Refine registry+v1 revision phase definitions for granular resource ordering (#2520)

perdasilva · Per G. da Silva · web-flow · commit 662ecf276b48 · 2026-02-24T20:18:00.000Z
Restructure the phase definitions to provide more granular control over
the order in which Kubernetes resources are applied during extension
installation. The previous coarse-grained phases (rbac, deploy, publish)
are replaced with finer-grained phases that better reflect resource
dependency chains and operational best practices.

Phase changes:
- Split "rbac" into "identity" (ServiceAccount), "roles" (ClusterRole,
  Role), and "bindings" (ClusterRoleBinding, RoleBinding) for explicit
  ordering of RBAC prerequisites before their bindings
- Extract "configuration" phase (Secret, ConfigMap) from "deploy" so
  config resources are available before workloads that mount them
- Extract "infrastructure" phase (Service, Issuer) from "deploy" so
  services and cert-manager issuers exist before workloads reference them
- Add "scaling" phase (VerticalPodAutoscaler) after deploy for
  autoscaling policies to target running workloads
- Add "admission" phase (ValidatingWebhookConfiguration,
  MutatingWebhookConfiguration) as the final phase so webhooks are
  registered only after their backing services are ready
- Move CRDs before roles/bindings so RBAC rules referencing custom
  resources can be validated
- Add cert-manager Certificate to "deploy" phase alongside Deployment
- Add monitoring resources (PrometheusRule, ServiceMonitor, PodMonitor)
  and OpenShift console resources to "publish" phase
- Remove explicit mappings for workload kinds that already default to
  "deploy" (DaemonSet, StatefulSet, ReplicaSet, Pod, Job, CronJob)

New phase order: namespaces → policies → identity → configuration →
storage → crds → roles → bindings → infrastructure → deploy →
scaling → publish → admission

Signed-off-by: Per G. da Silva &lt;pegoncal@redhat.com&gt;
Co-authored-by: Per G. da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/internal/operator-controller/applier/boxcutter_test.go b/internal/operator-controller/applier/boxcutter_test.go
@@ -119,7 +119,7 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 			Revision:            1,
 			Phases: []ocv1.ClusterExtensionRevisionPhase{
 				{
-					Name: "deploy",
+					Name: "configuration",
 					Objects: []ocv1.ClusterExtensionRevisionObject{
 						{
 							Object: unstructured.Unstructured{
@@ -219,7 +219,7 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 	t.Log("by checking the rendered objects are present in the correct phases")
 	require.Equal(t, []ocv1.ClusterExtensionRevisionPhase{
 		{
-			Name: string(applier.PhaseDeploy),
+			Name: string(applier.PhaseInfrastructure),
 			Objects: []ocv1.ClusterExtensionRevisionObject{
 				{
 					Object: unstructured.Unstructured{
@@ -233,6 +233,11 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 						},
 					},
 				},
+			},
+		},
+		{
+			Name: string(applier.PhaseDeploy),
+			Objects: []ocv1.ClusterExtensionRevisionObject{
 				{
 					Object: unstructured.Unstructured{
 						Object: map[string]interface{}{
diff --git a/internal/operator-controller/applier/phase.go b/internal/operator-controller/applier/phase.go
@@ -28,28 +28,44 @@ func determinePhase(gk schema.GroupKind) Phase {
 type Phase string
 
 const (
-	PhaseNamespaces   Phase = "namespaces"
-	PhasePolicies     Phase = "policies"
-	PhaseRBAC         Phase = "rbac"
-	PhaseRBACBindings Phase = "rbac-bindings"
-	PhaseCRDs         Phase = "crds"
-	PhaseStorage      Phase = "storage"
-	PhaseDeploy       Phase = "deploy"
-	PhasePublish      Phase = "publish"
+	PhaseNamespaces     Phase = "namespaces"
+	PhasePolicies       Phase = "policies"
+	PhaseIdentity       Phase = "identity"
+	PhaseConfiguration  Phase = "configuration"
+	PhaseStorage        Phase = "storage"
+	PhaseCRDs           Phase = "crds"
+	PhaseRoles          Phase = "roles"
+	PhaseBindings       Phase = "bindings"
+	PhaseInfrastructure Phase = "infrastructure"
+	PhaseDeploy         Phase = "deploy"
+	PhaseScaling        Phase = "scaling"
+	PhasePublish        Phase = "publish"
+	PhaseAdmission      Phase = "admission"
 )
 
 // Well known phases ordered.
 var defaultPhaseOrder = []Phase{
 	PhaseNamespaces,
 	PhasePolicies,
-	PhaseRBAC,
-	PhaseRBACBindings,
-	PhaseCRDs,
+	PhaseIdentity,
+	PhaseConfiguration,
 	PhaseStorage,
+	PhaseCRDs,
+	PhaseRoles,
+	PhaseBindings,
+	PhaseInfrastructure,
 	PhaseDeploy,
+	PhaseScaling,
 	PhasePublish,
+	PhaseAdmission,
 }
 
+// Note: OLMv1 currently only supports registry+v1 content. The registry+v1 format only supports a limited
+// set of object kinds defined in:
+// https://github.com/operator-framework/operator-registry/blob/f410a396abe01dbe6a46b6d90d34bdd844306388/pkg/lib/bundle/supported_resources.go
+// The phase mapping considers all allowable registry+v1 bundle format resource with the following changes:
+// - ClusterServiceVersion is replaced by the resources it describes: Deployment, Cluster/Role/Binding, ServiceAccount, ValidatingWebhookConfiguration, etc.
+// - Certificate and Issuer from cert-manager are added since OLMv1 uses cert-manager for webhook service certificate by default
 var (
 	// This will be populated from `phaseGKMap` in an init func!
 	gkPhaseMap = map[schema.GroupKind]Phase{}
@@ -59,27 +75,18 @@ var (
 		},
 
 		PhasePolicies: {
-			{Kind: "ResourceQuota"},
-			{Kind: "LimitRange"},
-			{Kind: "PriorityClass", Group: "scheduling.k8s.io"},
 			{Kind: "NetworkPolicy", Group: "networking.k8s.io"},
-			{Kind: "HorizontalPodAutoscaler", Group: "autoscaling"},
 			{Kind: "PodDisruptionBudget", Group: "policy"},
+			{Kind: "PriorityClass", Group: "scheduling.k8s.io"},
 		},
 
-		PhaseRBAC: {
+		PhaseIdentity: {
 			{Kind: "ServiceAccount"},
-			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
-			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
-		},
-
-		PhaseRBACBindings: {
-			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
-			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
 		},
 
-		PhaseCRDs: {
-			{Kind: "CustomResourceDefinition", Group: "apiextensions.k8s.io"},
+		PhaseConfiguration: {
+			{Kind: "Secret"},
+			{Kind: "ConfigMap"},
 		},
 
 		PhaseStorage: {
@@ -88,25 +95,50 @@ var (
 			{Kind: "StorageClass", Group: "storage.k8s.io"},
 		},
 
+		PhaseCRDs: {
+			{Kind: "CustomResourceDefinition", Group: "apiextensions.k8s.io"},
+		},
+
+		PhaseRoles: {
+			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
+			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseBindings: {
+			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
+			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseInfrastructure: {
+			{Kind: "Service"},
+			{Kind: "Issuer", Group: "cert-manager.io"},
+		},
+
 		PhaseDeploy: {
+			{Kind: "Certificate", Group: "cert-manager.io"},
 			{Kind: "Deployment", Group: "apps"},
-			{Kind: "DaemonSet", Group: "apps"},
-			{Kind: "StatefulSet", Group: "apps"},
-			{Kind: "ReplicaSet"},
-			{Kind: "Pod"}, // probing complicated, may be either Completed or Available.
-			{Kind: "Job", Group: "batch"},
-			{Kind: "CronJob", Group: "batch"},
-			{Kind: "Service"},
-			{Kind: "Secret"},
-			{Kind: "ConfigMap"},
+		},
+
+		PhaseScaling: {
+			{Kind: "VerticalPodAutoscaler", Group: "autoscaling.k8s.io"},
 		},
 
 		PhasePublish: {
+			{Kind: "PrometheusRule", Group: "monitoring.coreos.com"},
+			{Kind: "ServiceMonitor", Group: "monitoring.coreos.com"},
+			{Kind: "PodMonitor", Group: "monitoring.coreos.com"},
 			{Kind: "Ingress", Group: "networking.k8s.io"},
-			{Kind: "APIService", Group: "apiregistration.k8s.io"},
 			{Kind: "Route", Group: "route.openshift.io"},
-			{Kind: "MutatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
+			{Kind: "ConsoleYAMLSample", Group: "console.openshift.io"},
+			{Kind: "ConsoleQuickStart", Group: "console.openshift.io"},
+			{Kind: "ConsoleCLIDownload", Group: "console.openshift.io"},
+			{Kind: "ConsoleLink", Group: "console.openshift.io"},
+			{Kind: "ConsolePlugin", Group: "console.openshift.io"},
+		},
+
+		PhaseAdmission: {
 			{Kind: "ValidatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
+			{Kind: "MutatingWebhookConfiguration", Group: "admissionregistration.k8s.io"},
 		},
 	}
 )
diff --git a/internal/operator-controller/applier/phase_test.go b/internal/operator-controller/applier/phase_test.go

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)`
`119`	`119`	`Revision: 1,`
`120`	`120`	`Phases: []ocv1.ClusterExtensionRevisionPhase{`
`121`	`121`	`{`
`122`		`- Name: "deploy",`
	`122`	`+ Name: "configuration",`
`123`	`123`	`Objects: []ocv1.ClusterExtensionRevisionObject{`
`124`	`124`	`{`
`125`	`125`	`Object: unstructured.Unstructured{`
`@@ -219,7 +219,7 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {`
`219`	`219`	`t.Log("by checking the rendered objects are present in the correct phases")`
`220`	`220`	`require.Equal(t, []ocv1.ClusterExtensionRevisionPhase{`
`221`	`221`	`{`
`222`		`- Name: string(applier.PhaseDeploy),`
	`222`	`+ Name: string(applier.PhaseInfrastructure),`
`223`	`223`	`Objects: []ocv1.ClusterExtensionRevisionObject{`
`224`	`224`	`{`
`225`	`225`	`Object: unstructured.Unstructured{`
`@@ -233,6 +233,11 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {`
`233`	`233`	`},`
`234`	`234`	`},`
`235`	`235`	`},`
	`236`	`+ },`
	`237`	`+ },`
	`238`	`+ {`
	`239`	`+ Name: string(applier.PhaseDeploy),`
	`240`	`+ Objects: []ocv1.ClusterExtensionRevisionObject{`
`236`	`241`	`{`
`237`	`242`	`Object: unstructured.Unstructured{`
`238`	`243`	`Object: map[string]interface{}{`