From 670b93eb22f145c6699656982ca784ba451691c1 Mon Sep 17 00:00:00 2001 
From: miyadav Date: Wed, 10 Jun 2026 13:42:36 +0100 Subject: [PATCH 1/3] [Draft] - Adding annotations to manifests for CVO --- .../0000_20_cluster-api-tls-config_role.yaml | 1 + ...rd-compatibility-checker_00_namespace.yaml | 1 + ...patibility-checker_02_service_account.yaml | 2 + ...d-compatibility-checker_03_rbac_roles.yaml | 3 + ...ompatibility-checker_04_rbac_bindings.yaml | 4 + ...patibility-checker_05_metrics-service.yaml | 1 + ...patibility-checker_07_webhook-service.yaml | 1 + ...d-compatibility-checker_08_deployment.yaml | 1 + ...ity-checker_09_allow-egress-operators.yaml | 1 + ...y-checker_10_allow-ingress-to-webhook.yaml | 1 + ...0_cluster-api-installer_05_deployment.yaml | 161 ++++++++++++++++++ ..._30_cluster-api-operator_00_namespace.yaml | 1 + ...30_cluster-api-operator_00_tombstones.yaml | 1 + ...uster-api-operator_01_metrics-service.yaml | 1 + ...luster-api-operator_01_serviceaccount.yaml | 1 + ...0_cluster-api-operator_03_clusterrole.yaml | 1 + ...er-api-operator_04_clusterrolebinding.yaml | 2 + ...30_cluster-api-operator_07_clusterapi.yaml | 1 + ...uster-api-operator_08_clusteroperator.yaml | 1 + .../0000_30_cluster-api_00_namespace.yaml | 1 + ...0_cluster-api_00_tombstones-4.22-tpnu.yaml | 10 ++ ...30_cluster-api_01_credentials-request.yaml | 12 +- ...000_30_cluster-api_02_service_account.yaml | 2 + ...000_30_cluster-api_02_webhook-service.yaml | 1 + .../0000_30_cluster-api_03_rbac_roles.yaml | 3 + .../0000_30_cluster-api_04_rbac_bindings.yaml | 4 + ...000_30_cluster-api_10_metrics-service.yaml | 1 + .../0000_30_cluster-api_10_webhooks.yaml | 1 + ..._allow-ingress-to-metrics-controllers.yaml | 1 + ...12_allow-ingress-to-metrics-operators.yaml | 2 + ...uster-api_13_allow-egress-controllers.yaml | 1 + .../0000_30_cluster-api_15_default-deny.yaml | 2 + ...cluster-api_16_allow-egress-operators.yaml | 60 +++++++ ...uster-api_16_allow-ingress-to-webhook.yaml | 1 + .../0000_30_cluster-api_17_deployment.yaml | 1 + 35 files changed, 284 insertions(+), 5 
deletions(-) create mode 100644 manifests/0000_30_cluster-api-installer_05_deployment.yaml create mode 100644 manifests/0000_30_cluster-api_16_allow-egress-operators.yaml diff --git a/manifests/0000_20_cluster-api-tls-config_role.yaml b/manifests/0000_20_cluster-api-tls-config_role.yaml index 15a8a53b4..b030ffea2 100644 --- a/manifests/0000_20_cluster-api-tls-config_role.yaml +++ b/manifests/0000_20_cluster-api-tls-config_role.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: system:openshift:openshift-cluster-api:read-tls-configuration rules: - apiGroups: diff --git a/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml b/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml index 5409e3f8e..b046192aa 100644 --- a/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml +++ b/manifests/0000_20_crd-compatibility-checker_00_namespace.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml b/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml index b67e022f6..6cf086e57 100644 --- a/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml +++ b/manifests/0000_20_crd-compatibility-checker_02_service_account.yaml 
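Review bot: The ClusterRole `system:openshift:openshift-cluster-api:read-tls-configuration` is gated here on `ClusterAPI`, but it is also the `roleRef` of a binding in `0000_20_crd-compatibility-checker_04_rbac_bindings.yaml` that this patch gates on `CompatibilityRequirements`. A capability annotation excludes the manifest unless every listed capability is enabled, so a cluster with CompatibilityRequirements on and ClusterAPI off would get the binding without the role. A binding to a missing role grants nothing, so the subject of that binding would lose read access to the TLS configuration. If the two capabilities can be enabled independently, either leave this shared role without a capability annotation or ship a copy of it with the CompatibilityRequirements manifests. Only the role's metadata is inside the hunk; its rules continue outside it.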
@@ -9,6 +9,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements --- apiVersion: v1 kind: Secret @@ -21,4 +22,5 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements type: kubernetes.io/service-account-token diff --git a/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml b/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml index e33f1ecd4..b7c4c3c84 100644 --- a/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml +++ b/manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements name: system:openshift:openshift-compatibility-requirements-operator:compatibility-requirements-controllers rules: - apiGroups: @@ -62,6 +63,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements rules: - apiGroups: - "" @@ -82,6 +84,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements rules: - apiGroups: - "" 
diff --git a/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml b/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml index 1f98b7f92..22cb8b99f 100644 --- a/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml +++ b/manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:openshift-compatibility-requirements-operator:compatibility-requirements-controllers @@ -27,6 +28,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: Role name: compatibility-requirements-controllers @@ -45,6 +47,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration @@ -64,6 +67,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements roleRef: kind: ClusterRole name: system:openshift:compatibility-requirements-events 
diff --git a/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml b/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml index 28408140c..1ced1c975 100644 --- a/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml +++ b/manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements service.beta.openshift.io/serving-cert-secret-name: compatibility-requirements-controllers-metrics-tls name: compatibility-requirements-controllers-metrics namespace: openshift-compatibility-requirements-operator diff --git a/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml b/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml index 1229faeef..40f0cdae3 100644 --- a/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml +++ b/manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements service.beta.openshift.io/serving-cert-secret-name: compatibility-requirements-controllers-webhook-service-cert name: compatibility-requirements-controllers-webhook-service namespace: openshift-compatibility-requirements-operator diff --git a/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml b/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml index 98ff3e904..d789618e7 100644 --- a/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml +++ b/manifests/0000_20_crd-compatibility-checker_08_deployment.yaml 
@@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "CRDCompatibilityRequirementOperator" + capability.openshift.io/name: CompatibilityRequirements labels: k8s-app: compatibility-requirements-controllers spec: diff --git a/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml b/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml index 6a2f69438..0a9a17e63 100644 --- a/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml +++ b/manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml @@ -20,6 +20,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator + capability.openshift.io/name: CompatibilityRequirements name: allow-egress-compatibility-requirements-controllers namespace: openshift-compatibility-requirements-operator spec: diff --git a/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml b/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml index e7dc352df..8ed7374a8 100644 --- a/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml +++ b/manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator + capability.openshift.io/name: CompatibilityRequirements name: allow-ingress-to-webhook namespace: openshift-compatibility-requirements-operator spec: 
diff --git a/manifests/0000_30_cluster-api-installer_05_deployment.yaml b/manifests/0000_30_cluster-api-installer_05_deployment.yaml new file mode 100644 index 000000000..2517f76ec --- /dev/null +++ b/manifests/0000_30_cluster-api-installer_05_deployment.yaml 
@@ -0,0 +1,161 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: capi-operator + namespace: openshift-cluster-api-operator + annotations: + config.openshift.io/inject-proxy: capi-operator + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + exclude.release.openshift.io/internal-openshift-hosted: "true" + release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI + labels: + k8s-app: capi-operator +spec: + selector: + matchLabels: + k8s-app: capi-operator + replicas: 1 + template: + metadata: + annotations: + target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' + openshift.io/required-scc: restricted-v2 + labels: + k8s-app: capi-operator + spec: + serviceAccountName: capi-operator + containers: + - name: capi-operator + image: registry.ci.openshift.org/openshift:cluster-capi-operator + command: + - /capi-operator + args: + - --diagnostics-address=:8443 + env: + - name: RELEASE_VERSION + value: "0.0.1-snapshot" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: 9440 + name: health + protocol: TCP + - containerPort: 8443 + name: diagnostics + protocol: TCP + resources: + requests: + cpu: 10m + memory: 50Mi + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - name: metrics-cert + mountPath: /tmp/k8s-metrics-server/serving-certs + readOnly: true + - name: provider-aws + mountPath: /var/lib/provider-images/aws-cluster-api-controllers + readOnly: true + - name: provider-azure + mountPath: /var/lib/provider-images/azure-cluster-api-controllers + readOnly: true + - name: provider-baremetal + mountPath: /var/lib/provider-images/baremetal-cluster-api-controllers + readOnly: true + - name: provider-cluster-capi-controllers + mountPath: 
/var/lib/provider-images/cluster-capi-controllers + readOnly: true + - name: provider-cluster-capi-operator + mountPath: /var/lib/provider-images/cluster-capi-operator + readOnly: true + - name: provider-gcp + mountPath: /var/lib/provider-images/gcp-cluster-api-controllers + readOnly: true + - name: provider-ibmcloud + mountPath: /var/lib/provider-images/ibmcloud-cluster-api-controllers + readOnly: true + - name: provider-openstack + mountPath: /var/lib/provider-images/openstack-cluster-api-controllers + readOnly: true + - name: provider-openstack-resource-controller + mountPath: /var/lib/provider-images/openstack-resource-controller + readOnly: true + - name: provider-vsphere + mountPath: /var/lib/provider-images/vsphere-cluster-api-controllers + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 9440 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 9440 + initialDelaySeconds: 5 + periodSeconds: 10 + nodeSelector: + node-role.kubernetes.io/control-plane: "" + priorityClassName: system-node-critical + restartPolicy: Always + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + volumes: + - name: metrics-cert + secret: + defaultMode: 420 + secretName: capi-operator-metrics-tls + - name: provider-aws + image: + reference: registry.ci.openshift.org/openshift:aws-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-azure + image: + reference: registry.ci.openshift.org/openshift:azure-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-baremetal + image: + reference: registry.ci.openshift.org/openshift:baremetal-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-cluster-capi-controllers + image: + reference: registry.ci.openshift.org/openshift:cluster-capi-controllers + pullPolicy: IfNotPresent + - name: 
provider-cluster-capi-operator + image: + reference: registry.ci.openshift.org/openshift:cluster-capi-operator + pullPolicy: IfNotPresent + - name: provider-gcp + image: + reference: registry.ci.openshift.org/openshift:gcp-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-ibmcloud + image: + reference: registry.ci.openshift.org/openshift:ibmcloud-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-openstack + image: + reference: registry.ci.openshift.org/openshift:openstack-cluster-api-controllers + pullPolicy: IfNotPresent + - name: provider-openstack-resource-controller + image: + reference: registry.ci.openshift.org/openshift:openstack-resource-controller + pullPolicy: IfNotPresent + - name: provider-vsphere + image: + reference: registry.ci.openshift.org/openshift:vsphere-cluster-api-controllers + pullPolicy: IfNotPresent diff --git a/manifests/0000_30_cluster-api-operator_00_namespace.yaml b/manifests/0000_30_cluster-api-operator_00_namespace.yaml index 440cbd11b..4364a53fc 100644 --- a/manifests/0000_30_cluster-api-operator_00_namespace.yaml +++ b/manifests/0000_30_cluster-api-operator_00_namespace.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_30_cluster-api-operator_00_tombstones.yaml b/manifests/0000_30_cluster-api-operator_00_tombstones.yaml index 7333e602b..ad0770618 100644 --- a/manifests/0000_30_cluster-api-operator_00_tombstones.yaml +++ b/manifests/0000_30_cluster-api-operator_00_tombstones.yaml 
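Review bot: The new `capi-operator` Deployment declares no `securityContext` at pod or container level; the only hardening signal is the `openshift.io/required-scc: restricted-v2` annotation on the pod template. Spelling out the restricted settings makes the manifest self-describing and keeps the pod locked down if it is ever admitted under a different SCC or evaluated by Pod Security admission. The fence below adds a pod-level and a container-level `securityContext`. `readOnlyRootFilesystem` is included on the assumption that the operator writes nothing outside its mounts, which should be confirmed first. The pod also runs on control-plane nodes with `priorityClassName: system-node-critical`, which is one more reason to pin its privileges explicitly.

```yaml
    spec:
      serviceAccountName: capi-operator
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: capi-operator
        # … unchanged: image, command, args, env, ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          # confirm the operator writes nothing outside its mounted volumes
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        # … unchanged: volumeMounts, livenessProbe, readinessProbe …
```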
@@ -11,3 +11,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml b/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml index 409bfee02..2b1f2c63b 100644 --- a/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml +++ b/manifests/0000_30_cluster-api-operator_01_metrics-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-operator-metrics-tls name: capi-operator-metrics namespace: openshift-cluster-api-operator diff --git a/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml b/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml index 075f87143..f381442af 100644 --- a/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml +++ b/manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml @@ -9,3 +9,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml b/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml index 2f489e303..a271cc23f 100644 --- a/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml +++ b/manifests/0000_30_cluster-api-operator_03_clusterrole.yaml 
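Review bot: Gating the tombstone in `0000_30_cluster-api-operator_00_tombstones.yaml` on `ClusterAPI` ties cleanup to the capability: where ClusterAPI is not enabled the manifest is filtered out, so the object it is meant to remove would stay. The same annotation is added to every document of `0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml`, which covers a Secret, ClusterRole, ClusterRoleBinding, Role, RoleBinding, Deployment, ValidatingWebhookConfiguration and Service. If a cluster can hold those objects while the capability is off, the leftovers are stale RBAC and a webhook configuration whose backing service may be gone. It is worth confirming that this state cannot occur, or leaving the tombstones ungated. The deletion marker itself is outside the hunks, so this assumes the files do what their names say.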
@@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: openshift-capi-operator rules: # Being an installer, the required RBAC is necessarily a lot diff --git a/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml b/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml index d372cdaae..b68ddec6b 100644 --- a/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: openshift-capi-operator @@ -26,6 +27,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration diff --git a/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml b/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml index 62dbf6d28..6a3475ed5 100644 --- a/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml +++ b/manifests/0000_30_cluster-api-operator_07_clusterapi.yaml @@ -7,5 +7,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI release.openshift.io/create-only: "true" spec: {} 
diff --git a/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml b/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml index 5285c28b9..65e2cfc1e 100644 --- a/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml +++ b/manifests/0000_30_cluster-api-operator_08_clusteroperator.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: {} status: versions: diff --git a/manifests/0000_30_cluster-api_00_namespace.yaml b/manifests/0000_30_cluster-api_00_namespace.yaml index 50625cf95..4c88ac8af 100644 --- a/manifests/0000_30_cluster-api_00_namespace.yaml +++ b/manifests/0000_30_cluster-api_00_namespace.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI openshift.io/node-selector: "" workload.openshift.io/allowed: "management" labels: diff --git a/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml b/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml index 9f5c31c2c..c41256b59 100644 --- a/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml +++ b/manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml @@ -13,6 +13,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: Secret 
@@ -25,6 +26,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: ConfigMap @@ -37,6 +39,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -48,6 +51,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -60,6 +64,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -71,6 +76,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -83,6 +89,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: apps/v1 kind: Deployment 
@@ -95,6 +102,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -106,6 +114,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- apiVersion: v1 kind: Service @@ -116,5 +125,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: cluster-capi-operator-webhook-service namespace: openshift-cluster-api diff --git a/manifests/0000_30_cluster-api_01_credentials-request.yaml b/manifests/0000_30_cluster-api_01_credentials-request.yaml index 47501da0c..82e7b26cc 100644 --- a/manifests/0000_30_cluster-api_01_credentials-request.yaml +++ b/manifests/0000_30_cluster-api_01_credentials-request.yaml @@ -4,7 +4,7 @@ metadata: name: openshift-cluster-api-aws namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement,ClusterAPIMachineManagementAWS" 
@@ -67,7 +67,7 @@ metadata: name: openshift-cluster-api-azure namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" @@ -147,7 +147,7 @@ metadata: name: openshift-cluster-api-gcp namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" @@ -221,7 +221,7 @@ metadata: name: openshift-cluster-api-openstack namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-set: CustomNoUpgrade,TechPreviewNoUpgrade @@ -239,7 +239,7 @@ metadata: name: openshift-cluster-api-powervs namespace: openshift-cloud-credential-operator annotations: - capability.openshift.io/name: CloudCredential + capability.openshift.io/name: CloudCredential+ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" 
@@ -270,6 +270,7 @@ metadata: name: openshift-cluster-api-vsphere namespace: openshift-cloud-credential-operator annotations: + capability.openshift.io/name: ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" @@ -287,6 +288,7 @@ metadata: name: openshift-cluster-api-baremetal namespace: openshift-cloud-credential-operator annotations: + capability.openshift.io/name: ClusterAPI exclude.release.openshift.io/internal-openshift-hosted: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" diff --git a/manifests/0000_30_cluster-api_02_service_account.yaml b/manifests/0000_30_cluster-api_02_service_account.yaml index 7d661a734..166266633 100644 --- a/manifests/0000_30_cluster-api_02_service_account.yaml +++ b/manifests/0000_30_cluster-api_02_service_account.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI --- # Required by the kubeconfig controller. Can be removed when the kubeconfig # controller is removed. @@ -23,5 +24,6 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI release.openshift.io/create-only: "true" type: kubernetes.io/service-account-token diff --git a/manifests/0000_30_cluster-api_02_webhook-service.yaml b/manifests/0000_30_cluster-api_02_webhook-service.yaml index 6946deee9..d5bc5f10c 100644 --- a/manifests/0000_30_cluster-api_02_webhook-service.yaml +++ b/manifests/0000_30_cluster-api_02_webhook-service.yaml 
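Review bot: The `openshift-cluster-api-vsphere` entry gets `capability.openshift.io/name: ClusterAPI` alone, and so does `openshift-cluster-api-baremetal` in the next hunk, while the five other entries in this file are changed to `CloudCredential+ClusterAPI`. All seven live in the `openshift-cloud-credential-operator` namespace and are presumably CredentialsRequest objects (the `kind` lines are outside the hunks). With ClusterAPI enabled and CloudCredential disabled, these two would still be applied while the rest are skipped. For consistency, and so credential requests are only rendered when the component that serves them is present, use `capability.openshift.io/name: CloudCredential+ClusterAPI` on both. If omitting CloudCredential here is deliberate, since neither entry carried the annotation before, a short YAML comment saying why would prevent a later "fix".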
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-controllers-webhook-service-cert name: capi-controllers-webhook-service namespace: openshift-cluster-api diff --git a/manifests/0000_30_cluster-api_03_rbac_roles.yaml b/manifests/0000_30_cluster-api_03_rbac_roles.yaml index 26068a139..b2fe5e0db 100644 --- a/manifests/0000_30_cluster-api_03_rbac_roles.yaml +++ b/manifests/0000_30_cluster-api_03_rbac_roles.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: openshift-capi-controllers rules: - apiGroups: @@ -24,6 +25,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-controllers namespace: openshift-cluster-api rules: @@ -42,6 +44,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: cluster-capi-operator-pull-secret namespace: openshift-config rules: diff --git a/manifests/0000_30_cluster-api_04_rbac_bindings.yaml b/manifests/0000_30_cluster-api_04_rbac_bindings.yaml index 44aeef10e..a8aea59cf 100644 --- a/manifests/0000_30_cluster-api_04_rbac_bindings.yaml +++ b/manifests/0000_30_cluster-api_04_rbac_bindings.yaml 
@@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: openshift-capi-controllers @@ -27,6 +28,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: Role name: capi-controllers @@ -45,6 +47,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: ClusterRole name: system:openshift:openshift-cluster-api:read-tls-configuration @@ -64,6 +67,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: kind: Role name: cluster-capi-operator-pull-secret diff --git a/manifests/0000_30_cluster-api_10_metrics-service.yaml b/manifests/0000_30_cluster-api_10_metrics-service.yaml index f96d418fd..286cdc22a 100644 --- a/manifests/0000_30_cluster-api_10_metrics-service.yaml +++ b/manifests/0000_30_cluster-api_10_metrics-service.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-controllers-metrics-tls name: capi-controllers-metrics namespace: openshift-cluster-api 
diff --git a/manifests/0000_30_cluster-api_10_webhooks.yaml b/manifests/0000_30_cluster-api_10_webhooks.yaml index ce44dabd5..1e4e09065 100644 --- a/manifests/0000_30_cluster-api_10_webhooks.yaml +++ b/manifests/0000_30_cluster-api_10_webhooks.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/inject-cabundle: "true" name: openshift-capi-controllers webhooks: diff --git a/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml b/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml index 6a6da46fc..cb92e4a89 100644 --- a/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml +++ b/manifests/0000_30_cluster-api_11_allow-ingress-to-metrics-controllers.yaml @@ -19,6 +19,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-controllers namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml b/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml index fc48999dd..f45f85a0e 100644 --- a/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml +++ b/manifests/0000_30_cluster-api_12_allow-ingress-to-metrics-operators.yaml 
@@ -21,6 +21,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-operators namespace: openshift-cluster-api-operator spec: @@ -49,6 +50,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-metrics-operators namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml b/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml index 70f1e10d7..9b81c5056 100644 --- a/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml +++ b/manifests/0000_30_cluster-api_13_allow-egress-controllers.yaml @@ -19,6 +19,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-egress-controllers namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_15_default-deny.yaml b/manifests/0000_30_cluster-api_15_default-deny.yaml index c0aa8051d..a9caa9bd2 100644 --- a/manifests/0000_30_cluster-api_15_default-deny.yaml +++ b/manifests/0000_30_cluster-api_15_default-deny.yaml 
@@ -24,6 +24,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: # Exclude CAPI pods that need network access: This is done by the other policies # - control-plane: CAPI controller manager pods (capg, capi, capa, capz, etc.) @@ -46,6 +47,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI spec: # Exclude CAPI pods that need network access: This is done by the other policies # - control-plane: CAPI controller manager pods (capg, capi, capa, capz, etc.) diff --git a/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml b/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml new file mode 100644 index 000000000..0b44080fa --- /dev/null +++ b/manifests/0000_30_cluster-api_16_allow-egress-operators.yaml 
@@ -0,0 +1,60 @@ +# These NetworkPolicies allows egress traffic required for the CAPI operator +# deployments. +# The operator needs broad internet access for cluster management operations, +# cloud provider API calls, and communication with various services. +# +# This policy allows all egress traffic from the capi-controllers pod, which is +# necessary because the operator needs to communicate with: +# - Kubernetes API server for cluster management operations +# - Cloud provider APIs for infrastructure management +# - Container registries and other external services +# +# This approach is more practical than overly granular rules since the operator +# needs broad access to function properly in various environments. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + exclude.release.openshift.io/internal-openshift-hosted: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI + name: allow-egress-operators + namespace: openshift-cluster-api +spec: + egress: + # Allow all egress traffic - operator needs broad access + - {} # Empty rule allows all egress + podSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - capi-controllers + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: + exclude.release.openshift.io/internal-openshift-hosted: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI + name: allow-egress-operators + namespace: openshift-cluster-api-operator +spec: + egress: + # Allow all egress traffic - operator needs broad access + - {} # Empty rule allows all egress 
+ podSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - capi-operator + policyTypes: + - Egress diff --git a/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml b/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml index 450244355..576ba4e07 100644 --- a/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml +++ b/manifests/0000_30_cluster-api_16_allow-ingress-to-webhook.yaml @@ -22,6 +22,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-ingress-to-webhook namespace: openshift-cluster-api spec: diff --git a/manifests/0000_30_cluster-api_17_deployment.yaml b/manifests/0000_30_cluster-api_17_deployment.yaml index 06f6cbc0a..379189140 100644 --- a/manifests/0000_30_cluster-api_17_deployment.yaml +++ b/manifests/0000_30_cluster-api_17_deployment.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI labels: k8s-app: capi-controllers spec: From deb7f8edc4030106d0da7861d494eb7394e3b5cb Mon Sep 17 00:00:00 2001 From: miyadav Date: Thu, 18 Jun 2026 10:15:07 +0100 Subject: [PATCH 2/3] Annotating with ClusterAPI would wrongly remove it when only CompatibilityRequirements is enabled,hence updated --- manifests/0000_20_cluster-api-tls-config_role.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/0000_20_cluster-api-tls-config_role.yaml b/manifests/0000_20_cluster-api-tls-config_role.yaml index b030ffea2..5b556a9e7 100644 --- a/manifests/0000_20_cluster-api-tls-config_role.yaml +++ b/manifests/0000_20_cluster-api-tls-config_role.yaml 
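Review bot: The second document of the new `0000_30_cluster-api_16_allow-egress-operators.yaml` defines `allow-egress-operators` in `openshift-cluster-api-operator`, which is the same name and namespace shown in the context of the `0000_30_cluster-api-operator_05_allow-egress-operators.yaml` hunk in patch 3. Two manifests would then own one NetworkPolicy, and presumably whichever is applied last wins, so I would drop the duplicate document unless the older file is meant to go away. Both documents use `- {}`, which allows all egress for the selected pods and, because NetworkPolicies are additive, cancels the default-deny policy for them. The header comment justifies that only for the capi-controllers pod, while the second policy selects `capi-operator`, so it should name both workloads, e.g. `# These policies allow all egress from the capi-controllers and capi-operator pods.` If the destinations are known, restricting the rule to the API server and the required external ports would keep the default-deny meaningful. A commit titled as annotation-only should also mention in its description that it adds an unrestricted-egress policy.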
@@ -7,7 +7,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" - capability.openshift.io/name: ClusterAPI + capability.openshift.io/name: CompatibilityRequirements name: system:openshift:openshift-cluster-api:read-tls-configuration rules: - apiGroups: From 89817c1166a99fd21f91270495a5e3d6a9e1574d Mon Sep 17 00:00:00 2001 From: miyadav Date: Fri, 26 Jun 2026 16:29:43 +0100 Subject: [PATCH 3/3] adding annotations to missed file , removing cluster-api deployment manifest by installer --- ...0_cluster-api-installer_05_deployment.yaml | 161 ------------------ ...rator_01_capi-operator-servicemonitor.yaml | 1 + ...tor_02_capi-installer-metrics-service.yaml | 1 + ...ator_02_capi-installer-serviceaccount.yaml | 1 + ...ator_02_capi-installer-servicemonitor.yaml | 1 + ...uster-api-operator_02_prometheus-role.yaml | 1 + ...pi-operator_02_prometheus-rolebinding.yaml | 1 + ..._04_capi-installer-clusterrolebinding.yaml | 1 + ...pi-operator_05_allow-egress-operators.yaml | 1 + ...operator_05_provider-images-configmap.yaml | 1 + ...30_cluster-api-operator_06_deployment.yaml | 1 + 11 files changed, 10 insertions(+), 161 deletions(-) delete mode 100644 manifests/0000_30_cluster-api-installer_05_deployment.yaml diff --git a/manifests/0000_30_cluster-api-installer_05_deployment.yaml b/manifests/0000_30_cluster-api-installer_05_deployment.yaml deleted file mode 100644 index 2517f76ec..000000000 --- a/manifests/0000_30_cluster-api-installer_05_deployment.yaml +++ /dev/null 
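Review bot: The ClusterRole is now gated on `CompatibilityRequirements`, but the ClusterRoleBinding in `0000_30_cluster-api_04_rbac_bindings.yaml` whose `roleRef` names `system:openshift:openshift-cluster-api:read-tls-configuration` still carries `capability.openshift.io/name: ClusterAPI` from patch 1. With ClusterAPI enabled and CompatibilityRequirements disabled, that binding would presumably be applied against a role that was never created. The bound subject would then lose read access to the TLS configuration without any error at apply time. Unless enabling ClusterAPI always implies CompatibilityRequirements, the role and its binding need annotations that leave the role present whenever either consumer is enabled. In either case, a comment above the annotation stating which components share this role would make the choice reviewable, e.g. `# shared role: must exist whenever ClusterAPI or CompatibilityRequirements is enabled`.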
@@ -1,161 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: capi-operator - namespace: openshift-cluster-api-operator - annotations: - config.openshift.io/inject-proxy: capi-operator - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" - exclude.release.openshift.io/internal-openshift-hosted: "true" - release.openshift.io/feature-gate: "ClusterAPIMachineManagement" - capability.openshift.io/name: ClusterAPI - labels: - k8s-app: capi-operator -spec: - selector: - matchLabels: - k8s-app: capi-operator - replicas: 1 - template: - metadata: - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 - labels: - k8s-app: capi-operator - spec: - serviceAccountName: capi-operator - containers: - - name: capi-operator - image: registry.ci.openshift.org/openshift:cluster-capi-operator - command: - - /capi-operator - args: - - --diagnostics-address=:8443 - env: - - name: RELEASE_VERSION - value: "0.0.1-snapshot" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - containerPort: 9440 - name: health - protocol: TCP - - containerPort: 8443 - name: diagnostics - protocol: TCP - resources: - requests: - cpu: 10m - memory: 50Mi - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: metrics-cert - mountPath: /tmp/k8s-metrics-server/serving-certs - readOnly: true - - name: provider-aws - mountPath: /var/lib/provider-images/aws-cluster-api-controllers - readOnly: true - - name: provider-azure - mountPath: /var/lib/provider-images/azure-cluster-api-controllers - readOnly: true - - name: provider-baremetal - mountPath: /var/lib/provider-images/baremetal-cluster-api-controllers - readOnly: true - - name: provider-cluster-capi-controllers - mountPath: 
/var/lib/provider-images/cluster-capi-controllers - readOnly: true - - name: provider-cluster-capi-operator - mountPath: /var/lib/provider-images/cluster-capi-operator - readOnly: true - - name: provider-gcp - mountPath: /var/lib/provider-images/gcp-cluster-api-controllers - readOnly: true - - name: provider-ibmcloud - mountPath: /var/lib/provider-images/ibmcloud-cluster-api-controllers - readOnly: true - - name: provider-openstack - mountPath: /var/lib/provider-images/openstack-cluster-api-controllers - readOnly: true - - name: provider-openstack-resource-controller - mountPath: /var/lib/provider-images/openstack-resource-controller - readOnly: true - - name: provider-vsphere - mountPath: /var/lib/provider-images/vsphere-cluster-api-controllers - readOnly: true - livenessProbe: - httpGet: - path: /healthz - port: 9440 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 9440 - initialDelaySeconds: 5 - periodSeconds: 10 - nodeSelector: - node-role.kubernetes.io/control-plane: "" - priorityClassName: system-node-critical - restartPolicy: Always - tolerations: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoSchedule" - volumes: - - name: metrics-cert - secret: - defaultMode: 420 - secretName: capi-operator-metrics-tls - - name: provider-aws - image: - reference: registry.ci.openshift.org/openshift:aws-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-azure - image: - reference: registry.ci.openshift.org/openshift:azure-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-baremetal - image: - reference: registry.ci.openshift.org/openshift:baremetal-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-cluster-capi-controllers - image: - reference: registry.ci.openshift.org/openshift:cluster-capi-controllers - pullPolicy: IfNotPresent - - name: 
provider-cluster-capi-operator - image: - reference: registry.ci.openshift.org/openshift:cluster-capi-operator - pullPolicy: IfNotPresent - - name: provider-gcp - image: - reference: registry.ci.openshift.org/openshift:gcp-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-ibmcloud - image: - reference: registry.ci.openshift.org/openshift:ibmcloud-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-openstack - image: - reference: registry.ci.openshift.org/openshift:openstack-cluster-api-controllers - pullPolicy: IfNotPresent - - name: provider-openstack-resource-controller - image: - reference: registry.ci.openshift.org/openshift:openstack-resource-controller - pullPolicy: IfNotPresent - - name: provider-vsphere - image: - reference: registry.ci.openshift.org/openshift:vsphere-cluster-api-controllers - pullPolicy: IfNotPresent diff --git a/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml b/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml index 5732519c1..bed7c320d 100644 --- a/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml +++ b/manifests/0000_30_cluster-api-operator_01_capi-operator-servicemonitor.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-operator namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml index bcd9f2c60..b81c837f9 100644 --- a/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml 
@@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI service.beta.openshift.io/serving-cert-secret-name: capi-installer-metrics-tls name: capi-installer-metrics namespace: openshift-cluster-api-operator diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml index ae0deabb9..a2473568d 100644 --- a/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml @@ -9,3 +9,4 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI diff --git a/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml b/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml index d26c64399..87374772c 100644 --- a/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml +++ b/manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: capi-installer namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml b/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml index f185e8152..664562ee3 100644 --- a/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml 
+++ b/manifests/0000_30_cluster-api-operator_02_prometheus-role.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: prometheus-k8s namespace: openshift-cluster-api-operator rules: diff --git a/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml b/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml index 35cea38f6..1312cee48 100644 --- a/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_02_prometheus-rolebinding.yaml @@ -6,6 +6,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: prometheus-k8s namespace: openshift-cluster-api-operator roleRef: diff --git a/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml b/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml index 64eb10129..7c068b747 100644 --- a/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml +++ b/manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml @@ -8,6 +8,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml b/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml index 4d50cfbc5..9e3aa7bdd 100644 
--- a/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml +++ b/manifests/0000_30_cluster-api-operator_05_allow-egress-operators.yaml @@ -10,6 +10,7 @@ metadata: include.release.openshift.io/self-managed-high-availability: "true" include.release.openshift.io/single-node-developer: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI name: allow-egress-operators namespace: openshift-cluster-api-operator spec: diff --git a/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml b/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml index cf83d63ce..8df2bd312 100644 --- a/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml +++ b/manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml @@ -9,6 +9,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI data: aws-cluster-api-controllers: registry.ci.openshift.org/openshift:aws-cluster-api-controllers azure-cluster-api-controllers: registry.ci.openshift.org/openshift:azure-cluster-api-controllers diff --git a/manifests/0000_30_cluster-api-operator_06_deployment.yaml b/manifests/0000_30_cluster-api-operator_06_deployment.yaml index 49480bdb5..f3a49293b 100644 --- a/manifests/0000_30_cluster-api-operator_06_deployment.yaml +++ b/manifests/0000_30_cluster-api-operator_06_deployment.yaml @@ -10,6 +10,7 @@ metadata: include.release.openshift.io/single-node-developer: "true" exclude.release.openshift.io/internal-openshift-hosted: "true" release.openshift.io/feature-gate: "ClusterAPIMachineManagement" + capability.openshift.io/name: ClusterAPI labels: k8s-app: capi-operator spec: