⚠ Single-tenant simplification: remove deprecated features and simplify operator model#2544
Draft
joelanford wants to merge 8 commits intooperator-framework:mainfrom
Draft
⚠ Single-tenant simplification: remove deprecated features and simplify operator model#2544joelanford wants to merge 8 commits intooperator-framework:mainfrom
joelanford wants to merge 8 commits intooperator-framework:mainfrom
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
f854129 to
92ef4cc
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Implements OLMv1 “single-tenant simplification” by shifting to a cluster-admin-only operational model, deprecating per-extension ServiceAccounts, and removing install-mode/permissions features that supported multi-tenancy-like behavior.
Changes:
- Grants operator-controller broad cluster-admin style RBAC and removes PreflightPermissions / SyntheticPermissions / SingleOwnNamespaceInstallSupport plumbing.
- Deprecates and ignores
ClusterExtension.spec.serviceAccountand removes related docs, tests, and tooling. - Forces registry+v1 rendering to AllNamespaces behavior (watch all namespaces) and removes
watchNamespacefrom bundle config schema/tooling.
Reviewed changes
Copilot reviewed 130 out of 137 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml | Removes own-namespace-operator entries from test catalog fixture. |
| testdata/images/bundles/own-namespace-operator/v1.0.0/metadata/annotations.yaml | Removes obsolete own-namespace operator bundle annotations fixture. |
| testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/ownnamespaceoperator.clusterserviceversion.yaml | Removes obsolete own-namespace operator CSV fixture. |
| testdata/images/bundles/own-namespace-operator/v1.0.0/manifests/olm.operatorframework.com_ownnamespaces.yaml | Removes obsolete own-namespace operator CRD fixture. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/09_deployment_argocd-operator-controller-manager.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/03_configmap_argocd-operator-manager-config.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/single-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml | Removes expected output for single-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/13_serviceaccount_argocd-operator-controller-manager.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/12_service_argocd-operator-controller-manager-metrics-service.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/11_rolebinding_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/10_role_argocd-operator.v0-22gmilmgp91wu25is5i2ec598hni8owq3l71bbkl7iz3.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/09_deployment_argocd-operator-controller-manager.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/03_configmap_argocd-operator-manager-config.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/02_clusterrolebinding_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/01_clusterrole_argocd-operator.v0-1dhiybrldl1gyksid1dk2dqjsc72psdybc7iyvse5gpx.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/testdata/expected-manifests/argocd-operator.v0.6.0/own-namespace/00_clusterrole_argocd-operator-metrics-reader.yaml | Removes expected output for own-namespace manifests. |
| test/regression/convert/generate-manifests.go | Updates regression generator to render all bundles as AllNamespaces. |
| test/helpers/helpers.go | Removes SA/RBAC helper setup; simplifies init/cleanup helpers. |
| test/extension-developer-e2e/extension_developer_test.go | Removes per-extension SA/RBAC setup; uses controller identity. |
| test/e2e/steps/testdata/serviceaccount-template.yaml | Removes unused ServiceAccount templating file. |
| test/e2e/steps/testdata/rbac-template.yaml | Removes unused RBAC templating file. |
| test/e2e/steps/testdata/metrics-reader-rbac-template.yaml | Stops templating Namespace; leaves SA + metrics-reader CRB. |
| test/e2e/steps/testdata/cluster-admin-rbac-template.yaml | Removes unused cluster-admin RBAC templating file. |
| test/e2e/steps/steps.go | Removes steps for creating installer SAs; keeps metrics SA/CRB helper. |
| test/e2e/steps/hooks.go | Removes feature gates; creates per-scenario namespace in hooks; improves cleanup behavior. |
| test/e2e/features/update.feature | Removes serviceAccount steps/fields from scenarios. |
| test/e2e/features/uninstall.feature | Removes serviceAccount steps/fields and SA-deletion scenario. |
| test/e2e/features/status.feature | Removes serviceAccount steps/fields from scenarios. |
| test/e2e/features/recover.feature | Removes serviceAccount steps/fields and preflight scenario; aligns recovery tests. |
| test/e2e/README.md | Updates testdata list and examples to remove SA/RBAC references. |
| manifests/standard.yaml | Deprecates serviceAccount in CRD schema; grants wildcard RBAC. |
| manifests/standard-e2e.yaml | Same as standard.yaml for e2e feature-set. |
| manifests/experimental.yaml | Deprecates serviceAccount; grants wildcard RBAC; removes preflight flag; renames rolebinding. |
| manifests/experimental-e2e.yaml | Same as experimental.yaml for e2e feature-set. |
| internal/operator-controller/rukpak/render/render.go | Adds SkipInstallModeValidation option and hook. |
| internal/operator-controller/rukpak/bundle/registryv1bundleconfig.json | Removes watchNamespace from bundle config schema. |
| internal/operator-controller/rukpak/bundle/registryv1_test.go | Updates schema tests to match removal of watchNamespace. |
| internal/operator-controller/rukpak/bundle/registryv1.go | Simplifies config schema handling to static JSON schema. |
| internal/operator-controller/rukpak/bundle/README.md | Updates documentation to remove watchNamespace references. |
| internal/operator-controller/resolve/catalog_test.go | Removes serviceAccount from ClusterExtension test fixtures. |
| internal/operator-controller/labels/labels.go | Removes annotations used to track per-extension ServiceAccount identity. |
| internal/operator-controller/features/features.go | Removes PreflightPermissions / SyntheticPermissions / SingleOwnNamespaceInstallSupport feature gates. |
| internal/operator-controller/controllers/revision_engine_factory.go | Removes per-revision engine factory that created SA-scoped clients. |
| internal/operator-controller/controllers/revision_engine.go | Introduces constructor for revision engine using shared client. |
| internal/operator-controller/controllers/clusterextensionrevision_controller_internal_test.go | Removes SA from ClusterExtension test fixture. |
| internal/operator-controller/controllers/clusterextensionrevision_controller.go | Switches reconciler from factory-per-revision to injected shared engine. |
| internal/operator-controller/controllers/clusterextension_reconcile_steps.go | Removes ServiceAccount existence validator. |
| internal/operator-controller/controllers/clusterextension_admission_test.go | Adjusts admission tests for deprecated/optional serviceAccount. |
| internal/operator-controller/config/error_formatting_test.go | Removes watchNamespace/install-mode error formatting cases; updates Unmarshal signature. |
| internal/operator-controller/config/config.go | Removes watchNamespace parsing and installNamespace-dependent schema validation. |
| internal/operator-controller/authentication/tripper.go | Removes SA token-injecting RoundTripper. |
| internal/operator-controller/authentication/tokengetter_test.go | Removes TokenGetter tests. |
| internal/operator-controller/authentication/tokengetter.go | Removes TokenGetter implementation. |
| internal/operator-controller/authentication/synthetic_test.go | Removes synthetic impersonation tests. |
| internal/operator-controller/authentication/synthetic.go | Removes synthetic impersonation helpers. |
| internal/operator-controller/applier/provider.go | Forces AllNamespaces rendering, skips install-mode validation, removes watchNamespace handling. |
| internal/operator-controller/applier/boxcutter.go | Removes pre-authorization and SA annotation propagation on revisions. |
| internal/operator-controller/action/restconfig_test.go | Removes SA/synthetic restconfig mapping tests. |
| internal/operator-controller/action/restconfig.go | Removes SA/synthetic restconfig mappers. |
| helm/tilt.yaml | Removes PreflightPermissions from enabled features list. |
| helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml | Simplifies rolebinding name (removes conditional). |
| helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml | Simplifies ClusterRole template and grants wildcard rules. |
| helm/olmv1/base/operator-controller/crd/standard/olm.operatorframework.io_clusterextensions.yaml | Deprecates and makes serviceAccount optional in generated CRD. |
| helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml | Same as above for experimental CRD. |
| helm/experimental.yaml | Removes PreflightPermissions from enabled experimental feature set. |
| hack/tools/schema-generator/main_test.go | Updates schema generator tests to remove watchNamespace expectations. |
| hack/tools/schema-generator/main.go | Updates generated bundle config schema to exclude watchNamespace. |
| hack/tools/k8smaintainer/README.md | Removes k8s staging pin tool documentation (tool no longer needed). |
| hack/tools/crd-generator/testdata/output/standard/olm.operatorframework.io_clusterextensions.yaml | Updates CRD generator golden output for deprecated serviceAccount. |
| hack/tools/crd-generator/testdata/output/experimental/olm.operatorframework.io_clusterextensions.yaml | Updates CRD generator golden output for deprecated serviceAccount. |
| hack/tools/crd-generator/testdata/api/v1/clusterextension_types.go | Updates test API types for deprecated/optional serviceAccount. |
| hack/tools/catalogs/lib/manifests.sh | Removes SA/RBAC manifest generation; generates Namespace + ClusterExtension only. |
| hack/tools/catalogs/generate-manifests | Removes RBAC mode and SA/RBAC flags; aligns output with new model. |
