OPRUN-3566: UPSTREAM: <carry>: Add global-pull-secret flag

openshift/generate-manifests.sh

@@ -27,9 +27,12 @@ IMAGE_MAPPINGS[manager]='${CATALOGD_IMAGE}'
 # and an entry to the FLAG_MAPPINGS of FLAG_MAPPINGS[flagname]='two', the argument will be updated to:
 # args:
 #  - --flagname=two
+#
+# If the flag doesn't already exist - it will be appended to the list.
 declare -A FLAG_MAPPINGS
 # shellcheck disable=SC2016
 FLAG_MAPPINGS[external-address]="catalogd-service.${NAMESPACE}.svc"
+FLAG_MAPPINGS[global-pull-secret]="openshift-config/pull-secret"
 
 ##################################################
 # You shouldn't need to change anything below here
@@ -74,7 +77,12 @@ done
 # Loop through any flag updates that need to be made to the manager container
 for flag_name in "${!FLAG_MAPPINGS[@]}"; do
   flagval="${FLAG_MAPPINGS[$flag_name]}"
+
+  # First, update the flag if it exists
   $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) = \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT"
+
+  # Then, append the flag if it doesn't exist
+  $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT"
 done
 
 # Use yq to split the single yaml file into 1 per document.

openshift/kustomize/overlays/openshift/kustomization.yaml

@@ -1,32 +1,5 @@
-# Adds namespace to all resources.
-namespace: OPENSHIFT-NAMESPACE
-
 namePrefix: catalogd-
 
 resources:
-- ../../../../config/base/crd
-- ../../../../config/base/rbac
-- ../../../../config/base/manager
-
-patches:
-- path: patches/manager_namespace_privileged.yaml
-- target:
-    kind: Service
-    name: service
-  path: patches/manager_service.yaml
-- target:
-    kind: MutatingWebhookConfiguration
-    name: mutating-webhook-configuration
-  path: patches/mutating_webhook_config.yaml
-- target:
-    kind: ClusterRole
-    name: manager-role
-  path: patches/manager_role.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_certs.yaml
-- target:
-    kind: Deployment
-    name: controller-manager
-  path: patches/manager_deployment_mount_etc_containers.yaml
+- olmv1-ns
+- openshift-config

openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml

@@ -0,0 +1,30 @@
+# Adds namespace to all resources.
+namespace: OPENSHIFT-NAMESPACE
+
+resources:
+- ../../../../../config/base/crd
+- ../../../../../config/base/rbac
+- ../../../../../config/base/manager
+
+patches:
+- path: patches/manager_namespace_privileged.yaml
+- target:
+    kind: Service
+    name: service
+  path: patches/manager_service.yaml
+- target:
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
+  path: patches/mutating_webhook_config.yaml
+- target:
+    kind: ClusterRole
+    name: manager-role
+  path: patches/manager_role.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_certs.yaml
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_mount_etc_containers.yaml

openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml

@@ -0,0 +1,6 @@
+# Adds namespace to all resources.
+namespace: openshift-config
+
+resources:
+- rbac/catalogd_manager_role.yaml
+- rbac/catalogd_manager_role_binding.yaml

openshift/kustomize/overlays/openshift/openshift-config/rbac/catalogd_manager_role.yaml

@@ -0,0 +1,17 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch

openshift/kustomize/overlays/openshift/openshift-config/rbac/catalogd_manager_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: olm
+    app.kubernetes.io/name: catalogd
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: OPENSHIFT-NAMESPACE

openshift/manifests/04-role-openshift-config-catalogd-manager-role.yml

@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+  name: catalogd-manager-role
+  namespace: openshift-config
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch

openshift/manifests/09-rolebinding-openshift-config-catalogd-manager-rolebinding.yml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+  name: catalogd-manager-rolebinding
+  namespace: openshift-config
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: catalogd-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: catalogd-controller-manager
+    namespace: openshift-catalogd

openshift/manifests/11-deployment-openshift-catalogd-catalogd-controller-manager.yml → openshift/manifests/13-deployment-openshift-catalogd-catalogd-controller-manager.yml

@@ -67,6 +67,7 @@ spec:
             - --external-address=catalogd-service.openshift-catalogd.svc
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
+            - --global-pull-secret=openshift-config/pull-secret
           command:
             - ./manager
           image: ${CATALOGD_IMAGE}