OCPBUGS-60693,OCPBUGS-60958: Synchronize From Upstream Repositories

.bingo/Variables.mk

@@ -35,11 +35,11 @@ $(CONTROLLER_GEN): $(BINGO_DIR)/controller-gen.mod
 	@echo "(re)installing $(GOBIN)/controller-gen-v0.20.1"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=controller-gen.mod -o=$(GOBIN)/controller-gen-v0.20.1 "sigs.k8s.io/controller-tools/cmd/controller-gen"
 
-CRD_DIFF := $(GOBIN)/crd-diff-v0.5.0
+CRD_DIFF := $(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097
 $(CRD_DIFF): $(BINGO_DIR)/crd-diff.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/crd-diff-v0.5.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-diff.mod -o=$(GOBIN)/crd-diff-v0.5.0 "sigs.k8s.io/crdify"
+	@echo "(re)installing $(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-diff.mod -o=$(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097 "sigs.k8s.io/crdify"
 
 CRD_REF_DOCS := $(GOBIN)/crd-ref-docs-v0.3.0
 $(CRD_REF_DOCS): $(BINGO_DIR)/crd-ref-docs.mod

.bingo/crd-diff.mod

@@ -2,4 +2,4 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 
 go 1.24.6
 
-require sigs.k8s.io/crdify v0.5.0
+require sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097

.bingo/crd-diff.sum

@@ -251,6 +251,8 @@ sigs.k8s.io/controller-runtime v0.16.2 h1:mwXAVuEk3EQf478PQwQ48zGOXvW27UJc8NHktQ
 sigs.k8s.io/controller-runtime v0.16.2/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU=
 sigs.k8s.io/crdify v0.5.0 h1:mrMH9CgXQPTZUpTU6Klqfnlys8bggv/7uvLT2lXSP7A=
 sigs.k8s.io/crdify v0.5.0/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097 h1:gwDRFCc64lhEpxY944IJFW+CrmMFXWH+JjpE0JHp42Y=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

.bingo/variables.env

@@ -14,7 +14,7 @@ CONFTEST="${GOBIN}/conftest-v0.62.0"
 
 CONTROLLER_GEN="${GOBIN}/controller-gen-v0.20.1"
 
-CRD_DIFF="${GOBIN}/crd-diff-v0.5.0"
+CRD_DIFF="${GOBIN}/crd-diff-v0.5.1-0.20260309184313-54162f2e3097"
 
 CRD_REF_DOCS="${GOBIN}/crd-ref-docs-v0.3.0"
 

docs/concepts/large-bundle-support.md → docs/draft/concepts/large-bundle-support.md

@@ -139,12 +139,19 @@ follow for consistency and safe lifecycle management.
 
 Recommended conventions:
 
-1. **Immutability**: Secrets should set `immutable: true`. Because COS phases
+1. **Secret type**: Secrets should use the dedicated type
+   `olm.operatorframework.io/object-data` to distinguish them from user-created
+   Secrets and enable easy identification. The system always sets this type on
+   Secrets it creates. The reconciler does not enforce the type when resolving
+   refs — Secrets with any type are accepted — but producers should set it for
+   consistency.
+
+2. **Immutability**: Secrets should set `immutable: true`. Because COS phases
    are immutable, the content backing a ref should not change after creation.
    Mutable referenced Secrets are not rejected, but modifying them after the
    COS is created leads to undefined behavior.
 
-2. **Owner references**: Referenced Secrets should carry an ownerReference to
+3. **Owner references**: Referenced Secrets should carry an ownerReference to
    the COS so that Kubernetes garbage collection removes them when the COS is
    deleted:
    ```yaml
@@ -159,7 +166,7 @@ Recommended conventions:
    Secret when the COS is deleted. The reconciler does not delete referenced
    Secrets itself.
 
