Protect Global Copied CSVs in the openshift namespace

Problem: After disabling Copied CSVs, the openshift console can no
longer communicate to users which operators are available globally
across the cluster.

Solution: Configure OLM to ensure that Copied CSVs for operators scoped
to All Namespaces appear in the openshift namespace. Update the OLM
manifests to include RBAC for authenticated users to view CSVs in this
namespace.

Author: awgreene

manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml

@@ -53,6 +53,8 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --protectedCopiedCSVNamespaces
+            - openshift
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:

manifests/0000_50_olm_07-olm-operator.deployment.yaml

@@ -53,6 +53,8 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --protectedCopiedCSVNamespaces
+            - openshift
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:

manifests/0000_50_olm_15-csv-viewer.rbac.yaml

@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: copied-csv-viewer
+  namespace: openshift
+rules:
+  - apiGroups:
+      - "operators.coreos.com"
+    resources:
+      - "clusterserviceversions"
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: copied-csv-viewers
+  namespace: openshift
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: copied-csv-viewer
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:authenticated

scripts/generate_crds_manifests.sh

@@ -363,6 +363,41 @@ metadata:
     release.openshift.io/delete: "true"
 EOF
 
+cat << EOF > manifests/0000_50_olm_15-csv-viewer.rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: copied-csv-viewer
+  namespace: openshift
+rules:
+- apiGroups:
+  - "operators.coreos.com"
+  resources:
+  - "clusterserviceversions"
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: copied-csv-viewers
+  namespace: openshift
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: copied-csv-viewer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+EOF
+
 add_ibm_managed_cloud_annotations "${ROOT_DIR}/manifests"
 
 find "${ROOT_DIR}/manifests" -type f -exec $SED -i "/^#/d" {} \;

scripts/olm-deployment.patch.yaml

@@ -9,6 +9,14 @@
   value:
     name: RELEASE_VERSION
     value: "0.0.1-snapshot"
+- command: update
+  path: spec.template.spec.containers[0].args[+]
+  value:
+    --protectedCopiedCSVNamespaces
+- command: update
+  path: spec.template.spec.containers[0].args[+]
+  value:
+    openshift
 - command: update
   path: spec.template.spec.containers[*].securityContext
   value: