From c2a29db13173ee10ac242987e47d0b7c1788393e Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Wed, 27 Oct 2021 11:01:01 -0700
Subject: [PATCH 01/12] fix authcheck secret get/list/watch

---
 authchecker/v2/pkg/authchecker/authchecker.go | 2 +-
 v2/config/rbac/classic/role.yaml              | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/authchecker/v2/pkg/authchecker/authchecker.go b/authchecker/v2/pkg/authchecker/authchecker.go
index 4d58c8a31..701ef7acb 100644
--- a/authchecker/v2/pkg/authchecker/authchecker.go
+++ b/authchecker/v2/pkg/authchecker/authchecker.go
@@ -109,7 +109,7 @@ func (a *AuthChecker) Reconcile(req reconcile.Request) (reconcile.Result, error)
 	err = a.Client.List(context.TODO(), secrets)
 
 	if err != nil {
-		a.Logger.Error(err, "failed to get pod")
+		a.Logger.Error(err, "failed to list secrets")
 		a.Checker.SetErr(err)
 		return reconcile.Result{}, err
 	}
diff --git a/v2/config/rbac/classic/role.yaml b/v2/config/rbac/classic/role.yaml
index 1e2a4fded..854efaf9f 100644
--- a/v2/config/rbac/classic/role.yaml
+++ b/v2/config/rbac/classic/role.yaml
@@ -205,7 +205,9 @@ rules:
       - ''
     resources:
       - pods
+      - secrets
     verbs:
+      - get
       - watch
       - list
 ---

From f10ecc2d3677fa763eb74090882584cbe457290f Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Wed, 27 Oct 2021 13:59:38 -0700
Subject: [PATCH 02/12] cert pipeline

---
 v2/hack/certify/certify.sh | 152 +++++++++++++++++++++++++++++++++++++
 v2/hack/certify/sub.yaml   |  11 +++
 2 files changed, 163 insertions(+)
 create mode 100755 v2/hack/certify/certify.sh
 create mode 100755 v2/hack/certify/sub.yaml

diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
new file mode 100755
index 000000000..915ba8866
--- /dev/null
+++ b/v2/hack/certify/certify.sh
@@ -0,0 +1,152 @@
+#!/bin/bash
+set -Eeox pipefail
+
+SLEEP_LONG="${SLEEP_LONG:-5}"
+SLEEP_SHORT="${SLEEP_SHORT:-2}"
+CERT_NAMESPACE="rhm-certification"
+KUBECONFIG=$HOME/.kube/config
+VERSION="2.4.0"
+
+# Check Subscriptions: subscription-name, namespace
+checksub () {
+	echo "Waiting for Subscription $1 InstallPlan to complete."
+
+	# Wait 2 resync periods for OLM to emit new installplan
+	sleep 60
+
+	# Wait for the InstallPlan to be generated and available on status
+	unset INSTALL_PLAN
+	until oc get subscription $1 -n $2 --output=jsonpath={.status.installPlanRef.name}
+	do
+		sleep $SLEEP_SHORT
+	done
+
+	# Get the InstallPlan
+	until [ -n "$INSTALL_PLAN" ]
+	do
+		sleep $SLEEP_SHORT
+		INSTALL_PLAN=$(oc get subscription $1 -n $2 --output=jsonpath={.status.installPlanRef.name})
+	done
+
+	# Wait for the InstallPlan to Complete
+	unset PHASE
+	until [ "$PHASE" == "Complete" ]
+	do
+		PHASE=$(oc get installplan $INSTALL_PLAN -n $2 --output=jsonpath={.status.phase})
+    if [ "$PHASE" == "Failed" ]; then
+      set +x
+      sleep 3
+      echo "InstallPlan $INSTALL_PLAN for subscription $1 failed."
+      echo "To investigate the reason of the InstallPlan failure run:"
+      echo "oc describe installplan $INSTALL_PLAN -n $2"
+      exit 1
+    fi
+		sleep $SLEEP_SHORT
+	done
+	
+	# Get installed CluserServiceVersion
+	unset CSV
+	until [ -n "$CSV" ]
+	do
+		sleep $SLEEP_SHORT
+		CSV=$(oc get subscription $1 -n $2 --output=jsonpath={.status.installedCSV})
+	done
+	
+	# Wait for the CSV
+	unset PHASE
+	until [ "$PHASE" == "Succeeded" ]
+	do
+		PHASE=$(oc get clusterserviceversion $CSV -n $2 --output=jsonpath={.status.phase})
+    if [ "$PHASE" == "Failed" ]; then
+      set +x
+      sleep 3
+      echo "ClusterServiceVersion $CSV for subscription $1 failed."
+      echo "To investigate the reason of the ClusterServiceVersion failure run:"
+      echo "oc describe clusterserviceversion $CSV -n $2"
+      exit 1
+    fi
+		sleep $SLEEP_SHORT
+	done
+}
+
+
+
+# Install Subscription
+oc apply -f sub.yaml
+
+# Verify Subscriptions
+checksub openshift-pipelines-operator-rh openshift-operators
+
+# Switch to certification namespace
+oc delete ns $CERT_NAMESPACE --ignore-not-found
+oc adm new-project $CERT_NAMESPACE
+oc project $CERT_NAMESPACE
+
+# Create the kubeconfig used by the certification pipeline
+oc delete secret kubeconfig --ignore-not-found
+oc create secret generic kubeconfig --from-file=kubeconfig=$KUBECONFIG
+
+# Import redhat catalogs
+oc import-image redhat-marketplace-index \
+  --from=registry.redhat.io/redhat/redhat-marketplace-index \
+  --reference-policy local \
+  --scheduled \
+  --confirm \
+  --all
+
+CWD=$(pwd)
+TMP_DIR=$(mktemp -d 2>/dev/null || mktemp -d -t 'cptmpdir')
+
+# Install the Certification Pipeline
+cd $TMP_DIR
+git clone https://github.com/redhat-openshift-ecosystem/operator-pipelines
+cd operator-pipelines
+oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/pipelines
+oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/tasks
+cd $CWD
+
+
+# Generate the bundle and add it to the fork
+cd $TMP_DIR
+git clone git@github.com:redhat-marketplace/certified-operators-preprod.git
+
+cd $CWD
+cd ../../
+
+make bundle
+rm -rf $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
+mkdir -p $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
+cp -r bundle/manifests $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
+cp -r bundle/metadata $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
+
+echo "organization: redhat-marketplace" > $TMP_DIR/certified-operators-preprod/config.yaml
+echo "cert_project_id: 5ec3fc8628834587a6b85c2a" > $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/ci.yaml
+
+cd $TMP_DIR
+curl -L https://github.com/mikefarah/yq/releases/download/v4.13.5/yq_linux_amd64.tar.gz | tar -xz 
+./yq_linux_amd64 eval '
+  .metadata.annotations."com.redhat.openshift.versions" = "v4.6-v4.9"
+' -i $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/metadata/annotations.yaml
+
+cd $TMP_DIR/certified-operators-preprod
+git add --all
+git commit -m $VERSION
+git push
+
+
+# Run the Pipeline
+
+cd $TMP_DIR/operator-pipelines
+curl https://mirror.openshift.com/pub/openshift-v4/clients/pipeline/0.19.1/tkn-linux-amd64-0.19.1.tar.gz | tar -xz 
+
+GIT_REPO_URL=https://github.com/redhat-marketplace/certified-operators-preprod.git
+BUNDLE_PATH=operators/redhat-marketplace-operator/$VERSION
+
+./tkn pipeline start operator-ci-pipeline \
+  --param git_repo_url=$GIT_REPO_URL \
+  --param git_branch=stage \
+  --param bundle_path=$BUNDLE_PATH \
+  --param env=stage \
+  --workspace name=pipeline,volumeClaimTemplateFile=templates/workspace-template.yml \
+  --workspace name=kubeconfig,secret=kubeconfig \
+  --showlog
\ No newline at end of file
diff --git a/v2/hack/certify/sub.yaml b/v2/hack/certify/sub.yaml
new file mode 100755
index 000000000..3dc57a82d
--- /dev/null
+++ b/v2/hack/certify/sub.yaml
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-pipelines-operator-rh
+  namespace: openshift-operators
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: openshift-pipelines-operator-rh
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace

