diff --git a/Gopkg.lock b/Gopkg.lock
index 5ffc5577633..51a557ea61b 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -573,7 +573,7 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:bbc32b242c1c5f01b2a67ddba4993e99c10fee3c940781c7a6f170a7fc032f9b"
+  digest = "1:d0d2bb40f5ac1e8af846d78fa885835f067ff485d07d912e98cf8ca30a88285a"
   name = "github.com/openshift/api"
   packages = [
     "config/v1",
@@ -581,7 +581,7 @@
     "route/v1",
   ]
   pruneopts = "NUT"
-  revision = "acaf712b5c5cbe88bdffd569a3481cf9ebbfab7c"
+  revision = "d2972510af76418506bf0374bc2e73b0b9e538ce"
 
 [[projects]]
   branch = "master"
@@ -596,7 +596,7 @@
     "route/clientset/versioned/typed/route/v1",
   ]
   pruneopts = "NUT"
-  revision = "c44a8b61b9f46cd9e802384dfeda0bc9942db68a"
+  revision = "e9678e3b850da36470c5554609c6cd110aace47e"
 
 [[projects]]
   branch = "master"
diff --git a/pkg/asset/manifests/additionaltrustbundleconfig.go b/pkg/asset/manifests/additionaltrustbundleconfig.go
index 3d208fb3006..705ebfe8b32 100644
--- a/pkg/asset/manifests/additionaltrustbundleconfig.go
+++ b/pkg/asset/manifests/additionaltrustbundleconfig.go
@@ -67,7 +67,7 @@ func (atbc *AdditionalTrustBundleConfig) Generate(dependencies asset.Parents) er
 			Kind:       "ConfigMap",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "openshift-config-managed",
+			Namespace: "openshift-config",
 			Name:      additionalTrustBundleConfigMapName,
 		},
 		Data: data,
diff --git a/vendor/github.com/openshift/api/config/v1/doc.go b/vendor/github.com/openshift/api/config/v1/doc.go
index fa6f8d92423..4ff5208f2c2 100644
--- a/vendor/github.com/openshift/api/config/v1/doc.go
+++ b/vendor/github.com/openshift/api/config/v1/doc.go
@@ -2,6 +2,7 @@
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:openapi-gen=true
 
+// +kubebuilder:validation:Optional
 // +groupName=config.openshift.io
 // Package v1 is the v1 version of the API.
 package v1
diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go
index 66c342569aa..35eace3701c 100644
--- a/vendor/github.com/openshift/api/config/v1/register.go
+++ b/vendor/github.com/openshift/api/config/v1/register.go
@@ -56,6 +56,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&NetworkList{},
 		&OAuth{},
 		&OAuthList{},
+		&OperatorHub{},
+		&OperatorHubList{},
 		&Project{},
 		&ProjectList{},
 		&Proxy{},
diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go
index 7cca0947100..ca36f677750 100644
--- a/vendor/github.com/openshift/api/config/v1/types.go
+++ b/vendor/github.com/openshift/api/config/v1/types.go
@@ -17,6 +17,8 @@ type ConfigMapFileReference struct {
 // The namespace must be specified at the point of use.
 type ConfigMapNameReference struct {
 	// name is the metadata.name of the referenced config map
+	// +kubebuilder:validation:Required
+	// +required
 	Name string `json:"name"`
 }
 
@@ -24,6 +26,8 @@ type ConfigMapNameReference struct {
 // The namespace must be specified at the point of use.
 type SecretNameReference struct {
 	// name is the metadata.name of the referenced secret
+	// +kubebuilder:validation:Required
+	// +required
 	Name string `json:"name"`
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 6d32b9d827b..0722ddbfc76 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -26,6 +26,7 @@ type AuthenticationSpec struct {
 	// type identifies the cluster managed, user facing authentication mode in use.
 	// Specifically, it manages the component that responds to login attempts.
 	// The default is IntegratedOAuth.
+	// +optional
 	Type AuthenticationType `json:"type"`
 
 	// oauthMetadata contains the discovery endpoint data for OAuth 2.0
diff --git a/vendor/github.com/openshift/api/config/v1/types_dns.go b/vendor/github.com/openshift/api/config/v1/types_dns.go
index 8f7d67be51a..ef04f7a67f7 100644
--- a/vendor/github.com/openshift/api/config/v1/types_dns.go
+++ b/vendor/github.com/openshift/api/config/v1/types_dns.go
@@ -6,8 +6,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// DNS holds cluster-wide information about DNS.  The canonical name is `cluster`
-// TODO this object is an example of a possible grouping and is subject to change or removal
+// DNS holds cluster-wide information about DNS. The canonical name is `cluster`
 type DNS struct {
 	metav1.TypeMeta `json:",inline"`
 	// Standard object's metadata.
@@ -28,6 +27,8 @@ type DNSSpec struct {
 	//
 	// For example, given the base domain `openshift.example.com`, an API server
 	// DNS record may be created for `cluster-api.openshift.example.com`.
+	//
+	// Once set, this field cannot be changed.
 	BaseDomain string `json:"baseDomain"`
 	// publicZone is the location where all the DNS records that are publicly accessible to
 	// the internet exist.
diff --git a/vendor/github.com/openshift/api/config/v1/types_operatorhub.go b/vendor/github.com/openshift/api/config/v1/types_operatorhub.go
new file mode 100644
index 00000000000..b0841a3d54c
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_operatorhub.go
@@ -0,0 +1,67 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OperatorHubSpec defines the desired state of OperatorHub
+type OperatorHubSpec struct {
+	// hubSources is the list of default OperatorSources and their configuration
+	HubSources []HubSource `json:"hubSources,omitempty"`
+}
+
+// OperatorHubStatus defines the observed state of OperatorHub
+type OperatorHubStatus struct {
+	// hubSourcesStatus encapsulates the result applying the configuration
+	HubSourcesStatus []HubSourceStatus `json:"hubSourcesStatus,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHub is the Schema for the operatorhubs API
+// +kubebuilder:subresource:status
+// +genclient:nonNamespaced
+type OperatorHub struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec   OperatorHubSpec   `json:"spec"`
+	Status OperatorHubStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OperatorHubList contains a list of OperatorHub
+type OperatorHubList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []OperatorHub `json:"items"`
+}
+
+// HubSource is used to specify the OperatorSource and its configuration
+type HubSource struct {
+	// name is the name of one of the default OperatorSources
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:Required
+	Name string `json:"name"`
+	// disabled is used to disable a default OperatorSource on cluster
+	// +kubebuilder:Required
+	Disabled bool `json:"disabled"`
+}
+
+// HubSourceStatus is used to reflect the current state of applying the
+// configuration to a default source
+type HubSourceStatus struct {
+	// name is the name of one of the default OperatorSources
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:Required
+	Name string `json:"name,omitempty"`
+	// configuration is the state of the default OperatorSources configuration
+	Configuration map[string]string `json:"configuration,omitempty"`
+	// status indicates success or failure in applying the configuration
+	Status string `json:"status,omitempty"`
+	// message provides more information regarding failures
+	Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_proxy.go b/vendor/github.com/openshift/api/config/v1/types_proxy.go
index 821ae89750e..39847014829 100644
--- a/vendor/github.com/openshift/api/config/v1/types_proxy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_proxy.go
@@ -46,14 +46,14 @@ type ProxySpec struct {
 	// only be consumed by a proxy validator. The validator is responsible for reading
 	// ConfigMapNameReference, validating the certificate and copying "ca-bundle.crt"
 	// from data to a ConfigMap in the namespace of an operator configured for proxy.
-	// The namespace for this ConfigMap is "openshift-config-managed". Here is an example
+	// The namespace for this ConfigMap is "openshift-config". Here is an example
 	// ConfigMap (in yaml):
 	//
 	// apiVersion: v1
 	// kind: ConfigMap
 	// metadata:
-	//  name: proxy-ca
-	//  namespace: openshift-config-managed
+	//  name: trusted-ca-bundle
+	//  namespace: openshift-config
 	//  data:
 	//    ca-bundle.crt: |
 	//      -----BEGIN CERTIFICATE-----
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index 4fa507b16a0..80f32c591c8 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -1571,6 +1571,45 @@ func (in *HTTPServingInfo) DeepCopy() *HTTPServingInfo {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HubSource) DeepCopyInto(out *HubSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HubSource.
+func (in *HubSource) DeepCopy() *HubSource {
+	if in == nil {
+		return nil
+	}
+	out := new(HubSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HubSourceStatus) DeepCopyInto(out *HubSourceStatus) {
+	*out = *in
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HubSourceStatus.
+func (in *HubSourceStatus) DeepCopy() *HubSourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HubSourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider) {
 	*out = *in
@@ -2465,6 +2504,111 @@ func (in *OperandVersion) DeepCopy() *OperandVersion {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHub) DeepCopyInto(out *OperatorHub) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHub.
+func (in *OperatorHub) DeepCopy() *OperatorHub {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHub)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OperatorHub) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubList) DeepCopyInto(out *OperatorHubList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OperatorHub, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubList.
+func (in *OperatorHubList) DeepCopy() *OperatorHubList {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OperatorHubList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubSpec) DeepCopyInto(out *OperatorHubSpec) {
+	*out = *in
+	if in.HubSources != nil {
+		in, out := &in.HubSources, &out.HubSources
+		*out = make([]HubSource, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubSpec.
+func (in *OperatorHubSpec) DeepCopy() *OperatorHubSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OperatorHubStatus) DeepCopyInto(out *OperatorHubStatus) {
+	*out = *in
+	if in.HubSourcesStatus != nil {
+		in, out := &in.HubSourcesStatus, &out.HubSourcesStatus
+		*out = make([]HubSourceStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorHubStatus.
+func (in *OperatorHubStatus) DeepCopy() *OperatorHubStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OperatorHubStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlatformStatus) DeepCopyInto(out *PlatformStatus) {
 	*out = *in
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
index 868921b7746..d93945fb9fd 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
@@ -584,7 +584,7 @@ func (ConsoleStatus) SwaggerDoc() map[string]string {
 }
 
 var map_DNS = map[string]string{
-	"":         "DNS holds cluster-wide information about DNS.  The canonical name is `cluster`",
+	"":         "DNS holds cluster-wide information about DNS. The canonical name is `cluster`",
 	"metadata": "Standard object's metadata.",
 	"spec":     "spec holds user settable values for configuration",
 	"status":   "status holds observed values from the cluster. They may not be overridden.",
@@ -603,7 +603,7 @@ func (DNSList) SwaggerDoc() map[string]string {
 }
 
 var map_DNSSpec = map[string]string{
-	"baseDomain":  "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base.\n\nFor example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`.",
+	"baseDomain":  "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base.\n\nFor example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`.\n\nOnce set, this field cannot be changed.",
 	"publicZone":  "publicZone is the location where all the DNS records that are publicly accessible to the internet exist.\n\nIf this field is nil, no public records should be created.\n\nOnce set, this field cannot be changed.",
 	"privateZone": "privateZone is the location where all the DNS records that are only available internally to the cluster exist.\n\nIf this field is nil, no private records should be created.\n\nOnce set, this field cannot be changed.",
 }
@@ -1146,6 +1146,62 @@ func (TokenConfig) SwaggerDoc() map[string]string {
 	return map_TokenConfig
 }
 
+var map_HubSource = map[string]string{
+	"":         "HubSource is used to specify the OperatorSource and its configuration",
+	"name":     "name is the name of one of the default OperatorSources",
+	"disabled": "disabled is used to disable a default OperatorSource on cluster",
+}
+
+func (HubSource) SwaggerDoc() map[string]string {
+	return map_HubSource
+}
+
+var map_HubSourceStatus = map[string]string{
+	"":              "HubSourceStatus is used to reflect the current state of applying the configuration to a default source",
+	"name":          "name is the name of one of the default OperatorSources",
+	"configuration": "configuration is the state of the default OperatorSources configuration",
+	"status":        "status indicates success or failure in applying the configuration",
+	"message":       "message provides more information regarding failures",
+}
+
+func (HubSourceStatus) SwaggerDoc() map[string]string {
+	return map_HubSourceStatus
+}
+
+var map_OperatorHub = map[string]string{
+	"": "OperatorHub is the Schema for the operatorhubs API",
+}
+
+func (OperatorHub) SwaggerDoc() map[string]string {
+	return map_OperatorHub
+}
+
+var map_OperatorHubList = map[string]string{
+	"": "OperatorHubList contains a list of OperatorHub",
+}
+
+func (OperatorHubList) SwaggerDoc() map[string]string {
+	return map_OperatorHubList
+}
+
+var map_OperatorHubSpec = map[string]string{
+	"":           "OperatorHubSpec defines the desired state of OperatorHub",
+	"hubSources": "hubSources is the list of default OperatorSources and their configuration",
+}
+
+func (OperatorHubSpec) SwaggerDoc() map[string]string {
+	return map_OperatorHubSpec
+}
+
+var map_OperatorHubStatus = map[string]string{
+	"":                 "OperatorHubStatus defines the observed state of OperatorHub",
+	"hubSourcesStatus": "hubSourcesStatus encapsulates the result applying the configuration",
+}
+
+func (OperatorHubStatus) SwaggerDoc() map[string]string {
+	return map_OperatorHubStatus
+}
+
 var map_Project = map[string]string{
 	"":         "Project holds cluster-wide information about Project.  The canonical name is `cluster`",
 	"metadata": "Standard object's metadata.",
@@ -1208,7 +1264,7 @@ var map_ProxySpec = map[string]string{
 	"httpsProxy":         "httpsProxy is the URL of the proxy for HTTPS requests.  Empty means unset and will not result in an env var.",
 	"noProxy":            "noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used. Empty means unset and will not result in an env var.",
 	"readinessEndpoints": "readinessEndpoints is a list of endpoints used to verify readiness of the proxy.",
-	"trustedCA":          "trustedCA is a reference to a ConfigMap containing a CA certificate bundle used for client egress HTTPS connections. The certificate bundle must be from the CA that signed the proxy's certificate and be signed for everything. trustedCA should only be consumed by a proxy validator. The validator is responsible for reading ConfigMapNameReference, validating the certificate and copying \"ca-bundle.crt\" from data to a ConfigMap in the namespace of an operator configured for proxy. The namespace for this ConfigMap is \"openshift-config-managed\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: proxy-ca\n namespace: openshift-config-managed\n data:\n   ca-bundle.crt: |",
+	"trustedCA":          "trustedCA is a reference to a ConfigMap containing a CA certificate bundle used for client egress HTTPS connections. The certificate bundle must be from the CA that signed the proxy's certificate and be signed for everything. trustedCA should only be consumed by a proxy validator. The validator is responsible for reading ConfigMapNameReference, validating the certificate and copying \"ca-bundle.crt\" from data to a ConfigMap in the namespace of an operator configured for proxy. The namespace for this ConfigMap is \"openshift-config\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: trusted-ca-bundle\n namespace: openshift-config\n data:\n   ca-bundle.crt: |",
 }
 
 func (ProxySpec) SwaggerDoc() map[string]string {