IBM · rwhundley · Oct 8, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 10, 2024
diff --git a/Makefile b/Makefile
@@ -21,7 +21,10 @@
 BUILD_LOCALLY ?= 1
 
 # The namespace that operator will be deployed in
-NAMESPACE=ibm-common-services
+CONTROL_NS ?= ibm-common-services
+DATA_NS ?= $(CONTROL_NS)
+WATCH_NS ?= $(DATA_NS)
+
 GIT_COMMIT_ID=$(shell git rev-parse --short HEAD)
 GIT_REMOTE_URL=$(shell git config --get remote.origin.url)
 IMAGE_BUILD_OPTS=--build-arg "VCS_REF=$(GIT_COMMIT_ID)" --build-arg "VCS_URL=$(GIT_REMOTE_URL)"
@@ -362,7 +365,6 @@ bundle-render: ## Render the bundle contents into the local FBC index.
 	./hack/bundle-render $(IMG).v$(BUNDLE_VERSION) $(BUNDLE_IMG)
 
 TARGET_ARCH=$(LOCAL_ARCH)
-
 build-image: $(GO) $(CONFIG_DOCKER_TARGET) licenses-dir ## Build the Operator manager image
 	@echo "Building manager binary for linux/$(TARGET_ARCH)"
 	@CGO_ENABLED=0 GOOS=linux GOARCH=$(TARGET_ARCH) $(GO) build -a -o build/_output/bin/manager main.go
@@ -394,8 +396,8 @@ images: $(CONFIG_DOCKER_TARGET)  ## Build the multi-arch manifest.
 
 ##@ Deployment
 
-ifndef ignore-not-found
-  ignore-not-found = false
+ifndef IGNORE_NOT_FOUND
+  IGNORE_NOT_FOUND = false
 endif
 
 .PHONY: install
@@ -404,18 +406,36 @@ install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -f -
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
-	- oc apply -f config/samples/bases/operator_v1alpha1_authentication.yaml -n ${NAMESPACE}
+	kubectl get namespace $(CONTROL_NS) || kubectl create namespace $(CONTROL_NS)
+	kubectl get namespace $(DATA_NS) || kubectl create namespace $(DATA_NS)
+	cd config/manager/overlays/$(MODE) && $(KUSTOMIZE) edit set image controller=$(IMAGE_TAG_BASE):$(VERSION)
+	#@ 
+	WATCH_NS=$(WATCH_NS) $(YQ) -i 'with(.[] | select(.value.name == "WATCH_NAMESPACE") ; .value.value |= env(WATCH_NS))' \
+		config/manager/overlays/$(MODE)/image_env_vars_patch.yaml
+	$(KUSTOMIZE) build config/default/overlays/$(MODE) | kubectl apply -n $(CONTROL_NS) -f -
+	$(KUSTOMIZE) build config/samples/overlays/$(MODE) | kubectl apply -n $(DATA_NS) -f -
+
+cncf: manifests kustomize ## Generate manifests for use on CNCF clusters.
+	cd config/manager/overlays/cncf && $(KUSTOMIZE) edit set image controller=$(IMAGE_TAG_BASE):$(VERSION)
+	WATCH_NS=$(WATCH_NS) $(YQ) -i 'with(.[] | select(.value.name == "WATCH_NAMESPACE") ; .value.value |= env(WATCH_NS))' \
+		config/manager/overlays/cncf/image_env_vars_patch.yaml
+	$(KUSTOMIZE) build config/default/overlays/cncf > default.yml
+	$(KUSTOMIZE) build config/samples/overlays/cncf > authentication.yml
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	- oc delete -f config/samples/bases/operator_v1alpha1_authentication.yaml -n ${NAMESPACE}
-	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/samples/overlays/$(MODE) | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -n $(DATA_NS) -f -
+	$(KUSTOMIZE) build config/default/overlays/$(MODE) | kubectl delete --ignore-not-found=$(IGNORE_NOT_FOUND) -n $(CONTROL_NS) -f -
+	kubectl delete namespace $(DATA_NS)
+	[[ $(CONTROL_NS) == $(DATA_NS) ]] || kubectl delete namespace $(CONTROL_NS)
+
+.PHONY: bundle-push
+bundle-push: ## Push the bundle image.
+	$(MAKE) docker-push IMG=$(BUNDLE_IMG)
 
 # A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
 # These images MUST exist in a registry and be pull-able.

diff --git a/apis/operator/v1alpha1/authentication_types.go b/apis/operator/v1alpha1/authentication_types.go
@@ -269,10 +269,6 @@ type AuthenticationList struct {
 	Items           []Authentication `json:"items"`
 }
 
-func init() {
-	SchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
-}
-
 const AnnotationAuthMigrationComplete string = "authentication.operator.ibm.com/migration-complete"
 const AnnotationAuthRetainMigrationArtifacts string = "authentication.operator.ibm.com/retain-migration-artifacts"
 const AnnotationAuthDBSchemaVersion string = "authentication.operator.ibm.com/db-schema-version"
@@ -320,3 +316,8 @@ func (a *Authentication) GetDBSchemaVersion() string {
 func (a *Authentication) IsReady() bool {
 	return a.Status.Service.Status == "Ready"
 }
+
+func init() {
+	SchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
+	ODLMEnabledSchemeBuilder.Register(&Authentication{}, &AuthenticationList{})
+}
diff --git a/apis/operator/v1alpha1/groupversion_info.go b/apis/operator/v1alpha1/groupversion_info.go
@@ -33,4 +33,9 @@ var (
 
