Add Network Observability controller with day-0 installation support

This commit introduces automated installation and management of the
Network Observability Operator during cluster deployment (day-0).

Key features:
- Automatic operator installation via OLM when NetworkObservabilityInstall
  feature gate is enabled
- Opt-out model: installs by default except on SNO clusters
- Feature gate support with backward compatibility for older clusters

Implementation details:
- New observability controller in pkg/controller/observability/
- Manifest-based operator installation (07-observability-operator.yaml)
- Default FlowCollector configuration (08-flowcollector.yaml)
- RBAC permissions for OLM resource management
- namespace creation for operator and observability components

Author: OlivierCazade

go.mod

@@ -161,3 +161,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
 )
+
+replace github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55 => github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b

go.sum

@@ -12,6 +12,8 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b h1:gP0wnvRizYDHlzLptWxAL3BPC1p6iTkqvC9R43Lexn4=
+github.com/OlivierCazade/api v0.0.0-20260324144412-012c4cdbbb5b/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -209,8 +211,6 @@ github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI
 github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE=
 github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
 github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
-github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55 h1:2h6bqs9ua3wrsQnxEbzys3/n5IohLC7Dyb/KgaVYC/A=
-github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98 h1:Ssuo/zELWqb7pFCwzB3QGEA4QeLW948hL2AhWq2SWjs=

manifests/0000_70_cluster-network-operator_02_rbac_observability.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cno-observability
+rules:
+  # Manage the netobserv namespace itself
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "list"]
+
+  # Manage ServiceAccounts for ClusterExtension installer
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "create", "list"]
+
+  # Manage OLM v1 resources for operator installation
+  - apiGroups: ["olm.operatorframework.io"]
+    resources: ["clusterextensions"]
+    verbs: ["get", "list", "create", "update", "patch"]
+
+  # Check for FlowCollector CRD to determine if operator is installed
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get"]
+
+  # Manage FlowCollector CRs
+  - apiGroups: ["flows.netobserv.io"]
+    resources: ["flowcollectors"]
+    verbs: ["get", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cno-observability
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cno-observability
+subjects:
+  - kind: ServiceAccount
+    name: cluster-network-operator
+    namespace: openshift-network-operator

manifests/07-observability-operator.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-netobserv-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netobserv-operator-installer
+  namespace: openshift-netobserv-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: netobserv-operator-installer
+rules:
+  # Permissions needed by OLM v1 to install operators
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: netobserv-operator-installer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: netobserv-operator-installer
+subjects:
+  - kind: ServiceAccount
+    name: netobserv-operator-installer
+    namespace: openshift-netobserv-operator
+---
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: netobserv-operator
+spec:
+  namespace: openshift-netobserv-operator
+  serviceAccount:
+    name: netobserv-operator-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: netobserv-operator
+      channels: [stable]

manifests/08-flowcollector.yaml

@@ -0,0 +1,15 @@
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  agent:
+    ebpf:
+      features:
+        - DNSTracking
+      sampling: 400
+    type: eBPF
+  deploymentModel: Service
+  loki:
+    enable: false
+  namespace: openshift-network-observability

pkg/controller/add_networkconfig.go

@@ -8,6 +8,7 @@ import (
 	"github.com/openshift/cluster-network-operator/pkg/controller/egress_router"
 	"github.com/openshift/cluster-network-operator/pkg/controller/infrastructureconfig"
 	"github.com/openshift/cluster-network-operator/pkg/controller/ingressconfig"
+	"github.com/openshift/cluster-network-operator/pkg/controller/observability"
 	"github.com/openshift/cluster-network-operator/pkg/controller/operconfig"
 	"github.com/openshift/cluster-network-operator/pkg/controller/pki"
 	"github.com/openshift/cluster-network-operator/pkg/controller/proxyconfig"
@@ -28,5 +29,6 @@ func init() {
 		infrastructureconfig.Add,
 		allowlist.Add,
 		dashboards.Add,
+		observability.Add,
 	)
 }