-3. **Revision label**: A label identifying the owning revision aids discovery,
+4. **Revision label**: A label identifying the owning revision aids discovery,
    debugging, and bulk cleanup:
    ```
    olm.operatorframework.io/revision-name: <COS-name>
@@ -237,6 +244,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   service-account: <base64(JSON ServiceAccount manifest)>
   cluster-role:    <base64(JSON ClusterRole manifest)>
@@ -255,6 +263,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   my-crd: <base64(JSON CRD manifest)>
 ---
@@ -272,6 +281,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   deployment: <base64(JSON Deployment manifest)>
 ```
@@ -653,7 +663,7 @@ rollout semantics are unchanged.
 | **Crash safety** | 3-step: Secrets → COS → patch ownerRefs; orphan cleanup via revision label                            | 2-step: COS → Secrets with ownerRefs; simpler but reconciler may see missing Secrets temporarily |
 | **Flexibility** | Mixed inline/ref per object within the same phase is possible                                         | All-or-nothing — either all phases inline or all externalized                                    |
 | **Storage efficiency** | Per-object compression misses cross-object redundancy; potentially more Secrets created in edge cases | Better compression from cross-phase redundancy; fewer Secrets                                    |
-| **Resource type** | Secret only                                                                                          | Secret only (with dedicated type)                                                                |
+| **Resource type** | Secret with dedicated type `olm.operatorframework.io/object-data`                                     | Secret with dedicated type `olm.operatorframework.io/revision-phase-data`                        |
 | **Phases structure** | Unchanged — phases array preserved as-is; only individual objects gain a new resolution path          | Replaced at the top level — phases field swapped for phasesRef                                   |
 | **Content addressability** | Content hash as Secret data key — key changes when content changes                                    | Content hash embedded in Secret name — detects changes without fetching contents                 |
 

go.mod

@@ -45,10 +45,10 @@ require (
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/kubernetes v1.35.0
 	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
-	pkg.package-operator.run/boxcutter v0.12.0
+	pkg.package-operator.run/boxcutter v0.13.0
 	sigs.k8s.io/controller-runtime v0.23.3
 	sigs.k8s.io/controller-tools v0.20.1
-	sigs.k8s.io/crdify v0.5.0
+	sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -796,16 +796,16 @@ k8s.io/utils v0.0.0-20260319190234-28399d86e0b5 h1:kBawHLSnx/mYHmRnNUf9d4CpjREbe
 k8s.io/utils v0.0.0-20260319190234-28399d86e0b5/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
 oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
-pkg.package-operator.run/boxcutter v0.12.0 h1:9XAi8MjwghfNHyuWzhqrEjY+XIGUz2rg+A72KITb+wA=
-pkg.package-operator.run/boxcutter v0.12.0/go.mod h1:Bo1tgiXCYJtehp5p+2aTrKt7VnJhrGKSSBvUQofnDRg=
+pkg.package-operator.run/boxcutter v0.13.0 h1:LNUS36NFkI+6J1CcVMrmTOtZt8UoalwXcIDlTPG66C4=
+pkg.package-operator.run/boxcutter v0.13.0/go.mod h1:Bo1tgiXCYJtehp5p+2aTrKt7VnJhrGKSSBvUQofnDRg=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
 sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
 sigs.k8s.io/controller-tools v0.20.1 h1:gkfMt9YodI0K85oT8rVi80NTXO/kDmabKR5Ajn5GYxs=
 sigs.k8s.io/controller-tools v0.20.1/go.mod h1:b4qPmjGU3iZwqn34alUU5tILhNa9+VXK+J3QV0fT/uU=
-sigs.k8s.io/crdify v0.5.0 h1:mrMH9CgXQPTZUpTU6Klqfnlys8bggv/7uvLT2lXSP7A=
-sigs.k8s.io/crdify v0.5.0/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097 h1:gwDRFCc64lhEpxY944IJFW+CrmMFXWH+JjpE0JHp42Y=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
