Merge pull request openshift#880 from zeeke/ds-sync-20240104

Downstream Sync 20240104
zeeke · Jan 25, 2024 · 5898650 · 5898650
2 parents 3bd85f3 + c6c97ba
commit 5898650
Show file tree

Hide file tree

Showing 30 changed files with 321 additions and 116 deletions.
diff --git a/Makefile b/Makefile
@@ -14,14 +14,16 @@ IMAGE_BUILDER?=docker
 IMAGE_BUILD_OPTS?=
 DOCKERFILE?=Dockerfile
 DOCKERFILE_CONFIG_DAEMON?=Dockerfile.sriov-network-config-daemon
+DOCKERFILE_WEBHOOK?=Dockerfile.webhook
 
 CRD_BASES=./config/crd/bases
 
 export APP_NAME?=sriov-network-operator
 TARGET=$(TARGET_DIR)/bin/$(APP_NAME)
 IMAGE_REPO?=ghcr.io/k8snetworkplumbingwg
 IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME):latest
-CONFIG_DAEMON_IMAGE_TAG?=$(IMAGE_REPO)/sriov-network-config-daemon:latest
+CONFIG_DAEMON_IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME)-config-daemon:latest
+WEBHOOK_IMAGE_TAG?=$(IMAGE_REPO)/$(APP_NAME)-webhook:latest
 MAIN_PKG=cmd/manager/main.go
 export NAMESPACE?=openshift-sriov-network-operator
 export WATCH_NAMESPACE?=openshift-sriov-network-operator
@@ -74,9 +76,10 @@ clean:
 update-codegen:
 	hack/update-codegen.sh
 
-image: ; $(info Building image...)
+image: ; $(info Building images...)
 	$(IMAGE_BUILDER) build -f $(DOCKERFILE) -t $(IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS)
 	$(IMAGE_BUILDER) build -f $(DOCKERFILE_CONFIG_DAEMON) -t $(CONFIG_DAEMON_IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS)
+	$(IMAGE_BUILDER) build -f $(DOCKERFILE_WEBHOOK) -t $(WEBHOOK_IMAGE_TAG) $(CURPATH) $(IMAGE_BUILD_OPTS)
 
 # Run tests
 test: generate vet manifests envtest
@@ -176,7 +179,7 @@ skopeo:
 fakechroot:
 	if ! which fakechroot; then if [ -f /etc/redhat-release ]; then dnf -y install fakechroot; elif [ -f /etc/lsb-release ]; then sudo apt-get -y update; sudo apt-get -y install fakechroot; fi; fi
 
-deploy-setup: export ENABLE_ADMISSION_CONTROLLER?=false
+deploy-setup: export ADMISSION_CONTROLLERS_ENABLED?=false
 deploy-setup: skopeo install
 	hack/deploy-setup.sh $(NAMESPACE)
 
@@ -220,7 +223,7 @@ test-%: generate vet manifests envtest
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir=/tmp -p path)" HOME="$(shell pwd)" go test ./$*/... -coverprofile cover-$*.out -coverpkg ./... -v
 
 # deploy-setup-k8s: export NAMESPACE=sriov-network-operator
-# deploy-setup-k8s: export ENABLE_ADMISSION_CONTROLLER=false
+# deploy-setup-k8s: export ADMISSION_CONTROLLERS_ENABLED=false
 # deploy-setup-k8s: export CNI_BIN_PATH=/opt/cni/bin
 # test-e2e-k8s: test-e2e
 

diff --git a/Makefile.bundle b/Makefile.bundle
@@ -1,6 +1,6 @@
 include Makefile
 # Current Operator version
-VERSION ?= 4.15.0
+VERSION ?= 4.16.0
 # Default bundle image tag
 BUNDLE_IMG ?= controller-bundle:$(VERSION)
 

diff --git a/bindata/manifests/operator-webhook/001-service.yaml b/bindata/manifests/operator-webhook/001-service.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: {{.Namespace}}
   annotations:
     {{- if eq .ClusterType "openshift" }}
-    service.alpha.openshift.io/serving-cert-secret-name: operator-webhook-service
+    service.alpha.openshift.io/serving-cert-secret-name: {{.OperatorWebhookSecretName}}
     {{- end }}
 spec:
   ports:

diff --git a/bindata/manifests/operator-webhook/003-webhook.yaml b/bindata/manifests/operator-webhook/003-webhook.yaml
@@ -6,8 +6,10 @@ metadata:
   annotations:
     {{- if eq .ClusterType "openshift" }}
     service.beta.openshift.io/inject-cabundle: "true"
-    {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }}
-    cert-manager.io/inject-ca-from: {{.Namespace}}/operator-webhook-service
+    {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+    # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
+    # more variables.
+    cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}}
     {{- end }}
 webhooks:
   - name: operator-webhook.sriovnetwork.openshift.io
@@ -19,9 +21,9 @@ webhooks:
         name: operator-webhook-service
         namespace: {{.Namespace}}
         path: "/mutating-custom-resource"
-      {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }}
-      caBundle: "{{.CaBundle}}"
-      {{- end}}
+      {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+      caBundle: "{{.OperatorWebhookCA}}"
+      {{- end }}
     rules:
       - operations: [ "CREATE", "UPDATE" ]
         apiGroups: ["sriovnetwork.openshift.io"]
@@ -36,8 +38,10 @@ metadata:
   annotations:
     {{- if eq .ClusterType "openshift" }}
     service.beta.openshift.io/inject-cabundle: "true"
-    {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }}
-    cert-manager.io/inject-ca-from: {{.Namespace}}/operator-webhook-service
+    {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+    # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
+    # more variables.
+    cert-manager.io/inject-ca-from: {{.Namespace}}/{{.OperatorWebhookSecretName}}
     {{- end }}
 webhooks:
   - name: operator-webhook.sriovnetwork.openshift.io
@@ -49,8 +53,8 @@ webhooks:
         name: operator-webhook-service
         namespace: {{.Namespace}}
         path: "/validating-custom-resource"
-      {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }}
-      caBundle: "{{.CaBundle}}"
+      {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+      caBundle: "{{.OperatorWebhookCA}}"
       {{- end }}
     rules:
       - operations: [ "CREATE", "UPDATE", "DELETE" ]

diff --git a/bindata/manifests/operator-webhook/server.yaml b/bindata/manifests/operator-webhook/server.yaml
@@ -88,4 +88,4 @@ spec:
       volumes:
       - name: tls
         secret:
-          secretName: operator-webhook-service
+          secretName: {{.OperatorWebhookSecretName}}
diff --git a/bindata/manifests/webhook/001-service.yaml b/bindata/manifests/webhook/001-service.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: {{.Namespace}}
   annotations:
     {{- if eq .ClusterType "openshift" }}
-    service.alpha.openshift.io/serving-cert-secret-name: network-resources-injector-secret
+    service.alpha.openshift.io/serving-cert-secret-name: {{.InjectorWebhookSecretName}}
     {{- end }}
 spec:
   ports:

diff --git a/bindata/manifests/webhook/003-webhook.yaml b/bindata/manifests/webhook/003-webhook.yaml
@@ -6,8 +6,10 @@ metadata:
   annotations:
     {{- if eq .ClusterType "openshift" }}
     service.beta.openshift.io/inject-cabundle: "true"
-    {{- else if and (not .CaBundle) (eq .ClusterType "kubernetes") }}
-    cert-manager.io/inject-ca-from: {{.Namespace}}/network-resources-injector-secret
+    {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+    # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
+    # more variables.
+    cert-manager.io/inject-ca-from: {{.Namespace}}/{{.InjectorWebhookSecretName}}
     {{- end }}
 webhooks:
   - name: network-resources-injector-config.k8s.io
@@ -19,8 +21,8 @@ webhooks:
         name: network-resources-injector-service
         namespace: {{.Namespace}}
         path: "/mutate"
-      {{- if and (.CaBundle) (eq .ClusterType "kubernetes") }}
-      caBundle: "{{.CaBundle}}"
+      {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
+      caBundle: "{{.InjectorWebhookCA}}"
       {{- end }}
     rules:
       - operations: [ "CREATE" ]

diff --git a/bindata/manifests/webhook/server.yaml b/bindata/manifests/webhook/server.yaml
@@ -88,4 +88,4 @@ spec:
       volumes:
       - name: tls
         secret:
-          secretName: network-resources-injector-secret
+          secretName: {{.InjectorWebhookSecretName}}
diff --git a/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml b/bundle/manifests/sriov-network-operator.clusterserviceversion.yaml
@@ -99,11 +99,11 @@ metadata:
     capabilities: Basic Install
     categories: Networking
     certified: "false"
-    containerImage: quay.io/openshift/origin-sriov-network-operator:4.15
-    createdAt: "2023-11-24T18:31:22Z"
+    containerImage: quay.io/openshift/origin-sriov-network-operator:4.16
+    createdAt: "2024-01-05T17:19:10Z"
     description: An operator for configuring SR-IOV components and initializing SRIOV
       network devices in Openshift cluster.
-    olm.skipRange: '>=4.3.0-0 <4.15.0'
+    olm.skipRange: '>=4.3.0-0 <4.16.0'
     operatorframework.io/suggested-namespace: openshift-sriov-network-operator
     operators.openshift.io/infrastructure-features: '["disconnected", "cni"]'
     operators.operatorframework.io/builder: operator-sdk-v1.31.0
@@ -114,7 +114,7 @@ metadata:
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.ppc64le: supported
-  name: sriov-network-operator.v4.15.0
+  name: sriov-network-operator.v4.16.0
   namespace: openshift-sriov-network-operator
 spec:
   apiservicedefinitions: {}
@@ -330,23 +330,27 @@ spec:
                     fieldRef:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
                 - name: SRIOV_CNI_IMAGE
-                  value: quay.io/openshift/origin-sriov-cni:4.15
+                  value: quay.io/openshift/origin-sriov-cni:4.16
                 - name: SRIOV_DEVICE_PLUGIN_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+                  value: quay.io/openshift/origin-sriov-network-device-plugin:4.16
                 - name: NETWORK_RESOURCES_INJECTOR_IMAGE
-                  value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+                  value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
                 - name: OPERATOR_NAME
                   value: sriov-network-operator
                 - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+                  value: quay.io/openshift/origin-sriov-network-config-daemon:4.16
                 - name: SRIOV_NETWORK_WEBHOOK_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-webhook:4.15
+                  value: quay.io/openshift/origin-sriov-network-webhook:4.16
                 - name: SRIOV_INFINIBAND_CNI_IMAGE
-                  value: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+                  value: quay.io/openshift/origin-sriov-infiniband-cni:4.16
                 - name: RESOURCE_PREFIX
                   value: openshift.io
-                - name: ENABLE_ADMISSION_CONTROLLER
+                - name: ADMISSION_CONTROLLERS_ENABLED
                   value: "true"
+                - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
+                  value: operator-webhook-service
+                - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
+                  value: network-resources-injector-secret
                 - name: NAMESPACE
                   valueFrom:
                     fieldRef:
@@ -360,8 +364,8 @@ spec:
                     fieldRef:
                       fieldPath: metadata.name
                 - name: RELEASE_VERSION
-                  value: 4.15.0
-                image: quay.io/openshift/origin-sriov-network-operator:4.15
+                  value: 4.16.0
+                image: quay.io/openshift/origin-sriov-network-operator:4.16
                 imagePullPolicy: IfNotPresent
                 livenessProbe:
                   httpGet:
@@ -533,7 +537,7 @@ spec:
   - sriov
   labels:
     olm-owner-enterprise-app: sriov-network-operator
-    olm-status-descriptors: sriov-network-operator.v4.15.0
+    olm-status-descriptors: sriov-network-operator.v4.16.0
   links:
   - name: Source Code
     url: https://github.com/k8snetworkplumbingwg/sriov-network-operator
@@ -542,4 +546,4 @@ spec:
     name: Red Hat
   provider:
     name: Red Hat
-  version: 4.15.0
+  version: 4.16.0
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -33,7 +33,7 @@ spec:
         operator: Exists
       containers:
       - name: sriov-network-operator
-        image: quay.io/openshift/origin-sriov-network-operator:4.15
+        image: quay.io/openshift/origin-sriov-network-operator:4.16
         command:
         - sriov-network-operator
         args:
@@ -57,23 +57,27 @@ spec:
               fieldRef:
                 fieldPath: metadata.namespace
           - name: SRIOV_CNI_IMAGE
-            value: quay.io/openshift/origin-sriov-cni:4.15
+            value: quay.io/openshift/origin-sriov-cni:4.16
           - name: SRIOV_DEVICE_PLUGIN_IMAGE
-            value: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+            value: quay.io/openshift/origin-sriov-network-device-plugin:4.16
           - name: NETWORK_RESOURCES_INJECTOR_IMAGE
-            value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+            value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
           - name: OPERATOR_NAME
             value: sriov-network-operator
           - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
