -BASE_COPY := helm/olmv1/base +KUSTOMIZE_CATD_RBAC_DIR := helm/olmv1/base/catalogd/rbac +KUSTOMIZE_CATD_WEBHOOKS_DIR := helm/olmv1/base/catalogd/webhook +KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files # So we have to generate them together and then move them into place manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. + mkdir -p helm/olmv1/base/catalogd/rbac + mkdir -p helm/olmv1/base/catalogd/crd/standard + mkdir -p helm/olmv1/base/catalogd/crd/experimental + mkdir -p helm/olmv1/base/catalogd/webhook + mkdir -p helm/olmv1/base/operator-controller/rbac + mkdir -p helm/olmv1/base/operator-controller/crd/standard + mkdir -p helm/olmv1/base/operator-controller/crd/experimental # Generate CRDs via our own generator hack/tools/update-crds.sh # Generate the remaining operator-controller standard manifests 
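Review bot: The seven `mkdir -p` lines repeat as literals the directories that the three `KUSTOMIZE_*_DIR` variables above were just changed to, so the next move of the base directory has to be made in two places. Derive both from one variable, for example `BASE_DIR := helm/olmv1/base` with `KUSTOMIZE_CATD_RBAC_DIR := $(BASE_DIR)/catalogd/rbac` and `mkdir -p $(BASE_DIR)/catalogd/crd/standard`. The recipe continues in the next hunk.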
@@ -160,16 +166,14 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, # Generate the remaining catalogd experimental manifests $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental + # Update base config to include helm templates + ./hack/tools/update-yaml-labels-annotations.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - rm -rf $(BASE_COPY) - mkdir -p $(BASE_COPY) - cp -r config/base/* $(BASE_COPY) helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST) helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) - rm -rf $(BASE_COPY) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/hack/tools/update-crds.sh b/hack/tools/update-crds.sh index 8627784fe..6b74141d6 100755 --- a/hack/tools/update-crds.sh +++ b/hack/tools/update-crds.sh @@ -42,7 +42,7 @@ for b in ${!modules[@]}; do # will not be generated for the standard channel - so we check the expected generated # file exists before copying it. FILE="${CRD_TMP}/${c}/${crds[${b}]}" - [[ -e "${FILE}" ]] && cp "${FILE}" config/base/${modules[${b}]}/crd/${c} + [[ -e "${FILE}" ]] && cp "${FILE}" helm/olmv1/base/${modules[${b}]}/crd/${c} done done diff --git a/hack/tools/update-yaml-labels-annotations.sh b/hack/tools/update-yaml-labels-annotations.sh new file mode 100755 index 000000000..7621dfe5d --- /dev/null 
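Review bot: In the update-crds.sh hunk, `cp "${FILE}" helm/olmv1/base/${modules[${b}]}/crd/${c}` writes a regular file named `standard` or `experimental` if the target directory is missing, which only the `mkdir -p` lines in the Makefile prevent when the script is run through `make manifests`. Quoting the destination and ending it with a slash makes `cp` fail instead: `[[ -e "${FILE}" ]] && cp "${FILE}" "helm/olmv1/base/${modules[${b}]}/crd/${c}/"`. The loop this line belongs to starts outside the hunk.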
+++ b/hack/tools/update-yaml-labels-annotations.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set -x + +filelist=( + helm/olmv1/base/catalogd/rbac/experimental/*.yaml + helm/olmv1/base/catalogd/rbac/standard/*.yaml + helm/olmv1/base/catalogd/webhook/experimental/*.yaml + helm/olmv1/base/catalogd/webhook/standard/*.yaml + helm/olmv1/base/operator-controller/rbac/experimental/*.yaml + helm/olmv1/base/operator-controller/rbac/standard/*.yaml +) + +for f in "${filelist[@]}"; do + # Put in the temporary items + yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}" + yq -i '.metadata.labels.replaceMe = "labels"' "${f}" + # Replace with helm template - must be done last or yq will complain about the file format + sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annoations" | nindent 4 }}/g' "${f}" + sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" | nindent 4 }}/g' "${f}" + # Delete sed's backup file + rm "${f}.bak" +done diff --git a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml new file mode 100644 index 000000000..2d5722a47 --- /dev/null +++ b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml 
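Review bot: The first `sed` replacement names the template `olmv1.annoations`, while every chart template in this series includes `olmv1.annotations`, and both replacements call `include` without the `.` context argument that the templates pass. If these base files are rendered by Helm, that fails on an undefined template or a wrong argument count; write `{{- include "olmv1.annotations" . | nindent 4 }}` and `{{- include "olmv1.labels" . | nindent 4 }}`. The script also sets only `set -x`, so a failing `yq` does not stop the loop and `make manifests` continues with half-edited files; add `set -euo pipefail` after the shebang.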
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml new file mode 100644 index 000000000..cde14b13b --- /dev/null 
+++ b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml 
@@ -0,0 +1,442 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clustercatalogs.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterCatalog + listKind: ClusterCatalogList + plural: clustercatalogs + singular: clustercatalog + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. 
+ properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. 
+ format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
+ Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. 
+ The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. 
the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml new file mode 100644 index 000000000..ee242973c --- /dev/null +++ b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml 
@@ -0,0 +1,56 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helm/olmv1/base/catalogd/rbac/standard/role.yaml b/helm/olmv1/base/catalogd/rbac/standard/role.yaml
new file mode 100644
index 000000000..ee242973c
--- /dev/null
+++ b/helm/olmv1/base/catalogd/rbac/standard/role.yaml
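Review bot: Both `include` calls in the two metadata blocks lack their context argument, so `{{- include "olmv1.annoations" | nindent 4 }}` and `{{- include "olmv1.labels" | nindent 4 }}` would fail with a wrong-number-of-arguments error if Helm renders this file. They should read `{{- include "olmv1.labels" . | nindent 4 }}`, and likewise for the annotations helper. The helper name is also spelled `olmv1.annoations`, which only resolves if the `define` (not visible in this hunk) carries the same misspelling. The same lines appear in rbac/standard/role.yaml and in both webhook manifests.yaml files added by the following hunks.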
@@ -0,0 +1,56 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml
new file mode 100644
index 000000000..9d20a551a
--- /dev/null
+++ b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-olm-operatorframework-io-v1-clustercatalog
+ failurePolicy: Fail
+ name: inject-metadata-name.olm.operatorframework.io
+ rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clustercatalogs
+ sideEffects: None
+ timeoutSeconds: 10
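Review bot: The namespaced `manager-role` Role grants `get`, `list` and `watch` on all `secrets` in `olmv1-system`, and `list`/`watch` return secret data, so whatever subject is bound to it can read every credential kept in that namespace. If only a known set of secrets is needed (presumably registry pull secrets or TLS material), I would split the rule and restrict `get` with `resourceNames:`. At minimum, a comment above `- secrets` should say which secrets the controller reads and why. `namespace: olmv1-system` is also hard-coded, so the Role does not follow the release namespace. The experimental copy of this file in the previous hunk is identical and needs the same change.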
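Review bot: `clientConfig.service.namespace: system` looks like a kustomize placeholder carried over unchanged. With `failurePolicy: Fail`, a webhook pointing at a service in a non-existent `system` namespace rejects every CREATE and UPDATE of `clustercatalogs`. It should resolve to the install namespace, e.g. `namespace: {{ .Release.Namespace }}`, or at least match the `olmv1-system` used in role.yaml. No `caBundle` or CA-injection annotation is visible in this hunk, so confirm that the annotations helper supplies one; otherwise the API server has no CA to verify a privately issued serving certificate. webhook/standard/manifests.yaml in the next hunk is identical.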
diff --git a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml
new file mode 100644
index 000000000..9d20a551a
--- /dev/null
+++ b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-olm-operatorframework-io-v1-clustercatalog
+ failurePolicy: Fail
+ name: inject-metadata-name.olm.operatorframework.io
+ rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clustercatalogs
+ sideEffects: None
+ timeoutSeconds: 10
diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml
new file mode 100644
index 000000000..162683603
--- /dev/null
+++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: experimental + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml new file mode 100644 index 000000000..18faa5978 --- /dev/null +++ b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + olm.operatorframework.io/generator: standard + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. 
+ properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. 
+ + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. + + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. 
Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". + + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. 
Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. 
+ + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. 
+ BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml new file mode 100644 index 000000000..becd033e5 --- /dev/null +++ b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml 
@@ -0,0 +1,95 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml
new file mode 100644
index 000000000..becd033e5
--- /dev/null
+++ b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml
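Review bot: The ClusterRole's first rule grants `create` on `serviceaccounts/token` with no `resourceNames` limit, so the identity bound to `manager-role` can request a token for any service account in any namespace, including ones bound to much broader roles than this one. The ClusterExtension CRD in this patch requires a `serviceAccount`, so the grant looks intentional, but the file does not say so; I would add above the rule `# cluster-wide TokenRequest: the controller acts as the ServiceAccount named in each ClusterExtension`. In practice this presumably makes write access to ClusterExtensions equivalent to acting as any service account, which is worth stating in the chart's documentation and watching for in audit logs. The same rule appears in the identical `rbac/standard/role.yaml` hunk that follows. If controller-gen regenerates this file, the comment belongs at the RBAC marker in the Go source instead.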
@@ -0,0 +1,95 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+ annotations:
+ {{- include "olmv1.annoations" | nindent 4 }}
+ labels:
+ {{- include "olmv1.labels" | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
From 6993116ac573a245a620f7a625e1511479f626c3 Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Mon, 21 Jul 2025 14:15:37 -0400
Subject: [PATCH 11/55] WIP: Patch base for helm use
Signed-off-by: Todd Short --- Makefile | 10 +- hack/tools/patch-base-for-helm.sh | 67 + hack/tools/update-yaml-labels-annotations.sh | 23 - ....operatorframework.io_clustercatalogs.yaml | 737 +++--- ....operatorframework.io_clustercatalogs.yaml | 737 +++--- .../base/catalogd/rbac/experimental/role.yaml | 20 +- .../base/catalogd/rbac/standard/role.yaml | 20 +- .../webhook/experimental/manifests.yaml | 18 +- .../catalogd/webhook/standard/manifests.yaml | 18 +- ...peratorframework.io_clusterextensions.yaml | 1090 +++++---- ...peratorframework.io_clusterextensions.yaml | 1090 +++++---- .../rbac/experimental/role.yaml | 20 +- .../rbac/standard/role.yaml | 20 +- ...ustercatalogs.olm.operatorframework.io.yml | 4 +- ...terextensions.olm.operatorframework.io.yml | 4 +- ...ole-olmv1-system-catalogd-manager-role.yml | 27 +- ...ystem-operator-controller-manager-role.yml | 39 +- .../09-clusterrole-catalogd-manager-role.yml | 39 - ...ontroller-clusterextension-editor-role.yml | 2 +- ...rrole-operator-controller-manager-role.yml | 66 - ...atalogd-mutating-webhook-configuration.yml | 44 +- manifests/experimental-e2e.yaml | 2053 ++++++++--------- manifests/experimental.yaml | 2053 ++++++++--------- manifests/standard-e2e.yaml | 2053 ++++++++--------- manifests/standard.yaml | 2053 ++++++++--------- 25 files changed, 5941 insertions(+), 6366 deletions(-) create mode 100755 hack/tools/patch-base-for-helm.sh delete mode 100755 hack/tools/update-yaml-labels-annotations.sh delete mode 100644 helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml delete mode 100644 helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml diff --git a/Makefile b/Makefile index daeabb104..ba4bff42e 100644 --- a/Makefile +++ b/Makefile 
@@ -157,17 +157,17 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, # Generate CRDs via our own generator hack/tools/update-crds.sh # Generate the remaining operator-controller standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard # Generate the remaining operator-controller experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental # Generate the remaining catalogd standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard # Generate the remaining catalogd experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." 
output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental # Update base config to include helm templates - ./hack/tools/update-yaml-labels-annotations.sh + ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh new file mode 100755 index 000000000..d42e25c74 --- /dev/null +++ b/hack/tools/patch-base-for-helm.sh 
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -x
+
+# Patch catalogd rbac
+catalogd_rbac_filelist=(
+ helm/olmv1/base/catalogd/rbac/experimental/*.yaml
+ helm/olmv1/base/catalogd/rbac/standard/*.yaml
+)
+for f in "${catalogd_rbac_filelist[@]}"; do
+ yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
+ rm "${f}.bak"
+done
+
+# Patch operator-controller rbac
+operator_controller_rbac_filelist=(
+ helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
+ helm/olmv1/base/operator-controller/rbac/standard/*.yaml
+)
+for f in "${operator_controller_rbac_filelist[@]}"; do
+ yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}"
+ rm "${f}.bak"
+done
+
+# Patch catalogd webhook
+catalogd_webhook_filelist=(
+ helm/olmv1/base/catalogd/webhook/experimental/*.yaml
+ helm/olmv1/base/catalogd/webhook/standard/*.yaml
+)
+for f in "${catalogd_webhook_filelist[@]}"; do
+ yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
+ yq -i '.metadata.name = "catalogd-mutating-webhook-configuration"' "${f}"
+ # This really only applies to cert-manager configs, but it's an annotation
+ yq -i '.metadata.annotations["cert-manager.io/inject-ca-from-secret"] = "cert-manager/olmv1-ca"' "${f}"
+ yq -i '.webhooks[0].clientConfig.service.namespace = "olmv1-system"' "${f}"
+ yq -i '.webhooks[0].clientConfig.service.name = "catalogd-service"' "${f}"
+ yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}"
+ yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}"
+ yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}"
+ rm "${f}.bak"
+done
+
+# Patch everything genericly
+filelist=(
+ helm/olmv1/base/catalogd/rbac/experimental/*.yaml
+ helm/olmv1/base/catalogd/rbac/standard/*.yaml
+ helm/olmv1/base/catalogd/crd/experimental/*.yaml
+ helm/olmv1/base/catalogd/crd/standard/*.yaml
+ helm/olmv1/base/catalogd/webhook/experimental/*.yaml
+ helm/olmv1/base/catalogd/webhook/standard/*.yaml
+ helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
+ helm/olmv1/base/operator-controller/rbac/standard/*.yaml
+ helm/olmv1/base/operator-controller/crd/experimental/*.yaml
+ helm/olmv1/base/operator-controller/crd/standard/*.yaml
+)
+
+for f in "${filelist[@]}"; do
+ # Patch in the temporary items
+ yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}"
+ yq -i '.metadata.labels.replaceMe = "labels"' "${f}"
+ # Replace with helm template - must be done last or yq will complain about the file format
+ sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}"
+ sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}"
+ sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}"
+ # Delete sed's backup file
+ rm "${f}.bak"
+done
diff --git a/hack/tools/update-yaml-labels-annotations.sh b/hack/tools/update-yaml-labels-annotations.sh
deleted file mode 100755
index 7621dfe5d..000000000
--- a/hack/tools/update-yaml-labels-annotations.sh
+++ /dev/null
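Review bot: The new script runs with only `set -x`, so a failing `yq` or `sed` (tool missing, a glob that matches nothing, a parse error) does not stop it, and `make manifests` goes on to render the RBAC and webhook manifests from half-patched base files. I would make it fail closed with `set -eux` in place of `set -x`. The `rm "${f}.bak"` lines in the first three loops would then abort the run, because as far as I know `yq -i` writes no backup file and only the `sed -i.bak` calls in the last loop create one, so drop those three lines or change them to `rm -f "${f}.bak"`. Worth a header comment too, saying that the script must run on freshly generated YAML, since the `{{ ... }}` lines it inserts are what the in-script comment warns `yq` will reject.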
@@ -1,23 +0,0 @@ -#!/bin/bash - -set -x - -filelist=( - helm/olmv1/base/catalogd/rbac/experimental/*.yaml - helm/olmv1/base/catalogd/rbac/standard/*.yaml - helm/olmv1/base/catalogd/webhook/experimental/*.yaml - helm/olmv1/base/catalogd/webhook/standard/*.yaml - helm/olmv1/base/operator-controller/rbac/experimental/*.yaml - helm/olmv1/base/operator-controller/rbac/standard/*.yaml -) - -for f in "${filelist[@]}"; do - # Put in the temporary items - yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}" - yq -i '.metadata.labels.replaceMe = "labels"' "${f}" - # Replace with helm template - must be done last or yq will complain about the file format - sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annoations" | nindent 4 }}/g' "${f}" - sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" | nindent 4 }}/g' "${f}" - # Delete sed's backup file - rm "${f}.bak" -done diff --git a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml index 2d5722a47..e9df20ccb 100644 --- a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml +++ b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml @@ -5,7 +5,10 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental + {{- include "olmv1.annotations" . | nindent 4 }} name: clustercatalogs.olm.operatorframework.io + labels: + {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
@@ -15,428 +18,384 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. - Allowed values are "Available" and "Unavailable" and omitted. + Allowed values are "Available" and "Unavailable" and omitted. - When omitted, the default value is "Available". + When omitted, the default value is "Available". 
- When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. 
+ A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - When omitted, the default priority is 0 because that is the zero value of integers. + When omitted, the default priority is 0 because that is the zero value of integers. - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. 
- source is a required field. + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. 
- - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. 
+ When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + A reference can be broken down into 3 parts - the domain, name, and identifier. - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. 
valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - The only allowed value is "Image". + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - The current condition types are Serving and Progressing. + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. 
+ An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + The only allowed value is "Image". - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Image type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - type type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - ref: + lastTransitionTime: description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. 
- maxLength: 1000 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The only allowed value is "Image". + The only allowed value is "Image". - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. - It is expected that clients append the path for the endpoint they wish - to access. + It is expected that clients append the path for the endpoint they wish + to access. - Currently, only a single endpoint is served and is accessible at the path - /api/v1. + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
- The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {}
diff --git a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml
index cde14b13b..fb662143c 100644
--- a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml
+++ b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml
@@ -5,7 +5,10 @@ metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.18.0
 olm.operatorframework.io/generator: standard
+ {{- include "olmv1.annotations" . | nindent 4 }}
 name: clustercatalogs.olm.operatorframework.io
+ labels:
+ {{- include "olmv1.labels" . | nindent 4 }}
 spec:
 group: olm.operatorframework.io
 names:
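Review bot: The two `include` lines added under `metadata` (`olmv1.annotations` inside `annotations:` and `olmv1.labels` under the new `labels:` key) mean this file can no longer be loaded as plain YAML before Helm renders it, while the retained `controller-gen.kubebuilder.io/version: v0.18.0` annotation still marks it as controller-gen output. If CRDs are regenerated into this path, or if anything reads the file directly rather than through the chart, the directives would be overwritten or rejected; neither workflow is visible in this hunk, so this needs confirming. A header comment such as `# Helm template: the metadata includes are hand-maintained; re-apply them after controller-gen regeneration` would make that explicit. Because the helper output lands verbatim in the metadata of a cluster-scoped CRD, the helpers should also quote values-derived strings (e.g. `{{ $v | quote }}`), which cannot be checked here as their definitions are outside the hunk.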
@@ -15,428 +18,384 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. - Allowed values are "Available" and "Unavailable" and omitted. + Allowed values are "Available" and "Unavailable" and omitted. - When omitted, the default value is "Available". + When omitted, the default value is "Available". 
- When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. 
+ A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - When omitted, the default priority is 0 because that is the zero value of integers. + When omitted, the default priority is 0 because that is the zero value of integers. - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. 
- source is a required field. + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. 
- - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. 
+ When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + A reference can be broken down into 3 parts - the domain, name, and identifier. - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. 
valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - The only allowed value is "Image". + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - The current condition types are Serving and Progressing. + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. 
+ An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + The only allowed value is "Image". - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Image type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - type type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. 
+ When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - ref: + lastTransitionTime: description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. 
- maxLength: 1000 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". 
+ format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The only allowed value is "Image". + The only allowed value is "Image". - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. - It is expected that clients append the path for the endpoint they wish - to access. + It is expected that clients append the path for the endpoint they wish + to access. - Currently, only a single endpoint is served and is accessible at the path - /api/v1. + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
- The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml index ee242973c..4d03fa3e4 100644 --- a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml +++ b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml @@ -2,11 +2,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-manager-role labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - olm.operatorframework.io 
@@ -38,12 +39,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: manager-role - namespace: olmv1-system - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - "" diff --git a/helm/olmv1/base/catalogd/rbac/standard/role.yaml b/helm/olmv1/base/catalogd/rbac/standard/role.yaml index ee242973c..4d03fa3e4 100644 --- a/helm/olmv1/base/catalogd/rbac/standard/role.yaml +++ b/helm/olmv1/base/catalogd/rbac/standard/role.yaml @@ -2,11 +2,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-manager-role labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - olm.operatorframework.io @@ -38,12 +39,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: manager-role - namespace: olmv1-system - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - "" diff --git a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml index 9d20a551a..d32a0719f 100644 --- a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml 
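Review bot: The Role's `namespace: {{ .Values.namespaces.olmv1.name }}` is rendered unquoted and without a presence check, so an empty value produces a null namespace and the Role is created in whatever namespace the release targets instead of failing the render. Making it `namespace: {{ required "namespaces.olmv1.name must be set" .Values.namespaces.olmv1.name | quote }}` turns that into a template error. The same line appears in the identical hunk for rbac/standard/role.yaml and in the webhook `clientConfig` of both webhook manifests. The Role's rules continue outside the hunk, so whether its bindings use the same value cannot be confirmed from here.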
+++ b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml @@ -2,19 +2,22 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: mutating-webhook-configuration - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-mutating-webhook-configuration labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: - v1 clientConfig: service: - name: webhook-service - namespace: system + name: catalogd-service + namespace: {{ .Values.namespaces.olmv1.name }} path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 failurePolicy: Fail name: inject-metadata-name.olm.operatorframework.io rules: @@ -29,3 +32,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml index 9d20a551a..d32a0719f 100644 --- a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml +++ b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml 
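Review bot: The new `cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca` annotation hard-codes the cert-manager namespace and Secret name while the service namespace in `clientConfig` is taken from chart values, and with `failurePolicy: Fail` a missing CA bundle means every matching ClusterCatalog write is rejected. cert-manager's cainjector only copies from a Secret that carries `cert-manager.io/allow-direct-injection: "true"`, which is not visible in this hunk, so it should be confirmed on the Secret the olmv1-ca Certificate produces. I would take the namespace from a chart value as well and add a comment above the annotation, `# CA source Secret must be annotated cert-manager.io/allow-direct-injection: "true"`. The identical hunk in webhook/standard/manifests.yaml needs the same change.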
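Review bot: The added `matchConditions` entry has no comment explaining why the webhook is skipped for some objects, and the CEL expression is long enough that the intent is easy to misread. As written it calls the webhook only when the object has a name and its `olm.operatorframework.io/metadata.name` label is absent or differs from that name; objects that reach admission without a name (presumably generateName creates) are never sent to it, so they would not get the label from this webhook. I would add `# Invoke only when the metadata.name label is missing or stale; objects without metadata.name are skipped` above the entry, and confirm the skipped case is intended. The same applies to the matching hunk in webhook/standard/manifests.yaml.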
@@ -2,19 +2,22 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: mutating-webhook-configuration - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: catalogd-mutating-webhook-configuration labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: - v1 clientConfig: service: - name: webhook-service - namespace: system + name: catalogd-service + namespace: {{ .Values.namespaces.olmv1.name }} path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 failurePolicy: Fail name: inject-metadata-name.olm.operatorframework.io rules: @@ -29,3 +32,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml index 162683603..9247e26cf 100644 --- a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml 
@@ -5,7 +5,10 @@ metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.18.0
 olm.operatorframework.io/generator: experimental
+ {{- include "olmv1.annotations" . | nindent 4 }}
 name: clusterextensions.olm.operatorframework.io
+ labels:
+ {{- include "olmv1.labels" . | nindent 4 }}
 spec:
 group: olm.operatorframework.io
 names:
@@ -15,576 +18,557 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml index 18faa5978..d2d87d5df 100644 --- a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml @@ -5,7 +5,10 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard + {{- include "olmv1.annotations" . | nindent 4 }} name: clusterextensions.olm.operatorframework.io + labels: + {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
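Review bot: The two `include` lines added under `annotations:` and `labels:` in the `@@ -5,7 +5,10 @@` hunk turn a file that still carries `controller-gen.kubebuilder.io/version: v0.18.0` into a Helm template, so it no longer parses as plain YAML and a later controller-gen run would presumably overwrite the edits. If this copy is meant to be hand-maintained, a leading template comment such as `{{- /* Derived from controller-gen output; re-apply the olmv1.annotations and olmv1.labels includes after regenerating */ -}}` would make that explicit. This matters beyond tidiness because the same file holds the CEL rules that constrain `namespace`, `serviceAccount.name` and `packageName`, and if the templated copy drifts from the generated schema, admission-time validation drifts with it. A CI step that renders the chart and diffs the CRD schema against fresh controller-gen output would catch that. The path sits under `base/` rather than `templates/`, and how Helm renders it is not visible from this hunk.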
@@ -15,576 +18,557 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml index becd033e5..7a5ea0eae 100644 --- a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml +++ b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml @@ -2,11 +2,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: operator-controller-manager-role labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - "" @@ -65,12 +66,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: manager-role - namespace: olmv1-system - annotations: - {{- include "olmv1.annoations" | nindent 4 }} + name: operator-controller-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} labels: - {{- include "olmv1.labels" | nindent 4 }} + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} rules: - apiGroups: - "" diff --git a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml index becd033e5..7a5ea0eae 100644 --- a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml +++ b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml 
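Review bot: The experimental and standard copies of this role.yaml carry the same blob ids (becd033e5..7a5ea0eae), so the operator-controller ClusterRole and Role now exist as two byte-identical files that must be edited in lockstep. A rule tightened in one copy and missed in the other would leave the two feature sets with different privileges and nothing would flag it at render time. A header comment in both files would make the coupling explicit, e.g. `# Rendered via tpl from templates/08-role-olmv1-system-operator-controller-manager-role.yml; keep standard/ and experimental/ in sync`. In the second hunk, `namespace: {{ .Values.namespaces.olmv1.name }}` renders an empty namespace when the value is unset; `namespace: {{ required "namespaces.olmv1.name must be set" .Values.namespaces.olmv1.name }}` fails the render instead. Both hunks stop inside the `rules:` list, which continues outside the hunk.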
@@ -2,11 +2,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: manager-role
- annotations:
- {{- include "olmv1.annoations" | nindent 4 }}
+ name: operator-controller-manager-role
 labels:
- {{- include "olmv1.labels" | nindent 4 }}
+ app.kubernetes.io/name: operator-controller
+ {{- include "olmv1.labels" . | nindent 4 }}
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
 rules:
 - apiGroups:
 - ""
@@ -65,12 +66,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: manager-role
- namespace: olmv1-system
- annotations:
- {{- include "olmv1.annoations" | nindent 4 }}
+ name: operator-controller-manager-role
+ namespace: {{ .Values.namespaces.olmv1.name }}
 labels:
- {{- include "olmv1.labels" | nindent 4 }}
+ app.kubernetes.io/name: operator-controller
+ {{- include "olmv1.labels" . | nindent 4 }}
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
 rules:
 - apiGroups:
 - ""
diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml
index ec0d6b8f9..6039f2ccc 100644
--- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml
+++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml
@@ -1,8 +1,8 @@
 {{- if .Values.components.catalogd.enabled }}
 {{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
-{{ .Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml" }}
+{{ tpl (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml") . }}
 {{- end }}
 {{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
-{{ .Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml" }}
+{{ tpl (.Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml") . }}
 {{- end }}
 {{- end }}
diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
index 43dcf06f4..11597bd7e 100644
--- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
+++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
@@ -1,8 +1,8 @@
 {{- if .Values.components.operatorController.enabled }}
 {{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
-{{ .Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml" }}
+{{ tpl (.Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml") . }}
 {{- end }}
 {{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
-{{ .Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml" }}
+{{ tpl (.Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml") . }}
 {{- end }}
 {{- end }}
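Review bot: Wrapping the CRD files in `tpl` sends the entire controller-gen output through the template engine, not just the metadata, so a literal template delimiter in a regenerated description or CEL rule would be evaluated or abort the render. This applies to both `tpl (.Files.Get ...)` lines here and to the two in the clusterextensions hunk that follows. Judging by the labels and feature-set annotation the rendered manifest gains later in this patch, only the metadata block seems to need templating. The constraint deserves a comment next to the call, e.g. `{{/* files under base/ are rendered with tpl: generated CRD text must not contain template delimiters */}}`.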
diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml
index 862e68edf..284580d77 100644
--- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml
+++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml
@@ -1,23 +1,8 @@
 {{- if .Values.components.catalogd.enabled }}
-{{/* Probably want to include this as a file somehow */}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- annotations:
- {{- include "olmv1.annotations" . | nindent 4 }}
- labels:
- app.kubernetes.io/name: catalogd
- {{- include "olmv1.labels" . | nindent 4 }}
- name: catalogd-manager-role
- namespace: {{ .Values.namespaces.olmv1.name }}
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- - serviceaccounts
- verbs:
- - get
- - list
- - watch
+{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
+{{ tpl (.Files.Get "base/catalogd/rbac/standard/role.yaml") . }}
+{{- end }}
+{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
+{{ tpl (.Files.Get "base/catalogd/rbac/experimental/role.yaml") . }}
+{{- end }}
 {{- end }}
diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml
index d9cc94678..d289775e6 100644
--- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml
+++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml
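Review bot: A `featureSet` value outside the four listed strings matches neither `if or` branch, so this template renders nothing and the release installs without the catalogd Role, with no error at render time (unless values are validated somewhere not visible here). The same pattern is added in the 08 operator-controller role template and in the 40 mutating-webhook template, where the silent result is a missing MutatingWebhookConfiguration. A guard that fails the render closes the gap: `{{- if not (has .Values.featureSet (list "standard" "standard-e2e" "experimental" "experimental-e2e")) }}{{ fail (printf "unsupported featureSet %q" .Values.featureSet) }}{{- end }}`. It would be best defined once in a named helper and included from each template.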
@@ -1,35 +1,8 @@
 {{- if .Values.components.operatorController.enabled }}
-{{/* Probably want to include this as a file somehow */}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- annotations:
- {{- include "olmv1.annotations" . | nindent 4 }}
- labels:
- app.kubernetes.io/name: operator-controller
- {{- include "olmv1.labels" . | nindent 4 }}
- name: operator-controller-manager-role
- namespace: {{ .Values.namespaces.olmv1.name }}
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - list
- - watch
+{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
+{{ tpl (.Files.Get "base/operator-controller/rbac/standard/role.yaml") . }}
+{{- end }}
+{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
+{{ tpl (.Files.Get "base/operator-controller/rbac/experimental/role.yaml") . }}
+{{- end }}
 {{- end }}
diff --git a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
deleted file mode 100644
index 0f65d4360..000000000
--- a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
+++ /dev/null
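Review bot: The file name and the removed body describe a single namespaced Role, but the role.yaml this template now loads holds a `kind: ClusterRole` at line 2 and a `kind: Role` at line 66, as the base/operator-controller/rbac hunks earlier in this patch show. The template therefore emits the cluster-scoped grant as well, and the separate 14-clusterrole template is deleted further down. A leading comment would keep RBAC reviewers from missing that: `{{/* renders the operator-controller-manager ClusterRole and the namespaced Role from base/operator-controller/rbac/<featureSet>/role.yaml */}}`. Renaming the template so it no longer says only "role" would help for the same reason.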
@@ -1,39 +0,0 @@
-{{- if .Values.components.catalogd.enabled }}
-{{/* Probably want to include this as a file somehow */}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- annotations:
- {{- include "olmv1.annotations" . | nindent 4 }}
- labels:
- app.kubernetes.io/name: catalogd
- {{- include "olmv1.labels" . | nindent 4 }}
- name: catalogd-manager-role
-rules:
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs/finalizers
- verbs:
- - update
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs/status
- verbs:
- - get
- - patch
- - update
-{{- end }}
diff --git a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml
index 7c093cfc3..e215de337 100644
--- a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml
+++ b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml
@@ -6,7 +6,7 @@ metadata:
 annotations:
 {{- include "olmv1.annotations" . | nindent 4 }}
 labels:
- app.kubernetes.io/name: operator-controller06
+ app.kubernetes.io/name: operator-controller
 {{- include "olmv1.labels" . | nindent 4 }}
 name: operator-controller-clusterextension-editor-role
 rules:
diff --git a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
deleted file mode 100644
index 05986c016..000000000
--- a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-{{- if .Values.components.operatorController.enabled }}
-{{/* Probably want to include this as a file somehow */}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- annotations:
- {{- include "olmv1.annotations" . | nindent 4 }}
- labels:
- app.kubernetes.io/name: operator-controller
- {{- include "olmv1.labels" . | nindent 4 }}
- name: operator-controller-manager-role
-rules:
- - apiGroups:
- - ""
- resources:
- - serviceaccounts/token
- verbs:
- - create
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clustercatalogs
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions
- verbs:
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions/finalizers
- verbs:
- - update
- - apiGroups:
- - olm.operatorframework.io
- resources:
- - clusterextensions/status
- verbs:
- - patch
- - update
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- - rolebindings
- - roles
- verbs:
- - list
- - watch
-{{- end }}
diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
index 6de54e6a8..75a70598d 100644
--- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
+++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
@@ -1,40 +1,8 @@
 {{- if .Values.components.catalogd.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations:
- {{- if .Values.components.certManager.enabled }}
- cert-manager.io/inject-ca-from-secret: {{ .Values.namespaces.certManager.name }}/olmv1-ca
- {{- end }}
- {{- include "olmv1.annotations" . | nindent 4 }}
- labels:
- app.kubernetes.io/name: catalogd
- {{- include "olmv1.labels" . | nindent 4 }}
- name: catalogd-mutating-webhook-configuration
-webhooks:
- - admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: catalogd-service
- namespace: {{ .Values.namespaces.olmv1.name }}
- path: /mutate-olm-operatorframework-io-v1-clustercatalog
- port: 9443
- failurePolicy: Fail
- matchConditions:
- - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)'
- name: MissingOrIncorrectMetadataNameLabel
- name: inject-metadata-name.olm.operatorframework.io
- rules:
- - apiGroups:
- - olm.operatorframework.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - clustercatalogs
- sideEffects: None
- timeoutSeconds: 10
+{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }}
+{{ tpl (.Files.Get "base/catalogd/webhook/standard/manifests.yaml") . }}
+{{- end }}
+{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }}
+{{ tpl (.Files.Get "base/catalogd/webhook/experimental/manifests.yaml") . }}
+{{- end }}
 {{- end }}
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index de45388fb..2107806b2 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
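Review bot: The removed body emitted `cert-manager.io/inject-ca-from-secret` only under `{{- if .Values.components.certManager.enabled }}`, while the replacement loads base/catalogd/webhook/<featureSet>/manifests.yaml, which this hunk does not show. The webhook runs with `failurePolicy: Fail`, so a base file that drops the annotation would leave the API server unable to verify the webhook and would reject ClusterCatalog CREATE and UPDATE requests. One that hard-codes it would request CA injection on clusters where cert-manager is disabled. It is worth confirming that both base manifests keep the conditional and the `{{ .Values.namespaces.certManager.name }}/olmv1-ca` reference. A comment at the top of this template should record the dependency, e.g. `{{/* base manifests must keep the certManager.enabled guard around the CA-injection annotation */}}`.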
@@ -181,7 +181,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental + olm.operatorframework.io/feature-set: experimental-e2e name: clustercatalogs.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -191,431 +198,387 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. 
+ When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. 
+ The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? 
self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - pollIntervalMinutes: + lastTransitionTime: description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 type: integer - ref: + reason: description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. 
- - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". 
- The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. 
- rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". 
- - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. 
- When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. properties: - lastTransitionTime: + image: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. enum: - - "True" - - "False" - - Unknown + - Image type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - base type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. 
- properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -624,7 +587,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental + olm.operatorframework.io/feature-set: experimental-e2e name: clusterextensions.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -634,586 +604,566 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- -# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: experimental-e2e + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -1221,7 +1171,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role + annotations: + olm.operatorframework.io/feature-set: experimental-e2e rules: - apiGroups: - olm.operatorframework.io 
@@ -1250,6 +1201,75 @@ rules: - patch - update --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental-e2e +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
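Review bot: The `operator-controller-manager-role` ClusterRole added in this hunk grants `create` on `serviceaccounts/token` cluster-wide, so the controller's identity can request a token for any ServiceAccount in any namespace and act with that account's permissions. The rule is carried over unchanged from the removed `14-clusterrole-operator-controller-manager-role.yml` section, so it is not new exposure. It does now render from a template whose `# Source:` name begins `08-role-`, which reads as namespaced RBAC to anyone auditing the chart by file name. I would keep cluster-scoped objects in a `clusterrole`-named template and add a comment above the rule there, e.g. `# cluster-wide by design: tokens are requested for the serviceAccount/namespace named in each ClusterExtension spec`, if that is indeed the reason. The same naming mismatch appears for `catalogd-manager-role` earlier in this file, where `06-role-olmv1-system-catalogd-manager-role.yml` renders `kind: ClusterRole`.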
@@ -1350,75 +1370,6 @@ rules: - list - watch --- -# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental-e2e - labels: - app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: olm - name: operator-controller-manager-role -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1611,8 +1562,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: experimental-e2e + name: catalogd-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 
@@ -1620,8 +1571,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: experimental-e2e rules: - apiGroups: - "" @@ -1685,8 +1636,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: experimental-e2e + name: operator-controller-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 @@ -1694,8 +1645,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: experimental-e2e rules: - apiGroups: - "" @@ -2303,9 +2254,7 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: experimental-e2e + name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -2313,7 +2262,9 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + olm.operatorframework.io/feature-set: experimental-e2e webhooks: - admissionReviewVersions: - v1 
@@ -2324,9 +2275,6 @@ webhooks: path: /mutate-olm-operatorframework-io-v1-clustercatalog port: 9443 failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel name: inject-metadata-name.olm.operatorframework.io rules: - apiGroups: @@ -2340,3 +2288,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index ab0ab93c9..92afdfc5c 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -138,7 +138,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental + olm.operatorframework.io/feature-set: experimental name: clustercatalogs.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -148,431 +155,387 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. 
+ When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. 
+ The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? 
self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - pollIntervalMinutes: + lastTransitionTime: description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 type: integer - ref: + reason: description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. 
- - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". 
- The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. 
- rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". 
- - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. 
- When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. properties: - lastTransitionTime: + image: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. enum: - - "True" - - "False" - - Unknown + - Image type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - base type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. 
- properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -581,7 +544,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental + olm.operatorframework.io/feature-set: experimental name: clusterextensions.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -591,586 +561,566 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- -# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: experimental + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -1178,7 +1128,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role + annotations: + olm.operatorframework.io/feature-set: experimental rules: - apiGroups: - olm.operatorframework.io 
@@ -1207,6 +1158,75 @@ rules: - patch - update --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
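Review bot: The added `# Source:` line attributes this object to `olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml`, a template named for a namespaced Role in `olmv1-system`, yet the document is `kind: ClusterRole` with no namespace. The catalogd-manager-role ClusterRole just above in this file is attributed to `06-role-olmv1-system-catalogd-manager-role.yml` in the same way. If those templates now emit both the Role and the ClusterRole, anyone auditing the chart's RBAC by filename will miss the cluster-wide grant, so the ClusterRole should stay in a `clusterrole`-named template or the file should be renamed. The rules match the block removed from the `14-clusterrole-…` section further down, so the move itself does not appear to widen access. The `serviceaccounts/token` `create` rule still carries no `resourceNames`, though, and covers every namespace if this role is bound by a ClusterRoleBinding; a template comment such as `# cluster-wide on purpose: token requests target ServiceAccounts referenced by ClusterExtensions (confirm)` would record why it is not narrowed.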
@@ -1307,75 +1327,6 @@ rules: - list - watch --- -# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: experimental - labels: - app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: olm - name: operator-controller-manager-role -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1568,8 +1519,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: experimental + name: catalogd-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 
@@ -1577,8 +1528,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: experimental rules: - apiGroups: - "" @@ -1642,8 +1593,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: experimental + name: operator-controller-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 @@ -1651,8 +1602,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: experimental rules: - apiGroups: - "" @@ -2195,9 +2146,7 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: experimental + name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -2205,7 +2154,9 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + olm.operatorframework.io/feature-set: experimental webhooks: - admissionReviewVersions: - v1 
@@ -2216,9 +2167,6 @@ webhooks: path: /mutate-olm-operatorframework-io-v1-clustercatalog port: 9443 failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel name: inject-metadata-name.olm.operatorframework.io rules: - apiGroups: @@ -2232,3 +2180,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 5d711dbdc..45e772df6 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -181,7 +181,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard + olm.operatorframework.io/feature-set: standard-e2e name: clustercatalogs.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -191,431 +198,387 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. 
+ When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. 
+ The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? 
self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - pollIntervalMinutes: + lastTransitionTime: description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 type: integer - ref: + reason: description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. 
- - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". 
- The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. 
- rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". 
- - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. 
- When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. properties: - lastTransitionTime: + image: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. enum: - - "True" - - "False" - - Unknown + - Image type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - base type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. 
- properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -624,7 +587,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard + olm.operatorframework.io/feature-set: standard-e2e name: clusterextensions.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -634,586 +604,566 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- -# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -1221,7 +1171,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role + annotations: + olm.operatorframework.io/feature-set: standard-e2e rules: - apiGroups: - olm.operatorframework.io 
@@ -1250,6 +1201,75 @@ rules: - patch - update --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard-e2e +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
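Review bot: The first rule of the re-added `operator-controller-manager-role` ClusterRole grants `create` on `serviceaccounts/token` at cluster scope, so the controller can request a token for any ServiceAccount in any namespace, and nothing in the manifest says why that breadth is needed. The rule is carried over unchanged from the block this patch removes further down (old line 1350), so it is not new, but the chart template is the natural place to document it. Going by the `serviceAccount` description in the ClusterExtension CRD, the tokens are presumably for the account each extension names, so a comment above the rule such as `# cluster-wide on purpose: tokens are minted for the ServiceAccount referenced by each ClusterExtension (spec.namespace / spec.serviceAccount.name)` would do. Separately, this ClusterRole is now rendered from `08-role-olmv1-system-operator-controller-manager-role.yml`, and `catalogd-manager-role` from `06-role-olmv1-system-catalogd-manager-role.yml`. Both file names read as namespaced Roles, so someone auditing RBAC by template name could miss the cluster-scoped grants; either rename the templates or add a header comment saying they also emit a ClusterRole.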
@@ -1350,75 +1370,6 @@ rules: - list - watch --- -# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e - labels: - app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: olm - name: operator-controller-manager-role -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1611,8 +1562,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e + name: catalogd-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 
@@ -1620,8 +1571,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: standard-e2e rules: - apiGroups: - "" @@ -1685,8 +1636,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: standard-e2e + name: operator-controller-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 @@ -1694,8 +1645,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: standard-e2e rules: - apiGroups: - "" @@ -2298,9 +2249,7 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: standard-e2e + name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -2308,7 +2257,9 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + olm.operatorframework.io/feature-set: standard-e2e webhooks: - admissionReviewVersions: - v1 
@@ -2319,9 +2270,6 @@ webhooks: path: /mutate-olm-operatorframework-io-v1-clustercatalog port: 9443 failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel name: inject-metadata-name.olm.operatorframework.io rules: - apiGroups: @@ -2335,3 +2283,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 0a9560ea3..69bc4b956 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -138,7 +138,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard + olm.operatorframework.io/feature-set: standard name: clustercatalogs.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -148,431 +155,387 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. + - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. 
+ When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. + properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. 
+ The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" + - message: tag is invalid. the tag must not be more than 127 characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' + - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? 
self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - pollIntervalMinutes: + lastTransitionTime: description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 type: integer - ref: + reason: description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. 
- - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". 
- The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. - - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. 
- rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != - "" - - message: tag is invalid. the tag must not be more than 127 - characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').substring(1).size() <= 127 - : true) : true' - - message: tag is invalid. valid tags must begin with a word - character (alphanumeric + "_") followed by word characters - or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') - != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') - : true) : true' - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' required: - - ref + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based - image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) - : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". 
- - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. 
- When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved source based on the source type. properties: - lastTransitionTime: + image: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' + - message: digest is not valid. the encoded string must be at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' + - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' + required: + - ref + type: object + type: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. enum: - - "True" - - "False" - - Unknown + - Image type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - base type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved - source based on the source type. - properties: - image: - description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must - be alphanumeric characters (lowercase and uppercase) separated - by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain - lowercase alphanumeric characters separated only by the - ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') - != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms - must start with an uppercase or lowercase alpha character - followed by alphanumeric characters and may contain the - "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') - : true' - - message: digest is not valid. the encoded string must be - at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() - >= 32 : true' - - message: digest is not valid. the encoded string must only - contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') - : true' - required: - - ref - type: object - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image - type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) - : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the - catalog. 
- properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. - - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() - == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -581,7 +544,14 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard + olm.operatorframework.io/feature-set: standard name: clusterextensions.olm.operatorframework.io + labels: + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
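Review bot: The labels added under `metadata` for `clusterextensions.olm.operatorframework.io` mark the CRD as a Helm release object (`app.kubernetes.io/managed-by: Helm`, rendered from `olmv1/templates/`), and nothing in this hunk protects it from being removed together with the release. If the chart is ever installed with Helm rather than only rendered to a manifest, uninstalling the release would presumably delete the CRD and with it every ClusterExtension object on the cluster; adding `helm.sh/resource-policy: keep` to the CRD's annotations would prevent that. The `helm.sh/chart: olmv1-0.1.0` and `app.kubernetes.io/version: "1.3.0"` labels also put version strings into the rendered manifest, so every chart or app bump will touch this file; consider leaving them off the CRDs. This file appears to be rendered output, so both changes belong in the chart template rather than here.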
@@ -591,586 +561,566 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state - of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when - preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is - specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable - rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain - only lowercase alphanumeric characters, hyphens (-) or periods - (.), start and end with an alphanumeric character, and be - no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: - catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. - - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. 
For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. + properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. + Allowed values are "None" or "Strict". The default value is "Strict". - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. It is assumed that users have independently verified changes when - using this option. + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. - When this field is omitted, the default value is "CatalogProvided". 
- enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. - - Allowed values are "Catalog" - - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. - enum: - - Catalog - type: string - required: - - sourceType - type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden - otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? - has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state - of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. 
+ This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. + Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. properties: - lastTransitionTime: + name: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. 
+ It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf + - message: name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog + catalog: + packageName: example-package + properties: + catalog: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: + maxLength: 253 + type: string + x-kubernetes-validations: + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. 
+ + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. + + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. 
+ + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + - Catalog type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - sourceType type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation - status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. + When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. 
+ When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current state of this API Resource. properties: - name: + lastTransitionTime: description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. 
- It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric - character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: + message: description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - name - - version + - lastTransitionTime + - message + - reason + - status + - type type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. + properties: + name: + description: |- + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + type: string + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: + description: |- + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. 
+ type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") + required: + - name + - version + type: object + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- -# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml +# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - olm.operatorframework.io/feature-set: standard + name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -1178,7 +1128,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role + annotations: + olm.operatorframework.io/feature-set: standard rules: - apiGroups: - olm.operatorframework.io 
@@ -1207,6 +1158,75 @@ rules: - patch - update --- +# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1307,75 +1327,6 @@ rules: - list - watch --- -# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - olm.operatorframework.io/feature-set: standard - labels: - app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: olm - name: operator-controller-manager-role -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -1568,8 +1519,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: standard + name: catalogd-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 
@@ -1577,8 +1528,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: standard rules: - apiGroups: - "" @@ -1642,8 +1593,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - olm.operatorframework.io/feature-set: standard + name: operator-controller-manager-role + namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 @@ -1651,8 +1602,8 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-manager-role - namespace: olmv1-system + annotations: + olm.operatorframework.io/feature-set: standard rules: - apiGroups: - "" @@ -2190,9 +2141,7 @@ spec: apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca - olm.operatorframework.io/feature-set: standard + name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 @@ -2200,7 +2149,9 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: catalogd-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + olm.operatorframework.io/feature-set: standard webhooks: - admissionReviewVersions: - v1 
@@ -2211,9 +2162,6 @@ webhooks: path: /mutate-olm-operatorframework-io-v1-clustercatalog port: 9443 failurePolicy: Fail - matchConditions: - - expression: '''name'' in object.metadata && (!has(object.metadata.labels) || !(''olm.operatorframework.io/metadata.name'' in object.metadata.labels) || object.metadata.labels[''olm.operatorframework.io/metadata.name''] != object.metadata.name)' - name: MissingOrIncorrectMetadataNameLabel name: inject-metadata-name.olm.operatorframework.io rules: - apiGroups: @@ -2227,3 +2175,6 @@ webhooks: - clustercatalogs sideEffects: None timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' From 74d91e200a0ee8063a393c557993da560f92370f Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 14:39:57 -0400 Subject: [PATCH 12/55] WIP: some cleanup Signed-off-by: Todd Short --- Makefile | 7 ------- manifests/experimental-e2e.yaml | 2 +- manifests/experimental.yaml | 2 +- manifests/standard-e2e.yaml | 2 +- manifests/standard.yaml | 2 +- 5 files changed, 4 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index ba4bff42e..7e0225482 100644 --- a/Makefile +++ b/Makefile 
@@ -147,13 +147,6 @@ KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files # So we have to generate them together and then move them into place manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. - mkdir -p helm/olmv1/base/catalogd/rbac - mkdir -p helm/olmv1/base/catalogd/crd/standard - mkdir -p helm/olmv1/base/catalogd/crd/experimental - mkdir -p helm/olmv1/base/catalogd/webhook - mkdir -p helm/olmv1/base/operator-controller/rbac - mkdir -p helm/olmv1/base/operator-controller/crd/standard - mkdir -p helm/olmv1/base/operator-controller/crd/experimental # Generate CRDs via our own generator hack/tools/update-crds.sh # Generate the remaining operator-controller standard manifests diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 2107806b2..f0c477a92 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1325,7 +1325,7 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental-e2e labels: - app.kubernetes.io/name: operator-controller06 + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 92afdfc5c..b4a13e159 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -1282,7 +1282,7 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - app.kubernetes.io/name: operator-controller06 + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 45e772df6..edc1ced58 100644 --- a/manifests/standard-e2e.yaml 
+++ b/manifests/standard-e2e.yaml @@ -1325,7 +1325,7 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - app.kubernetes.io/name: operator-controller06 + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 69bc4b956..7cabd0201 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -1282,7 +1282,7 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - app.kubernetes.io/name: operator-controller06 + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" From 2d62802bd9495fe79950b6aff666d0d70e40ad64 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 16:26:51 -0400 Subject: [PATCH 13/55] WIP: change featureSet definition Signed-off-by: Todd Short --- helm/experimental-e2e.yaml | 4 ++-- helm/experimental.yaml | 2 +- ...cedefinition-clustercatalogs.olm.operatorframework.io.yml | 5 ++--- ...definition-clusterextensions.olm.operatorframework.io.yml | 5 ++--- .../templates/06-role-olmv1-system-catalogd-manager-role.yml | 5 ++--- ...08-role-olmv1-system-operator-controller-manager-role.yml | 5 ++--- ...configuration-catalogd-mutating-webhook-configuration.yml | 5 ++--- helm/olmv1/templates/_helpers.tpl | 2 +- helm/olmv1/values.yaml | 2 +- helm/standard-e2e.yaml | 4 ++-- 10 files changed, 17 insertions(+), 22 deletions(-) diff --git a/helm/experimental-e2e.yaml b/helm/experimental-e2e.yaml index 56dab4e5b..be2f53b3a 100644 --- a/helm/experimental-e2e.yaml +++ b/helm/experimental-e2e.yaml @@ -19,5 +19,5 @@ features: helmChartSupport: enabled: true -# This can be one of: standard, standard-e2e, experimental, or experimental-e2e -featureSet: experimental-e2e +# This can be one of: standard or experimental +featureSet: experimental 
diff --git a/helm/experimental.yaml b/helm/experimental.yaml index 9fbe68c8e..b6ede550e 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml @@ -14,5 +14,5 @@ features: helmChartSupport: enabled: true -# This can be one of: standard, standard-e2e, experimental, or experimental-e2e +# This can be one of: standard or experimental featureSet: experimental diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml index 6039f2ccc..c5cdff426 100644 --- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml @@ -1,8 +1,7 @@ {{- if .Values.components.catalogd.enabled }} -{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{- if (eq .Values.featureSet "standard") }} {{ tpl (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml") . }} -{{- end }} -{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{- else if (eq .Values.featureSet "experimental") }} {{ tpl (.Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml index 11597bd7e..188ba5d74 100644 --- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml 
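Review bot: The new `if` / `else if` chain in the 01 clustercatalogs CRD template has no final branch, so any `featureSet` other than `standard` or `experimental` renders the template to nothing without an error. That now includes the previously accepted values `standard-e2e` and `experimental-e2e`, so a values file that still sets one of them would install a release with no ClusterCatalog CRD. The same chain is added in the 02 CRD, 06 and 08 role, and 40 webhook templates, where the silent result is missing RBAC or a missing MutatingWebhookConfiguration. Add a terminal branch such as `{{- else }}{{ fail (printf "unsupported featureSet %q" .Values.featureSet) }}` before the inner `{{- end }}` in each of them.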
@@ -1,8 +1,7 @@ {{- if .Values.components.operatorController.enabled }} -{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{- if (eq .Values.featureSet "standard") }} {{ tpl (.Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml") . }} -{{- end }} -{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{- else if (eq .Values.featureSet "experimental") }} {{ tpl (.Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index 284580d77..c5537bf10 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -1,8 +1,7 @@ {{- if .Values.components.catalogd.enabled }} -{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{- if (eq .Values.featureSet "standard") }} {{ tpl (.Files.Get "base/catalogd/rbac/standard/role.yaml") . }} -{{- end }} -{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{- else if (eq .Values.featureSet "experimental") }} {{ tpl (.Files.Get "base/catalogd/rbac/experimental/role.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index d289775e6..a824b0b6b 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml 
@@ -1,8 +1,7 @@ {{- if .Values.components.operatorController.enabled }} -{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{- if (eq .Values.featureSet "standard") }} {{ tpl (.Files.Get "base/operator-controller/rbac/standard/role.yaml") . }} -{{- end }} -{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{- else if (eq .Values.featureSet "experimental") }} {{ tpl (.Files.Get "base/operator-controller/rbac/experimental/role.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 75a70598d..ffa80774c 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -1,8 +1,7 @@ {{- if .Values.components.catalogd.enabled }} -{{- if or (eq .Values.featureSet "standard") (eq .Values.featureSet "standard-e2e") }} +{{- if (eq .Values.featureSet "standard") }} {{ tpl (.Files.Get "base/catalogd/webhook/standard/manifests.yaml") . }} -{{- end }} -{{- if or (eq .Values.featureSet "experimental") (eq .Values.featureSet "experimental-e2e") }} +{{- else if (eq .Values.featureSet "experimental") }} {{ tpl (.Files.Get "base/catalogd/webhook/experimental/manifests.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 83352c327..356951281 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -29,5 +29,5 @@ app.kubernetes.io/part-of: olm Common annoations */}} {{- define "olmv1.annotations" -}} -olm.operatorframework.io/feature-set: {{ .Values.featureSet }} +olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}} {{- end }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 01363159e..28e699284 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -49,7 +49,7 @@ features: helmChartSupport: enabled: false -# This can be one of: standard, standard-e2e, experimental, or experimental-e2e +# This can be one of: standard or experimental featureSet: standard # The set of namespaces diff --git a/helm/standard-e2e.yaml b/helm/standard-e2e.yaml index e85e380f5..e389ebebb 100644 --- a/helm/standard-e2e.yaml +++ b/helm/standard-e2e.yaml @@ -7,5 +7,5 @@ components: e2e: enabled: true -# This can be one of: standard, standard-e2e, experimental, or experimental-e2e -featureSet: standard-e2e +# This can be one of: standard or experimental +featureSet: standard From 4933e748f500375b63cf42298b21e32236f4140d Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 16:42:05 -0400 Subject: [PATCH 14/55] WIP: layer helm values files Signed-off-by: Todd Short --- Makefile | 6 +++--- helm/{standard-e2e.yaml => e2e.yaml} | 5 +---- helm/experimental-e2e.yaml | 23 ----------------------- helm/experimental.yaml | 2 +- helm/olmv1/values.yaml | 2 +- helm/standard.yaml | 6 ------ 6 files changed, 6 insertions(+), 38 deletions(-) rename helm/{standard-e2e.yaml => e2e.yaml} (58%) delete mode 100644 helm/experimental-e2e.yaml delete mode 100644 helm/standard.yaml diff --git a/Makefile b/Makefile index 7e0225482..c3bd6a9e8 100644 --- a/Makefile +++ b/Makefile 
@@ -163,10 +163,10 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - helm template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/standard-e2e.yaml > $(STANDARD_E2E_MANIFEST) + helm template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) + helm template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/experimental-e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + helm template olmv1 helm/olmv1 --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/helm/standard-e2e.yaml b/helm/e2e.yaml similarity index 58% rename from helm/standard-e2e.yaml rename to helm/e2e.yaml index e389ebebb..d3acb6b74 100644 --- a/helm/standard-e2e.yaml +++ b/helm/e2e.yaml @@ -1,4 +1,4 @@ -# Default values for operator-controller. +# e2e values for OLMv1. # This is a YAML-formatted file. # Declare variables to be passed into your templates. @@ -6,6 +6,3 @@ components: e2e: enabled: true - -# This can be one of: standard or experimental -featureSet: standard diff --git a/helm/experimental-e2e.yaml b/helm/experimental-e2e.yaml deleted file mode 100644 index be2f53b3a..000000000 --- a/helm/experimental-e2e.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# Default values for operator-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# List of components to include -components: - e2e: - enabled: true - -features: - apiV1MetasHandler: - enabled: true - webhookProviderCertManager: - enabled: true - singleOwnNamespaceInstallSupport: - enabled: true - preflightPermissions: - enabled: true - helmChartSupport: - enabled: true - -# This can be one of: standard or experimental -featureSet: experimental diff --git a/helm/experimental.yaml b/helm/experimental.yaml index b6ede550e..7a70a2824 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml @@ -1,4 +1,4 @@ -# Default values for operator-controller. +# experimental values for OLMv1. # This is a YAML-formatted file. # Declare variables to be passed into your templates. diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 28e699284..6619563e3 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -1,4 +1,4 @@ -# Default values for operator-controller. +# Default values for OLMv1. # This is a YAML-formatted file. # Declare variables to be passed into your templates. diff --git a/helm/standard.yaml b/helm/standard.yaml deleted file mode 100644 index 9e5f0fa34..000000000 --- a/helm/standard.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# Default values for operator-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# This can be one of: standard, standard-e2e, experimental, or experimental-e2e -featureSet: standard From 5915d76ec9c649033eda487dad397a17c411981d Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 21 Jul 2025 16:42:41 -0400 Subject: [PATCH 15/55] WIP: patch script fixups Signed-off-by: Todd Short --- hack/tools/patch-base-for-helm.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh index d42e25c74..f5917ca1d 100755 
--- a/hack/tools/patch-base-for-helm.sh +++ b/hack/tools/patch-base-for-helm.sh @@ -1,7 +1,5 @@ #!/bin/bash -set -x - # Patch catalogd rbac catalogd_rbac_filelist=( helm/olmv1/base/catalogd/rbac/experimental/*.yaml @@ -9,7 +7,7 @@ catalogd_rbac_filelist=( ) for f in "${catalogd_rbac_filelist[@]}"; do yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}" - rm "${f}.bak" + rm -f "${f}.bak" done # Patch operator-controller rbac @@ -19,7 +17,7 @@ operator_controller_rbac_filelist=( ) for f in "${operator_controller_rbac_filelist[@]}"; do yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}" - rm "${f}.bak" + rm -f "${f}.bak" done # Patch catalogd webhook @@ -37,7 +35,7 @@ for f in "${catalogd_webhook_filelist[@]}"; do yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}" yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}" yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}" - rm "${f}.bak" + rm -f "${f}.bak" done # Patch everything genericly @@ -58,10 +56,10 @@ for f in "${filelist[@]}"; do # Patch in the temporary items yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}" yq -i '.metadata.labels.replaceMe = "labels"' "${f}" - # Replace with helm template - must be done last or yq will complain about the file format + # Replace with helm template - must be done last or yq will complain about the file formXat sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}" sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}" sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}" # Delete sed's backup file - rm "${f}.bak" + rm -f "${f}.bak" done 
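Review bot: As far as the first hunk shows, the script now goes straight from the shebang to `# Patch catalogd rbac` with no error handling, so a failing `yq` or `sed` does not stop the run and `make manifests` goes on to template whatever half-patched RBAC and webhook files are left. Add `set -euo pipefail` directly under `#!/bin/bash`; dropping `set -x` only removes the tracing. The switch to `rm -f` in the first three loops also hides that no `sed -i.bak` runs there, so those lines delete nothing and could be removed. The last hunk introduces a typo in the comment, `file formXat`.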
From b937551a91c7fd003b85bf00249a53aa87fdc7dc Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 22 Jul 2025 10:36:50 -0400 Subject: [PATCH 16/55] WIP: Add support for updating clusterRoles/Roles Signed-off-by: Todd Short --- hack/tools/patch-base-for-helm.sh | 21 +++++++++++---- .../base/catalogd/rbac/experimental/role.yaml | 2 ++ .../base/catalogd/rbac/standard/role.yaml | 2 ++ .../rbac/experimental/role.yaml | 2 ++ .../rbac/standard/role.yaml | 2 ++ helm/olmv1/templates/_helpers.tpl | 27 +++++++++++++++++++ helm/olmv1/values.yaml | 8 ++++++ 7 files changed, 59 insertions(+), 5 deletions(-) diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh index f5917ca1d..f00f24092 100755 --- a/hack/tools/patch-base-for-helm.sh +++ b/hack/tools/patch-base-for-helm.sh @@ -1,5 +1,11 @@ #!/bin/bash +# This script patches the kubebuilder generated files to make them ready for helm +# The patching is done via a combination of `yq` to add valid YAML to the appropriate location +# and then `sed` is used to replace some text with Helm templating. +# This can't be done in one step because `yq` (or `kustomize` for that matter) can't manipulate +# YAML once helm templating has been added. + # Patch catalogd rbac catalogd_rbac_filelist=( helm/olmv1/base/catalogd/rbac/experimental/*.yaml @@ -7,7 +13,8 @@ catalogd_rbac_filelist=( ) for f in "${catalogd_rbac_filelist[@]}"; do yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}" - rm -f "${f}.bak" + yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "catalogd-role-rules"})' "${f}" + yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "catalogd-cluster-role-rules"})' "${f}" done # Patch operator-controller rbac 
@@ -17,7 +24,8 @@ operator_controller_rbac_filelist=( ) for f in "${operator_controller_rbac_filelist[@]}"; do yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}" - rm -f "${f}.bak" + yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "operator-controller-role-rules"})' "${f}" + yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "operator-controller-cluster-role-rules"})' "${f}" done # Patch catalogd webhook @@ -35,10 +43,9 @@ for f in "${catalogd_webhook_filelist[@]}"; do yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}" yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}" yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}" - rm -f "${f}.bak" done -# Patch everything genericly +# Patch everything generically filelist=( helm/olmv1/base/catalogd/rbac/experimental/*.yaml helm/olmv1/base/catalogd/rbac/standard/*.yaml 
@@ -56,10 +63,14 @@ for f in "${filelist[@]}"; do # Patch in the temporary items yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}" yq -i '.metadata.labels.replaceMe = "labels"' "${f}" - # Replace with helm template - must be done last or yq will complain about the file formXat + # Replace with helm template - must be done last or yq will complain about the file format sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}" sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}" sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}" + sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}" + sed -i.bak 's/- replaceMe: catalogd-cluster-role-rules/{{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}/g' "${f}" + sed -i.bak 's/- replaceMe: operator-controller-role-rules/{{- include "olmv1.operatorController.role.rules" . | nindent 2 }}/g' "${f}" + sed -i.bak 's/- replaceMe: operator-controller-cluster-role-rules/{{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}/g' "${f}" # Delete sed's backup file rm -f "${f}.bak" done diff --git a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml index 4d03fa3e4..e8017964a 100644 --- a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml +++ b/helm/olmv1/base/catalogd/rbac/experimental/role.yaml @@ -35,6 +35,7 @@ rules: - get - patch - update + {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -56,3 +57,4 @@ rules: - get - list - watch + {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} diff --git a/helm/olmv1/base/catalogd/rbac/standard/role.yaml b/helm/olmv1/base/catalogd/rbac/standard/role.yaml index 4d03fa3e4..e8017964a 100644 --- a/helm/olmv1/base/catalogd/rbac/standard/role.yaml 
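Review bot: The four new `sed` substitutions only take effect if `yq` wrote the placeholder exactly as `- replaceMe: <name>`; when a pattern does not match, the placeholder entry stays in the `rules:` list of the Role or ClusterRole and nothing reports it. After the `rm -f "${f}.bak"` line, check for leftovers and stop, e.g. `if grep -q 'replaceMe' "${f}"; then echo "unpatched placeholder in ${f}" >&2; exit 1; fi`. The loop body starts outside this hunk.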
+++ b/helm/olmv1/base/catalogd/rbac/standard/role.yaml @@ -35,6 +35,7 @@ rules: - get - patch - update + {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -56,3 +57,4 @@ rules: - get - list - watch + {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} diff --git a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml index 7a5ea0eae..c55469f56 100644 --- a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml +++ b/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml @@ -62,6 +62,7 @@ rules: verbs: - list - watch + {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -95,3 +96,4 @@ rules: - get - list - watch + {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} diff --git a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml index 7a5ea0eae..c55469f56 100644 --- a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml +++ b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml @@ -62,6 +62,7 @@ rules: verbs: - list - watch + {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -95,3 +96,4 @@ rules: - get - list - watch + {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 356951281..f0387c1ca 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -31,3 +31,30 @@ Common annoations {{- define "olmv1.annotations" -}} olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}} {{- end }} + +{{/* +Insertion of additional rules for RBAC +*/}} +{{- define "olmv1.catalogd.role.rules" -}} +{{- with .Values.components.catalogd.rules }} +{{- toYamlPretty . }} +{{- end }} +{{- end }} + +{{- define "olmv1.catalogd.clusterRole.rules" -}} +{{- with .Values.components.catalogd.clusterRole.rules }} +{{- toYamlPretty . }} +{{- end }} +{{- end }} + +{{- define "olmv1.operatorController.role.rules" -}} +{{- with .Values.components.operatorController.role.rules }} +{{- toYamlPretty . }} +{{- end }} +{{- end }} + +{{- define "olmv1.operatorController.clusterRole.rules" -}} +{{- with .Values.components.operatorController.clusterRole.rules }} +{{- toYamlPretty . }} +{{- end }} +{{- end }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 6619563e3..ef478d8fa 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -18,6 +18,10 @@ components: podArguments: {} service: annotations: {} + clusterRole: + rules: {} + role: + rules: {} catalogd: enabled: true image: @@ -32,6 +36,10 @@ components: podArguments: {} service: annotations: {} + clusterRole: + rules: {} + role: + rules: {} certManager: enabled: true e2e: From bdfd233f6065e05253ef67068071e0cb56439ced Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 22 Jul 2025 10:42:18 -0400 Subject: [PATCH 17/55] WIP: add deployment layer Signed-off-by: Todd Short --- ...mv1-system-catalogd-controller-manager.yml | 16 +++---- ...operator-controller-controller-manager.yml | 14 +++---- helm/olmv1/values.yaml | 42 ++++++++++--------- 3 files changed, 37 insertions(+), 35 deletions(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index f70690c55..a3ae98380 100644 
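Review bot: `olmv1.catalogd.role.rules` reads `.Values.components.catalogd.rules`, while the values.yaml hunk in this commit defines the key as `components.catalogd.role.rules` and the other three helpers use the `role.rules` / `clusterRole.rules` paths, so extra Role rules set for catalogd are silently dropped. Change the line to `{{- with .Values.components.catalogd.role.rules }}`. These helpers append caller-supplied rules to the controllers' Role and ClusterRole, so the values.yaml keys deserve a comment saying that entries there widen the managers' permissions. The defaults are `rules: {}` although the include is spliced into a YAML list; `[]` would match.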
--- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -52,7 +52,7 @@ spec: - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - --pull-cas-dir=/var/ca-certs - {{- with .Values.components.operatorController.podArguments }} + {{- with .Values.components.catalogd.deployment.podArguments }} {{- toYaml . | nindent 12 }} {{- end }} command: @@ -62,8 +62,8 @@ spec: - name: GOCOVERDIR value: /e2e-coverage {{- end }} - image: "{{ .Values.components.catalogd.image.repository }}:{{ .Values.components.catalogd.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.components.catalogd.image.pullPolicy }} + image: "{{ .Values.components.catalogd.deployment.image.repository }}:{{ .Values.components.catalogd.deployment.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.components.catalogd.deployment.image.pullPolicy }} livenessProbe: httpGet: path: /healthz @@ -102,7 +102,7 @@ spec: name: olmv1-certificate readOnly: true {{- end }} - {{- with .Values.components.catalogd.volumeMounts }} + {{- with .Values.components.catalogd.deployment.volumeMounts }} {{- toYaml . | nindent }} {{- end }} {{- with .Values.podSecurityContext }} 
@@ -133,18 +133,18 @@ spec: optional: false secretName: catalogd-service-cert-git-version {{- end }} - {{- with .Values.components.catalogd.volumes }} + {{- with .Values.components.catalogd.deployment.volumes }} {{- toYaml . | indent 8 }} {{- end }} - {{- with .Values.components.catalogd.nodeSelector }} + {{- with .Values.components.catalogd.deployment.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.catalogd.affinity }} + {{- with .Values.components.catalogd.deployment.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.catalogd.tolerations }} + {{- with .Values.components.catalogd.deployment.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 376fc72eb..e998a9ce5 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -71,9 +71,9 @@ spec: - name: GOCOVERDIR value: /e2e-coverage {{- end }} - image: "{{ .Values.components.operatorController.image.repository }}:{{ .Values.components.operatorController.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.components.operatorController.deployment.image.repository }}:{{ .Values.components.operatorController.deployment.image.tag | default .Chart.AppVersion }}" image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: {{ .Values.components.operatorController.image.pullPolicy }} + imagePullPolicy: {{ .Values.components.operatorController.deployment.image.pullPolicy }} livenessProbe: httpGet: path: /healthz 
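Review bot: In the operator-controller Deployment hunk (`@@ -71,9 +71,9 @@`) the templated `image:` line is followed by an unchanged literal `image: quay.io/operator-framework/operator-controller:devel`, so the container has two `image` keys and the values-driven one is either overridden by the hard-coded `:devel` tag or rejected as a duplicate key, depending on the YAML parser. Delete the literal line so the image configured in values is the one deployed. The same context line is still present in the `@@ -62,18 +62,23 @@` hunk of PATCH 18/55.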
@@ -112,7 +112,7 @@ spec: name: olmv1-certificate readOnly: true {{- end }} - {{- with .Values.components.operatorController.volumeMounts }} + {{- with .Values.components.operatorController.deployment.volumeMounts }} {{- toYaml . | nindent }} {{- end }} {{- with .Values.podSecurityContext }} @@ -147,18 +147,18 @@ spec: optional: false secretName: olmv1-cert {{- end }} - {{- with .Values.components.operatorController.volumes }} + {{- with .Values.components.operatorController.deployment.volumes }} {{- toYaml . | indent 8 }} {{- end }} - {{- with .Values.components.operatorController.nodeSelector }} + {{- with .Values.components.operatorController.deployment.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.operatorController.affinity }} + {{- with .Values.components.operatorController.deployment.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.operatorController.tolerations }} + {{- with .Values.components.operatorController.deployment.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index ef478d8fa..5c5629656 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -6,16 +6,17 @@ components: operatorController: enabled: true - image: - repository: quay.io/operator-framework/operator-controller - pullPolicy: IfNotPresent - tag: devel - volumeMounts: {} - volumes: {} - affinity: {} - nodeSelector: {} - tolerations: {} - podArguments: {} + deployment: + image: + repository: quay.io/operator-framework/operator-controller + pullPolicy: IfNotPresent + tag: devel + volumeMounts: {} + volumes: {} + affinity: {} + nodeSelector: {} + tolerations: {} + podArguments: {} service: annotations: {} clusterRole: 
@@ -24,16 +25,17 @@ components: rules: {} catalogd: enabled: true - image: - repository: quay.io/operator-framework/catalogd - pullPolicy: IfNotPresent - tag: devel - volumeMounts: {} - volumes: {} - affinity: {} - nodeSelector: {} - tolerations: {} - podArguments: {} + deployment: + image: + repository: quay.io/operator-framework/catalogd + pullPolicy: IfNotPresent + tag: devel + volumeMounts: {} + volumes: {} + affinity: {} + nodeSelector: {} + tolerations: {} + podArguments: {} service: annotations: {} clusterRole: From 944b303e286a38b0d7c39d9a2d7eb805de327752 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 14:43:52 -0400 Subject: [PATCH 18/55] WIP: Fix value arrays, add pod env, update image Signed-off-by: Todd Short --- ...mv1-system-catalogd-controller-manager.yml | 11 ++++-- ...operator-controller-controller-manager.yml | 13 +++++-- helm/olmv1/values.yaml | 38 +++++++++---------- 3 files changed, 35 insertions(+), 27 deletions(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index a3ae98380..f482c6a4d 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml 
@@ -57,13 +57,18 @@ spec: {{- end }} command: - ./catalogd - {{- if .Values.components.e2e.enabled }} + {{- if or .Values.components.e2e.enabled .Values.components.catalogd.deployment.env }} env: + {{- end }} + {{- if .Values.components.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - image: "{{ .Values.components.catalogd.deployment.image.repository }}:{{ .Values.components.catalogd.deployment.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.components.catalogd.deployment.image.pullPolicy }} + {{- with .Values.components.catalogd.deployment.env}} + {{- toYamlPretty . | nindent 12 }} + {{- end }} + image: "{{ .Values.components.catalogd.deployment.image }}" + imagePullPolicy: {{ .Values.components.catalogd.deployment.imagePullPolicy }} livenessProbe: httpGet: path: /healthz diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index e998a9ce5..9765c1528 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml 
@@ -62,18 +62,23 @@ spec: - --tls-cert=/var/certs/tls.cert - --tls-key=/var/certs/tls.key {{- with .Values.components.catalogd.podArguments }} - {{- toYaml . | nindent 12 }} + {{- toYamlPretty . | nindent 12 }} {{- end }} command: - /operator-controller - {{- if .Values.components.e2e.enabled }} + {{- if or .Values.components.e2e.enabled .Values.components.operatorController.deployment.env }} env: + {{- end }} + {{- if .Values.components.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - image: "{{ .Values.components.operatorController.deployment.image.repository }}:{{ .Values.components.operatorController.deployment.image.tag | default .Chart.AppVersion }}" + {{- with .Values.components.operatorController.deployment.env }} + {{- toYamlPretty . | nindent 12 }} + {{- end }} + image: "{{ .Values.components.operatorController.deployment.image }}" image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: {{ .Values.components.operatorController.deployment.image.pullPolicy }} + imagePullPolicy: {{ .Values.components.operatorController.deployment.imagePullPolicy }} livenessProbe: httpGet: path: /healthz diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 5c5629656..3f44b5532 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml 
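Review bot: The operator-controller args block in the `@@ -62,18 +62,23 @@` hunk still opens with `{{- with .Values.components.catalogd.podArguments }}`, a path that belongs to the other component and that no longer exists after podArguments moved under `deployment`. Extra arguments set in `components.operatorController.deployment.podArguments` are therefore never rendered. Change it to `{{- with .Values.components.operatorController.deployment.podArguments }}`, matching the catalogd template fixed in PATCH 17/55.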
@@ -7,41 +7,39 @@ components: operatorController: enabled: true deployment: - image: - repository: quay.io/operator-framework/operator-controller - pullPolicy: IfNotPresent - tag: devel - volumeMounts: {} - volumes: {} + image: quay.io/operator-framework/operator-controller:devel + imagePullPolicy: IfNotPresent + volumeMounts: [] + volumes: [] affinity: {} nodeSelector: {} - tolerations: {} - podArguments: {} + tolerations: [] + podArguments: [] + env: [] service: annotations: {} clusterRole: - rules: {} + rules: [] role: - rules: {} + rules: [] catalogd: enabled: true deployment: - image: - repository: quay.io/operator-framework/catalogd - pullPolicy: IfNotPresent - tag: devel - volumeMounts: {} - volumes: {} + image: quay.io/operator-framework/catalogd:devel + imagePullPolicy: IfNotPresent + volumeMounts: [] + volumes: [] affinity: {} nodeSelector: {} - tolerations: {} - podArguments: {} + tolerations: [] + podArguments: [] + env: [] service: annotations: {} clusterRole: - rules: {} + rules: [] role: - rules: {} + rules: [] certManager: enabled: true e2e: From b1f89f6b0659c18c68119bd62b53da18a7da47da Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 15:11:24 -0400 Subject: [PATCH 19/55] WIP: Fix some indents Signed-off-by: Todd Short --- ...29-deployment-olmv1-system-catalogd-controller-manager.yml | 4 ++-- ...nt-olmv1-system-operator-controller-controller-manager.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index f482c6a4d..d61a87f39 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml 
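Review bot: The new single-string defaults `image: quay.io/operator-framework/operator-controller:devel` and `image: quay.io/operator-framework/catalogd:devel` point at a mutable tag, and this commit also removes the `| default .Chart.AppVersion` fallback from both Deployment templates. Combined with `imagePullPolicy: IfNotPresent`, nodes can keep running whatever was first pulled under `devel`, and the rendered manifests no longer identify which build is installed. Consider defaulting to a released version or a digest reference (`repo@sha256:<digest>`) and keeping `devel` in a development values file; at minimum add a comment on the key saying it must be overridden for releases.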
@@ -108,7 +108,7 @@ spec: readOnly: true {{- end }} {{- with .Values.components.catalogd.deployment.volumeMounts }} - {{- toYaml . | nindent }} + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.podSecurityContext }} securityContext: @@ -139,7 +139,7 @@ spec: secretName: catalogd-service-cert-git-version {{- end }} {{- with .Values.components.catalogd.deployment.volumes }} - {{- toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.components.catalogd.deployment.nodeSelector }} nodeSelector: diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 9765c1528..9b4c552ec 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -118,7 +118,7 @@ spec: readOnly: true {{- end }} {{- with .Values.components.operatorController.deployment.volumeMounts }} - {{- toYaml . | nindent }} + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.podSecurityContext }} securityContext: @@ -153,7 +153,7 @@ spec: secretName: olmv1-cert {{- end }} {{- with .Values.components.operatorController.deployment.volumes }} - {{- toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.components.operatorController.deployment.nodeSelector }} nodeSelector: From 343905e8a4045d0d9140a4912f8b9a21512c9085 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 15:49:25 -0400 Subject: [PATCH 20/55] WIP: update default-deny-all policy Signed-off-by: Todd Short --- .../37-networkpolicy-olmv1-system-default-deny-all-traffic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml index 67ded54d7..0f7be2558 100644 --- a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} - name: default-deny-all-traffic + name: operator-controller-default-deny-all-traffic namespace: {{ .Values.namespaces.olmv1.name }} spec: podSelector: {} From 9f9118bf5c6fb68956162ad6273b8826e8d4b687 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 16:31:15 -0400 Subject: [PATCH 21/55] WIP: Add support for podLabels and priorityClassName Signed-off-by: Todd Short --- ...ment-olmv1-system-catalogd-controller-manager.yml | 9 ++++++++- ...system-operator-controller-controller-manager.yml | 7 +++++++ helm/olmv1/values.yaml | 4 ++++ manifests/experimental-e2e.yaml | 12 +++++++++++- manifests/experimental.yaml | 12 +++++++++++- manifests/standard-e2e.yaml | 12 +++++++++++- manifests/standard.yaml | 12 +++++++++++- 7 files changed, 63 insertions(+), 5 deletions(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index d61a87f39..7b9eee7b2 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml 
@@ -24,7 +24,14 @@ spec: {{- include "olmv1.annotations" . | nindent 8 }} labels: control-plane: catalogd-controller-manager + {{- include "olmv1.labels" . | nindent 8 }} + {{- with .Values.components.catalogd.deployment.podLabels }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} spec: + {{- if .Values.components.catalogd.deployment.priorityClassName }} + priorityClassName: {{ .Values.components.catalogd.deployment.priorityClassName }} + {{- end }} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -64,7 +71,7 @@ spec: - name: GOCOVERDIR value: /e2e-coverage {{- end }} - {{- with .Values.components.catalogd.deployment.env}} + {{- with .Values.components.catalogd.deployment.env }} {{- toYamlPretty . | nindent 12 }} {{- end }} image: "{{ .Values.components.catalogd.deployment.image }}" diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 9b4c552ec..b7a083b64 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -23,7 +23,14 @@ spec: {{- include "olmv1.annotations" . | nindent 8 }} labels: control-plane: operator-controller-controller-manager + {{- include "olmv1.labels" . | nindent 8 }} + {{- with .Values.components.operatorController.deployment.podLabels }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} spec: + {{- if .Values.components.operatorController.deployment.priorityClassName }} + priorityClassName: {{ .Values.components.operatorController.deployment.priorityClassName }} + {{- end }} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 3f44b5532..fc1d63f09 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml 
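Review bot: `podLabels` is rendered after the fixed `control-plane: …` label and the `olmv1.labels` block with no filtering, in both Deployment templates, so a values entry that reuses one of those keys produces a duplicate key in the pod template. The `control-plane` label is presumably what the Deployment selector and the component NetworkPolicies match on (not visible in these hunks), so it should not be overridable from values. Reject it inside the `with` block, e.g. `{{- if hasKey . "control-plane" }}{{ fail "podLabels must not set control-plane" }}{{- end }}`, or document the restriction next to `podLabels` in values.yaml.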
@@ -15,6 +15,8 @@ components: nodeSelector: {} tolerations: [] podArguments: [] + podLabels: {} + priorityClassName: "" env: [] service: annotations: {} @@ -33,6 +35,8 @@ components: nodeSelector: {} tolerations: [] podArguments: [] + podLabels: {} + priorityClassName: "" env: [] service: annotations: {} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index f0c477a92..52c449eff 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: default-deny-all-traffic + name: operator-controller-default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} @@ -1898,6 +1898,11 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: catalogd-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: @@ -2021,6 +2026,11 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: operator-controller-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index b4a13e159..52cd4621d 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: default-deny-all-traffic + name: operator-controller-default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} 
@@ -1811,6 +1811,11 @@ spec: olm.operatorframework.io/feature-set: experimental labels: control-plane: catalogd-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: @@ -1926,6 +1931,11 @@ spec: olm.operatorframework.io/feature-set: experimental labels: control-plane: operator-controller-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index edc1ced58..698604622 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: default-deny-all-traffic + name: operator-controller-default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} @@ -1898,6 +1898,11 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: catalogd-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: @@ -2020,6 +2025,11 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: operator-controller-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 7cabd0201..ed5455434 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml 
@@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: default-deny-all-traffic + name: operator-controller-default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} @@ -1811,6 +1811,11 @@ spec: olm.operatorframework.io/feature-set: standard labels: control-plane: catalogd-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: @@ -1925,6 +1930,11 @@ spec: olm.operatorframework.io/feature-set: standard labels: control-plane: operator-controller-controller-manager + helm.sh/chart: olmv1-0.1.0 + app.kubernetes.io/instance: olmv1 + app.kubernetes.io/version: "1.3.0" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: olm spec: affinity: nodeAffinity: From cf380828ef2b105c6aa2cd44ca1aea33d2663bac Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 16:38:31 -0400 Subject: [PATCH 22/55] WIP: Add podAnnotations Signed-off-by: Todd Short --- ...29-deployment-olmv1-system-catalogd-controller-manager.yml | 4 ++++ ...nt-olmv1-system-operator-controller-controller-manager.yml | 4 ++++ helm/olmv1/values.yaml | 2 ++ manifests/experimental-e2e.yaml | 2 ++ manifests/experimental.yaml | 2 ++ manifests/standard-e2e.yaml | 2 ++ manifests/standard.yaml | 2 ++ 7 files changed, 18 insertions(+) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 7b9eee7b2..c07ee439e 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml 
@@ -22,8 +22,12 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} + {{- with .Values.components.catalogd.deployment.podAnnotations }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.catalogd.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index b7a083b64..ac2bdbe20 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -21,8 +21,12 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} + {{- with .Values.components.operatorController.deployment.podAnnotations }} + {{- toYamlPretty . | nindent 8 }} + {{- end }} labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.operatorController.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index fc1d63f09..289ef9593 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -16,6 +16,7 @@ components: tolerations: [] podArguments: [] podLabels: {} + podAnnotations: {} priorityClassName: "" env: [] service: @@ -36,6 +37,7 @@ components: tolerations: [] podArguments: [] podLabels: {} + podAnnotations: {} priorityClassName: "" env: [] service: diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 52c449eff..ae3d3aaf9 100644 
--- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1898,6 +1898,7 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" @@ -2026,6 +2027,7 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 52cd4621d..1b3d045ef 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -1811,6 +1811,7 @@ spec: olm.operatorframework.io/feature-set: experimental labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" @@ -1931,6 +1932,7 @@ spec: olm.operatorframework.io/feature-set: experimental labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 698604622..0867eacca 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -1898,6 +1898,7 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" 
@@ -2025,6 +2026,7 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" diff --git a/manifests/standard.yaml b/manifests/standard.yaml index ed5455434..50a68f560 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -1811,6 +1811,7 @@ spec: olm.operatorframework.io/feature-set: standard labels: control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" @@ -1930,6 +1931,7 @@ spec: olm.operatorframework.io/feature-set: standard labels: control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller helm.sh/chart: olmv1-0.1.0 app.kubernetes.io/instance: olmv1 app.kubernetes.io/version: "1.3.0" From 9352c06eef67eea507a1a71c8f393637d998714c Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 23 Jul 2025 17:07:20 -0400 Subject: [PATCH 23/55] WIP: arg fixes, certManager, opcon Signed-off-by: Todd Short --- ...29-deployment-olmv1-system-catalogd-controller-manager.yml | 2 ++ ...nt-olmv1-system-operator-controller-controller-manager.yml | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index c07ee439e..8e780d230 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml 
@@ -60,9 +60,11 @@ spec: {{- if .Values.features.apiV1MetasHandler.enabled }} - --feature-gates=APIV1MetasHandler=true {{- end }} + {{- if .Values.components.certManager.enabled }} - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - --pull-cas-dir=/var/ca-certs + {{- end }} {{- with .Values.components.catalogd.deployment.podArguments }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index ac2bdbe20..fab0c6034 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -68,11 +68,13 @@ spec: {{- if .Values.features.helmChartSupport.enabled }} - --feature-gates=HelmChartSupport=true {{- end }} + {{- if .Values.components.certManager.enabled }} - --catalogd-cas-dir=/var/certs - --pull-cas-dir=/var/certs - --tls-cert=/var/certs/tls.cert - --tls-key=/var/certs/tls.key - {{- with .Values.components.catalogd.podArguments }} + {{- end }} + {{- with .Values.components.operatorController.deployment.podArguments }} {{- toYamlPretty . | nindent 12 }} {{- end }} command: From 2dffcbf4ea006c17e000e13a898311dd1a381b05 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 10:41:03 -0400 Subject: [PATCH 24/55] WIP: Add helm version check Until we can get helm to install via bingo, we'll have to rely on a local install of helm, so have a minimum version check. Signed-off-by: Todd Short --- Makefile | 1 + hack/tools/helm-version-check.sh | 34 ++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100755 hack/tools/helm-version-check.sh diff --git a/Makefile b/Makefile index c3bd6a9e8..717397dce 100644 --- a/Makefile +++ b/Makefile 
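Review bot: With `components.certManager.enabled` set to false this block drops `--tls-cert`, `--tls-key` and `--pull-cas-dir` and puts nothing in their place, so catalogd starts without the chart-provided serving certificate. Whether it then serves plain HTTP, generates its own certificate or refuses to start is decided outside this hunk, as are the matching volume mounts. If running without cert-manager is meant to be supported, the template should say how certificates are supplied instead, for example `{{- /* certManager disabled: TLS flags must be passed via deployment.podArguments */}}` above the `if`, or a `fail` when neither source is configured. The operator-controller hunk in template 30 has the same gap for `--catalogd-cas-dir`, `--pull-cas-dir`, `--tls-cert` and `--tls-key`. It also renders `podArguments` with `toYamlPretty` where the catalogd template uses `toYaml`, so the two should agree on one.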
@@ -163,6 +163,7 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) + hack/tools/helm-version-check.sh helm template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) helm template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) diff --git a/hack/tools/helm-version-check.sh b/hack/tools/helm-version-check.sh new file mode 100755 index 000000000..6dec1d09d --- /dev/null +++ b/hack/tools/helm-version-check.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +HELM=$(command -v helm) +if [ -z "${HELM}" ]; then + echo "helm command not found" + exit 1 +fi + +WANT_VER_MAJOR=3 +WANT_VER_MINOR=18 + +LONG_VER=$(${HELM} version | sed -E 's/.*Version:"([0-9]*\.[0-9]*\.[0-9]*)".*/\1/') + +OLDIFS="${IFS}" +IFS='.' HELM_VER=(${LONG_VER}) +IFS="${OLDIFS}" + +if [ ${#HELM_VER[*]} -ne 3 ]; then + echo "Invalid helm version: ${HELM_VER}" + exit 1 +fi + +HELM_MAJOR=${HELM_VER[0]} +HELM_MINOR=${HELM_VER[1]} + +if [ "${HELM_MAJOR}" -ne "${WANT_VER_MAJOR}" ]; then + echo "Expecting helm version ${WANT_VER_MAJOR}.x, found ${LONG_VER}" + exit 1 +fi + +if [ "${HELM_MINOR}" -lt "${WANT_VER_MINOR}" ]; then + echo "Expecting helm minimum version ${WANT_VER_MAJOR}.${WANT_VER_MINOR}.x, found ${LONG_VER}" + exit 1 +fi From b49bdfe7dba68bee12b2a76492fb0b347e5d9aca Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 10:47:49 -0400 Subject: [PATCH 25/55] WIP: Add helm to bingo Signed-off-by: Todd Short --- .bingo/Variables.mk | 6 + .bingo/helm.mod | 5 + .bingo/helm.sum | 303 +++++++++++++++++++++++++++++++++++++++++++ .bingo/variables.env | 2 + Makefile | 10 +- 5 files changed, 321 insertions(+), 5 deletions(-) create mode 100644 .bingo/helm.mod create mode 100644 .bingo/helm.sum diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk index f45005fe9..926b0ca2a 100644 
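Review bot: The sed expression assigned to `LONG_VER` in `helm-version-check.sh` expects a digit directly after `Version:"`, but Helm 3 normally reports its version with a leading `v` (`Version:"v3.18.4"`). The pattern then does not match, sed passes the whole line through, and the script ends in the "Invalid helm version" branch even for an acceptable helm. Asking helm for the field and allowing the prefix avoids parsing the struct dump: `LONG_VER=$("${HELM}" version --template '{{.Version}}' | sed -E 's/^v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/')`. That form also quotes `${HELM}`, which the current line leaves open to word splitting. The error message in the invalid-version branch prints `${HELM_VER}`, which expands to the first array element only, so `${LONG_VER}` would show what was actually parsed.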
--- a/.bingo/Variables.mk +++ b/.bingo/Variables.mk @@ -53,6 +53,12 @@ $(GORELEASER): $(BINGO_DIR)/goreleaser.mod @echo "(re)installing $(GOBIN)/goreleaser-v1.26.2" @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=goreleaser.mod -o=$(GOBIN)/goreleaser-v1.26.2 "github.com/goreleaser/goreleaser" +HELM := $(GOBIN)/helm-v3.18.4 +$(HELM): $(BINGO_DIR)/helm.mod + @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. + @echo "(re)installing $(GOBIN)/helm-v3.18.4" + @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=helm.mod -o=$(GOBIN)/helm-v3.18.4 "helm.sh/helm/v3/cmd/helm" + KIND := $(GOBIN)/kind-v0.29.0 $(KIND): $(BINGO_DIR)/kind.mod @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. diff --git a/.bingo/helm.mod b/.bingo/helm.mod new file mode 100644 index 000000000..649a7a624 --- /dev/null +++ b/.bingo/helm.mod @@ -0,0 +1,5 @@ +module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT + +go 1.24.4 + +require helm.sh/helm/v3 v3.18.4 // cmd/helm diff --git a/.bingo/helm.sum b/.bingo/helm.sum new file mode 100644 index 000000000..4477f0392 --- /dev/null +++ b/.bingo/helm.sum 
@@ -0,0 +1,303 @@ +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= +github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= +github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= +github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= +github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE= +github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= 
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= +github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= +github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= +github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 
h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod 
h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 
h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= +github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= +github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= +github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod 
h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.12/go.mod 
h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= +github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 
h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o= +github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= +github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= +github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod 
h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= +golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= +golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= +golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= +golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= +golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= +golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= +golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= +golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod 
h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= +google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= +google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ= +helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI= +k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY= +k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs= +k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8= +k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8= +k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY= +k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= +k8s.io/apiserver v0.33.2 h1:KGTRbxn2wJagJowo29kKBp4TchpO1DRO3g+dB/KOJN4= +k8s.io/apiserver v0.33.2/go.mod h1:9qday04wEAMLPWWo9AwqCZSiIn3OYSZacDyu/AcoM/M= 
+k8s.io/cli-runtime v0.33.2 h1:koNYQKSDdq5AExa/RDudXMhhtFasEg48KLS2KSAU74Y= +k8s.io/cli-runtime v0.33.2/go.mod h1:gnhsAWpovqf1Zj5YRRBBU7PFsRc6NkEkwYNQE+mXL88= +k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E= +k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo= +k8s.io/component-base v0.33.2 h1:sCCsn9s/dG3ZrQTX/Us0/Sx2R0G5kwa0wbZFYoVp/+0= +k8s.io/component-base v0.33.2/go.mod h1:/41uw9wKzuelhN+u+/C59ixxf4tYQKW7p32ddkYNe2k= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= +k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= +k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y= +k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= +k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= +oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= +sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= +sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= +sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= +sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= +sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod 
h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= +sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/.bingo/variables.env b/.bingo/variables.env index 4c3be1e52..4b2163cdb 100644 --- a/.bingo/variables.env +++ b/.bingo/variables.env @@ -20,6 +20,8 @@ GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6" GORELEASER="${GOBIN}/goreleaser-v1.26.2" +HELM="${GOBIN}/helm-v3.18.4" + KIND="${GOBIN}/kind-v0.29.0" KUSTOMIZE="${GOBIN}/kustomize-v5.6.0" diff --git a/Makefile b/Makefile index 717397dce..80fad5a89 100644 --- a/Makefile +++ b/Makefile @@ -146,7 +146,7 @@ KUSTOMIZE_CATD_WEBHOOKS_DIR := helm/olmv1/base/catalogd/webhook KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files # So we have to generate them together and then move them into place -manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. +manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. # Generate CRDs via our own generator hack/tools/update-crds.sh # Generate the remaining operator-controller standard manifests 
@@ -164,10 +164,10 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) hack/tools/helm-version-check.sh - helm template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) - helm template olmv1 helm/olmv1 --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. From 8eac83bc278d4dbdb7010d549dfd7aea550482dd Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 10:48:23 -0400 Subject: [PATCH 26/55] Revert "WIP: Add helm version check" This reverts commit 002c03fa99879a2effe85a461818fce00792fb36. --- Makefile | 1 - hack/tools/helm-version-check.sh | 34 -------------------------------- 2 files changed, 35 deletions(-) delete mode 100755 hack/tools/helm-version-check.sh diff --git a/Makefile b/Makefile index 80fad5a89..a462f64e0 100644 --- a/Makefile +++ b/Makefile 
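Review bot: In the `manifests` recipe, each `$(HELM) template … > $(…_MANIFEST)` line lets the shell truncate the checked-in manifest before Helm runs, so a failed render leaves an empty or partial file in the working tree. These files are stored in source control and are what gets applied to clusters, so render to a temporary file and move it into place only on success, e.g. `$(HELM) template olmv1 helm/olmv1 > $(STANDARD_MANIFEST).tmp && mv $(STANDARD_MANIFEST).tmp $(STANDARD_MANIFEST)`. The unchanged `hack/tools/helm-version-check.sh` line just above also appears to inspect whichever `helm` is on PATH rather than the pinned `$(HELM)`. The recipe starts outside this hunk.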
@@ -163,7 +163,6 @@ manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, Clus ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - hack/tools/helm-version-check.sh $(HELM) template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) $(HELM) template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) $(HELM) template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) diff --git a/hack/tools/helm-version-check.sh b/hack/tools/helm-version-check.sh deleted file mode 100755 index 6dec1d09d..000000000 --- a/hack/tools/helm-version-check.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash - -HELM=$(command -v helm) -if [ -z "${HELM}" ]; then - echo "helm command not found" - exit 1 -fi - -WANT_VER_MAJOR=3 -WANT_VER_MINOR=18 - -LONG_VER=$(${HELM} version | sed -E 's/.*Version:"([0-9]*\.[0-9]*\.[0-9]*)".*/\1/') - -OLDIFS="${IFS}" -IFS='.' HELM_VER=(${LONG_VER}) -IFS="${OLDIFS}" - -if [ ${#HELM_VER[*]} -ne 3 ]; then - echo "Invalid helm version: ${HELM_VER}" - exit 1 -fi - -HELM_MAJOR=${HELM_VER[0]} -HELM_MINOR=${HELM_VER[1]} - -if [ "${HELM_MAJOR}" -ne "${WANT_VER_MAJOR}" ]; then - echo "Expecting helm version ${WANT_VER_MAJOR}.x, found ${LONG_VER}" - exit 1 -fi - -if [ "${HELM_MINOR}" -lt "${WANT_VER_MINOR}" ]; then - echo "Expecting helm minimum version ${WANT_VER_MAJOR}.${WANT_VER_MINOR}.x, found ${LONG_VER}" - exit 1 -fi From 2383c933b5ba2fcd64d19d9f0812b228a333c777 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 11:25:41 -0400 Subject: [PATCH 27/55] WIP: fix e2e: had to rename networkpolicy Signed-off-by: Todd Short --- test/e2e/network_policy_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go index 0f3979d23..f20820351 100644 --- a/test/e2e/network_policy_test.go +++ b/test/e2e/network_policy_test.go 
@@ -182,7 +182,7 @@ func TestNetworkPolicyJustifications(t *testing.T) { allowedNetworkPolicies["operator-controller-default-deny-all-traffic"] = denyAllPolicySpec } else { t.Log("Detected single-namespace configuration, expecting one 'default-deny-all-traffic' policy.") - allowedNetworkPolicies["default-deny-all-traffic"] = denyAllPolicySpec + allowedNetworkPolicies["operator-controller-default-deny-all-traffic"] = denyAllPolicySpec t.Log("Detected single-namespace configuration, expecting 'prometheus' policy.") allowedNetworkPolicies["prometheus"] = prometheuSpec } From ad74ad34b15f8d48086f767bc2638ffd1e1aa704 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 11:32:44 -0400 Subject: [PATCH 28/55] WIP: use 1.24.3 for bingo Signed-off-by: Todd Short --- .bingo/helm.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bingo/helm.mod b/.bingo/helm.mod index 649a7a624..5c54ed421 100644 --- a/.bingo/helm.mod +++ b/.bingo/helm.mod @@ -1,5 +1,5 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT -go 1.24.4 +go 1.24.3 require helm.sh/helm/v3 v3.18.4 // cmd/helm From 31855020be6a1a1ae19126b0672bb57061f1d133 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 13:10:21 -0400 Subject: [PATCH 29/55] WIP: tilt support Signed-off-by: Todd Short --- .tilt-support | 2 +- Tiltfile | 2 +- ...mv1-system-catalogd-controller-manager.yml | 6 ++++++ ...operator-controller-controller-manager.yml | 6 ++++++ helm/olmv1/values.yaml | 2 ++ helm/tilt.yaml | 20 +++++++++++++++++++ 6 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 helm/tilt.yaml diff --git a/.tilt-support b/.tilt-support index 858ad3ef0..9cb01b152 100644 --- a/.tilt-support +++ b/.tilt-support 
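Review bot: In the single-namespace branch of `TestNetworkPolicyJustifications`, the `t.Log` text still says "expecting one 'default-deny-all-traffic' policy" while the key registered on the next line is now `operator-controller-default-deny-all-traffic`, so a failing run logs a name the test does not look for. Update the message to match, e.g. `t.Log("Detected single-namespace configuration, expecting one 'operator-controller-default-deny-all-traffic' policy.")`. After this change both branches register the same deny-all key, so a one-line comment saying that is intentional would help. The `if` branch starts outside the hunk.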
@@ -150,4 +150,4 @@ def deploy_repo(data, tags="", debug=True): local_port = repo['starting_debug_port'] build_binary(reponame, repo['binary'], repo['deps'], repo['image'], tags, debug) k8s_resource(repo['deployment'], port_forwards=['{}:30000'.format(local_port)]) - process_yaml(kustomize(data['yaml'])) + process_yaml(helm('helm/olmv1', name="olmv1", values=[data['yaml']])) diff --git a/Tiltfile b/Tiltfile index 622d7aae6..d736b8f94 100644 --- a/Tiltfile +++ b/Tiltfile @@ -17,7 +17,7 @@ olmv1 = { 'starting_debug_port': 30000, }, }, - 'yaml': 'config/overlays/tilt-local-dev', + 'yaml': 'helm/tilt.yaml', } deploy_repo(olmv1, '-tags containers_image_openpgp') diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 8e780d230..c7c0d1e85 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -54,7 +54,9 @@ spec: - linux containers: - args: + {{- if not .Values.features.tilt.enabled }} - --leader-elect + {{- end }} - --metrics-bind-address=:7443 - --external-address=catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc {{- if .Values.features.apiV1MetasHandler.enabled }} @@ -82,19 +84,23 @@ spec: {{- end }} image: "{{ .Values.components.catalogd.deployment.image }}" imagePullPolicy: {{ .Values.components.catalogd.deployment.imagePullPolicy }} + {{- if not .Values.features.tilt.enabled }} livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 + {{- end }} name: manager + {{- if not .Values.features.tilt.enabled }} readinessProbe: httpGet: path: /readyz port: 8081 initialDelaySeconds: 5 periodSeconds: 10 + {{- end }} resources: requests: cpu: 100m 
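Review bot: `deploy_repo` in `.tilt-support` now passes `data['yaml']` to `helm(...)` as a values file, but the key name still reads as a path to renderable YAML (it was a kustomize overlay directory before). Add a comment at the call such as `# data['yaml'] is a Helm values file layered over helm/olmv1/values.yaml`, or rename the key in a follow-up. As far as I know Tilt's `helm()` built-in renders with whatever `helm` is on PATH, so local-dev output is not tied to the bingo-pinned `$(HELM)` that the Makefile uses; that is worth a line in the developer docs. The function body starts outside the hunk.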
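Review bot: `features.tilt.enabled` in `29-deployment-olmv1-system-catalogd-controller-manager.yml` removes `--leader-elect` and both the liveness and readiness probes from the shipped chart, and nothing in the change marks the switch as development-only. The same toggle is applied in `30-deployment-olmv1-system-operator-controller-controller-manager.yml`. Anyone who sets it on a real cluster gets managers with no leader election and no health checking. Document it where it is declared in `helm/olmv1/values.yaml`, e.g. `# Local development with Tilt only: disables leader election and health probes.`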
diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index fab0c6034..7b7701322 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -55,7 +55,9 @@ spec: - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 + {{- if not .Values.features.tilt.enabled }} - --leader-elect + {{- end }} {{- if .Values.features.apiV1MetasHandler.enabled }} - --feature-gates=WebhookProviderCertManager=true {{- end }} @@ -92,19 +94,23 @@ spec: image: "{{ .Values.components.operatorController.deployment.image }}" image: quay.io/operator-framework/operator-controller:devel imagePullPolicy: {{ .Values.components.operatorController.deployment.imagePullPolicy }} + {{- if not .Values.features.tilt.enabled }} livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 + {{- end }} name: manager + {{- if not .Values.features.tilt.enabled }} readinessProbe: httpGet: path: /readyz port: 8081 initialDelaySeconds: 5 periodSeconds: 10 + {{- end }} resources: requests: cpu: 10m diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 289ef9593..7935dbecf 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -52,6 +52,8 @@ components: enabled: false features: + tilt: + enabled: false apiV1MetasHandler: enabled: false webhookProviderCertManager: diff --git a/helm/tilt.yaml b/helm/tilt.yaml new file mode 100644 index 000000000..84ebb09b5 --- /dev/null +++ b/helm/tilt.yaml 
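Review bot: The context lines of the second hunk in `30-deployment-olmv1-system-operator-controller-controller-manager.yml` appear to set `image:` twice on the manager container, first from `.Values.components.operatorController.deployment.image` and then as the literal `quay.io/operator-framework/operator-controller:devel`. With a duplicate mapping key, YAML consumers typically keep the last value or reject the document, so the configured image would be ignored in favour of a mutable `devel` tag. Drop the hard-coded line so that only `image: "{{ .Values.components.operatorController.deployment.image }}"` remains. The container spec starts and ends outside the hunk.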
@@ -0,0 +1,20 @@ +# experimental values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +features: + tilt: + enabled: true + apiV1MetasHandler: + enabled: true + webhookProviderCertManager: + enabled: true + singleOwnNamespaceInstallSupport: + enabled: true + preflightPermissions: + enabled: true + helmChartSupport: + enabled: true + +# This can be one of: standard or experimental +featureSet: experimental From 4c3f03f6d54026ed9fd6563b5487672043d9c298 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 14:44:20 -0400 Subject: [PATCH 30/55] WIP: add kustomize dependency to prometheus Signed-off-by: Todd Short --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a462f64e0..263f1eea6 100644 --- a/Makefile +++ b/Makefile @@ -286,7 +286,7 @@ test-experimental-e2e: run image-registry prometheus experimental-e2e e2e e2e-me .PHONY: prometheus prometheus: PROMETHEUS_NAMESPACE := olmv1-system prometheus: PROMETHEUS_VERSION := v0.83.0 -prometheus: #EXHELP Deploy Prometheus into specified namespace +prometheus: $(KUSTOMIZE) #EXHELP Deploy Prometheus into specified namespace ./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION) # The output alerts.out file contains any alerts, pending or firing, collected during a test run in json format. From 0b897d7561458f06f16c898d0c38683e890697ea Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 16:00:33 -0400 Subject: [PATCH 31/55] Revert "WIP: fix e2e: had to rename networkpolicy" This reverts commit 2c4b525380e1c5480cf757c87a9f5acaa7f130f6. --- test/e2e/network_policy_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go index f20820351..0f3979d23 100644 --- a/test/e2e/network_policy_test.go +++ b/test/e2e/network_policy_test.go 
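Review bot: The header of the new `helm/tilt.yaml` still reads `# experimental values for OLMv1.`, which looks copied from `helm/experimental.yaml` and does not say what this file is for. Replace it with something like `# Values for local development with Tilt: experimental feature set, leader election and health probes disabled.` so that nobody picks it up as a deployable profile.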
@@ -182,7 +182,7 @@ func TestNetworkPolicyJustifications(t *testing.T) { allowedNetworkPolicies["operator-controller-default-deny-all-traffic"] = denyAllPolicySpec } else { t.Log("Detected single-namespace configuration, expecting one 'default-deny-all-traffic' policy.") - allowedNetworkPolicies["operator-controller-default-deny-all-traffic"] = denyAllPolicySpec + allowedNetworkPolicies["default-deny-all-traffic"] = denyAllPolicySpec t.Log("Detected single-namespace configuration, expecting 'prometheus' policy.") allowedNetworkPolicies["prometheus"] = prometheuSpec } From f23dfb7217aff34dfa03c71be6ea19bf68c8fda5 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 16:25:40 -0400 Subject: [PATCH 32/55] WIP: redo default network policy Signed-off-by: Todd Short --- ...rkpolicy-olmv1-system-default-deny-all-traffic.yml | 2 +- helm/olmv1/templates/_helpers.tpl | 11 +++++++++++ manifests/experimental-e2e.yaml | 2 +- manifests/experimental.yaml | 2 +- manifests/standard-e2e.yaml | 2 +- manifests/standard.yaml | 2 +- 6 files changed, 16 insertions(+), 5 deletions(-) diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml index 0f7be2558..dddcd90c1 100644 --- a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} - name: operator-controller-default-deny-all-traffic + name: {{ include "component.name.prefix" . -}}default-deny-all-traffic namespace: {{ .Values.namespaces.olmv1.name }} spec: podSelector: {} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index f0387c1ca..8ddb4846a 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -12,6 +12,17 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Return the name of the active component for a prefix, but _only_ if one is enabled +*/}} +{{- define "component.name.prefix" -}} +{{- if and (.Values.components.operatorController.enabled) (not .Values.components.catalogd.enabled) }} +operator-controller- +{{- else if and (not .Values.components.operatorController.enabled) (.Values.components.catalogd.enabled) }} +catalogd- +{{- end }} +{{- end }} + {{/* Common labels */}} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index ae3d3aaf9..dbdc34b02 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-default-deny-all-traffic + name: default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 1b3d045ef..11f1123dc 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-default-deny-all-traffic + name: default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 0867eacca..16a95a4fe 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-default-deny-all-traffic + name: default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} 
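Review bot: The new helper in `_helpers.tpl` is named `component.name.prefix`, while the helpers this file already uses are chart-scoped (`olmv1.chart`, `olmv1.labels`). Helm template names are global across a chart and its subcharts, so `{{- define "olmv1.component.name.prefix" -}}`, with the matching `include` in the default-deny NetworkPolicy template, would avoid a collision. The comment above it would be more precise as `Return the component name prefix only when exactly one of operatorController/catalogd is enabled; empty otherwise`, since that is what the two branches do. Because the result becomes part of the default-deny NetworkPolicy's name, toggling a component renames that policy, which is worth a line in the comment for anyone matching on the name, as the e2e test does.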
diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 50a68f560..aa277a2a3 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -62,7 +62,7 @@ metadata: app.kubernetes.io/version: "1.3.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: olm - name: operator-controller-default-deny-all-traffic + name: default-deny-all-traffic namespace: olmv1-system spec: podSelector: {} From ee8fd54ab50769aa8f272b73da5b28e5d0a939c3 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 16:39:43 -0400 Subject: [PATCH 33/55] WIP: Fix prefix Signed-off-by: Todd Short --- helm/olmv1/templates/_helpers.tpl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 8ddb4846a..f498341d1 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -16,12 +16,12 @@ Create chart name and version as used by the chart label. Return the name of the active component for a prefix, but _only_ if one is enabled */}} {{- define "component.name.prefix" -}} -{{- if and (.Values.components.operatorController.enabled) (not .Values.components.catalogd.enabled) }} +{{- if and (.Values.components.operatorController.enabled) (not .Values.components.catalogd.enabled) -}} operator-controller- -{{- else if and (not .Values.components.operatorController.enabled) (.Values.components.catalogd.enabled) }} +{{- else if and (not .Values.components.operatorController.enabled) (.Values.components.catalogd.enabled) -}} catalogd- -{{- end }} -{{- end }} +{{- end -}} +{{- end -}} {{/* Common labels From a2feff796063185316cd516b51c4a4fcaeb5fd72 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 17:04:33 -0400 Subject: [PATCH 34/55] WIP: Add webhook annotations config 
Signed-off-by: Todd Short --- hack/tools/patch-base-for-helm.sh | 4 ++-- .../base/catalogd/webhook/experimental/manifests.yaml | 2 +- helm/olmv1/base/catalogd/webhook/standard/manifests.yaml | 2 +- helm/olmv1/templates/_helpers.tpl | 7 +++++++ helm/olmv1/values.yaml | 3 +++ 5 files changed, 14 insertions(+), 4 deletions(-) diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh index f00f24092..eca6b0aa1 100755 --- a/hack/tools/patch-base-for-helm.sh +++ b/hack/tools/patch-base-for-helm.sh @@ -36,8 +36,7 @@ catalogd_webhook_filelist=( for f in "${catalogd_webhook_filelist[@]}"; do yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}" yq -i '.metadata.name = "catalogd-mutating-webhook-configuration"' "${f}" - # This really only applies to cert-manager configs, but it's an annotation - yq -i '.metadata.annotations["cert-manager.io/inject-ca-from-secret"] = "cert-manager/olmv1-ca"' "${f}" + yq -i '.metadata.annotations["catalogd-webhook-annotations"] = "replaceMe"' "${f}" yq -i '.webhooks[0].clientConfig.service.namespace = "olmv1-system"' "${f}" yq -i '.webhooks[0].clientConfig.service.name = "catalogd-service"' "${f}" yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}" @@ -65,6 +64,7 @@ for f in "${filelist[@]}"; do yq -i '.metadata.labels.replaceMe = "labels"' "${f}" # Replace with helm template - must be done last or yq will complain about the file format sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}" + sed -i.bak 's/catalogd-webhook-annotations: replaceMe/{{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }}/g' "${f}" sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}" sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}" sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}" 
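Review bot: Nothing in the second hunk verifies that the new `catalogd-webhook-annotations: replaceMe` placeholder was actually substituted. The `sed` only matches if yq serialises the key and value exactly that way; on a miss, the placeholder annotation lands in the webhook manifest instead of the CA-injection annotation that this change removes from the script. A guard after the `sed` calls would catch that, e.g. `if grep -q 'replaceMe' "${f}"; then echo "unreplaced placeholder in ${f}" >&2; exit 1; fi`. The `for f in "${filelist[@]}"` loop continues past the hunk, so such a check may already exist further down.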
diff --git a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml index d32a0719f..e4f243f1c 100644 --- a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml +++ b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: diff --git a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml index d32a0719f..e4f243f1c 100644 --- a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml +++ b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index f498341d1..193403611 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -43,6 +43,13 @@ Common annoations olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}} {{- end }} +{{/* +Annotations for Catalogd Webhooks +*/}} +{{- define "olmv1.catalogd.webhook.annotations" -}} +cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca +{{- end }} + {{/* Insertion of additional rules for RBAC */}} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 7935dbecf..6de04f978 100644 --- a/helm/olmv1/values.yaml 
+++ b/helm/olmv1/values.yaml @@ -46,6 +46,9 @@ components: rules: [] role: rules: [] + webhook: + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca certManager: enabled: true e2e: From 3b47559cc5498e88c8a4b8fbbbf336beef1cd3e9 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 24 Jul 2025 17:24:57 -0400 Subject: [PATCH 35/55] WIP: fix webhook annotations Signed-off-by: Todd Short --- Makefile | 8 ++++---- helm/olmv1/templates/_helpers.tpl | 4 +++- helm/olmv1/values.yaml | 3 +-- helm/standard.yaml | 10 ++++++++++ 4 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 helm/standard.yaml diff --git a/Makefile b/Makefile index 263f1eea6..70a27681f 100644 --- a/Makefile +++ b/Makefile @@ -163,10 +163,10 @@ manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, Clus ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - $(HELM) template olmv1 helm/olmv1 > $(STANDARD_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. 
diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 193403611..603e63daa 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -47,7 +47,9 @@ olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.co Annotations for Catalogd Webhooks */}} {{- define "olmv1.catalogd.webhook.annotations" -}} -cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca +{{- with .Values.components.catalogd.webhook.annotations }} +{{- toYamlPretty . }} +{{- end }} {{- end }} {{/* diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 6de04f978..1ab62e828 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -47,8 +47,7 @@ components: role: rules: [] webhook: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + annotations: {} certManager: enabled: true e2e: diff --git a/helm/standard.yaml b/helm/standard.yaml new file mode 100644 index 000000000..45275a51c --- /dev/null +++ b/helm/standard.yaml @@ -0,0 +1,10 @@ +# Default values for OLMv1. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# List of components to include +components: + catalogd: + webhook: + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca From 1d14342bd04f3bc871f2d316e254ca9d99de68de Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 25 Jul 2025 13:56:48 -0400 Subject: [PATCH 36/55] WIP: rename standard values file to cert-manager Signed-off-by: Todd Short --- Makefile | 8 ++++---- helm/{standard.yaml => cert-manager.yaml} | 2 ++ helm/olmv1/values.yaml | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) rename helm/{standard.yaml => cert-manager.yaml} (89%) diff --git a/Makefile b/Makefile index 70a27681f..f767498d9 100644 --- a/Makefile +++ b/Makefile 
@@ -163,10 +163,10 @@ manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, Clus ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) - $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml > $(STANDARD_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) - $(HELM) template olmv1 helm/olmv1 --values helm/standard.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml > $(STANDARD_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/helm/standard.yaml b/helm/cert-manager.yaml similarity index 89% rename from helm/standard.yaml rename to helm/cert-manager.yaml index 45275a51c..e3219f4e9 100644 --- a/helm/standard.yaml +++ b/helm/cert-manager.yaml @@ -8,3 +8,5 @@ components: webhook: annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + certManager: + enabled: true diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 1ab62e828..0324898a5 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -49,7 +49,7 @@ components: webhook: annotations: {} certManager: - enabled: true + enabled: false e2e: enabled: false 
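Review bot: With `certManager.enabled` flipped to `false` in the `values.yaml` hunk, and `webhook.annotations` already defaulting to `{}`, a render with chart defaults puts no `cert-manager.io/inject-ca-from-secret` annotation on the catalogd mutating webhook. Only runs that pass `--values helm/cert-manager.yaml` get it. Without an injected `caBundle` the API server checks the webhook's serving certificate against its system trust roots, so a privately issued certificate would fail verification; whether the webhook is rendered at all in that mode is not visible in this hunk. I would document the requirement next to the default, e.g. `# certManager: when disabled, supply webhook.annotations or a caBundle by other means`, or have the template `fail` when the webhook is enabled with neither.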
From 8bc11b6f1ba527a7fa20640da8285bbfda3d868f Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 11:25:54 -0400 Subject: [PATCH 37/55] WIP: Remove helm labels Signed-off-by: Todd Short --- helm/olmv1/templates/_helpers.tpl | 8 +- manifests/experimental-e2e.yaml | 347 +++++++++++++++--------------- manifests/experimental.yaml | 323 ++++++++++++++------------- manifests/standard-e2e.yaml | 347 +++++++++++++++--------------- manifests/standard.yaml | 323 ++++++++++++++------------- 5 files changed, 668 insertions(+), 680 deletions(-) diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 603e63daa..60cbe642a 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -27,12 +27,12 @@ catalogd- Common labels */}} {{- define "olmv1.labels" -}} -helm.sh/chart: {{ include "olmv1.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +{{/* helm.sh/chart: {{ include "olmv1.chart" . }} */}} +{{/* app.kubernetes.io/instance: {{ .Release.Name }} */}} {{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{/* app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} */}} {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} +{{/* app.kubernetes.io/managed-by: {{ .Release.Service }} */}} app.kubernetes.io/part-of: olm {{- end }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index dbdc34b02..0ba4cafcf 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -7,10 +7,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest 
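Review bot: In the `olmv1.labels` hunk the four Helm labels are disabled by wrapping them in `{{/* … */}}` without whitespace trimming, so each one still emits an empty line. That is what shows up as the runs of blank `+` lines inside the `labels:` blocks of the regenerated manifests in this commit. The `{{- if .Chart.AppVersion }}` … `{{- end }}` pair now guards only a comment. Deleting the four lines and the `if`, or using the trimming form `{{- /* … */ -}}`, would keep the rendered label blocks compact.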
@@ -24,10 +24,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -57,10 +57,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -78,10 +78,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -107,10 +107,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -123,10 +123,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system 
@@ -144,10 +144,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-registries-conf namespace: olmv1-system @@ -160,10 +160,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-coverage namespace: olmv1-system @@ -184,10 +184,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e name: clustercatalogs.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -590,10 +590,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e name: clusterextensions.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1166,10 +1166,10 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e 
@@ -1208,10 +1208,10 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1278,10 +1278,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1298,10 +1298,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: @@ -1326,10 +1326,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1354,10 +1354,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: 
@@ -1378,10 +1378,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1398,10 +1398,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1426,10 +1426,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1449,10 +1449,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1472,10 +1472,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: 
@@ -1495,10 +1495,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1518,10 +1518,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1566,10 +1566,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1592,10 +1592,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1640,10 +1640,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e 
@@ -1678,10 +1678,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1702,10 +1702,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1726,10 +1726,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system @@ -1750,10 +1750,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1775,10 +1775,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system 
@@ -1808,10 +1808,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1832,10 +1832,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-coverage-copy-pod namespace: olmv1-system @@ -1878,10 +1878,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1899,10 +1899,10 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -2008,10 +2008,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system 
@@ -2028,10 +2028,10 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -2144,10 +2144,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2160,7 +2160,6 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2175,10 +2174,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2193,7 +2192,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2205,10 +2203,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2222,7 +2220,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-cert --- 
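Review bot: Three hunks on this line (`@@ -2160,7 +2160,6 @@`, `@@ -2193,7 +2192,6 @@`, `@@ -2222,7 +2220,6 @@`) drop `rotationPolicy: Always` from the `privateKey` of the `olmv1-ca`, `catalogd-service-cert` and `olmv1-cert` Certificates, which the commit title (removing Helm labels) does not cover. Without the field, whether a renewal issues a fresh private key depends on the installed cert-manager version's default, which may reuse the existing key. Since this file is generated, the fix likely belongs in the chart's Certificate templates, which are not shown here: restore `rotationPolicy: Always` under `privateKey` and regenerate.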
@@ -2234,10 +2231,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2252,10 +2249,10 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2269,10 +2266,10 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 11f1123dc..96e626158 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -7,10 +7,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest @@ -24,10 +24,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system 
@@ -57,10 +57,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -78,10 +78,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -107,10 +107,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -123,10 +123,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -141,10 +141,10 @@ metadata: olm.operatorframework.io/feature-set: experimental name: clustercatalogs.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io 
@@ -547,10 +547,10 @@ metadata: olm.operatorframework.io/feature-set: experimental name: clusterextensions.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1123,10 +1123,10 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1165,10 +1165,10 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1235,10 +1235,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1255,10 +1255,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: 
@@ -1283,10 +1283,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1311,10 +1311,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1335,10 +1335,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1355,10 +1355,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1383,10 +1383,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: 
@@ -1406,10 +1406,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1429,10 +1429,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: @@ -1452,10 +1452,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1475,10 +1475,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1523,10 +1523,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental 
@@ -1549,10 +1549,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1597,10 +1597,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1635,10 +1635,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1659,10 +1659,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1683,10 +1683,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system 
@@ -1707,10 +1707,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1732,10 +1732,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1765,10 +1765,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1791,10 +1791,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1812,10 +1812,10 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: 
@@ -1913,10 +1913,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -1933,10 +1933,10 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -2036,10 +2036,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2052,7 +2052,6 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2067,10 +2066,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2085,7 +2084,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- 
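Review bot: Removing `rotationPolicy: Always` from `privateKey` in the `olmv1-ca` Certificate (hunk `@@ -2052,7 +2052,6 @@`) leaves key rotation to the cert-manager default. That default was `Never` before cert-manager 1.18, so on an older cert-manager the CA key and the serving keys would be reused on every renewal. The same line is removed for `catalogd-service-cert` (`@@ -2085,7 +2084,6 @@`) and `olmv1-cert` (`@@ -2114,7 +2112,6 @@`), and for all three certificates in `manifests/standard-e2e.yaml`. Unless the removal is intentional, keep `rotationPolicy: Always` under `privateKey` in the chart's certificate templates so the rendered manifests do not depend on the installed cert-manager version. The `spec` blocks start and end outside these hunks.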
@@ -2097,10 +2095,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2114,7 +2112,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-cert --- @@ -2126,10 +2123,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2144,10 +2141,10 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2161,10 +2158,10 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 16a95a4fe..570e26f2b 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
@@ -7,10 +7,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest @@ -24,10 +24,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -57,10 +57,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -78,10 +78,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -107,10 +107,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system 
@@ -123,10 +123,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -144,10 +144,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-registries-conf namespace: olmv1-system @@ -160,10 +160,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-coverage namespace: olmv1-system @@ -184,10 +184,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e name: clustercatalogs.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -590,10 +590,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e name: clusterextensions.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io 
@@ -1166,10 +1166,10 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1208,10 +1208,10 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1278,10 +1278,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1298,10 +1298,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: @@ -1326,10 +1326,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: 
@@ -1354,10 +1354,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1378,10 +1378,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1398,10 +1398,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1426,10 +1426,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1449,10 +1449,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: 
@@ -1472,10 +1472,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: @@ -1495,10 +1495,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1518,10 +1518,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1566,10 +1566,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1592,10 +1592,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system 
@@ -1640,10 +1640,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1678,10 +1678,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1702,10 +1702,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1726,10 +1726,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system @@ -1750,10 +1750,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system 
@@ -1775,10 +1775,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1808,10 +1808,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1832,10 +1832,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: e2e-coverage-copy-pod namespace: olmv1-system @@ -1878,10 +1878,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1899,10 +1899,10 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: 
@@ -2007,10 +2007,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -2027,10 +2027,10 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -2139,10 +2139,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2155,7 +2155,6 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2170,10 +2169,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2188,7 +2187,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- 
@@ -2200,10 +2198,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2217,7 +2215,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-cert --- @@ -2229,10 +2226,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2247,10 +2244,10 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2264,10 +2261,10 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/standard.yaml b/manifests/standard.yaml index aa277a2a3..433b6a3c7 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml 
@@ -7,10 +7,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce-version: latest @@ -24,10 +24,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -57,10 +57,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -78,10 +78,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -107,10 +107,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system 
@@ -123,10 +123,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -141,10 +141,10 @@ metadata: olm.operatorframework.io/feature-set: standard name: clustercatalogs.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -547,10 +547,10 @@ metadata: olm.operatorframework.io/feature-set: standard name: clusterextensions.olm.operatorframework.io labels: - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1123,10 +1123,10 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1165,10 +1165,10 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard 
@@ -1235,10 +1235,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1255,10 +1255,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: @@ -1283,10 +1283,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1311,10 +1311,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1335,10 +1335,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: 
@@ -1355,10 +1355,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1383,10 +1383,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1406,10 +1406,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1429,10 +1429,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: @@ -1452,10 +1452,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: 
@@ -1475,10 +1475,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1523,10 +1523,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1549,10 +1549,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1597,10 +1597,10 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1635,10 +1635,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system 
@@ -1659,10 +1659,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1683,10 +1683,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system @@ -1707,10 +1707,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1732,10 +1732,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1765,10 +1765,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system 
@@ -1791,10 +1791,10 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1812,10 +1812,10 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -1912,10 +1912,10 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -1932,10 +1932,10 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm spec: affinity: @@ -2031,10 +2031,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2047,7 +2047,6 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: 
@@ -2062,10 +2061,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2080,7 +2079,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2092,10 +2090,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2109,7 +2107,6 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA - rotationPolicy: Always size: 256 secretName: olmv1-cert --- @@ -2121,10 +2118,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2139,10 +2136,10 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager 
@@ -2156,10 +2153,10 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - helm.sh/chart: olmv1-0.1.0 - app.kubernetes.io/instance: olmv1 - app.kubernetes.io/version: "1.3.0" - app.kubernetes.io/managed-by: Helm + + + + app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca From b80731483941d6438f82ac85f19d7d2cbf609919 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 11:31:00 -0400 Subject: [PATCH 38/55] WIP: add rotationPolicy to certs Signed-off-by: Todd Short --- helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml | 1 + .../32-certificate-olmv1-system-catalogd-service-cert.yml | 1 + .../olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml | 1 + manifests/experimental-e2e.yaml | 3 +++ manifests/experimental.yaml | 3 +++ manifests/standard-e2e.yaml | 3 +++ manifests/standard.yaml | 3 +++ 7 files changed, 15 insertions(+) diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml index 8118e1f4a..d0b232597 100644 --- a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml +++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml @@ -18,6 +18,7 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: diff --git a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml index 8291a9343..1b2bc9132 100644 --- a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml +++ b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml @@ -20,6 +20,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version {{- end }} 
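Review bot: `rotationPolicy: Always` on the `olmv1-ca` Certificate in 31-certificate-cert-manager-olmv1-ca.yml regenerates the CA private key at every renewal, and nothing in the chart documents what happens to the leaf certificates afterwards. `catalogd-service-cert` and `olmv1-cert` use `olmv1-ca` as their issuer, so after a CA renewal they stay signed by the old key until they are reissued; as far as I know cert-manager does not reissue leaves automatically when an issuer's CA changes, which is worth confirming against the cert-manager version in use. The webhook's `cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca` annotation follows the new CA straight away, so there may be a window in which the injected bundle no longer verifies the serving certificate. I would add a template comment such as `# CA key rotates on renewal; leaf certs must be reissued before the old CA leaves the trust bundle` and cover the renewal path in an e2e check. The same setting on the two leaf templates (32-, 33-) looks fine as written.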
diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml index fcb6de3e2..571972019 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +++ b/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml @@ -19,6 +19,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-cert {{- end }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 0ba4cafcf..5467daacd 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -2160,6 +2160,7 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2192,6 +2193,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2220,6 +2222,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-cert --- diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 96e626158..fb56d4ca5 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -2052,6 +2052,7 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2084,6 +2085,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2112,6 +2114,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-cert --- diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 570e26f2b..8177be5a8 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
@@ -2155,6 +2155,7 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2187,6 +2188,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2215,6 +2217,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-cert --- diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 433b6a3c7..240fcd4f7 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -2047,6 +2047,7 @@ spec: name: self-sign-issuer privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-ca secretTemplate: @@ -2079,6 +2080,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: catalogd-service-cert-git-version --- @@ -2107,6 +2109,7 @@ spec: name: olmv1-ca privateKey: algorithm: ECDSA + rotationPolicy: Always size: 256 secretName: olmv1-cert --- From 4b7376f16ef6988cd5a858d4fc093d0dcdb0b824 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 11:52:21 -0400 Subject: [PATCH 39/55] WIP: Remove generation of rbac and webhooks Signed-off-by: Todd Short --- Makefile | 10 ---- hack/tools/patch-base-for-helm.sh | 48 ------------------- .../core/clustercatalog_controller.go | 6 --- .../webhook/cluster_catalog_webhook.go | 4 -- .../controllers/clustercatalog_controller.go | 2 - .../clusterextension_controller.go | 11 ----- 6 files changed, 81 deletions(-) diff --git a/Makefile b/Makefile index f767498d9..bf76be15b 100644 --- a/Makefile +++ b/Makefile 
@@ -149,16 +149,6 @@ KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. # Generate CRDs via our own generator hack/tools/update-crds.sh - # Generate the remaining operator-controller standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard - # Generate the remaining operator-controller experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental - # Generate the remaining catalogd standard manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard - # Generate the remaining catalogd experimental manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental # Update base config to include helm templates ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh index eca6b0aa1..dd62e2c8e 100755 --- a/hack/tools/patch-base-for-helm.sh 
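Review bot: The `manifests` target's `#EXHELP` text still says it generates WebhookConfiguration and ClusterRole objects, but after this hunk only `hack/tools/update-crds.sh` and the helm patch step remain, so the description should become something like `#EXHELP Generate CustomResourceDefinition objects and render the helm manifests.` `KUSTOMIZE_OPCON_RBAC_DIR` (the context line above the target) loses its only visible use here and, unless it is referenced elsewhere in the Makefile, can be dropped together with the other RBAC and webhook directory variables the removed lines used. The same kind of leftover is in hack/tools/patch-base-for-helm.sh, where the `# Patch catalogd rbac` comment now sits directly above `# Patch everything generically` with no code under it. The target body continues outside the hunk.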
+++ b/hack/tools/patch-base-for-helm.sh 
@@ -7,53 +7,11 @@ # YAML once helm templating has been added. # Patch catalogd rbac -catalogd_rbac_filelist=( - helm/olmv1/base/catalogd/rbac/experimental/*.yaml - helm/olmv1/base/catalogd/rbac/standard/*.yaml -) -for f in "${catalogd_rbac_filelist[@]}"; do - yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}" - yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "catalogd-role-rules"})' "${f}" - yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "catalogd-cluster-role-rules"})' "${f}" -done - -# Patch operator-controller rbac -operator_controller_rbac_filelist=( - helm/olmv1/base/operator-controller/rbac/experimental/*.yaml - helm/olmv1/base/operator-controller/rbac/standard/*.yaml -) -for f in "${operator_controller_rbac_filelist[@]}"; do - yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}" - yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "operator-controller-role-rules"})' "${f}" - yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "operator-controller-cluster-role-rules"})' "${f}" -done - -# Patch catalogd webhook -catalogd_webhook_filelist=( - helm/olmv1/base/catalogd/webhook/experimental/*.yaml - helm/olmv1/base/catalogd/webhook/standard/*.yaml -) -for f in "${catalogd_webhook_filelist[@]}"; do - yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}" - yq -i '.metadata.name = "catalogd-mutating-webhook-configuration"' "${f}" - yq -i '.metadata.annotations["catalogd-webhook-annotations"] = "replaceMe"' "${f}" - yq -i '.webhooks[0].clientConfig.service.namespace = "olmv1-system"' "${f}" - yq -i '.webhooks[0].clientConfig.service.name = "catalogd-service"' "${f}" - yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}" - yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}" - yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && 
(!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}" -done # Patch everything generically filelist=( - helm/olmv1/base/catalogd/rbac/experimental/*.yaml - helm/olmv1/base/catalogd/rbac/standard/*.yaml helm/olmv1/base/catalogd/crd/experimental/*.yaml helm/olmv1/base/catalogd/crd/standard/*.yaml - helm/olmv1/base/catalogd/webhook/experimental/*.yaml - helm/olmv1/base/catalogd/webhook/standard/*.yaml - helm/olmv1/base/operator-controller/rbac/experimental/*.yaml - helm/olmv1/base/operator-controller/rbac/standard/*.yaml helm/olmv1/base/operator-controller/crd/experimental/*.yaml helm/olmv1/base/operator-controller/crd/standard/*.yaml ) @@ -64,13 +22,7 @@ for f in "${filelist[@]}"; do yq -i '.metadata.labels.replaceMe = "labels"' "${f}" # Replace with helm template - must be done last or yq will complain about the file format sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}" - sed -i.bak 's/catalogd-webhook-annotations: replaceMe/{{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }}/g' "${f}" sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}" - sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}" - sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}" - sed -i.bak 's/- replaceMe: catalogd-cluster-role-rules/{{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}/g' "${f}" - sed -i.bak 's/- replaceMe: operator-controller-role-rules/{{- include "olmv1.operatorController.role.rules" . | nindent 2 }}/g' "${f}" - sed -i.bak 's/- replaceMe: operator-controller-cluster-role-rules/{{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}/g' "${f}" # Delete sed's backup file rm -f "${f}.bak" done 
diff --git a/internal/catalogd/controllers/core/clustercatalog_controller.go b/internal/catalogd/controllers/core/clustercatalog_controller.go index 32ed52e0a..b720af850 100644 --- a/internal/catalogd/controllers/core/clustercatalog_controller.go +++ b/internal/catalogd/controllers/core/clustercatalog_controller.go @@ -76,12 +76,6 @@ type storedCatalogData struct { observedGeneration int64 } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs/finalizers,verbs=update -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=get;list;watch -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch - // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. // diff --git a/internal/catalogd/webhook/cluster_catalog_webhook.go b/internal/catalogd/webhook/cluster_catalog_webhook.go index a19a62e73..3aea45d5d 100644 --- a/internal/catalogd/webhook/cluster_catalog_webhook.go +++ b/internal/catalogd/webhook/cluster_catalog_webhook.go 
@@ -11,10 +11,6 @@ import ( ocv1 "github.com/operator-framework/operator-controller/api/v1" ) -// +kubebuilder:webhook:admissionReviewVersions={v1},failurePolicy=Fail,groups=olm.operatorframework.io,mutating=true,name=inject-metadata-name.olm.operatorframework.io,path=/mutate-olm-operatorframework-io-v1-clustercatalog,resources=clustercatalogs,verbs=create;update,versions=v1,sideEffects=None,timeoutSeconds=10 - -// +kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch;patch;update - // ClusterCatalog wraps the external v1.ClusterCatalog type and implements admission.Defaulter type ClusterCatalog struct{} diff --git a/internal/operator-controller/controllers/clustercatalog_controller.go b/internal/operator-controller/controllers/clustercatalog_controller.go index bd4e82787..0654d83e7 100644 --- a/internal/operator-controller/controllers/clustercatalog_controller.go +++ b/internal/operator-controller/controllers/clustercatalog_controller.go @@ -45,8 +45,6 @@ type ClusterCatalogReconciler struct { CatalogCachePopulator CatalogCachePopulator } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=get;list;watch - func (r *ClusterCatalogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { l := log.FromContext(ctx).WithName("cluster-catalog") ctx = log.IntoContext(ctx, l) diff --git a/internal/operator-controller/controllers/clusterextension_controller.go b/internal/operator-controller/controllers/clusterextension_controller.go index 24824bfd1..fb278a1c3 100644 --- a/internal/operator-controller/controllers/clusterextension_controller.go +++ b/internal/operator-controller/controllers/clusterextension_controller.go 
@@ -90,17 +90,6 @@ type InstalledBundleGetter interface { GetInstalledBundle(ctx context.Context, ext *ocv1.ClusterExtension) (*InstalledBundle, error) } -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions,verbs=get;list;watch;update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/status,verbs=update;patch -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensions/finalizers,verbs=update -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=secrets,verbs=create;update;patch;delete;deletecollection;get;list;watch -//+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create -//+kubebuilder:rbac:namespace=olmv1-system,groups=core,resources=serviceaccounts,verbs=get;list;watch -//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get -//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch - -//+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch - // The operator controller needs to watch all the bundle objects and reconcile accordingly. Though not ideal, but these permissions are required. // This has been taken from rukpak, and an issue was created before to discuss it: https://github.com/operator-framework/rukpak/issues/800. func (r *ClusterExtensionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { From 53f4c5614a44e110b59771efff6ad6847775925f Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 12:05:56 -0400 Subject: [PATCH 40/55] WIP: pull rbac/webhooks back into templates 
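Review bot: The retained comment above `ClusterExtensionReconciler.Reconcile` ("Though not ideal, but these permissions are required") now points at nothing, because the `//+kubebuilder:rbac` markers it described are removed in this hunk. With the markers also gone from the catalogd controller, the webhook and `ClusterCatalogReconciler`, the granted permissions live only in the helm chart's role files, and nothing visible in this commit checks them against what the reconcilers actually call. I would reword the comment to say where the RBAC is now maintained, e.g. `// RBAC for this controller is maintained by hand in the helm chart's operator-controller role templates; update them when the reconciler's API access changes.`, and consider a CI check that fails when a rendered role gains or loses rules unexpectedly. Reconcile's body is outside the hunk.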
Signed-off-by: Todd Short --- .../base/catalogd/rbac/standard/role.yaml | 60 -------- .../webhook/experimental/manifests.yaml | 37 ----- .../catalogd/webhook/standard/manifests.yaml | 37 ----- .../rbac/standard/role.yaml | 99 ------------ ...ole-olmv1-system-catalogd-manager-role.yml | 26 +++- ...ystem-operator-controller-manager-role.yml | 38 ++++- .../09-clusterrole-catalogd-manager-role.yml} | 25 +-- ...role-operator-controller-manager-role.yml} | 37 +---- ...atalogd-mutating-webhook-configuration.yml | 41 ++++- manifests/experimental-e2e.yaml | 142 +++++++++--------- manifests/experimental.yaml | 142 +++++++++--------- manifests/standard-e2e.yaml | 142 +++++++++--------- manifests/standard.yaml | 142 +++++++++--------- 13 files changed, 378 insertions(+), 590 deletions(-) delete mode 100644 helm/olmv1/base/catalogd/rbac/standard/role.yaml delete mode 100644 helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml delete mode 100644 helm/olmv1/base/catalogd/webhook/standard/manifests.yaml delete mode 100644 helm/olmv1/base/operator-controller/rbac/standard/role.yaml rename helm/olmv1/{base/catalogd/rbac/experimental/role.yaml => templates/09-clusterrole-catalogd-manager-role.yml} (61%) rename helm/olmv1/{base/operator-controller/rbac/experimental/role.yaml => templates/14-clusterrole-operator-controller-manager-role.yml} (65%) diff --git a/helm/olmv1/base/catalogd/rbac/standard/role.yaml b/helm/olmv1/base/catalogd/rbac/standard/role.yaml deleted file mode 100644 index e8017964a..000000000 --- a/helm/olmv1/base/catalogd/rbac/standard/role.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: catalogd-manager-role - labels: - app.kubernetes.io/name: catalogd - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs/status - verbs: - - get - - patch - - update - {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: catalogd-manager-role - namespace: {{ .Values.namespaces.olmv1.name }} - labels: - app.kubernetes.io/name: catalogd - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch - {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} diff --git a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml b/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml deleted file mode 100644 index e4f243f1c..000000000 --- a/helm/olmv1/base/catalogd/webhook/experimental/manifests.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: catalogd-mutating-webhook-configuration - labels: - app.kubernetes.io/name: catalogd - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} - {{- include "olmv1.annotations" . | nindent 4 }} -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: {{ .Values.namespaces.olmv1.name }} - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 - matchConditions: - - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml b/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml deleted file mode 100644 index e4f243f1c..000000000 --- a/helm/olmv1/base/catalogd/webhook/standard/manifests.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: catalogd-mutating-webhook-configuration - labels: - app.kubernetes.io/name: catalogd - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} - {{- include "olmv1.annotations" . | nindent 4 }} -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: catalogd-service - namespace: {{ .Values.namespaces.olmv1.name }} - path: /mutate-olm-operatorframework-io-v1-clustercatalog - port: 9443 - failurePolicy: Fail - name: inject-metadata-name.olm.operatorframework.io - rules: - - apiGroups: - - olm.operatorframework.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustercatalogs - sideEffects: None - timeoutSeconds: 10 - matchConditions: - - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' diff --git a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml b/helm/olmv1/base/operator-controller/rbac/standard/role.yaml deleted file mode 100644 index c55469f56..000000000 --- a/helm/olmv1/base/operator-controller/rbac/standard/role.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: operator-controller-manager-role - labels: - app.kubernetes.io/name: operator-controller - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch - {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: operator-controller-manager-role - namespace: {{ .Values.namespaces.olmv1.name }} - labels: - app.kubernetes.io/name: operator-controller - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} 
diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index c5537bf10..85db31d39 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -1,7 +1,23 @@ {{- if .Values.components.catalogd.enabled }} -{{- if (eq .Values.featureSet "standard") }} -{{ tpl (.Files.Get "base/catalogd/rbac/standard/role.yaml") . }} -{{- else if (eq .Values.featureSet "experimental") }} -{{ tpl (.Files.Get "base/catalogd/rbac/experimental/role.yaml") . }} -{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: catalogd-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch + {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} {{- end }} diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index a824b0b6b..50658fa5b 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml 
@@ -1,7 +1,35 @@ {{- if .Values.components.operatorController.enabled }} -{{- if (eq .Values.featureSet "standard") }} -{{ tpl (.Files.Get "base/operator-controller/rbac/standard/role.yaml") . }} -{{- else if (eq .Values.featureSet "experimental") }} -{{ tpl (.Files.Get "base/operator-controller/rbac/experimental/role.yaml") . }} -{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-controller-manager-role + namespace: {{ .Values.namespaces.olmv1.name }} + labels: + app.kubernetes.io/name: operator-controller + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} {{- end }} diff --git a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml similarity index 61% rename from helm/olmv1/base/catalogd/rbac/experimental/role.yaml rename to helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml index e8017964a..772f202da 100644 --- a/helm/olmv1/base/catalogd/rbac/experimental/role.yaml +++ b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml @@ -1,4 +1,4 @@ ---- +{{- if .Values.components.catalogd.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
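Review bot: The `secrets` rule in the Role now inlined into 08-role-olmv1-system-operator-controller-manager-role.yml has no `resourceNames` and grants `create`, `delete`, `deletecollection`, `patch` and `update`, so the operator-controller service account can rewrite or remove every Secret in `{{ .Values.namespaces.olmv1.name }}`. The chart's file list includes certificate templates that appear to target the same namespace, so this presumably covers the TLS Secrets behind the webhook and services; please confirm that is intended. If the broad grant is required, say so above the rule, e.g. `# full write on Secrets is namespace-wide; keep unrelated Secrets out of this namespace`. The trailing `include "olmv1.operatorController.role.rules"` also lets a values file append further rules to this Role, which should be documented next to the value as a privilege-widening setting.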
@@ -36,25 +36,4 @@ rules: - patch - update {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: catalogd-manager-role - namespace: {{ .Values.namespaces.olmv1.name }} - labels: - app.kubernetes.io/name: catalogd - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch - {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} +{{- end }} diff --git a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml similarity index 65% rename from helm/olmv1/base/operator-controller/rbac/experimental/role.yaml rename to helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml index c55469f56..a73e25356 100644 --- a/helm/olmv1/base/operator-controller/rbac/experimental/role.yaml +++ b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml @@ -1,4 +1,4 @@ ---- +{{- if .Values.components.operatorController.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -63,37 +63,4 @@ rules: - list - watch {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: operator-controller-manager-role - namespace: {{ .Values.namespaces.olmv1.name }} - labels: - app.kubernetes.io/name: operator-controller - {{- include "olmv1.labels" . | nindent 4 }} - annotations: - {{- include "olmv1.annotations" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} +{{- end }} diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index ffa80774c..849fdeb48 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml 
@@ -1,7 +1,38 @@ {{- if .Values.components.catalogd.enabled }} -{{- if (eq .Values.featureSet "standard") }} -{{ tpl (.Files.Get "base/catalogd/webhook/standard/manifests.yaml") . }} -{{- else if (eq .Values.featureSet "experimental") }} -{{ tpl (.Files.Get "base/catalogd/webhook/experimental/manifests.yaml") . }} -{{- end }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: catalogd-mutating-webhook-configuration + labels: + app.kubernetes.io/name: catalogd + {{- include "olmv1.labels" . | nindent 4 }} + annotations: + {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} + {{- include "olmv1.annotations" . | nindent 4 }} +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: catalogd-service + namespace: {{ .Values.namespaces.olmv1.name }} + path: /mutate-olm-operatorframework-io-v1-clustercatalog + port: 9443 + failurePolicy: Fail + name: inject-metadata-name.olm.operatorframework.io + rules: + - apiGroups: + - olm.operatorframework.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - clustercatalogs + sideEffects: None + timeoutSeconds: 10 + matchConditions: + - name: MissingOrIncorrectMetadataNameLabel + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" {{- end }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 5467daacd..8e1c6b24e 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1159,7 +1159,7 @@ spec: subresources: status: {} --- -# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1201,75 +1201,6 @@ rules: - patch - update --- -# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: operator-controller-manager-role - labels: - app.kubernetes.io/name: operator-controller - - - - - app.kubernetes.io/part-of: olm - annotations: - olm.operatorframework.io/feature-set: experimental-e2e -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1370,6 +1301,75 @@ rules: - list - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + + + + + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental-e2e +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -2302,4 +2302,4 @@ webhooks: timeoutSeconds: 10 matchConditions: - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index fb56d4ca5..81e153135 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -1116,7 +1116,7 @@ spec: subresources: status: {} --- -# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1158,75 +1158,6 @@ rules: - patch - update --- -# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: operator-controller-manager-role - labels: - app.kubernetes.io/name: operator-controller - - - - - app.kubernetes.io/part-of: olm - annotations: - olm.operatorframework.io/feature-set: experimental -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1327,6 +1258,75 @@ rules: - list - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + + + + + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: experimental +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -2194,4 +2194,4 @@ webhooks: timeoutSeconds: 10 matchConditions: - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 8177be5a8..deb92f114 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -1159,7 +1159,7 @@ spec: subresources: status: {} --- -# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1201,75 +1201,6 @@ rules: - patch - update --- -# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: operator-controller-manager-role - labels: - app.kubernetes.io/name: operator-controller - - - - - app.kubernetes.io/part-of: olm - annotations: - olm.operatorframework.io/feature-set: standard-e2e -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1370,6 +1301,75 @@ rules: - list - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + + + + + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard-e2e +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -2297,4 +2297,4 @@ webhooks: timeoutSeconds: 10 matchConditions: - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 240fcd4f7..2b34fa764 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -1116,7 +1116,7 @@ spec: subresources: status: {} --- -# Source: olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +# Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1158,75 +1158,6 @@ rules: - patch - update --- -# Source: olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: operator-controller-manager-role - labels: - app.kubernetes.io/name: operator-controller - - - - - app.kubernetes.io/part-of: olm - annotations: - olm.operatorframework.io/feature-set: standard -rules: - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - olm.operatorframework.io - resources: - - clustercatalogs - verbs: - - get - - list - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/finalizers - verbs: - - update - - apiGroups: - - olm.operatorframework.io - resources: - - clusterextensions/status - verbs: - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - list - - watch ---- # Source: olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -1327,6 +1258,75 @@ rules: - list - watch --- +# Source: olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-controller-manager-role + labels: + app.kubernetes.io/name: operator-controller + + + + + app.kubernetes.io/part-of: olm + annotations: + olm.operatorframework.io/feature-set: standard +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - olm.operatorframework.io + resources: + - clustercatalogs + verbs: + - get + - list + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/finalizers + verbs: + - update + - apiGroups: + - olm.operatorframework.io + resources: + - clusterextensions/status + verbs: + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - list + - watch +--- # Source: olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -2189,4 +2189,4 @@ webhooks: timeoutSeconds: 10 matchConditions: - name: MissingOrIncorrectMetadataNameLabel - expression: '"name" in object.metadata && (!has(object.metadata.labels) || !("olm.operatorframework.io/metadata.name" in object.metadata.labels) || object.metadata.labels["olm.operatorframework.io/metadata.name"] != object.metadata.name)' + expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)" 
From 15132214e73afec75fc1f2b9df75de0db364e457 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 13:19:14 -0400 Subject: [PATCH 41/55] WIP: reduced cert-manifests values file Signed-off-by: Todd Short --- helm/cert-manager.yaml | 4 ---- ...iguration-catalogd-mutating-webhook-configuration.yml | 4 +++- helm/olmv1/templates/_helpers.tpl | 9 --------- 3 files changed, 3 insertions(+), 14 deletions(-) diff --git a/helm/cert-manager.yaml b/helm/cert-manager.yaml index e3219f4e9..20bfd9801 100644 --- a/helm/cert-manager.yaml +++ b/helm/cert-manager.yaml @@ -4,9 +4,5 @@ # List of components to include components: - catalogd: - webhook: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca certManager: enabled: true diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 849fdeb48..1c463dc2b 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -7,7 +7,9 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} annotations: - {{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }} + {{- if .Values.components.certManager.enabled }} + cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca + {{- end }} {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 60cbe642a..331065c9d 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
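Review bot: With the annotation now gated on `.Values.components.certManager.enabled` in the 40-mutatingwebhookconfiguration template, a render with cert-manager disabled yields a webhook that has neither `cert-manager.io/inject-ca-from-secret` nor a `clientConfig.caBundle`, while `failurePolicy: Fail` stays in place. Unless the serving certificate chains to a CA the API server already trusts, every matching CREATE/UPDATE of `clustercatalogs` would then be rejected. The removed `components.catalogd.webhook.annotations` value was the only visible way to point at a different CA source, so either keep an override or fail the render when no CA source is configured. The reference `cert-manager/olmv1-ca` is also hard-coded; if the CA Certificate's namespace or name is configurable elsewhere in the chart (not visible here), derive the annotation from the same value.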
@@ -43,15 +43,6 @@ Common annoations olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}} {{- end }} -{{/* -Annotations for Catalogd Webhooks -*/}} -{{- define "olmv1.catalogd.webhook.annotations" -}} -{{- with .Values.components.catalogd.webhook.annotations }} -{{- toYamlPretty . }} -{{- end }} -{{- end }} - {{/* Insertion of additional rules for RBAC */}} From bf81a14fd483f2497241fef693fbe980b7f7f2d6 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 15:05:09 -0400 Subject: [PATCH 42/55] WIP: Consolidate deployments; add downstream ns labels, nodeSelector, tolerations Signed-off-by: Todd Short --- helm/olmv1/templates/00-namespace.yml | 10 +- ...ole-olmv1-system-catalogd-manager-role.yml | 1 - ...ystem-operator-controller-manager-role.yml | 1 - ...mv1-system-catalogd-controller-manager.yml | 48 +----- ...operator-controller-controller-manager.yml | 47 +----- helm/olmv1/templates/_helpers.tpl | 11 -- helm/olmv1/values.yaml | 78 +++++---- manifests/experimental-e2e.yaml | 155 +++++++++++------- manifests/experimental.yaml | 155 +++++++++++------- manifests/standard-e2e.yaml | 155 +++++++++++------- manifests/standard.yaml | 155 +++++++++++------- 11 files changed, 445 insertions(+), 371 deletions(-) diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml index 7b054e3e0..a34e87946 100644 --- a/helm/olmv1/templates/00-namespace.yml +++ b/helm/olmv1/templates/00-namespace.yml 
@@ -5,12 +5,18 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} {{- with .Values.namespaces.olmv1.annotations }} - {{- toYaml . | nindent 4 }} + {{- toYamlPretty . | nindent 4 }} {{- end }} labels: app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/warn-version: latest {{- include "olmv1.labels" . | nindent 4 }} {{- with .Values.namespaces.olmv1.labels }} - {{- toYaml . | nindent 4 }} + {{- toYamlPretty . | nindent 4 }} {{- end }} name: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index 85db31d39..99576fd05 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -19,5 +19,4 @@ rules: - get - list - watch - {{- include "olmv1.catalogd.role.rules" . | nindent 2 }} {{- end }} diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index 50658fa5b..0a3a02796 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml @@ -31,5 +31,4 @@ rules: - get - list - watch - {{- include "olmv1.operatorController.role.rules" . | nindent 2 }} {{- end }} 
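Review bot: The `pod-security.kubernetes.io/audit`, `enforce` and `warn` labels in 00-namespace.yml interpolate `.Values.namespaces.olmv1.podSecurityProfile` unquoted and unguarded, so a values file that omits the key renders an empty label value, which is not a valid Pod Security level. The values.yaml hunk is outside this view, so a default may exist, but the template should not rely on it: `pod-security.kubernetes.io/enforce: {{ required "namespaces.olmv1.podSecurityProfile is required" .Values.namespaces.olmv1.podSecurityProfile | quote }}`, and the same for `audit` and `warn`. Also note that `enforce-version: latest` makes the enforced checks follow the cluster version; pin a version if that drift is not wanted.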
diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index c7c0d1e85..6fc5aef7e 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -33,25 +33,6 @@ spec: {{- toYamlPretty . | nindent 8 }} {{- end }} spec: - {{- if .Values.components.catalogd.deployment.priorityClassName }} - priorityClassName: {{ .Values.components.catalogd.deployment.priorityClassName }} - {{- end }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: {{- if not .Values.features.tilt.enabled }} @@ -83,7 +64,6 @@ spec: {{- toYamlPretty . | nindent 12 }} {{- end }} image: "{{ .Values.components.catalogd.deployment.image }}" - imagePullPolicy: {{ .Values.components.catalogd.deployment.imagePullPolicy }} {{- if not .Values.features.tilt.enabled }} livenessProbe: httpGet: @@ -105,11 +85,6 @@ spec: requests: cpu: 100m memory: 200Mi - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: {{- if .Values.components.e2e.enabled }} - mountPath: /e2e-coverage 
@@ -127,14 +102,12 @@ spec: readOnly: true {{- end }} {{- with .Values.components.catalogd.deployment.volumeMounts }} - {{- toYaml . | nindent 12 }} + {{- toYamlPretty . | nindent 12 }} {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- with .Values.deployments.containerSpec }} + {{- toYamlPretty . | nindent 10 }} + {{- end }} serviceAccountName: catalogd-controller-manager - terminationGracePeriodSeconds: 10 volumes: {{- if .Values.components.e2e.enabled }} - name: e2e-coverage-volume @@ -160,16 +133,7 @@ spec: {{- with .Values.components.catalogd.deployment.volumes }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.catalogd.deployment.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.components.catalogd.deployment.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.components.catalogd.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} + {{- with .Values.deployments.templateSpec }} + {{- toYamlPretty . | nindent 6 }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 7b7701322..d224f6efd 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml 
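Review bot: After this change the catalogd Deployment no longer renders the container and pod `securityContext` as named keys; they appear only if `.Values.deployments.containerSpec` and `.Values.deployments.templateSpec` happen to carry them, and the values.yaml hunk that would show this is outside the view. A values override that drops or nulls those keys removes the hardening without any template error, and since the same commit adds `pod-security.kubernetes.io/enforce` to the namespace, such pods may then be refused admission. Splicing a free-form map at `nindent 10` next to fixed keys also allows duplicate keys if the map contains `image`, `resources` or `volumeMounts`. Consider keeping the key explicit, e.g. `securityContext:` followed by `{{- toYaml .Values.deployments.containerSpec.securityContext | nindent 12 }}` (assuming the value keeps it under that key), and reserving `containerSpec` for optional extras. The operator-controller Deployment hunk `@@ -139,12 +113,10 @@` has the same pattern and uses `toYaml` where this file uses `toYamlPretty`; pick one.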
@@ -32,25 +32,6 @@ spec: {{- toYamlPretty . | nindent 8 }} {{- end }} spec: - {{- if .Values.components.operatorController.deployment.priorityClassName }} - priorityClassName: {{ .Values.components.operatorController.deployment.priorityClassName }} - {{- end }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --health-probe-bind-address=:8081 @@ -92,8 +73,6 @@ spec: {{- toYamlPretty . | nindent 12 }} {{- end }} image: "{{ .Values.components.operatorController.deployment.image }}" - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: {{ .Values.components.operatorController.deployment.imagePullPolicy }} {{- if not .Values.features.tilt.enabled }} livenessProbe: httpGet: @@ -115,11 +94,6 @@ spec: requests: cpu: 10m memory: 64Mi - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: {{- if .Values.components.e2e.enabled }} - mountPath: /etc/containers @@ -139,12 +113,10 @@ spec: {{- with .Values.components.operatorController.deployment.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- with .Values.deployments.containerSpec }} + {{- toYaml . | nindent 10 }} + {{- end }} serviceAccountName: operator-controller-controller-manager - terminationGracePeriodSeconds: 10 volumes: {{- if .Values.components.e2e.enabled }} - configMap: 
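Review bot: The `containerSpec` block in the last hunk of this file is rendered with `toYaml`, while the catalogd template renders the same shared value with `toYamlPretty`. Use one function in both places, `{{- toYamlPretty . | nindent 10 }}`, so that a list added under `deployments.containerSpec` is indented the same way in both generated deployments. The container spec continues outside the hunk.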
@@ -174,16 +146,7 @@ spec: {{- with .Values.components.operatorController.deployment.volumes }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.components.operatorController.deployment.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.components.operatorController.deployment.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.components.operatorController.deployment.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} + {{- with .Values.deployments.templateSpec }} + {{- toYamlPretty . | nindent 6 }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 331065c9d..8a4466d8b 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -46,11 +46,6 @@ olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.co {{/* Insertion of additional rules for RBAC */}} -{{- define "olmv1.catalogd.role.rules" -}} -{{- with .Values.components.catalogd.rules }} -{{- toYamlPretty . }} -{{- end }} -{{- end }} {{- define "olmv1.catalogd.clusterRole.rules" -}} {{- with .Values.components.catalogd.clusterRole.rules }} @@ -58,12 +53,6 @@ Insertion of additional rules for RBAC {{- end }} {{- end }} -{{- define "olmv1.operatorController.role.rules" -}} -{{- with .Values.components.operatorController.role.rules }} -{{- toYamlPretty . }} -{{- end }} -{{- end }} - {{- define "olmv1.operatorController.clusterRole.rules" -}} {{- with .Values.components.operatorController.clusterRole.rules }} {{- toYamlPretty . }} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 0324898a5..3266f0cfe 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml 
@@ -8,16 +8,11 @@ components: enabled: true deployment: image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent volumeMounts: [] volumes: [] - affinity: {} - nodeSelector: {} - tolerations: [] podArguments: [] podLabels: {} podAnnotations: {} - priorityClassName: "" env: [] service: annotations: {} @@ -29,23 +24,16 @@ components: enabled: true deployment: image: quay.io/operator-framework/catalogd:devel - imagePullPolicy: IfNotPresent volumeMounts: [] volumes: [] - affinity: {} - nodeSelector: {} - tolerations: [] podArguments: [] podLabels: {} podAnnotations: {} - priorityClassName: "" env: [] service: annotations: {} clusterRole: rules: [] - role: - rules: [] webhook: annotations: {} certManager: 
@@ -74,23 +62,57 @@ featureSet: standard namespaces: olmv1: name: olmv1-system - labels: - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest + podSecurityProfile: restricted + labels: {} annotations: {} certManager: name: cert-manager -# Pod-level security context -podSecurityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - -# Container-level security context -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true +# Common deployment values for operator-controller and catalogd +deployments: + templateSpec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 + containerSpec: + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 8e1c6b24e..cab2a2ad5 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml 
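Review bot: The new default `nodeSelector` requires `node-role.kubernetes.io/control-plane: ""`, which the previous per-component defaults (`nodeSelector: {}`, `tolerations: []`) did not, so both controllers now schedule only onto control-plane nodes. On a cluster whose nodes do not carry that label the pods would stay Pending, and where they do, these workloads now share nodes with the control plane. If that placement is intended, document it next to the value, e.g. `# Pins both controllers to control-plane nodes; null out these keys to schedule elsewhere`; otherwise keep only `kubernetes.io/os: linux` in the default.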
@@ -7,13 +7,17 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest app.kubernetes.io/part-of: olm - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- # Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -1905,22 +1909,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --leader-elect @@ -1936,7 +1924,6 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/catalogd:devel" - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1954,13 +1941,6 @@ spec: requests: cpu: 100m memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /e2e-coverage name: e2e-coverage-volume 
@@ -1973,12 +1953,15 @@ spec: - mountPath: /var/ca-certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: catalogd-controller-manager - terminationGracePeriodSeconds: 10 volumes: - name: e2e-coverage-volume persistentVolumeClaim: @@ -1997,6 +1980,42 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 @@ -2034,22 +2053,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --health-probe-bind-address=:8081 
@@ -2069,8 +2072,6 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/operator-controller:devel" - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -2088,13 +2089,6 @@ spec: requests: cpu: 10m memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/containers name: e2e-registries-conf @@ -2107,12 +2101,15 @@ spec: - mountPath: /var/certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: operator-controller-controller-manager - terminationGracePeriodSeconds: 10 volumes: - configMap: name: e2e-registries-conf 
@@ -2135,6 +2132,42 @@ spec: path: tls.key optional: false secretName: olmv1-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 81e153135..a051d494a 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -7,13 +7,17 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest app.kubernetes.io/part-of: olm - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- # Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml 
@@ -1818,22 +1822,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --leader-elect @@ -1846,7 +1834,6 @@ spec: command: - ./catalogd image: "quay.io/operator-framework/catalogd:devel" - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1864,13 +1851,6 @@ spec: requests: cpu: 100m memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/cache/ name: cache @@ -1881,12 +1861,15 @@ spec: - mountPath: /var/ca-certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: catalogd-controller-manager - terminationGracePeriodSeconds: 10 volumes: - emptyDir: {} name: cache 
@@ -1902,6 +1885,42 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 @@ -1939,22 +1958,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --health-probe-bind-address=:8081 @@ -1971,8 +1974,6 @@ spec: command: - /operator-controller image: "quay.io/operator-framework/operator-controller:devel" - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1990,13 +1991,6 @@ spec: requests: cpu: 10m memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/cache name: cache 
@@ -2005,12 +1999,15 @@ spec: - mountPath: /var/certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: operator-controller-controller-manager - terminationGracePeriodSeconds: 10 volumes: - emptyDir: {} name: cache @@ -2027,6 +2024,42 @@ spec: path: tls.key optional: false secretName: olmv1-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index deb92f114..5c7773518 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
@@ -7,13 +7,17 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest app.kubernetes.io/part-of: olm - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- # Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -1905,22 +1909,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --leader-elect @@ -1935,7 +1923,6 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/catalogd:devel" - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1953,13 +1940,6 @@ spec: requests: cpu: 100m memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /e2e-coverage name: e2e-coverage-volume 
@@ -1972,12 +1952,15 @@ spec: - mountPath: /var/ca-certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: catalogd-controller-manager - terminationGracePeriodSeconds: 10 volumes: - name: e2e-coverage-volume persistentVolumeClaim: @@ -1996,6 +1979,42 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 @@ -2033,22 +2052,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --health-probe-bind-address=:8081 
@@ -2064,8 +2067,6 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/operator-controller:devel" - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -2083,13 +2084,6 @@ spec: requests: cpu: 10m memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/containers name: e2e-registries-conf @@ -2102,12 +2096,15 @@ spec: - mountPath: /var/certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: operator-controller-controller-manager - terminationGracePeriodSeconds: 10 volumes: - configMap: name: e2e-registries-conf 
@@ -2130,6 +2127,42 @@ spec: path: tls.key optional: false secretName: olmv1-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 2b34fa764..5b7db1a77 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -7,13 +7,17 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest app.kubernetes.io/part-of: olm - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: latest name: olmv1-system --- # Source: olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml 
@@ -1818,22 +1822,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --leader-elect @@ -1845,7 +1833,6 @@ spec: command: - ./catalogd image: "quay.io/operator-framework/catalogd:devel" - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1863,13 +1850,6 @@ spec: requests: cpu: 100m memory: 200Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/cache/ name: cache @@ -1880,12 +1860,15 @@ spec: - mountPath: /var/ca-certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: catalogd-controller-manager - terminationGracePeriodSeconds: 10 volumes: - emptyDir: {} name: cache 
@@ -1901,6 +1884,42 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml apiVersion: apps/v1 @@ -1938,22 +1957,6 @@ spec: app.kubernetes.io/part-of: olm spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux containers: - args: - --health-probe-bind-address=:8081 @@ -1966,8 +1969,6 @@ spec: command: - /operator-controller image: "quay.io/operator-framework/operator-controller:devel" - image: quay.io/operator-framework/operator-controller:devel - imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -1985,13 +1986,6 @@ spec: requests: cpu: 10m memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/cache name: cache 
@@ -2000,12 +1994,15 @@ spec: - mountPath: /var/certs/ name: olmv1-certificate readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: operator-controller-controller-manager - terminationGracePeriodSeconds: 10 volumes: - emptyDir: {} name: cache @@ -2022,6 +2019,42 @@ spec: path: tls.key optional: false secretName: olmv1-cert + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 --- # Source: olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml apiVersion: cert-manager.io/v1 From 59563c6217274fc6580937e930db5e9f0b5e2440 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 15:23:25 -0400 Subject: [PATCH 43/55] WIP: Get rid of blank lines in generated manifests 
Signed-off-by: Todd Short --- helm/olmv1/templates/_helpers.tpl | 6 -- manifests/experimental-e2e.yaml | 172 ------------------------------ manifests/experimental.yaml | 160 --------------------------- manifests/standard-e2e.yaml | 172 ------------------------------ manifests/standard.yaml | 160 --------------------------- 5 files changed, 670 deletions(-) diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 8a4466d8b..f61e7976c 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -27,12 +27,6 @@ catalogd- Common labels */}} {{- define "olmv1.labels" -}} -{{/* helm.sh/chart: {{ include "olmv1.chart" . }} */}} -{{/* app.kubernetes.io/instance: {{ .Release.Name }} */}} -{{- if .Chart.AppVersion }} -{{/* app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} */}} -{{- end }} -{{/* app.kubernetes.io/managed-by: {{ .Release.Service }} */}} app.kubernetes.io/part-of: olm {{- end }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index cab2a2ad5..a2a6f683c 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -13,10 +13,6 @@ metadata: pod-security.kubernetes.io/enforce-version: latest pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn-version: latest - - - - app.kubernetes.io/part-of: olm name: olmv1-system --- @@ -28,10 +24,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -61,10 +53,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system 
@@ -82,10 +70,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -111,10 +95,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -127,10 +107,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -148,10 +124,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-registries-conf namespace: olmv1-system @@ -164,10 +136,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-coverage namespace: olmv1-system @@ -188,10 +156,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e name: clustercatalogs.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -594,10 +558,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e name: clusterextensions.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1170,10 +1130,6 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1213,10 +1169,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: 
@@ -1233,10 +1185,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: @@ -1261,10 +1209,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1289,10 +1233,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1312,10 +1252,6 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1382,10 +1318,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1402,10 +1334,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1430,10 +1358,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1453,10 +1377,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: 
@@ -1476,10 +1396,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: @@ -1499,10 +1415,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1522,10 +1434,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1570,10 +1478,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1596,10 +1500,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1644,10 +1544,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental-e2e @@ -1682,10 +1578,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1706,10 +1598,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system 
@@ -1730,10 +1618,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system @@ -1754,10 +1638,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1779,10 +1659,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1812,10 +1688,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1836,10 +1708,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-coverage-copy-pod namespace: olmv1-system @@ -1882,10 +1750,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1903,10 +1767,6 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -2027,10 +1887,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -2047,10 +1903,6 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm spec: containers: 
@@ -2177,10 +2029,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2208,10 +2056,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2238,10 +2082,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2267,10 +2107,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2285,10 +2121,6 @@ metadata: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2302,10 +2134,6 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index a051d494a..9f8e1e3db 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -13,10 +13,6 @@ metadata: pod-security.kubernetes.io/enforce-version: latest pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn-version: latest - - - - app.kubernetes.io/part-of: olm name: olmv1-system --- @@ -28,10 +24,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system 
@@ -61,10 +53,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -82,10 +70,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -111,10 +95,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -127,10 +107,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -145,10 +121,6 @@ metadata: olm.operatorframework.io/feature-set: experimental name: clustercatalogs.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -551,10 +523,6 @@ metadata: olm.operatorframework.io/feature-set: experimental name: clusterextensions.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1127,10 +1095,6 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1170,10 +1134,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1190,10 +1150,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: 
@@ -1218,10 +1174,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1246,10 +1198,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1269,10 +1217,6 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1339,10 +1283,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1359,10 +1299,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1387,10 +1323,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1410,10 +1342,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1433,10 +1361,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: 
@@ -1456,10 +1380,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1479,10 +1399,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1527,10 +1443,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1553,10 +1465,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1601,10 +1509,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: experimental @@ -1639,10 +1543,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1663,10 +1563,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1687,10 +1583,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system 
@@ -1711,10 +1603,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1736,10 +1624,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1769,10 +1653,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1795,10 +1675,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1816,10 +1692,6 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -1932,10 +1804,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -1952,10 +1820,6 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -2069,10 +1933,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2100,10 +1960,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system 
@@ -2130,10 +1986,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2159,10 +2011,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2177,10 +2025,6 @@ metadata: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2194,10 +2038,6 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 5c7773518..98e97d98a 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -13,10 +13,6 @@ metadata: pod-security.kubernetes.io/enforce-version: latest pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn-version: latest - - - - app.kubernetes.io/part-of: olm name: olmv1-system --- @@ -28,10 +24,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -61,10 +53,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system @@ -82,10 +70,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system 
@@ -111,10 +95,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -127,10 +107,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -148,10 +124,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-registries-conf namespace: olmv1-system @@ -164,10 +136,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-coverage namespace: olmv1-system @@ -188,10 +156,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e name: clustercatalogs.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -594,10 +558,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e name: clusterextensions.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1170,10 +1130,6 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1213,10 +1169,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1233,10 +1185,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: 
@@ -1261,10 +1209,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: @@ -1289,10 +1233,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1312,10 +1252,6 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1382,10 +1318,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1402,10 +1334,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1430,10 +1358,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1453,10 +1377,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1476,10 +1396,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: 
@@ -1499,10 +1415,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1522,10 +1434,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system @@ -1570,10 +1478,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1596,10 +1500,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1644,10 +1544,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard-e2e @@ -1682,10 +1578,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1706,10 +1598,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1730,10 +1618,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system 
@@ -1754,10 +1638,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1779,10 +1659,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system @@ -1812,10 +1688,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1836,10 +1708,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: e2e - - - - app.kubernetes.io/part-of: olm name: e2e-coverage-copy-pod namespace: olmv1-system @@ -1882,10 +1750,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1903,10 +1767,6 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -2026,10 +1886,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -2046,10 +1902,6 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -2172,10 +2024,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager 
@@ -2203,10 +2051,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2233,10 +2077,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2262,10 +2102,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca spec: @@ -2280,10 +2116,6 @@ metadata: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2297,10 +2129,6 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 5b7db1a77..839c54cad 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -13,10 +13,6 @@ metadata: pod-security.kubernetes.io/enforce-version: latest pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn-version: latest - - - - app.kubernetes.io/part-of: olm name: olmv1-system --- @@ -28,10 +24,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -61,10 +53,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: default-deny-all-traffic namespace: olmv1-system 
@@ -82,10 +70,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -111,10 +95,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -127,10 +107,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -145,10 +121,6 @@ metadata: olm.operatorframework.io/feature-set: standard name: clustercatalogs.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -551,10 +523,6 @@ metadata: olm.operatorframework.io/feature-set: standard name: clusterextensions.olm.operatorframework.io labels: - - - - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io @@ -1127,10 +1095,6 @@ metadata: name: catalogd-manager-role labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1170,10 +1134,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-metrics-reader rules: @@ -1190,10 +1150,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-role rules: @@ -1218,10 +1174,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-editor-role rules: 
@@ -1246,10 +1198,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-clusterextension-viewer-role rules: @@ -1269,10 +1217,6 @@ metadata: name: operator-controller-manager-role labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1339,10 +1283,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-metrics-reader rules: @@ -1359,10 +1299,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-role rules: @@ -1387,10 +1323,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding roleRef: @@ -1410,10 +1342,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-proxy-rolebinding roleRef: @@ -1433,10 +1361,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding roleRef: @@ -1456,10 +1380,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-proxy-rolebinding roleRef: @@ -1479,10 +1399,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-role namespace: olmv1-system 
@@ -1527,10 +1443,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1553,10 +1465,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-role namespace: olmv1-system @@ -1601,10 +1509,6 @@ metadata: namespace: olmv1-system labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm annotations: olm.operatorframework.io/feature-set: standard @@ -1639,10 +1543,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-leader-election-rolebinding namespace: olmv1-system @@ -1663,10 +1563,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-manager-rolebinding namespace: olmv1-system @@ -1687,10 +1583,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: operator-controller-leader-election-rolebinding namespace: olmv1-system @@ -1711,10 +1603,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-manager-rolebinding namespace: olmv1-system @@ -1736,10 +1624,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service namespace: olmv1-system 
@@ -1769,10 +1653,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-service namespace: olmv1-system @@ -1795,10 +1675,6 @@ metadata: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-controller-manager namespace: olmv1-system @@ -1816,10 +1692,6 @@ spec: labels: control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -1931,10 +1803,6 @@ metadata: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm name: operator-controller-controller-manager namespace: olmv1-system @@ -1951,10 +1819,6 @@ spec: labels: control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller - - - - app.kubernetes.io/part-of: olm spec: containers: @@ -2064,10 +1928,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca namespace: cert-manager @@ -2095,10 +1955,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm name: catalogd-service-cert namespace: olmv1-system @@ -2125,10 +1981,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-cert namespace: olmv1-system @@ -2154,10 +2006,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: olmv1-ca spec: 
@@ -2172,10 +2020,6 @@ metadata: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: olmv1 - - - - app.kubernetes.io/part-of: olm name: self-sign-issuer namespace: cert-manager @@ -2189,10 +2033,6 @@ metadata: name: catalogd-mutating-webhook-configuration labels: app.kubernetes.io/name: catalogd - - - - app.kubernetes.io/part-of: olm annotations: cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca From 1a26dd08c7b7aaa933b29ad418e94c8d35365e1c Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 15:57:31 -0400 Subject: [PATCH 44/55] WIP: update volumes to be consistent with downstream Signed-off-by: Todd Short --- ...mv1-system-catalogd-controller-manager.yml | 12 +++-- ...operator-controller-controller-manager.yml | 28 +++++++---- ...olmv1-system-operator-controller-cert.yml} | 4 +- manifests/experimental-e2e.yaml | 46 ++++++++++++------- manifests/experimental.yaml | 46 ++++++++++++------- manifests/standard-e2e.yaml | 46 ++++++++++++------- manifests/standard.yaml | 46 ++++++++++++------- 7 files changed, 149 insertions(+), 79 deletions(-) rename helm/olmv1/templates/{33-certificate-olmv1-system-olmv1-cert.yml => 33-certificate-olmv1-system-operator-controller-cert.yml} (90%) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 6fc5aef7e..f7c63ed91 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -97,8 +97,8 @@ spec: {{- if .Values.components.certManager.enabled }} - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate + - mountPath: /var/ca-certs + name: ca-certs readOnly: true {{- end }} {{- with .Values.components.catalogd.deployment.volumeMounts }} 
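Review bot: The `catalogserver-certs` mount at `/var/certs`, the context entry just above the renamed `ca-certs` mount, has no `readOnly: true`, although that directory holds the serving certificate and key. The operator-controller template in this same commit marks both of its certificate mounts read-only, so adding `readOnly: true` under `name: catalogserver-certs` would keep the two deployments consistent and make the intent explicit. The same entry appears in the regenerated files under `manifests/`. The volumeMounts list starts outside this hunk.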
@@ -121,8 +121,14 @@ spec: {{- if .Values.components.certManager.enabled }} - name: catalogserver-certs secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: catalogd-service-cert-git-version - - name: olmv1-certificate + - name: ca-certs secret: items: - key: ca.crt diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index d224f6efd..340d21e0c 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -52,9 +52,9 @@ spec: - --feature-gates=HelmChartSupport=true {{- end }} {{- if .Values.components.certManager.enabled }} - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key {{- end }} {{- with .Values.components.operatorController.deployment.podArguments }} @@ -106,8 +106,11 @@ spec: - mountPath: /tmp name: tmp {{- if .Values.components.certManager.enabled }} - - mountPath: /var/certs/ - name: olmv1-certificate + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs readOnly: true {{- end }} {{- with .Values.components.operatorController.deployment.volumeMounts }} 
@@ -131,17 +134,22 @@ spec: - emptyDir: {} name: tmp {{- if .Values.components.certManager.enabled }} - - name: olmv1-certificate + - name: operator-controller-certs secret: items: - - key: ca.crt - path: olm-ca.crt - key: tls.crt - path: tls.cert + path: tls.crt - key: tls.key path: tls.key optional: false - secretName: olmv1-cert + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert {{- end }} {{- with .Values.components.operatorController.deployment.volumes }} {{- toYaml . | nindent 8 }} diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml similarity index 90% rename from helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml rename to helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml index 571972019..146b49192 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +++ b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 {{- include "olmv1.labels" . | nindent 4 }} - name: olmv1-cert + name: operator-controller-cert namespace: {{ .Values.namespaces.olmv1.name }} spec: dnsNames: @@ -21,5 +21,5 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert {{- end }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index a2a6f683c..e835fdfa8 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1810,8 +1810,8 @@ spec: name: tmp - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: 
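Review bot: The new `ca-certs` volume takes `ca.crt` from `operator-controller-cert`, the Secret of the controller's own leaf certificate, and that file becomes the trust root for `--catalogd-cas-dir` and `--pull-cas-dir`. cert-manager writes `ca.crt` at issuance time, so after a CA rotation this bundle can lag behind the CA that signed the catalogd serving certificate until operator-controller's own certificate is reissued. Consider sourcing the trust bundle from a resource dedicated to CA distribution (for example a trust-manager Bundle), or add a comment above the volume such as `# trust bundle is the issuing CA of operator-controller-cert; both services must share the issuer` so the assumption is visible. Separating the key material in `/var/certs` from the CA directory is worth keeping, since the CA directories no longer contain `tls.key`.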
@@ -1832,8 +1832,14 @@ spec: name: tmp - name: catalogserver-certs secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: catalogd-service-cert-git-version - - name: olmv1-certificate + - name: ca-certs secret: items: - key: ca.crt @@ -1914,9 +1920,9 @@ spec: - --feature-gates=SingleOwnNamespaceInstallSupport=true - --feature-gates=PreflightPermissions=true - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key command: - /operator-controller @@ -1950,8 +1956,11 @@ spec: name: cache - mountPath: /tmp name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1973,17 +1982,22 @@ spec: name: cache - emptyDir: {} name: tmp - - name: olmv1-certificate + - name: operator-controller-certs secret: items: - - key: ca.crt - path: olm-ca.crt - key: tls.crt - path: tls.cert + path: tls.crt - key: tls.key path: tls.key optional: false - secretName: olmv1-cert + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2074,7 +2088,7 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- -# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +# Source: olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
@@ -2083,7 +2097,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 app.kubernetes.io/part-of: olm - name: olmv1-cert + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: @@ -2097,7 +2111,7 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- # Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 9f8e1e3db..2c781290a 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -1730,8 +1730,8 @@ spec: name: tmp - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1749,8 +1749,14 @@ spec: name: tmp - name: catalogserver-certs secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: catalogd-service-cert-git-version - - name: olmv1-certificate + - name: ca-certs secret: items: - key: ca.crt @@ -1831,9 +1837,9 @@ spec: - --feature-gates=SingleOwnNamespaceInstallSupport=true - --feature-gates=PreflightPermissions=true - --feature-gates=HelmChartSupport=true - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key command: - /operator-controller @@ -1860,8 +1866,11 @@ spec: name: cache - mountPath: /tmp name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: 
@@ -1877,17 +1886,22 @@ spec: name: cache - emptyDir: {} name: tmp - - name: olmv1-certificate + - name: operator-controller-certs secret: items: - - key: ca.crt - path: olm-ca.crt - key: tls.crt - path: tls.cert + path: tls.crt - key: tls.key path: tls.key optional: false - secretName: olmv1-cert + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -1978,7 +1992,7 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- -# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +# Source: olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -1987,7 +2001,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 app.kubernetes.io/part-of: olm - name: olmv1-cert + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: @@ -2001,7 +2015,7 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- # Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 98e97d98a..538731d4f 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -1809,8 +1809,8 @@ spec: name: tmp - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1831,8 +1831,14 @@ spec: name: tmp - name: catalogserver-certs secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: catalogd-service-cert-git-version - - name: olmv1-certificate + - name: ca-certs secret: items: - key: ca.crt 
@@ -1909,9 +1915,9 @@ spec: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key command: - /operator-controller @@ -1945,8 +1951,11 @@ spec: name: cache - mountPath: /tmp name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1968,17 +1977,22 @@ spec: name: cache - emptyDir: {} name: tmp - - name: olmv1-certificate + - name: operator-controller-certs secret: items: - - key: ca.crt - path: olm-ca.crt - key: tls.crt - path: tls.cert + path: tls.crt - key: tls.key path: tls.key optional: false - secretName: olmv1-cert + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -2069,7 +2083,7 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- -# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +# Source: olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -2078,7 +2092,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 app.kubernetes.io/part-of: olm - name: olmv1-cert + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: @@ -2092,7 +2106,7 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- # Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 
diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 839c54cad..83c14dd04 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -1729,8 +1729,8 @@ spec: name: tmp - mountPath: /var/certs name: catalogserver-certs - - mountPath: /var/ca-certs/ - name: olmv1-certificate + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1748,8 +1748,14 @@ spec: name: tmp - name: catalogserver-certs secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false secretName: catalogd-service-cert-git-version - - name: olmv1-certificate + - name: ca-certs secret: items: - key: ca.crt @@ -1826,9 +1832,9 @@ spec: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - --leader-elect - - --catalogd-cas-dir=/var/certs - - --pull-cas-dir=/var/certs - - --tls-cert=/var/certs/tls.cert + - --catalogd-cas-dir=/var/ca-certs + - --pull-cas-dir=/var/ca-certs + - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key command: - /operator-controller @@ -1855,8 +1861,11 @@ spec: name: cache - mountPath: /tmp name: tmp - - mountPath: /var/certs/ - name: olmv1-certificate + - mountPath: /var/certs + name: operator-controller-certs + readOnly: true + - mountPath: /var/ca-certs + name: ca-certs readOnly: true imagePullPolicy: IfNotPresent securityContext: @@ -1872,17 +1881,22 @@ spec: name: cache - emptyDir: {} name: tmp - - name: olmv1-certificate + - name: operator-controller-certs secret: items: - - key: ca.crt - path: olm-ca.crt - key: tls.crt - path: tls.cert + path: tls.crt - key: tls.key path: tls.key optional: false - secretName: olmv1-cert + secretName: operator-controller-cert + - name: ca-certs + secret: + items: + - key: ca.crt + path: olm-ca.crt + optional: false + secretName: operator-controller-cert affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
@@ -1973,7 +1987,7 @@ spec: size: 256 secretName: catalogd-service-cert-git-version --- -# Source: olmv1/templates/33-certificate-olmv1-system-olmv1-cert.yml +# Source: olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -1982,7 +1996,7 @@ metadata: labels: app.kubernetes.io/name: olmv1 app.kubernetes.io/part-of: olm - name: olmv1-cert + name: operator-controller-cert namespace: olmv1-system spec: dnsNames: @@ -1996,7 +2010,7 @@ spec: algorithm: ECDSA rotationPolicy: Always size: 256 - secretName: olmv1-cert + secretName: operator-controller-cert --- # Source: olmv1/templates/34-clusterissuer-olmv1-ca.yml apiVersion: cert-manager.io/v1 From d03b6e49b3944c076ad95a589e524eae205ef8b5 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 29 Jul 2025 16:19:15 -0400 Subject: [PATCH 45/55] WIP: use a list of feature-gates Signed-off-by: Todd Short --- helm/experimental.yaml | 25 +++++++++++-------- ...mv1-system-catalogd-controller-manager.yml | 10 ++++---- ...operator-controller-controller-manager.yml | 19 ++++---------- helm/olmv1/values.yaml | 19 +++++--------- helm/tilt.yaml | 24 ++++++++---------- 5 files changed, 41 insertions(+), 56 deletions(-) diff --git a/helm/experimental.yaml b/helm/experimental.yaml index 7a70a2824..92435ea5d 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml 
@@ -2,17 +2,20 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -features: - apiV1MetasHandler: - enabled: true - webhookProviderCertManager: - enabled: true - singleOwnNamespaceInstallSupport: - enabled: true - preflightPermissions: - enabled: true - helmChartSupport: - enabled: true +# List of enabled experimental features for operator-controller +# Use with {{- if has "FeatureGate" .Value.operatorControllerFeatures }} +# to pull in resources or additions +operatorControllerFeatures: + - WebhookProviderCertManager + - SingleOwnNamespaceInstallSupport + - PreflightPermissions + - HelmChartSupport + +# List of enabled experimental features for catalogd +# Use with {{- if has "FeatureGate" .Value.catalogdFeatures }} +# to pull in resources or additions +catalogdFeatures: + - APIV1MetasHandler # This can be one of: standard or experimental featureSet: experimental diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index f7c63ed91..6c9bc1b8e 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -35,13 +35,13 @@ spec: spec: containers: - args: - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} - --leader-elect {{- end }} - --metrics-bind-address=:7443 - --external-address=catalogd-service.{{ .Values.namespaces.olmv1.name }}.svc - {{- if .Values.features.apiV1MetasHandler.enabled }} - - --feature-gates=APIV1MetasHandler=true + {{- range .Values.catalogdFeatures }} + - --feature-gates={{- . -}}=true {{- end }} {{- if .Values.components.certManager.enabled }} - --tls-cert=/var/certs/tls.crt 
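Review bot: The two usage comments added here reference `.Value.operatorControllerFeatures` and `.Value.catalogdFeatures`, but the Helm root object is `.Values`, so a template copied from the comment would fail to render. They should read `# Use with {{- if has "FeatureGate" .Values.operatorControllerFeatures }}` and the same for `catalogdFeatures`. The comments also do not say that each name is passed verbatim to `--feature-gates=<name>=true`, which is worth one extra line.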
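Review bot: Each list entry is written unquoted and unvalidated into a container argument by `- --feature-gates={{- . -}}=true`, here and in the matching `range .Values.operatorControllerFeatures` hunk of the operator-controller deployment template. An entry that is misspelled, contains whitespace or already carries `=false` renders a malformed or surprising flag that is only noticed when the pod starts. Rendering it as `- {{ printf "--feature-gates=%s=true" . | quote }}` keeps the argument a single YAML string, and a `values.schema.json` enum (or a `fail` on unknown names) would reject typos at install time. The trim markers inside `{{- . -}}` have no whitespace to remove and can be dropped.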
@@ -64,7 +64,7 @@ spec: {{- toYamlPretty . | nindent 12 }} {{- end }} image: "{{ .Values.components.catalogd.deployment.image }}" - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} livenessProbe: httpGet: path: /healthz @@ -73,7 +73,7 @@ spec: periodSeconds: 20 {{- end }} name: manager - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} readinessProbe: httpGet: path: /readyz diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 340d21e0c..34d2731ad 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -36,20 +36,11 @@ spec: - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} - --leader-elect {{- end }} - {{- if .Values.features.apiV1MetasHandler.enabled }} - - --feature-gates=WebhookProviderCertManager=true - {{- end }} - {{- if .Values.features.singleOwnNamespaceInstallSupport.enabled }} - - --feature-gates=SingleOwnNamespaceInstallSupport=true - {{- end }} - {{- if .Values.features.preflightPermissions.enabled }} - - --feature-gates=PreflightPermissions=true - {{- end }} - {{- if .Values.features.helmChartSupport.enabled }} - - --feature-gates=HelmChartSupport=true + {{- range .Values.operatorControllerFeatures }} + - --feature-gates={{- . -}}=true {{- end }} {{- if .Values.components.certManager.enabled }} - --catalogd-cas-dir=/var/ca-certs @@ -73,7 +64,7 @@ spec: {{- toYamlPretty . | nindent 12 }} {{- end }} image: "{{ .Values.components.operatorController.deployment.image }}" - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} livenessProbe: httpGet: path: /healthz 
@@ -82,7 +73,7 @@ spec: periodSeconds: 20 {{- end }} name: manager - {{- if not .Values.features.tilt.enabled }} + {{- if not .Values.tilt.enabled }} readinessProbe: httpGet: path: /readyz diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 3266f0cfe..c63a483f0 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -41,19 +41,12 @@ components: e2e: enabled: false -features: - tilt: - enabled: false - apiV1MetasHandler: - enabled: false - webhookProviderCertManager: - enabled: false - singleOwnNamespaceInstallSupport: - enabled: false - preflightPermissions: - enabled: false - helmChartSupport: - enabled: false + +tilt: + enabled: false + +operatorControllerFeatures: [] +catalogdFeatures: [] # This can be one of: standard or experimental featureSet: standard diff --git a/helm/tilt.yaml b/helm/tilt.yaml index 84ebb09b5..a28911e1a 100644 --- a/helm/tilt.yaml +++ b/helm/tilt.yaml @@ -2,19 +2,17 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -features: - tilt: - enabled: true - apiV1MetasHandler: - enabled: true - webhookProviderCertManager: - enabled: true - singleOwnNamespaceInstallSupport: - enabled: true - preflightPermissions: - enabled: true - helmChartSupport: - enabled: true +tilt: + enabled: true + +operatorControllerFeatures: + - WebhookProviderCertManager + - SingleOwnNamespaceInstallSupport + - PreflightPermissions + - HelmChartSupport + +catalogdFeatures: + - APIV1MetasHandler # This can be one of: standard or experimental featureSet: experimental From 352acf6d6ed598f0014bba8eb9c02e3193a91178 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 30 Jul 2025 09:13:16 -0400 Subject: [PATCH 46/55] WIP: Update common component name 
Signed-off-by: Todd Short --- helm/olmv1/templates/00-namespace.yml | 2 +- .../31-certificate-cert-manager-olmv1-ca.yml | 2 +- ...ficate-olmv1-system-operator-controller-cert.yml | 2 +- helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml | 2 +- .../35-issuer-cert-manager-self-sign-issuer.yml | 2 +- ...policy-olmv1-system-default-deny-all-traffic.yml | 2 +- helm/olmv1/templates/_helpers.tpl | 13 +++++++++++++ 7 files changed, 19 insertions(+), 6 deletions(-) diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml index a34e87946..d009d2474 100644 --- a/helm/olmv1/templates/00-namespace.yml +++ b/helm/olmv1/templates/00-namespace.yml @@ -8,7 +8,7 @@ metadata: {{- toYamlPretty . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} pod-security.kubernetes.io/audit: {{ .Values.namespaces.olmv1.podSecurityProfile }} pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/enforce: {{ .Values.namespaces.olmv1.podSecurityProfile }} diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml index d0b232597..6412afa20 100644 --- a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml +++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml @@ -5,7 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-ca namespace: {{ .Values.namespaces.certManager.name }} diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml index 146b49192..33284d018 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml 
+++ b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml @@ -5,7 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-cert namespace: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml index f572c40b1..f0fb86161 100644 --- a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml +++ b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml @@ -5,7 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} {{- include "olmv1.labels" . | nindent 4 }} name: olmv1-ca spec: diff --git a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml index 29b215e2c..d458ce83e 100644 --- a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml +++ b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml @@ -5,7 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} {{- include "olmv1.labels" . | nindent 4 }} name: self-sign-issuer namespace: {{ .Values.namespaces.certManager.name }} diff --git a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml index dddcd90c1..e39a84a88 100644 --- a/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml +++ b/helm/olmv1/templates/37-networkpolicy-olmv1-system-default-deny-all-traffic.yml 
@@ -5,7 +5,7 @@ metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} labels: - app.kubernetes.io/name: olmv1 + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} {{- include "olmv1.labels" . | nindent 4 }} name: {{ include "component.name.prefix" . -}}default-deny-all-traffic namespace: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index f61e7976c..8657fbf1d 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -52,3 +52,16 @@ Insertion of additional rules for RBAC {{- toYamlPretty . }} {{- end }} {{- end }} + +{{/* +Returns "operator-controller", "catalogd" or "olmv1" depending on enabled components +*/}} +{{- define "olmv1.label.name" -}} +{{- if (and .Values.components.operatorController.enabled (not .Values.components.catalogd.enabled)) -}} +operator-controller +{{- else if (and (not .Values.components.operatorController.enabled) .Values.components.catalogd.enabled) -}} +catalogd +{{- else -}} +olmv1 +{{- end -}} +{{- end -}} \ No newline at end of file From a011338622bb7e19f8ac29f0ee531c8bfec5326a Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 30 Jul 2025 09:49:23 -0400 Subject: [PATCH 47/55] WIP: remove control-plane label 
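Review bot: The doc comment on `olmv1.label.name` does not say which case yields `olmv1`: the `else` branch is taken both when operator-controller and catalogd are enabled together and when neither is. I would spell that out, for example `Returns "operator-controller" or "catalogd" when exactly one of the two components is enabled, and "olmv1" otherwise (both or neither).` The file also ends without a trailing newline, which the diff flags.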
Signed-off-by: Todd Short --- docs/draft/api-reference/network-policies.md | 8 ++++---- docs/draft/howto/consuming-metrics.md | 8 ++++---- docs/draft/howto/enable-helm-chart-support.md | 2 +- docs/draft/howto/profiling_with_pprof.md | 10 +++++----- ...6-service-olmv1-system-catalogd-service.yml | 3 +-- ...lmv1-system-operator-controller-service.yml | 3 +-- ...lmv1-system-catalogd-controller-manager.yml | 4 +--- ...-operator-controller-controller-manager.yml | 4 +--- ...lmv1-system-catalogd-controller-manager.yml | 2 +- ...-operator-controller-controller-manager.yml | 2 +- manifests/experimental-e2e.yaml | 18 ++++++------------ manifests/experimental.yaml | 18 ++++++------------ manifests/standard-e2e.yaml | 18 ++++++------------ manifests/standard.yaml | 18 ++++++------------ test/e2e/metrics_test.go | 4 ++-- test/e2e/network_policy_test.go | 8 ++++---- test/upgrade-e2e/post_upgrade_test.go | 10 +++++----- 17 files changed, 55 insertions(+), 85 deletions(-) diff --git a/docs/draft/api-reference/network-policies.md b/docs/draft/api-reference/network-policies.md index 9f36eaae1..82afe8e2c 100644 --- a/docs/draft/api-reference/network-policies.md +++ b/docs/draft/api-reference/network-policies.md @@ -19,8 +19,8 @@ NetworkPolicy is implemented for both catalogd and operator-controller component Each component has a dedicated NetworkPolicy that applies to its respective pod through label selectors: -* For catalogd: `control-plane=catalogd-controller-manager` -* For operator-controller: `control-plane=operator-controller-controller-manager` +* For catalogd: `app.kubernetes.io/name=catalogd` +* For operator-controller: `app.kubernetes.io/name=operator-controller` ### Catalogd NetworkPolicy 
@@ -78,10 +78,10 @@ If you encounter network connectivity issues after deploying OLMv1, consider the ```bash # Verify catalogd pod labels -kubectl get pods -n olmv1-system --selector=control-plane=catalogd-controller-manager +kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=catalogd # Verify operator-controller pod labels -kubectl get pods -n olmv1-system --selector=control-plane=operator-controller-controller-manager +kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=operator-controller # Compare with actual pod names kubectl get pods -n olmv1-system | grep -E 'catalogd|operator-controller' diff --git a/docs/draft/howto/consuming-metrics.md b/docs/draft/howto/consuming-metrics.md index 3cae15bb0..ccefbee6c 100644 --- a/docs/draft/howto/consuming-metrics.md +++ b/docs/draft/howto/consuming-metrics.md @@ -226,7 +226,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: operator-controller-controller-manager + apps.kubernetes.io/name: operator-controller name: controller-manager-metrics-monitor namespace: olmv1-system spec: @@ -251,7 +251,7 @@ spec: key: tls.key selector: matchLabels: - control-plane: operator-controller-controller-manager + apps.kubernetes.io/name: operator-controller EOF ``` @@ -268,7 +268,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: catalogd-controller-manager + apps.kubernetes.io/name: catalogd name: catalogd-metrics-monitor namespace: olmv1-system spec: @@ -298,4 +298,4 @@ EOF ``` [prometheus-operator]: https://github.com/prometheus-operator/kube-prometheus -[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ \ No newline at end of file +[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ diff --git a/docs/draft/howto/enable-helm-chart-support.md b/docs/draft/howto/enable-helm-chart-support.md index 1a528fcf9..44d083707 100644 
--- a/docs/draft/howto/enable-helm-chart-support.md +++ b/docs/draft/howto/enable-helm-chart-support.md @@ -24,7 +24,7 @@ To enable the Helm Chart support feature gate, you need to patch the `operator-c 2. **Wait for the controller manager pods to be ready:** ```bash - $ kubectl -n olmv1-system wait --for condition=ready pods -l control-plane=operator-controller-controller-manager + $ kubectl -n olmv1-system wait --for condition=ready pods -l apps.kubernetes.io/name=operator-controller ``` Once the above wait condition is met, the `HelmChartSupport` feature gate should be enabled in operator controller. diff --git a/docs/draft/howto/profiling_with_pprof.md b/docs/draft/howto/profiling_with_pprof.md index 23ec7f7af..01c0969d4 100644 --- a/docs/draft/howto/profiling_with_pprof.md +++ b/docs/draft/howto/profiling_with_pprof.md @@ -21,7 +21,7 @@ The following steps are examples to demonstrate the required changes to enable P 1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8082` flag: ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=operator-controller -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "add", @@ -127,7 +127,7 @@ go tool pprof -http=:8080 ./operator-controller-profile.pprof 1. Run the following command to patch the Deployment and add the `--pprof-bind-address=:8083` flag: ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=catalogd -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "add", 
@@ -235,7 +235,7 @@ go tool pprof -http=:8080 ./catalogd-profile.pprof 1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint. ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=operator-controller-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=operator-controller -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "replace", @@ -266,7 +266,7 @@ kubectl delete pod curl-oper-con-pprof -n olmv1-system 1. Run the following command to bind to `--pprof-bind-address` the value `0` in order to disable the endpoint. ```shell -kubectl patch deployment $(kubectl get deployments -n olmv1-system -l control-plane=catalogd-controller-manager -o jsonpath='{.items[0].metadata.name}') \ +kubectl patch deployment $(kubectl get deployments -n olmv1-system -l apps.kubernetes.io/name=catalogd -o jsonpath='{.items[0].metadata.name}') \ -n olmv1-system --type='json' -p='[ { "op": "replace", @@ -294,4 +294,4 @@ re-start the deployment `kubectl rollout restart deployment -n olmv1-system cata kubectl delete pod curl-catalogd-pprof -n olmv1-system ``` -[pprof]: https://github.com/google/pprof/blob/main/doc/README.md \ No newline at end of file +[pprof]: https://github.com/google/pprof/blob/main/doc/README.md diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index 6ced60bae..8da5c9a81 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml @@ -8,7 +8,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-service 
@@ -28,5 +27,5 @@ spec: protocol: TCP targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd {{- end }} diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index 86e096716..c7910d972 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml @@ -8,7 +8,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-service @@ -20,5 +19,5 @@ spec: protocol: TCP targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller {{- end }} diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 6c9bc1b8e..f91fc3efe 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager {{- include "olmv1.annotations" . | nindent 4 }} labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} name: catalogd-controller-manager @@ -16,7 +15,7 @@ spec: replicas: 1 selector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd template: metadata: annotations: 
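Review bot: The Service in this hunk is labelled and selected with `app.kubernetes.io/name`, but the documentation hunks of the same patch spell the key `apps.kubernetes.io/name`. That spelling appears in the kubectl selectors of the troubleshooting, enable-helm-chart-support.md and profiling_with_pprof.md hunks, and in the ServiceMonitor `labels`/`matchLabels` in consuming-metrics.md. A ServiceMonitor written from those docs would match no Service, so the metrics endpoints would not be scraped, and the `kubectl get/wait/patch -l` commands would find no resources. The docs lines should read `app.kubernetes.io/name=catalogd` and `app.kubernetes.io/name=operator-controller`, matching the `selector:` here and in the operator-controller Service hunk.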
@@ -26,7 +25,6 @@ spec: {{- toYamlPretty . | nindent 8 }} {{- end }} labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.catalogd.deployment.podLabels }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 34d2731ad..aed64ae12 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -6,7 +6,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager {{- include "olmv1.annotations" . | nindent 4 }} labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 4 }} name: operator-controller-controller-manager @@ -15,7 +14,7 @@ spec: replicas: 1 selector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller template: metadata: annotations: @@ -25,7 +24,6 @@ spec: {{- toYamlPretty . | nindent 8 }} {{- end }} labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.operatorController.deployment.podLabels }} diff --git a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml index b96ac66c5..43e48a2b5 100644 --- a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml 
@@ -22,7 +22,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd policyTypes: - Ingress - Egress diff --git a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml index 3dc3911b1..f0f3bcbea 100644 --- a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml @@ -18,7 +18,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller policyTypes: - Ingress - Egress diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index e835fdfa8..624651159 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller policyTypes: - Ingress - Egress @@ -1657,7 +1657,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-service @@ -1677,7 +1676,7 @@ spec: protocol: TCP targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- # Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 
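Review bot: The `podSelector` in this hunk, and in the operator-controller NetworkPolicy hunk that follows, now keys the ingress/egress rules on `app.kubernetes.io/name`, a label that values can override. The Deployment pod-template hunk earlier in this patch renders `.Values.components.catalogd.deployment.podLabels` after the fixed `app.kubernetes.io/name: catalogd` entry. If a values file supplies the same key there, the rendered pod may no longer carry the value this policy selects on and would fall outside it; whether another policy still restricts such a pod is not visible from this hunk. I would add a comment next to the pod-template label such as `# selected by the Service and NetworkPolicy; must not be overridden through podLabels`, or reject that key in `podLabels`.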
@@ -1686,7 +1685,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-service @@ -1698,7 +1696,7 @@ spec: protocol: TCP targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- # Source: olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 @@ -1748,7 +1746,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-controller-manager @@ -1758,14 +1755,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm spec: @@ -1891,7 +1887,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-controller-manager 
@@ -1900,14 +1895,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm spec: diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 2c781290a..b1772f1bf 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller policyTypes: - Ingress - Egress @@ -1622,7 +1622,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-service @@ -1642,7 +1641,7 @@ spec: protocol: TCP targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- # Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 @@ -1651,7 +1650,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: experimental labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-service 
@@ -1663,7 +1661,7 @@ spec: protocol: TCP targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- # Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 @@ -1673,7 +1671,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-controller-manager @@ -1683,14 +1680,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm spec: @@ -1808,7 +1804,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-controller-manager @@ -1817,14 +1812,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: experimental labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm spec: diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 538731d4f..49336dc17 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml 
@@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller policyTypes: - Ingress - Egress @@ -1657,7 +1657,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-service @@ -1677,7 +1676,7 @@ spec: protocol: TCP targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- # Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 @@ -1686,7 +1685,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-service @@ -1698,7 +1696,7 @@ spec: protocol: TCP targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- # Source: olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml apiVersion: v1 @@ -1748,7 +1746,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-controller-manager 
@@ -1758,14 +1755,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm spec: @@ -1890,7 +1886,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-controller-manager @@ -1899,14 +1894,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard-e2e labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm spec: diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 83c14dd04..7401607d9 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -40,7 +40,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd policyTypes: - Ingress - Egress @@ -82,7 +82,7 @@ spec: protocol: TCP podSelector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller policyTypes: - Ingress - Egress @@ -1622,7 +1622,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-service 
@@ -1642,7 +1641,7 @@ spec: protocol: TCP targetPort: 7443 selector: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd --- # Source: olmv1/templates/27-service-olmv1-system-operator-controller-service.yml apiVersion: v1 @@ -1651,7 +1650,6 @@ metadata: annotations: olm.operatorframework.io/feature-set: standard labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-service @@ -1663,7 +1661,7 @@ spec: protocol: TCP targetPort: 8443 selector: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller --- # Source: olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml apiVersion: apps/v1 @@ -1673,7 +1671,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm name: catalogd-controller-manager @@ -1683,14 +1680,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: catalogd-controller-manager + app.kubernetes.io/name: catalogd template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: catalogd-controller-manager app.kubernetes.io/name: catalogd app.kubernetes.io/part-of: olm spec: @@ -1807,7 +1803,6 @@ metadata: kubectl.kubernetes.io/default-logs-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm name: operator-controller-controller-manager 
@@ -1816,14 +1811,13 @@ spec: replicas: 1 selector: matchLabels: - control-plane: operator-controller-controller-manager + app.kubernetes.io/name: operator-controller template: metadata: annotations: kubectl.kubernetes.io/default-container: manager olm.operatorframework.io/feature-set: standard labels: - control-plane: operator-controller-controller-manager app.kubernetes.io/name: operator-controller app.kubernetes.io/part-of: olm spec: diff --git a/test/e2e/metrics_test.go b/test/e2e/metrics_test.go index 4a88c3dca..ffc93c696 100644 --- a/test/e2e/metrics_test.go +++ b/test/e2e/metrics_test.go @@ -32,7 +32,7 @@ import ( func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, "control-plane=operator-controller-controller-manager") + componentNamespace := getComponentNamespace(t, client, "app.kubernetes.io/name=operator-controller") metricsURL := fmt.Sprintf("https://operator-controller-service.%s.svc.cluster.local:8443/metrics", componentNamespace) config := NewMetricsTestConfig( @@ -52,7 +52,7 @@ func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) { func TestCatalogdMetricsExportedEndpoint(t *testing.T) { client := utils.FindK8sClient(t) curlNamespace := createRandomNamespace(t, client) - componentNamespace := getComponentNamespace(t, client, "control-plane=catalogd-controller-manager") + componentNamespace := getComponentNamespace(t, client, "app.kubernetes.io/name=catalogd") metricsURL := fmt.Sprintf("https://catalogd-service.%s.svc.cluster.local:7443/metrics", componentNamespace) config := NewMetricsTestConfig( diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go index 0f3979d23..d6b913a4f 100644 --- a/test/e2e/network_policy_test.go +++ b/test/e2e/network_policy_test.go 
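Review bot: The selector literals passed to `getComponentNamespace` in both metrics_test.go hunks repeat strings that network_policy_test.go in the same directory already names as `operatorManagerSelector` and `catalogdManagerSelector`. Assuming both files are in the same package, the calls can read `getComponentNamespace(t, client, operatorManagerSelector)` and `getComponentNamespace(t, client, catalogdManagerSelector)`, so the next label change needs only one edit. Both test functions continue outside their hunks.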
@@ -20,8 +20,8 @@ import ( const ( minJustificationLength = 40 - catalogdManagerSelector = "control-plane=catalogd-controller-manager" - operatorManagerSelector = "control-plane=operator-controller-controller-manager" + catalogdManagerSelector = "app.kubernetes.io/name=catalogd" + operatorManagerSelector = "app.kubernetes.io/name=operator-controller" catalogdMetricsPort = 7443 catalogdWebhookPort = 9443 catalogServerPort = 8443 @@ -88,7 +88,7 @@ var prometheuSpec = allowedPolicyDefinition{ // Ref: https://docs.google.com/document/d/1bHEEWzA65u-kjJFQRUY1iBuMIIM1HbPy4MeDLX4NI3o/edit?usp=sharing var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ "catalogd-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "catalogd"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{ @@ -116,7 +116,7 @@ var allowedNetworkPolicies = map[string]allowedPolicyDefinition{ }, }, "operator-controller-controller-manager": { - selector: metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}}, + selector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "operator-controller"}}, policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, ingressRule: ingressRule{ ports: []portWithJustification{ diff --git a/test/upgrade-e2e/post_upgrade_test.go b/test/upgrade-e2e/post_upgrade_test.go index 221182bb6..abddee78d 100644 --- a/test/upgrade-e2e/post_upgrade_test.go +++ b/test/upgrade-e2e/post_upgrade_test.go 
@@ -31,7 +31,7 @@ func TestClusterCatalogUnpacking(t *testing.T) { ctx := context.Background() t.Log("Checking that the controller-manager deployment is updated") - managerLabelSelector := labels.Set{"control-plane": "catalogd-controller-manager"} + managerLabelSelector := labels.Set{"app.kubernetes.io/name": "catalogd"} var managerDeployment appsv1.Deployment require.EventuallyWithT(t, func(ct *assert.CollectT) { var managerDeployments appsv1.DeploymentList @@ -103,11 +103,11 @@ func TestClusterExtensionAfterOLMUpgrade(t *testing.T) { // wait for catalogd deployment to finish t.Log("Wait for catalogd deployment to be ready") - catalogdManagerPod := waitForDeployment(t, ctx, "catalogd-controller-manager") + catalogdManagerPod := waitForDeployment(t, ctx, "catalogd") // wait for operator-controller deployment to finish t.Log("Wait for operator-controller deployment to be ready") - managerPod := waitForDeployment(t, ctx, "operator-controller-controller-manager") + managerPod := waitForDeployment(t, ctx, "operator-controller") t.Log("Wait for acquired leader election") // Average case is under 1 minute but in the worst case: (previous leader crashed) 
@@ -188,12 +188,12 @@ func TestClusterExtensionAfterOLMUpgrade(t *testing.T) { }, time.Minute, time.Second) } -// waitForDeployment checks that the updated deployment with the given control-plane label +// waitForDeployment checks that the updated deployment with the given app.kubernetes.io/name label // has reached the desired number of replicas and that the number pods matches that number // i.e. no old pods remain. It will return a pointer to the first pod. This is only necessary // to facilitate the mitigation put in place for https://github.com/operator-framework/operator-controller/issues/1626 func waitForDeployment(t *testing.T, ctx context.Context, controlPlaneLabel string) *corev1.Pod { - deploymentLabelSelector := labels.Set{"control-plane": controlPlaneLabel}.AsSelector() + deploymentLabelSelector := labels.Set{"app.kubernetes.io/name": controlPlaneLabel}.AsSelector() t.Log("Checking that the deployment is updated") var desiredNumReplicas int32 From 5ef762c74ccd67e90dc982b79ce12383c0bec4e5 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 30 Jul 2025 10:56:32 -0400 Subject: [PATCH 48/55] WIP: Add webhook annotation Signed-off-by: Todd Short --- ...okconfiguration-catalogd-mutating-webhook-configuration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 1c463dc2b..e4520189b 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml 
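Review bot: `waitForDeployment` still names its parameter `controlPlaneLabel`, although this hunk now uses it as the value of `app.kubernetes.io/name` and the updated doc comment says so. Renaming it keeps signature and comment in agreement: `func waitForDeployment(t *testing.T, ctx context.Context, appName string) *corev1.Pod` and `labels.Set{"app.kubernetes.io/name": appName}.AsSelector()`. Go arguments are positional, so the two call sites changed in the previous hunk are unaffected. The function body continues past the end of this hunk.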
@@ -10,6 +10,9 @@ metadata: {{- if .Values.components.certManager.enabled }} cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca {{- end }} + {{- with .Values.components.catalogd.webhook.annotations }} + {{- toYamlPretty . | nindent 4 }} + {{- end }} {{- include "olmv1.annotations" . | nindent 4 }} webhooks: - admissionReviewVersions: From 37062fe6dbb11e385cd98c50202548e0caf84a21 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 30 Jul 2025 15:01:11 -0400 Subject: [PATCH 49/55] WIP: fix control-plane label for deployments Signed-off-by: Todd Short --- ...-deployment-olmv1-system-catalogd-controller-manager.yml | 3 ++- ...-olmv1-system-operator-controller-controller-manager.yml | 3 ++- manifests/experimental-e2e.yaml | 6 ++++-- manifests/experimental.yaml | 6 ++++-- manifests/standard-e2e.yaml | 6 ++++-- manifests/standard.yaml | 6 ++++-- 6 files changed, 20 insertions(+), 10 deletions(-) diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index f91fc3efe..522acb3a8 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -15,7 +15,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager template: metadata: annotations: @@ -26,6 +26,7 @@ spec: {{- end }} labels: app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.catalogd.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index aed64ae12..3767581cd 100644 
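Review bot: The new `with .Values.components.catalogd.webhook.annotations` block reads a values path that this commit does not define, since the diffstat lists only the template. Unless `components.catalogd.webhook` already exists in values.yaml, rendering would fail with a nil-pointer error on `.annotations`. A default such as `webhook: {annotations: {}}` under `components.catalogd` in values.yaml avoids that, as does writing the guard as `{{- with ((.Values.components.catalogd.webhook).annotations) }}`. The block is also emitted after `cert-manager.io/inject-ca-from-secret`, so a values entry with that key would render a duplicate of the annotation that controls which CA bundle is injected for this webhook. A values.yaml comment marking that key as reserved would help.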
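Review bot: Nothing in the catalogd Deployment template explains why the pod template must now carry both `control-plane` and `app.kubernetes.io/name`. After this hunk the Deployment selects its pods on `control-plane`, while the Service selector and NetworkPolicy `podSelector` changed earlier on this page select on `app.kubernetes.io/name`. `spec.selector` of an apps/v1 Deployment is immutable, which is presumably why the earlier switch was undone. A comment above `matchLabels` would record that, e.g. `# selector is immutable across upgrades: keep control-plane here; Service and NetworkPolicy select on app.kubernetes.io/name`. The same applies to the operator-controller Deployment template hunks that follow; the manifests/*.yaml hunks are the rendered output.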
--- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -14,7 +14,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager template: metadata: annotations: @@ -25,6 +25,7 @@ spec: {{- end }} labels: app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager {{- include "olmv1.labels" . | nindent 8 }} {{- with .Values.components.operatorController.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 624651159..64d5df09c 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1755,7 +1755,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager template: metadata: annotations: @@ -1763,6 +1763,7 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager app.kubernetes.io/part-of: olm spec: containers: @@ -1895,7 +1896,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager template: metadata: annotations: @@ -1903,6 +1904,7 @@ spec: olm.operatorframework.io/feature-set: experimental-e2e labels: app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager app.kubernetes.io/part-of: olm spec: containers: diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index b1772f1bf..d8ea692db 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml 
@@ -1680,7 +1680,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager template: metadata: annotations: @@ -1688,6 +1688,7 @@ spec: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager app.kubernetes.io/part-of: olm spec: containers: @@ -1812,7 +1813,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager template: metadata: annotations: @@ -1820,6 +1821,7 @@ spec: olm.operatorframework.io/feature-set: experimental labels: app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager app.kubernetes.io/part-of: olm spec: containers: diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index 49336dc17..c9594feec 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -1755,7 +1755,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager template: metadata: annotations: @@ -1763,6 +1763,7 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager app.kubernetes.io/part-of: olm spec: containers: @@ -1894,7 +1895,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager template: metadata: annotations: @@ -1902,6 +1903,7 @@ spec: olm.operatorframework.io/feature-set: standard-e2e labels: app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager app.kubernetes.io/part-of: olm spec: containers: diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 7401607d9..16bdab544 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml 
@@ -1680,7 +1680,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager template: metadata: annotations: @@ -1688,6 +1688,7 @@ spec: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: catalogd + control-plane: catalogd-controller-manager app.kubernetes.io/part-of: olm spec: containers: @@ -1811,7 +1812,7 @@ spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager template: metadata: annotations: @@ -1819,6 +1820,7 @@ spec: olm.operatorframework.io/feature-set: standard labels: app.kubernetes.io/name: operator-controller + control-plane: operator-controller-controller-manager app.kubernetes.io/part-of: olm spec: containers: From 353b35119f65d6f0135f3a71e40d82edf78eda42 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Wed, 30 Jul 2025 16:12:24 -0400 Subject: [PATCH 50/55] WIP: Update values locations; add build of tilt 
Signed-off-by: Todd Short --- Makefile | 1 + helm/cert-manager.yaml | 2 +- helm/e2e.yaml | 2 +- helm/experimental.yaml | 3 +- ...ustercatalogs.olm.operatorframework.io.yml | 6 ++-- ...terextensions.olm.operatorframework.io.yml | 6 ++-- ...mv1-system-catalogd-controller-manager.yml | 2 +- ...operator-controller-controller-manager.yml | 2 +- ...1-system-catalogd-leader-election-role.yml | 2 +- ...ole-olmv1-system-catalogd-manager-role.yml | 2 +- ...erator-controller-leader-election-role.yml | 2 +- ...ystem-operator-controller-manager-role.yml | 2 +- .../09-clusterrole-catalogd-manager-role.yml | 2 +- ...10-clusterrole-catalogd-metrics-reader.yml | 2 +- .../11-clusterrole-catalogd-proxy-role.yml | 2 +- ...ontroller-clusterextension-editor-role.yml | 2 +- ...ontroller-clusterextension-viewer-role.yml | 2 +- ...rrole-operator-controller-manager-role.yml | 2 +- ...ole-operator-controller-metrics-reader.yml | 2 +- ...terrole-operator-controller-proxy-role.yml | 2 +- ...m-catalogd-leader-election-rolebinding.yml | 2 +- ...v1-system-catalogd-manager-rolebinding.yml | 2 +- ...controller-leader-election-rolebinding.yml | 2 +- ...perator-controller-manager-rolebinding.yml | 2 +- ...lebinding-catalogd-manager-rolebinding.yml | 2 +- ...rolebinding-catalogd-proxy-rolebinding.yml | 2 +- ...perator-controller-manager-rolebinding.yml | 2 +- ...-operator-controller-proxy-rolebinding.yml | 2 +- ...igmap-olmv1-system-e2e-registries-conf.yml | 2 +- ...-service-olmv1-system-catalogd-service.yml | 4 +-- ...mv1-system-operator-controller-service.yml | 4 +-- ...tvolumeclaim-olmv1-system-e2e-coverage.yml | 2 +- ...mv1-system-catalogd-controller-manager.yml | 36 +++++++++---------- ...operator-controller-controller-manager.yml | 36 +++++++++---------- .../31-certificate-cert-manager-olmv1-ca.yml | 2 +- ...ate-olmv1-system-catalogd-service-cert.yml | 2 +- ...-olmv1-system-operator-controller-cert.yml | 2 +- .../templates/34-clusterissuer-olmv1-ca.yml | 2 +- 
...5-issuer-cert-manager-self-sign-issuer.yml | 2 +- ...mv1-system-catalogd-controller-manager.yml | 2 +- ...operator-controller-controller-manager.yml | 2 +- ...pod-olmv1-system-e2e-coverage-copy-pod.yml | 2 +- ...atalogd-mutating-webhook-configuration.yml | 6 ++-- helm/olmv1/templates/_helpers.tpl | 14 ++++---- helm/olmv1/values.yaml | 10 +++--- helm/tilt.yaml | 9 +++-- 46 files changed, 101 insertions(+), 102 deletions(-) diff --git a/Makefile b/Makefile index bf76be15b..139adfbe1 100644 --- a/Makefile +++ b/Makefile @@ -157,6 +157,7 @@ manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, Clus $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST) $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST) $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST) + $(HELM) template olmv1 helm/olmv1 --values helm/tilt.yaml > /dev/null .PHONY: generate generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/helm/cert-manager.yaml b/helm/cert-manager.yaml index 20bfd9801..a57a36f3c 100644 --- a/helm/cert-manager.yaml +++ b/helm/cert-manager.yaml @@ -3,6 +3,6 @@ # Declare variables to be passed into your templates. # List of components to include -components: +options: certManager: enabled: true diff --git a/helm/e2e.yaml b/helm/e2e.yaml index d3acb6b74..11d51ddad 100644 --- a/helm/e2e.yaml +++ b/helm/e2e.yaml @@ -3,6 +3,6 @@ # Declare variables to be passed into your templates. # List of components to include -components: +options: e2e: enabled: true diff --git a/helm/experimental.yaml b/helm/experimental.yaml index 92435ea5d..d1812afcb 100644 --- a/helm/experimental.yaml +++ b/helm/experimental.yaml 
@@ -18,4 +18,5 @@ catalogdFeatures: - APIV1MetasHandler # This can be one of: standard or experimental -featureSet: experimental +options: + featureSet: experimental diff --git a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml index c5cdff426..079f39aa2 100644 --- a/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/01-customresourcedefinition-clustercatalogs.olm.operatorframework.io.yml @@ -1,7 +1,7 @@ -{{- if .Values.components.catalogd.enabled }} -{{- if (eq .Values.featureSet "standard") }} +{{- if .Values.options.catalogd.enabled }} +{{- if (eq .Values.options.featureSet "standard") }} {{ tpl (.Files.Get "base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml") . }} -{{- else if (eq .Values.featureSet "experimental") }} +{{- else if (eq .Values.options.featureSet "experimental") }} {{ tpl (.Files.Get "base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml index 188ba5d74..f3ce9b864 100644 --- a/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml +++ b/helm/olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml 
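Review bot: The `if`/`else if` chain on `.Values.options.featureSet` in the clustercatalogs CRD template has no final `else`, so a value other than `standard` or `experimental` (a typo in an override, for example) renders no CRD at all and the chart still templates cleanly. Adding `{{- else }}` followed by `{{- fail (printf "unsupported options.featureSet %q" .Values.options.featureSet) }}` before the inner `{{- end }}` would turn that into a render-time error. The clusterextensions CRD template in the next file section has the same chain and needs the same guard.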
@@ -1,7 +1,7 @@ -{{- if .Values.components.operatorController.enabled }} -{{- if (eq .Values.featureSet "standard") }} +{{- if .Values.options.operatorController.enabled }} +{{- if (eq .Values.options.featureSet "standard") }} {{ tpl (.Files.Get "base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml") . }} -{{- else if (eq .Values.featureSet "experimental") }} +{{- else if (eq .Values.options.featureSet "experimental") }} {{ tpl (.Files.Get "base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml") . }} {{- end }} {{- end }} diff --git a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml index 3c69f5162..bb403d1c6 100644 --- a/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/03-serviceaccount-olmv1-system-catalogd-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml index 67cd4c3a0..327f729a0 100644 --- a/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/04-serviceaccount-olmv1-system-operator-controller-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml index 9f689a4c9..93aea42d1 100644 
--- a/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml +++ b/helm/olmv1/templates/05-role-olmv1-system-catalogd-leader-election-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml index 99576fd05..09cec7c0c 100644 --- a/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml +++ b/helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml index 75d0f25c1..f9ab3b9cb 100644 --- a/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml +++ b/helm/olmv1/templates/07-role-olmv1-system-operator-controller-leader-election-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml index 0a3a02796..2e31957d3 100644 --- a/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml 
@@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml index 772f202da..4d033c402 100644 --- a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml +++ b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml index dff10502f..884ddfc65 100644 --- a/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml +++ b/helm/olmv1/templates/10-clusterrole-catalogd-metrics-reader.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml index 73d5efe20..46463e988 100644 --- a/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml +++ b/helm/olmv1/templates/11-clusterrole-catalogd-proxy-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml index e215de337..d70e9caf3 100644 
--- a/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml +++ b/helm/olmv1/templates/12-clusterrole-operator-controller-clusterextension-editor-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml index c2c8a3c73..9cd843b51 100644 --- a/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml +++ b/helm/olmv1/templates/13-clusterrole-operator-controller-clusterextension-viewer-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml index a73e25356..ab5cb847f 100644 --- a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml index ae2ee2231..b07acc395 100644 --- a/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml 
+++ b/helm/olmv1/templates/15-clusterrole-operator-controller-metrics-reader.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml index d87b0ff05..d0e03a7a1 100644 --- a/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml +++ b/helm/olmv1/templates/16-clusterrole-operator-controller-proxy-role.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml index 00b091354..4221f1041 100644 --- a/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/17-rolebinding-olmv1-system-catalogd-leader-election-rolebinding.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml index e60cb285a..30140b23d 100644 --- a/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/18-rolebinding-olmv1-system-catalogd-manager-rolebinding.yml 
@@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml index 533f7da0f..dde53cfbd 100644 --- a/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml +++ b/helm/olmv1/templates/19-rolebinding-olmv1-system-operator-controller-leader-election-rolebinding.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml index 3978cfb8b..a04dc4d53 100644 --- a/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/20-rolebinding-olmv1-system-operator-controller-manager-rolebinding.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml index 998988869..5936fd2f3 100644 --- a/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml +++ b/helm/olmv1/templates/21-clusterrolebinding-catalogd-manager-rolebinding.yml 
@@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml index 9476c51bb..8e1790155 100644 --- a/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml +++ b/helm/olmv1/templates/22-clusterrolebinding-catalogd-proxy-rolebinding.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml index 8ea8a3b2f..6aa8bd3bb 100644 --- a/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml +++ b/helm/olmv1/templates/23-clusterrolebinding-operator-controller-manager-rolebinding.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml index 60e8c6ed1..d7e1021ad 100644 --- a/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml +++ b/helm/olmv1/templates/24-clusterrolebinding-operator-controller-proxy-rolebinding.yml 
@@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} {{/* Probably want to include this as a file somehow */}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml index f073d1adc..d6fec9b5f 100644 --- a/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml +++ b/helm/olmv1/templates/25-configmap-olmv1-system-e2e-registries-conf.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.e2e.enabled }} +{{- if .Values.options.e2e.enabled }} apiVersion: v1 data: registries.conf: | diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index 8da5c9a81..110f9d1be 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml @@ -1,10 +1,10 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: v1 kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - {{- with .Values.components.catalogd.service.annotations }} + {{- with .Values.options.catalogd.service.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index c7910d972..2d985da22 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml 
@@ -1,10 +1,10 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: v1 kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - {{- with .Values.components.operatorController.service.annotations }} + {{- with .Values.options.operatorController.service.annotations }} {{- toYaml . | nindent 4 }} {{- end }} labels: diff --git a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml index 90251855d..6f5c83fce 100644 --- a/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml +++ b/helm/olmv1/templates/28-persistentvolumeclaim-olmv1-system-e2e-coverage.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.e2e.enabled }} +{{- if .Values.options.e2e.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 522acb3a8..35473e6d7 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -21,20 +21,20 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} - {{- with .Values.components.catalogd.deployment.podAnnotations }} + {{- with .Values.options.catalogd.deployment.podAnnotations }} {{- toYamlPretty . | nindent 8 }} {{- end }} labels: app.kubernetes.io/name: catalogd control-plane: catalogd-controller-manager {{- include "olmv1.labels" . | nindent 8 }} - {{- with .Values.components.catalogd.deployment.podLabels }} + {{- with .Values.options.catalogd.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} {{- end }} spec: containers: - args: - {{- if not .Values.tilt.enabled }} + {{- if not .Values.options.tilt.enabled }} - --leader-elect {{- end }} - --metrics-bind-address=:7443 
@@ -42,28 +42,28 @@ spec: {{- range .Values.catalogdFeatures }} - --feature-gates={{- . -}}=true {{- end }} - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - --pull-cas-dir=/var/ca-certs {{- end }} - {{- with .Values.components.catalogd.deployment.podArguments }} + {{- with .Values.options.catalogd.deployment.podArguments }} {{- toYaml . | nindent 12 }} {{- end }} command: - ./catalogd - {{- if or .Values.components.e2e.enabled .Values.components.catalogd.deployment.env }} + {{- if or .Values.options.e2e.enabled .Values.options.catalogd.deployment.env }} env: {{- end }} - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - {{- with .Values.components.catalogd.deployment.env }} + {{- with .Values.options.catalogd.deployment.env }} {{- toYamlPretty . | nindent 12 }} {{- end }} - image: "{{ .Values.components.catalogd.deployment.image }}" - {{- if not .Values.tilt.enabled }} + image: "{{ .Values.options.catalogd.deployment.image }}" + {{- if not .Values.options.tilt.enabled }} livenessProbe: httpGet: path: /healthz @@ -72,7 +72,7 @@ spec: periodSeconds: 20 {{- end }} name: manager - {{- if not .Values.tilt.enabled }} + {{- if not .Values.options.tilt.enabled }} readinessProbe: httpGet: path: /readyz @@ -85,7 +85,7 @@ spec: cpu: 100m memory: 200Mi volumeMounts: - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - mountPath: /e2e-coverage name: e2e-coverage-volume {{- end }} 
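Review bot: The TLS arguments (`--tls-cert`, `--tls-key`, `--pull-cas-dir`) are now gated on `.Values.options.certManager.enabled`, and nothing visible in this patch rejects a values file that still uses the old `components:` root. Such a file would be ignored without any error, so an override of `components.certManager.enabled: true` would render the catalogd Deployment without its certificate arguments and mounts, assuming the chart default for certManager is `false`, as the values.yaml hunk suggests. A one-line guard in a template, `{{- if hasKey .Values "components" }}{{- fail "values key 'components' was renamed to 'options'" }}{{- end }}`, would make the rename fail loudly. The same applies to the old top-level `featureSet` and `tilt` keys and to the operator-controller Deployment later in this patch. The Deployment spec continues outside these hunks.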
@@ -93,14 +93,14 @@ spec: name: cache - mountPath: /tmp name: tmp - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - mountPath: /var/certs name: catalogserver-certs - mountPath: /var/ca-certs name: ca-certs readOnly: true {{- end }} - {{- with .Values.components.catalogd.deployment.volumeMounts }} + {{- with .Values.options.catalogd.deployment.volumeMounts }} {{- toYamlPretty . | nindent 12 }} {{- end }} {{- with .Values.deployments.containerSpec }} @@ -108,7 +108,7 @@ spec: {{- end }} serviceAccountName: catalogd-controller-manager volumes: - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - name: e2e-coverage-volume persistentVolumeClaim: claimName: e2e-coverage @@ -117,7 +117,7 @@ spec: name: cache - emptyDir: {} name: tmp - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - name: catalogserver-certs secret: items: @@ -135,7 +135,7 @@ spec: optional: false secretName: catalogd-service-cert-git-version {{- end }} - {{- with .Values.components.catalogd.deployment.volumes }} + {{- with .Values.options.catalogd.deployment.volumes }} {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployments.templateSpec }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 3767581cd..50adcd774 100644 --- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -20,14 +20,14 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} - {{- with .Values.components.operatorController.deployment.podAnnotations }} + {{- with .Values.options.operatorController.deployment.podAnnotations }} {{- toYamlPretty . | nindent 8 }} {{- end }} labels: app.kubernetes.io/name: operator-controller control-plane: operator-controller-controller-manager {{- include "olmv1.labels" . | nindent 8 }} - {{- with .Values.components.operatorController.deployment.podLabels }} + {{- with .Values.options.operatorController.deployment.podLabels }} {{- toYamlPretty . | nindent 8 }} {{- end }} spec: 
@@ -35,35 +35,35 @@ spec: - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8443 - {{- if not .Values.tilt.enabled }} + {{- if not .Values.options.tilt.enabled }} - --leader-elect {{- end }} {{- range .Values.operatorControllerFeatures }} - --feature-gates={{- . -}}=true {{- end }} - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - --catalogd-cas-dir=/var/ca-certs - --pull-cas-dir=/var/ca-certs - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key {{- end }} - {{- with .Values.components.operatorController.deployment.podArguments }} + {{- with .Values.options.operatorController.deployment.podArguments }} {{- toYamlPretty . | nindent 12 }} {{- end }} command: - /operator-controller - {{- if or .Values.components.e2e.enabled .Values.components.operatorController.deployment.env }} + {{- if or .Values.options.e2e.enabled .Values.options.operatorController.deployment.env }} env: {{- end }} - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - {{- with .Values.components.operatorController.deployment.env }} + {{- with .Values.options.operatorController.deployment.env }} {{- toYamlPretty . | nindent 12 }} {{- end }} - image: "{{ .Values.components.operatorController.deployment.image }}" - {{- if not .Values.tilt.enabled }} + image: "{{ .Values.options.operatorController.deployment.image }}" + {{- if not .Values.options.tilt.enabled }} livenessProbe: httpGet: path: /healthz @@ -72,7 +72,7 @@ spec: periodSeconds: 20 {{- end }} name: manager - {{- if not .Values.tilt.enabled }} + {{- if not .Values.options.tilt.enabled }} readinessProbe: httpGet: path: /readyz @@ -85,7 +85,7 @@ spec: cpu: 10m memory: 64Mi volumeMounts: - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - mountPath: /etc/containers name: e2e-registries-conf - mountPath: /e2e-coverage 
@@ -95,7 +95,7 @@ spec: name: cache - mountPath: /tmp name: tmp - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - mountPath: /var/certs name: operator-controller-certs readOnly: true @@ -103,7 +103,7 @@ spec: name: ca-certs readOnly: true {{- end }} - {{- with .Values.components.operatorController.deployment.volumeMounts }} + {{- with .Values.options.operatorController.deployment.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.deployments.containerSpec }} @@ -111,7 +111,7 @@ spec: {{- end }} serviceAccountName: operator-controller-controller-manager volumes: - {{- if .Values.components.e2e.enabled }} + {{- if .Values.options.e2e.enabled }} - configMap: name: e2e-registries-conf name: e2e-registries-conf @@ -123,7 +123,7 @@ spec: name: cache - emptyDir: {} name: tmp - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} - name: operator-controller-certs secret: items: @@ -141,7 +141,7 @@ spec: optional: false secretName: operator-controller-cert {{- end }} - {{- with .Values.components.operatorController.deployment.volumes }} + {{- with .Values.options.operatorController.deployment.volumes }} {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.deployments.templateSpec }} diff --git a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml index 6412afa20..7b3c2396a 100644 --- a/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml +++ b/helm/olmv1/templates/31-certificate-cert-manager-olmv1-ca.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.certManager.enabled }} +{{- if .Values.options.certManager.enabled }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml index 1b2bc9132..7c6311eed 100644 
--- a/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml +++ b/helm/olmv1/templates/32-certificate-olmv1-system-catalogd-service-cert.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.certManager.enabled }} +{{- if .Values.options.certManager.enabled }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml index 33284d018..2ac837193 100644 --- a/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml +++ b/helm/olmv1/templates/33-certificate-olmv1-system-operator-controller-cert.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.certManager.enabled }} +{{- if .Values.options.certManager.enabled }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml index f0fb86161..57573095f 100644 --- a/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml +++ b/helm/olmv1/templates/34-clusterissuer-olmv1-ca.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.certManager.enabled }} +{{- if .Values.options.certManager.enabled }} apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: diff --git a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml index d458ce83e..283e62c26 100644 --- a/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml +++ b/helm/olmv1/templates/35-issuer-cert-manager-self-sign-issuer.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.certManager.enabled }} +{{- if .Values.options.certManager.enabled }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: 
diff --git a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml index 43e48a2b5..9c63ab376 100644 --- a/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/36-networkpolicy-olmv1-system-catalogd-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml index f0f3bcbea..e91a7e55d 100644 --- a/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/38-networkpolicy-olmv1-system-operator-controller-controller-manager.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.operatorController.enabled }} +{{- if .Values.options.operatorController.enabled }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml index f792a8acb..fa4b11aca 100644 --- a/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml +++ b/helm/olmv1/templates/39-pod-olmv1-system-e2e-coverage-copy-pod.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.e2e.enabled }} +{{- if .Values.options.e2e.enabled }} apiVersion: v1 kind: Pod metadata: diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index e4520189b..20bf61f33 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml 
+++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -1,4 +1,4 @@ -{{- if .Values.components.catalogd.enabled }} +{{- if .Values.options.catalogd.enabled }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -7,10 +7,10 @@ metadata: app.kubernetes.io/name: catalogd {{- include "olmv1.labels" . | nindent 4 }} annotations: - {{- if .Values.components.certManager.enabled }} + {{- if .Values.options.certManager.enabled }} cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca {{- end }} - {{- with .Values.components.catalogd.webhook.annotations }} + {{- with .Values.options.catalogd.webhook.annotations }} {{- toYamlPretty . | nindent 4 }} {{- end }} {{- include "olmv1.annotations" . | nindent 4 }} diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 8657fbf1d..e326ce0a2 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -16,9 +16,9 @@ Create chart name and version as used by the chart label. Return the name of the active component for a prefix, but _only_ if one is enabled */}} {{- define "component.name.prefix" -}} -{{- if and (.Values.components.operatorController.enabled) (not .Values.components.catalogd.enabled) -}} +{{- if and (.Values.options.operatorController.enabled) (not .Values.options.catalogd.enabled) -}} operator-controller- -{{- else if and (not .Values.components.operatorController.enabled) (.Values.components.catalogd.enabled) -}} +{{- else if and (not .Values.options.operatorController.enabled) (.Values.options.catalogd.enabled) -}} catalogd- {{- end -}} {{- end -}} 
@@ -34,7 +34,7 @@ app.kubernetes.io/part-of: olm Common annoations */}} {{- define "olmv1.annotations" -}} -olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.components.e2e.enabled -}}-e2e{{- end -}} +olm.operatorframework.io/feature-set: {{ .Values.options.featureSet -}}{{- if .Values.options.e2e.enabled -}}-e2e{{- end -}} {{- end }} {{/* @@ -42,13 +42,13 @@ Insertion of additional rules for RBAC */}} {{- define "olmv1.catalogd.clusterRole.rules" -}} -{{- with .Values.components.catalogd.clusterRole.rules }} +{{- with .Values.options.catalogd.clusterRole.rules }} {{- toYamlPretty . }} {{- end }} {{- end }} {{- define "olmv1.operatorController.clusterRole.rules" -}} -{{- with .Values.components.operatorController.clusterRole.rules }} +{{- with .Values.options.operatorController.clusterRole.rules }} {{- toYamlPretty . }} {{- end }} {{- end }} @@ -57,9 +57,9 @@ Insertion of additional rules for RBAC Returns "operator-controller", "catalogd" or "olmv1" depending on enabled components */}} {{- define "olmv1.label.name" -}} -{{- if (and .Values.components.operatorController.enabled (not .Values.components.catalogd.enabled)) -}} +{{- if (and .Values.options.operatorController.enabled (not .Values.options.catalogd.enabled)) -}} operator-controller -{{- else if (and (not .Values.components.operatorController.enabled) .Values.components.catalogd.enabled) -}} +{{- else if (and (not .Values.options.operatorController.enabled) .Values.options.catalogd.enabled) -}} catalogd {{- else -}} olmv1 diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index c63a483f0..45b10cded 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # List of components to include -components: +options: operatorController: enabled: true deployment: 
@@ -40,16 +40,14 @@ components: enabled: false e2e: enabled: false - - -tilt: - enabled: false + tilt: + enabled: false + featureSet: standard operatorControllerFeatures: [] catalogdFeatures: [] # This can be one of: standard or experimental -featureSet: standard # The set of namespaces namespaces: diff --git a/helm/tilt.yaml b/helm/tilt.yaml index a28911e1a..e9856a1ad 100644 --- a/helm/tilt.yaml +++ b/helm/tilt.yaml @@ -2,8 +2,10 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -tilt: - enabled: true +options: + tilt: + enabled: true + featureSet: experimental operatorControllerFeatures: - WebhookProviderCertManager @@ -13,6 +15,3 @@ operatorControllerFeatures: catalogdFeatures: - APIV1MetasHandler - -# This can be one of: standard or experimental -featureSet: experimental From 6352532cdc2bca20048b9f51f3cfc093a3568cdc Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 31 Jul 2025 08:52:04 -0400 Subject: [PATCH 51/55] WIP: Add comment to tilt.yaml Signed-off-by: Todd Short --- helm/tilt.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm/tilt.yaml b/helm/tilt.yaml index e9856a1ad..f72d2b8e4 100644 --- a/helm/tilt.yaml +++ b/helm/tilt.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Tilt is an exeption to the multi-values case, +# as the Tilt runner only accepts a single values fle + options: tilt: enabled: true From dadb202dd19d13f08e78263f4b4e45bb817acf6d Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 31 Jul 2025 16:37:14 -0400 Subject: [PATCH 52/55] WIP: Add openshift resources 
Signed-off-by: Todd Short --- helm/olmv1/templates/_helpers.tpl | 12 ++++++- .../olmv1/templates/metrics_monitor_role.yaml | 25 ++++++++++++++ .../metrics_monitor_rolebinding.yaml | 22 +++++++++++++ .../metrics_monitor_servicemonitor.yaml | 33 +++++++++++++++++++ .../openshift-certified-operators.yaml | 13 ++++++++ .../openshift-community-operators.yaml | 13 ++++++++ .../openshift-config_manager_role.yaml | 24 ++++++++++++++ .../openshift-config_manager_rolebinding.yaml | 22 +++++++++++++ .../openshift-redhat-marketplace.yaml | 13 ++++++++ .../templates/openshift-redhat-operators.yaml | 13 ++++++++ .../olmv1/templates/trusted_ca_configmap.yaml | 15 +++++++++ helm/olmv1/values.yaml | 2 ++ 12 files changed, 206 insertions(+), 1 deletion(-) create mode 100644 helm/olmv1/templates/metrics_monitor_role.yaml create mode 100644 helm/olmv1/templates/metrics_monitor_rolebinding.yaml create mode 100644 helm/olmv1/templates/metrics_monitor_servicemonitor.yaml create mode 100644 helm/olmv1/templates/openshift-certified-operators.yaml create mode 100644 helm/olmv1/templates/openshift-community-operators.yaml create mode 100644 helm/olmv1/templates/openshift-config_manager_role.yaml create mode 100644 helm/olmv1/templates/openshift-config_manager_rolebinding.yaml create mode 100644 helm/olmv1/templates/openshift-redhat-marketplace.yaml create mode 100644 helm/olmv1/templates/openshift-redhat-operators.yaml create mode 100644 helm/olmv1/templates/trusted_ca_configmap.yaml diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index e326ce0a2..488a41af9 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl 
@@ -64,4 +64,14 @@ catalogd {{- else -}} olmv1 {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* +When rendering with OpenShift, only one of the main components (catalogd, operatorController) +should be enabled +*/}} +{{- if .Values.options.openshift.enabled -}} +{{- if and .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +{{- fail "When rendering Openshift, only one of {catalogd, operatorController} should also be enabled" -}} +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/metrics_monitor_role.yaml b/helm/olmv1/templates/metrics_monitor_role.yaml new file mode 100644 index 000000000..0a452d6b9 --- /dev/null +++ b/helm/olmv1/templates/metrics_monitor_role.yaml @@ -0,0 +1,25 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-metrics-monitor-role + namespace: {{ .Values.namespaces.olmv1.name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/templates/metrics_monitor_rolebinding.yaml b/helm/olmv1/templates/metrics_monitor_rolebinding.yaml new file mode 100644 index 000000000..18ec318a2 --- /dev/null +++ b/helm/olmv1/templates/metrics_monitor_rolebinding.yaml 
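Review bot: The `fail` guard added at the end of `_helpers.tpl` sits outside any `define`, and Helm does not render files whose names begin with an underscore, so the check most likely never runs. With `options.openshift.enabled` and both components enabled, `olmv1.label.name` falls through to `olmv1`, so the OpenShift resources added in this patch would be named `olmv1-…` instead of after a component. Wrapping the check in a named template, e.g. `{{- define "olmv1.validate" -}}` … `{{- end -}}`, and calling `{{- include "olmv1.validate" . -}}` from a rendered manifest such as `00-namespace.yml` would make it effective. The template name is only a suggestion.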
@@ -0,0 +1,22 @@
+{{- if .Values.options.openshift.enabled -}}
+{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
+ {{- include "olmv1.labels" . | nindent 4 }}
+ name: {{ include "olmv1.label.name" . -}}-metrics-monitor-rolebinding
+ namespace: {{ .Values.namespaces.olmv1.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "olmv1.label.name" . -}}-metrics-monitor-role
+subjects:
+ - kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-monitoring
+{{- end -}}
+{{- end -}}
diff --git a/helm/olmv1/templates/metrics_monitor_servicemonitor.yaml b/helm/olmv1/templates/metrics_monitor_servicemonitor.yaml
new file mode 100644
index 000000000..a5bb357c3
--- /dev/null
+++ b/helm/olmv1/templates/metrics_monitor_servicemonitor.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.options.openshift.enabled -}}
+{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ openshift.io/cluster-monitoring: 'true'
+ app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
+ {{- include "olmv1.labels" . | nindent 4 }}
+ name: {{ include "olmv1.label.name" . -}}-metrics-monitor
+ namespace: {{ .Values.namespaces.olmv1.name }}
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ path: /metrics
+ port: metrics
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ certFile: /etc/prometheus/secrets/metrics-client-certs/tls.crt
+ keyFile: /etc/prometheus/secrets/metrics-client-certs/tls.key
+ serverName: {{ include "olmv1.label.name" . -}}-service.{{ .Values.namespaces.olmv1.name }}.svc
+ namespaceSelector:
+ matchNames:
+ - {{ .Values.namespaces.olmv1.name }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-certified-operators.yaml b/helm/olmv1/templates/openshift-certified-operators.yaml
new file mode 100644
index 000000000..b62aa9a10
--- /dev/null
+++ b/helm/olmv1/templates/openshift-certified-operators.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}}
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterCatalog
+metadata:
+ name: openshift-certified-operators
+spec:
+ priority: -200
+ source:
+ type: Image
+ image:
+ pollIntervalMinutes: 10
+ ref: registry.redhat.io/redhat/certified-operator-index:v4.19
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-community-operators.yaml b/helm/olmv1/templates/openshift-community-operators.yaml
new file mode 100644
index 000000000..61cc8ff54
--- /dev/null
+++ b/helm/olmv1/templates/openshift-community-operators.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}}
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterCatalog
+metadata:
+ name: openshift-community-operators
+spec:
+ priority: -400
+ source:
+ type: Image
+ image:
+ pollIntervalMinutes: 10
+ ref: registry.redhat.io/redhat/community-operator-index:v4.19
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-config_manager_role.yaml b/helm/olmv1/templates/openshift-config_manager_role.yaml
new file mode 100644
index 000000000..6557cba1f
--- /dev/null
+++ b/helm/olmv1/templates/openshift-config_manager_role.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.options.openshift.enabled -}}
+{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}}
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
+ {{- include "olmv1.labels" . | nindent 4 }}
+ name: {{ include "olmv1.label.name" . -}}-manager-role
+ namespace: openshift-config
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-config_manager_rolebinding.yaml b/helm/olmv1/templates/openshift-config_manager_rolebinding.yaml
new file mode 100644
index 000000000..2209f5c57
--- /dev/null
+++ b/helm/olmv1/templates/openshift-config_manager_rolebinding.yaml
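Review bot: The header comment in `openshift-config_manager_role.yaml` reads `# permissions to do leader election.`, but the rules grant `get`, `list` and `watch` on every Secret in the `openshift-config` namespace. The comment should state the real purpose, for example `# read access to Secrets in openshift-config (global pull secret)`, if that is the intent. A later patch in this series passes only `--global-pull-secret=openshift-config/pull-secret`, so it is worth checking whether `resourceNames: [pull-secret]` can be added to the rule. Whether that works depends on the controllers watching the Secret by name, which is not visible here.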
@@ -0,0 +1,22 @@
+{{- if .Values.options.openshift.enabled -}}
+{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ {{- include "olmv1.annotations" . | nindent 4 }}
+ labels:
+ app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
+ {{- include "olmv1.labels" . | nindent 4 }}
+ name: {{ include "olmv1.label.name" . -}}-manager-rolebinding
+ namespace: openshift-config
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "olmv1.label.name" . -}}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "olmv1.label.name" . -}}-controller-manager
+ namespace: {{ .Values.namespaces.olmv1.name }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-redhat-marketplace.yaml b/helm/olmv1/templates/openshift-redhat-marketplace.yaml
new file mode 100644
index 000000000..7d50ed5a8
--- /dev/null
+++ b/helm/olmv1/templates/openshift-redhat-marketplace.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}}
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterCatalog
+metadata:
+ name: openshift-redhat-marketplace
+spec:
+ priority: -300
+ source:
+ type: Image
+ image:
+ pollIntervalMinutes: 10
+ ref: registry.redhat.io/redhat/redhat-marketplace-index:v4.19
+{{- end -}}
diff --git a/helm/olmv1/templates/openshift-redhat-operators.yaml b/helm/olmv1/templates/openshift-redhat-operators.yaml
new file mode 100644
index 000000000..a9805e500
--- /dev/null
+++ b/helm/olmv1/templates/openshift-redhat-operators.yaml
@@ -0,0 +1,13 @@ +{{- if and .Values.options.openshift.enabled .Values.options.catalogd.enabled -}} +apiVersion: olm.operatorframework.io/v1 +kind: ClusterCatalog +metadata: + name: openshift-redhat-operators +spec: + priority: -100 + source: + type: Image + image: + pollIntervalMinutes: 10 + ref: registry.redhat.io/redhat/redhat-operator-index:v4.19 +{{- end -}} diff --git a/helm/olmv1/templates/trusted_ca_configmap.yaml b/helm/olmv1/templates/trusted_ca_configmap.yaml new file mode 100644 index 000000000..b5fcf9313 --- /dev/null +++ b/helm/olmv1/templates/trusted_ca_configmap.yaml @@ -0,0 +1,15 @@ +{{- if .Values.options.openshift.enabled -}} +{{- if or .Values.options.catalogd.enabled .Values.options.operatorController.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + {{- include "olmv1.annotations" . | nindent 4 }} + labels: + config.openshift.io/inject-trusted-cabundle: "true" + app.kubernetes.io/name: {{ include "olmv1.label.name" . }} + {{- include "olmv1.labels" . | nindent 4 }} + name: {{ include "olmv1.label.name" . -}}-trusted-ca-bundle + namespace: {{ .Values.namespaces.olmv1.name }} +{{- end -}} +{{- end -}} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 45b10cded..6732a3e96 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml @@ -42,6 +42,8 @@ options: enabled: false tilt: enabled: false + openshift: + enabled: false featureSet: standard operatorControllerFeatures: [] From c002f114acc84d7065eb88356f6206d5564bafc3 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 1 Aug 2025 13:54:17 -0400 Subject: [PATCH 53/55] WIP: Integrate openshift resources 
Signed-off-by: Todd Short --- helm/olmv1/templates/00-namespace.yml | 16 ++-- .../09-clusterrole-catalogd-manager-role.yml | 11 ++- ...rrole-operator-controller-manager-role.yml | 11 ++- ...-service-olmv1-system-catalogd-service.yml | 4 +- ...mv1-system-operator-controller-service.yml | 4 +- ...mv1-system-catalogd-controller-manager.yml | 83 ++++++++++++++----- ...operator-controller-controller-manager.yml | 78 +++++++++++++---- ...atalogd-mutating-webhook-configuration.yml | 4 +- helm/olmv1/templates/_helpers.tpl | 12 --- helm/olmv1/values.yaml | 31 +------ manifests/experimental-e2e.yaml | 4 +- manifests/experimental.yaml | 4 +- manifests/standard-e2e.yaml | 4 +- manifests/standard.yaml | 4 +- 14 files changed, 167 insertions(+), 103 deletions(-) diff --git a/helm/olmv1/templates/00-namespace.yml b/helm/olmv1/templates/00-namespace.yml index d009d2474..4624909d9 100644 --- a/helm/olmv1/templates/00-namespace.yml +++ b/helm/olmv1/templates/00-namespace.yml 
@@ -4,19 +4,21 @@ kind: Namespace metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - {{- with .Values.namespaces.olmv1.annotations }} - {{- toYamlPretty . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + openshift.io/node-selector: "" + workload.openshift.io/allowed: management {{- end }} labels: + {{- $psProfile := ternary "privileged" "restricted" .Values.options.openshift.enabled }} app.kubernetes.io/name: {{ include "olmv1.label.name" . }} - pod-security.kubernetes.io/audit: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/audit: {{ $psProfile }} pod-security.kubernetes.io/audit-version: latest - pod-security.kubernetes.io/enforce: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/enforce: {{ $psProfile }} pod-security.kubernetes.io/enforce-version: latest - pod-security.kubernetes.io/warn: {{ .Values.namespaces.olmv1.podSecurityProfile }} + pod-security.kubernetes.io/warn: {{ $psProfile }} pod-security.kubernetes.io/warn-version: latest {{- include "olmv1.labels" . | nindent 4 }} - {{- with .Values.namespaces.olmv1.labels }} - {{- toYamlPretty . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + openshift.io/cluster-monitoring: "true" {{- end }} name: {{ .Values.namespaces.olmv1.name }} diff --git a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml index 4d033c402..fe43d1966 100644 --- a/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml +++ b/helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml @@ -35,5 +35,14 @@ rules: - get - patch - update - {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }} + {{- if .Values.options.openshift.enabled }} + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use + {{- end }} {{- end }} 
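Review bot: With `options.openshift.enabled` the `$psProfile` ternary in `00-namespace.yml` sets `enforce`, `audit` and `warn` all to `privileged`, which leaves Pod Security admission with nothing to report for this namespace. If `enforce` has to be relaxed for the hostPath mounts added later in this patch, `audit` and `warn` could stay at `restricted` so violations still surface, e.g. `pod-security.kubernetes.io/warn: restricted`. The hunk also removes `.Values.namespaces.olmv1.podSecurityProfile`, so a short template comment above the ternary explaining why the profile is no longer configurable would help the next reader.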
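Review bot: The rule added to `09-clusterrole-catalogd-manager-role.yml` grants `use` on the `privileged` SecurityContextConstraints without saying why, and the same rule is added to `14-clusterrole-operator-controller-manager-role.yml`. From the rest of this patch the pods appear to need only read-only hostPath mounts of `/etc/containers` and `/etc/docker`, which is much less than `privileged` permits. A comment on the rule stating why `privileged` is required, or a narrower SCC that allows only those hostPath volumes, would keep the grant reviewable. The `rules:` list begins outside this hunk, so the full set of permissions is not visible here.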
diff --git a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml index ab5cb847f..dba3587ae 100644 --- a/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml +++ b/helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml @@ -62,5 +62,14 @@ rules: verbs: - list - watch - {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }} + {{- if .Values.options.openshift.enabled }} + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - privileged + verbs: + - use + {{- end }} {{- end }} diff --git a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml index 110f9d1be..eca959399 100644 --- a/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml +++ b/helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml @@ -4,8 +4,8 @@ kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - {{- with .Values.options.catalogd.service.annotations }} - {{- toYaml . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: catalogserver-cert {{- end }} labels: app.kubernetes.io/name: catalogd diff --git a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml index 2d985da22..20df4bf3d 100644 --- a/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml +++ b/helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml 
@@ -4,8 +4,8 @@ kind: Service metadata: annotations: {{- include "olmv1.annotations" . | nindent 4 }} - {{- with .Values.options.operatorController.service.annotations }} - {{- toYaml . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert {{- end }} labels: app.kubernetes.io/name: operator-controller diff --git a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml index 35473e6d7..fba0b73c1 100644 --- a/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml +++ b/helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml @@ -21,8 +21,9 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} - {{- with .Values.options.catalogd.deployment.podAnnotations }} - {{- toYamlPretty . | nindent 8 }} + {{- if .Values.options.openshift.enabled }} + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: privileged {{- end }} labels: app.kubernetes.io/name: catalogd 
@@ -46,23 +47,27 @@ spec: - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - --pull-cas-dir=/var/ca-certs - {{- end }} - {{- with .Values.options.catalogd.deployment.podArguments }} - {{- toYaml . | nindent 12 }} + {{- else if .Values.options.openshift.enabled }} + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --v=${LOG_VERBOSITY} + - --global-pull-secret=openshift-config/pull-secret {{- end }} command: - ./catalogd - {{- if or .Values.options.e2e.enabled .Values.options.catalogd.deployment.env }} + {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }} env: - {{- end }} {{- if .Values.options.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - {{- with .Values.options.catalogd.deployment.env }} - {{- toYamlPretty . | nindent 12 }} + {{- with .Values.options.openshift.enabled }} + - name: SSL_CERT_DIR + value: /var/ca-certs + {{- end }} {{- end }} image: "{{ .Values.options.catalogd.deployment.image }}" + name: manager {{- if not .Values.options.tilt.enabled }} livenessProbe: httpGet: @@ -70,9 +75,6 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - {{- end }} - name: manager - {{- if not .Values.options.tilt.enabled }} readinessProbe: httpGet: path: /readyz 
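Review bot: `- --v=${LOG_VERBOSITY}` in the OpenShift branch of the args is not a form Kubernetes expands (only `$(VAR)` is), and the `env:` entries visible in this hunk define no `LOG_VERBOSITY`. Unless an external tool substitutes the placeholder after rendering, the flag receives the literal string. If downstream substitution is expected, a template comment such as `{{/* ${LOG_VERBOSITY} is replaced after rendering */}}` would say so; otherwise use `$(LOG_VERBOSITY)` with a matching env entry. The `SSL_CERT_DIR` entry is guarded by `{{- with .Values.options.openshift.enabled }}` here but by `{{- if … }}` in the operator-controller deployment, and `if` is the clearer choice for a boolean. The same `--v=${LOG_VERBOSITY}` argument is added in `30-deployment-olmv1-system-operator-controller-controller-manager.yml`.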
@@ -99,13 +101,22 @@ spec: - mountPath: /var/ca-certs name: ca-certs readOnly: true + {{- else if .Values.options.openshift.enabled }} + - mountPath: /var/certs + name: catalogserver-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + - mountPath: /etc/containers + name: etc-containers + readOnly: true + - mountPath: /etc/docker + name: etc-docker + readOnly: true {{- end }} - {{- with .Values.options.catalogd.deployment.volumeMounts }} - {{- toYamlPretty . | nindent 12 }} - {{- end }} - {{- with .Values.deployments.containerSpec }} - {{- toYamlPretty . | nindent 10 }} - {{- end }} + {{- with .Values.deployments.containerSpec }} + {{- toYamlPretty . | nindent 10 }} + {{- end }} serviceAccountName: catalogd-controller-manager volumes: {{- if .Values.options.e2e.enabled }} @@ -134,9 +145,39 @@ spec: path: olm-ca.crt optional: false secretName: catalogd-service-cert-git-version - {{- end }} - {{- with .Values.options.catalogd.deployment.volumes }} - {{- toYaml . | nindent 8 }} + {{- else if .Values.options.openshift.enabled }} + - name: catalogserver-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: catalogserver-cert + - name: ca-certs + projected: + sources: + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: catalogd-trusted-ca-bundle + optional: false + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + - hostPath: + path: /etc/containers + type: Directory + name: etc-containers + - hostPath: + path: /etc/docker + type: Directory + name: etc-docker {{- end }} {{- with .Values.deployments.templateSpec }} {{- toYamlPretty . | nindent 6 }} diff --git a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml index 50adcd774..c3e0730ac 100644 
--- a/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml +++ b/helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml @@ -20,8 +20,9 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager {{- include "olmv1.annotations" . | nindent 8 }} - {{- with .Values.options.operatorController.deployment.podAnnotations }} - {{- toYamlPretty . | nindent 8 }} + {{- if .Values.options.openshift.enabled }} + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: privileged {{- end }} labels: app.kubernetes.io/name: operator-controller @@ -46,23 +47,28 @@ spec: - --pull-cas-dir=/var/ca-certs - --tls-cert=/var/certs/tls.crt - --tls-key=/var/certs/tls.key - {{- end }} - {{- with .Values.options.operatorController.deployment.podArguments }} - {{- toYamlPretty . | nindent 12 }} + {{- else if .Values.options.openshift.enabled }} + - --tls-cert=/var/certs/tls.crt + - --tls-key=/var/certs/tls.key + - --catalogd-cas-dir=/var/ca-certs + - --v=${LOG_VERBOSITY} + - --global-pull-secret=openshift-config/pull-secret {{- end }} command: - /operator-controller - {{- if or .Values.options.e2e.enabled .Values.options.operatorController.deployment.env }} + {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }} env: - {{- end }} {{- if .Values.options.e2e.enabled }} - name: GOCOVERDIR value: /e2e-coverage {{- end }} - {{- with .Values.options.operatorController.deployment.env }} - {{- toYamlPretty . | nindent 12 }} + {{- if .Values.options.openshift.enabled }} + - name: SSL_CERT_DIR + value: /var/ca-certs + {{- end }} {{- end }} image: "{{ .Values.options.operatorController.deployment.image }}" + name: manager {{- if not .Values.options.tilt.enabled }} livenessProbe: httpGet: 
@@ -70,9 +76,6 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - {{- end }} - name: manager - {{- if not .Values.options.tilt.enabled }} readinessProbe: httpGet: path: /readyz @@ -102,9 +105,18 @@ spec: - mountPath: /var/ca-certs name: ca-certs readOnly: true - {{- end }} - {{- with .Values.options.operatorController.deployment.volumeMounts }} - {{- toYaml . | nindent 12 }} + {{- else if .Values.options.openshift.enabled }} + - mountPath: /var/certs + name: operator-controller-certs + - mountPath: /var/ca-certs + name: ca-certs + readOnly: true + - mountPath: /etc/containers + name: etc-containers + readOnly: true + - mountPath: /etc/docker + name: etc-docker + readOnly: true {{- end }} {{- with .Values.deployments.containerSpec }} {{- toYaml . | nindent 10 }} @@ -140,9 +152,39 @@ spec: path: olm-ca.crt optional: false secretName: operator-controller-cert - {{- end }} - {{- with .Values.options.operatorController.deployment.volumes }} - {{- toYaml . | nindent 8 }} + {{- else if .Values.options.openshift.enabled }} + - name: operator-controller-certs + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: operator-controller-cert + - name: ca-certs + projected: + sources: + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: operator-controller-trusted-ca-bundle + optional: false + - configMap: + items: + - key: service-ca.crt + path: service-ca.crt + name: openshift-service-ca.crt + optional: false + - hostPath: + path: /etc/containers + type: Directory + name: etc-containers + - hostPath: + path: /etc/docker + type: Directory + name: etc-docker {{- end }} {{- with .Values.deployments.templateSpec }} {{- toYamlPretty . | nindent 6 }} 
diff --git a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml index 20bf61f33..95077c9ff 100644 --- a/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml +++ b/helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml @@ -10,8 +10,8 @@ metadata: {{- if .Values.options.certManager.enabled }} cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca {{- end }} - {{- with .Values.options.catalogd.webhook.annotations }} - {{- toYamlPretty . | nindent 4 }} + {{- if .Values.options.openshift.enabled }} + service.beta.openshift.io/inject-cabundle: "true" {{- end }} {{- include "olmv1.annotations" . | nindent 4 }} webhooks: diff --git a/helm/olmv1/templates/_helpers.tpl b/helm/olmv1/templates/_helpers.tpl index 488a41af9..89cb39893 100644 --- a/helm/olmv1/templates/_helpers.tpl +++ b/helm/olmv1/templates/_helpers.tpl @@ -41,18 +41,6 @@ olm.operatorframework.io/feature-set: {{ .Values.options.featureSet -}}{{- if .V Insertion of additional rules for RBAC */}} -{{- define "olmv1.catalogd.clusterRole.rules" -}} -{{- with .Values.options.catalogd.clusterRole.rules }} -{{- toYamlPretty . }} -{{- end }} -{{- end }} - -{{- define "olmv1.operatorController.clusterRole.rules" -}} -{{- with .Values.options.operatorController.clusterRole.rules }} -{{- toYamlPretty . }} -{{- end }} -{{- end }} - {{/* Returns "operator-controller", "catalogd" or "olmv1" depending on enabled components */}} diff --git a/helm/olmv1/values.yaml b/helm/olmv1/values.yaml index 6732a3e96..e896f2530 100644 --- a/helm/olmv1/values.yaml +++ b/helm/olmv1/values.yaml 
@@ -8,34 +8,10 @@ options: enabled: true deployment: image: quay.io/operator-framework/operator-controller:devel - volumeMounts: [] - volumes: [] - podArguments: [] - podLabels: {} - podAnnotations: {} - env: [] - service: - annotations: {} - clusterRole: - rules: [] - role: - rules: [] catalogd: enabled: true deployment: image: quay.io/operator-framework/catalogd:devel - volumeMounts: [] - volumes: [] - podArguments: [] - podLabels: {} - podAnnotations: {} - env: [] - service: - annotations: {} - clusterRole: - rules: [] - webhook: - annotations: {} certManager: enabled: false e2e: @@ -44,20 +20,17 @@ options: enabled: false openshift: enabled: false + # This can be one of: standard or experimental featureSet: standard operatorControllerFeatures: [] catalogdFeatures: [] - -# This can be one of: standard or experimental + # The set of namespaces namespaces: olmv1: name: olmv1-system - podSecurityProfile: restricted - labels: {} - annotations: {} certManager: name: cert-manager diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 64d5df09c..6a73e3104 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -1781,13 +1781,13 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/catalogd:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz @@ -1926,13 +1926,13 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/operator-controller:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index d8ea692db..86bd7054c 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml 
@@ -1703,13 +1703,13 @@ spec: command: - ./catalogd image: "quay.io/operator-framework/catalogd:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz @@ -1840,13 +1840,13 @@ spec: command: - /operator-controller image: "quay.io/operator-framework/operator-controller:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index c9594feec..b77dcf0f5 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -1780,13 +1780,13 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/catalogd:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz @@ -1921,13 +1921,13 @@ spec: - name: GOCOVERDIR value: /e2e-coverage image: "quay.io/operator-framework/operator-controller:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz diff --git a/manifests/standard.yaml b/manifests/standard.yaml index 16bdab544..baeed9ca4 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -1702,13 +1702,13 @@ spec: command: - ./catalogd image: "quay.io/operator-framework/catalogd:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz 
@@ -1835,13 +1835,13 @@ spec: command: - /operator-controller image: "quay.io/operator-framework/operator-controller:devel" + name: manager livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager readinessProbe: httpGet: path: /readyz From 48519d305204453554f41ae5359faf85facc75a8 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 1 Aug 2025 14:36:38 -0400 Subject: [PATCH 54/55] WIP: remove CRD patching Signed-off-by: Todd Short --- Makefile | 2 -- hack/tools/patch-base-for-helm.sh | 28 ---------------------------- 2 files changed, 30 deletions(-) delete mode 100755 hack/tools/patch-base-for-helm.sh diff --git a/Makefile b/Makefile index 139adfbe1..f32272427 100644 --- a/Makefile +++ b/Makefile @@ -149,8 +149,6 @@ KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. # Generate CRDs via our own generator hack/tools/update-crds.sh - # Update base config to include helm templates - ./hack/tools/patch-base-for-helm.sh # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) $(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml > $(STANDARD_MANIFEST) diff --git a/hack/tools/patch-base-for-helm.sh b/hack/tools/patch-base-for-helm.sh deleted file mode 100755 index dd62e2c8e..000000000 --- a/hack/tools/patch-base-for-helm.sh +++ /dev/null 
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# This script patches the kubebuilder generated files to make them ready for helm
-# The patching is done via a combination of `yq` to add valid YAML to the appropriate location
-# and then `sed` is used to replace some text with Helm templating.
-# This can't be done in one step because `yq` (or `kustomize` for that matter) can't manipulate
-# YAML once helm templating has been added.
-
-# Patch catalogd rbac
-
-# Patch everything generically
-filelist=(
- helm/olmv1/base/catalogd/crd/experimental/*.yaml
- helm/olmv1/base/catalogd/crd/standard/*.yaml
- helm/olmv1/base/operator-controller/crd/experimental/*.yaml
- helm/olmv1/base/operator-controller/crd/standard/*.yaml
-)
-
-for f in "${filelist[@]}"; do
- # Patch in the temporary items
- yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}"
- yq -i '.metadata.labels.replaceMe = "labels"' "${f}"
- # Replace with helm template - must be done last or yq will complain about the file format
- sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}"
- sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}"
- # Delete sed's backup file
- rm -f "${f}.bak"
-done
From 5ae6a5238168c138161e092288b287e6e7b6ee9b Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Fri, 1 Aug 2025 14:41:44 -0400
Subject: [PATCH 55/55] WIP: Update manifests
Signed-off-by: Todd Short
---
 ....operatorframework.io_clustercatalogs.yaml | 737 ++++---
 ....operatorframework.io_clustercatalogs.yaml | 737 ++++---
 ...peratorframework.io_clusterextensions.yaml | 1090 +++++-----
 ...peratorframework.io_clusterextensions.yaml | 1090 +++++-----
 manifests/experimental-e2e.yaml | 1869 +++++++++--------
 manifests/experimental.yaml | 1869 +++++++++--------
 manifests/standard-e2e.yaml | 1869 +++++++++--------
 manifests/standard.yaml | 1869 +++++++++--------
 8 files changed, 5736 insertions(+), 5394 deletions(-)
diff --git a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml index e9df20ccb..2d5722a47 100644 --- a/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml +++ b/helm/olmv1/base/catalogd/crd/experimental/olm.operatorframework.io_clustercatalogs.yaml @@ -5,10 +5,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - {{- include "olmv1.annotations" . | nindent 4 }} name: clustercatalogs.olm.operatorframework.io - labels: - {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
@@ -18,384 +15,428 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. - Allowed values are "Available" and "Unavailable" and omitted. + Allowed values are "Available" and "Unavailable" and omitted. - When omitted, the default value is "Available". + When omitted, the default value is "Available". 
- When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. 
+ A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - When omitted, the default priority is 0 because that is the zero value of integers. + When omitted, the default priority is 0 because that is the zero value of integers. - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. 
- source is a required field. + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. 
+ properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. - A reference can be broken down into 3 parts - the domain, name, and identifier. + A reference can be broken down into 3 parts - the domain, name, and identifier. - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. 
+ Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. 
- Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? 
!has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? 
self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The only allowed value is "Image". + The only allowed value is "Image". - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. 
+ When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. - The current condition types are Serving and Progressing. + The current condition types are Serving and Progressing. - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. 
+ When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. 
- items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. 
- maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. 
+ message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Image + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - image - - type + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. 
+ type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. 
+ rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - It is expected that clients append the path for the endpoint they wish - to access. + The only allowed value is "Image". - Currently, only a single endpoint is served and is accessible at the path - /api/v1. + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format + It is expected that clients append the path for the endpoint they wish + to access. - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml index fb662143c..cde14b13b 100644 --- a/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml +++ b/helm/olmv1/base/catalogd/crd/standard/olm.operatorframework.io_clustercatalogs.yaml @@ -5,10 +5,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard - {{- include "olmv1.annotations" . | nindent 4 }} name: clustercatalogs.olm.operatorframework.io - labels: - {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
@@ -18,384 +15,428 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. - Allowed values are "Available" and "Unavailable" and omitted. + Allowed values are "Available" and "Unavailable" and omitted. - When omitted, the default value is "Available". + When omitted, the default value is "Available". 
- When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. + Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. 
+ A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - When omitted, the default priority is 0 because that is the zero value of integers. + When omitted, the default priority is 0 because that is the zero value of integers. - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. - These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. 
- source is a required field. + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. + These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. 
+ properties: + pollIntervalMinutes: + description: |- + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. + When omitted, the image will not be polled for new content. + minimum: 1 + type: integer + ref: + description: |- + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. - A reference can be broken down into 3 parts - the domain, name, and identifier. + A reference can be broken down into 3 parts - the domain, name, and identifier. - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. 
+ Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. + Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. 
- Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. 
- rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? 
!has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? 
self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - The only allowed value is "Image". + The only allowed value is "Image". - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. 
+ When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. - The current condition types are Serving and Progressing. + The current condition types are Serving and Progressing. - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. - When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. 
+ When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. 
- items: - description: Condition contains details for one aspect of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. 
- maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. 
+ message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Image + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - image - - type + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: - description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. 
+ type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. 
+ rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. - It is expected that clients append the path for the endpoint they wish - to access. + The only allowed value is "Image". - Currently, only a single endpoint is served and is accessible at the path - /api/v1. + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format + It is expected that clients append the path for the endpoint they wish + to access. - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' - required: - - base - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + Currently, only a single endpoint is served and is accessible at the path + /api/v1. + + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml index 9247e26cf..162683603 100644 --- a/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml @@ -5,10 +5,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - {{- include "olmv1.annotations" . | nindent 4 }} name: clusterextensions.olm.operatorframework.io - labels: - {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
@@ -18,557 +15,576 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. 
- When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. - Allowed values are "Catalog" + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. 
+ When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml index d2d87d5df..18faa5978 100644 --- a/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml +++ b/helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml @@ -5,10 +5,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard - {{- include "olmv1.annotations" . | nindent 4 }} name: clusterextensions.olm.operatorframework.io - labels: - {{- include "olmv1.labels" . | nindent 4 }} spec: group: olm.operatorframework.io names: 
@@ -18,557 +15,576 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. - - When specified, it replaces the default preflight configuration for install/upgrade actions. 
- When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. - Allowed values are "Catalog" + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. - When using the Catalog sourceType, the catalog field must also be set. 
+ When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. + + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml index 6a73e3104..94ee70b01 100644 --- a/manifests/experimental-e2e.yaml +++ b/manifests/experimental-e2e.yaml @@ -153,10 +153,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - olm.operatorframework.io/feature-set: experimental-e2e name: clustercatalogs.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -166,387 +163,431 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". 
- - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. 
- - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. 
- When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current state of this API Resource. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. 
+ Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. 
+ These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + pollIntervalMinutes: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 type: integer - reason: + ref: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. 
+ Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. 
+ rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - ref type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. 
- rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: + observedGeneration: description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. 
- - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - base + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. 
+ rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -555,10 +596,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - olm.operatorframework.io/feature-set: experimental-e2e name: clusterextensions.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
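Review bot: The rendered ClusterExtension CRD loses its `app.kubernetes.io/part-of: olm` label and its `olm.operatorframework.io/feature-set: experimental-e2e` annotation in this hunk, while `olm.operatorframework.io/generator: experimental` stays. Anything that selects OLM objects by that label (cleanup, audit or policy selectors) would no longer match this CRD, and the manifest no longer records which feature set produced it. The `# Source: olmv1/templates/...` marker suggests this file is Helm-rendered output, so the fix presumably belongs in the chart's CRD template: keep `labels:` with `app.kubernetes.io/part-of: olm` under `metadata`, and emit the feature-set annotation from a chart value. If the removal is intentional, the commit description should say so.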
@@ -568,560 +606,579 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - Allowed values are "Catalog" + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. 
- When using the Catalog sourceType, the catalog field must also be set. + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml index 86bd7054c..817b3e792 100644 --- a/manifests/experimental.yaml +++ b/manifests/experimental.yaml @@ -118,10 +118,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - olm.operatorframework.io/feature-set: experimental name: clustercatalogs.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -131,387 +128,431 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". 
- - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. 
- - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. 
- When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current state of this API Resource. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. 
+ Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. 
+ These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + pollIntervalMinutes: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 type: integer - reason: + ref: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. 
+ Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. 
+ rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - ref type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. 
- rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: + observedGeneration: description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. 
- - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - base + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. 
+ rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -520,10 +561,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: experimental - olm.operatorframework.io/feature-set: experimental name: clusterextensions.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -533,560 +571,579 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - Allowed values are "Catalog" + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. 
- When using the Catalog sourceType, the catalog field must also be set. + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml index b77dcf0f5..211701847 100644 --- a/manifests/standard-e2e.yaml +++ b/manifests/standard-e2e.yaml @@ -153,10 +153,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard - olm.operatorframework.io/feature-set: standard-e2e name: clustercatalogs.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -166,387 +163,431 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". 
- - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. 
- - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. 
- When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current state of this API Resource. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. 
+ Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. 
+ These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + pollIntervalMinutes: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 type: integer - reason: + ref: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. 
+ Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. 
+ rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - ref type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. 
- rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: + observedGeneration: description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. 
- - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - base + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. 
+ rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest + rule: self.find('(@.*:)') != "" + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' + required: + - ref + type: object + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", information about the resolved image source will be set in the 'image' field. + enum: + - Image + type: string + required: + - image + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) + : !has(self.image)' + urls: + description: urls contains the URLs that can be used to access the + catalog. + properties: + base: + description: |- + base is a cluster-internal URL that provides endpoints for + accessing the content of the catalog. + + It is expected that clients append the path for the endpoint they wish + to access. + + Currently, only a single endpoint is served and is accessible at the path + /api/v1. 
+ + The endpoints served for the v1 API are: + - /all - this endpoint returns the entirety of the catalog contents in the FBC format + + As the needs of users and clients of the evolve, new endpoints may be added. + maxLength: 525 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: scheme must be either http or https + rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme() + == "https") : true' + required: + - base + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml apiVersion: apiextensions.k8s.io/v1 @@ -555,10 +596,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard - olm.operatorframework.io/feature-set: standard-e2e name: clusterextensions.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
@@ -568,560 +606,579 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - Allowed values are "Catalog" + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. 
- When using the Catalog sourceType, the catalog field must also be set. + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/standard.yaml b/manifests/standard.yaml index baeed9ca4..a350f2c61 100644 --- a/manifests/standard.yaml +++ b/manifests/standard.yaml @@ -118,10 +118,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.18.0 olm.operatorframework.io/generator: standard - olm.operatorframework.io/feature-set: standard name: clustercatalogs.olm.operatorframework.io - labels: - app.kubernetes.io/part-of: olm spec: group: olm.operatorframework.io names: 
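Review bot: The re-rendered ClusterCatalog CRD metadata in the `@@ -118,10 +118,7 @@` hunk of manifests/standard.yaml loses the `app.kubernetes.io/part-of: olm` label and the `olm.operatorframework.io/feature-set: standard` annotation, while `olm.operatorframework.io/generator: standard` is kept. Anything that selects OLM-owned objects by that label (inventory, cleanup, or policy scoped with a label selector) would stop matching this CRD; whether such consumers exist is not visible from this hunk. If the drop is not intended, the chart's CRD template should emit them again: `labels:` with `app.kubernetes.io/part-of: olm` under `metadata`, and `olm.operatorframework.io/feature-set: standard` under `annotations`. This file looks like rendered output, so the change belongs in the chart source rather than here.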
@@ -131,387 +128,431 @@ spec: singular: clustercatalog scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.lastUnpacked - name: LastUnpacked - type: date - - jsonPath: .status.conditions[?(@.type=="Serving")].status - name: Serving - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: |- - ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - spec is the desired state of the ClusterCatalog. - spec is required. - The controller will work to ensure that the desired - catalog is unpacked and served over the catalog content HTTP server. - properties: - availabilityMode: - default: Available - description: |- - availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. - availabilityMode is optional. - - Allowed values are "Available" and "Unavailable" and omitted. - - When omitted, the default value is "Available". 
- - When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. - Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog - and its contents as usable. - - When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. - When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. - Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want - to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. - enum: - - Unavailable - - Available - type: string - priority: - default: 0 - description: |- - priority allows the user to define a priority for a ClusterCatalog. - priority is optional. - - A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. - A higher number means higher priority. - - It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. - When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. - - When omitted, the default priority is 0 because that is the zero value of integers. - - Negative numbers can be used to specify a priority lower than the default. - Positive numbers can be used to specify a priority higher than the default. - - The lowest possible value is -2147483648. - The highest possible value is 2147483647. - format: int32 - type: integer - source: - description: |- - source allows a user to define the source of a catalog. - A "catalog" contains information on content that can be installed on a cluster. - Providing a catalog source makes the contents of the catalog discoverable and usable by - other on-cluster components. 
- These on-cluster components may do a variety of things with this information, such as - presenting the content in a GUI dashboard or installing content from the catalog on the cluster. - The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. - For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. - source is a required field. - - Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: - - source: - type: Image - image: - ref: quay.io/operatorhubio/catalog:latest - properties: - image: - description: |- - image is used to configure how catalog contents are sourced from an OCI image. - This field is required when type is Image, and forbidden otherwise. - properties: - pollIntervalMinutes: - description: |- - pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. - pollIntervalMinutes is optional. - pollIntervalMinutes can not be specified when ref is a digest-based reference. - - When omitted, the image will not be polled for new content. - minimum: 1 - type: integer - ref: - description: |- - ref allows users to define the reference to a container image containing Catalog contents. - ref is required. - ref can not be more than 1000 characters. - - A reference can be broken down into 3 parts - the domain, name, and identifier. - - The domain is typically the registry where an image is located. - It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - Hyphenation is allowed, but the domain must start and end with alphanumeric characters. - Specifying a port to use is also allowed by adding the ":" character followed by numeric values. - The port must be the last value in the domain. - Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". 
- - The name is typically the repository in the registry where an image is located. - It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - Multiple names can be concatenated with the "/" character. - The domain and name are combined using the "/" character. - Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". - An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". - - The identifier is typically the tag or digest for an image reference and is present at the end of the reference. - It starts with a separator character used to distinguish the end of the name and beginning of the identifier. - For a digest-based reference, the "@" character is the separator. - For a tag-based reference, the ":" character is the separator. - An identifier is required in the reference. - - Digest-based references must contain an algorithm reference immediately after the "@" separator. - The algorithm reference must be followed by the ":" character and an encoded string. - The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". - The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. - - Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. - The tag must not be longer than 127 characters. 
- - An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" - An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest or a tag - rule: self.find('(@.*:)') != "" || self.find(':.*$') != "" - - message: tag is invalid. the tag must not be more than 127 characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').substring(1).size() <= 127 : true) : true' - - message: tag is invalid. valid tags must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters - rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') : true) : true' - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. - rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - x-kubernetes-validations: - - message: cannot specify pollIntervalMinutes while using digest-based image - rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) : true' - type: - description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", the ClusterCatalog content will be sourced from an OCI image. - When using an image source, the image field must be set and must be the only field defined for this type. - enum: - - Image - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - required: - - source - type: object - status: - description: |- - status contains information about the state of the ClusterCatalog such as: - - Whether or not the catalog contents are being served via the catalog content HTTP server - - Whether or not the ClusterCatalog is progressing to a new state - - A reference to the source from which the catalog contents were retrieved - properties: - conditions: - description: |- - conditions is a representation of the current state for this ClusterCatalog. - - The current condition types are Serving and Progressing. - - The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. - When it has a status of True and a reason of Available, the contents of the catalog are being served. 
- When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. - When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. - - The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. - When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. - When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. - When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. - - In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched - catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog - contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes - to the contents we identify that there are updates to the contents. - items: - description: Condition contains details for one aspect of the current state of this API Resource. 
+ - additionalPrinterColumns: + - jsonPath: .status.lastUnpacked + name: LastUnpacked + type: date + - jsonPath: .status.conditions[?(@.type=="Serving")].status + name: Serving + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterCatalog enables users to make File-Based Catalog (FBC) catalog data available to the cluster. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec is the desired state of the ClusterCatalog. + spec is required. + The controller will work to ensure that the desired + catalog is unpacked and served over the catalog content HTTP server. + properties: + availabilityMode: + default: Available + description: |- + availabilityMode allows users to define how the ClusterCatalog is made available to clients on the cluster. + availabilityMode is optional. + + Allowed values are "Available" and "Unavailable" and omitted. + + When omitted, the default value is "Available". + + When set to "Available", the catalog contents will be unpacked and served over the catalog content HTTP server. 
+ Setting the availabilityMode to "Available" tells clients that they should consider this ClusterCatalog + and its contents as usable. + + When set to "Unavailable", the catalog contents will no longer be served over the catalog content HTTP server. + When set to this availabilityMode it should be interpreted the same as the ClusterCatalog not existing. + Setting the availabilityMode to "Unavailable" can be useful in scenarios where a user may not want + to delete the ClusterCatalog all together, but would still like it to be treated as if it doesn't exist. + enum: + - Unavailable + - Available + type: string + priority: + default: 0 + description: |- + priority allows the user to define a priority for a ClusterCatalog. + priority is optional. + + A ClusterCatalog's priority is used by clients as a tie-breaker between ClusterCatalogs that meet the client's requirements. + A higher number means higher priority. + + It is up to clients to decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements. + When deciding how to break the tie in this scenario, it is recommended that clients prompt their users for additional input. + + When omitted, the default priority is 0 because that is the zero value of integers. + + Negative numbers can be used to specify a priority lower than the default. + Positive numbers can be used to specify a priority higher than the default. + + The lowest possible value is -2147483648. + The highest possible value is 2147483647. + format: int32 + type: integer + source: + description: |- + source allows a user to define the source of a catalog. + A "catalog" contains information on content that can be installed on a cluster. + Providing a catalog source makes the contents of the catalog discoverable and usable by + other on-cluster components. 
+ These on-cluster components may do a variety of things with this information, such as + presenting the content in a GUI dashboard or installing content from the catalog on the cluster. + The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format. + For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs. + source is a required field. + + Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image: + + source: + type: Image + image: + ref: quay.io/operatorhubio/catalog:latest + properties: + image: + description: |- + image is used to configure how catalog contents are sourced from an OCI image. + This field is required when type is Image, and forbidden otherwise. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: + pollIntervalMinutes: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 + pollIntervalMinutes allows the user to set the interval, in minutes, at which the image source should be polled for new content. + pollIntervalMinutes is optional. + pollIntervalMinutes can not be specified when ref is a digest-based reference. + + When omitted, the image will not be polled for new content. 
+ minimum: 1 type: integer - reason: + ref: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + ref allows users to define the reference to a container image containing Catalog contents. + ref is required. + ref can not be more than 1000 characters. + + A reference can be broken down into 3 parts - the domain, name, and identifier. + + The domain is typically the registry where an image is located. + It must be alphanumeric characters (lowercase and uppercase) separated by the "." character. + Hyphenation is allowed, but the domain must start and end with alphanumeric characters. + Specifying a port to use is also allowed by adding the ":" character followed by numeric values. + The port must be the last value in the domain. + Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080". + + The name is typically the repository in the registry where an image is located. + It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. + Multiple names can be concatenated with the "/" character. + The domain and name are combined using the "/" character. 
+ Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod". + An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog". + + The identifier is typically the tag or digest for an image reference and is present at the end of the reference. + It starts with a separator character used to distinguish the end of the name and beginning of the identifier. + For a digest-based reference, the "@" character is the separator. + For a tag-based reference, the ":" character is the separator. + An identifier is required in the reference. + + Digest-based references must contain an algorithm reference immediately after the "@" separator. + The algorithm reference must be followed by the ":" character and an encoded string. + The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. + Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58". + The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters. + + Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters. + The tag must not be longer than 127 characters. + + An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05" + An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest" + maxLength: 1000 type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. 
+ rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. + rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') + != "" + - message: must end with a digest or a tag + rule: self.find('(@.*:)') != "" || self.find(':.*$') != + "" + - message: tag is invalid. the tag must not be more than 127 + characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').substring(1).size() <= 127 + : true) : true' + - message: tag is invalid. valid tags must begin with a word + character (alphanumeric + "_") followed by word characters + or ".", and "-" characters + rule: 'self.find(''(@.*:)'') == "" ? (self.find('':.*$'') + != "" ? self.find('':.*$'').matches('':[\\w][\\w.-]*$'') + : true) : true' + - message: digest algorithm is not valid. valid algorithms + must start with an uppercase or lowercase alpha character + followed by alphanumeric characters and may contain the + "-", "_", "+", and "." characters. + rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') + : true' + - message: digest is not valid. the encoded string must be + at least 32 characters + rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() + >= 32 : true' + - message: digest is not valid. the encoded string must only + contain hex characters (A-F, a-f, 0-9) + rule: 'self.find(''(@.*:)'') != "" ? 
self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') + : true' required: - - lastTransitionTime - - message - - reason - - status - - type + - ref type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - lastUnpacked: - description: |- - lastUnpacked represents the last time the contents of the - catalog were extracted from their source format. As an example, - when using an Image source, the OCI image will be pulled and the - image layers written to a file-system backed cache. We refer to the - act of this extraction from the source format as "unpacking". - format: date-time - type: string - resolvedSource: - description: resolvedSource contains information about the resolved source based on the source type. + x-kubernetes-validations: + - message: cannot specify pollIntervalMinutes while using digest-based + image + rule: 'self.ref.find(''(@.*:)'') != "" ? !has(self.pollIntervalMinutes) + : true' + type: + description: |- + type is a reference to the type of source the catalog is sourced from. + type is required. + + The only allowed value is "Image". + + When set to "Image", the ClusterCatalog content will be sourced from an OCI image. + When using an image source, the image field must be set and must be the only field defined for this type. + enum: + - Image + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: image is required when source type is Image, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Image'' ? 
has(self.image) + : !has(self.image)' + required: + - source + type: object + status: + description: |- + status contains information about the state of the ClusterCatalog such as: + - Whether or not the catalog contents are being served via the catalog content HTTP server + - Whether or not the ClusterCatalog is progressing to a new state + - A reference to the source from which the catalog contents were retrieved + properties: + conditions: + description: |- + conditions is a representation of the current state for this ClusterCatalog. + + The current condition types are Serving and Progressing. + + The Serving condition is used to represent whether or not the contents of the catalog is being served via the HTTP(S) web server. + When it has a status of True and a reason of Available, the contents of the catalog are being served. + When it has a status of False and a reason of Unavailable, the contents of the catalog are not being served because the contents are not yet available. + When it has a status of False and a reason of UserSpecifiedUnavailable, the contents of the catalog are not being served because the catalog has been intentionally marked as unavailable. + + The Progressing condition is used to represent whether or not the ClusterCatalog is progressing or is ready to progress towards a new state. + When it has a status of True and a reason of Retrying, there was an error in the progression of the ClusterCatalog that may be resolved on subsequent reconciliation attempts. + When it has a status of True and a reason of Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing. + When it has a status of False and a reason of Blocked, there was an error in the progression of the ClusterCatalog that requires manual intervention for recovery. 
+ + In the case that the Serving condition is True with reason Available and Progressing is True with reason Retrying, the previously fetched + catalog contents are still being served via the HTTP(S) web server while we are progressing towards serving a new version of the catalog + contents. This could occur when we've initially fetched the latest contents from the source for this catalog and when polling for changes + to the contents we identify that there are updates to the contents. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. properties: - image: + lastTransitionTime: description: |- - image is a field containing resolution information for a catalog sourced from an image. - This field must be set when type is Image, and forbidden otherwise. - properties: - ref: - description: |- - ref contains the resolved image digest-based reference. - The digest format is used so users can use other tooling to fetch the exact - OCI manifests that were used to extract the catalog contents. - maxLength: 1000 - type: string - x-kubernetes-validations: - - message: must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the "." character. - rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') - - message: a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters. - rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != "" - - message: must end with a digest - rule: self.find('(@.*:)') != "" - - message: digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters. 
- rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'') : true' - - message: digest is not valid. the encoded string must be at least 32 characters - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size() >= 32 : true' - - message: digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9) - rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'') : true' - required: - - ref - type: object - type: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - type is a reference to the type of source the catalog is sourced from. - type is required. - - The only allowed value is "Image". - - When set to "Image", information about the resolved image source will be set in the 'image' field. - enum: - - Image + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string - required: - - image - - type - type: object - x-kubernetes-validations: - - message: image is required when source type is Image, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Image'' ? has(self.image) : !has(self.image)' - urls: - description: urls contains the URLs that can be used to access the catalog. - properties: - base: + observedGeneration: description: |- - base is a cluster-internal URL that provides endpoints for - accessing the content of the catalog. - - It is expected that clients append the path for the endpoint they wish - to access. - - Currently, only a single endpoint is served and is accessible at the path - /api/v1. 
- - The endpoints served for the v1 API are: - - /all - this endpoint returns the entirety of the catalog contents in the FBC format - - As the needs of users and clients of the evolve, new endpoints may be added. - maxLength: 525 + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: scheme must be either http or https - rule: 'isURL(self) ? 
(url(self).getScheme() == "http" || url(self).getScheme() == "https") : true' required: - - base + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lastUnpacked: + description: |- + lastUnpacked represents the last time the contents of the + catalog were extracted from their source format. As an example, + when using an Image source, the OCI image will be pulled and the + image layers written to a file-system backed cache. We refer to the + act of this extraction from the source format as "unpacking". + format: date-time + type: string + resolvedSource: + description: resolvedSource contains information about the resolved + source based on the source type. + properties: + image: + description: |- + image is a field containing resolution information for a catalog sourced from an image. + This field must be set when type is Image, and forbidden otherwise. + properties: + ref: + description: |- + ref contains the resolved image digest-based reference. + The digest format is used so users can use other tooling to fetch the exact + OCI manifests that were used to extract the catalog contents. + maxLength: 1000 + type: string + x-kubernetes-validations: + - message: must start with a valid domain. valid domains must + be alphanumeric characters (lowercase and uppercase) separated + by the "." character. + rule: self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\b') + - message: a valid name is required. valid names must contain + lowercase alphanumeric characters separated only by the + ".", "_", "__", "-" characters. 
+ rule: self.find('(\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)')
+ != ""
+ - message: must end with a digest
+ rule: self.find('(@.*:)') != ""
+ - message: digest algorithm is not valid. valid algorithms
+ must start with an uppercase or lowercase alpha character
+ followed by alphanumeric characters and may contain the
+ "-", "_", "+", and "." characters.
+ rule: 'self.find(''(@.*:)'') != "" ? self.find(''(@.*:)'').matches(''(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])'')
+ : true'
+ - message: digest is not valid. the encoded string must be
+ at least 32 characters
+ rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').substring(1).size()
+ >= 32 : true'
+ - message: digest is not valid. the encoded string must only
+ contain hex characters (A-F, a-f, 0-9)
+ rule: 'self.find(''(@.*:)'') != "" ? self.find('':.*$'').matches('':[0-9A-Fa-f]*$'')
+ : true'
+ required:
+ - ref
+ type: object
+ type:
+ description: |-
+ type is a reference to the type of source the catalog is sourced from.
+ type is required.
+
+ The only allowed value is "Image".
+
+ When set to "Image", information about the resolved image source will be set in the 'image' field.
+ enum:
+ - Image
+ type: string
+ required:
+ - image
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: image is required when source type is Image, and forbidden
+ otherwise
+ rule: 'has(self.type) && self.type == ''Image'' ? has(self.image)
+ : !has(self.image)'
+ urls:
+ description: urls contains the URLs that can be used to access the
+ catalog.
+ properties:
+ base:
+ description: |-
+ base is a cluster-internal URL that provides endpoints for
+ accessing the content of the catalog.
+
+ It is expected that clients append the path for the endpoint they wish
+ to access.
+
+ Currently, only a single endpoint is served and is accessible at the path
+ /api/v1.
+
+ The endpoints served for the v1 API are:
+ - /all - this endpoint returns the entirety of the catalog contents in the FBC format
+
+ As the needs of users and clients of the evolve, new endpoints may be added.
+ maxLength: 525
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid URL
+ rule: isURL(self)
+ - message: scheme must be either http or https
+ rule: 'isURL(self) ? (url(self).getScheme() == "http" || url(self).getScheme()
+ == "https") : true'
+ required:
+ - base
+ type: object
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
 ---
 # Source: olmv1/templates/02-customresourcedefinition-clusterextensions.olm.operatorframework.io.yml
 apiVersion: apiextensions.k8s.io/v1
@@ -520,10 +561,7 @@ metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.18.0
 olm.operatorframework.io/generator: standard
- olm.operatorframework.io/feature-set: standard
 name: clusterextensions.olm.operatorframework.io
- labels:
- app.kubernetes.io/part-of: olm
 spec:
 group: olm.operatorframework.io
 names:
@@ -533,560 +571,579 @@ spec: singular: clusterextension scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .status.install.bundle.name - name: Installed Bundle - type: string - - jsonPath: .status.install.bundle.version - name: Version - type: string - - jsonPath: .status.conditions[?(@.type=='Installed')].status - name: Installed - type: string - - jsonPath: .status.conditions[?(@.type=='Progressing')].status - name: Progressing - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ClusterExtension is the Schema for the clusterextensions API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is an optional field that defines the desired state of the ClusterExtension. - properties: - install: - description: |- - install is an optional field used to configure the installation options - for the ClusterExtension such as the pre-flight check configuration. - properties: - preflight: - description: |- - preflight is an optional field that can be used to configure the checks that are - run before installation or upgrade of the content for the package specified in the packageName field. 
- - When specified, it replaces the default preflight configuration for install/upgrade actions. - When not specified, the default configuration will be used. - properties: - crdUpgradeSafety: - description: |- - crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight - checks that run prior to upgrades of installed content. - - The CRD Upgrade Safety pre-flight check safeguards from unintended - consequences of upgrading a CRD, such as data loss. - properties: - enforcement: - description: |- - enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. - - Allowed values are "None" or "Strict". The default value is "Strict". - - When set to "None", the CRD Upgrade Safety pre-flight check will be skipped - when performing an upgrade operation. This should be used with caution as - unintended consequences such as data loss can occur. - - When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when - performing an upgrade operation. - enum: - - None - - Strict - type: string - required: - - enforcement - type: object - required: - - crdUpgradeSafety - type: object - x-kubernetes-validations: - - message: at least one of [crdUpgradeSafety] are required when preflight is specified - rule: has(self.crdUpgradeSafety) - type: object - x-kubernetes-validations: - - message: at least one of [preflight] are required when install is specified - rule: has(self.preflight) - namespace: - description: |- - namespace is a reference to a Kubernetes namespace. - This is the namespace in which the provided ServiceAccount must exist. - It also designates the default namespace where namespace-scoped resources - for the extension are applied to the cluster. - Some extensions may contain namespace-scoped resources to be applied in other namespaces. - This namespace must exist. - - namespace is required, immutable, and follows the DNS label standard - as defined in [RFC 1123]. 
It must contain only lowercase alphanumeric characters or hyphens (-), - start and end with an alphanumeric character, and be no longer than 63 characters - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 63 - type: string - x-kubernetes-validations: - - message: namespace is immutable + - additionalPrinterColumns: + - jsonPath: .status.install.bundle.name + name: Installed Bundle + type: string + - jsonPath: .status.install.bundle.version + name: Version + type: string + - jsonPath: .status.conditions[?(@.type=='Installed')].status + name: Installed + type: string + - jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is an optional field that defines the desired state + of the ClusterExtension. + properties: + install: + description: |- + install is an optional field used to configure the installation options + for the ClusterExtension such as the pre-flight check configuration. 
+ properties: + preflight: + description: |- + preflight is an optional field that can be used to configure the checks that are + run before installation or upgrade of the content for the package specified in the packageName field. + + When specified, it replaces the default preflight configuration for install/upgrade actions. + When not specified, the default configuration will be used. + properties: + crdUpgradeSafety: + description: |- + crdUpgradeSafety is used to configure the CRD Upgrade Safety pre-flight + checks that run prior to upgrades of installed content. + + The CRD Upgrade Safety pre-flight check safeguards from unintended + consequences of upgrading a CRD, such as data loss. + properties: + enforcement: + description: |- + enforcement is a required field, used to configure the state of the CRD Upgrade Safety pre-flight check. + + Allowed values are "None" or "Strict". The default value is "Strict". + + When set to "None", the CRD Upgrade Safety pre-flight check will be skipped + when performing an upgrade operation. This should be used with caution as + unintended consequences such as data loss can occur. + + When set to "Strict", the CRD Upgrade Safety pre-flight check will be run when + performing an upgrade operation. + enum: + - None + - Strict + type: string + required: + - enforcement + type: object + required: + - crdUpgradeSafety + type: object + x-kubernetes-validations: + - message: at least one of [crdUpgradeSafety] are required when + preflight is specified + rule: has(self.crdUpgradeSafety) + type: object + x-kubernetes-validations: + - message: at least one of [preflight] are required when install is + specified + rule: has(self.preflight) + namespace: + description: |- + namespace is a reference to a Kubernetes namespace. + This is the namespace in which the provided ServiceAccount must exist. + It also designates the default namespace where namespace-scoped resources + for the extension are applied to the cluster. 
+ Some extensions may contain namespace-scoped resources to be applied in other namespaces. + This namespace must exist. + + namespace is required, immutable, and follows the DNS label standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-), + start and end with an alphanumeric character, and be no longer than 63 characters + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 63 + type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf + - message: namespace must be a valid DNS1123 label + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") + serviceAccount: + description: |- + serviceAccount is a reference to a ServiceAccount used to perform all interactions + with the cluster that are required to manage the extension. + The ServiceAccount must be configured with the necessary permissions to perform these interactions. + The ServiceAccount must exist in the namespace referenced in the spec. + serviceAccount is required. + properties: + name: + description: |- + name is a required, immutable reference to the name of the ServiceAccount + to be used for installation and management of the content for the package + specified in the packageName field. + + This ServiceAccount must exist in the installNamespace. + + name follows the DNS subdomain standard as defined in [RFC 1123]. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. 
+ + Some examples of valid values are: + - some-serviceaccount + - 123-serviceaccount + - 1-serviceaccount-2 + - someserviceaccount + - some.serviceaccount + + Some examples of invalid values are: + - -some-serviceaccount + - some-serviceaccount- + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: name is immutable rule: self == oldSelf - - message: namespace must be a valid DNS1123 label - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") - serviceAccount: - description: |- - serviceAccount is a reference to a ServiceAccount used to perform all interactions - with the cluster that are required to manage the extension. - The ServiceAccount must be configured with the necessary permissions to perform these interactions. - The ServiceAccount must exist in the namespace referenced in the spec. - serviceAccount is required. - properties: - name: - description: |- - name is a required, immutable reference to the name of the ServiceAccount - to be used for installation and management of the content for the package - specified in the packageName field. - - This ServiceAccount must exist in the installNamespace. - - name follows the DNS subdomain standard as defined in [RFC 1123]. - It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - - Some examples of valid values are: - - some-serviceaccount - - 123-serviceaccount - - 1-serviceaccount-2 - - someserviceaccount - - some.serviceaccount - - Some examples of invalid values are: - - -some-serviceaccount - - some-serviceaccount- - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - maxLength: 253 - type: string - x-kubernetes-validations: - - message: name is immutable - rule: self == oldSelf - - message: name must be a valid DNS1123 subdomain. 
It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - required: - - name - type: object - source: - description: |- - source is a required field which selects the installation source of content - for this ClusterExtension. Selection is performed by setting the sourceType. - - Catalog is currently the only implemented sourceType, and setting the - sourcetype to "Catalog" requires the catalog field to also be defined. - - Below is a minimal example of a source definition (in yaml): - - source: - sourceType: Catalog - catalog: - packageName: example-package - properties: + - message: name must be a valid DNS1123 subdomain. It must contain + only lowercase alphanumeric characters, hyphens (-) or periods + (.), start and end with an alphanumeric character, and be + no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + required: + - name + type: object + source: + description: |- + source is a required field which selects the installation source of content + for this ClusterExtension. Selection is performed by setting the sourceType. + + Catalog is currently the only implemented sourceType, and setting the + sourcetype to "Catalog" requires the catalog field to also be defined. + + Below is a minimal example of a source definition (in yaml): + + source: + sourceType: Catalog catalog: - description: |- - catalog is used to configure how information is sourced from a catalog. - This field is required when sourceType is "Catalog", and forbidden otherwise. - properties: - channels: - description: |- - channels is an optional reference to a set of channels belonging to - the package specified in the packageName field. - - A "channel" is a package-author-defined stream of updates for an extension. 
- - Each channel in the list must follow the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. No more than 256 channels can be specified. - - When specified, it is used to constrain the set of installable bundles and - the automated upgrade path. This constraint is an AND operation with the - version field. For example: - - Given channel is set to "foo" - - Given version is set to ">=1.0.0, <1.5.0" - - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable - - Automatic upgrades will be constrained to upgrade edges defined by the selected channel - - When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. - - Some examples of valid values are: - - 1.1.x - - alpha - - stable - - stable-v1 - - v1-stable - - dev-preview - - preview - - community - - Some examples of invalid values are: - - -some-channel - - some-channel- - - thisisareallylongchannelnamethatisgreaterthanthemaximumlength - - original_40 - - --default-channel - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 - items: - maxLength: 253 - type: string - x-kubernetes-validations: - - message: channels entries must be valid DNS1123 subdomains - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - maxItems: 256 - type: array - packageName: - description: |- - packageName is a reference to the name of the package to be installed - and is used to filter the content from catalogs. - - packageName is required, immutable, and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. 
- - Some examples of valid values are: - - some-package - - 123-package - - 1-package-2 - - somepackage - - Some examples of invalid values are: - - -some-package - - some-package- - - thisisareallylongpackagenamethatisgreaterthanthemaximumlength - - some.package - - [RFC 1123]: https://tools.ietf.org/html/rfc1123 + packageName: example-package + properties: + catalog: + description: |- + catalog is used to configure how information is sourced from a catalog. + This field is required when sourceType is "Catalog", and forbidden otherwise. + properties: + channels: + description: |- + channels is an optional reference to a set of channels belonging to + the package specified in the packageName field. + + A "channel" is a package-author-defined stream of updates for an extension. + + Each channel in the list must follow the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. No more than 256 channels can be specified. + + When specified, it is used to constrain the set of installable bundles and + the automated upgrade path. This constraint is an AND operation with the + version field. For example: + - Given channel is set to "foo" + - Given version is set to ">=1.0.0, <1.5.0" + - Only bundles that exist in channel "foo" AND satisfy the version range comparison will be considered installable + - Automatic upgrades will be constrained to upgrade edges defined by the selected channel + + When unspecified, upgrade edges across all channels will be used to identify valid automatic upgrade paths. 
+ + Some examples of valid values are: + - 1.1.x + - alpha + - stable + - stable-v1 + - v1-stable + - dev-preview + - preview + - community + + Some examples of invalid values are: + - -some-channel + - some-channel- + - thisisareallylongchannelnamethatisgreaterthanthemaximumlength + - original_40 + - --default-channel + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + items: maxLength: 253 type: string x-kubernetes-validations: - - message: packageName is immutable - rule: self == oldSelf - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - selector: - description: |- - selector is an optional field that can be used - to filter the set of ClusterCatalogs used in the bundle - selection process. - - When unspecified, all ClusterCatalogs will be used in - the bundle selection process. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string + - message: channels entries must be valid DNS1123 subdomains + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + maxItems: 256 + type: array + packageName: + description: |- + packageName is a reference to the name of the package to be installed + and is used to filter the content from catalogs. + + packageName is required, immutable, and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. + + Some examples of valid values are: + - some-package + - 123-package + - 1-package-2 + - somepackage + + Some examples of invalid values are: + - -some-package + - some-package- + - thisisareallylongpackagenamethatisgreaterthanthemaximumlength + - some.package + + [RFC 1123]: https://tools.ietf.org/html/rfc1123 + maxLength: 253 + type: string + x-kubernetes-validations: + - message: packageName is immutable + rule: self == oldSelf + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + selector: + description: |- + selector is an optional field that can be used + to filter the set of ClusterCatalogs used in the bundle + selection process. + + When unspecified, all ClusterCatalogs will be used in + the bundle selection process. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object - type: object - x-kubernetes-map-type: atomic - upgradeConstraintPolicy: - default: CatalogProvided - description: |- - upgradeConstraintPolicy is an optional field that controls whether - the upgrade path(s) defined in the catalog are enforced for the package - referenced in the packageName field. - - Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - - When this field is set to "CatalogProvided", automatic upgrades will only occur - when upgrade constraints specified by the package author are met. - - When this field is set to "SelfCertified", the upgrade constraints specified by - the package author are ignored. This allows for upgrades and downgrades to - any version of the package. This is considered a dangerous operation as it - can lead to unknown and potentially disastrous outcomes, such as data - loss. 
It is assumed that users have independently verified changes when - using this option. - - When this field is omitted, the default value is "CatalogProvided". - enum: - - CatalogProvided - - SelfCertified - type: string - version: - description: |- - version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. - - Acceptable version ranges are no longer than 64 characters. - Version ranges are composed of comma- or space-delimited values and one or - more comparison operators, known as comparison strings. Additional - comparison strings can be added using the OR operator (||). - - # Range Comparisons - - To specify a version range, you can use a comparison string like ">=3.0, - <3.6". When specifying a range, automatic updates will occur within that - range. The example comparison string means "install any version greater than - or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any - upgrades are available within the version range after initial installation, - those upgrades should be automatically performed. - - # Pinned Versions - - To specify an exact version to install you can use a version range that - "pins" to a specific version. When pinning to a specific version, no - automatic updates will occur. An example of a pinned version range is - "0.6.0", which means "only install version 0.6.0 and never - upgrade from this version". - - # Basic Comparison Operators - - The basic comparison operators and their meanings are: - - "=", equal (not aliased to an operator) - - "!=", not equal - - "<", less than - - ">", greater than - - ">=", greater than OR equal to - - "<=", less than OR equal to - - # Wildcard Comparisons - - You can use the "x", "X", and "*" characters as wildcard characters in all - comparison operations. 
Some examples of using the wildcard characters: - - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" - - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" - - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" - - "x", "X", and "*" is equivalent to ">= 0.0.0" - - # Patch Release Comparisons - - When you want to specify a minor version up to the next major version you - can use the "~" character to perform patch comparisons. Some examples: - - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" - - "~1" and "~1.x" is equivalent to ">=1, <2" - - "~2.3" is equivalent to ">=2.3, <2.4" - - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" - - # Major Release Comparisons - - You can use the "^" character to make major release comparisons after a - stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: - - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" - - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" - - "^2.3" is equivalent to ">=2.3, <3" - - "^2.x" is equivalent to ">=2.0.0, <3" - - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" - - "^0.2" is equivalent to ">=0.2.0, <0.3.0" - - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" - - "^0.0" is equivalent to ">=0.0.0, <0.1.0" - - "^0" is equivalent to ">=0.0.0, <1.0.0" - - # OR Comparisons - You can use the "||" character to represent an OR operation in the version - range. 
Some examples: - - ">=1.2.3, <2.0.0 || >3.0.0" - - "^0 || ^3 || ^5" - - For more information on semver, please see https://semver.org/ - maxLength: 64 - type: string - x-kubernetes-validations: - - message: invalid version expression - rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") - required: - - packageName - type: object - sourceType: - description: |- - sourceType is a required reference to the type of install source. + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + upgradeConstraintPolicy: + default: CatalogProvided + description: |- + upgradeConstraintPolicy is an optional field that controls whether + the upgrade path(s) defined in the catalog are enforced for the package + referenced in the packageName field. + + Allowed values are: "CatalogProvided" or "SelfCertified", or omitted. - Allowed values are "Catalog" + When this field is set to "CatalogProvided", automatic upgrades will only occur + when upgrade constraints specified by the package author are met. - When this field is set to "Catalog", information for determining the - appropriate bundle of content to install will be fetched from - ClusterCatalog resources existing on the cluster. 
- When using the Catalog sourceType, the catalog field must also be set. + When this field is set to "SelfCertified", the upgrade constraints specified by + the package author are ignored. This allows for upgrades and downgrades to + any version of the package. This is considered a dangerous operation as it + can lead to unknown and potentially disastrous outcomes, such as data + loss. It is assumed that users have independently verified changes when + using this option. + + When this field is omitted, the default value is "CatalogProvided". + enum: + - CatalogProvided + - SelfCertified + type: string + version: + description: |- + version is an optional semver constraint (a specific version or range of versions). When unspecified, the latest version available will be installed. + + Acceptable version ranges are no longer than 64 characters. + Version ranges are composed of comma- or space-delimited values and one or + more comparison operators, known as comparison strings. Additional + comparison strings can be added using the OR operator (||). + + # Range Comparisons + + To specify a version range, you can use a comparison string like ">=3.0, + <3.6". When specifying a range, automatic updates will occur within that + range. The example comparison string means "install any version greater than + or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any + upgrades are available within the version range after initial installation, + those upgrades should be automatically performed. + + # Pinned Versions + + To specify an exact version to install you can use a version range that + "pins" to a specific version. When pinning to a specific version, no + automatic updates will occur. An example of a pinned version range is + "0.6.0", which means "only install version 0.6.0 and never + upgrade from this version". 
+ + # Basic Comparison Operators + + The basic comparison operators and their meanings are: + - "=", equal (not aliased to an operator) + - "!=", not equal + - "<", less than + - ">", greater than + - ">=", greater than OR equal to + - "<=", less than OR equal to + + # Wildcard Comparisons + + You can use the "x", "X", and "*" characters as wildcard characters in all + comparison operations. Some examples of using the wildcard characters: + - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0" + - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0" + - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3" + - "x", "X", and "*" is equivalent to ">= 0.0.0" + + # Patch Release Comparisons + + When you want to specify a minor version up to the next major version you + can use the "~" character to perform patch comparisons. Some examples: + - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0" + - "~1" and "~1.x" is equivalent to ">=1, <2" + - "~2.3" is equivalent to ">=2.3, <2.4" + - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0" + + # Major Release Comparisons + + You can use the "^" character to make major release comparisons after a + stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples: + - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0" + - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0" + - "^2.3" is equivalent to ">=2.3, <3" + - "^2.x" is equivalent to ">=2.0.0, <3" + - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0" + - "^0.2" is equivalent to ">=0.2.0, <0.3.0" + - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4" + - "^0.0" is equivalent to ">=0.0.0, <0.1.0" + - "^0" is equivalent to ">=0.0.0, <1.0.0" + + # OR Comparisons + You can use the "||" character to represent an OR operation in the version + range. 
Some examples: + - ">=1.2.3, <2.0.0 || >3.0.0" + - "^0 || ^3 || ^5" + + For more information on semver, please see https://semver.org/ + maxLength: 64 + type: string + x-kubernetes-validations: + - message: invalid version expression + rule: self.matches("^(\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|[x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*]))?(\\.(0|[1-9]\\d*|x|X|\\*))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)((?:\\s+|,\\s*|\\s*\\|\\|\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\^)\\s*(v?(0|[1-9]\\d*|x|X|\\*])(\\.(0|[1-9]\\d*|x|X|\\*))?(\\.(0|[1-9]\\d*|x|X|\\*]))?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?)\\s*)*$") + required: + - packageName + type: object + sourceType: + description: |- + sourceType is a required reference to the type of install source. + + Allowed values are "Catalog" + + When this field is set to "Catalog", information for determining the + appropriate bundle of content to install will be fetched from + ClusterCatalog resources existing on the cluster. + When using the Catalog sourceType, the catalog field must also be set. + enum: + - Catalog + type: string + required: + - sourceType + type: object + x-kubernetes-validations: + - message: catalog is required when sourceType is Catalog, and forbidden + otherwise + rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? + has(self.catalog) : !has(self.catalog)' + required: + - namespace + - serviceAccount + - source + type: object + status: + description: status is an optional field that defines the observed state + of the ClusterExtension. + properties: + conditions: + description: |- + The set of condition types which apply to all spec.source variations are Installed and Progressing. + + The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. + When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
+ When Installed is False and the Reason is Failed, the bundle has failed to install. + + The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. + When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. + When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. + When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. + + When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. + These are indications from a package owner to guide users away from a particular package, channel, or bundle. + BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. + ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. + PackageDeprecated is set if the requested package is marked deprecated in the catalog. + Deprecated is a rollup condition that is present when any of the deprecated conditions are present. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. enum: - - Catalog + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - sourceType + - lastTransitionTime + - message + - reason + - status + - type type: object - x-kubernetes-validations: - - message: catalog is required when sourceType is Catalog, and forbidden otherwise - rule: 'has(self.sourceType) && self.sourceType == ''Catalog'' ? has(self.catalog) : !has(self.catalog)' - required: - - namespace - - serviceAccount - - source - type: object - status: - description: status is an optional field that defines the observed state of the ClusterExtension. - properties: - conditions: - description: |- - The set of condition types which apply to all spec.source variations are Installed and Progressing. - - The Installed condition represents whether or not the bundle has been installed for this ClusterExtension. - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed. 
- When Installed is False and the Reason is Failed, the bundle has failed to install. - - The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state. - When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state. - When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts. - When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery. - - When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition. - These are indications from a package owner to guide users away from a particular package, channel, or bundle. - BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog. - ChannelDeprecated is set if the requested channel is marked deprecated in the catalog. - PackageDeprecated is set if the requested package is marked deprecated in the catalog. - Deprecated is a rollup condition that is present when any of the deprecated conditions are present. - items: - description: Condition contains details for one aspect of the current state of this API Resource. + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + install: + description: install is a representation of the current installation + status for this ClusterExtension. + properties: + bundle: + description: |- + bundle is a required field which represents the identifying attributes of a bundle. + + A "bundle" is a versioned set of content that represents the resources that + need to be applied to a cluster to install a package. properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: + name: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + name is required and follows the DNS subdomain standard + as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric character, + and be no longer than 253 characters. type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: + x-kubernetes-validations: + - message: packageName must be a valid DNS1123 subdomain. + It must contain only lowercase alphanumeric characters, + hyphens (-) or periods (.), start and end with an alphanumeric + character, and be no longer than 253 characters + rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + version: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + version is a required field and is a reference to the version that this bundle represents + version follows the semantic versioning standard as defined in https://semver.org/. type: string + x-kubernetes-validations: + - message: version must be well-formed semver + rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") required: - - lastTransitionTime - - message - - reason - - status - - type + - name + - version type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - install: - description: install is a representation of the current installation status for this ClusterExtension. - properties: - bundle: - description: |- - bundle is a required field which represents the identifying attributes of a bundle. - - A "bundle" is a versioned set of content that represents the resources that - need to be applied to a cluster to install a package. - properties: - name: - description: |- - name is required and follows the DNS subdomain standard - as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters, - hyphens (-) or periods (.), start and end with an alphanumeric character, - and be no longer than 253 characters. - type: string - x-kubernetes-validations: - - message: packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters - rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - version: - description: |- - version is a required field and is a reference to the version that this bundle represents - version follows the semantic versioning standard as defined in https://semver.org/. 
- type: string - x-kubernetes-validations: - - message: version must be well-formed semver - rule: self.matches("^([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([-0-9A-Za-z]+(\\.[-0-9A-Za-z]+)*))?(\\+([-0-9A-Za-z]+(-\\.[-0-9A-Za-z]+)*))?") - required: - - name - - version - type: object - required: - - bundle - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} + required: + - bundle + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} --- # Source: olmv1/templates/09-clusterrole-catalogd-manager-role.yml apiVersion: rbac.authorization.k8s.io/v1