diff --git a/go.mod b/go.mod
index c8960d0425..78d582221d 100644
--- a/go.mod
+++ b/go.mod
@@ -176,7 +176,6 @@ require (
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 github.com/openshift/client-go v0.0.0-20220525160904-9e1acff93e4a // indirect
- github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f // indirect
 github.com/otiai10/copy v1.2.0 // indirect
 github.com/pbnjay/strptime v0.0.0-20140226051138-5c05b0d668c9 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -272,7 +271,7 @@ replace (
 // use staged repositories
 github.com/operator-framework/api => ./staging/api
- github.com/operator-framework/operator-lifecycle-manager => ./staging/operator-lifecycle-manager
+ github.com/operator-framework/operator-lifecycle-manager => github.com/awgreene/operator-lifecycle-manager v0.0.0-20221027153047-4eddd8c797b1
 github.com/operator-framework/operator-registry => ./staging/operator-registry
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0
diff --git a/go.sum b/go.sum
index 5ca7b6f0c6..1976e331ad 100644
--- a/go.sum
+++ b/go.sum
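Review bot: The replace directive for github.com/operator-framework/operator-lifecycle-manager in the second hunk now resolves to a personal fork (github.com/awgreene/operator-lifecycle-manager at a pseudo-version) instead of the in-tree ./staging copy that the neighbouring api and operator-registry replace lines still use, and the vendored OLM tree later in this diff is rebuilt from that fork. The go.sum entries added for the fork pin its content, so the build stays reproducible, but the provenance of the vendored OLM code is now an individual account rather than the org repository or this repo's staging directory, which is the kind of deviation a dependency audit should be able to explain. A comment on the replace line stating why the fork is needed and which upstream change it carries would make this auditable and easy to revert, e.g. `// TODO: temporary fork pending <upstream PR>; restore ./staging/operator-lifecycle-manager once merged`. The removal of the cluster-policy-controller indirect require in the first hunk is consistent with the vendored files deleted further down.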
@@ -161,6 +161,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY= github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= +github.com/awgreene/operator-lifecycle-manager v0.0.0-20221027153047-4eddd8c797b1 h1:kX//xrcvGE2UjhTi3btA+W5chia3t/GizdKWaoy8Kgg= +github.com/awgreene/operator-lifecycle-manager v0.0.0-20221027153047-4eddd8c797b1/go.mod h1:CsiQ6vZePdRybtttLCf4WximQW6Xs0SgD6DlAFPDJMA= github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= github.com/aws/aws-sdk-go v1.17.7/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= 
@@ -987,8 +989,6 @@ github.com/openshift/api v0.0.0-20210517065120-b325f58df679/go.mod h1:dZ4kytOo3s github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0 h1:kMiuiZXH1GdfbiMwsuAQOqGaMxlo9NCUk0wT4XAdfNM= github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0/go.mod h1:uUQ4LClRO+fg5MF/P6QxjMCb1C9f7Oh4RKepftDnEJE= -github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f h1:ll0eE7rgGHsFlrI6ksr6nXL2ur8GYBe8Jj0GwNQ/1+o= -github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f/go.mod h1:r9ZZT5wjwoS2heBfYR26uJhhkGYwgmFqomu9ww0y9Qw= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= diff --git a/vendor/github.com/openshift/cluster-policy-controller/LICENSE b/vendor/github.com/openshift/cluster-policy-controller/LICENSE deleted file mode 100644 index 261eeb9e9f..0000000000 --- a/vendor/github.com/openshift/cluster-policy-controller/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions/nsexemptions.go b/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions/nsexemptions.go deleted file mode 100644 index b81dfb850d..0000000000 --- a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions/nsexemptions.go +++ /dev/null 
@@ -1,85 +0,0 @@
-package nsexemptions
-
-import "k8s.io/apimachinery/pkg/util/sets"
-
-// systemNSSyncExemptions is the list of namespaces deployed by an OpenShift install
-// payload, as retrieved by listing the namespaces after a successful installation
-// IMPORTANT: The Namespace openshift-operators must be an exception to this rule
-// since it is used by OCP/OLM users to install their Operator bundle solutions.
-var systemNSSyncExemptions = sets.NewString(
- // kube-specific system namespaces
- "default",
- "kube-node-lease",
- "kube-public",
- "kube-system",
-
- // openshift payload namespaces
- "openshift",
- "openshift-apiserver",
- "openshift-apiserver-operator",
- "openshift-authentication",
- "openshift-authentication-operator",
- "openshift-cloud-controller-manager",
- "openshift-cloud-controller-manager-operator",
- "openshift-cloud-credential-operator",
- "openshift-cloud-network-config-controller",
- "openshift-cluster-csi-drivers",
- "openshift-cluster-machine-approver",
- "openshift-cluster-node-tuning-operator",
- "openshift-cluster-samples-operator",
- "openshift-cluster-storage-operator",
- "openshift-cluster-version",
- "openshift-config",
- "openshift-config-managed",
- "openshift-config-operator",
- "openshift-console",
- "openshift-console-operator",
- "openshift-console-user-settings",
- "openshift-controller-manager",
- "openshift-controller-manager-operator",
- "openshift-dns",
- "openshift-dns-operator",
- "openshift-etcd",
- "openshift-etcd-operator",
- "openshift-host-network",
- "openshift-image-registry",
- "openshift-infra",
- "openshift-ingress",
- "openshift-ingress-canary",
- "openshift-ingress-operator",
- "openshift-insights",
- "openshift-kni-infra",
- "openshift-kube-apiserver",
- "openshift-kube-apiserver-operator",
- "openshift-kube-controller-manager",
- "openshift-kube-controller-manager-operator",
- "openshift-kube-scheduler",
- "openshift-kube-scheduler-operator",
- "openshift-kube-storage-version-migrator",
- "openshift-kube-storage-version-migrator-operator",
- "openshift-machine-api",
- "openshift-machine-config-operator",
- "openshift-marketplace",
- "openshift-monitoring",
- "openshift-multus",
- "openshift-network-diagnostics",
- "openshift-network-operator",
- "openshift-node",
- "openshift-nutanix-infra",
- "openshift-oauth-apiserver",
- "openshift-openstack-infra",
- "openshift-operator-lifecycle-manager",
- "openshift-ovirt-infra",
- "openshift-sdn",
- "openshift-service-ca",
- "openshift-service-ca-operator",
- "openshift-user-workload-monitoring",
- "openshift-vsphere-infra",
-)
-
-// IsNamespacePSALabelSyncExemptedInVendoredOCPVersion returns true if the given namespace should be exempted from
-// PSA label sync'ing. NOTE: the exemption list is OCP version dependent. Ensure that your vendored
-// version of 'cluster-policy-controller' is for the same OCP version as your project.
-func IsNamespacePSALabelSyncExemptedInVendoredOCPVersion(namespace string) bool {
- return systemNSSyncExemptions.Has(namespace)
-}
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/decorators/operator.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/decorators/operator.go
index f85d9ef790..4c50392b55 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/decorators/operator.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/decorators/operator.go
@@ -2,6 +2,7 @@ package decorators
 import (
 "fmt"
+ "sort"
 "strings"
 "github.com/itchyny/gojq"
@@ -331,6 +332,22 @@ func (o *Operator) AddComponents(components ...runtime.Object) error {
 o.Status.Components.Refs = append(o.Status.Components.Refs, refs...)
+ // Sort to ensure ordering
+ sort.SliceStable(o.Status.Components.Refs, func(i, j int) bool {
+ if o.Status.Components.Refs[i].Kind != o.Status.Components.Refs[j].Kind {
+ return o.Status.Components.Refs[i].Kind < o.Status.Components.Refs[j].Kind
+ }
+
+ if o.Status.Components.Refs[i].APIVersion != o.Status.Components.Refs[j].APIVersion {
+ return o.Status.Components.Refs[i].APIVersion < o.Status.Components.Refs[j].APIVersion
+ }
+
+ if o.Status.Components.Refs[i].Namespace != o.Status.Components.Refs[j].Namespace {
+ return o.Status.Components.Refs[i].Namespace < o.Status.Components.Refs[j].Namespace
+ }
+ return o.Status.Components.Refs[i].Name < o.Status.Components.Refs[j].Name
+ })
+
 return nil
 }
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
deleted file mode 100644
index d1105f5c9a..0000000000
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_csv_labeler.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package olm
-
-import (
- "context"
- "fmt"
-
- "github.com/operator-framework/api/pkg/operators/v1alpha1"
- "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
- "github.com/sirupsen/logrus"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-const labelSyncerLabelKey = ""
-
-func NewCSVLabelSyncerLabeler(client operatorclient.ClientInterface, logger *logrus.Logger) *CSVLabelSyncerLabeler {
- return &CSVLabelSyncerLabeler{
- client: client,
- logger: logger,
- }
-}
-
-type CSVLabelSyncerLabeler struct {
- client operatorclient.ClientInterface
- logger *logrus.Logger
-}
-
-func (c *CSVLabelSyncerLabeler) OnAddOrUpdate(csv *v1alpha1.ClusterServiceVersion) error {
- // ignore copied csvs
- if csv.IsCopied() {
- return nil
- }
-
- // ignore csv updates
- if csv.Status.LastTransitionTime != nil {
- return nil
- }
-
- namespace, err := c.client.KubernetesInterface().CoreV1().Namespaces().Get(context.Background(), csv.GetNamespace(), metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", csv.GetNamespace())
- }
-
- // add label sync'er label if it does not exist
- if _, ok := namespace.Labels[labelSyncerLabelKey]; !ok {
- nsCopy := namespace.DeepCopy()
- nsCopy.Labels[labelSyncerLabelKey] = "true"
- if _, err := c.client.KubernetesInterface().CoreV1().Namespaces().Update(context.Background(), namespace, metav1.UpdateOptions{}); err != nil {
- return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", nsCopy.GetNamespace())
- }
-
- if c.logger != nil {
- c.logger.Printf("[CSV LABEL] applied %s=true label to namespace %s", labelSyncerLabelKey, nsCopy.GetNamespace())
- }
- }
-
- return nil
-}
-
-func (c *CSVLabelSyncerLabeler) OnDelete(_ *v1alpha1.ClusterServiceVersion) error {
- return nil
-}
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go
deleted file mode 100644
index 35b7ae1e47..0000000000
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go
+++ /dev/null
@@ -1,13 +0,0 @@
-package olm
-
-import (
- "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins"
-)
-
-func init() {
- operatorPlugInFactoryFuncs = []plugins.OperatorPlugInFactoryFunc{
- // labels unlabeled non-payload openshift-* csv namespaces with
- // security.openshift.io/scc.podSecurityLabelSync: true
- plugins.NewCsvNamespaceLabelerPluginFunc,
- }
-}
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins/downstream_csv_namespace_labeler_plugin.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins/downstream_csv_namespace_labeler_plugin.go
deleted file mode 100644
index 710774c96e..0000000000
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins/downstream_csv_namespace_labeler_plugin.go
+++ /dev/null
@@ -1,368 +0,0 @@ -package plugins - -import ( - "context" - "fmt" - "strings" - "time" - - "github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions" - "github.com/operator-framework/api/pkg/operators/v1alpha1" - "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned" - listerv1alpha1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/listers/operators/v1alpha1" - "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate" - "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient" - "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer" - "github.com/sirupsen/logrus" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/watch" - listerv1 "k8s.io/client-go/listers/core/v1" - "k8s.io/client-go/tools/cache" - "k8s.io/client-go/util/workqueue" -) - -const NamespaceLabelSyncerLabelKey = "security.openshift.io/scc.podSecurityLabelSync" -const openshiftPrefix = "openshift-" - -const noCopiedCsvSelector = "!" + v1alpha1.CopiedLabelKey - -// csvNamespaceLabelerPlugin is responsible for labeling non-payload openshift-* namespaces -// with the label "security.openshift.io/scc.podSecurityLabelSync=true" so that the PSA Label Syncer -// see https://github.com/openshift/cluster-policy-controller/blob/master/pkg/psalabelsyncer/podsecurity_label_sync_controller.go -// can help ensure that the operator payloads in the namespace continue to work even if they don't yet respect the -// upstream Pod Security Admission controller, which will become active in k8s 1.25. -// see https://kubernetes.io/docs/concepts/security/pod-security-admission/ -// If a CSV is created or modified, this controller will look at the csv's namespace. 
If it is a non-payload namespace, -// if the namespace name is prefixed with 'openshift-', and if the namespace does not contain the label (whatever -// value it may be set to), it will add the "security.openshift.io/scc.podSecurityLabelSync=true" to the namespace. -type csvNamespaceLabelerPlugin struct { - namespaceLister listerv1.NamespaceLister - nonCopiedCsvListerMap map[string]listerv1alpha1.ClusterServiceVersionLister - kubeClient operatorclient.ClientInterface - externalClient versioned.Interface - logger *logrus.Logger -} - -func NewCsvNamespaceLabelerPluginFunc(ctx context.Context, config OperatorConfig, hostOperator HostOperator) (OperatorPlugin, error) { - - if hostOperator == nil { - return nil, fmt.Errorf("cannot initialize plugin: operator undefined") - } - - plugin := &csvNamespaceLabelerPlugin{ - kubeClient: config.OperatorClient(), - externalClient: config.ExternalClient(), - logger: config.Logger(), - namespaceLister: nil, - nonCopiedCsvListerMap: map[string]listerv1alpha1.ClusterServiceVersionLister{}, - } - - plugin.log("setting up csv namespace plug-in for namespaces: %s", config.WatchedNamespaces()) - - namespaceInformer := newNamespaceInformer(config.OperatorClient(), config.ResyncPeriod()()) - - plugin.log("registering namespace informer") - - plugin.namespaceLister = listerv1.NewNamespaceLister(namespaceInformer.GetIndexer()) - - namespaceQueue := workqueue.NewNamedRateLimitingQueue( - workqueue.DefaultControllerRateLimiter(), - "csv-ns-labeler-plugin-ns-queue", - ) - namespaceQueueInformer, err := queueinformer.NewQueueInformer( - ctx, - queueinformer.WithInformer(namespaceInformer), - queueinformer.WithLogger(config.Logger()), - queueinformer.WithQueue(namespaceQueue), - queueinformer.WithIndexer(namespaceInformer.GetIndexer()), - queueinformer.WithSyncer(plugin), - ) - if err != nil { - return nil, err - } - if err := hostOperator.RegisterQueueInformer(namespaceQueueInformer); err != nil { - return nil, err - } - - for _, namespace := 
range config.WatchedNamespaces() { - plugin.log("setting up namespace: %s", namespace) - // ignore namespaces that are *NOT* prefixed with openshift- but accept metav1.NamespaceAll - if !(hasOpenshiftPrefix(namespace)) && namespace != metav1.NamespaceAll { - continue - } - - nonCopiedCsvInformer := newNonCopiedCsvInformerForNamespace(namespace, config.ExternalClient(), config.ResyncPeriod()()) - - nonCopiedCsvQueue := workqueue.NewNamedRateLimitingQueue( - workqueue.DefaultControllerRateLimiter(), - fmt.Sprintf("%s/csv-ns-labeler-plugin-csv-queue", namespace), - ) - nonCopiedCsvQueueInformer, err := queueinformer.NewQueueInformer( - ctx, - queueinformer.WithInformer(nonCopiedCsvInformer), - queueinformer.WithLogger(config.Logger()), - queueinformer.WithQueue(nonCopiedCsvQueue), - queueinformer.WithIndexer(nonCopiedCsvInformer.GetIndexer()), - queueinformer.WithSyncer(plugin), - ) - if err != nil { - return nil, err - } - if err := hostOperator.RegisterQueueInformer(nonCopiedCsvQueueInformer); err != nil { - return nil, err - } - plugin.nonCopiedCsvListerMap[namespace] = listerv1alpha1.NewClusterServiceVersionLister(nonCopiedCsvInformer.GetIndexer()) - plugin.log("registered csv queue informer for: %s", namespace) - } - plugin.log("finished setting up csv namespace labeler plugin") - - return plugin, nil -} - -func (p *csvNamespaceLabelerPlugin) Shutdown() error { - return nil -} - -func (p *csvNamespaceLabelerPlugin) Sync(ctx context.Context, event kubestate.ResourceEvent) error { - // only act on csv added and updated events - if event.Type() != kubestate.ResourceAdded && event.Type() != kubestate.ResourceUpdated { - return nil - } - - var namespace *v1.Namespace - var err error - - // get namespace from the event resource - switch eventResource := event.Resource().(type) { - - // handle csv events - case *v1alpha1.ClusterServiceVersion: - // ignore copied csvs and namespaces that should be ignored - if eventResource.IsCopied() || 
ignoreNamespace(eventResource.GetNamespace()) { - return nil - } - - namespace, err = p.getNamespace(eventResource.GetNamespace()) - if err != nil { - return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", eventResource.GetNamespace()) - } - - // handle namespace events - case *v1.Namespace: - // ignore namespaces that should be ignored and ones that are already labeled - if ignoreNamespace(eventResource.GetName()) || hasLabelSyncerLabel(eventResource) { - return nil - } - - // get csv count for namespace - csvCount, err := p.countClusterServiceVersions(eventResource.GetName()) - if err != nil { - return fmt.Errorf("error counting csvs in namespace=%s: %s", eventResource.GetName(), err) - } - - // ignore namespaces with no csvs - if csvCount <= 0 { - return nil - } - - namespace = eventResource - default: - return fmt.Errorf("event resource is neither a ClusterServiceVersion or a Namespace") - } - - // add label sync'er label if it does not exist - if !(hasLabelSyncerLabel(namespace)) { - if err := applyLabelSyncerLabel(ctx, p.kubeClient, namespace); err != nil { - return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", namespace.GetNamespace()) - } - p.log("applied %s=true label to namespace %s", NamespaceLabelSyncerLabelKey, namespace.GetNamespace()) - } - - return nil -} - -func (p *csvNamespaceLabelerPlugin) getNamespace(namespace string) (*v1.Namespace, error) { - ns, err := p.namespaceLister.Get(namespace) - if err != nil { - return nil, err - } - return ns, nil -} - -func (p *csvNamespaceLabelerPlugin) countClusterServiceVersions(namespace string) (int, error) { - lister, ok := p.nonCopiedCsvListerMap[namespace] - if !ok { - lister, ok = p.nonCopiedCsvListerMap[metav1.NamespaceAll] - if !ok { - return 0, fmt.Errorf("no csv indexer found for namespace: %s", namespace) - } - } - labelSelector, err := labels.Parse(noCopiedCsvSelector) - if err != nil { - return 0, err - } - - csvList, err := 
lister.ClusterServiceVersions(namespace).List(labelSelector) - if err != nil { - return 0, err - } - return len(csvList), nil -} - -func (p *csvNamespaceLabelerPlugin) log(format string, args ...interface{}) { - if p.logger != nil { - p.logger.Infof("[CSV NS Plug-in] "+format, args...) - } -} - -// newNamespaceInformer creates a namespace informer that filters namespaces the plug-in is not interested in: -// payload namespaces (except openshift-operators) and non openshift- prefixed namespaces -// the informer also prunes the namespace objects to only keep basic type and object metadata and annotations -func newNamespaceInformer(k8sClient operatorclient.ClientInterface, resyncPeriod time.Duration) cache.SharedIndexInformer { - // create a namespace informer - pruneNamespace := func(namespace *v1.Namespace) { - namespace = &v1.Namespace{ - TypeMeta: namespace.TypeMeta, - ObjectMeta: metav1.ObjectMeta{ - Name: namespace.GetName(), - Namespace: namespace.GetNamespace(), - Annotations: namespace.GetAnnotations(), - }, - } - } - - return cache.NewSharedIndexInformer( - &cache.ListWatch{ - ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { - list, err := k8sClient.KubernetesInterface().CoreV1().Namespaces().List(context.Background(), options) - if err != nil { - return list, err - } - - // filter and prune namespaces - var filteredList []v1.Namespace - for i := range list.Items { - ns := list.Items[i] - if !(ignoreNamespace(ns.GetName())) { - pruneNamespace(&ns) - filteredList = append(filteredList, ns) - } - } - return &v1.NamespaceList{ - Items: filteredList, - }, nil - }, - WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { - nsWatch, err := k8sClient.KubernetesInterface().CoreV1().Namespaces().Watch(context.Background(), options) - if err != nil { - return nsWatch, err - } - return watch.Filter(nsWatch, func(e watch.Event) (watch.Event, bool) { - if ns, ok := e.Object.(*v1.Namespace); ok { - if !(ignoreNamespace(ns.GetName())) { 
- pruneNamespace(ns)
- return e, true
- }
- }
- return e, false
- }), nil
- },
- },
- &v1.Namespace{},
- resyncPeriod,
- cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
- )
-}
-
-// newNonCopiedCsvInformerForNamespace creates a csv-based informer that filters out copied csvs and csv events coming
-// from namespaces the plug-in is not interested in: payload namespaces (except openshift-operators) and
-// non openshift- prefixed namespaces
-// the informer also prunes the csvs to only keep basic type and object metadata and annotations
-func newNonCopiedCsvInformerForNamespace(namespace string, externalClient versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
- // create a new csv informer and prune status to reduce memory footprint
- pruneCSV := func(csv *v1alpha1.ClusterServiceVersion) {
- csv = &v1alpha1.ClusterServiceVersion{
- TypeMeta: csv.TypeMeta,
- ObjectMeta: metav1.ObjectMeta{
- Name: csv.GetName(),
- Namespace: csv.GetNamespace(),
- Annotations: csv.GetAnnotations(),
- },
- }
- }
-
- return cache.NewSharedIndexInformer(
- &cache.ListWatch{
- ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
- options.LabelSelector = noCopiedCsvSelector
- list, err := externalClient.OperatorsV1alpha1().ClusterServiceVersions(namespace).List(context.Background(), options)
- if err != nil {
- return list, err
- }
-
- // filter and prune csvs
- var filteredList []v1alpha1.ClusterServiceVersion
- for i := range list.Items {
- csv := list.Items[i]
- if !(ignoreNamespace(csv.GetNamespace())) {
- pruneCSV(&csv)
- filteredList = append(filteredList, csv)
- }
- }
- return &v1alpha1.ClusterServiceVersionList{
- Items: filteredList,
- }, nil
- },
- WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
- options.LabelSelector = noCopiedCsvSelector
- csvWatch, err := externalClient.OperatorsV1alpha1().ClusterServiceVersions(namespace).Watch(context.Background(), options)
- if err != nil {
- return
csvWatch, err
- }
- return watch.Filter(csvWatch, func(e watch.Event) (watch.Event, bool) {
- if csv, ok := e.Object.(*v1alpha1.ClusterServiceVersion); ok {
- if !(ignoreNamespace(csv.GetNamespace())) && !csv.IsCopied() {
- pruneCSV(csv)
- return e, true
- }
- }
- return e, false
- }), nil
- },
- },
- &v1alpha1.ClusterServiceVersion{},
- resyncPeriod,
- cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
- )
-}
-
-func hasOpenshiftPrefix(namespaceName string) bool {
- return strings.HasPrefix(namespaceName, openshiftPrefix)
-}
-
-func ignoreNamespace(namespace string) bool {
- // ignore non-openshift-* and payload openshift-* namespaces
- return !hasOpenshiftPrefix(namespace) || nsexemptions.IsNamespacePSALabelSyncExemptedInVendoredOCPVersion(namespace)
-}
-
-func applyLabelSyncerLabel(ctx context.Context, kubeClient operatorclient.ClientInterface, namespace *v1.Namespace) error {
- if _, ok := namespace.GetLabels()[NamespaceLabelSyncerLabelKey]; !ok {
- nsCopy := namespace.DeepCopy()
- if nsCopy.GetLabels() == nil {
- nsCopy.SetLabels(map[string]string{})
- }
- nsCopy.GetLabels()[NamespaceLabelSyncerLabelKey] = "true"
- if _, err := kubeClient.KubernetesInterface().CoreV1().Namespaces().Update(ctx, nsCopy, metav1.UpdateOptions{}); err != nil {
- return err
- }
- }
- return nil
-}
-
-func hasLabelSyncerLabel(namespace *v1.Namespace) bool {
- _, ok := namespace.GetLabels()[NamespaceLabelSyncerLabelKey]
- return ok
-}
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/operator_controller.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/operator_controller.go
index a8e6cab804..7e9300e015 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/operator_controller.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/operator_controller.go
@@ -3,6 +3,7 @@ package operators
 import (
 "context"
 "fmt"
+ "reflect"
 "github.com/go-logr/logr"
 appsv1 "k8s.io/api/apps/v1"
@@ -152,9 +153,11 @@ func (r *OperatorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 return ctrl.Result{Requeue: true}, nil
 }
 } else {
- if err := r.Status().Update(ctx, operator.Operator); err != nil {
- log.Error(err, "Could not update Operator status")
- return ctrl.Result{Requeue: true}, nil
+ if !reflect.DeepEqual(in.Status, operator.Operator.Status) {
+ if err := r.Status().Update(ctx, operator.Operator); err != nil {
+ log.Error(err, "Could not update Operator status")
+ return ctrl.Result{Requeue: true}, nil
+ }
 }
 }
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/filemonitor/cabundle_updater.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/filemonitor/cabundle_updater.go
index 4fcee4e457..58f577ef45 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/filemonitor/cabundle_updater.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/filemonitor/cabundle_updater.go
@@ -2,7 +2,7 @@ package filemonitor
 import (
 "crypto/x509"
- "io/ioutil"
+ "os"
 "sync"
 "github.com/fsnotify/fsnotify"
@@ -16,7 +16,7 @@ type certPoolStore struct {
 }
 func NewCertPoolStore(clientCAPath string) (*certPoolStore, error) {
- pem, err := ioutil.ReadFile(clientCAPath)
+ pem, err := os.ReadFile(clientCAPath)
 if err != nil {
 return nil, err
 }
@@ -31,7 +31,7 @@ func NewCertPoolStore(clientCAPath string) (*certPoolStore, error) {
 }
 func (c *certPoolStore) storeCABundle(clientCAPath string) error {
- pem, err := ioutil.ReadFile(clientCAPath)
+ pem, err := os.ReadFile(clientCAPath)
 if err == nil {
 c.mutex.Lock()
 defer c.mutex.Unlock()
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped/token_retriever.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped/token_retriever.go
index 058f3f4017..d3dbcee5db 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped/token_retriever.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped/token_retriever.go
@@ -82,6 +82,12 @@ func getAPISecret(logger logrus.FieldLogger, kubeclient operatorclient.ClientInt
 func filterSecretsBySAName(saName string, secrets *corev1.SecretList) map[string]*corev1.Secret {
 secretMap := make(map[string]*corev1.Secret)
 for _, ref := range secrets.Items {
+ // Avoid referencing the "ref" created by the range-for loop as
+ // the secret stored in the map will change if there are more
+ // entries in the list of secrets that the range-for loop is
+ // iterating over.
+ ref := ref
+
 annotations := ref.GetAnnotations()
 value := annotations[corev1.ServiceAccountNameKey]
 if value == saName {
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/storage/subresources.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/storage/subresources.go
index 45d30bd59b..455da45dc6 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/storage/subresources.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/storage/subresources.go
@@ -3,7 +3,7 @@ package storage
 import (
 "context"
 "encoding/base64"
- "io/ioutil"
+ "io"
 "net/http"
 "strconv"
 "strings"
@@ -68,7 +68,7 @@ func (s *LogoStorage) Connect(ctx context.Context, name string, options runtime.
 etag := `"` + strings.Join([]string{name, pkgChannel.Name, pkgChannel.CurrentCSV}, ".") + `"`
 reader := base64.NewDecoder(base64.StdEncoding, strings.NewReader(data))
- imgBytes, _ := ioutil.ReadAll(reader)
+ imgBytes, _ := io.ReadAll(reader)
 return imgBytes, mimeType, etag
 }
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/util/cpb/main.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/util/cpb/main.go
index ae9912bf97..5b1769bb37 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/util/cpb/main.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/util/cpb/main.go
@@ -2,7 +2,6 @@ package main
 import (
 "fmt"
- "io/ioutil"
 "os"
 "path/filepath"
@@ -118,7 +117,7 @@ func getMetadata() (m *metadata, err error) {
 m.annotationsFile = path
 // Unmarshal metadata
- content, err := ioutil.ReadFile(path)
+ content, err := os.ReadFile(path)
 if err != nil {
 return fmt.Errorf("couldn't get content of annotations.yaml file: %s", path)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 76b39cb323..171ebf77e6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -630,9 +630,6 @@ github.com/openshift/client-go/config/informers/externalversions/config
 github.com/openshift/client-go/config/informers/externalversions/config/v1
 github.com/openshift/client-go/config/informers/externalversions/internalinterfaces
 github.com/openshift/client-go/config/listers/config/v1
-# github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f
-## explicit; go 1.18
-github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions
 # github.com/operator-framework/api v0.17.1 => ./staging/api
 ## explicit; go 1.18
 github.com/operator-framework/api/crds
@@ -651,7 +648,7 @@ github.com/operator-framework/api/pkg/validation
 github.com/operator-framework/api/pkg/validation/errors
 github.com/operator-framework/api/pkg/validation/interfaces
 github.com/operator-framework/api/pkg/validation/internal
-# github.com/operator-framework/operator-lifecycle-manager v0.0.0-00010101000000-000000000000 => ./staging/operator-lifecycle-manager
+# github.com/operator-framework/operator-lifecycle-manager v0.0.0-00010101000000-000000000000 => github.com/awgreene/operator-lifecycle-manager v0.0.0-20221027153047-4eddd8c797b1
 ## explicit; go 1.18
 github.com/operator-framework/operator-lifecycle-manager/cmd/catalog
 github.com/operator-framework/operator-lifecycle-manager/cmd/olm
@@ -2185,7 +2182,7 @@ sigs.k8s.io/yaml
 # github.com/openshift/api => github.com/openshift/api v0.0.0-20210517065120-b325f58df679
 # github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0
 # github.com/operator-framework/api => ./staging/api
-# github.com/operator-framework/operator-lifecycle-manager => ./staging/operator-lifecycle-manager
+# github.com/operator-framework/operator-lifecycle-manager => github.com/awgreene/operator-lifecycle-manager v0.0.0-20221027153047-4eddd8c797b1
 # github.com/operator-framework/operator-registry => ./staging/operator-registry
 # go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0
 # go.opentelemetry.io/otel => go.opentelemetry.io/otel v0.20.0