UPSTREAM: <carry>: Add support for experimental manifests

Update the openshift kustomize configuration for both operator-controller
and catalogd.

Update the manifest generation scripts to put the core generation code
into a function (ignore-whitespace will help with the review), so that
it can be called twice; once for standard, and once for experimental.

Move around some of the kustomization directives to
* Create a patch kustomization (Component) file and move the patch directives from olmv1-ns there. This allows it to be referenced from a different directory.
* Add a kustomization file for tusted-ca. This allows it to be referenced from a different directory.
* Move the setting of the namePrefix for operator-controller; this makes the generation compatible with upstream feature components.
* Define experimental kustomization files that reference existing components.
* Reference the correct CRDs (standard or experimental).
* Add references to upstream feature components into the experimental manifests.

This *will* add `--feature-gates` options from the upstream feature
components to the experimental manifests. The cluster-olm-operator will
strip those arguments from the deployments before adding the enabled
feature gates.

Update the Dockerfiles to include the experimental manifests and a copy
script (`cp-manifests`) into the image containers. The complexity of
having multiple sets of manifests mean that the simple initContainer
copy mechanism found in cluster-olm-operator is no longer sufficient.

This attempts to keep backwards compatibility with older versions of
cluster-olm-operator, specifically by keeping the original (standard)
manifests in the original location, and adding the experimental
manifests in a new directory. The new `cp-manifests` script is used
by newer versions of cluster-olm-operator.

Signed-off-by: Todd Short <[email protected]>

Author: tmshort

openshift/catalogd.Dockerfile

@@ -6,7 +6,9 @@ RUN make go-build-local
 FROM registry.ci.openshift.org/ocp/4.20:base-rhel9
 USER 1001
 COPY --from=builder /build/bin/catalogd /catalogd
+COPY openshift/catalogd/cp-manifests /cp-manifests
 COPY openshift/catalogd/manifests /openshift/manifests
+COPY openshift/catalogd/manifests-experimental /openshift/manifests-experimental
 
 LABEL io.k8s.display-name="OpenShift Operator Lifecycle Manager Catalog Controller" \
       io.k8s.description="This is a component of OpenShift Container Platform that provides operator catalog support."

openshift/catalogd/cp-manifests

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if [ -z "${1}" ]; then
+   echo "No destination specified"
+   exit 1
+fi
+
+DEST=${1}
+
+if [ -d /openshift/manifests ]; then
+    mkdir -p "${DEST}/standard/catalogd"
+    cp -a /openshift/manifests "${DEST}/standard/catalogd"
+fi
+
+if [ -d /openshift/manifests-experimental ]; then
+    mkdir -p "${DEST}/experimental/catalogd"
+    cp -a /openshift/manifests "${DEST}/experimental/catalogd"
+fi
+

openshift/catalogd/generate-manifests.sh

@@ -44,88 +44,98 @@ REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 # Source bingo so we can use kustomize and yq
 . "${REPO_ROOT}/openshift/.bingo/variables.env"
 