 sigs.k8s.io/gateway-api v1.5.0 h1:duoo14Ky/fJXpjpmyMISE2RTBGnfCg8zICfTYLTnBJA=
 sigs.k8s.io/gateway-api v1.5.0/go.mod h1:GvCETiaMAlLym5CovLxGjS0NysqFk3+Yuq3/rh6QL2o=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=

internal/operator-controller/applier/phase.go

@@ -2,19 +2,11 @@ package applier
 
 import (
 	"cmp"
-	"encoding/json"
-	"fmt"
 	"slices"
-	"strings"
 
-	"k8s.io/apimachinery/pkg/api/equality"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"pkg.package-operator.run/boxcutter/probing"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	ocv1ac "github.com/operator-framework/operator-controller/applyconfigurations/api/v1"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
 )
 
 // The following, with modifications, is taken from:
@@ -206,58 +198,3 @@ func PhaseSort(unsortedObjs []ocv1ac.ClusterObjectSetObjectApplyConfiguration) [
 
 	return phasesSorted
 }
-
-// FieldValueProbe checks if the value found at FieldPath matches the provided Value
-type FieldValueProbe struct {
-	FieldPath, Value string
-}
-
-var _ probing.Prober = (*FieldValueProbe)(nil)
-
-// Probe executes the probe.
-func (fe *FieldValueProbe) Probe(obj client.Object) probing.Result {
-	uMap, err := util.ToUnstructured(obj)
-	if err != nil {
-		return probing.UnknownResult(fmt.Sprintf("failed to convert to unstructured: %v", err))
-	}
-	return fe.probe(uMap)
-}
-
-func (fv *FieldValueProbe) probe(obj *unstructured.Unstructured) probing.Result {
-	fieldPath := strings.Split(strings.Trim(fv.FieldPath, "."), ".")
-
-	fieldVal, ok, err := unstructured.NestedFieldCopy(obj.Object, fieldPath...)
-	if err != nil {
-		return probing.Result{
-			Status:   probing.StatusFalse,
-			Messages: []string{fmt.Sprintf(`error locating key %q; %v`, fv.FieldPath, err)},
-		}
-	}
-	if !ok {
-		return probing.Result{
-			Status:   probing.StatusFalse,
-			Messages: []string{fmt.Sprintf(`missing key: %q`, fv.FieldPath)},
-		}
-	}
-
-	if !equality.Semantic.DeepEqual(fieldVal, fv.Value) {
-		foundJSON, err := json.Marshal(fieldVal)
-		if err != nil {
-			foundJSON = []byte("<value marshal failed>")
-		}
-		expectedJSON, err := json.Marshal(fv.Value)
-		if err != nil {
-			expectedJSON = []byte("<value marshal failed>")
-		}
-
-		return probing.Result{
-			Status:   probing.StatusFalse,
-			Messages: []string{fmt.Sprintf(`value at key %q != %q; expected: %s got: %s`, fv.FieldPath, fv.Value, expectedJSON, foundJSON)},
-		}
-	}
-
-	return probing.Result{
-		Status:   probing.StatusTrue,
-		Messages: []string{fmt.Sprintf(`value at key %q == %q`, fv.FieldPath, fv.Value)},
-	}
-}

internal/operator-controller/applier/phase_test.go

@@ -3,14 +3,9 @@ package applier_test
 import (
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/ptr"
-	"pkg.package-operator.run/boxcutter/probing"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	ocv1ac "github.com/operator-framework/operator-controller/applyconfigurations/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
@@ -1036,82 +1031,3 @@ func Test_PhaseSort(t *testing.T) {
 		})
 	}
 }
-
-func Test_FieldValueProbe(t *testing.T) {
-	for _, tc := range []struct {
-		name           string
-		obj            client.Object
-		probe          applier.FieldValueProbe
-		expectedResult probing.Result
-	}{
-		{
-			name: "True result with found key and equal value",
-			obj: &corev1.Service{
-				TypeMeta:   metav1.TypeMeta{Kind: "Service", APIVersion: "v1"},
-				ObjectMeta: metav1.ObjectMeta{Name: "my-service", Namespace: "my-namespace"},
-			},
-			probe: applier.FieldValueProbe{
-				FieldPath: "metadata.name",
-				Value:     "my-service",
-			},
-			expectedResult: probing.Result{
-				Status: probing.StatusTrue,
-				Messages: []string{
-					`value at key "metadata.name" == "my-service"`,
-				},
