Refine registry+v1 revision phase definitions for granular resource ordering

Restructure the phase definitions to provide more granular control over
the order in which Kubernetes resources are applied during extension
installation. The previous coarse-grained phases (rbac, deploy, publish)
are replaced with finer-grained phases that better reflect resource
dependency chains and operational best practices.

Phase changes:
- Split "rbac" into "identity" (ServiceAccount), "roles" (ClusterRole,
  Role), and "bindings" (ClusterRoleBinding, RoleBinding) for explicit
  ordering of RBAC prerequisites before their bindings
- Extract "configuration" phase (Secret, ConfigMap) from "deploy" so
  config resources are available before workloads that mount them
- Extract "infrastructure" phase (Service, Issuer) from "deploy" so
  services and cert-manager issuers exist before workloads reference them
- Add "scaling" phase (VerticalPodAutoscaler) after deploy for
  autoscaling policies to target running workloads
- Add "admission" phase (ValidatingWebhookConfiguration,
  MutatingWebhookConfiguration) as the final phase so webhooks are
  registered only after their backing services are ready
- Move CRDs before roles/bindings so RBAC rules referencing custom
  resources can be validated
- Add cert-manager Certificate to "deploy" phase alongside Deployment
- Add monitoring resources (PrometheusRule, ServiceMonitor, PodMonitor)
  and OpenShift console resources to "publish" phase
- Remove explicit mappings for workload kinds that already default to
  "deploy" (DaemonSet, StatefulSet, ReplicaSet, Pod, Job, CronJob)

New phase order: namespaces → policies → identity → configuration →
storage → crds → roles → bindings → infrastructure → deploy →
scaling → publish → admission

Signed-off-by: Per G. da Silva <[email protected]>

Author: Per G. da Silva

internal/operator-controller/applier/boxcutter_test.go

@@ -119,7 +119,7 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 			Revision:            1,
 			Phases: []ocv1.ClusterExtensionRevisionPhase{
 				{
-					Name: "deploy",
+					Name: "configuration",
 					Objects: []ocv1.ClusterExtensionRevisionObject{
 						{
 							Object: unstructured.Unstructured{
@@ -219,7 +219,7 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 	t.Log("by checking the rendered objects are present in the correct phases")
 	require.Equal(t, []ocv1.ClusterExtensionRevisionPhase{
 		{
-			Name: string(applier.PhaseDeploy),
+			Name: string(applier.PhaseInfrastructure),
 			Objects: []ocv1.ClusterExtensionRevisionObject{
 				{
 					Object: unstructured.Unstructured{
@@ -233,6 +233,11 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 						},
 					},
 				},
+			},
+		},
+		{
+			Name: string(applier.PhaseDeploy),
+			Objects: []ocv1.ClusterExtensionRevisionObject{
 				{
 					Object: unstructured.Unstructured{
 						Object: map[string]interface{}{

internal/operator-controller/applier/phase.go

@@ -28,28 +28,44 @@ func determinePhase(gk schema.GroupKind) Phase {
 type Phase string
 
 const (
-	PhaseNamespaces   Phase = "namespaces"
-	PhasePolicies     Phase = "policies"
-	PhaseRBAC         Phase = "rbac"
-	PhaseRBACBindings Phase = "rbac-bindings"
-	PhaseCRDs         Phase = "crds"
-	PhaseStorage      Phase = "storage"
-	PhaseDeploy       Phase = "deploy"
-	PhasePublish      Phase = "publish"
+	PhaseNamespaces     Phase = "namespaces"
+	PhasePolicies       Phase = "policies"
+	PhaseIdentity       Phase = "identity"
+	PhaseConfiguration  Phase = "configuration"
+	PhaseStorage        Phase = "storage"
+	PhaseCRDs           Phase = "crds"
+	PhaseRoles          Phase = "roles"
+	PhaseBindings       Phase = "bindings"
+	PhaseInfrastructure Phase = "infrastructure"
+	PhaseDeploy         Phase = "deploy"
+	PhaseScaling        Phase = "scaling"
+	PhasePublish        Phase = "publish"
+	PhaseAdmission      Phase = "admission"
 )
 
 // Well known phases ordered.
 var defaultPhaseOrder = []Phase{
 	PhaseNamespaces,
 	PhasePolicies,
-	PhaseRBAC,
-	PhaseRBACBindings,
-	PhaseCRDs,
+	PhaseIdentity,
+	PhaseConfiguration,
 	PhaseStorage,
+	PhaseCRDs,
+	PhaseRoles,
+	PhaseBindings,
+	PhaseInfrastructure,
 	PhaseDeploy,
+	PhaseScaling,
 	PhasePublish,
+	PhaseAdmission,
 }
 
+// Note: OLMv1 currently only supports registry+v1 content. The registry+v1 format only supports a limited
+// set of object kinds defined in:
+// https://github.com/operator-framework/operator-registry/blob/f410a396abe01dbe6a46b6d90d34bdd844306388/pkg/lib/bundle/supported_resources.go
+// The only exception are:
+// - ClusterServiceVersion is omitted since OLMv1 generates the Deployment(s), RBAC resources, webhook configurations, etc. from the bundle's CSV
+// - Certificate and Issuer from cert-manager are added since OLMv1 uses cert-manager for webhook service certificate by default
 var (
 	// This will be populated from `phaseGKMap` in an init func!
 	gkPhaseMap = map[schema.GroupKind]Phase{}
@@ -59,27 +75,18 @@ var (
 		},
 
 		PhasePolicies: {
-			{Kind: "ResourceQuota"},
-			{Kind: "LimitRange"},
-			{Kind: "PriorityClass", Group: "scheduling.k8s.io"},
 			{Kind: "NetworkPolicy", Group: "networking.k8s.io"},
-			{Kind: "HorizontalPodAutoscaler", Group: "autoscaling"},
 			{Kind: "PodDisruptionBudget", Group: "policy"},
+			{Kind: "PriorityClass", Group: "scheduling.k8s.io"},
 		},
 
-		PhaseRBAC: {
+		PhaseIdentity: {
 			{Kind: "ServiceAccount"},
-			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
-			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
-		},
-
-		PhaseRBACBindings: {
-			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
-			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
 		},
 
-		PhaseCRDs: {
-			{Kind: "CustomResourceDefinition", Group: "apiextensions.k8s.io"},
+		PhaseConfiguration: {
+			{Kind: "Secret"},
+			{Kind: "ConfigMap"},
 		},
 
 		PhaseStorage: {
@@ -88,25 +95,50 @@ var (
 			{Kind: "StorageClass", Group: "storage.k8s.io"},
 		},
 
+		PhaseCRDs: {
+			{Kind: "CustomResourceDefinition", Group: "apiextensions.k8s.io"},
+		},
+
+		PhaseRoles: {
+			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
+			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseBindings: {
+			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
+			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseInfrastructure: {
+			{Kind: "Service"},
+			{Kind: "Issuer", Group: "cert-manager.io"},
+		},
+
 		PhaseDeploy: {
+			{Kind: "Certificate", Group: "cert-manager.io"},
 			{Kind: "Deployment", Group: "apps"},
-			{Kind: "DaemonSet", Group: "apps"},
-			{Kind: "StatefulSet", Group: "apps"},
-			{Kind: "ReplicaSet"},
-			{Kind: "Pod"}, // probing complicated, may be either Completed or Available.
-			{Kind: "Job", Group: "batch"},
-			{Kind: "CronJob", Group: "batch"},
-			{Kind: "Service"},
-			{Kind: "Secret"},
-			{Kind: "ConfigMap"},
+		},
+
+		PhaseScaling: {
+			{Kind: "VerticalPodAutoscaler", Group: "autoscaling.k8s.io"},
 		},
 
 		PhasePublish: {
+			{Kind: "PrometheusRule", Group: "monitoring.coreos.com"},
+			{Kind: "ServiceMonitor", Group: "monitoring.coreos.com"},
+			{Kind: "PodMonitor", Group: "monitoring.coreos.com"},
 			{Kind: "Ingress", Group: "networking.k8s.io"},
-			{Kind: "APIService", Group: "apiregistration.k8s.io"},
 			{Kind: "Route", Group: "route.openshift.io"},
-			{Kind: "MutatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
+			{Kind: "ConsoleYAMLSample", Group: "console.openshift.io"},
+			{Kind: "ConsoleQuickStart", Group: "console.openshift.io"},
+			{Kind: "ConsoleCLIDownload", Group: "console.openshift.io"},
+			{Kind: "ConsoleLink", Group: "console.openshift.io"},
+			{Kind: "ConsolePlugin", Group: "console.openshift.io"},
+		},
+
+		PhaseAdmission: {
 			{Kind: "ValidatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
+			{Kind: "MutatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
 		},
 	}
 )