Update boilerplate in ADO

.tekton/addon-operator-pko-pull-request.yaml

@@ -7,7 +7,8 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/cancel-in-progress: 'true'
     pipelinesascode.tekton.dev/max-keep-runs: '3'
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+      == "main"
   labels:
     appstudio.openshift.io/application: addon-operator
     appstudio.openshift.io/component: addon-operator-pko

.tekton/addon-operator-pko-push.yaml

@@ -7,7 +7,8 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/cancel-in-progress: 'false'
     pipelinesascode.tekton.dev/max-keep-runs: '3'
-    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+      == "main"
   labels:
     appstudio.openshift.io/application: addon-operator
     appstudio.openshift.io/component: addon-operator-pko

OWNERS_ALIASES

@@ -61,7 +61,6 @@ aliases:
     - casey-williams-rh
     - boranx
   srep-functional-team-thor:
-    - a7vicky
     - diakovnec
     - MitaliBhalla
     - feichashao

boilerplate/_data/last-boilerplate-commit

@@ -1 +1 @@
-f03571416bfe939238200ef033d06d6ad4ab0738
+e3f009d62af7f2238476d8e66285075a2b73aaf2

boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES

@@ -61,7 +61,6 @@ aliases:
     - casey-williams-rh
     - boranx
   srep-functional-team-thor:
-    - a7vicky
     - diakovnec
     - MitaliBhalla
     - feichashao

boilerplate/openshift/golang-osd-operator/README.md

@@ -119,6 +119,18 @@ Checks consist of:
 - `go generate`. This is a no-op if you have no `//go:generate`
   directives in your code.
 
+## PKO (Package Operator) fixture validation
+
+Operators deployed via [Package Operator](https://package-operator.run/) can define snapshot test fixtures that validate `.gotmpl` template rendering. If `deploy_pko/manifest.yaml` exists and contains a `test:` section, the following targets are available:
+
+- `make validate-pko-fixtures` validates that committed fixtures in `deploy_pko/.test-fixtures/` match the current template output. This runs automatically as part of `make validate` (and therefore `make container-validate`). Repos without PKO test fixtures are silently skipped.
+- `make generate-pko-fixtures` regenerates fixtures after intentional changes to `.gotmpl` files or `manifest.yaml` config. Review the diff and commit the updated fixtures alongside the template changes.
+- `make container-generate-pko-fixtures` runs fixture generation inside the boilerplate backing container, which has `kubectl-package` pre-installed. Useful if you don't have `kubectl-package` installed locally. The repository is bind-mounted into the container, so the generated fixtures appear directly in your local `deploy_pko/.test-fixtures/` directory — no manual copy step needed.
+
+Both targets require `kubectl-package`. If it is not found, the target fails with installation instructions. The backing container image includes `kubectl-package`, so `make container-validate` and `make container-generate-pko-fixtures` always work.
+
+**Important:** Buildah's `COPY *` includes dotfiles and dotdirs (contrary to standard glob behavior), so `deploy_pko/.test-fixtures/` will be included in the PKO OCI image unless excluded. `make generate-pko-fixtures` automatically creates a `deploy_pko/.dockerignore` with `.test-fixtures` to prevent this. `make validate-pko-fixtures` verifies the exclusion exists. Without it, PKO will see duplicate objects and fail to deploy the ClusterPackage.
+
 ## FIPS (Federal Information Processing Standards)
 
 To enable FIPS in your build there is a `make ensure-fips` target.

boilerplate/openshift/golang-osd-operator/olm_pko_migration.py

@@ -563,6 +563,8 @@ def annotate_manifests(manifests: list[str]) -> list[dict[str, Any]]:
                     annotated.append(manifest)
                 elif kind == "ServiceMonitor":
                     annotated.append(annotate(manifest, PHASE_DEPLOY))
+                elif kind == "ConfigMap":
+                    annotated.append(annotate(manifest, PHASE_DEPLOY))
                 else:
                     print(f"Unhandled type: {kind}")
                     annotated.append(manifest)

boilerplate/openshift/golang-osd-operator/standard.mk

@@ -309,10 +309,82 @@ prow-config:
 # Targets used by prow
 ######################
 