| hack/tools/catalogs/README.md | Updates documentation to match new generate-manifests behavior. |
| hack/test/pre-upgrade-setup.sh | Removes SA/RBAC bootstrap for upgrade tests; removes serviceAccount field in CE. |
| hack/demo/synthetic-user-cluster-admin-demo-script.sh | Removes obsolete synthetic-user demo script. |
| hack/demo/single-namespace-demo-script.sh | Removes obsolete single-namespace demo script. |
| hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml | Removes serviceAccount field from demo ClusterExtension. |
| hack/demo/resources/synthetic-user-perms/cegroup-admin-binding.yaml | Removes obsolete synthetic permissions demo resource. |
| hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml | Removes obsolete synthetic permissions demo ClusterExtension. |
| hack/demo/resources/single-namespace-demo.yaml | Removes obsolete single-namespace demo ClusterExtension. |
| hack/demo/resources/own-namespace-demo.yaml | Removes obsolete own-namespace demo ClusterExtension. |
| hack/demo/own-namespace-demo-script.sh | Removes obsolete own-namespace demo script. |
| go.sum | Removes sums for k8s.io/kubernetes and related deps. |
| go.mod | Removes k8s.io/kubernetes and replace directives; updates verify flow to use tidy. |
| docs/tutorials/install-extension.md | Removes ServiceAccount guidance and YAML fields from tutorial. |
| docs/tutorials/downgrade-extension.md | Removes serviceAccount from examples. |
| docs/howto/how-to-z-stream-upgrades.md | Removes serviceAccount from examples. |
| docs/howto/how-to-version-range-upgrades.md | Removes serviceAccount from examples. |
| docs/howto/how-to-pin-version.md | Removes serviceAccount from examples. |
| docs/howto/how-to-channel-based-upgrades.md | Removes serviceAccount from examples. |
| docs/howto/derive-service-account.md | Adds deprecation notice indicating guide is no longer applicable. |
| docs/draft/project/single-tenant-simplification/CLEANUP.md | Adds cleanup tracking document for remaining work items. |
| docs/draft/project/single-tenant-simplification/09-documentation.md | Adds documentation work item plan. |
| docs/draft/project/single-tenant-simplification/07-simplify-contentmanager.md | Adds contentmanager simplification work item plan. |
| docs/draft/project/single-tenant-simplification/06-optional-namespace.md | Adds optional namespace work item plan. |
| docs/draft/project/single-tenant-simplification/05-remove-single-own-namespace.md | Adds install-mode removal work item plan. |
| docs/draft/project/single-tenant-simplification/04-remove-synthetic-permissions.md | Adds synthetic permissions removal work item plan. |
| docs/draft/project/single-tenant-simplification/03-remove-preflight-permissions.md | Adds preflight removal work item plan. |
| docs/draft/project/single-tenant-simplification/02-deprecate-service-account.md | Adds serviceAccount deprecation work item plan. |
| docs/draft/project/single-tenant-simplification/01-cluster-admin.md | Adds cluster-admin work item plan. |
| docs/draft/howto/use-synthetic-permissions.md | Removes obsolete synthetic permissions draft doc. |
| docs/draft/howto/single-ownnamespace-install.md | Removes obsolete single/own namespace draft doc. |
| docs/draft/howto/rbac-permissions-checking.md | Removes obsolete RBAC preflight draft doc. |
| docs/draft/howto/enable-helm-chart-support.md | Removes serviceAccount from example. |
| docs/concepts/upgrade-support.md | Removes serviceAccount from examples. |
| docs/concepts/permission-model.md | Adds deprecation notice indicating prior model is outdated. |
| docs/concepts/crd-upgrade-safety.md | Removes serviceAccount from examples. |
| docs/concepts/controlling-catalog-selection.md | Removes serviceAccount from examples. |
| docs/api-reference/olmv1-api-reference.md | Updates API reference to show serviceAccount is optional/deprecated and fixes type description. |
| cmd/operator-controller/main.go | Removes SA-scoped rest config mapping and pre-authorization; wires shared revision engine; updates contentmanager init. |
| api/v1/validation_test.go | Updates API validation tests to not require serviceAccount. |
| api/v1/clusterextension_types.go | Deprecates spec.serviceAccount, makes it optional/omittable, and deprecates ServiceAccountReference type. |
| Makefile | Removes k8s-pin and switches verify to run tidy. |
Comments suppressed due to low confidence (1)
api/v1/clusterextension_types.go:389
ServiceAccountReferenceis now deprecated/ignored, but the field-level docs still state that the ServiceAccount is required for installation and must exist in the install namespace. This is misleading for API consumers reading Go docs / generated reference. Please update these comments to reflect that the referenced ServiceAccount is no longer used (and ideally that thenameis only validated if the deprecated object is provided).
// name is a required, immutable reference to the name of the ServiceAccount used for installation
// and management of the content for the package specified in the packageName field.
