m1kola
diff --git a/‎test/ansible/advanced-molecule-operator/Makefile
Lines changed: 34 additions & 5 deletions b/‎test/ansible/advanced-molecule-operator/Makefile
Lines changed: 34 additions & 5 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/PROJECT
Lines changed: 7 additions & 1 deletion b/‎test/ansible/advanced-molecule-operator/PROJECT
Lines changed: 7 additions & 1 deletion
diff --git a/‎test/ansible/advanced-molecule-operator/config/crd/bases/test.example.com_finalizerconcurrencytests.yaml
Lines changed: 44 additions & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/crd/bases/test.example.com_finalizerconcurrencytests.yaml
Lines changed: 44 additions & 0 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/crd/kustomization.yaml
Lines changed: 1 addition & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/crd/kustomization.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/default/kustomization.yaml
Lines changed: 6 additions & 6 deletions b/‎test/ansible/advanced-molecule-operator/config/default/kustomization.yaml
Lines changed: 6 additions & 6 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/default/manager_auth_proxy_patch.yaml
Lines changed: 31 additions & 3 deletions b/‎test/ansible/advanced-molecule-operator/config/default/manager_auth_proxy_patch.yaml
Lines changed: 31 additions & 3 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/default/manager_config_patch.yaml
Lines changed: 0 additions & 10 deletions b/‎test/ansible/advanced-molecule-operator/config/default/manager_config_patch.yaml
Lines changed: 0 additions & 10 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/manager/controller_manager_config.yaml
Lines changed: 0 additions & 10 deletions b/‎test/ansible/advanced-molecule-operator/config/manager/controller_manager_config.yaml
Lines changed: 0 additions & 10 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/manager/kustomization.yaml
Lines changed: 0 additions & 8 deletions b/‎test/ansible/advanced-molecule-operator/config/manager/kustomization.yaml
Lines changed: 0 additions & 8 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/manager/manager.yaml
Lines changed: 42 additions & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/manager/manager.yaml
Lines changed: 42 additions & 0 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/prometheus/monitor.yaml
Lines changed: 6 additions & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/prometheus/monitor.yaml
Lines changed: 6 additions & 0 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/rbac/auth_proxy_client_clusterrole.yaml
Lines changed: 7 additions & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/rbac/auth_proxy_client_clusterrole.yaml
Lines changed: 7 additions & 0 deletions
diff --git a/‎test/ansible/advanced-molecule-operator/config/rbac/auth_proxy_role.yaml
Lines changed: 7 additions & 0 deletions b/‎test/ansible/advanced-molecule-operator/config/rbac/auth_proxy_role.yaml
Lines changed: 7 additions & 0 deletions
@@ -35,6 +35,17 @@ IMAGE_TAG_BASE ?= example.com/advanced-molecule-operator
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+	BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 
@@ -61,8 +72,9 @@ help: ## Display this help.
 ##@ Build
 
 .PHONY: run
+ANSIBLE_ROLES_PATH?="$(shell pwd)/roles"
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
-	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
+	$(ANSIBLE_OPERATOR) run
 
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
@@ -72,6 +84,23 @@ docker-build: ## Build docker image with the manager.
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
 
+# PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
+# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> than the export will fail)
+# To properly provided solutions that supports more than one platform you should use this option.
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx: test ## Build and push docker image for the manager for cross-platform support
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- docker buildx create --name project-v3-builder
+	docker buildx use project-v3-builder
+	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- docker buildx rm project-v3-builder
+	rm Dockerfile.cross
+
 ##@ Deployment
 
 .PHONY: install
@@ -102,7 +131,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCH).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -118,7 +147,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.16.0/ansible-operator_$(OS)_$(ARCH) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.27.0/ansible-operator_$(OS)_$(ARCH) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -130,7 +159,7 @@ endif
 bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files.
 	operator-sdk generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
-	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS)
 	operator-sdk bundle validate ./bundle
 
 .PHONY: bundle-build
@@ -149,7 +178,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.19.1/$(OS)-$(ARCH)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCH)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
 
@@ -5,7 +5,6 @@ multigroup: true
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
-  sdk.x-openshift.io/v1: {}
 projectName: advanced-molecule-operator
 resources:
 - api:
@@ -43,6 +42,13 @@ resources:
   group: test
   kind: ClusterAnnotationTest
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: example.com
+  group: test
+  kind: FinalizerConcurrencyTest
+  version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: true
 
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: finalizerconcurrencytests.test.example.com
+spec:
+  group: test.example.com
+  names:
+    kind: FinalizerConcurrencyTest
+    listKind: FinalizerConcurrencyTestList
+    plural: finalizerconcurrencytests
+    singular: finalizerconcurrencytest
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: FinalizerConcurrencyTest is the Schema for the finalizerconcurrencytests API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of FinalizerConcurrencyTest
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: Status defines the observed state of FinalizerConcurrencyTest
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
@@ -7,6 +7,7 @@ resources:
 - bases/test.example.com_casetests.yaml
 - bases/test.example.com_collectiontests.yaml
 - bases/test.example.com_clusterannotationtests.yaml
+- bases/test.example.com_finalizerconcurrencytests.yaml
 - bases/test.example.com_reconciliationtests.yaml
 - bases/test.example.com_selectortests.yaml
 - bases/test.example.com_subresourcestests.yaml
 
@@ -9,10 +9,12 @@ namespace: advanced-molecule-operator-system
 namePrefix: advanced-molecule-operator-
 
 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
 
-bases:
+resources:
 - ../crd
 - ../rbac
 - ../manager
@@ -25,6 +27,4 @@ patchesStrategicMerge:
 # endpoint w/o any authn/z, please comment the following line.
 - manager_auth_proxy_patch.yaml
 
-# Mount the controller config file for loading manager configurations
-# through a ComponentConfig type
-#- manager_config_patch.yaml
+
@@ -8,22 +8,50 @@ metadata:
 spec:
   template:
     spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                - key: kubernetes.io/arch
+                  operator: In
+                  values:
+                    - amd64
+                    - arm64
+                    - ppc64le
+                    - s390x
+                - key: kubernetes.io/os
+                  operator: In
+                  values:
+                    - linux
       containers:
       - name: kube-rbac-proxy
-        image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.10
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
-        - "--v=10"
+        - "--v=0"
         ports:
         - containerPort: 8443
           protocol: TCP
           name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
       - name: manager
         args:
         - "--health-probe-bind-address=:6789"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
-        - "--ansible-args='--vault-password-file /opt/ansible/pwd.yml'"
         - "--leader-election-id=advanced-molecule-operator"
+        - "--ansible-args='--vault-password-file /opt/ansible/pwd.yml'"
@@ -8,13 +8,3 @@ spec:
     spec:
       containers:
       - name: manager
-        args:
-        - "--config=controller_manager_config.yaml"
-        volumeMounts:
-        - name: manager-config
-          mountPath: /controller_manager_config.yaml
-          subPath: controller_manager_config.yaml
-      volumes:
-      - name: manager-config
-        configMap:
-          name: manager-config
@@ -1,10 +1,2 @@
 resources:
 - manager.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-configMapGenerator:
-- name: manager-config
-  files:
-  - controller_manager_config.yaml
@@ -3,6 +3,12 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: namespace
+    app.kubernetes.io/instance: system
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/created-by: advanced-molecule-operator
+    app.kubernetes.io/part-of: advanced-molecule-operator
+    app.kubernetes.io/managed-by: kustomize
   name: system
 ---
 apiVersion: apps/v1
@@ -12,6 +18,12 @@ metadata:
   namespace: system
   labels:
     control-plane: controller-manager
+    app.kubernetes.io/name: deployment
+    app.kubernetes.io/instance: controller-manager
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/created-by: advanced-molecule-operator
+    app.kubernetes.io/part-of: advanced-molecule-operator
+    app.kubernetes.io/managed-by: kustomize
 spec:
   selector:
     matchLabels:
@@ -24,8 +36,35 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      # TODO(user): Uncomment the following code to configure the nodeAffinity expression
+      # according to the platforms which are supported by your solution.
+      # It is considered best practice to support multiple architectures. You can
+      # build your manager image using the makefile target docker-buildx.
+      # affinity:
+      #   nodeAffinity:
+      #     requiredDuringSchedulingIgnoredDuringExecution:
+      #       nodeSelectorTerms:
+      #         - matchExpressions:
+      #           - key: kubernetes.io/arch
+      #             operator: In
+      #             values:
+      #               - amd64
+      #               - arm64
+      #               - ppc64le
+      #               - s390x
+      #           - key: kubernetes.io/os
+      #             operator: In
+      #             values:
+      #               - linux
       securityContext:
         runAsNonRoot: true
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - args:
         - --leader-elect
@@ -42,6 +81,9 @@ spec:
           value: /opt/ansible/inventory
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz
 
@@ -5,6 +5,12 @@ kind: ServiceMonitor
 metadata:
   labels:
     control-plane: controller-manager
+    app.kubernets.io/name: servicemonitor
+    app.kubernetes.io/instance: controller-manager-metrics-monitor
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/created-by: advanced-molecule-operator
+    app.kubernetes.io/part-of: advanced-molecule-operator
+    app.kubernetes.io/managed-by: kustomize
   name: controller-manager-metrics-monitor
   namespace: system
 spec:
 
@@ -1,6 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: metrics-reader
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: advanced-molecule-operator
+    app.kubernetes.io/part-of: advanced-molecule-operator
+    app.kubernetes.io/managed-by: kustomize
   name: metrics-reader
 rules:
 - nonResourceURLs:
 
@@ -1,6 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: proxy-role
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: advanced-molecule-operator
+    app.kubernetes.io/part-of: advanced-molecule-operator
+    app.kubernetes.io/managed-by: kustomize
   name: proxy-role
 rules:
 - apiGroups: