updating to operator-sdk 1.40

Makefile

@@ -57,8 +57,6 @@ endif
 
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(RELEASE_TAG)
-# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.31.0
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -191,10 +189,13 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.1
-ENVTEST_VERSION ?= release-0.19
-OPERATOR_SDK_VERSION ?= "v1.39.0"
+KUSTOMIZE_VERSION ?= v5.6.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.2
+#ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20)
+ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
+#ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31)
+ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
+OPERATOR_SDK_VERSION ?= "v1.40.0"
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
@@ -211,11 +212,23 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
 
+.PHONY: setup-envtest
+setup-envtest: envtest ## Download the binaries required for ENVTEST in the local bin directory.
+	@echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..."
+	@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \
+		echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \
+		exit 1; \
+	}
+
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION)
 
+.PHONY: lint-config
+lint-config: golangci-lint ## Verify golangci-lint linter configuration
+	$(GOLANGCI_LINT) config verify
+
 .PHONY: operator-sdk
 OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk
 operator-sdk: ## Download operator-sdk locally if necessary.
@@ -257,7 +270,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
 	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else

config/crd/bases/certification.redhat.com_operatorpipelines.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: operatorpipelines.certification.redhat.com
 spec:
   group: certification.redhat.com

config/default/metrics_service.yaml

@@ -15,3 +15,4 @@ spec:
     targetPort: 8443
   selector:
     control-plane: controller-manager
+    app.kubernetes.io/name: operator-certification-operator

config/manager/manager.yaml

@@ -3,6 +3,7 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: operator-certification-operator
   name: system
 ---
 apiVersion: apps/v1
@@ -12,17 +13,20 @@ metadata:
   namespace: system
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: operator-certification-operator
 spec:
   selector:
     matchLabels:
       control-plane: controller-manager
+      app.kubernetes.io/name: operator-certification-operator
   replicas: 1
   template:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
       labels:
         control-plane: controller-manager
+        app.kubernetes.io/name: operator-certification-operator
     spec:
       securityContext:
         runAsNonRoot: true

config/manifests/kustomization.yaml

@@ -9,7 +9,7 @@ resources:
 # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
 # These patches remove the unnecessary "cert" volume and its manager container volumeMount.
-#patchesJson6902:
+#patches:
 #- target:
 #    group: apps
 #    version: v1
@@ -20,7 +20,8 @@ resources:
 #    # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
 #    # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
 #    - op: remove
-#      path: /spec/template/spec/containers/1/volumeMounts/0
+
+#      path: /spec/template/spec/containers/0/volumeMounts/0
 #    # Remove the "cert" volume, since OLM will create and mount a set of certs.
 #    # Update the indices in this path if adding or removing volumes in the manager's Deployment.
 #    - op: remove

config/network-policy/allow-metrics-traffic.yaml

@@ -1,6 +1,6 @@
 # This NetworkPolicy allows ingress traffic
 # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
-# namespaces are able to gathering data from the metrics endpoint.
+# namespaces are able to gather data from the metrics endpoint.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -13,6 +13,7 @@ spec:
   podSelector:
     matchLabels:
       control-plane: controller-manager
+      app.kubernetes.io/name: operator-certification-operator
   policyTypes:
     - Ingress
   ingress:

config/prometheus/monitor.yaml

@@ -5,6 +5,7 @@ kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: operator-certification-operator
   name: controller-manager-metrics-monitor
   namespace: system
 spec:
@@ -18,3 +19,4 @@ spec:
   selector:
     matchLabels:
       control-plane: controller-manager
+      app.kubernetes.io/name: operator-certification-operator

config/rbac/kustomization.yaml

@@ -18,3 +18,11 @@ resources:
 - metrics_auth_role.yaml
 - metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. Those roles are
+# not used by the {{ .ProjectName }} itself. You can comment the following lines
+# if you do not want those helpers be installed with your Project.
+#- operatorpipeline_admin_role.yaml
+#- operatorpipeline_editor_role.yaml
+#- operatorpipeline_viewer_role.yaml
+

config/rbac/leader_election_role.yaml

@@ -2,6 +2,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: leader-election-role
 rules:
 - apiGroups:

config/rbac/leader_election_role_binding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: leader-election-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/rbac/operatorpipeline_admin_role.yaml

@@ -0,0 +1,27 @@
+# This rule is not used by the project operator-certification-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over cache.example.com.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: operatorpipeline-admin-role
+rules:
+- apiGroups:
+  - cache.example.com
+  resources:
+  - operatorpipelines
+  verbs:
+  - '*'
+- apiGroups:
+  - cache.example.com
+  resources:
+  - operatorpipelines/status
+  verbs:
+  - get

config/rbac/operatorpipeline_editor_role.yaml

@@ -1,7 +1,15 @@
-# permissions for end users to edit operatorpipelines.
+# This rule is not used by the project operator-certification-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the cache.example.com.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: operatorpipeline-editor-role
 rules:
 - apiGroups:

config/rbac/operatorpipeline_viewer_role.yaml

@@ -1,7 +1,15 @@
-# permissions for end users to view operatorpipelines.
+# This rule is not used by the project operator-certification-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to cache.example.com resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: operatorpipeline-viewer-role
 rules:
 - apiGroups:

config/rbac/role.yaml

@@ -5,9 +5,9 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - certification.redhat.com
+  - ""
   resources:
-  - operatorpipelines
+  - secrets
   verbs:
   - create
   - delete
@@ -19,29 +19,29 @@ rules:
 - apiGroups:
   - certification.redhat.com
   resources:
-  - operatorpipelines/finalizers
+  - operatorpipelines
   verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
   - update
+  - watch
 - apiGroups:
   - certification.redhat.com
   resources:
-  - operatorpipelines/status
+  - operatorpipelines/finalizers
   verbs:
-  - get
-  - patch
   - update
 - apiGroups:
-  - ""
+  - certification.redhat.com
   resources:
-  - secrets
+  - operatorpipelines/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - image.openshift.io
   resources:

config/rbac/role_binding.yaml

@@ -1,6 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io

config/rbac/service_account.yaml

@@ -1,5 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  labels:
+    app.kubernetes.io/name: operator-certification-operator
   name: controller-manager
   namespace: system

config/scorecard/kustomization.yaml

@@ -15,3 +15,4 @@ patches:
     kind: Configuration
     name: config
     version: v1alpha3
+# +kubebuilder:scaffold:patches

config/scorecard/patches/basic.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -4,7 +4,7 @@
     entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
     entrypoint:
     - scorecard-test
     - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@
     entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
     entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.14.0
+    image: quay.io/operator-framework/scorecard-test:v1.40.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

internal/controller/operatorpipeline_controller.go

@@ -218,5 +218,6 @@ func (r *OperatorPipelineReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&securityv1.SecurityContextConstraints{}).
 		Owns(&rbacv1.ClusterRole{}).
 		Owns(&rbacv1.ClusterRoleBinding{}).
+		Named("operator_pipeline").
 		Complete(r)
 }