From 116fb4a309b776b020bafb562e778d053a51453a Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Thu, 28 Oct 2021 07:26:50 -0700
Subject: [PATCH 03/12] fix annotation

---
 v2/hack/certify/certify.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
index 915ba8866..9de7521e5 100755
--- a/v2/hack/certify/certify.sh
+++ b/v2/hack/certify/certify.sh
@@ -125,7 +125,7 @@ echo "cert_project_id: 5ec3fc8628834587a6b85c2a" > $TMP_DIR/certified-operators-
 cd $TMP_DIR
 curl -L https://github.com/mikefarah/yq/releases/download/v4.13.5/yq_linux_amd64.tar.gz | tar -xz 
 ./yq_linux_amd64 eval '
-  .metadata.annotations."com.redhat.openshift.versions" = "v4.6-v4.9"
+  .annotations."com.redhat.openshift.versions" = "v4.6-v4.9"
 ' -i $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/metadata/annotations.yaml
 
 cd $TMP_DIR/certified-operators-preprod

From bb95a3eb5139c376863ca88e5e08f0e8ed6f0746 Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Fri, 29 Oct 2021 11:11:29 -0700
Subject: [PATCH 04/12] pyxix api key

---
 v2/hack/certify/certify.sh | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
index 9de7521e5..9d8b82eae 100755
--- a/v2/hack/certify/certify.sh
+++ b/v2/hack/certify/certify.sh
@@ -70,6 +70,9 @@ checksub () {
 }
 
 
+if [ -z ${PYXIS_API_KEY+x} ]; then echo "PYXIS_API_KEY is unset"; exit 1; fi
+
+
 
 # Install Subscription
 oc apply -f sub.yaml
@@ -82,11 +85,20 @@ oc delete ns $CERT_NAMESPACE --ignore-not-found
 oc adm new-project $CERT_NAMESPACE
 oc project $CERT_NAMESPACE
 
+oc create secret generic pyxis-api-secret --from-literal pyxis_api_key=$PYXIS_API_KEY
+
 # Create the kubeconfig used by the certification pipeline
 oc delete secret kubeconfig --ignore-not-found
 oc create secret generic kubeconfig --from-file=kubeconfig=$KUBECONFIG
 
 # Import redhat catalogs
+oc import-image certified-operator-index \
+  --from=registry.redhat.io/redhat/certified-operator-index \
+  --reference-policy local \
+  --scheduled \
+  --confirm \
+  --all
+
 oc import-image redhat-marketplace-index \
   --from=registry.redhat.io/redhat/redhat-marketplace-index \
   --reference-policy local \
@@ -119,8 +131,11 @@ mkdir -p $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-opera
 cp -r bundle/manifests $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
 cp -r bundle/metadata $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
 
+# remove sa duplicated in csv?
+rm -Rf  $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/manifests/redhat-marketplace-operator_v1_serviceaccount.yaml
+
 echo "organization: redhat-marketplace" > $TMP_DIR/certified-operators-preprod/config.yaml
-echo "cert_project_id: 5ec3fc8628834587a6b85c2a" > $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/ci.yaml
+echo "cert_project_id: 5f68c9457115dbd1183ccab6" > $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/ci.yaml
 
 cd $TMP_DIR
 curl -L https://github.com/mikefarah/yq/releases/download/v4.13.5/yq_linux_amd64.tar.gz | tar -xz 

From f5a416ebd2af4725b365e4fa6e5af12bb120ba9e Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Tue, 2 Nov 2021 12:25:32 -0700
Subject: [PATCH 05/12] annotations

---
 v2/Makefile                |  4 ++++
 v2/hack/certify/certify.sh | 11 +++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/v2/Makefile b/v2/Makefile
index a7c01682d..2fafee9e9 100644
--- a/v2/Makefile
+++ b/v2/Makefile
@@ -2,6 +2,7 @@
 VERSION ?= $(shell cd ./tools/version && go run ./main.go)
 UNAME_S := $(shell uname -s)
 UNAME := $(shell echo `uname` | tr '[:upper:]' '[:lower:]')
+OPENSHIFT_VERSIONS ?= v4.6-v4.9
 
 export VERSION
 
@@ -172,6 +173,7 @@ docker-manifest:
 	docker manifest push $(IMAGE)
 
 CSV_YAML_BUNDLE_FILE=bundle/manifests/redhat-marketplace-operator.clusterserviceversion.yaml
+ANNOTATIONS_YAML_BUNDLE_FILE=bundle/metadata/annotations.yaml
 CREATED_TIME ?= $(shell date +"%FT%H:%M:%SZ")
 
