From 813eaf747596a000bfd876e871b398cecfdbc73d Mon Sep 17 00:00:00 2001 From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:11:09 +0000 Subject: [PATCH 1/2] fix: update PSA versions to match Kubernetes API version (#3524) In this commit, a new Makefile target `update-k8s-values` was created to automatically update the `pod-security.kubernetes.io/*-version` values (`enforceVersion`, `auditVersion`, `warnVersion`) in the Helm chart's `values.yaml` file. These values now align with the Kubernetes API version defined in `go.mod`, instead of using `latest`. This ensures better compatibility and avoids issues with unsupported versions in Kubernetes PSA. Upstream-repository: operator-lifecycle-manager Upstream-commit: efe3a9ac2e3358cdcaff03accea1e2ce96cd0d3f --- staging/operator-lifecycle-manager/Makefile | 15 +++++++++++++-- .../deploy/chart/values.yaml | 8 ++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/staging/operator-lifecycle-manager/Makefile b/staging/operator-lifecycle-manager/Makefile index db91104e2d..927584016d 100644 --- a/staging/operator-lifecycle-manager/Makefile +++ b/staging/operator-lifecycle-manager/Makefile @@ -259,7 +259,14 @@ e2e-local: e2e-build kind-create deploy e2e #SECTION Code Generation .PHONY: gen-all #HELP Update OLM API, generate code and mocks -gen-all: manifests codegen mockgen +gen-all: manifests codegen update-k8s-values mockgen + +.PHONY: update-k8s-values #HELP Update Helm Chart values with Kubernetes version +update-k8s-values: + sed -i.bak -E 's/^( *enforceVersion:).*/\1 "v$(KUBE_MINOR)"/' deploy/chart/values.yaml + sed -i.bak -E 's/^( *auditVersion:).*/\1 "v$(KUBE_MINOR)"/' deploy/chart/values.yaml + sed -i.bak -E 's/^( *warnVersion:).*/\1 "v$(KUBE_MINOR)"/' deploy/chart/values.yaml + rm deploy/chart/values.yaml.bak .PHONY: manifests manifests: vendor #HELP Copy OLM API CRD manifests to deploy/chart/crds 
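Review bot: update-k8s-values writes `$(KUBE_MINOR)` into values.yaml unchecked, so if the variable expands to nothing (its definition is outside this hunk) the three sed lines silently produce `enforceVersion: "v"`, a pod-security version string the admission controller cannot parse, and the following `rm` still succeeds. A guard as the first recipe line catches that case: `$(if $(strip $(KUBE_MINOR)),,$(error KUBE_MINOR is empty; cannot pin PSA versions))`. The same applies to update-k8s-manifests in the second patch's top-level Makefile hunk, which stamps the same value into every namespace manifest. The three passes could also be a single `sed -i.bak -E -e '…enforceVersion…' -e '…auditVersion…' -e '…warnVersion…'` so the file is rewritten once, and `$(RM) deploy/chart/values.yaml.bak` does not fail if the backup is already gone.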
@@ -296,8 +303,12 @@ verify-mockgen: mockgen #HELP Check mocks are up to date verify-manifests: manifests #HELP Check CRD manifests are up to date $(MAKE) diff +.PHONY: verify-update-k8s-values +verify-update-k8s-values: update-k8s-values #HELP Check if Helm Chart values are updated with k8s version + $(MAKE) diff + .PHONY: verify -verify: vendor verify-codegen verify-mockgen verify-manifests #HELP Run all verification checks +verify: vendor verify-codegen verify-mockgen verify-manifests verify-update-k8s-values #HELP Run all verification checks $(MAKE) diff #SECTION Release diff --git a/staging/operator-lifecycle-manager/deploy/chart/values.yaml b/staging/operator-lifecycle-manager/deploy/chart/values.yaml index ffb5891842..bbbe0272dc 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/values.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/values.yaml @@ -3,17 +3,17 @@ namespace: operator-lifecycle-manager # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details namespace_psa: enforceLevel: baseline - enforceVersion: latest + enforceVersion: "v1.30" auditLevel: restricted - auditVersion: latest + auditVersion: "v1.30" warnLevel: restricted - warnVersion: latest + warnVersion: "v1.30" catalog_namespace: operator-lifecycle-manager operator_namespace: operators # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details operator_namespace_psa: enforceLevel: baseline - enforceVersion: latest + enforceVersion: "v1.30" minKubeVersion: 1.11.0 writeStatusName: '""' imagestream: false From c27894852dd67b3cbed29861f46e54c22deabae8 Mon Sep 17 00:00:00 2001 
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Mon, 3 Mar 2025 13:28:09 +0000 Subject: [PATCH 2/2] Fix OCP PSA labels for OCP manifests with k8s version --- Makefile | 10 ++++++++++ manifests/0000_50_olm_00-namespace.yaml | 4 ++-- microshift-manifests/0000_50_olm_00-namespace.yaml | 4 ++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index f48de5de13..c80fb3bc5d 100644 --- a/Makefile +++ b/Makefile @@ -148,6 +148,16 @@ vendor: .PHONY: manifests manifests: ## Generate manifests OLM_VERSION=$(OLM_VERSION) ./scripts/generate_crds_manifests.sh + $(MAKE) update-k8s-manifests + +# Minor Kubernetes version to build against derived from the client-go dependency version +KUBE_MINOR ?= $(shell go list -m k8s.io/client-go | cut -d" " -f2 | sed 's/^v0\.\([[:digit:]]\{1,\}\)\.[[:digit:]]\{1,\}$$/1.\1/') + +.PHONY: update-k8s-manifests # HELP Update pod security versions in manifests with Kubernetes version +update-k8s-manifests: + find manifests microshift-manifests -type f -name '*.yaml' -exec \ + sed -i.bak -E 's/(pod-security.kubernetes.io\/[a-zA-Z-]+-version:).*/\1 "v$(KUBE_MINOR)"/g' {} +; + find manifests microshift-manifests -type f -name '*.yaml.bak' -delete .PHONY: generate-manifests generate-manifests: OLM_VERSION=0.0.1-snapshot diff --git a/manifests/0000_50_olm_00-namespace.yaml b/manifests/0000_50_olm_00-namespace.yaml index 5680a258d3..c3f092d88e 100644 --- a/manifests/0000_50_olm_00-namespace.yaml +++ b/manifests/0000_50_olm_00-namespace.yaml @@ -4,7 +4,7 @@ metadata: name: openshift-operator-lifecycle-manager labels: pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: "v1.24" + pod-security.kubernetes.io/enforce-version: "v1.30" openshift.io/scc: "" openshift.io/cluster-monitoring: "true" annotations: 
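Review bot: KUBE_MINOR's derivation fails open: the trailing `sed 's/^v0\.…$$/1.\1/'` prints its input unchanged when the pattern does not match, so a client-go version that is not a plain `v0.X.Y` (a pre-release or pseudo-version, for instance) leaves `$(KUBE_MINOR)` as the raw string and update-k8s-manifests then writes `"vv0.X.Y-…"` into every `pod-security.kubernetes.io/*-version` label. Using `sed -n 's/^v0\.…$$/1.\1/p'` makes a non-match yield an empty value, which a guard in the recipe can reject instead of committing an invalid version. Separately, `?=` gives the variable recursive flavour, so the `go list` pipeline is spawned again on every expansion of `$(KUBE_MINOR)`; adding `KUBE_MINOR := $(KUBE_MINOR)` right after it fixes the value once at parse time while keeping the command-line override. The `{} +;` on the find line also carries a stray `;` after the `+` terminator.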
@@ -21,7 +21,7 @@ metadata: name: openshift-operators labels: pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/enforce-version: "v1.24" + pod-security.kubernetes.io/enforce-version: "v1.30" openshift.io/scc: "" annotations: openshift.io/node-selector: "" diff --git a/microshift-manifests/0000_50_olm_00-namespace.yaml b/microshift-manifests/0000_50_olm_00-namespace.yaml index 5680a258d3..c3f092d88e 100644 --- a/microshift-manifests/0000_50_olm_00-namespace.yaml +++ b/microshift-manifests/0000_50_olm_00-namespace.yaml @@ -4,7 +4,7 @@ metadata: name: openshift-operator-lifecycle-manager labels: pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: "v1.24" + pod-security.kubernetes.io/enforce-version: "v1.30" openshift.io/scc: "" openshift.io/cluster-monitoring: "true" annotations: @@ -21,7 +21,7 @@ metadata: name: openshift-operators labels: pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/enforce-version: "v1.24" + pod-security.kubernetes.io/enforce-version: "v1.30" openshift.io/scc: "" annotations: openshift.io/node-selector: ""