OPRUN-4017: Synchronize From Upstream Repositories

Makefile

@@ -142,18 +142,23 @@ tidy:
 
 .PHONY: manifests
 KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac
-KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/manager/webhook
+KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook
 KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
 # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files
 # So we have to generate them together and then move them into place
 manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	# Generate CRDs via our own generator
 	hack/tools/update-crds.sh
-	# Generate the remaining operator-controller manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)
-	# Generate the remaining catalogd manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)
+	# Generate the remaining operator-controller standard manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
+	# Generate the remaining operator-controller experimental manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
+	# Generate the remaining catalogd standard manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard
+	# Generate the remaining catalogd experimental manifests
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental
 	# Generate manifests stored in source-control
 	mkdir -p $(MANIFEST_HOME)
 	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST)
@@ -278,18 +283,13 @@ test-experimental-e2e: run image-registry prometheus experimental-e2e e2e e2e-me
 prometheus: PROMETHEUS_NAMESPACE := olmv1-system
 prometheus: PROMETHEUS_VERSION := v0.83.0
 prometheus: #EXHELP Deploy Prometheus into specified namespace
-	./hack/test/setup-monitoring.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE)
+	./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION)
 
-# The metrics.out file contains raw json data of the metrics collected during a test run.
-# In an upcoming PR, this query will be replaced with one that checks for alerts from
-# prometheus. Prometheus will gather metrics we currently query for over the test run, 
-# and provide alerts from the metrics based on the rules that we set.
+# The output alerts.out file contains any alerts, pending or firing, collected during a test run in json format.
 .PHONY: e2e-metrics
+e2e-metrics: ALERTS_FILE_PATH := $(if $(ARTIFACT_PATH),$(ARTIFACT_PATH),.)/alerts.out
 e2e-metrics: #EXHELP Request metrics from prometheus; place in ARTIFACT_PATH if set
-	curl -X POST \
-	-H "Content-Type: application/x-www-form-urlencoded" \
-	--data 'query={pod=~"operator-controller-controller-manager-.*|catalogd-controller-manager-.*"}' \
-	http://localhost:30900/api/v1/query > $(if $(ARTIFACT_PATH),$(ARTIFACT_PATH),.)/metrics.out
+	curl -X GET http://localhost:30900/api/v1/alerts | jq 'if (.data.alerts | length) > 0 then .data.alerts.[] else empty end' > $(ALERTS_FILE_PATH)
 
 .PHONY: extension-developer-e2e
 extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e

codecov.yml

@@ -10,12 +10,16 @@ coverage:
       default:
         target: auto
         threshold: 2%
+        paths:
+          - "api/"
+          - "cmd/"
+          - "internal/"
     patch:
       default:
         target: auto
         threshold: 1%
-  paths:
-    - "api/"
-    - "cmd/"
-    - "internal/"
+        paths:
+          - "api/"
+          - "cmd/"
+          - "internal/"
 

commitchecker.yaml

@@ -1,4 +1,4 @@
-expectedMergeBase: 36809b312a523019c98655a9fda396e0f1588318
+expectedMergeBase: 850e4a128012f99f95fea9b521be5c6edf1d0d86
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

config/README.md

@@ -27,6 +27,14 @@ This provides additional configuration support for end-to-end testing, including
 
 This configuration is used to generate `manifests/standard-e2e.yaml`.
 
+## config/overlays/prometheus
+
+Overlay containing manifest files which enable prometheus scraping of the catalogd and operator-controller pods. Used during e2e runs to measure performance over the lifetime of the test. 
+
+These manifests will not end up in the `manifests/` folder, as they must be applied in two distinct steps to avoid issues with applying prometheus CRDs and CRs simultaneously.
+
+Performance alert settings can be found in: `config/overlays/prometheus/prometheus_rule.yaml`
+
 ## config/overlays/experimental
 
 This provides additional configuration used to support experimental features, including CRDs. This configuration requires cert-manager.

config/base/catalogd/kustomization.yaml

@@ -1,8 +1,6 @@
 # Does not include the CRD, which must be added separately (it's non-namespaced)
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: olmv1-system
 namePrefix: catalogd-
 resources:
-- rbac
 - manager

config/base/catalogd/manager/kustomization.yaml

@@ -2,17 +2,9 @@ resources:
 - manager.yaml
 - service.yaml
 - network_policy.yaml
-- webhook/manifests.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
   newName: quay.io/operator-framework/catalogd
   newTag: devel
-patches:
-- path: webhook/patch.yaml
-  target:
-    group: admissionregistration.k8s.io
-    kind: MutatingWebhookConfiguration
-    name: mutating-webhook-configuration
-    version: v1

config/base/catalogd/manager/manager.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system
   annotations:
     kubectl.kubernetes.io/default-logs-container: manager
   labels:

config/base/catalogd/manager/network_policy.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system
 spec:
   podSelector:
     matchLabels:

config/base/catalogd/manager/service.yaml

@@ -5,7 +5,7 @@ metadata:
       app.kubernetes.io/part-of: olm
       app.kubernetes.io/name: catalogd
   name: service
-  namespace: system
+  namespace: olmv1-system
 spec:
   selector:
     control-plane: catalogd-controller-manager

config/base/catalogd/rbac/auth_proxy_role_binding.yaml → config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml

@@ -12,4 +12,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system

config/base/catalogd/rbac/common/kustomization.yaml

@@ -0,0 +1,19 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml

config/base/catalogd/rbac/leader_election_role.yaml → config/base/catalogd/rbac/common/leader_election_role.yaml

@@ -6,6 +6,7 @@ metadata:
     app.kubernetes.io/part-of: olm
     app.kubernetes.io/name: catalogd
   name: leader-election-role
+  namespace: olmv1-system
 rules:
 - apiGroups:
   - ""

config/base/catalogd/rbac/leader_election_role_binding.yaml → config/base/catalogd/rbac/common/leader_election_role_binding.yaml

@@ -5,11 +5,12 @@ metadata:
     app.kubernetes.io/part-of: olm
     app.kubernetes.io/name: catalogd
   name: leader-election-rolebinding
+  namespace: olmv1-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system

config/base/catalogd/rbac/role_binding.yaml → config/base/catalogd/rbac/common/role_binding.yaml

@@ -12,7 +12,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -21,12 +21,12 @@ metadata:
     app.kubernetes.io/part-of: olm
     app.kubernetes.io/name: catalogd
   name: manager-rolebinding
-  namespace: system
+  namespace: olmv1-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: manager-role
 subjects:
   - kind: ServiceAccount
     name: controller-manager
-    namespace: system
+    namespace: olmv1-system

config/base/catalogd/rbac/service_account.yaml → config/base/catalogd/rbac/common/service_account.yaml

@@ -5,4 +5,4 @@ metadata:
     app.kubernetes.io/part-of: olm
     app.kubernetes.io/name: catalogd
   name: controller-manager
-  namespace: system
+  namespace: olmv1-system

config/base/catalogd/rbac/experimental/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+resources:
+- ../common
+- role.yaml

config/base/catalogd/rbac/role.yaml → config/base/catalogd/rbac/experimental/role.yaml

@@ -35,7 +35,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: manager-role
-  namespace: system
+  namespace: olmv1-system
 rules:
 - apiGroups:
   - ""

config/base/catalogd/rbac/kustomization.yaml

@@ -1,20 +1,4 @@
+# This kustomization picks the standard rbac by default
+# If the experimental rbac is desired, select that directory explicitly
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# The following RBAC configurations are used to protect
-# the metrics endpoint with authn/authz. These configurations
-# ensure that only authorized users and service accounts
-# can access the metrics endpoint. Comment the following
-# permissions if you want to disable this protection.
-# More info: https://book.kubebuilder.io/reference/metrics.html
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- standard

config/base/catalogd/rbac/standard/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+resources:
+  - ../common
+  - role.yaml

config/base/catalogd/rbac/standard/role.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clustercatalogs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clustercatalogs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - olm.operatorframework.io
+  resources:
+  - clustercatalogs/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role
+  namespace: olmv1-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch

config/base/catalogd/webhook/experimental/kustomization.yaml

@@ -0,0 +1,13 @@
+resources:
+- manifests.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+patches:
+- path: patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
+    version: v1

config/base/catalogd/webhook/kustomization.yaml

@@ -0,0 +1,4 @@
+# This kustomization picks the standard webhook by default
+# If the experimental webhook is desired, select that directory explicitly
+resources:
+- standard

config/base/catalogd/webhook/standard/kustomization.yaml

@@ -0,0 +1,13 @@
+resources:
+- manifests.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+patches:
+- path: patch.yaml
+  target:
+    group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
+    version: v1

config/base/catalogd/webhook/standard/manifests.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-olm-operatorframework-io-v1-clustercatalog
+  failurePolicy: Fail
+  name: inject-metadata-name.olm.operatorframework.io
+  rules:
+  - apiGroups:
+    - olm.operatorframework.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustercatalogs
+  sideEffects: None
+  timeoutSeconds: 10