 # Generate bundle manifests and metadata, then validate generated files.
@@ -184,7 +186,9 @@ bundle: clean manifests kustomize helm operator-sdk yq
 	--set reporterImage=$(REPORTER_IMAGE) \
 	--set authCheckImage=$(AUTHCHECK_IMAGE) \
 	--set dqLiteImage=$(DQLITE_IMAGE) \
+	--set serviceAccount.create=false \
 	--post-renderer ./config/manifests/kustomize | $(OPERATOR_SDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+	$(YQ) eval -i '.annotations."com.redhat.openshift.versions" = "$(OPENSHIFT_VERSIONS)"' $(ANNOTATIONS_YAML_BUNDLE_FILE)
 	$(YQ) eval -i '.spec.webhookdefinitions[].targetPort = 9443' $(CSV_YAML_BUNDLE_FILE)
 	$(YQ) eval -i '.spec.webhookdefinitions[].containerPort = 9443' $(CSV_YAML_BUNDLE_FILE)
 	$(YQ) eval -i ".metadata.annotations.containerImage = \"$(OPERATOR_IMAGE)\"" $(CSV_YAML_BUNDLE_FILE)
diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
index 9d8b82eae..b166b686a 100755
--- a/v2/hack/certify/certify.sh
+++ b/v2/hack/certify/certify.sh
@@ -6,6 +6,9 @@ SLEEP_SHORT="${SLEEP_SHORT:-2}"
 CERT_NAMESPACE="rhm-certification"
 KUBECONFIG=$HOME/.kube/config
 VERSION="2.4.0"
+IMAGE_REGISTRY=quay.io/dacleyra
+CHANNELS=beta,stable
+DEFAULT_CHANNEL=stable
 
 # Check Subscriptions: subscription-name, namespace
 checksub () {
@@ -117,6 +120,8 @@ oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/pipelines
 oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/tasks
 cd $CWD
 
+oc apply -f https://raw.githubusercontent.com/tonytcampbell/operator-pipelines/preflight-fixes/ansible/roles/operator-pipeline/templates/openshift/tasks/preflight.yml
+
 
 # Generate the bundle and add it to the fork
 cd $TMP_DIR
@@ -137,12 +142,6 @@ rm -Rf  $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operat
 echo "organization: redhat-marketplace" > $TMP_DIR/certified-operators-preprod/config.yaml
 echo "cert_project_id: 5f68c9457115dbd1183ccab6" > $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/ci.yaml
 
-cd $TMP_DIR
-curl -L https://github.com/mikefarah/yq/releases/download/v4.13.5/yq_linux_amd64.tar.gz | tar -xz 
-./yq_linux_amd64 eval '
-  .annotations."com.redhat.openshift.versions" = "v4.6-v4.9"
-' -i $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/metadata/annotations.yaml
-
 cd $TMP_DIR/certified-operators-preprod
 git add --all
 git commit -m $VERSION

From abf329b38e0a14d1cc4ccd34c9a3689b7d46c220 Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Tue, 2 Nov 2021 12:45:15 -0700
Subject: [PATCH 06/12] revert tempalte set

---
 v2/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/v2/Makefile b/v2/Makefile
index 2fafee9e9..11291acb7 100644
--- a/v2/Makefile
+++ b/v2/Makefile
@@ -186,7 +186,6 @@ bundle: clean manifests kustomize helm operator-sdk yq
 	--set reporterImage=$(REPORTER_IMAGE) \
 	--set authCheckImage=$(AUTHCHECK_IMAGE) \
 	--set dqLiteImage=$(DQLITE_IMAGE) \
-	--set serviceAccount.create=false \
 	--post-renderer ./config/manifests/kustomize | $(OPERATOR_SDK) generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 	$(YQ) eval -i '.annotations."com.redhat.openshift.versions" = "$(OPENSHIFT_VERSIONS)"' $(ANNOTATIONS_YAML_BUNDLE_FILE)
 	$(YQ) eval -i '.spec.webhookdefinitions[].targetPort = 9443' $(CSV_YAML_BUNDLE_FILE)

From 8be6dc4cd68722ee3659a1a533438da5d968e095 Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Wed, 3 Nov 2021 06:55:34 -0700
Subject: [PATCH 07/12] cleanup

---
 v2/Makefile                |  7 +++++++
 v2/hack/certify/certify.sh | 16 +++++++---------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/v2/Makefile b/v2/Makefile
index 11291acb7..397ae306a 100644
--- a/v2/Makefile
+++ b/v2/Makefile
@@ -3,6 +3,8 @@ VERSION ?= $(shell cd ./tools/version && go run ./main.go)
 UNAME_S := $(shell uname -s)
 UNAME := $(shell echo `uname` | tr '[:upper:]' '[:lower:]')
 OPENSHIFT_VERSIONS ?= v4.6-v4.9
+CHANNELS ?= beta,stable
+DEFAULT_CHANNEL ?= stable
 
 export VERSION
 
@@ -328,3 +330,8 @@ PIDs ?=
 wait-and-publish:
 	cd tools/connect ; \
 	go run main.go wait-and-publish --timeout $(TIMEOUT) --tag $(TAG) $(PIDS)
+
+# Run certification test
+.PHONY: test-certify
+test-certify: bundle
+	cd hack/certify && ./certify.sh
diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
index b166b686a..a1b02b339 100755
--- a/v2/hack/certify/certify.sh
+++ b/v2/hack/certify/certify.sh
@@ -3,12 +3,8 @@ set -Eeox pipefail
 
 SLEEP_LONG="${SLEEP_LONG:-5}"
 SLEEP_SHORT="${SLEEP_SHORT:-2}"
-CERT_NAMESPACE="rhm-certification"
-KUBECONFIG=$HOME/.kube/config
-VERSION="2.4.0"
-IMAGE_REGISTRY=quay.io/dacleyra
-CHANNELS=beta,stable
-DEFAULT_CHANNEL=stable
+CERT_NAMESPACE="${CERT_NAMESPACE:-rhm-certification}"
+KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
 
 # Check Subscriptions: subscription-name, namespace
 checksub () {
@@ -123,20 +119,22 @@ cd $CWD
 oc apply -f https://raw.githubusercontent.com/tonytcampbell/operator-pipelines/preflight-fixes/ansible/roles/operator-pipeline/templates/openshift/tasks/preflight.yml
 
 
-# Generate the bundle and add it to the fork
+# Add bundle to the fork
 cd $TMP_DIR
 git clone git@github.com:redhat-marketplace/certified-operators-preprod.git
 
 cd $CWD
 cd ../../
 
-make bundle
 rm -rf $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
 mkdir -p $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
 cp -r bundle/manifests $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
 cp -r bundle/metadata $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
 
