This will fail verify. Testing upstream fix to root out any other issues until I can downsync the bug fix commit

Per Goncalves da Silva · Per Goncalves da Silva · commit cae8c93b0fbc · 2025-05-19T20:58:53.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml
@@ -126,6 +126,9 @@ spec:
         - protocol: TCP
           port: 5443
   egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
     - ports:
         - port: dns-tcp
           protocol: TCP
diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml
@@ -126,6 +126,9 @@ spec:
         - protocol: TCP
           port: 5443
   egress:
+    - ports:
+        - port: 6443
+          protocol: TCP
     - ports:
         - port: dns-tcp
           protocol: TCP
diff --git a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
@@ -62,6 +62,7 @@ spec:
       - protocol: TCP
         port: {{ .Values.package.service.internalPort }}
   egress:
+    - {{ .Values.networkPolicy.kubeAPIServer | toYaml | nindent 6 | trimSuffix "\n" }}
     - {{ .Values.networkPolicy.dns | toYaml | nindent 6 | trimSuffix "\n" }}
     - ports:
       - protocol: TCP
diff --git a/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/staging/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go
@@ -2,6 +2,7 @@ package reconciler
 
 import (
 	"fmt"
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
@@ -16,7 +17,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
-func DesiredGRPCServerNetworkPolicy(catalogSource client.Object, matchLabels map[string]string) *networkingv1.NetworkPolicy {
+func DesiredGRPCServerNetworkPolicy(catalogSource *v1alpha1.CatalogSource, matchLabels map[string]string) *networkingv1.NetworkPolicy {
 	np := &networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("%s-grpc-server", catalogSource.GetName()),
@@ -43,6 +44,19 @@ func DesiredGRPCServerNetworkPolicy(catalogSource client.Object, matchLabels map
 			},
 		},
 	}
+	// Allow egress to kube-apiserver from configmap backed catalog sources
+	if catalogSource.Spec.SourceType == v1alpha1.SourceTypeConfigmap || catalogSource.Spec.SourceType == v1alpha1.SourceTypeInternal {
+		np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
+			{
+				Ports: []networkingv1.NetworkPolicyPort{
+					{
+						Protocol: ptr.To(corev1.ProtocolTCP),
+						Port:     ptr.To(intstr.FromInt32(6443)),
+					},
+				},
+			},
+		}
+	}
 	ownerutil.AddOwner(np, catalogSource, false, false)
 	return np
 }
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/reconciler/helpers.go
