openshift
diff --git a/‎go.mod
Lines changed: 4 additions & 3 deletions b/‎go.mod
Lines changed: 4 additions & 3 deletions
diff --git a/‎go.sum
Lines changed: 4 additions & 1 deletion b/‎go.sum
Lines changed: 4 additions & 1 deletion
diff --git a/‎staging/operator-lifecycle-manager/go.mod
Lines changed: 6 additions & 3 deletions b/‎staging/operator-lifecycle-manager/go.mod
Lines changed: 6 additions & 3 deletions
diff --git a/‎staging/operator-lifecycle-manager/go.sum
Lines changed: 4 additions & 1 deletion b/‎staging/operator-lifecycle-manager/go.sum
Lines changed: 4 additions & 1 deletion
diff --git a/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go
Lines changed: 13 additions & 0 deletions b/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/operator_plugin.go
Lines changed: 0 additions & 24 deletions b/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/operator_plugin.go
Lines changed: 0 additions & 24 deletions
diff --git a/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/plugins/downstream_csv_namespace_labeler_plugin.go
Lines changed: 172 additions & 0 deletions b/‎staging/operator-lifecycle-manager/pkg/controller/operators/olm/plugins/downstream_csv_namespace_labeler_plugin.go
Lines changed: 172 additions & 0 deletions
@@ -11,7 +11,7 @@ require (
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.4.1
 	github.com/mikefarah/yq/v3 v3.0.0-20201202084205-8846255d1c37
 	github.com/onsi/ginkgo/v2 v2.1.3
-	github.com/openshift/api v0.0.0-20200331152225-585af27e34fd
+	github.com/openshift/api v0.0.0-20220525145417-ee5b62754c68
 	github.com/operator-framework/api v0.15.0
 	github.com/operator-framework/operator-lifecycle-manager v0.0.0-00010101000000-000000000000
 	github.com/operator-framework/operator-registry v1.17.5
@@ -176,7 +176,8 @@ require (
 	github.com/onsi/gomega v1.18.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
-	github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0 // indirect
+	github.com/openshift/client-go v0.0.0-20220525160904-9e1acff93e4a // indirect
+	github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f // indirect
 	github.com/otiai10/copy v1.2.0 // indirect
 	github.com/pbnjay/strptime v0.0.0-20140226051138-5c05b0d668c9 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -223,7 +224,7 @@ require (
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 
@@ -989,6 +989,8 @@ github.com/openshift/api v0.0.0-20210517065120-b325f58df679/go.mod h1:dZ4kytOo3s
 github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0 h1:kMiuiZXH1GdfbiMwsuAQOqGaMxlo9NCUk0wT4XAdfNM=
 github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0/go.mod h1:uUQ4LClRO+fg5MF/P6QxjMCb1C9f7Oh4RKepftDnEJE=
+github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f h1:ll0eE7rgGHsFlrI6ksr6nXL2ur8GYBe8Jj0GwNQ/1+o=
+github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f/go.mod h1:r9ZZT5wjwoS2heBfYR26uJhhkGYwgmFqomu9ww0y9Qw=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k=
@@ -1435,8 +1437,9 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 
@@ -22,8 +22,8 @@ require (
 	github.com/mitchellh/mapstructure v1.4.1
 	github.com/onsi/ginkgo/v2 v2.1.3
 	github.com/onsi/gomega v1.18.1
-	github.com/openshift/api v0.0.0-20200331152225-585af27e34fd
-	github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0
+	github.com/openshift/api v0.0.0-20220525145417-ee5b62754c68
+	github.com/openshift/client-go v0.0.0-20220525160904-9e1acff93e4a
 	github.com/operator-framework/api v0.15.0
 	github.com/operator-framework/operator-registry v1.17.5
 	github.com/otiai10/copy v1.2.0
@@ -221,7 +221,7 @@ require (
 	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
@@ -258,3 +258,6 @@ replace (
 	go.opentelemetry.io/otel => go.opentelemetry.io/otel v0.20.0
 	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v0.20.0
 )
+
+// downstream only
+require github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f
@@ -1075,6 +1075,8 @@ github.com/openshift/api v0.0.0-20211014063134-be2a7fb8aa44/go.mod h1:RsQCVJu4qh
 github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0 h1:kMiuiZXH1GdfbiMwsuAQOqGaMxlo9NCUk0wT4XAdfNM=
 github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0/go.mod h1:uUQ4LClRO+fg5MF/P6QxjMCb1C9f7Oh4RKepftDnEJE=
+github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f h1:ll0eE7rgGHsFlrI6ksr6nXL2ur8GYBe8Jj0GwNQ/1+o=
+github.com/openshift/cluster-policy-controller v0.0.0-20220825134653-523e4104074f/go.mod h1:r9ZZT5wjwoS2heBfYR26uJhhkGYwgmFqomu9ww0y9Qw=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/operator-framework/api v0.7.1/go.mod h1:L7IvLd/ckxJEJg/t4oTTlnHKAJIP/p51AvEslW3wYdY=
@@ -1550,8 +1552,9 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 
@@ -0,0 +1,13 @@
+package olm
+
+import (
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins"
+)
+
+func init() {
+	operatorPlugInFactoryFuncs = []plugins.OperatorPlugInFactoryFunc{
+		// labels unlabeled non-payload openshift-* csv namespaces with
+		// security.openshift.io/scc.podSecurityLabelSync: true
+		plugins.NewCsvNamespaceLabelerPlugInfunc,
+	}
+}
@@ -0,0 +1,172 @@
+package plugins
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/nsexemptions"
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/internal/pruning"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/informers"
+	listerv1 "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+)
+
+const NamespaceLabelSyncerLabelKey = "security.openshift.io/scc.podSecurityLabelSync"
+
+// csvNamespaceLabelerPlugin is responsible for labeling non-payload openshift-* namespaces
+// with the label "security.openshift.io/scc.podSecurityLabelSync=true" so that the  PSA Label Syncer
+// see https://github.com/openshift/cluster-policy-controller/blob/master/pkg/psalabelsyncer/podsecurity_label_sync_controller.go
+// can help ensure that the operator payloads in the namespace continue to work even if they don't yet respect the
+// upstream Pod Security Admission controller, which will become active in k8s 1.15.
+// see https://kubernetes.io/docs/concepts/security/pod-security-admission/
+// If a CSV is created or modified, this controller will look at the csv's namespace. If it is a non-payload namespace,
+// if the namespace name is prefixed with 'openshift-', and if the namespace does not contain the label (whatever
+// value it may be set to), it will add the "security.openshift.io/scc.podSecurityLabelSync=true" to the namespace.
+type csvNamespaceLabelerPlugin struct {
+	namespaceListerMap map[string]listerv1.NamespaceLister
+	kubeClient         operatorclient.ClientInterface
+	externalClient     versioned.Interface
+	logger             *logrus.Logger
+}
+
+func NewCsvNamespaceLabelerPlugInfunc(ctx context.Context, config OperatorConfig, hostOperator HostOperator) (OperatorPlugin, error) {
+
+	if hostOperator == nil {
+		return nil, fmt.Errorf("cannot initialize plugin: operator undefined")
+	}
+
+	plugin := &csvNamespaceLabelerPlugin{
+		kubeClient:         config.OperatorClient(),
+		externalClient:     config.ExternalClient(),
+		logger:             config.Logger(),
+		namespaceListerMap: map[string]listerv1.NamespaceLister{},
+	}
+
+	for _, namespace := range config.WatchedNamespaces() {
+
+		// create a namespace informer for namespaces that do not include
+		// the label syncer label
+		namespaceInformer := informers.NewSharedInformerFactoryWithOptions(
+			plugin.kubeClient.KubernetesInterface(),