-# remove sa duplicated in csv?
+# The operator service account should be ommited in the bundle
+# It will fail certification
+# The service account will be created by OLM
+# kustomize questionable capability to remove the service account
 rm -Rf  $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/manifests/redhat-marketplace-operator_v1_serviceaccount.yaml
 
 echo "organization: redhat-marketplace" > $TMP_DIR/certified-operators-preprod/config.yaml

From d083547fff98079184054b793dcaf8e310634498 Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Thu, 4 Nov 2021 06:57:15 -0700
Subject: [PATCH 08/12] add submit option

---
 v2/Makefile                | 11 +++++-
 v2/hack/certify/certify.sh | 77 ++++++++++++++++++++++++++------------
 2 files changed, 63 insertions(+), 25 deletions(-)

diff --git a/v2/Makefile b/v2/Makefile
index 397ae306a..363d00e84 100644
--- a/v2/Makefile
+++ b/v2/Makefile
@@ -331,7 +331,16 @@ wait-and-publish:
 	cd tools/connect ; \
 	go run main.go wait-and-publish --timeout $(TIMEOUT) --tag $(TAG) $(PIDS)
 
+# Pin images in bundle
+.PHONY: bundle-pin-images
+bundle-pin-images:
+	docker run \
+	--pull always \
+	-v ${HOME}/.docker:/dockercfg \
+	-v $(shell pwd)/bundle/manifests:/manifests quay.io/operator-framework/operator-manifest-tools:latest \
+	pinning pin -a /dockercfg/config.json /manifests
+
 # Run certification test
 .PHONY: test-certify
-test-certify: bundle
+test-certify: bundle bundle-pin-images
 	cd hack/certify && ./certify.sh
diff --git a/v2/hack/certify/certify.sh b/v2/hack/certify/certify.sh
index a1b02b339..40e47fd1e 100755
--- a/v2/hack/certify/certify.sh
+++ b/v2/hack/certify/certify.sh
@@ -5,6 +5,7 @@ SLEEP_LONG="${SLEEP_LONG:-5}"
 SLEEP_SHORT="${SLEEP_SHORT:-2}"
 CERT_NAMESPACE="${CERT_NAMESPACE:-rhm-certification}"
 KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
+SUBMIT="${SUBMIT:-false}"
 
 # Check Subscriptions: subscription-name, namespace
 checksub () {
@@ -92,6 +93,7 @@ oc create secret generic kubeconfig --from-file=kubeconfig=$KUBECONFIG
 
 # Import redhat catalogs
 oc import-image certified-operator-index \
+  --request-timeout=5m \
   --from=registry.redhat.io/redhat/certified-operator-index \
   --reference-policy local \
   --scheduled \
@@ -99,6 +101,7 @@ oc import-image certified-operator-index \
   --all
 
 oc import-image redhat-marketplace-index \
+  --request-timeout=5m \
   --from=registry.redhat.io/redhat/redhat-marketplace-index \
   --reference-policy local \
   --scheduled \
@@ -107,6 +110,7 @@ oc import-image redhat-marketplace-index \
 
 CWD=$(pwd)
 TMP_DIR=$(mktemp -d 2>/dev/null || mktemp -d -t 'cptmpdir')
+OP_DIR=$CWD/../..
 
 # Install the Certification Pipeline
 cd $TMP_DIR
@@ -114,36 +118,47 @@ git clone https://github.com/redhat-openshift-ecosystem/operator-pipelines
 cd operator-pipelines
 oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/pipelines
 oc apply -R -f ansible/roles/operator-pipeline/templates/openshift/tasks
-cd $CWD
 
-oc apply -f https://raw.githubusercontent.com/tonytcampbell/operator-pipelines/preflight-fixes/ansible/roles/operator-pipeline/templates/openshift/tasks/preflight.yml
+# Temporary fix - appears to be resolved
+# oc apply -f https://raw.githubusercontent.com/tonytcampbell/operator-pipelines/preflight-fixes/ansible/roles/operator-pipeline/templates/openshift/tasks/preflight.yml
 
 
-# Add bundle to the fork
+# Add bundle to the fork on version branch
 cd $TMP_DIR
-git clone git@github.com:redhat-marketplace/certified-operators-preprod.git
+git clone git@github.com:redhat-marketplace/certified-operators.git
+cd certified-operators
 
-cd $CWD
-cd ../../
+# Keep main up to date before a new branch
+git pull https://github.com/redhat-marketplace/certified-operators.git main
+git push origin main
 
-rm -rf $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
-mkdir -p $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION
-cp -r bundle/manifests $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
-cp -r bundle/metadata $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/
+git checkout -B $VERSION
+
+# Cleanup previous manifests, metadata, and create version dir
+rm -rf operators/redhat-marketplace-operator/$VERSION/manifests
+rm -rf operators/redhat-marketplace-operator/$VERSION/metadata
+mkdir -p operators/redhat-marketplace-operator/$VERSION
+
+# Copy the manifests to the branch
+cp -r $OP_DIR/bundle/manifests operators/redhat-marketplace-operator/$VERSION/
+cp -r $OP_DIR/bundle/metadata operators/redhat-marketplace-operator/$VERSION/
 
 # The operator service account should be ommited in the bundle
 # It will fail certification
 # The service account will be created by OLM
 # kustomize questionable capability to remove the service account
-rm -Rf  $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/$VERSION/manifests/redhat-marketplace-operator_v1_serviceaccount.yaml
+rm -Rf operators/redhat-marketplace-operator/$VERSION/manifests/redhat-marketplace-operator_v1_serviceaccount.yaml
+
+# Set our organization
+echo "organization: redhat-marketplace" > config.yaml
 
-echo "organization: redhat-marketplace" > $TMP_DIR/certified-operators-preprod/config.yaml
-echo "cert_project_id: 5f68c9457115dbd1183ccab6" > $TMP_DIR/certified-operators-preprod/operators/redhat-marketplace-operator/ci.yaml
+# This should automatically be present 
+# echo "cert_project_id: 5f68c9457115dbd1183ccab6" > operators/redhat-marketplace-operator/ci.yaml
 
-cd $TMP_DIR/certified-operators-preprod
+# Commit and push the changes to the branch
 git add --all
 git commit -m $VERSION
-git push
+git push -f origin $VERSION
 
