Support Global Operators in Console

[awgreene]

Problem: Users rely on Copied CSVs in order to understand which
operators are available in a given namespace. When installing All
Namespace operators, a Copied CSV is created in every namespace which
can place a huge performance strain on clusters with many namespaces.
OLM introduced the ability to disable Copied CSVs for All Namespace mode
operators in an effort to resolve the performance issues on large clusters,
unfortunately removing the ability for console to communicate which global
operators are available in a given namespace.

Solution: The protectedCopiedCSVNamespaces runtime flag can be used to
prevent Copied CSVs from being deleted in certain namespaces even when
Copied CSVs are disabled. OLM has been configured to ensure that Copied CSVs
are protected in the openshift namespace. OLM's manifest yaml has also been
updated to provide authenticated users with the RBAC to view CSVs in the
openshift namespace, which console can then use to communicate which operators
are available globally.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [awgreene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[timflannagan]

/test all

[awgreene]

/retest

[timflannagan]

I'm looking at the second commit changes, and I just want to make sure I'm understanding it correctly:

            - --protectedCopiedCSVNamespaces
            - openshift

Is "openshift" the right value here, or do we need to specify something like "openshift-operators", "openshift-console", etc.?

[tylerslaton]

/retest

[timflannagan]

It looks like this might be related to the CI failures:

{  fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:232]: Jul 27 20:24:39.743: system:authenticated has extra permissions in namespace "openshift":
{APIGroups:["operators.coreos.com"], Resources:["clusterserviceversions"], Verbs:["get" "list" "watch"]}
Ginkgo exit error 1: exit with code 1}

[awgreene]

I've opened openshift/origin#27326 to address this.

[timflannagan]

Note: The PR that Alex had linked is now merged. Looking at the e2e-gcp check, it looks like those changes worked, and we're back in business.

[timflannagan]

/hold

[awgreene]

I kept hitting formatting errors when attempting to add 2 lines to the array with a single update command, if anyone knows how to do this in a single update please chime in.

[timflannagan]

/test all

[timflannagan]

/test unit-olm

[exdx]

This List() might be quite expensive. Is there an implementation where we don't rely on knowing all namespaces on the cluster, just the ones that are in the flag?

[exdx]

Oh wait, it's hitting the cache. This is likely fine then.

[openshift-ci]

@awgreene: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-olm-flaky	c2ec825	link	false	/test e2e-gcp-olm-flaky

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[timflannagan]

/lgtm
/hold cancel