-			},
-		},
-		{
-			name: "False result with unfound key",
-			obj: &corev1.Service{
-				TypeMeta:   metav1.TypeMeta{Kind: "Service", APIVersion: "v1"},
-				ObjectMeta: metav1.ObjectMeta{Name: "my-service", Namespace: "my-namespace"},
-			},
-			probe: applier.FieldValueProbe{
-				FieldPath: "spec.foo",
-				Value:     "my-service",
-			},
-			expectedResult: probing.Result{
-				Status: probing.StatusFalse,
-				Messages: []string{
-					`missing key: "spec.foo"`,
-				},
-			},
-		},
-		{
-			name: "False result with found key and unequal value",
-			obj: &corev1.Service{
-				TypeMeta:   metav1.TypeMeta{Kind: "Service", APIVersion: "v1"},
-				ObjectMeta: metav1.ObjectMeta{Name: "my-service", Namespace: "my-namespace"},
-			},
-			probe: applier.FieldValueProbe{
-				FieldPath: "metadata.namespace",
-				Value:     "bar",
-			},
-			expectedResult: probing.Result{
-				Status: probing.StatusFalse,
-				Messages: []string{
-					`value at key "metadata.namespace" != "bar"; expected: "bar" got: "my-namespace"`,
-				},
-			},
-		},
-		{
-			name: "Unknown result unstructured conversion failure",
-			obj:  nil,
-			probe: applier.FieldValueProbe{
-				FieldPath: "metadata.name",
-				Value:     "my-service",
-			},
-			expectedResult: probing.Result{
-				Status: probing.StatusUnknown,
-				Messages: []string{
-					"failed to convert to unstructured: object is nil",
-				},
-			},
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			assert.Equal(t, tc.expectedResult, tc.probe.Probe(tc.obj))
-		})
-	}
-}

internal/operator-controller/applier/secretpacker.go

@@ -143,6 +143,7 @@ func (p *SecretPacker) newSecret(data map[string][]byte) corev1.Secret {
 			},
 		},
 		Immutable: ptr.To(true),
+		Type:      labels.SecretTypeObjectData,
 		Data:      data,
 	}
 }

internal/operator-controller/applier/secretpacker_test.go

@@ -46,6 +46,7 @@ func TestSecretPacker_Pack(t *testing.T) {
 		assert.True(t, strings.HasPrefix(result.Secrets[0].Name, "my-ext-3-"), "Secret name should be content-addressable with revision prefix")
 		assert.Equal(t, "olmv1-system", result.Secrets[0].Namespace)
 		assert.True(t, *result.Secrets[0].Immutable)
+		assert.Equal(t, labels.SecretTypeObjectData, result.Secrets[0].Type)
 		assert.Equal(t, "my-ext-3", result.Secrets[0].Labels[labels.RevisionNameKey])
 		assert.Equal(t, "my-ext", result.Secrets[0].Labels[labels.OwnerNameKey])
 

internal/operator-controller/controllers/clusterobjectset_controller.go

@@ -38,7 +38,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/labels"
 )
 
@@ -643,7 +642,7 @@ func buildProgressionProbes(progressionProbes []ocv1.ProgressionProbe) (probing.
 				fieldsEqualProbe := probing.FieldsEqualProbe(probe.FieldsEqual)
 				assertions = append(assertions, &fieldsEqualProbe)
 			case ocv1.ProbeTypeFieldValue:
-				fieldValueProbe := applier.FieldValueProbe(probe.FieldValue)
+				fieldValueProbe := probing.FieldValueProbe(probe.FieldValue)
 				assertions = append(assertions, &fieldValueProbe)
 			default:
 				return nil, fmt.Errorf("unknown progressionProbe assertion probe type: %s", probe.Type)

internal/operator-controller/labels/labels.go

@@ -1,6 +1,13 @@
 package labels
 
+import corev1 "k8s.io/api/core/v1"
+
 const (
+	// SecretTypeObjectData is the custom Secret type used for Secrets that store
+	// externalized object content referenced by ClusterObjectSet ref entries.
+	// It distinguishes OLM-managed ref Secrets from user-created Secrets.
+	SecretTypeObjectData corev1.SecretType = "olm.operatorframework.io/object-data" //nolint:gosec // G101 false positive: this is a Kubernetes Secret type identifier, not a credential
+
 	// OwnerKindKey is the label key used to record the kind of the owner
 	// resource responsible for creating or managing a ClusterObjectSet.
 	OwnerKindKey = "olm.operatorframework.io/owner-kind"