 
 # Run the Pipeline
@@ -151,14 +166,28 @@ git push
 cd $TMP_DIR/operator-pipelines
 curl https://mirror.openshift.com/pub/openshift-v4/clients/pipeline/0.19.1/tkn-linux-amd64-0.19.1.tar.gz | tar -xz 
 
-GIT_REPO_URL=https://github.com/redhat-marketplace/certified-operators-preprod.git
+GIT_REPO_URL=https://github.com/redhat-marketplace/certified-operators.git
 BUNDLE_PATH=operators/redhat-marketplace-operator/$VERSION
 
-./tkn pipeline start operator-ci-pipeline \
-  --param git_repo_url=$GIT_REPO_URL \
-  --param git_branch=stage \
-  --param bundle_path=$BUNDLE_PATH \
-  --param env=stage \
-  --workspace name=pipeline,volumeClaimTemplateFile=templates/workspace-template.yml \
-  --workspace name=kubeconfig,secret=kubeconfig \
-  --showlog
\ No newline at end of file
+if [ "$SUBMIT" == "true" ]; then
+    ./tkn pipeline start operator-ci-pipeline \
+    --param git_repo_url=$GIT_REPO_URL \
+    --param git_branch=$VERSION \
+    --param bundle_path=$BUNDLE_PATH \
+    --param upstream_repo_name=redhat-openshift-ecosystem/certified-operators \
+    --param submit=true \
+    --param env=prod \
+    --workspace name=pipeline,volumeClaimTemplateFile=templates/workspace-template.yml \
+    --workspace name=kubeconfig,secret=kubeconfig \
+    --workspace name=pyxis-api-key,secret=pyxis-api-secret \
+    --showlog
+else
+    ./tkn pipeline start operator-ci-pipeline \
+    --param git_repo_url=$GIT_REPO_URL \
+    --param git_branch=$VERSION \
+    --param bundle_path=$BUNDLE_PATH \
+    --param env=prod \
+    --workspace name=pipeline,volumeClaimTemplateFile=templates/workspace-template.yml \
+    --workspace name=kubeconfig,secret=kubeconfig \
+    --showlog
+fi
\ No newline at end of file

From 80d539148b2aabefc7c1db530630d8b142c8dcd6 Mon Sep 17 00:00:00 2001
From: Zach Taylor <ztaylor@ibm.com>
Date: Thu, 4 Nov 2021 11:34:19 -0400
Subject: [PATCH 09/12] bugfix: several fixes in this release

---
 v2/version/version.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/v2/version/version.go b/v2/version/version.go
index 477084a63..ea75f75a9 100644
--- a/v2/version/version.go
+++ b/v2/version/version.go
@@ -14,5 +14,5 @@
 
 package version
 
-const Version = "2.4.0"
-const LastVersion = "2.3.4"
+const Version = "2.4.1"
+const LastVersion = "2.4.0"

From 5d63d1e0d3781f83a8aabf66279af50271c018e8 Mon Sep 17 00:00:00 2001
From: Zach Taylor <ztaylor@ibm.com>
Date: Fri, 5 Nov 2021 14:44:29 -0400
Subject: [PATCH 10/12] bugfix: fix rrs3 reconcilation

---
 v2/Makefile                                   |  2 +-
 .../v1alpha1/remoteresources3_types.go        |  1 +
 .../prometheus-operator/deployment-v4.5.yaml  | 30 ++++++++---------
 .../prometheus-operator/deployment-v4.6.yaml  |  2 +-
 .../razee/rrs3-controller-deployment.yaml     |  6 +++-
 ...etplace.redhat.com_marketplaceconfigs.yaml |  2 +-
 .../marketplace.redhat.com_meterbases.yaml    |  2 +-
 ...rketplace.redhat.com_meterdefinitions.yaml |  2 +-
 .../marketplace.redhat.com_meterreports.yaml  |  2 +-
 ...rketplace.redhat.com_razeedeployments.yaml |  2 +-
 ...ketplace.redhat.com_remoteresources3s.yaml |  3 +-
 ...otes3_disable_preserve_unknown_fields.yaml |  6 ----
 v2/config/rbac/classic/role.yaml              | 25 +--------------
 .../marketplace/razeedeployment_controller.go | 32 ++++++++++++++++---
 v2/pkg/manifests/factory.go                   | 24 ++++++--------
 v2/pkg/utils/envvar/envvar_test.go            | 13 ++++++--
 16 files changed, 80 insertions(+), 74 deletions(-)
 delete mode 100644 v2/config/crd/patches/remotes3_disable_preserve_unknown_fields.yaml

diff --git a/v2/Makefile b/v2/Makefile
index a7c01682d..7e5d7c719 100644
--- a/v2/Makefile
+++ b/v2/Makefile
@@ -56,7 +56,7 @@ IMG ?= $(OPERATOR_IMAGE)
 IMAGE ?= $(OPERATOR_IMAGE)
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 # CRD_OPTIONS ?= "crd:trivialVersions=true"
-CRD_OPTIONS ?= "crd:crdVersions={v1},trivialVersions=false,preserveUnknownFields=false"
+CRD_OPTIONS ?= "crd:crdVersions={v1}"
 
 GOPATH=$(shell go env GOPATH)
 
diff --git a/v2/apis/marketplace/v1alpha1/remoteresources3_types.go b/v2/apis/marketplace/v1alpha1/remoteresources3_types.go
index 286e1fc36..aa105e627 100644
--- a/v2/apis/marketplace/v1alpha1/remoteresources3_types.go
+++ b/v2/apis/marketplace/v1alpha1/remoteresources3_types.go
@@ -145,6 +145,7 @@ type Header map[string]string
 
