OPRUN-4445: add lifecycle-controller and lifecycle-server

[joelanford]

Add controller that watches CatalogSources and manages lifecycle-server deployments. The server serves FBC catalog content over HTTP.

Includes build targets, container image updates, and RBAC manifests.

[openshift-ci-robot]

@joelanford: This pull request references OPRUN-4445 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add controller that watches CatalogSources and manages lifecycle-server deployments. The server serves FBC catalog content over HTTP.

Includes build targets, container image updates, and RBAC manifests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelanford

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [joelanford]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[joelanford]

/test all

[Copilot]

Pull request overview

This PR introduces a lifecycle-controller and lifecycle-server to manage and serve FBC (File-Based Catalog) lifecycle data over HTTP. The controller watches CatalogSources and dynamically creates lifecycle-server deployments per catalog, while the server provides an authenticated HTTP API for accessing lifecycle information.

Changes:

• Added lifecycle-server package that loads and serves FBC lifecycle data via HTTP with authentication/authorization
• Added lifecycle-controller that watches CatalogSources and manages lifecycle-server deployments, services, and network policies
• Integrated TLS configuration dynamically from OpenShift APIServer resource
• Added build targets, container image updates, and comprehensive RBAC manifests

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
pkg/lifecycle-server/server.go	HTTP handler for serving lifecycle data with version/package lookup
pkg/lifecycle-server/fbc.go	FBC data loader with regex-based schema matching
pkg/lifecycle-controller/controller.go	Main controller reconciling CatalogSources and managing lifecycle-server resources
cmd/lifecycle-server/main.go, start.go, util.go	CLI for lifecycle-server with TLS, authn/authz, and health endpoints
cmd/lifecycle-controller/main.go, start.go, util.go	CLI for lifecycle-controller with leader election and TLS config watching
Makefile	Build targets for new lifecycle-controller and lifecycle-server binaries
operator-lifecycle-manager.Dockerfile	Container image updates to include new binaries
manifests/0000_50_olm_09-lifecycle-server.rbac.yaml	ClusterRole for lifecycle-server (tokenreviews/subjectaccessreviews)
manifests/0000_50_olm_08-lifecycle-controller.rbac.yaml	RBAC for lifecycle-controller including cluster-wide resource management
manifests/0000_50_olm_08-lifecycle-controller.networkpolicy.yaml	NetworkPolicy restricting lifecycle-controller ingress/egress
manifests/0000_50_olm_08-lifecycle-controller.deployment.yaml	Deployment manifest for lifecycle-controller with security constraints

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fbcPath construction concatenates catalogMountPath and catalogDir without ensuring proper path formatting. If catalogDir starts with a slash (e.g., "/configs"), the result would be "/catalog/configs" which is correct, but if it doesn't start with a slash, or if it has a trailing slash, it could lead to malformed paths. Consider using path.Join or ensuring consistent path formatting to avoid potential path construction issues.

Suggested change

	}
	}
	// Ensure catalogDir has a leading slash so concatenation produces a valid path.
	if !strings.HasPrefix(catalogDir, "/") {
	catalogDir = "/" + catalogDir
	}

[Copilot]

The GetCipherSuites method returns a slice that shares the underlying array with the config. If this slice is modified by the caller, it could lead to unexpected behavior or race conditions. Consider returning a defensive copy of the slice to ensure thread safety.

Suggested change

	return p.config.cipherSuiteStrings
	if p.config == nil || p.config.cipherSuiteStrings == nil {
	return nil
	}
	ciphers := make([]string, len(p.config.cipherSuiteStrings))
	copy(ciphers, p.config.cipherSuiteStrings)
	return ciphers

[Copilot]

The cleanupResources function does not delete the NetworkPolicy that is created in ensureResources. This will result in orphaned NetworkPolicy resources when a CatalogSource is deleted or no longer matches the selectors. The NetworkPolicy should be deleted along with the Deployment, Service, and ServiceAccount to ensure complete cleanup.

Suggested change

	// Delete NetworkPolicy
	np := &networkingv1.NetworkPolicy{
	ObjectMeta: metav1.ObjectMeta{
	Name: name,
	Namespace: csNamespace,
	},
	}
	if err := r.Delete(ctx, np); err != nil && !errors.IsNotFound(err) {
	log.Error(err, "failed to delete networkpolicy")
	return err
	}

[Copilot]

The resourceName function truncates names to 63 characters but doesn't handle the case where truncation results in a trailing hyphen, which is invalid for Kubernetes resource names. Consider trimming trailing hyphens after truncation to ensure the generated name is always valid.

Suggested change

	}
	}
	name = strings.TrimRight(name, "-")

[Copilot]

The LoadLifecycleData function has several code paths that should be covered by tests: successful loading, non-existent path, schema matching, and concurrent access. The repository has test coverage for pkg/package-server-manager (e.g., pkg/package-server-manager/controller_test.go), so tests should be added for this new functionality as well.

[Copilot]

The HTTP handler has multiple code paths (no data, version not found, package not found, successful response) that should be covered by tests. The repository has test coverage for pkg/package-server-manager (e.g., pkg/package-server-manager/controller_test.go), so tests should be added for this new functionality as well.

[Copilot]

The resourceName function has several edge cases (names with dots, underscores, long names, truncation) that should be covered by tests to ensure it always generates valid Kubernetes resource names. The repository has test coverage for pkg/package-server-manager (e.g., pkg/package-server-manager/controller_test.go), so tests should be added for this new functionality as well.

[Copilot]

The GOMEMLIMIT is set to "5MiB" but the memory request is set to "10Mi". These should be aligned for optimal performance. Typically, GOMEMLIMIT should be set to 90% of the memory limit, or if no limit is set, slightly below the memory request to account for non-Go memory usage. Consider either increasing GOMEMLIMIT closer to 10Mi or adjusting the memory request.

[joelanford]

/test all

[joelanford]

/test all

[openshift-ci]

@joelanford: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.