+			config.ResyncPeriod()(),
+			informers.WithNamespace(namespace),
+		).Core().V1().Namespaces()
+
+		if err := hostOperator.RegisterInformer(namespaceInformer.Informer()); err != nil {
+			return nil, err
+		}
+		plugin.namespaceListerMap[namespace] = namespaceInformer.Lister()
+
+		// create a new csv informer and prune status to reduce memory footprint
+		csvNamespaceLabelerInformer := cache.NewSharedIndexInformer(
+			pruning.NewListerWatcher(
+				plugin.externalClient,
+				namespace,
+				func(opts *metav1.ListOptions) {
+					opts.LabelSelector = fmt.Sprintf("!%s", v1alpha1.CopiedLabelKey)
+				},
+				pruning.PrunerFunc(func(csv *v1alpha1.ClusterServiceVersion) {
+					*csv = v1alpha1.ClusterServiceVersion{
+						TypeMeta:   csv.TypeMeta,
+						ObjectMeta: csv.ObjectMeta,
+					}
+				}),
+			),
+			&v1alpha1.ClusterServiceVersion{},
+			config.ResyncPeriod()(),
+			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+		)
+
+		csvNamespaceLabelerPluginQueue := workqueue.NewNamedRateLimitingQueue(
+			workqueue.DefaultControllerRateLimiter(),
+			fmt.Sprintf("%s/csv-ns-labeler-plugin", namespace),
+		)
+		csvNamespaceLabelerPluginQueueInformer, err := queueinformer.NewQueueInformer(
+			ctx,
+			queueinformer.WithInformer(csvNamespaceLabelerInformer),
+			queueinformer.WithLogger(config.Logger()),
+			queueinformer.WithQueue(csvNamespaceLabelerPluginQueue),
+			queueinformer.WithIndexer(csvNamespaceLabelerInformer.GetIndexer()),
+			queueinformer.WithSyncer(plugin),
+		)
+		if err != nil {
+			return nil, err
+		}
+		if err := hostOperator.RegisterQueueInformer(csvNamespaceLabelerPluginQueueInformer); err != nil {
+			return nil, err
+		}
+	}
+
+	return plugin, nil
+}
+
+func (p *csvNamespaceLabelerPlugin) Shutdown() error {
+	return nil
+}
+
+func (p *csvNamespaceLabelerPlugin) Sync(ctx context.Context, event kubestate.ResourceEvent) error {
+	// only act on csv added and updated events
+	if event.Type() != kubestate.ResourceAdded && event.Type() != kubestate.ResourceUpdated {
+		return nil
+	}
+
+	csv, ok := event.Resource().(*v1alpha1.ClusterServiceVersion)
+	if !ok {
+		return fmt.Errorf("event resource is not a ClusterServiceVersion")
+	}
+
+	// ignore copied csvs
+	// informer should already be filtering these out - but just in case
+	if csv.IsCopied() {
+		return nil
+	}
+
+	// ignore non-openshift-* and payload openshift-* namespaces
+	if !strings.HasPrefix(csv.GetNamespace(), "openshift-") || nsexemptions.IsNamespacePSALabelSyncExemptedInVendoredOCPVersion(csv.GetNamespace()) {
+		return nil
+	}
+
+	namespace, err := p.getNamespace(csv.GetNamespace())
+	if err != nil {
+		return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", csv.GetNamespace())
+	}
+
+	// add label sync'er label if it does not exist
+	if _, ok := namespace.GetLabels()[NamespaceLabelSyncerLabelKey]; !ok {
+		nsCopy := namespace.DeepCopy()
+		if nsCopy.GetLabels() == nil {
+			nsCopy.SetLabels(map[string]string{})
+		}
+		nsCopy.GetLabels()[NamespaceLabelSyncerLabelKey] = "true"
+		if _, err := p.kubeClient.KubernetesInterface().CoreV1().Namespaces().Update(ctx, nsCopy, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", nsCopy.GetNamespace())
+		}
+
+		if p.logger != nil {
+			p.logger.Infof("applied %s=true label to namespace %s", NamespaceLabelSyncerLabelKey, nsCopy.GetNamespace())
+		}
+	}
+
+	return nil
+}
+
+func (p *csvNamespaceLabelerPlugin) getNamespace(namespace string) (*v1.Namespace, error) {
+	lister, ok := p.namespaceListerMap[namespace]
+	if !ok {
+		lister, ok = p.namespaceListerMap[metav1.NamespaceAll]
+		if !ok {
+			return nil, fmt.Errorf("no namespace lister found for namespace: %s", namespace)
+		}
+	}
+	return lister.Get(namespace)
+}