OCPVE-647: annotate manifests with capability name

bindata/bootstrap/cloudcredential_v1_credentialsrequest_crd.yaml

@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
   name: credentialsrequests.cloudcredential.openshift.io

bindata/bootstrap/cloudcredential_v1_operator_config_custresdef.yaml

@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     api-approved.openshift.io: https://github.com/openshift/api/pull/692
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"

bindata/bootstrap/namespace.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     openshift.io/node-selector: ""
   labels:
     controller-tools.k8s.io: "1.0"

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/nutanix-cloud-native/prism-go-client v0.2.1-0.20220804130801-c8a253627c64
-	github.com/openshift/api v0.0.0-20230724190601-61a5301895a5
+	github.com/openshift/api v0.0.0-20231204192004-bfea29e5e6c4
 	github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533
 	github.com/openshift/library-go v0.0.0-20230620084201-504ca4bd5a83
 	github.com/pkg/errors v0.9.1

go.sum

@@ -614,8 +614,8 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
-github.com/openshift/api v0.0.0-20230724190601-61a5301895a5 h1:0n+J2TGJ/VssCO952qLcZtlLqb1sx57XHFA4aQZTL/E=
-github.com/openshift/api v0.0.0-20230724190601-61a5301895a5/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs=
+github.com/openshift/api v0.0.0-20231204192004-bfea29e5e6c4 h1:5RyeLvTSZEn/fDQA6e6+qIvFPssWjreY8pbwfg4/EEQ=
+github.com/openshift/api v0.0.0-20231204192004-bfea29e5e6c4/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
 github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533 h1:mh3ZYs7kPIIe3UUY6tJcTExmtjnXXUu0MrBuK2W/Qvw=
 github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/library-go v0.0.0-20230620084201-504ca4bd5a83 h1:z7tTnbZ2bzPtXjVnWHWCtUCBYrZYeKJitkV1rffmMY8=

manifests/00-clusterreader_clusterrole.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 rules:

manifests/00-config-custresdef.yaml

@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     api-approved.openshift.io: https://github.com/openshift/api/pull/692
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"

manifests/00-namespace.yaml → manifests/0000_03_cloud-credential-operator_00_namespace.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     openshift.io/node-selector: ""

manifests/00-crd.yaml → manifests/0000_03_cloud-credential-operator_01_crd.yaml

@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
   name: credentialsrequests.cloudcredential.openshift.io

manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml → manifests/0000_90_cloud-credential-operator_00_prometheusrole.yaml

@@ -4,6 +4,7 @@ metadata:
   name: prometheus-k8s
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 rules:

manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml → manifests/0000_90_cloud-credential-operator_01_prometheusrolebinding.yaml

@@ -4,6 +4,7 @@ metadata:
   name: prometheus-k8s
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:

manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml → manifests/0000_90_cloud-credential-operator_02_servicemonitor.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 spec:

manifests/0000_90_cloud-credential-operator_04_alertrules.yaml → manifests/0000_90_cloud-credential-operator_03_alertrules.yaml

@@ -2,6 +2,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
   name: cloud-credential-operator-alerts

manifests/01-cluster-role-binding.yaml

@@ -4,6 +4,7 @@ metadata:
   creationTimestamp: null
   name: cloud-credential-operator-rolebinding
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:

manifests/01-cluster-role.yaml

@@ -4,6 +4,7 @@ metadata:
   creationTimestamp: null
   name: cloud-credential-operator-role
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 rules:

manifests/01-config-role-binding.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator
   namespace: openshift-config-managed
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 subjects:

manifests/01-config-role.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator-role
   namespace: openshift-config-managed
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 rules:

manifests/01-operator-config.yaml

@@ -3,6 +3,7 @@ kind: CloudCredential
 metadata:
   name: cluster
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/create-only: "true"

manifests/01-role-binding.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 subjects:

manifests/01-role.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator-role
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 rules:

manifests/01-service-delete.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/delete: "true"
   labels:

manifests/01-service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     service.alpha.openshift.io/serving-cert-secret-name: cloud-credential-operator-serving-cert

manifests/01-trusted-ca-configmap.yaml

@@ -6,5 +6,6 @@ metadata:
   name: cco-trusted-ca
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"

manifests/02-sa.yaml

@@ -4,5 +4,6 @@ metadata:
   name: cloud-credential-operator
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"

manifests/03-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
+    capability.openshift.io/name: CloudCredential
     config.openshift.io/inject-proxy: cloud-credential-operator
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"

manifests/04-cluster-operator.yaml

@@ -3,6 +3,7 @@ kind: ClusterOperator
 metadata:
   name: cloud-credential
   annotations:
+    capability.openshift.io/name: CloudCredential
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 status:

manifests/05-gcp-ro-credentialsrequest.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator-gcp-ro-creds
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 spec:

manifests/05-iam-ro-credentialsrequest.yaml

@@ -4,6 +4,7 @@ metadata:
   name: cloud-credential-operator-iam-ro
   namespace: openshift-cloud-credential-operator
   annotations:
+    capability.openshift.io/name: CloudCredential
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
 spec:

pkg/cmd/render/render.go

@@ -19,17 +19,19 @@ package render
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"text/template"
 
+	v1 "github.com/openshift/api/config/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	corev1 "k8s.io/api/core/v1"
-	yaml "k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/apimachinery/pkg/util/yaml"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
 
@@ -143,14 +145,21 @@ func runRenderCmd(cmd *cobra.Command, args []string) {
 func render() error {
 	operatorDisabledViaConfigmap := isDisabledViaConfigmap()
 
-	installConfigMode, err := getModeFromInstallConfig()
+	installConfig, err := getInstallConfig()
 	if err != nil {
-		return err
+		return errors.Wrap(err, "failed to read install config")
 	}
+
+	installConfigMode := installConfig.CredentialsMode
+
 	if !isValidMode(installConfigMode) {
 		return fmt.Errorf("invalid mode defined: %s", installConfigMode)
 	}
 
+	if isDisabledViaCapability(installConfig.Capabilities) {
+		return nil
+	}
+
 	effectiveMode, conflict := utils.GetEffectiveOperatorMode(operatorDisabledViaConfigmap, installConfigMode)
 
 	if conflict {
@@ -201,7 +210,7 @@ func render() error {
 		podPath := filepath.Join(ccoRenderDir, bootstrapManifestsDir, podYamlFilename)
 		podContent := fmt.Sprintf(podTemplate, renderOpts.ccoImage)
 		log.Infof("writing file: %s", podPath)
-		err := ioutil.WriteFile(podPath, []byte(podContent), 0644)
+		err := os.WriteFile(podPath, []byte(podContent), 0644)
 		if err != nil {
 			return errors.Wrap(err, "failed to write file")
 		}
@@ -212,9 +221,23 @@ func render() error {
 	return nil
 }
 
+func isDisabledViaCapability(capabilities *v1.ClusterVersionCapabilitiesSpec) bool {
+	baselineSet := v1.ClusterVersionCapabilitySetCurrent
+	if capabilities != nil && capabilities.BaselineCapabilitySet != "" {
+		baselineSet = capabilities.BaselineCapabilitySet
+	}
+
+	enabledCaps := sets.New[v1.ClusterVersionCapability](v1.ClusterVersionCapabilitySets[baselineSet]...)
+	if capabilities != nil {
+		enabledCaps.Insert(capabilities.AdditionalEnabledCapabilities...)
+	}
+
+	return !enabledCaps.Has(v1.ClusterVersionCapabilityCloudCredential)
+}
+
 func writeFile(filePath string, fileData []byte) error {
 	log.Infof("Writing file: %s", filePath)
-	err := ioutil.WriteFile(filePath, fileData, 0644)
+	err := os.WriteFile(filePath, fileData, 0644)
 	if err != nil {
 		return errors.Wrap(err, "failed to write file")
 	}
@@ -264,42 +287,44 @@ func isDisabledViaConfigmap() bool {
 }
 
 type basicInstallConfig struct {
-	CredentialsMode operatorv1.CloudCredentialsMode `json:"credentialsMode"`
+	CredentialsMode operatorv1.CloudCredentialsMode    `json:"credentialsMode"`
+	Capabilities    *v1.ClusterVersionCapabilitiesSpec `json:"capabilities"`
 }
 
-func getModeFromInstallConfig() (operatorv1.CloudCredentialsMode, error) {
+func getInstallConfig() (*basicInstallConfig, error) {
+	instConf := &basicInstallConfig{}
 
 	// if we were not provided a place to search for the install-time manifests,
 	// just return the default cloudCredentialsMode (empty string)
 	if renderOpts.manifestsDir == "" {
-		return "", nil
+		return instConf, nil
 	}
 
 	cm, err := getConfigMap(renderOpts.manifestsDir, installConfigNamespace, installConfigName)
 	if err != nil {
-		return "", errors.Wrapf(err, "failed to find configmap %s/%s in manifests", installConfigNamespace, installConfigName)
+		return nil, errors.Wrapf(err, "failed to find configmap %s/%s in manifests", installConfigNamespace, installConfigName)
 	}
 	if cm == nil {
-		return "", fmt.Errorf("failed to find configmap %s/%s in manifests", installConfigNamespace, installConfigName)
+		return nil, fmt.Errorf("failed to find configmap %s/%s in manifests", installConfigNamespace, installConfigName)
 	}
 
 	data, ok := cm.Data[installConfigKeyName]
 	if !ok {
-		return "", fmt.Errorf("did not find key %s in configmap %s/%s", installConfigKeyName, installConfigNamespace, installConfigName)
+		return nil, fmt.Errorf("did not find key %s in configmap %s/%s", installConfigKeyName, installConfigNamespace, installConfigName)
 	}
 
 	decoder := yaml.NewYAMLOrJSONDecoder(bytes.NewReader([]byte(data)), 4096)
-	instConf := &basicInstallConfig{}
 	if err := decoder.Decode(instConf); err != nil {
-		return "", errors.Wrap(err, "failed to decode install config")
+		return nil, errors.Wrap(err, "failed to decode install config")
 	}
 	log.Debugf("install-config contains CredentialsMode: %s", instConf.CredentialsMode)
-	return instConf.CredentialsMode, nil
+
+	return instConf, nil
 }
 
 func getConfigMap(manifestsDir, namespace, name string) (*corev1.ConfigMap, error) {
 
-	files, err := ioutil.ReadDir(manifestsDir)
+	files, err := os.ReadDir(manifestsDir)
 	if err != nil {
 		log.WithError(err).Errorf("failed to list files in %s", manifestsDir)
 		return nil, err