Add Network Observability controller with day-0 installation support

This commit introduces automated installation and management of the
Network Observability Operator during cluster deployment (day-0).

Key features:
- Automatic operator installation via OLM when NetworkObservabilityInstall
  feature gate is enabled
- Opt-out model: installs by default except on SNO clusters
- Feature gate support with backward compatibility for older clusters

Implementation details:
- New observability controller in pkg/controller/observability/
- Manifest-based operator installation (07-observability-operator.yaml)
- Default FlowCollector configuration (08-flowcollector.yaml)
- RBAC permissions for OLM resource management
- namespace creation for operator and observability components

Author: OlivierCazade

go.mod

@@ -161,3 +161,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
 )
+
+replace github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55 => github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b

go.sum

@@ -12,6 +12,8 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b h1:gP0wnvRizYDHlzLptWxAL3BPC1p6iTkqvC9R43Lexn4=
+github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -209,8 +211,6 @@ github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI
 github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE=
 github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
 github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
-github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55 h1:2h6bqs9ua3wrsQnxEbzys3/n5IohLC7Dyb/KgaVYC/A=
-github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98 h1:Ssuo/zELWqb7pFCwzB3QGEA4QeLW948hL2AhWq2SWjs=

manifests/0000_70_cluster-network-operator_02_rbac_observability.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cno-observability
+rules:
+  # Manage the netobserv namespace itself
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "list"]
+
+  # Manage ServiceAccounts for ClusterExtension installer
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "create", "list"]
+
+  # Manage OLM v1 resources for operator installation
+  - apiGroups: ["olm.operatorframework.io"]
+    resources: ["clusterextensions"]
+    verbs: ["get", "list", "create", "update", "patch"]
+
+  # Check for FlowCollector CRD to determine if operator is installed
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get"]
+
+  # Manage FlowCollector CRs
+  - apiGroups: ["flows.netobserv.io"]
+    resources: ["flowcollectors"]
+    verbs: ["get", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cno-observability
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cno-observability
+subjects:
+  - kind: ServiceAccount
+    name: cluster-network-operator
+    namespace: openshift-network-operator

pkg/controller/add_networkconfig.go

@@ -8,6 +8,7 @@ import (
 	"github.com/openshift/cluster-network-operator/pkg/controller/egress_router"
 	"github.com/openshift/cluster-network-operator/pkg/controller/infrastructureconfig"
 	"github.com/openshift/cluster-network-operator/pkg/controller/ingressconfig"
+	"github.com/openshift/cluster-network-operator/pkg/controller/observability"
 	"github.com/openshift/cluster-network-operator/pkg/controller/operconfig"
 	"github.com/openshift/cluster-network-operator/pkg/controller/pki"
 	"github.com/openshift/cluster-network-operator/pkg/controller/proxyconfig"
@@ -28,5 +29,6 @@ func init() {
 		infrastructureconfig.Add,
 		allowlist.Add,
 		dashboards.Add,
+		observability.Add,
 	)
 }

