The CLI Manager Operator is an OpenShift operator that manages the CLI Manager operand — a service that distributes CLI tools and kubectl plugins to cluster users via krew. It is deployed by the Cluster Version Operator (CVO) and uses the library-go controller framework.
The operator's primary responsibilities:
- Watch the singleton
CliManagercustom resource for desired state - Reconcile operand resources: Deployment, Route, Service, RBAC, ServiceMonitor
- Inject the operand container image and log-level configuration
- Report status via operator conditions and generation tracking
CliManager CR (operator.openshift.io/v1)
(name: "cluster", ns: openshift-cli-manager-operator)
│
▼
┌──────────────────────────────────────────────────┐
│ TargetConfigReconciler │
│ (watches CR, reads embedded YAML assets, │
│ substitutes image + log level, applies all │
│ operand resources via resourceapply) │
└──────────────────────┬───────────────────────────┘
│
┌──────────────────┼──────────────────┐
▼ ▼ ▼
Deployment Route + Service RBAC
(cli-manager (TLS edge, (ClusterRole,
2 replicas) /cli-manager) ServiceAccount)
│
▼
CLI Manager pods
(serve plugins via krew index)
Users interact with the operand through the oc krew command, which fetches plugin metadata from the Route and installs CLI tools.
Entry point: cmd/cli-manager-operator/main.go → pkg/cmd/operator/cmd.go → pkg/operator/starter.go:RunOperator().
Startup sequence:
- Create clients (Kubernetes, dynamic, CliManager, Route)
- Create informer factory for the CliManager CRD (10-minute resync)
- Create and start
TargetConfigReconcilerandClusterOperatorLoggingController - Block until context cancellation
Everything runs in a single namespace: openshift-cli-manager-operator (constant OperatorNamespace in pkg/operator/operatorclient/interfaces.go). Both the operator Deployment and all operand resources (Deployment, Service, Route, RBAC, ServiceMonitor) live here. The constant OperandName = "openshift-cli-manager" is a resource name prefix, not a separate namespace.
pkg/operator/target_config_reconciler.go is the single controller. On each sync it:
- Fetches the
CliManagerCR (cluster) - Applies RBAC resources (ClusterRole, ClusterRoleBinding, Role, RoleBinding)
- Applies the operand Deployment:
- Substitutes
${IMAGE}with the value ofRELATED_IMAGE_OPERAND_IMAGE - Sets klog verbosity based on CR
logLevel(Normal→-v=2, Debug→-v=4, Trace→-v=6, TraceAll→-v=8) - Optionally enables
--serve-artifacts-in-httpfor testing
- Substitutes
- Applies networking resources (Route, Service, metrics Service)
- Applies the ServiceAccount
- Applies the ServiceMonitor for Prometheus scraping
- Updates CR status with deployment generation
The reconciler uses a rate-limited work queue. A worker goroutine blocks on the queue and processes items immediately as they arrive; wait.Until restarts the worker with a 1-second delay if it exits. Events (add/update/delete) on the CliManager CR enqueue a sync.
All operand manifests are embedded in bindata/assets/cli-manager/:
| Asset | Purpose |
|---|---|
deployment.yaml |
2-replica Deployment running cli-manager start, ports 9449 (service) and 60000 (metrics) |
route.yaml |
TLS edge-terminated Route at path /cli-manager with 5-minute HAProxy timeout |
service.yaml |
ClusterIP Service on port 9449 |
servicemetrics.yaml |
Metrics Service on port 60000 |
servicemonitor.yaml |
Prometheus ServiceMonitor |
serviceaccount.yaml |
ServiceAccount for the operand |
clusterrole.yaml |
ClusterRole for CLI Manager |
clusterrolebinding.yaml |
ClusterRoleBinding |
role.yaml |
Namespaced Role |
rolebinding.yaml |
RoleBinding |
The Deployment runs with a restricted-v2 security context and mounts three emptyDir volumes (krew-plugins, krew-git, tmp) plus a cert secret (certs-dir).
The CliManager CRD (operator.openshift.io/v1) embeds the standard OperatorSpec and OperatorStatus from the OpenShift API:
- Spec fields (inherited):
managementState,logLevel,operatorLogLevel,observedConfig,unsupportedConfigOverrides - Status fields (inherited):
conditions,generations,observedGeneration,readyReplicas,version
The CRD is a singleton — the operator expects exactly one instance named cluster in the openshift-cli-manager-operator namespace.
cmd/cli-manager-operator-testing/ builds an identical operator binary but with --serve-artifacts-in-http support (hidden flag). When enabled, the Route uses InsecureEdgeTerminationPolicy: Allow instead of Redirect, and the operand serves artifacts over HTTP. This exists so e2e tests can fetch artifacts over plain HTTP without dealing with TLS certificate setup in CI.