+# validate-pko-fixtures: Validate PKO package templates against committed snapshot fixtures.
+# Silently skips if deploy_pko/ has no manifest.yaml with a test section.
+# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases
+.PHONY: validate-pko-fixtures
+validate-pko-fixtures:
+	@if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \
+		if ! command -v kubectl-package >/dev/null 2>&1; then \
+			echo "ERROR: kubectl-package is not installed." >&2; \
+			echo "Install it from: https://github.com/package-operator/package-operator/releases" >&2; \
+			echo "Example: curl -L -o /usr/local/bin/kubectl-package https://github.com/package-operator/package-operator/releases/download/v1.18.6/kubectl-package_linux_amd64 && chmod +x /usr/local/bin/kubectl-package" >&2; \
+			exit 1; \
+		fi; \
+		echo "Validating PKO package fixtures..."; \
+		kubectl-package validate deploy_pko/ || \
+			(echo "ERROR: PKO fixture validation failed. Rendered templates do not match committed fixtures." >&2; \
+			 echo "If you intentionally changed a deploy_pko/ .gotmpl or manifest.yaml config, regenerate fixtures:" >&2; \
+			 echo "  make generate-pko-fixtures" >&2; \
+			 echo "  git diff deploy_pko/.test-fixtures/" >&2; \
+			 echo "Review the diff to confirm only your intended changes are reflected, then commit the updated fixtures." >&2; \
+			 echo "If you did NOT intend to change template output, your modifications may have introduced an unintended" >&2; \
+			 echo "regression in the rendered deployment manifests. Review your changes to deploy_pko/ carefully." >&2; \
+			 exit 1); \
+		if [ -d deploy_pko/.test-fixtures ]; then \
+			ignore_file=""; \
+			if [ -f deploy_pko/.containerignore ]; then \
+				ignore_file="deploy_pko/.containerignore"; \
+			elif [ -f deploy_pko/.dockerignore ]; then \
+				ignore_file="deploy_pko/.dockerignore"; \
+			fi; \
+			if [ -z "$$ignore_file" ]; then \
+				echo "ERROR: deploy_pko/.test-fixtures/ exists but no .dockerignore or .containerignore found in deploy_pko/." >&2; \
+				echo "Without it, test fixtures will be included in the PKO OCI image, causing Duplicate Object errors." >&2; \
+				echo "Fix: run 'make generate-pko-fixtures' to auto-create deploy_pko/.dockerignore" >&2; \
+				exit 1; \
+			elif ! grep -q '\.test-fixtures' "$$ignore_file"; then \
+				echo "ERROR: $$ignore_file exists but does not exclude .test-fixtures." >&2; \
+				echo "Without this exclusion, test fixtures will be included in the PKO OCI image." >&2; \
+				echo "Fix: add '.test-fixtures' to $$ignore_file" >&2; \
+				exit 1; \
+			fi; \
+		fi; \
+	fi
+
+# generate-pko-fixtures: Regenerate PKO snapshot fixtures after template changes.
+# Requires kubectl-package; see https://github.com/package-operator/package-operator/releases
+.PHONY: generate-pko-fixtures
+generate-pko-fixtures:
+	@if [ -d deploy_pko ] && grep -q '^test:' deploy_pko/manifest.yaml 2>/dev/null; then \
+		if ! command -v kubectl-package >/dev/null 2>&1; then \
+			echo "ERROR: kubectl-package is not installed." >&2; \
+			echo "Install it from: https://github.com/package-operator/package-operator/releases" >&2; \
+			echo "Example: curl -L -o /usr/local/bin/kubectl-package https://github.com/package-operator/package-operator/releases/download/v1.18.6/kubectl-package_linux_amd64 && chmod +x /usr/local/bin/kubectl-package" >&2; \
+			exit 1; \
+		fi; \
+		echo "Regenerating PKO test fixtures..."; \
+		rm -rf deploy_pko/.test-fixtures; \
+		kubectl-package validate deploy_pko/ && \
+		if [ ! -f deploy_pko/.dockerignore ] && [ ! -f deploy_pko/.containerignore ]; then \
+			echo ".test-fixtures" > deploy_pko/.dockerignore; \
+			echo "Created deploy_pko/.dockerignore to exclude .test-fixtures from PKO image."; \
+		elif [ -f deploy_pko/.dockerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.dockerignore; then \
+			echo ".test-fixtures" >> deploy_pko/.dockerignore; \
+			echo "Added .test-fixtures to deploy_pko/.dockerignore."; \
+		elif [ -f deploy_pko/.containerignore ] && ! grep -q '\.test-fixtures' deploy_pko/.containerignore; then \
+			echo ".test-fixtures" >> deploy_pko/.containerignore; \
+			echo "Added .test-fixtures to deploy_pko/.containerignore."; \
+		fi; \
+		echo "Fixtures regenerated. Review with 'git diff deploy_pko/.test-fixtures/' and commit."; \
+	else \
+		echo "No PKO test configuration found in deploy_pko/manifest.yaml, nothing to generate."; \
+	fi
+
 # validate: Ensure code generation has not been forgotten; and ensure
 # generated and boilerplate code has not been modified.
 .PHONY: validate
-validate: boilerplate-freeze-check generate-check
+validate: boilerplate-freeze-check generate-check validate-pko-fixtures
 
 # lint: Perform static analysis.
 .PHONY: lint
@@ -396,6 +468,10 @@ container-validate:
 container-coverage:
 	${BOILERPLATE_CONTAINER_MAKE} coverage
 
+.PHONY: container-generate-pko-fixtures
+container-generate-pko-fixtures:
+	${BOILERPLATE_CONTAINER_MAKE} generate-pko-fixtures
+
 # Run all container-* validation targets in sequence.
 # Set NONINTERACTIVE=true to skip debug shells and fail fast for CI/automation.
 .PHONY: container-all

build/Dockerfile

@@ -10,7 +10,7 @@ COPY . .
 RUN make go-build
 
 ###
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882
 
 ENV USER_UID=1001 \
     USER_NAME=addon-operator

build/Dockerfile.olm-registry

@@ -4,7 +4,7 @@ COPY ${SAAS_OPERATOR_DIR} manifests
 RUN initializer --permissive
 
 # ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882
 
 COPY --from=builder /bin/registry-server /bin/registry-server
 COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe

build/Dockerfile.webhook

@@ -10,7 +10,7 @@ COPY . .
 RUN GOOS=linux CGO_ENABLED=1 GOARCH=amd64 GOFLAGS="" go build -o build/_output/bin/addon-operator-webhook ./cmd/addon-operator-webhook
 
 ###
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1775623882
 
 ENV USER_UID=1001 \
     USER_NAME=addon-operator

deploy_pko/ConfigMap-trusted-ca-bundle.yaml

@@ -3,8 +3,8 @@ kind: ConfigMap
 metadata:
   namespace: openshift-addon-operator
   name: trusted-ca-bundle
+  labels:
+    config.openshift.io/inject-trusted-cabundle: 'true'
   annotations:
     package-operator.run/phase: deploy
     package-operator.run/collision-protection: IfNoController
-  labels:
-    config.openshift.io/inject-trusted-cabundle: 'true'