 // RemoteResourceS3Spec defines the desired state of RemoteResourceS3
 // +k8s:openapi-gen=true
+// +kubebuilder:pruning:PreserveUnknownFields
 type RemoteResourceS3Spec struct {
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 	// Auth provides options to authenticate to a remote location
diff --git a/v2/assets/prometheus-operator/deployment-v4.5.yaml b/v2/assets/prometheus-operator/deployment-v4.5.yaml
index 56a676229..48e8247dc 100644
--- a/v2/assets/prometheus-operator/deployment-v4.5.yaml
+++ b/v2/assets/prometheus-operator/deployment-v4.5.yaml
@@ -26,13 +26,13 @@ spec:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
-            - matchExpressions:
-                - key: kubernetes.io/arch
-                  operator: In
-                  values:
-                    - amd64
-                    - ppc64le
-                    - s390x    
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - amd64
+                      - ppc64le
+                      - s390x
       containers:
         - image: redhat-marketplace-authcheck:latest
           imagePullPolicy: IfNotPresent
@@ -43,13 +43,13 @@ spec:
               memory: 20Mi
             limits:
               cpu: 10m
-              memory: 25Mi              
+              memory: 25Mi
           terminationMessagePolicy: FallbackToLogsOnError
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
-              - ALL
+                - ALL
             privileged: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
@@ -76,15 +76,15 @@ spec:
               memory: 60Mi
             limits:
               cpu: 10m
-              memory: 60Mi              
+              memory: 200Mi
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
-              - ALL
+                - ALL
             privileged: false
             readOnlyRootFilesystem: true
-            runAsNonRoot: true 
+            runAsNonRoot: true
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - mountPath: /etc/tls/private
@@ -109,15 +109,15 @@ spec:
               memory: 40Mi
             limits:
               cpu: 1m
-              memory: 40Mi           
+              memory: 40Mi
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
-              - ALL
+                - ALL
             privileged: false
             readOnlyRootFilesystem: true
-            runAsNonRoot: true 
+            runAsNonRoot: true
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - mountPath: /etc/tls/private
diff --git a/v2/assets/prometheus-operator/deployment-v4.6.yaml b/v2/assets/prometheus-operator/deployment-v4.6.yaml
index 3bf9780f1..178de4709 100644
--- a/v2/assets/prometheus-operator/deployment-v4.6.yaml
+++ b/v2/assets/prometheus-operator/deployment-v4.6.yaml
@@ -71,7 +71,7 @@ spec:
               memory: 60Mi
             limits:
               cpu: 10m
-              memory: 60Mi
+              memory: 200Mi
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
diff --git a/v2/assets/razee/rrs3-controller-deployment.yaml b/v2/assets/razee/rrs3-controller-deployment.yaml
index edea47689..95170439b 100755
--- a/v2/assets/razee/rrs3-controller-deployment.yaml
+++ b/v2/assets/razee/rrs3-controller-deployment.yaml
@@ -91,14 +91,18 @@ spec:
               memory: 75Mi
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
-            - mountPath: /usr/src/app/download-cache
+            - mountPath: /home/node/download-cache
               name: cache-volume
+            - mountPath: /usr/src/app/download-cache
+              name: cache-volume-2
             - mountPath: /usr/src/app/config
               name: razeedeploy-config
       serviceAccountName: redhat-marketplace-remoteresources3deployment
       volumes:
         - emptyDir: {}
           name: cache-volume
+        - emptyDir: {}
+          name: cache-volume-2
         - configMap:
             defaultMode: 440
             name: razeedeploy-config
diff --git a/v2/config/crd/bases/marketplace.redhat.com_marketplaceconfigs.yaml b/v2/config/crd/bases/marketplace.redhat.com_marketplaceconfigs.yaml
index 91c4aaeb1..3b5ea63c6 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_marketplaceconfigs.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_marketplaceconfigs.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: marketplaceconfigs.marketplace.redhat.com
 spec:
diff --git a/v2/config/crd/bases/marketplace.redhat.com_meterbases.yaml b/v2/config/crd/bases/marketplace.redhat.com_meterbases.yaml
index 6ec5a0b09..c6d2fe5e8 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_meterbases.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_meterbases.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: meterbases.marketplace.redhat.com
 spec:
diff --git a/v2/config/crd/bases/marketplace.redhat.com_meterdefinitions.yaml b/v2/config/crd/bases/marketplace.redhat.com_meterdefinitions.yaml
index 30caa2738..b9c640bd3 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_meterdefinitions.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_meterdefinitions.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: meterdefinitions.marketplace.redhat.com
 spec:
diff --git a/v2/config/crd/bases/marketplace.redhat.com_meterreports.yaml b/v2/config/crd/bases/marketplace.redhat.com_meterreports.yaml
index f064e8994..8a92dbcd4 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_meterreports.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_meterreports.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: meterreports.marketplace.redhat.com
 spec:
diff --git a/v2/config/crd/bases/marketplace.redhat.com_razeedeployments.yaml b/v2/config/crd/bases/marketplace.redhat.com_razeedeployments.yaml
index 284dd15ae..aac75b398 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_razeedeployments.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_razeedeployments.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: razeedeployments.marketplace.redhat.com
 spec:
diff --git a/v2/config/crd/bases/marketplace.redhat.com_remoteresources3s.yaml b/v2/config/crd/bases/marketplace.redhat.com_remoteresources3s.yaml
index 85366d44e..d1c085a23 100644
--- a/v2/config/crd/bases/marketplace.redhat.com_remoteresources3s.yaml
+++ b/v2/config/crd/bases/marketplace.redhat.com_remoteresources3s.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: remoteresources3s.marketplace.redhat.com
 spec:
@@ -209,6 +209,7 @@ spec:
                   type: object
                 type: array
             type: object
+            x-kubernetes-preserve-unknown-fields: true
           status:
             description: RemoteResourceS3Status defines the observed state of RemoteResourceS3
             properties:
diff --git a/v2/config/crd/patches/remotes3_disable_preserve_unknown_fields.yaml b/v2/config/crd/patches/remotes3_disable_preserve_unknown_fields.yaml
deleted file mode 100644
index 2b8c82542..000000000
--- a/v2/config/crd/patches/remotes3_disable_preserve_unknown_fields.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: remoteresources3s.marketplace.redhat.com
-spec:
-  preserveUnknownFields: true
diff --git a/v2/config/rbac/classic/role.yaml b/v2/config/rbac/classic/role.yaml
index 854efaf9f..41ad35703 100644
--- a/v2/config/rbac/classic/role.yaml
+++ b/v2/config/rbac/classic/role.yaml
@@ -12,30 +12,6 @@ rules:
       - '*'
     verbs:
       - '*'
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - update
-    resourceNames:
-      - meterdefinitions.marketplace.redhat.com
-  - apiGroups:
-      - 'route.openshift.io'
-    resources:
-      - routes
-    verbs:
-      - get
-      - list
-      - watch
 ---
 # Source: redhat-marketplace-operator-template-chart/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -231,6 +207,7 @@ rules:
     resources:
       - secrets
     verbs:
+      - get
       - list
       - watch
 ---
diff --git a/v2/controllers/marketplace/razeedeployment_controller.go b/v2/controllers/marketplace/razeedeployment_controller.go
index 6bc4c9baa..9acbd4530 100644
--- a/v2/controllers/marketplace/razeedeployment_controller.go
+++ b/v2/controllers/marketplace/razeedeployment_controller.go
@@ -15,6 +15,7 @@
 package marketplace
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"reflect"
@@ -911,7 +912,7 @@ func (r *RazeeDeploymentReconciler) Reconcile(request reconcile.Request) (reconc
 			return reconcile.Result{}, err
 		}
 
-		if !reflect.DeepEqual(watchKeeperSecret.Data, updatedWatchKeeperSecret.Data) {
+		if !isMapStringByteEqual(watchKeeperSecret.Data, updatedWatchKeeperSecret.Data) {
 			err = r.Client.Update(context.TODO(), &watchKeeperSecret)
 			if err != nil {
 				reqLogger.Error(err, "Failed to create resource", "resource: ", utils.WATCH_KEEPER_SECRET_NAME)
@@ -981,13 +982,13 @@ func (r *RazeeDeploymentReconciler) Reconcile(request reconcile.Request) (reconc
 			return reconcile.Result{}, err
 		}
 
-		if !reflect.DeepEqual(ibmCosReaderKey.Data, updatedibmCosReaderKey.Data) {
+		if !isMapStringByteEqual(ibmCosReaderKey.Data, updatedibmCosReaderKey.Data) {
 			err = r.Client.Update(context.TODO(), &ibmCosReaderKey)
 			if err != nil {
-				reqLogger.Error(err, "Failed to create resource", "resource: ", utils.WATCH_KEEPER_SECRET_NAME)
+				reqLogger.Error(err, "Failed to create resource", "resource: ", utils.COS_READER_KEY_NAME)
 				return reconcile.Result{}, err
 			}
-			reqLogger.Info("Resource updated successfully", "resource: ", utils.WATCH_KEEPER_SECRET_NAME)
+			reqLogger.Info("Resource updated successfully", "resource: ", utils.COS_READER_KEY_NAME)
 			return reconcile.Result{Requeue: true}, nil
 		}
 
@@ -1948,3 +1949,26 @@ func (r *RazeeDeploymentReconciler) createOrUpdateWatchKeeperDeployment(
 
 	return reconcile.Result{}, nil
 }
+
+func isMapStringByteEqual(d1, d2 map[string][]byte) bool {
+	equal := true
+	for key2, value2 := range d1 {
+		found := false
+		for key, value := range d2 {
+			if key == key2 {
+				found = true
+				if bytes.Compare(value, value2) != 0 {
+					equal = false
+					break
+				}
+			}
+		}
+
+		if !found {
+			equal = false
+			break
+		}
+	}
+
+	return equal
+}
diff --git a/v2/pkg/manifests/factory.go b/v2/pkg/manifests/factory.go
index a9e931b4c..8f701d555 100644
--- a/v2/pkg/manifests/factory.go
+++ b/v2/pkg/manifests/factory.go
@@ -151,8 +151,8 @@ func (f *Factory) ReplaceImages(container *corev1.Container) error {
 					Port: intstr.FromInt(8089),
 				},
 			},
-			InitialDelaySeconds: 15,
-			PeriodSeconds:       20,
+			InitialDelaySeconds: 20,
+			PeriodSeconds:       30,
 		}
 		container.ReadinessProbe = &corev1.Probe{
 			Handler: corev1.Handler{
@@ -161,8 +161,8 @@ func (f *Factory) ReplaceImages(container *corev1.Container) error {
 					Port: intstr.FromInt(8089),
 				},
 			},
-			InitialDelaySeconds: 5,
-			PeriodSeconds:       10,
+			InitialDelaySeconds: 20,
+			PeriodSeconds:       30,
 		}
 
 		envChanges.Append(addPodName)
@@ -179,13 +179,17 @@ func (f *Factory) ReplaceImages(container *corev1.Container) error {
 
 		// watch-keeper and rrs3 doesn't use HTTPS_PROXY correctly
 		// will fail; HTTP_PROXY will be used instead
-		envChanges.Append(removeHTTPSProxy)
+		envChanges.Remove(corev1.EnvVar{
+			Name: "HTTPS_PROXY",
+		})
 	case container.Name == "watch-keeper":
 		container.Image = f.config.RelatedImages.WatchKeeper
 
 		// watch-keeper and rrs3 doesn't use HTTPS_PROXY correctly
 		// will fail; HTTP_PROXY will be used instead
-		envChanges.Append(removeHTTPSProxy)
+		envChanges.Remove(corev1.EnvVar{
+			Name: "HTTPS_PROXY",
+		})
 	}
 
 	envChanges.Merge(container)
@@ -193,14 +197,6 @@ func (f *Factory) ReplaceImages(container *corev1.Container) error {
 }
 
 var (
-	removeHTTPSProxy = envvar.Changes{
-		envvar.Add(
-			corev1.EnvVar{
-				Name:  "HTTPS_PROXY",
-				Value: "",
-			},
-		),
-	}
 	addPodName = envvar.Changes{
 		envvar.Add(corev1.EnvVar{
 			Name: "POD_NAME",
diff --git a/v2/pkg/utils/envvar/envvar_test.go b/v2/pkg/utils/envvar/envvar_test.go
index d4bfb6490..17af47459 100644
--- a/v2/pkg/utils/envvar/envvar_test.go
+++ b/v2/pkg/utils/envvar/envvar_test.go
@@ -24,8 +24,10 @@ import (
 
 var _ = Describe("envvar", func() {
 	var (
-		var1 = v1.EnvVar{Name: "foo"}
-		var2 = v1.EnvVar{Name: "foo2"}
+		var1  = v1.EnvVar{Name: "foo"}
+		var2  = v1.EnvVar{Name: "foo2"}
+		var2a = v1.EnvVar{Name: "foo2", Value: "a"}
+		var2b = v1.EnvVar{Name: "foo2", Value: "b"}
 
 		container corev1.Container
 		changes   envvar.Changes
@@ -50,6 +52,13 @@ var _ = Describe("envvar", func() {
 		Expect(container.Env).To(BeEmpty())
 	})
 
+	It("should override if same name", func() {
+		changes.Add(var2a)
+		changes.Add(var2b)
+		changes.Merge(&container)
+		Expect(container.Env).To(ConsistOf(var1, var2b))
+	})
+
 	It("should add/remove env vars", func() {
 		changes.Remove(var1)
 		changes2 := envvar.Changes{}

