⚠ OPRUN-4106: remove support for annotation based config (#2224)

anik120 · web-flow · commit 8016fbd7d7cf · 2025-09-17T15:10:49.000Z
* OPRUN-4106: remove support for annotation based config With #2166 and #2163 in place, annotation based config support can be removed. Signed-off-by: Anik Bhattacharjee <anbhatta@redhat.com> * update docs and demo to use new config spec --------- Signed-off-by: Anik Bhattacharjee <anbhatta@redhat.com>
diff --git a/docs/draft/howto/single-ownnamespace-install.md b/docs/draft/howto/single-ownnamespace-install.md
@@ -91,8 +91,6 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
   name: argocd
-  annotations:
-    olm.operatorframework.io/watch-namespace: argocd
 spec:
   namespace: argocd
   serviceAccount:
diff --git a/hack/demo/own-namespace-demo-script.sh b/hack/demo/own-namespace-demo-script.sh
@@ -3,7 +3,14 @@
 #
 # Welcome to the OwnNamespace install mode demo
 #
-trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+set -e
+trap 'echo "Demo ran into error"; trap - SIGTERM && kill -- -$$; exit 1' ERR SIGINT SIGTERM EXIT
+
+# install experimental CRDs with config field support
+kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/experimental.yaml"
+
+# wait for experimental CRDs to be available
+kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io
 
 # enable 'SingleOwnNamespaceInstallSupport' feature gate
 kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]'
@@ -41,3 +48,27 @@ kubectl get deployments -n argocd-system argocd-operator-controller-manager -o j
 # check service account for role binding is the same as controller service-account
 rolebinding=$(kubectl get rolebindings -n argocd-system -o name | grep 'argocd-operator' | head -n 1)
 kubectl get -n argocd-system $rolebinding -o jsonpath='{.subjects}' | jq .[0]
+
+echo "Demo completed successfully!"
+
+# cleanup resources
+echo "Cleaning up demo resources..."
+kubectl delete clusterextension argocd-operator --ignore-not-found=true
+kubectl delete namespace argocd-system --ignore-not-found=true
+kubectl delete clusterrolebinding argocd-installer-crb --ignore-not-found=true
+
+# remove feature gate from deployment
+echo "Removing feature gate from operator-controller..."
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/args", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]' || true
+
+# restore standard CRDs
+echo "Restoring standard CRDs..."
+kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/base.yaml"
+
+# wait for standard CRDs to be available
+kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io
+
+# wait for operator-controller to become available with standard config
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+echo "Demo cleanup completed!"
diff --git a/hack/demo/resources/own-namespace-demo.yaml b/hack/demo/resources/own-namespace-demo.yaml
@@ -2,9 +2,6 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
   name: argocd-operator
-  annotations:
-    # watch namespace is the same as intall namespace
-    olm.operatorframework.io/watch-namespace: argocd-system
 spec:
   namespace: argocd-system
   serviceAccount:
diff --git a/hack/demo/resources/single-namespace-demo.yaml b/hack/demo/resources/single-namespace-demo.yaml
@@ -2,13 +2,14 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
   name: argocd-operator
-  annotations:
-    # watch-namespace is different from install namespace
-    olm.operatorframework.io/watch-namespace: argocd
 spec:
   namespace: argocd-system
   serviceAccount:
     name: argocd-installer
+  config:
+    configType: Inline
+    inline:
+      watchNamespace: argocd
   source:
     sourceType: Catalog
     catalog:
diff --git a/hack/demo/single-namespace-demo-script.sh b/hack/demo/single-namespace-demo-script.sh
@@ -3,7 +3,14 @@
 #
 # Welcome to the SingleNamespace install mode demo
 #
-trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+set -e
+trap 'echo "Demo ran into error"; trap - SIGTERM && kill -- -$$; exit 1' ERR SIGINT SIGTERM EXIT
+
+# install experimental CRDs with config field support
+kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/experimental.yaml"
+
+# wait for experimental CRDs to be available
+kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io
 
 # enable 'SingleOwnNamespaceInstallSupport' feature gate
 kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]'
@@ -44,3 +51,27 @@ kubectl get deployments -n argocd-system argocd-operator-controller-manager -o j
 # check service account for role binding is the controller deployment service account
 rolebinding=$(kubectl get rolebindings -n argocd -o name | grep 'argocd-operator' | head -n 1)
 kubectl get -n argocd $rolebinding -o jsonpath='{.subjects}' | jq .[0]
+
+echo "Demo completed successfully!"
+
+# cleanup resources
+echo "Cleaning up demo resources..."
+kubectl delete clusterextension argocd-operator --ignore-not-found=true
+kubectl delete namespace argocd-system argocd --ignore-not-found=true
+kubectl delete clusterrolebinding argocd-installer-crb --ignore-not-found=true
+
+# remove feature gate from deployment
+echo "Removing feature gate from operator-controller..."
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/args", "value": "--feature-gates=SingleOwnNamespaceInstallSupport=true"}]' || true
+
+# restore standard CRDs
+echo "Restoring standard CRDs..."
+kubectl apply -f "$(dirname "${BASH_SOURCE[0]}")/../../manifests/base.yaml"
+
+# wait for standard CRDs to be available
+kubectl wait --for condition=established --timeout=60s crd/clusterextensions.olm.operatorframework.io
+
+# wait for operator-controller to become available with standard config
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+echo "Demo cleanup completed!"
diff --git a/internal/operator-controller/applier/watchnamespace.go b/internal/operator-controller/applier/watchnamespace.go
@@ -10,10 +10,6 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 )
 
-const (
-	AnnotationClusterExtensionWatchNamespace = "olm.operatorframework.io/watch-namespace"
-)
-
 // GetWatchNamespace determines the watch namespace the ClusterExtension should use
 // Note: this is a temporary artifice to enable gated use of single/own namespace install modes
 // for registry+v1 bundles. This will go away once the ClusterExtension API is updated to include
@@ -32,8 +28,6 @@ func GetWatchNamespace(ext *ocv1.ClusterExtension) (string, error) {
 			return "", fmt.Errorf("invalid bundle configuration: %w", err)
 		}
 		watchNamespace = cfg.WatchNamespace
-	} else if _, ok := ext.Annotations[AnnotationClusterExtensionWatchNamespace]; ok {
-		watchNamespace = ext.Annotations[AnnotationClusterExtensionWatchNamespace]
 	} else {
 		return "", nil
 	}
diff --git a/internal/operator-controller/applier/watchnamespace_test.go b/internal/operator-controller/applier/watchnamespace_test.go
@@ -39,13 +39,13 @@ func TestGetWatchNamespace(t *testing.T) {
 	for _, tt := range []struct {
 		name        string
 		want        string
-		csv         *ocv1.ClusterExtension
+		ce          *ocv1.ClusterExtension
 		expectError bool
 	}{
 		{
-			name: "cluster extension does not configure a watch namespace",
+			name: "no watch namespace is configured in a ClusterExtension CR",
 			want: corev1.NamespaceAll,
-			csv: &ocv1.ClusterExtension{
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:        "extension",
 					Annotations: nil,
@@ -54,9 +54,9 @@ func TestGetWatchNamespace(t *testing.T) {
 			},
 			expectError: false,
 		}, {
-			name: "cluster extension configures a watch namespace",
+			name: "a watch namespace is configured in a ClusterExtension CR",
 			want: "watch-namespace",
-			csv: &ocv1.ClusterExtension{
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
 				},
@@ -71,63 +71,41 @@ func TestGetWatchNamespace(t *testing.T) {
 			},
 			expectError: false,
 		}, {
-			name: "cluster extension configures a watch namespace through annotation",
-			want: "watch-namespace",
-			csv: &ocv1.ClusterExtension{
+			name: "a watch namespace is configured in a ClusterExtension CR but with invalid namespace",
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
-					Annotations: map[string]string{
-						"olm.operatorframework.io/watch-namespace": "watch-namespace",
-					},
 				},
-			},
-			expectError: false,
-		}, {
-			name: "cluster extension configures a watch namespace through annotation with invalid ns",
-			csv: &ocv1.ClusterExtension{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "extension",
-					Annotations: map[string]string{
-						"olm.operatorframework.io/watch-namespace": "watch-namespace-",
-					},
-				},
-			},
-			expectError: true,
-		}, {
-			name: "cluster extension configures a watch namespace through annotation with empty ns",
-			csv: &ocv1.ClusterExtension{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "extension",
-					Annotations: map[string]string{
-						"olm.operatorframework.io/watch-namespace": "",
+				Spec: ocv1.ClusterExtensionSpec{
+					Config: &ocv1.ClusterExtensionConfig{
+						ConfigType: ocv1.ClusterExtensionConfigTypeInline,
+						Inline: &apiextensionsv1.JSON{
+							Raw: []byte(`{"watchNamespace":"watch-namespace-"}`),
+						},
 					},
 				},
 			},
 			expectError: true,
 		}, {
-			name: "cluster extension configures a watch namespace through annotation and config (take config)",
-			want: "watch-namespace",
-			csv: &ocv1.ClusterExtension{
+			name: "a watch namespace is configured in a ClusterExtension CR with an empty string as the namespace",
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
-					Annotations: map[string]string{
-						"olm.operatorframework.io/watch-namespace": "dont-use-this-watch-namespace",
-					},
 				},
 				Spec: ocv1.ClusterExtensionSpec{
 					Config: &ocv1.ClusterExtensionConfig{
 						ConfigType: ocv1.ClusterExtensionConfigTypeInline,
 						Inline: &apiextensionsv1.JSON{
-							Raw: []byte(`{"watchNamespace":"watch-namespace"}`),
+							Raw: []byte(`{"watchNamespace":""}`),
 						},
 					},
 				},
 			},
-			expectError: false,
+			expectError: true,
 		}, {
-			name: "cluster extension configures an invalid watchNamespace: multiple watch namespaces",
+			name: "an invalid watchNamespace value is configured in a ClusterExtension CR: multiple watch namespaces",
 			want: "",
-			csv: &ocv1.ClusterExtension{
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
 				},
@@ -142,9 +120,9 @@ func TestGetWatchNamespace(t *testing.T) {
 			},
 			expectError: true,
 		}, {
-			name: "cluster extension configures an invalid watchNamespace: invalid name",
+			name: "an invalid watchNamespace value is configured in a ClusterExtension CR: invalid name",
 			want: "",
-			csv: &ocv1.ClusterExtension{
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
 				},
@@ -159,9 +137,9 @@ func TestGetWatchNamespace(t *testing.T) {
 			},
 			expectError: true,
 		}, {
-			name: "cluster extension configures an invalid watchNamespace: invalid json",
+			name: "an invalid watchNamespace value is configured in a ClusterExtension CR: invalid json",
 			want: "",
-			csv: &ocv1.ClusterExtension{
+			ce: &ocv1.ClusterExtension{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "extension",
 				},
@@ -178,7 +156,7 @@ func TestGetWatchNamespace(t *testing.T) {
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := applier.GetWatchNamespace(tt.csv)
+			got, err := applier.GetWatchNamespace(tt.ce)
 			require.Equal(t, tt.want, got)
 			require.Equal(t, tt.expectError, err != nil)
 		})