-            value: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+            value: quay.io/openshift/origin-sriov-network-config-daemon:4.16
           - name: SRIOV_NETWORK_WEBHOOK_IMAGE
-            value: quay.io/openshift/origin-sriov-network-webhook:4.15
+            value: quay.io/openshift/origin-sriov-network-webhook:4.16
           - name: SRIOV_INFINIBAND_CNI_IMAGE
-            value: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+            value: quay.io/openshift/origin-sriov-infiniband-cni:4.16
           - name: RESOURCE_PREFIX
             value: openshift.io
-          - name: ENABLE_ADMISSION_CONTROLLER
+          - name: ADMISSION_CONTROLLERS_ENABLED
             value: "true"
+          - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
+            value: operator-webhook-service
+          - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
+            value: network-resources-injector-secret
           - name: NAMESPACE
             valueFrom:
               fieldRef:
@@ -87,4 +91,4 @@ spec:
               fieldRef:
                 fieldPath: metadata.name
           - name: RELEASE_VERSION
-            value: 4.15.0
+            value: 4.16.0
diff --git a/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml b/config/manifests/bases/sriov-network-operator.clusterserviceversion.yaml
@@ -6,11 +6,11 @@ metadata:
     capabilities: Basic Install
     categories: Networking
     certified: "false"
-    containerImage: quay.io/openshift/origin-sriov-network-operator:4.15
+    containerImage: quay.io/openshift/origin-sriov-network-operator:4.16
     createdAt: 2019/04/30
     description: An operator for configuring SR-IOV components and initializing SRIOV
       network devices in Openshift cluster.
-    olm.skipRange: '>=4.3.0-0 <4.15.0'
+    olm.skipRange: '>=4.3.0-0 <4.16.0'
     operatorframework.io/suggested-namespace: openshift-sriov-network-operator
     operators.openshift.io/infrastructure-features: '["disconnected", "cni"]'
     repository: https://github.com/k8snetworkplumbingwg/sriov-network-operator
@@ -112,23 +112,27 @@ spec:
                     fieldRef:
                       fieldPath: metadata.namespace
                 - name: SRIOV_CNI_IMAGE
-                  value: quay.io/openshift/origin-sriov-cni:4.15
+                  value: quay.io/openshift/origin-sriov-cni:4.16
                 - name: SRIOV_DEVICE_PLUGIN_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-device-plugin:4.15
+                  value: quay.io/openshift/origin-sriov-network-device-plugin:4.16
                 - name: NETWORK_RESOURCES_INJECTOR_IMAGE
-                  value: quay.io/openshift/origin-sriov-dp-admission-controller:4.15
+                  value: quay.io/openshift/origin-sriov-dp-admission-controller:4.16
                 - name: OPERATOR_NAME
                   value: sriov-network-operator
                 - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-config-daemon:4.15
+                  value: quay.io/openshift/origin-sriov-network-config-daemon:4.16
                 - name: SRIOV_NETWORK_WEBHOOK_IMAGE
-                  value: quay.io/openshift/origin-sriov-network-webhook:4.15
+                  value: quay.io/openshift/origin-sriov-network-webhook:4.16
                 - name: SRIOV_INFINIBAND_CNI_IMAGE
-                  value: quay.io/openshift/origin-sriov-infiniband-cni:4.15
+                  value: quay.io/openshift/origin-sriov-infiniband-cni:4.16
                 - name: RESOURCE_PREFIX
                   value: openshift.io
-                - name: ENABLE_ADMISSION_CONTROLLER
+                - name: ADMISSION_CONTROLLERS_ENABLED
                   value: "true"
+                - name: ADMISSION_CONTROLLERS_CERTIFICATES_OPERATOR_SECRET_NAME
+                  value: operator-webhook-service
+                - name: ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_SECRET_NAME
+                  value: network-resources-injector-secret
                 - name: NAMESPACE
                   valueFrom:
                     fieldRef:
@@ -138,8 +142,8 @@ spec:
                     fieldRef:
                       fieldPath: metadata.name
                 - name: RELEASE_VERSION
-                  value: 4.15.0
-                image: quay.io/openshift/origin-sriov-network-operator:4.15
+                  value: 4.16.0
+                image: quay.io/openshift/origin-sriov-network-operator:4.16
                 imagePullPolicy: IfNotPresent
                 name: sriov-network-operator
                 resources: {}
@@ -166,7 +170,7 @@ spec:
   - sriov
   labels:
     olm-owner-enterprise-app: sriov-network-operator
-    olm-status-descriptors: sriov-network-operator.v4.15.0
+    olm-status-descriptors: sriov-network-operator.v4.16.0
   links:
   - name: Source Code
     url: https://github.com/k8snetworkplumbingwg/sriov-network-operator
@@ -175,4 +179,4 @@ spec:
     name: Red Hat
   provider:
     name: Red Hat
-  version: 4.15.0
+  version: 4.16.0
diff --git a/controllers/helper.go b/controllers/helper.go
@@ -36,6 +36,7 @@ const (
 	mutatingWebhookConfigurationCRDName   = "MutatingWebhookConfiguration"
 	validatingWebhookConfigurationCRDName = "ValidatingWebhookConfiguration"
 	machineConfigCRDName                  = "MachineConfig"
+	trueString                            = "true"
 )
 
 var namespace = os.Getenv("NAMESPACE")