 	// AddToScheme adds the types in this group-version to the given scheme.
 	AddToScheme = SchemeBuilder.AddToScheme
+
+	// The following is a dedicated scheme for when ODLM is available on the cluster; it shares the same
+	// GroupVersion as Authentication
+	ODLMEnabledSchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+	AddODLMEnabledToScheme   = ODLMEnabledSchemeBuilder.AddToScheme
 )
diff --git a/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
     categories: Security
     certified: "false"
     containerImage: icr.io/cpopen/ibm-iam-operator:4.9.0
-    createdAt: "2024-10-14T17:39:53Z"
+    createdAt: "2024-11-15T10:02:00Z"
     description: The IAM operator provides a simple Kubernetes CRD-Based API to manage the lifecycle of IAM services. With this operator, you can simply deploy and upgrade the IAM services
     olm.skipRange: <4.9.0
     operators.operatorframework.io/builder: operator-sdk-v1.37.0
@@ -334,11 +334,6 @@ spec:
                   - command:
                       - ibm-iam-operator
                     env:
-                      - name: WATCH_NAMESPACE
-                        valueFrom:
-                          configMapKeyRef:
-                            name: namespace-scope
-                            key: namespaces
                       - name: POD_NAME
                         valueFrom:
                           fieldRef:
@@ -360,6 +355,11 @@ spec:
                         value: icr.io/cpopen/cpfs/icp-identity-manager:4.9.0
                       - name: IM_INITCONTAINER_IMAGE
                         value: icr.io/cpopen/cpfs/im-initcontainer:4.9.0
+                      - name: WATCH_NAMESPACE
+                        valueFrom:
+                          configMapKeyRef:
+                            name: namespace-scope
+                            key: namespaces
                     image: icr.io/cpopen/ibm-iam-operator:4.9.0
                     imagePullPolicy: IfNotPresent
                     name: ibm-iam-operator
@@ -386,32 +386,6 @@ spec:
                 serviceAccountName: ibm-iam-operator
       permissions:
         - rules:
-            - apiGroups:
-                - route.openshift.io
-              resources:
-                - routes
-              verbs:
-                - get
-                - list
-                - watch
-                - create
-                - delete
-                - update
-                - patch
-            - apiGroups:
-                - route.openshift.io
-              resources:
-                - routes/custom-host
-              verbs:
-                - create
-            - apiGroups:
-                - route.openshift.io
-              resources:
-                - routes/status
-              verbs:
-                - get
-                - list
-                - watch
             - apiGroups:
                 - ""
               resources:
@@ -460,13 +434,6 @@ spec:
                 - patch
                 - update
                 - watch
-            - apiGroups:
-                - monitoring.coreos.com
-              resources:
-                - servicemonitors
-              verbs:
-                - get
-                - create
             - apiGroups:
                 - apps
               resourceNames:
@@ -523,26 +490,6 @@ spec:
                 - get
                 - list
                 - create
-            - apiGroups:
-                - operator.ibm.com
-              resources:
-                - operandrequests
-              verbs:
-                - create
-                - get
-                - list
-                - patch
-                - watch
-                - update
-                - delete
-            - apiGroups:
-                - operator.ibm.com
-              resources:
-                - operandrequests/status
-              verbs:
-                - watch
-                - get
-                - list
             - apiGroups:
                 - cert-manager.io
               resources:
@@ -622,6 +569,52 @@ spec:
                 - patch
                 - update
                 - watch
+            - apiGroups:
+                - route.openshift.io
+              resources:
+                - routes
+              verbs:
+                - get
+                - list
+                - watch
+                - create
+                - delete
+                - update
+                - patch
+            - apiGroups:
+                - route.openshift.io
+              resources:
+                - routes/custom-host
+              verbs:
+                - create
+            - apiGroups:
+                - route.openshift.io
+              resources:
+                - routes/status
+              verbs:
+                - get
+                - list
+                - watch
+            - apiGroups:
+                - operator.ibm.com
+              resources:
+                - operandrequests
+              verbs:
+                - create
+                - get
+                - list
+                - patch
+                - watch
+                - update
+                - delete
+            - apiGroups:
+                - operator.ibm.com
+              resources:
+                - operandrequests/status
+              verbs:
+                - watch
+                - get
+                - list
           serviceAccountName: ibm-iam-operator
     strategy: deployment
   installModes:

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -6,7 +6,6 @@ resources:
 - bases/operator.ibm.com_authentications.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_clients.yaml
@@ -22,3 +21,5 @@ patchesStrategicMerge:
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
diff --git a/config/crd/patches/cainjection_in_oidc.security_clients.yaml b/config/crd/patches/cainjection_in_oidc.security_clients.yaml
diff --git a/config/crd/patches/cainjection_in_operator_authentications.yaml b/config/crd/patches/cainjection_in_operator_authentications.yaml
diff --git a/config/crd/patches/webhook_in_oidc.security_clients.yaml b/config/crd/patches/webhook_in_oidc.security_clients.yaml
diff --git a/config/crd/patches/webhook_in_operator_authentications.yaml b/config/crd/patches/webhook_in_operator_authentications.yaml
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml