Merge pull request #783 from openshift-bot/synchronize-upstream

NO-ISSUE: Synchronize From Upstream Repositories

Author: openshift-merge-bot[bot]

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/mikefarah/yq/v3 v3.0.0-20201202084205-8846255d1c37
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/openshift/api v3.9.0+incompatible
-	github.com/operator-framework/api v0.25.0
+	github.com/operator-framework/api v0.26.0
 	github.com/operator-framework/operator-lifecycle-manager v0.0.0-00010101000000-000000000000
 	github.com/operator-framework/operator-registry v1.43.1
 	github.com/sirupsen/logrus v1.9.3

manifests/0000_50_olm_00-catalogsources.crd.yaml

@@ -1027,19 +1027,15 @@ spec:
                         SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
                         right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
                         Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
-                        run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
-                        value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
-                        When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
-                        set to `legacy`.
-
-
-                        In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
-                        with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
+                        run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
+                        determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
+                        will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
+                        specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
+                        catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
 
 
                         More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
                       type: string
-                      default: legacy
                       enum:
                         - legacy
                         - restricted

microshift-manifests/0000_50_olm_00-catalogsources.crd.yaml

@@ -1027,19 +1027,15 @@ spec:
                         SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
                         right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
                         Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
-                        run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
-                        value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
-                        When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
-                        set to `legacy`.
-
-
-                        In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
-                        with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
+                        run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
+                        determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
+                        will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
+                        specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
+                        catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
 
 
                         More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
                       type: string
-                      default: legacy
                       enum:
                         - legacy
                         - restricted

staging/api/crds/operators.coreos.com_catalogsources.yaml

@@ -1023,19 +1023,15 @@ spec:
                         SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
                         right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
                         Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
-                        run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
-                        value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
-                        When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
-                        set to `legacy`.
-
-
-                        In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
-                        with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
+                        run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
+                        determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
+                        will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
+                        specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
+                        catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
 
 
                         More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
                       type: string
-                      default: legacy
                       enum:
                         - legacy
                         - restricted

staging/api/crds/zz_defs.go

@@ -8,15 +8,15 @@ require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/go-bindata/go-bindata/v3 v3.1.3
 	github.com/google/cel-go v0.17.8
-	github.com/sirupsen/logrus v1.9.2
+	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9
 	k8s.io/api v0.30.1
 	k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery v0.30.1
 	k8s.io/client-go v0.30.1
-	sigs.k8s.io/controller-runtime v0.18.2
+	sigs.k8s.io/controller-runtime v0.18.4
 	sigs.k8s.io/yaml v1.4.0
 )
 

staging/api/go.mod

@@ -106,8 +106,8 @@ github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3c
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
-github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -269,8 +269,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4=
-sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
-sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
+sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw=
+sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

staging/api/go.sum

@@ -133,18 +133,15 @@ type GrpcPodConfig struct {
 	// SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
 	// right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
 	// Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
-	// run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
-	// value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
-	// When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
-	// set to `legacy`.
-	//
-	// In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
-	// with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
+	// run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
+	// determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
+	// will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
+	// specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
+	// catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
 	//
 	// More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
 	// +optional
 	// +kubebuilder:validation:Enum=legacy;restricted
-	// +kubebuilder:default:=legacy
 	SecurityContextConfig SecurityConfig `json:"securityContextConfig,omitempty"`
 
 	// MemoryTarget configures the $GOMEMLIMIT value for the gRPC catalog Pod. This is a soft memory limit for the server,

staging/api/pkg/operators/v1alpha1/catalogsource_types.go

@@ -1023,19 +1023,15 @@ spec:
                         SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
                         right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
                         Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
-                        run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
-                        value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
-                        When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
-                        set to `legacy`.
-
-
-                        In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
-                        with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
+                        run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
+                        determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
+                        will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
+                        specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
+                        catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
 
 
                         More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
                       type: string
-                      default: legacy
                       enum:
                         - legacy
                         - restricted

staging/operator-lifecycle-manager/deploy/chart/crds/0000_50_olm_00-catalogsources.crd.yaml

@@ -23,7 +23,7 @@ require (
 	github.com/onsi/gomega v1.33.1
 	github.com/openshift/api v3.9.0+incompatible
 	github.com/openshift/client-go v0.0.0-20220525160904-9e1acff93e4a
-	github.com/operator-framework/api v0.25.0
+	github.com/operator-framework/api v0.26.0
 	github.com/operator-framework/operator-registry v1.43.1
 	github.com/otiai10/copy v1.14.0
 	github.com/pkg/errors v0.9.1

staging/operator-lifecycle-manager/go.mod

@@ -1817,8 +1817,8 @@ github.com/openshift/api v0.0.0-20221021112143-4226c2167e40 h1:PxjGCA72RtsdHWToZ
 github.com/openshift/api v0.0.0-20221021112143-4226c2167e40/go.mod h1:aQ6LDasvHMvHZXqLHnX2GRmnfTWCF/iIwz8EMTTIE9A=
 github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c h1:CV76yFOTXmq9VciBR3Bve5ZWzSxdft7gaMVB3kS0rwg=
 github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c/go.mod h1:lFMO8mLHXWFzSdYvGNo8ivF9SfF6zInA8ZGw4phRnUE=
-github.com/operator-framework/api v0.25.0 h1:pSQwFSoPmZaTIERadawxtCwicehLkC7i9n3w3+70SVI=
-github.com/operator-framework/api v0.25.0/go.mod h1:PvyCQb0x53ytIqdTECH5e+iqv+am3uZ0qGsZWmL35gQ=
+github.com/operator-framework/api v0.26.0 h1:YVntU2NkVl5zSLLwK5kFcH6P3oSvN9QDgTsY9mb4yUM=
+github.com/operator-framework/api v0.26.0/go.mod h1:3IxOwzVUeGxYlzfwKCcfCyS+q3EEhWA/4kv7UehbeyM=
 github.com/operator-framework/operator-registry v1.43.1 h1:ACahVHGIL/hINBXd3RKWqSFR5SmSM6L5/n9xXqpR51s=
 github.com/operator-framework/operator-registry v1.43.1/go.mod h1:qhssAIYWXDIW+nTg0C5i4iD9zpMtiXtfXqGUuUmGz5c=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=

staging/operator-lifecycle-manager/go.sum

@@ -710,7 +710,7 @@ github.com/openshift/client-go/config/informers/externalversions/config
 github.com/openshift/client-go/config/informers/externalversions/config/v1
 github.com/openshift/client-go/config/informers/externalversions/internalinterfaces
 github.com/openshift/client-go/config/listers/config/v1
-# github.com/operator-framework/api v0.25.0 => ./staging/api
+# github.com/operator-framework/api v0.26.0 => ./staging/api
 ## explicit; go 1.22.0
 github.com/operator-framework/api/crds
 github.com/operator-framework/api/pkg/constraints