From 7dfcd9ce8e05b40d709bfc258b87780b074752a3 Mon Sep 17 00:00:00 2001
From: Zach Taylor <ztaylor@ibm.com>
Date: Fri, 5 Nov 2021 15:25:18 -0400
Subject: [PATCH 11/12] bugfix: equality check func testing

---
 .../marketplace/razeedeployment_controller.go | 29 ++++++-----
 .../razeedeployment_controller_test.go        | 50 +++++++++++++++++++
 2 files changed, 64 insertions(+), 15 deletions(-)

diff --git a/v2/controllers/marketplace/razeedeployment_controller.go b/v2/controllers/marketplace/razeedeployment_controller.go
index 9acbd4530..fa3ec5fa3 100644
--- a/v2/controllers/marketplace/razeedeployment_controller.go
+++ b/v2/controllers/marketplace/razeedeployment_controller.go
@@ -1951,24 +1951,23 @@ func (r *RazeeDeploymentReconciler) createOrUpdateWatchKeeperDeployment(
 }
 
 func isMapStringByteEqual(d1, d2 map[string][]byte) bool {
-	equal := true
-	for key2, value2 := range d1 {
-		found := false
-		for key, value := range d2 {
-			if key == key2 {
-				found = true
-				if bytes.Compare(value, value2) != 0 {
-					equal = false
-					break
-				}
-			}
+	for key, value := range d1 {
+		value2, ok := d2[key]
+		if !ok {
+			return false
+		}
+
+		if bytes.Compare(value, value2) != 0 {
+			return false
 		}
+	}
 
-		if !found {
-			equal = false
-			break
+	for key := range d2 {
+		_, ok := d1[key]
+		if !ok {
+			return false
 		}
 	}
 
-	return equal
+	return true
 }
diff --git a/v2/controllers/marketplace/razeedeployment_controller_test.go b/v2/controllers/marketplace/razeedeployment_controller_test.go
index 8cb373bbf..fd91faa82 100644
--- a/v2/controllers/marketplace/razeedeployment_controller_test.go
+++ b/v2/controllers/marketplace/razeedeployment_controller_test.go
@@ -433,3 +433,53 @@ var _ = Describe("Testing with Ginkgo", func() {
 		)
 	})
 })
+
+var _ = Describe("isMapStringByteEqual", func() {
+	It("should check equality", func() {
+		d1 := map[string][]byte{
+			"foo": []byte("bar"),
+		}
+		d2 := map[string][]byte{
+			"foo": []byte("bar"),
+		}
+
+		Expect(isMapStringByteEqual(d1, d2)).To(BeTrue())
+		Expect(isMapStringByteEqual(d2, d1)).To(BeTrue())
+
+		d2 = map[string][]byte{
+			"foo": []byte("bar"),
+			"bar": []byte("bar"),
+		}
+
+		Expect(isMapStringByteEqual(d1, d2)).To(BeFalse())
+		Expect(isMapStringByteEqual(d2, d1)).To(BeFalse())
+
+		d2 = map[string][]byte{
+			"bar": []byte("bar"),
+		}
+
+		Expect(isMapStringByteEqual(d1, d2)).To(BeFalse())
+		Expect(isMapStringByteEqual(d2, d1)).To(BeFalse())
+
+		d1 = map[string][]byte{
+			"foo": []byte("bar"),
+		}
+		d2 = map[string][]byte{
+			"foo": []byte("bar2"),
+		}
+
+		Expect(isMapStringByteEqual(d1, d2)).To(BeFalse())
+		Expect(isMapStringByteEqual(d2, d1)).To(BeFalse())
+
+		d1 = map[string][]byte{
+			"foo":  []byte("bar"),
+			"foo2": []byte("bar2"),
+		}
+		d2 = map[string][]byte{
+			"foo": []byte("bar"),
+		}
+
+		Expect(isMapStringByteEqual(d1, d2)).To(BeFalse())
+		Expect(isMapStringByteEqual(d2, d1)).To(BeFalse())
+	})
+})

From fda0a9c53a9641fe8d744872ad3c1b1d4f506d25 Mon Sep 17 00:00:00 2001
From: Daniel Cleyrat <dacleyra@us.ibm.com>
Date: Tue, 9 Nov 2021 11:38:31 -0800
Subject: [PATCH 12/12] mergo for rrs3 CreateOrUpdate

---
 .../marketplace/razeedeployment_controller.go        | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/v2/controllers/marketplace/razeedeployment_controller.go b/v2/controllers/marketplace/razeedeployment_controller.go
index fa3ec5fa3..862fdc7e8 100644
--- a/v2/controllers/marketplace/razeedeployment_controller.go
+++ b/v2/controllers/marketplace/razeedeployment_controller.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/gotidy/ptr"
+	"github.com/imdario/mergo"
 	marketplacev1alpha1 "github.com/redhat-marketplace/redhat-marketplace-operator/v2/apis/marketplace/v1alpha1"
 	"github.com/redhat-marketplace/redhat-marketplace-operator/v2/pkg/config"
 	"github.com/redhat-marketplace/redhat-marketplace-operator/v2/pkg/manifests"
@@ -1878,15 +1879,15 @@ func (r *RazeeDeploymentReconciler) createOrUpdateRemoteResourceS3Deployment(
 	instance *marketplacev1alpha1.RazeeDeployment,
 ) (reconcile.Result, error) {
 	rrs3Deployment, err := r.factory.NewRemoteResourceS3Deployment()
-
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		_, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, rrs3Deployment, func() error {
-			r.factory.SetControllerReference(instance, rrs3Deployment)
-			return r.factory.UpdateRemoteResourceS3Deployment(rrs3Deployment)
+			rrs3Dep, _ := r.factory.NewRemoteResourceS3Deployment()
+			r.factory.SetControllerReference(instance, rrs3Dep)
+			return mergo.Merge(rrs3Deployment, rrs3Dep, mergo.WithOverride)
 		})
 		return err
 	})
@@ -1923,8 +1924,9 @@ func (r *RazeeDeploymentReconciler) createOrUpdateWatchKeeperDeployment(
 
 	err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		_, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, watchKeeperDeployment, func() error {
-			r.factory.SetControllerReference(instance, watchKeeperDeployment)
-			return r.factory.UpdateWatchKeeperDeployment(watchKeeperDeployment)
+			watchKeeperDep, _ := r.factory.NewWatchKeeperDeployment()
+			r.factory.SetControllerReference(instance, watchKeeperDep)
+			return mergo.Merge(watchKeeperDeployment, watchKeeperDep, mergo.WithOverride)
 		})
 		return err
 	})