pkg/controller/observability/manifests/07-observability-operator.yaml

@@ -0,0 +1,246 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-netobserv-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netobserv-operator-installer
+  namespace: openshift-netobserv-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: netobserv-operator-installer
+rules:
+  # Permissions needed by OLM v1 to install the Network Observability operator
+  # Based on OLM v1 pre-authorization requirements from the operator bundle
+
+  # Core resources
+  - apiGroups: [""]
+    resources: ["endpoints", "nodes", "pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts", "services", "configmaps"]
+    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets", "persistentvolumeclaims"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # Webhooks - validating webhook configurations
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["create", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    resourceNames: ["flowcollectorconversionwebhook.netobserv.io", "flowmetricvalidationwebhook.netobserv.io"]
+    verbs: ["delete", "get", "patch", "update"]
+
+  # CRDs and API services
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "get", "list", "watch", "update", "patch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions/status"]
+    verbs: ["patch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    resourceNames: ["flowcollectors.flows.netobserv.io", "flowcollectorslices.flows.netobserv.io", "flowmetrics.flows.netobserv.io"]
+    verbs: ["delete"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch"]
+
+  # Workloads
+  - apiGroups: ["apps"]
+    resources: ["deployments", "daemonsets"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+
+  # Authentication and authorization
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Autoscaling
+  - apiGroups: ["autoscaling"]
+    resources: ["horizontalpodautoscalers"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # eBPF (bpfman.io)
+  - apiGroups: ["bpfman.io"]
+    resources: ["clusterbpfapplications"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["bpfman.io"]
+    resources: ["clusterbpfapplications/status"]
+    verbs: ["get", "patch", "update"]
+
+  # OpenShift config
+  - apiGroups: ["config.openshift.io"]
+    resources: ["clusterversions", "networks"]
+    verbs: ["get", "list", "watch"]
+
+  # Console plugin
+  - apiGroups: ["console.openshift.io"]
+    resources: ["consoleplugins"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # Coordination (leader election)
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # Discovery
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+  # FlowCollector CRs
+  - apiGroups: ["flows.netobserv.io"]
+    resources: ["flowcollectors", "flowcollectorslices", "flowmetrics"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["flows.netobserv.io"]
+    resources: ["flowcollectors/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["flows.netobserv.io"]
+    resources: ["flowcollectors/status", "flowcollectorslices/status", "flowmetrics/status"]
+    verbs: ["get", "patch", "update"]
+
+  # OVN-Kubernetes
+  - apiGroups: ["k8s.ovn.org"]
+    resources: ["clusteruserdefinednetworks", "userdefinednetworks"]
+    verbs: ["get", "list", "watch"]
+
+  # Loki integration
+  - apiGroups: ["loki.grafana.com"]
+    resources: ["lokistacks"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["loki.grafana.com"]
+    resources: ["network"]
+    resourceNames: ["logs"]
+    verbs: ["create", "get"]
+
+  # Metrics
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods"]
+    verbs: ["create"]
+
+  # Monitoring
+  - apiGroups: ["monitoring.coreos.com"]
+    resources: ["prometheusrules", "servicemonitors"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # Network policies
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+
+  # OLM ClusterExtension finalizers
+  - apiGroups: ["olm.operatorframework.io"]
+    resources: ["clusterextensions/finalizers"]
+    resourceNames: ["netobserv-operator"]
+    verbs: ["update"]
+
+  # OpenShift console and network config
+  - apiGroups: ["operator.openshift.io"]
+    resources: ["consoles"]
+    verbs: ["get", "list", "update", "watch"]
+  - apiGroups: ["operator.openshift.io"]
+    resources: ["networks"]
+    verbs: ["get", "list", "watch"]
+
+  # RBAC
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["clusterroles", "clusterrolebindings"]
+    verbs: ["create", "delete", "get", "list", "update", "watch", "patch"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles"]
+    verbs: ["list", "watch"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["rolebindings"]
+    verbs: ["create", "delete", "get", "list", "update", "watch"]
+
+  # Security context constraints
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    verbs: ["create", "list", "update", "watch"]
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["hostnetwork"]
+    verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: netobserv-operator-installer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: netobserv-operator-installer
+subjects:
+  - kind: ServiceAccount
+    name: netobserv-operator-installer
+    namespace: openshift-netobserv-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: netobserv-operator-installer
+  namespace: openshift-netobserv-operator
+rules:
+  # Namespace-scoped permissions needed for operator installation
+  # The operator needs to manage Roles and RoleBindings in its own namespace
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles"]
+    verbs: ["create"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles"]
+    resourceNames: ["netobserv-openshift-netobserv-operator-prometheus"]
+    verbs: ["delete", "get", "patch", "update"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["rolebindings"]
+    resourceNames: ["netobserv-openshift-netobserv-operator-prometheus"]
+    verbs: ["delete", "get", "patch", "update"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["rolebindings"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: netobserv-operator-installer
+  namespace: openshift-netobserv-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: netobserv-operator-installer
+subjects:
+  - kind: ServiceAccount
+    name: netobserv-operator-installer
+    namespace: openshift-netobserv-operator
+---
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: netobserv-operator
+spec:
+  namespace: openshift-netobserv-operator
+  serviceAccount:
+    name: netobserv-operator-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: netobserv-operator
+      channels: [stable]

pkg/controller/observability/manifests/08-flowcollector.yaml

@@ -0,0 +1,15 @@
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  agent:
+    ebpf:
+      features:
+        - DNSTracking
+      sampling: 400
+    type: eBPF
+  deploymentModel: Service
+  loki:
+    enable: false
+  namespace: openshift-network-observability