//
// This ServiceAccount must exist in the installNamespace.
//
// The name field follows the DNS subdomain standard as defined in [RFC 1123].
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
bc9005b to
dea367a
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 130 out of 137 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
25
to
29
| packageName: \${PACKAGE_NAME} | ||
| version: \${PACKAGE_VERSION} | ||
| install: | ||
| namespace: \${NAMESPACE} | ||
| serviceAccount: | ||
| name: \${SERVICE_ACCOUNT_NAME} | ||
| EOF |
There was a problem hiding this comment.
generate_cluster_extension is emitting an invalid ClusterExtension spec by putting the installation namespace under spec.install.namespace. The ClusterExtension API uses spec.namespace (and spec.install is for install options like preflights). Update the generated manifest to set spec.namespace: ${NAMESPACE} and remove the spec.install.namespace field so the generated CR is accepted by the API server.
dea367a to
927ea31
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2544 +/- ##
==========================================
+ Coverage 68.65% 68.82% +0.16%
==========================================
Files 131 125 -6
Lines 9333 8479 -854
==========================================
- Hits 6408 5836 -572
+ Misses 2436 2192 -244
+ Partials 489 451 -38
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
927ea31 to
26ea407
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 140 out of 147 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
167
to
168
| rres, err := c.RevisionEngine.Reconcile(ctx, *revision, opts...) | ||
| if err != nil { |
There was a problem hiding this comment.
ClusterExtensionRevisionReconciler assumes RevisionEngine is always non-nil and calls c.RevisionEngine.Reconcile(...). If RevisionEngine is accidentally not wired (e.g., in a future refactor or a new test/controller setup), this will panic. Consider adding an explicit nil check early in reconcile() that sets retrying conditions and returns a clear error instead of dereferencing a nil engine.
9db1069 to
e4b5853
Compare
Add a design document proposing changes to re-affirm OLM v1's single-tenant, cluster-admin-only operational model. The design covers deprecating the service account field, removing SingleNamespace/OwnNamespace install mode support, automating namespace management, and simplifying the content manager. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 103 out of 104 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (3)
internal/operator-controller/contentmanager/contentmanager.go:1
- This assumes every
client.Objectpassed intoWatchalready has its GVK populated, but typed objects commonly have an emptyGroupVersionKind()unless explicitly set. That can cause drift detection setup to fail at runtime. Prefer deriving GVK via the scheme (e.g.,apiutil.GVKForObject) or, forunstructured.Unstructured, fromGetAPIVersion()/GetKind(); this also avoids turning a bookkeeping detail into a hard error.
test/e2e/steps/hooks.go:1 - The scenario namespace is now created in
CreateScenarioContext, butScenarioCleanupdoesn’t appear to delete it. This can leak namespaces across E2E runs (especially locally or in shared clusters), causing resource buildup and potential name collisions over time. Consider adding the namespace to the cleanup deletion list (or explicitly deletingnamespace/<sc.namespace>inScenarioCleanup).
helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml:1 - This ClusterRole effectively replicates
cluster-admin. If the intent is to grant cluster-admin privileges, binding the ServiceAccount directly to the built-incluster-adminClusterRole via a ClusterRoleBinding avoids duplicating semantics in a custom role and reduces the chance of drift across Kubernetes versions.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Deprecated: This field is ignored. It will be removed in a future API version. | ||
| // | ||
| // +optional | ||
| ServiceAccount ServiceAccountReference `json:"serviceAccount,omitzero"` |
…fy operator model Implement the single-tenant simplification design to re-affirm OLM v1's cluster-admin-only operational model. Changes across work items: - 01-cluster-admin: Grant operator-controller cluster-admin ClusterRole (remove custom RBAC rules) - 02-deprecate-service-account: Mark spec.serviceAccount as deprecated and optional; remove from docs/examples/tooling - 03-remove-preflight-permissions: Remove PreflightPermissions feature gate and RBAC pre-authorization code - 04-remove-synthetic-permissions: Remove SyntheticPermissions feature gate and synthetic user/group authentication - 07-simplify-contentmanager: Remove per-extension REST config and use shared manager client for content management - 09-documentation: Resolve merge conflicts, add cleanup tracking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
e4b5853 to
19ea49f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Implement the single-tenant simplification design to re-affirm OLM v1's
cluster-admin-only operational model.
Changes across work items:
spec.serviceAccountas deprecated and optional; remove from docs/examples/toolingPreflightPermissionsfeature gate and RBAC pre-authorization codeSyntheticPermissionsfeature gate and synthetic user/group authenticationReviewer Checklist
Generated with Claude Code