Original file line number	Diff line number	Diff line change
`@@ -10,10 +10,6 @@ import (`
`10`	`10`	`"github.com/operator-framework/operator-controller/internal/operator-controller/features"`
`11`	`11`	`)`
`12`	`12`
`13`		`-const (`
`14`		`- AnnotationClusterExtensionWatchNamespace = "olm.operatorframework.io/watch-namespace"`
`15`		`-)`
`16`		`-`
`17`	`13`	`// GetWatchNamespace determines the watch namespace the ClusterExtension should use`
`18`	`14`	`// Note: this is a temporary artifice to enable gated use of single/own namespace install modes`
`19`	`15`	`// for registry+v1 bundles. This will go away once the ClusterExtension API is updated to include`
`@@ -32,8 +28,6 @@ func GetWatchNamespace(ext *ocv1.ClusterExtension) (string, error) {`
`32`	`28`	`return "", fmt.Errorf("invalid bundle configuration: %w", err)`
`33`	`29`	`}`
`34`	`30`	`watchNamespace = cfg.WatchNamespace`
`35`		`- } else if _, ok := ext.Annotations[AnnotationClusterExtensionWatchNamespace]; ok {`
`36`		`- watchNamespace = ext.Annotations[AnnotationClusterExtensionWatchNamespace]`
`37`	`31`	`} else {`
`38`	`32`	`return "", nil`
`39`	`33`	`}`