diff --git a/manifests/0000_50_olm_01-networkpolicies.yaml b/manifests/0000_50_olm_01-networkpolicies.yaml
new file mode 100644
index 0000000000..84fb60d38d
--- /dev/null
+++ b/manifests/0000_50_olm_01-networkpolicies.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: openshift-operators
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ capability.openshift.io/name: "OperatorLifecycleManager"
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - {}
+ egress:
+ - {}
diff --git a/microshift-manifests/0000_50_olm_01-networkpolicies.yaml b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml
new file mode 100644
index 0000000000..84fb60d38d
--- /dev/null
+++ b/microshift-manifests/0000_50_olm_01-networkpolicies.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: openshift-operators
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ capability.openshift.io/name: "OperatorLifecycleManager"
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - {}
+ egress:
+ - {}
diff --git a/microshift-manifests/kustomization.yaml b/microshift-manifests/kustomization.yaml
index ea1c55c54e..2147cc0b9c 100644
--- a/microshift-manifests/kustomization.yaml
+++ b/microshift-manifests/kustomization.yaml
@@ -14,6 +14,7 @@ resources:
 - 0000_50_olm_00-pprof-rbac.yaml
 - 0000_50_olm_00-pprof-secret.yaml
 - 0000_50_olm_00-subscriptions.crd.yaml
+ - 0000_50_olm_01-networkpolicies.yaml
 - 0000_50_olm_01-olm-operator.serviceaccount.yaml
 - 0000_50_olm_02-olmconfig.yaml
 - 0000_50_olm_02-services.yaml
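Review bot: The new `default-allow-all` policy in `openshift-operators` selects every pod (`podSelector: {}`) and carries one empty rule under both `ingress` and `egress`, so it permits all traffic for the whole namespace, and the manifest does not say why. NetworkPolicies are additive, so while this object exists a narrower policy applied in that namespace cannot restrict anything; that includes a policy shipped in an operator bundle, which this same commit starts to accept by adding `NetworkPolicy` as a supported kind. If that is the intent (presumably to keep existing operator workloads reachable), state it in a comment at the top of the file, e.g. `# Keeps openshift-operators open on purpose; policies are additive, so tighter policies in this namespace have no effect while this one exists.` The same applies to the identical copy under `microshift-manifests/` and to the chart template under `staging/operator-lifecycle-manager/deploy/chart/templates/`.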
diff --git a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
new file mode 100644
index 0000000000..cb0da2493d
--- /dev/null
+++ b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_01-networkpolicies.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Values.operator_namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - {}
+ egress:
+ - {}
diff --git a/staging/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go b/staging/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go
index 82a648f037..d7907b6af6 100644
--- a/staging/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go
+++ b/staging/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go
@@ -662,18 +662,18 @@ func (c *ConfigMapUnpacker) ensureConfigmap(csRef *corev1.ObjectReference, name return } -func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (job *batchv1.Job, err error) { +func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (*batchv1.Job, error) { fresh := c.job(cmRef, bundlePath, secrets, timeout) var jobs, toDelete []*batchv1.Job - jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name}) + jobs, err := c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name}) if err != nil { - return + return nil, err } // This is to ensure that we account for any existing unpack jobs that may be missing the label jobWithoutLabel, err := c.jobLister.Jobs(fresh.GetNamespace()).Get(cmRef.Name) if err != nil && !apierrors.IsNotFound(err) { - return + return nil, err } if jobWithoutLabel != nil { _, labelExists := jobWithoutLabel.Labels[bundleUnpackRefLabel] 
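Review bot: The lookup `jobWithoutLabel, err := c.jobLister.Jobs(...).Get(cmRef.Name)` leaves a tolerated NotFound in `err`, and the explicit `return job, err` in the retry branch (the `@@ -705` hunk) returns whatever `err` holds at that point. Unless the lines between the hunks reassign `err` on every path, which is not visible here, that return hands the caller a valid `job` together with a stale NotFound error. Clearing the tolerated error right after the check removes the dependency: `if apierrors.IsNotFound(err) { err = nil }`. The body of ensureJob continues outside this hunk.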
@@ -683,12 +683,11 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath } if len(jobs) == 0 { - job, err = c.client.BatchV1().Jobs(fresh.GetNamespace()).Create(context.TODO(), fresh, metav1.CreateOptions{}) - return + return c.client.BatchV1().Jobs(fresh.GetNamespace()).Create(context.TODO(), fresh, metav1.CreateOptions{}) } - maxRetainedJobs := 5 // TODO: make this configurable - job, toDelete = sortUnpackJobs(jobs, maxRetainedJobs) // choose latest or on-failed job attempt + maxRetainedJobs := 5 // TODO: make this configurable + job, toDelete := sortUnpackJobs(jobs, maxRetainedJobs) // choose latest or on-failed job attempt // only check for retries if an unpackRetryInterval is specified if unpackRetryInterval > 0 { @@ -705,18 +704,18 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath for _, j := range toDelete { _ = c.client.BatchV1().Jobs(j.GetNamespace()).Delete(context.TODO(), j.GetName(), metav1.DeleteOptions{}) } - return + return job, err } } if equality.Semantic.DeepDerivative(fresh.GetOwnerReferences(), job.GetOwnerReferences()) && equality.Semantic.DeepDerivative(fresh.Spec, job.Spec) { - return + return job, nil } // TODO: Decide when to fail-out instead of deleting the job err = c.client.BatchV1().Jobs(job.GetNamespace()).Delete(context.TODO(), job.GetName(), metav1.DeleteOptions{}) job = nil - return + return nil, err } func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference) (role *rbacv1.Role, err error) { diff --git a/staging/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go b/staging/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go index 4d0a97d1b6..8efc0f51da 100644 --- a/staging/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go +++ b/staging/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go 
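Review bot: In the `@@ -705` hunk, `job = nil` directly before `return nil, err` is now a dead store, because the function no longer has named results for the bare return to read; the line should be dropped. For the same reason the context line `var jobs, toDelete []*batchv1.Job` is no longer needed once `jobs, err :=` and `job, toDelete :=` use short declarations, and keeping it makes those two `:=` read as fresh declarations when they reuse the earlier variables. ensureJob starts outside these hunks, so the `var` line would have to be removed in the first hunk.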
@@ -10,6 +10,7 @@ const ( ConsoleQuickStartKind = "ConsoleQuickStart" ConsoleCLIDownloadKind = "ConsoleCLIDownload" ConsoleLinkKind = "ConsoleLink" + NetworkPolicyKind = "NetworkPolicy" ) var supportedKinds = map[string]struct{}{ @@ -22,6 +23,7 @@ var supportedKinds = map[string]struct{}{ ConsoleQuickStartKind: {}, ConsoleCLIDownloadKind: {}, ConsoleLinkKind: {}, + NetworkPolicyKind: {}, } // isSupported returns true if OLM supports this type of CustomResource. diff --git a/staging/operator-lifecycle-manager/test/e2e/collect-ci-artifacts.sh b/staging/operator-lifecycle-manager/test/e2e/collect-ci-artifacts.sh index 813c162695..a02d6271b5 100755 --- a/staging/operator-lifecycle-manager/test/e2e/collect-ci-artifacts.sh +++ b/staging/operator-lifecycle-manager/test/e2e/collect-ci-artifacts.sh @@ -19,8 +19,12 @@ commands+=("get subscriptions -o yaml") commands+=("get operatorgroups -o yaml") commands+=("get clusterserviceversions -o yaml") commands+=("get installplans -o yaml") +commands+=("get jobs -o yaml") +commands+=("get configmaps -o yaml") commands+=("get pods -o wide") +commands+=("get jobs -o wide") commands+=("get events --sort-by .lastTimestamp") +commands:=("get configmaps -o wide") echo "Storing the test artifact output in the ${TEST_ARTIFACTS_DIR} directory" for command in "${commands[@]}"; do diff --git a/staging/operator-registry/pkg/lib/bundle/supported_resources.go b/staging/operator-registry/pkg/lib/bundle/supported_resources.go index 94b5fd01df..a07b28aef3 100644 --- a/staging/operator-registry/pkg/lib/bundle/supported_resources.go +++ b/staging/operator-registry/pkg/lib/bundle/supported_resources.go @@ -20,6 +20,7 @@ const ( ConsoleQuickStartKind = "ConsoleQuickStart" ConsoleCLIDownloadKind = "ConsoleCLIDownload" ConsoleLinkKind = "ConsoleLink" + NetworkPolicyKind = "NetworkPolicy" ) // Namespaced indicates whether the resource is namespace scoped (true) or cluster-scoped (false). 
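Review bot: `NetworkPolicyKind` is added to `supportedKinds` without a comment, although it differs from the console kinds beside it: a NetworkPolicy can change traffic for pods the bundle does not own. As far as these hunks show, the entry is a plain allow-list key, so a bundle policy with an empty `podSelector` would presumably be applied as written and cover every pod in the install namespace; whether the selector is validated elsewhere is not visible here. I would document that on the constant, e.g. `// NetworkPolicyKind objects from a bundle are applied as written; their podSelector can cover pods the operator does not own.` The matching constant in `staging/operator-registry/pkg/lib/bundle/supported_resources.go` deserves the same comment.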
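Review bot: The last added line in `collect-ci-artifacts.sh`, `commands:=("get configmaps -o wide")`, uses `:=` where every other line uses `+=`, so it is not an array append. Bash should reject it as a syntax error at that line, which would stop the script before the collection loop runs and leave the CI run without the artifacts this change is meant to add. It should read `commands+=("get configmaps -o wide")`.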
@@ -47,6 +48,7 @@ var supportedResources = map[string]Namespaced{ ConsoleQuickStartKind: false, ConsoleCLIDownloadKind: false, ConsoleLinkKind: false, + NetworkPolicyKind: true, } // IsSupported checks if the object kind is OLM-supported and if it is namespaced diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go index 82a648f037..d7907b6af6 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go +++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go 
@@ -662,18 +662,18 @@ func (c *ConfigMapUnpacker) ensureConfigmap(csRef *corev1.ObjectReference, name return } -func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (job *batchv1.Job, err error) { +func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath string, secrets []corev1.LocalObjectReference, timeout time.Duration, unpackRetryInterval time.Duration) (*batchv1.Job, error) { fresh := c.job(cmRef, bundlePath, secrets, timeout) var jobs, toDelete []*batchv1.Job - jobs, err = c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name}) + jobs, err := c.jobLister.Jobs(fresh.GetNamespace()).List(k8slabels.ValidatedSetSelector{bundleUnpackRefLabel: cmRef.Name}) if err != nil { - return + return nil, err } // This is to ensure that we account for any existing unpack jobs that may be missing the label jobWithoutLabel, err := c.jobLister.Jobs(fresh.GetNamespace()).Get(cmRef.Name) if err != nil && !apierrors.IsNotFound(err) { - return + return nil, err } if jobWithoutLabel != nil { _, labelExists := jobWithoutLabel.Labels[bundleUnpackRefLabel] 
@@ -683,12 +683,11 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath } if len(jobs) == 0 { - job, err = c.client.BatchV1().Jobs(fresh.GetNamespace()).Create(context.TODO(), fresh, metav1.CreateOptions{}) - return + return c.client.BatchV1().Jobs(fresh.GetNamespace()).Create(context.TODO(), fresh, metav1.CreateOptions{}) } - maxRetainedJobs := 5 // TODO: make this configurable - job, toDelete = sortUnpackJobs(jobs, maxRetainedJobs) // choose latest or on-failed job attempt + maxRetainedJobs := 5 // TODO: make this configurable + job, toDelete := sortUnpackJobs(jobs, maxRetainedJobs) // choose latest or on-failed job attempt // only check for retries if an unpackRetryInterval is specified if unpackRetryInterval > 0 { @@ -705,18 +704,18 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath for _, j := range toDelete { _ = c.client.BatchV1().Jobs(j.GetNamespace()).Delete(context.TODO(), j.GetName(), metav1.DeleteOptions{}) } - return + return job, err } } if equality.Semantic.DeepDerivative(fresh.GetOwnerReferences(), job.GetOwnerReferences()) && equality.Semantic.DeepDerivative(fresh.Spec, job.Spec) { - return + return job, nil } // TODO: Decide when to fail-out instead of deleting the job err = c.client.BatchV1().Jobs(job.GetNamespace()).Delete(context.TODO(), job.GetName(), metav1.DeleteOptions{}) job = nil - return + return nil, err } func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference) (role *rbacv1.Role, err error) { diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go index 4d0a97d1b6..8efc0f51da 100644 --- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go 
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalog/supportedresources.go @@ -10,6 +10,7 @@ const ( ConsoleQuickStartKind = "ConsoleQuickStart" ConsoleCLIDownloadKind = "ConsoleCLIDownload" ConsoleLinkKind = "ConsoleLink" + NetworkPolicyKind = "NetworkPolicy" ) var supportedKinds = map[string]struct{}{ @@ -22,6 +23,7 @@ var supportedKinds = map[string]struct{}{ ConsoleQuickStartKind: {}, ConsoleCLIDownloadKind: {}, ConsoleLinkKind: {}, + NetworkPolicyKind: {}, } // isSupported returns true if OLM supports this type of CustomResource. diff --git a/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go b/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go index 94b5fd01df..a07b28aef3 100644 --- a/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go +++ b/vendor/github.com/operator-framework/operator-registry/pkg/lib/bundle/supported_resources.go @@ -20,6 +20,7 @@ const ( ConsoleQuickStartKind = "ConsoleQuickStart" ConsoleCLIDownloadKind = "ConsoleCLIDownload" ConsoleLinkKind = "ConsoleLink" + NetworkPolicyKind = "NetworkPolicy" ) // Namespaced indicates whether the resource is namespace scoped (true) or cluster-scoped (false). @@ -47,6 +48,7 @@ var supportedResources = map[string]Namespaced{ ConsoleQuickStartKind: false, ConsoleCLIDownloadKind: false, ConsoleLinkKind: false, + NetworkPolicyKind: true, } // IsSupported checks if the object kind is OLM-supported and if it is namespaced