-# We're going to do file manipulation, so let's work in a temp dir
-TMP_ROOT="$(mktemp -p . -d 2>/dev/null || mktemp -d ./tmpdir.XXXXXXX)"
-# Make sure to delete the temp dir when we exit
-trap 'rm -rf $TMP_ROOT' EXIT
-
-# Copy all kustomize files into a temp dir
-cp -a "${REPO_ROOT}/config/" "${TMP_ROOT}/config/"
-
-mkdir -p "${TMP_ROOT}/openshift/catalogd/"
-cp -a "${REPO_ROOT}/openshift/catalogd/kustomize" "${TMP_ROOT}/openshift/catalogd/kustomize"
-
-# Override OPENSHIFT-NAMESPACE to ${NAMESPACE}
-find "${TMP_ROOT}" -name "*.yaml" -exec sed -i'.bak' "s/OPENSHIFT-NAMESPACE/${NAMESPACE}/g" {} \;
-find "${TMP_ROOT}" -name "*.bak" -exec rm {} \;
-
-# Create a temp dir for manifests
-TMP_MANIFEST_DIR="${TMP_ROOT}/manifests"
-mkdir -p "$TMP_MANIFEST_DIR"
-
-# Run kustomize, which emits a single yaml file
-TMP_KUSTOMIZE_OUTPUT="${TMP_MANIFEST_DIR}/temp.yaml"
-$KUSTOMIZE build "${TMP_ROOT}/openshift/catalogd/kustomize/overlays/openshift" -o "$TMP_KUSTOMIZE_OUTPUT"
-
-for container_name in "${!IMAGE_MAPPINGS[@]}"; do
-  placeholder="${IMAGE_MAPPINGS[$container_name]}"
-  $YQ -i "(select(.kind == \"Deployment\")|.spec.template.spec.containers[]|select(.name==\"$container_name\")|.image) = \"$placeholder\"" "$TMP_KUSTOMIZE_OUTPUT"
-  $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}"}' "$TMP_KUSTOMIZE_OUTPUT"
-  $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "privileged"}' "$TMP_KUSTOMIZE_OUTPUT"
-  $YQ -i 'select(.kind == "Deployment").spec.template.spec += {"priorityClassName": "system-cluster-critical"}' "$TMP_KUSTOMIZE_OUTPUT"
-done
-
-# Loop through any flag updates that need to be made to the manager container
-for flag_name in "${!FLAG_MAPPINGS[@]}"; do
-  flagval="${FLAG_MAPPINGS[$flag_name]}"
-
-  # First, update the flag if it exists
-  $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) = \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT"
-
-  # Then, append the flag if it doesn't exist
-  $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT"
-done
-
-# Use yq to split the single yaml file into 1 per document.
-# Naming convention: $index-$kind-$namespace-$name. If $namespace is empty, just use the empty string.
-(
-  cd "$TMP_MANIFEST_DIR"
-
-  # shellcheck disable=SC2016
-  ${YQ} -s '$index +"-"+ (.kind|downcase) +"-"+ (.metadata.namespace // "") +"-"+ .metadata.name' temp.yaml
-)
-
-# Delete the single yaml file
-rm "$TMP_KUSTOMIZE_OUTPUT"
-
-# Delete and recreate the actual manifests directory
-MANIFEST_DIR="${REPO_ROOT}/openshift/catalogd/manifests"
-rm -rf "${MANIFEST_DIR}"
-mkdir -p "${MANIFEST_DIR}"
-
-# Copy everything we just generated and split into the actual manifests directory
-cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/
-
-# Update file names to be in the format nn-$kind-$namespace-$name
-(
-  cd "$MANIFEST_DIR"
-
-  for f in *; do
-    # Get the numeric prefix from the filename
-    index=$(echo "$f" | cut -d '-' -f 1)
-    # Keep track of the full file name without the leading number and dash
-    name_without_index=${f#$index-}
-    # Fix the double dash in cluster-scoped names
-    name_without_index=${name_without_index//--/-}
-    # Reformat the name so the leading number is always padded to 2 digits
-    new_name=$(printf "%02d" "$index")-$name_without_index
-    # Some file names (namely CRDs) don't end in .yml - make them
-    if ! [[ "$new_name" =~ yml$ ]]; then
-      new_name="${new_name}".yml
-    fi
-    if [[ "$f" != "$new_name" ]]; then
-      # Rename
-      mv "$f" "${new_name}"
-    fi
-  done
-)
+# This function generates the manifests
+generate () {
+    INPUT_DIR=${1}
+    OUTPUT_DIR=${2}
+    # We're going to do file manipulation, so let's work in a temp dir
+    TMP_ROOT="$(mktemp -p . -d 2>/dev/null || mktemp -d ./tmpdir.XXXXXXX)"
+    # Make sure to delete the temp dir when we exit
+    trap 'rm -rf $TMP_ROOT' EXIT
+
+    # Copy all kustomize files into a temp dir
+    cp -a "${REPO_ROOT}/config/" "${TMP_ROOT}/config/"
+
+    mkdir -p "${TMP_ROOT}/openshift/catalogd/"
+    cp -a "${REPO_ROOT}/openshift/catalogd/kustomize" "${TMP_ROOT}/openshift/catalogd/kustomize"
+
+    # Override OPENSHIFT-NAMESPACE to ${NAMESPACE}
+    find "${TMP_ROOT}" -name "*.yaml" -exec sed -i'.bak' "s/OPENSHIFT-NAMESPACE/${NAMESPACE}/g" {} \;
+    find "${TMP_ROOT}" -name "*.bak" -exec rm {} \;
+
+    # Create a temp dir for manifests
+    TMP_MANIFEST_DIR="${TMP_ROOT}/manifests"
+    mkdir -p "$TMP_MANIFEST_DIR"
+
+    # Run kustomize, which emits a single yaml file
+    TMP_KUSTOMIZE_OUTPUT="${TMP_MANIFEST_DIR}/temp.yaml"
+    $KUSTOMIZE build "${TMP_ROOT}/openshift/catalogd/kustomize/overlays/${INPUT_DIR}" -o "$TMP_KUSTOMIZE_OUTPUT"
+
+    for container_name in "${!IMAGE_MAPPINGS[@]}"; do
+        placeholder="${IMAGE_MAPPINGS[$container_name]}"
+        $YQ -i "(select(.kind == \"Deployment\")|.spec.template.spec.containers[]|select(.name==\"$container_name\")|.image) = \"$placeholder\"" "$TMP_KUSTOMIZE_OUTPUT"
+        $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}"}' "$TMP_KUSTOMIZE_OUTPUT"
+        $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "privileged"}' "$TMP_KUSTOMIZE_OUTPUT"
+        $YQ -i 'select(.kind == "Deployment").spec.template.spec += {"priorityClassName": "system-cluster-critical"}' "$TMP_KUSTOMIZE_OUTPUT"
+    done
+
+    # Loop through any flag updates that need to be made to the manager container
+    for flag_name in "${!FLAG_MAPPINGS[@]}"; do
+        flagval="${FLAG_MAPPINGS[$flag_name]}"
+
+        # First, update the flag if it exists
+        $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) = \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT"
+
+        # Then, append the flag if it doesn't exist
+        $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT"
+    done
+
+    # Use yq to split the single yaml file into 1 per document.
+    # Naming convention: $index-$kind-$namespace-$name. If $namespace is empty, just use the empty string.
+    (
+        cd "$TMP_MANIFEST_DIR"
+
+        # shellcheck disable=SC2016
+        ${YQ} -s '$index +"-"+ (.kind|downcase) +"-"+ (.metadata.namespace // "") +"-"+ .metadata.name' temp.yaml
+    )
+
+    # Delete the single yaml file
+    rm "$TMP_KUSTOMIZE_OUTPUT"
+
+    # Delete and recreate the actual manifests directory
+    MANIFEST_DIR="${REPO_ROOT}/openshift/catalogd/${OUTPUT_DIR}"
+    rm -rf "${MANIFEST_DIR}"
+    mkdir -p "${MANIFEST_DIR}"
+
+    # Copy everything we just generated and split into the actual manifests directory
+    cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/
+
+    # Update file names to be in the format nn-$kind-$namespace-$name
+    (
+        cd "$MANIFEST_DIR"
+
+        for f in *; do
+            # Get the numeric prefix from the filename
+            index=$(echo "$f" | cut -d '-' -f 1)
+            # Keep track of the full file name without the leading number and dash
+            name_without_index=${f#$index-}
+            # Fix the double dash in cluster-scoped names
+            name_without_index=${name_without_index//--/-}
+            # Reformat the name so the leading number is always padded to 2 digits
+            new_name=$(printf "%02d" "$index")-$name_without_index
+            # Some file names (namely CRDs) don't end in .yml - make them
+            if ! [[ "$new_name" =~ yml$ ]]; then
+                new_name="${new_name}".yml
+            fi
+            if [[ "$f" != "$new_name" ]]; then
+                # Rename
+                mv "$f" "${new_name}"
+            fi
+        done
+    )
+    rm -rf "$TMP_ROOT"
+}
+
+# Generate the manifests
+generate openshift manifests
+generate openshift-experimental manifests-experimental

openshift/catalogd/kustomize/overlays/openshift-experimental/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+- ../../../../../config/base/catalogd/crd/experimental
+- ../openshift/olmv1-ns
+- ../openshift/openshift-config
+- ../openshift/catalogs
+
+# Only those copinents that are part of catalogd TechPreview should be listed here
+components:
+- ../../../../../config/components/features/apiv1-metas-handler

openshift/catalogd/kustomize/overlays/openshift/kustomization.yaml

@@ -1,4 +1,5 @@
 resources:
+- ../../../../../config/base/catalogd/crd/standard
 - olmv1-ns
 - openshift-config
 - catalogs

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml

@@ -4,42 +4,10 @@ namespace: OPENSHIFT-NAMESPACE
 namePrefix: catalogd-
 
 resources:
-- ../../../../../../config/base/catalogd/crd
 - ../../../../../../config/base/catalogd/rbac
 - ../../../../../../config/base/catalogd/manager
 - ../../../../../../config/base/common
 - metrics
-- trusted-ca/catalogd_trusted_ca_configmap.yaml
-
-patches:
-- path: patches/manager_namespace_privileged.yaml
-- path: patches/manager_namespace_monitored.yaml
-- path: patches/manager_namespace_annotations.yaml
-- target:
-    kind: Service
-    name: service
-  path: patches/manager_service.yaml
-- target:
-    kind: MutatingWebhookConfiguration
-    name: mutating-webhook-configuration
-  path: patches/mutating_webhook_config.yaml
-- target:
-    kind: ClusterRole
-    name: manager-role
-  path: patches/manager_role.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_certs.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_mount_etc_containers.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_log_verbosity.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_node_selection.yaml
+- trusted-ca
+components:
+- patches

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/patches/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+- path: manager_namespace_privileged.yaml
+- path: manager_namespace_monitored.yaml
+- path: manager_namespace_annotations.yaml
+- target:
+    kind: Service
+    name: service
+  path: manager_service.yaml
+- target:
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
+  path: mutating_webhook_config.yaml
+- target:
+    kind: ClusterRole
+    name: manager-role
+  path: manager_role.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: manager_deployment_certs.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: manager_deployment_mount_etc_containers.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: manager_deployment_log_verbosity.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: manager_deployment_node_selection.yaml

openshift/catalogd/kustomize/overlays/openshift/olmv1-ns/trusted-ca/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- catalogd_trusted_ca_configmap.yaml 

openshift/catalogd/manifests-experimental/00-namespace-openshift-catalogd.yml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: management
+  labels:
+    app.kubernetes.io/part-of: olm
+    openshift.io/cluster-monitoring: "true"
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/warn-version: latest
+  name: openshift-catalogd