From 81e6f7ca6a6705937490baf5dbdb9d50bac40b56 Mon Sep 17 00:00:00 2001
From: Nati Fridman
Date: Wed, 25 Sep 2024 15:31:54 +0300
Subject: [PATCH 1/2] ztp: reference: Change "pod-security.kubernetes.io/" to be prefix based
---
 ztp/kube-compare-reference/metadata.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ztp/kube-compare-reference/metadata.yaml b/ztp/kube-compare-reference/metadata.yaml
index 60336af99..8a73cc83f 100644
--- a/ztp/kube-compare-reference/metadata.yaml
+++ b/ztp/kube-compare-reference/metadata.yaml
@@ -202,10 +202,8 @@ fieldsToOmit:
 - pathToKey: metadata.annotations."include.release.openshift.io/single-node-developer"
 - pathToKey: metadata.annotations."release.openshift.io/create-only"
 - pathToKey: metadata.labels."lca.openshift.io/target-ocp-version"
- - pathToKey: metadata.labels."pod-security.kubernetes.io/audit"
- - pathToKey: metadata.labels."pod-security.kubernetes.io/audit-version"
- - pathToKey: metadata.labels."pod-security.kubernetes.io/warn"
- - pathToKey: metadata.labels."pod-security.kubernetes.io/warn-version"
+ - pathToKey: metadata.labels."pod-security.kubernetes.io/"
+ isPrefix: true
 - pathToKey: metadata.annotations."capability.openshift.io/name"
 - pathToKey: metadata.annotations."olm.providedAPIs"
 - pathToKey: metadata.annotations."operator.sriovnetwork.openshift.io/last-network-namespace"
From 976ec3de667f15d53e03befb5b98e563f1b66251 Mon Sep 17 00:00:00 2001
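Review bot: The prefix entry added to `fieldsToOmit` in ztp/kube-compare-reference/metadata.yaml (PATCH 1/2), `metadata.labels."pod-security.kubernetes.io/"` with `isPrefix: true`, omits every label under that prefix, including `pod-security.kubernetes.io/enforce` and `enforce-version`, which the four removed entries in this hunk (audit, audit-version, warn, warn-version) did not list. For resources compared with this omit list, a namespace whose Pod Security Admission enforcement level differs from the reference would then no longer be reported as a difference. If that is intended, say so next to the entry, for example `# prefix also covers enforce/enforce-version: PSA levels are not validated by this reference`; if not, keep explicit entries for the audit and warn keys only. The `fieldsToOmit` list starts outside the hunk, so which templates use this entry is not visible here.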
From: Nati Fridman
Date: Thu, 26 Sep 2024 09:54:10 +0300
Subject: [PATCH 2/2] ztp: reference: Remove allowLabels template
---
 ztp/kube-compare-reference/metadata.yaml | 3 ---
 .../local-storage-operator/StorageNS.yaml | 6 ------
 .../sriov-fec-operator/AcceleratorsNS.yaml | 6 ------
 .../storage/StorageLVMSubscriptionNS.yaml | 11 ++--------
 .../optional_labels.tmpl | 21 -------------------
 .../cluster-logging/ClusterLogNS.yaml | 6 ------
 .../required/lca/LcaSubscriptionNS.yaml | 9 ---------
 .../ptp-operator/PtpSubscriptionNS.yaml | 9 ---------
 .../sriov-operator/SriovSubscriptionNS.yaml | 6 ------
 9 files changed, 2 insertions(+), 75 deletions(-)
 delete mode 100644 ztp/kube-compare-reference/optional_labels.tmpl
diff --git a/ztp/kube-compare-reference/metadata.yaml b/ztp/kube-compare-reference/metadata.yaml
index 8a73cc83f..65f847b7d 100644
--- a/ztp/kube-compare-reference/metadata.yaml
+++ b/ztp/kube-compare-reference/metadata.yaml
@@ -167,7 +167,6 @@ parts:
 templateFunctionFiles:
 - validate_node_selector.tmpl
- - optional_labels.tmpl
 - unordered_list.tmpl
 fieldsToOmit:
@@ -184,13 +183,11 @@ fieldsToOmit:
 - pathToKey: metadata.annotations."machineconfiguration.openshift.io/mc-name-suffix"
 - pathToKey: metadata.labels."kubernetes.io/metadata.name"
 - pathToKey: metadata.labels."olm.operatorgroup.uid"
- - pathToKey: metadata.labels."pod-security.kubernetes.io"
 - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync"
 - pathToKey: metadata.resourceVersion
 - pathToKey: metadata.uid
 - pathToKey: spec.finalizers
 - pathToKey: metadata.creationTimestamp
- - pathToKey: metadata."pod-security.kubernetes.io"
 - pathToKey: metadata.generation
 - pathToKey: status # TODO: We need to check status in Subscription and CatalogSource. CNF-13521
 - pathToKey: metadata.finalizers
diff --git a/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml b/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
index 507178d7b..a9ebbc39b 100644
--- a/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
+++ b/ztp/kube-compare-reference/optional/local-storage-operator/StorageNS.yaml
@@ -4,9 +4,3 @@ metadata:
 name: openshift-local-storage
 annotations:
 workload.openshift.io/allowed: management
- {{- if .metadata.labels }}
- labels:
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
diff --git a/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml b/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
index d9b65841a..57008f40d 100644
--- a/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
+++ b/ztp/kube-compare-reference/optional/sriov-fec-operator/AcceleratorsNS.yaml
@@ -2,9 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: vran-acceleration-operators
- {{- if .metadata.labels }}
- labels:
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
diff --git a/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml b/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
index 1879457d2..5e0cbafc2 100644
--- a/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/optional/storage/StorageLVMSubscriptionNS.yaml
@@ -2,14 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: openshift-storage
- {{- if .metadata.labels }}
 labels:
 # from 4.15+ LVM operator can be part of the management partition.
- {{- template "requiredLabels" (list .metadata.labels
- "workload.openshift.io/allowed: \"management\""
- "openshift.io/cluster-monitoring: \"true\""
- ) }}
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
+ workload.openshift.io/allowed: "management"
+ openshift.io/cluster-monitoring: "true"
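Review bot: In the new static `labels:` block of StorageLVMSubscriptionNS.yaml, `workload.openshift.io/allowed: "management"` is required as a label, while StorageNS.yaml, ClusterLogNS.yaml and SriovSubscriptionNS.yaml in this same patch carry that key under `annotations:` (as far as the flattened rendering shows the nesting). The value is carried over from the removed `requiredLabels` call, but with the `{{- if .metadata.labels }}` guard gone both labels are now expected unconditionally, so a wrong placement would surface as a mismatch on every comparison of this namespace. Worth confirming against the source CR that the label form is intended; if it is, extend the existing comment to say so, for example `# label, not annotation: from 4.15+ LVM operator can be part of the management partition.`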
diff --git a/ztp/kube-compare-reference/optional_labels.tmpl b/ztp/kube-compare-reference/optional_labels.tmpl
deleted file mode 100644
index f51d026da..000000000
--- a/ztp/kube-compare-reference/optional_labels.tmpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- define "allowLabels" }}
-{{- $prefixes := slice . 1 }}
-{{- $result := dict }}
-{{- range $key, $value := (index . 0) }}
- {{- range $prefix := $prefixes }}
- {{- if (hasPrefix $prefix $key) }}
- {{- $_ := set $result $key $value }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- $result | toYaml | nindent 4 }}
-{{- end }}
-
-{{- define "requiredLabels" }}
-{{- $labels := slice . 1 }}
-{{- $result := dict }}
-{{- range $label := $labels }}
- {{- $_ := merge $result ($label | fromYaml) }}
-{{- end }}
-{{- $result | toYaml | nindent 4 }}
-{{- end }}
diff --git a/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml b/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
index e1b3682e3..f79825410 100644
--- a/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
+++ b/ztp/kube-compare-reference/required/cluster-logging/ClusterLogNS.yaml
@@ -4,9 +4,3 @@ metadata:
 name: openshift-logging
 annotations:
 workload.openshift.io/allowed: management
- {{- if .metadata.labels }}
- labels:
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
diff --git a/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml b/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
index cd1b49799..33bc3a644 100644
--- a/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/lca/LcaSubscriptionNS.yaml
@@ -6,12 +6,3 @@ metadata:
 workload.openshift.io/allowed: management
 labels:
 kubernetes.io/metadata.name: openshift-lifecycle-agent
- {{- if .metadata.labels }}
- labels:
- {{- template "requiredLabels" (list .metadata.labels
- "kubernetes.io/metadata.name: openshift-lifecycle-agent"
- ) }}
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
diff --git a/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml b/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
index a91690b0b..0aaf9bd6d 100644
--- a/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/ptp-operator/PtpSubscriptionNS.yaml
@@ -6,12 +6,3 @@ metadata:
 workload.openshift.io/allowed: management
 labels:
 openshift.io/cluster-monitoring: "true"
- {{- if .metadata.labels }}
- labels:
- {{- template "requiredLabels" (list .metadata.labels
- "openshift.io/cluster-monitoring: \"true\""
- ) }}
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}
diff --git a/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml b/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
index 1e28ed312..0071359bb 100644
--- a/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
+++ b/ztp/kube-compare-reference/required/sriov-operator/SriovSubscriptionNS.yaml
@@ -4,9 +4,3 @@ metadata:
 name: openshift-sriov-network-operator
 annotations:
 workload.openshift.io/allowed: management
- {{- if .metadata.labels }}
- labels:
- {{- template "allowLabels" (list .metadata.labels
- "pod-security.kubernetes.io"
- ) }}
- {{- end }}