UPSTREAM: <drop>: Add global-pull-secret flag

Pass global-pull-secret to the manager container.

Signed-off-by: Mikalai Radchuk <[email protected]>

Author: Mikalai Radchuk

openshift/generate-manifests.sh

@@ -20,6 +20,19 @@ IMAGE_MAPPINGS[kube-rbac-proxy]='${KUBE_RBAC_PROXY_IMAGE}'
 # shellcheck disable=SC2016
 IMAGE_MAPPINGS[manager]='${OPERATOR_CONTROLLER_IMAGE}'
 
+# This is a mapping of catalogd flag names to values. For example, given a deployment with a container
+# named "manager" and arguments:
+# args:
+#  - --flagname=one
+# and an entry to the FLAG_MAPPINGS of FLAG_MAPPINGS[flagname]='two', the argument will be updated to:
+# args:
+#  - --flagname=two
+#
+# If the flag doesn't already exist - it will be appended to the list.
+declare -A FLAG_MAPPINGS
+# shellcheck disable=SC2016
+FLAG_MAPPINGS[global-pull-secret]="openshift-config/pull-secret"
+
 ##################################################
 # You shouldn't need to change anything below here
 ##################################################
@@ -36,29 +49,41 @@ TMP_ROOT="$(mktemp -p . -d 2>/dev/null || mktemp -d ./tmpdir.XXXXXXX)"
 trap 'rm -rf $TMP_ROOT' EXIT
 
 # Copy all kustomize files into a temp dir
-TMP_CONFIG="${TMP_ROOT}/config"
-cp -a "${REPO_ROOT}/config" "$TMP_CONFIG"
+cp -a "${REPO_ROOT}/config" "${TMP_ROOT}/config"
+mkdir -p "${TMP_ROOT}/openshift"
+cp -a "${REPO_ROOT}/openshift/kustomize" "${TMP_ROOT}/openshift/kustomize"
 
-# Override namespace to openshift-operator-controller
-$YQ -i ".namespace = \"${NAMESPACE}\"" "${TMP_CONFIG}/base/kustomization.yaml"
+# Override OPENSHIFT-NAMESPACE to ${NAMESPACE}
+find "${TMP_ROOT}" -name "*.yaml" -exec sed -i "s/OPENSHIFT-NAMESPACE/${NAMESPACE}/g" {} \;
 
 # Create a temp dir for manifests
 TMP_MANIFEST_DIR="${TMP_ROOT}/manifests"
 mkdir -p "$TMP_MANIFEST_DIR"
 
 # Run kustomize, which emits a single yaml file
 TMP_KUSTOMIZE_OUTPUT="${TMP_MANIFEST_DIR}/temp.yaml"
-$KUSTOMIZE build "${REPO_ROOT}"/openshift/kustomize/overlays/openshift -o "$TMP_KUSTOMIZE_OUTPUT"
+$KUSTOMIZE build "${TMP_ROOT}/openshift/kustomize/overlays/openshift" -o "$TMP_KUSTOMIZE_OUTPUT"
 
 for container_name in "${!IMAGE_MAPPINGS[@]}"; do
   placeholder="${IMAGE_MAPPINGS[$container_name]}"
   $YQ -i "(select(.kind == \"Deployment\")|.spec.template.spec.containers[]|select(.name==\"$container_name\")|.image) = \"$placeholder\"" "$TMP_KUSTOMIZE_OUTPUT"
   $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}"}' "$TMP_KUSTOMIZE_OUTPUT"
-  $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "restricted-v2"}' "$TMP_KUSTOMIZE_OUTPUT"
+  $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "privileged"}' "$TMP_KUSTOMIZE_OUTPUT"
   $YQ -i 'select(.kind == "Deployment").spec.template.spec += {"priorityClassName": "system-cluster-critical"}' "$TMP_KUSTOMIZE_OUTPUT"
   $YQ -i 'select(.kind == "Namespace").metadata.annotations += {"workload.openshift.io/allowed": "management"}' "$TMP_KUSTOMIZE_OUTPUT"
 done
 
+# Loop through any flag updates that need to be made to the manager container
+for flag_name in "${!FLAG_MAPPINGS[@]}"; do
+  flagval="${FLAG_MAPPINGS[$flag_name]}"
+
+  # First, update the flag if it exists
+  $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) = \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT"
+
+  # Then, append the flag if it doesn't exist
+  $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT"
+done
+
 # Use yq to split the single yaml file into 1 per document.
 # Naming convention: $index-$kind-$namespace-$name. If $namespace is empty, just use the empty string.
 (
@@ -102,4 +127,3 @@ cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/
     fi
   done
 )
-

openshift/kustomize/overlays/openshift/kustomization.yaml

@@ -1,16 +1,5 @@
-# Adds namespace to all resources.
-namespace: openshift-operator-controller
-
 namePrefix: operator-controller-
 
 resources:
-  - resources/ca_configmap.yaml
-  - ../../../../config/base/crd
-  - ../../../../config/base/rbac
-  - ../../../../config/base/manager
-
-patches:
-  - target:
-      kind: Deployment
-      name: controller-manager
-    path: patches/manager_deployment_ca.yaml
+  - olmv1-ns
+  - openshift-config

openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml

@@ -0,0 +1,19 @@
+# Adds namespace to all resources.
+namespace: OPENSHIFT-NAMESPACE
+
+resources:
+  - resources/ca_configmap.yaml
+  - ../../../../../config/base/crd
+  - ../../../../../config/base/rbac
+  - ../../../../../config/base/manager
+
+patches:
+  - target:
+      kind: ClusterRole
+      name: manager-role
+    path: patches/manager_role.yaml
+  - target:
+      kind: Deployment
+      name: controller-manager
+    path: patches/manager_deployment_ca.yaml
+  - path: patches/manager_namespace_privileged.yaml

openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml renamed to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml

@@ -0,0 +1,7 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups: [security.openshift.io]
+    resources: [securitycontextconstraints]
+    resourceNames: [privileged]
+    verbs: [use]

openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml

@@ -0,0 +1,6 @@
+# Adds namespace to all resources.
+namespace: openshift-config
+
+resources:
+- rbac/operator-controller_manager_role.yaml
+- rbac/operator-controller_manager_role_binding.yaml

openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml renamed to openshift/kustomize/overlays/openshift/olmv1-ns/resources/ca_configmap.yaml

@@ -0,0 +1,17 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch

openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: OPENSHIFT-NAMESPACE