diff --git a/manifests/0000_20_cluster-api-tls-config_role.yaml b/manifests/0000_20_cluster-api-tls-config_role.yaml index 15a8a53b4..5b556a9e7 100644 --- a/manifests/0000_20_cluster-api-tls-config_role.yaml +++ b/manifests/0000_20_cluster-api-tls-config_role.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: CompatibilityRequirements name: system:openshift:openshift-cluster-api:read-tls-configuration rules: - apiGroups: diff --git a/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml b/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml index 5409e3f8e..b046192aa 100644 --- a/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml +++ b/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml b/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml index b67e022f6..6cf086e57 100644 --- a/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml +++ b/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements --- apiVersion: v1 kind: Secret 
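Review bot: The ClusterRole `system:openshift:openshift-cluster-api:read-tls-configuration` in the first hunk is now gated on `CompatibilityRequirements` alone, yet later hunks in this diff add `capability.openshift.io/name: ClusterAPI` to bindings whose `roleRef` names this same role (`0000_30_cluster-api-operator_04_clusterrolebinding.yaml` at `-26,6 +27,7` and `0000_30_cluster-api_04_rbac_bindings.yaml` at `-45,6 +47,7`). If a cluster can enable ClusterAPI without CompatibilityRequirements, those bindings would point at a role that is never created and grant nothing, which fails closed but presumably leaves the Cluster API components unable to read the TLS configuration. Nothing visible here shows that ClusterAPI implies CompatibilityRequirements, so either confirm that dependency and record it beside the annotation, e.g. `# also bound by ClusterAPI manifests; ClusterAPI must imply CompatibilityRequirements`, or ship the role under a gating that both consumers satisfy. The role's `rules` continue outside the hunk.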
@@ -21,4 +22,5 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements type: kubernetes.io/service-account-token diff --git a/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml b/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml index e33f1ecd4..b7c4c3c84 100644 --- a/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml +++ b/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements name: system:openshift:openshift-compatibility-requirements-operator:compatibility-requirements-controllers rules: - apiGroups: @@ -62,6 +63,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements rules: - apiGroups: - "" @@ -82,6 +84,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements rules: - apiGroups: - "" diff --git a/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml b/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml index 1f98b7f92..22cb8b99f 100644 --- a/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml +++ b/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml 
@@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:openshift-compatibility-requirements-operator:compatibility-requirements-controllers @@ -27,6 +28,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: Role name: compatibility-requirements-controllers @@ -45,6 +47,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration @@ -64,6 +67,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:compatibility-requirements-events diff --git a/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml b/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml index 28408140c..1ced1c975 100644 --- a/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml +++ b/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml 
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements service.beta.openshift.io/serving-cert-secret-name: compatibility-requirements-controllers-metrics-tls name: compatibility-requirements-controllers-metrics namespace: openshift-compatibility-requirements-operator diff --git a/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml b/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml index 1229faeef..40f0cdae3 100644 --- a/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml +++ b/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements service.beta.openshift.io/serving-cert-secret-name: compatibility-requirements-controllers-webhook-service-cert name: compatibility-requirements-controllers-webhook-service namespace: openshift-compatibility-requirements-operator diff --git a/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml b/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml index 98ff3e904..d789618e7 100644 --- a/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml +++ b/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements labels: k8s-app: compatibility-requirements-controllers spec: 
diff --git a/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml b/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml index 6a2f69438..0a9a17e63 100644 --- a/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml +++ b/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml @@ -20,6 +20,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator + capability.openshift.io/name: CompatibilityRequirements name: allow-egress-compatibility-requirements-controllers namespace: openshift-compatibility-requirements-operator spec: diff --git a/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml b/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml index e7dc352df..8ed7374a8 100644 --- a/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml +++ b/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator + capability.openshift.io/name: CompatibilityRequirements name: allow-ingress-to-webhook namespace: openshift-compatibility-requirements-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_00_namespace.yaml b/manifests/0000_30_cluster-api-operator_00_namespace.yaml index 440cbd11b..4364a53fc 100644 --- a/manifests/0000_30_cluster-api-operator_00_namespace.yaml +++ b/manifests/0000_30_cluster-api-operator_00_namespace.yaml 
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_30_cluster-api-operator_00_tombstones.yaml b/manifests/0000_30_cluster-api-operator_00_tombstones.yaml index 7333e602b..ad0770618 100644 --- a/manifests/0000_30_cluster-api-operator_00_tombstones.yaml +++ b/manifests/0000_30_cluster-api-operator_00_tombstones.yaml @@ -11,3 +11,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml b/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml index 5732519c1..bed7c320d 100644 --- a/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml +++ b/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-operator namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml b/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml index 409bfee02..2b1f2c63b 100644 --- a/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml +++ b/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml 
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-operator-metrics-tls name: capi-operator-metrics namespace: openshift-cluster-api-operator diff --git a/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml b/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml index 075f87143..f381442af 100644 --- a/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml +++ b/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml @@ -9,3 +9,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml index bcd9f2c60..b81c837f9 100644 --- a/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-installer-metrics-tls name: capi-installer-metrics namespace: openshift-cluster-api-operator diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml index ae0deabb9..a2473568d 100644 
--- a/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml @@ -9,3 +9,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml index d26c64399..87374772c 100644 --- a/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-installer namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml b/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml index f185e8152..664562ee3 100644 --- a/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml +++ b/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: prometheus-k8s namespace: openshift-cluster-api-operator rules: diff --git a/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml b/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml index 35cea38f6..1312cee48 100644 
--- a/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: prometheus-k8s namespace: openshift-cluster-api-operator roleRef: diff --git a/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml b/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml index 2f489e303..a271cc23f 100644 --- a/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml +++ b/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: openshift-capi-operator rules: # Being an installer, the required RBAC is necessarily a lot diff --git a/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml b/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml index 64eb10129..7c068b747 100644 --- a/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
diff --git a/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml b/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml index d372cdaae..b68ddec6b 100644 --- a/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: openshift-capi-operator @@ -26,6 +27,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration diff --git a/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml b/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml index 4d50cfbc5..9e3aa7bdd 100644 --- a/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml +++ b/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml @@ -10,6 +10,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-egress-operators namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml b/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml index cf83d63ce..8df2bd312 100644 --- a/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml 
+++ b/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI data: aws-cluster-api-controllers: registry.ci.openshift.org/openshift:aws-cluster-api-controllers azure-cluster-api-controllers: registry.ci.openshift.org/openshift:azure-cluster-api-controllers diff --git a/manifests/0000_30_cluster-api-operator_06_deployment.yaml b/manifests/0000_30_cluster-api-operator_06_deployment.yaml index 49480bdb5..f3a49293b 100644 --- a/manifests/0000_30_cluster-api-operator_06_deployment.yaml +++ b/manifests/0000_30_cluster-api-operator_06_deployment.yaml @@ -10,6 +10,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI labels: k8s-app: capi-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml b/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml index 62dbf6d28..6a3475ed5 100644 --- a/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml +++ b/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml @@ -7,5 +7,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI release.openshift.io/create-only: "true" spec: {} diff --git a/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml b/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml index 5285c28b9..65e2cfc1e 100644 --- a/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml 
+++ b/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: {} status: versions: diff --git a/manifests/0000_30_cluster-api_00_namespace.yaml b/manifests/0000_30_cluster-api_00_namespace.yaml index 50625cf95..4c88ac8af 100644 --- a/manifests/0000_30_cluster-api_00_namespace.yaml +++ b/manifests/0000_30_cluster-api_00_namespace.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml b/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml index 9f5c31c2c..c41256b59 100644 --- a/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml +++ b/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml @@ -13,6 +13,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: Secret @@ -25,6 +26,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: ConfigMap 
@@ -37,6 +39,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -48,6 +51,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -60,6 +64,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -71,6 +76,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -83,6 +89,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: apps/v1 kind: Deployment @@ -95,6 +102,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration 
@@ -106,6 +114,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: Service @@ -116,5 +125,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: cluster-capi-operator-webhook-service namespace: openshift-cluster-api diff --git a/manifests/0000_30_cluster-api_01_credentials-request.yaml b/manifests/0000_30_cluster-api_01_credentials-request.yaml index 47501da0c..82e7b26cc 100644 --- a/manifests/0000_30_cluster-api_01_credentials-request.yaml +++ b/manifests/0000_30_cluster-api_01_credentials-request.yaml @@ -4,7 +4,7 @@ metadata: name: openshift-cluster-api-aws namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement,ClusterAPIMachineManagementAWS" @@ -67,7 +67,7 @@ metadata: name: openshift-cluster-api-azure namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" 
@@ -147,7 +147,7 @@ metadata: name: openshift-cluster-api-gcp namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" @@ -221,7 +221,7 @@ metadata: name: openshift-cluster-api-openstack namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-set: CustomNoUpgrade,TechPreviewNoUpgrade @@ -239,7 +239,7 @@ metadata: name: openshift-cluster-api-powervs namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" @@ -270,6 +270,7 @@ metadata: name: openshift-cluster-api-vsphere namespace: openshift-cloud-credential-operator annotations: + capability.openshift.io/name: ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" 
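Review bot: The `openshift-cluster-api-vsphere` entry in the `-270,6 +270,7` hunk gets `capability.openshift.io/name: ClusterAPI`, while the five entries changed above it in the same file get `CloudCredential+ClusterAPI`; the `openshift-cluster-api-baremetal` entry in the next hunk (`-287,6 +288,7`) has the same difference. Both live in `openshift-cloud-credential-operator` like the others, so with CloudCredential disabled and ClusterAPI enabled these two would still be applied, presumably against an API that capability provides (the `kind` is outside the hunk). If the difference is not deliberate, use `capability.openshift.io/name: CloudCredential+ClusterAPI` on both; if it is, a one-line comment saying why these two platforms do not need CloudCredential would keep the credential gating auditable.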
@@ -287,6 +288,7 @@ metadata: name: openshift-cluster-api-baremetal namespace: openshift-cloud-credential-operator annotations: + capability.openshift.io/name: ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" diff --git a/manifests/0000_30_cluster-api_02_service_account.yaml b/manifests/0000_30_cluster-api_02_service_account.yaml index 7d661a734..166266633 100644 --- a/manifests/0000_30_cluster-api_02_service_account.yaml +++ b/manifests/0000_30_cluster-api_02_service_account.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- # Required by the kubeconfig controller. Can be removed when the kubeconfig # controller is removed. @@ -23,5 +24,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI release.openshift.io/create-only: "true" type: kubernetes.io/service-account-token diff --git a/manifests/0000_30_cluster-api_02_webhook-service.yaml b/manifests/0000_30_cluster-api_02_webhook-service.yaml index 6946deee9..d5bc5f10c 100644 --- a/manifests/0000_30_cluster-api_02_webhook-service.yaml +++ b/manifests/0000_30_cluster-api_02_webhook-service.yaml 
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-controllers-webhook-service-cert name: capi-controllers-webhook-service namespace: openshift-cluster-api diff --git a/manifests/0000_30_cluster-api_03_rbac_roles.yaml b/manifests/0000_30_cluster-api_03_rbac_roles.yaml index 26068a139..b2fe5e0db 100644 --- a/manifests/0000_30_cluster-api_03_rbac_roles.yaml +++ b/manifests/0000_30_cluster-api_03_rbac_roles.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: openshift-capi-controllers rules: - apiGroups: @@ -24,6 +25,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-controllers namespace: openshift-cluster-api rules: @@ -42,6 +44,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: cluster-capi-operator-pull-secret namespace: openshift-config rules: diff --git a/manifests/0000_30_cluster-api_04_rbac_bindings.yaml b/manifests/0000_30_cluster-api_04_rbac_bindings.yaml index 44aeef10e..a8aea59cf 100644 --- a/manifests/0000_30_cluster-api_04_rbac_bindings.yaml +++ b/manifests/0000_30_cluster-api_04_rbac_bindings.yaml 
@@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: openshift-capi-controllers @@ -27,6 +28,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: Role name: capi-controllers @@ -45,6 +47,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration @@ -64,6 +67,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: Role name: cluster-capi-operator-pull-secret diff --git a/manifests/0000_30_cluster-api_10_metrics-service.yaml b/manifests/0000_30_cluster-api_10_metrics-service.yaml index f96d418fd..286cdc22a 100644 --- a/manifests/0000_30_cluster-api_10_metrics-service.yaml +++ b/manifests/0000_30_cluster-api_10_metrics-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-controllers-metrics-tls name: capi-controllers-metrics namespace: openshift-cluster-api 
diff --git a/manifests/0000_30_cluster-api_10_webhooks.yaml b/manifests/0000_30_cluster-api_10_webhooks.yaml index ce44dabd5..1e4e09065 100644 --- a/manifests/0000_30_cluster-api_10_webhooks.yaml +++ b/manifests/0000_30_cluster-api_10_webhooks.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/inject-cabundle: "true" name: openshift-capi-controllers webhooks: diff --git a/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml b/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml index 6a6da46fc..cb92e4a89 100644 --- a/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml +++ b/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml @@ -19,6 +19,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-controllers namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml b/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml index fc48999dd..f45f85a0e 100644 --- a/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml +++ b/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml 
@@ -21,6 +21,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-operators namespace: openshift-cluster-api-operator spec: @@ -49,6 +50,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-operators namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml b/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml index 70f1e10d7..9b81c5056 100644 --- a/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml +++ b/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml @@ -19,6 +19,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-egress-controllers namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_15_default-deny.yaml b/manifests/0000_30_cluster-api_15_default-deny.yaml index c0aa8051d..a9caa9bd2 100644 --- a/manifests/0000_30_cluster-api_15_default-deny.yaml +++ b/manifests/0000_30_cluster-api_15_default-deny.yaml 
@@ -24,6 +24,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: # Exclude CAPI pods that need network access: This is done by the other policies # - control-plane: CAPI controller manager pods (capg, capi, capa, capz, etc.) @@ -46,6 +47,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: # Exclude CAPI pods that need network access: This is done by the other policies # - control-plane: CAPI controller manager pods (capg, capi, capa, capz, etc.) diff --git a/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml b/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml new file mode 100644 index 000000000..0b44080fa --- /dev/null +++ b/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml 
@@ -0,0 +1,60 @@
+# These NetworkPolicies allows egress traffic required for the CAPI operator
+# deployments.
+# The operator needs broad internet access for cluster management operations,
+# cloud provider API calls, and communication with various services.
+#
+# This policy allows all egress traffic from the capi-controllers pod, which is
+# necessary because the operator needs to communicate with:
+# - Kubernetes API server for cluster management operations
+# - Cloud provider APIs for infrastructure management
+# - Container registries and other external services
+#
+# This approach is more practical than overly granular rules since the operator
+# needs broad access to function properly in various environments.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ exclude.release.openshift.io/internal-openshift-hosted: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ release.openshift.io/feature-gate: "ClusterAPIMachineManagement"
+ capability.openshift.io/name: ClusterAPI
+ name: allow-egress-operators
+ namespace: openshift-cluster-api
+spec:
+ egress:
+ # Allow all egress traffic - operator needs broad access
+ - {} # Empty rule allows all egress
+ podSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values:
+ - capi-controllers
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ exclude.release.openshift.io/internal-openshift-hosted: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ release.openshift.io/feature-gate: "ClusterAPIMachineManagement"
+ capability.openshift.io/name: ClusterAPI
+ name: allow-egress-operators
+ namespace: openshift-cluster-api-operator
+spec:
+ egress:
+ # Allow all egress traffic - operator needs broad access
+ - {} # Empty rule allows all egress
+ podSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - capi-operator + policyTypes: + - Egress diff --git a/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml b/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml index 450244355..576ba4e07 100644 --- a/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml +++ b/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml @@ -22,6 +22,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-webhook namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_17_deployment.yaml b/manifests/0000_30_cluster-api_17_deployment.yaml index 06f6cbc0a..379189140 100644 --- a/manifests/0000_30_cluster-api_17_deployment.yaml +++ b/manifests/0000_30_cluster-api_17_deployment.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI labels: k8s-app: capi-controllers spec:
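Review bot: Both `- {}` egress rules in the new manifests/0000_30_cluster-api_16_allow-egress-operators.yaml permit every destination, port and protocol for the pods labelled `k8s-app: capi-controllers` and `k8s-app: capi-operator`. NetworkPolicies are additive, so for those pods the egress side of the default-deny policies in 0000_30_cluster-api_15_default-deny.yaml no longer limits anything. If the traffic listed in the header comment (API server, cloud provider APIs, registries) is all that is needed, a `ports:` list on each rule would keep a boundary on what a compromised operator pod can reach; the exact ports are not visible in this diff and need confirming with the operator's owners. The header comment also speaks of one policy for "the capi-controllers pod" while the file defines two, so it should name both, e.g. `# The two policies below allow all egress from the capi-controllers pods (openshift-cluster-api) and the capi-operator pods (openshift-cluster-api-operator).` The existing `allow-egress-controllers` policy in `openshift-cluster-api` may already cover the controllers; its rules are outside this diff, so the overlap is worth checking.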