diff --git a/manifests/0000_50_olm_00-pprof-config.yaml b/manifests/0000_50_olm_00-pprof-config.yaml
index b7313efce9..8e45534f0d 100644
--- a/manifests/0000_50_olm_00-pprof-config.yaml
+++ b/manifests/0000_50_olm_00-pprof-config.yaml
@@ -6,6 +6,7 @@ metadata:
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: collect-profiles-config
 namespace: openshift-operator-lifecycle-manager
diff --git a/manifests/0000_50_olm_00-pprof-rbac.yaml b/manifests/0000_50_olm_00-pprof-rbac.yaml
index d874c74a25..84f99db4b3 100644
--- a/manifests/0000_50_olm_00-pprof-rbac.yaml
+++ b/manifests/0000_50_olm_00-pprof-rbac.yaml
@@ -5,6 +5,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
@@ -23,6 +24,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
@@ -42,6 +44,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
diff --git a/manifests/0000_50_olm_00-pprof-secret.yaml b/manifests/0000_50_olm_00-pprof-secret.yaml
index 5035a25523..f7f98d8614 100644
--- a/manifests/0000_50_olm_00-pprof-secret.yaml
+++ b/manifests/0000_50_olm_00-pprof-secret.yaml
@@ -6,6 +6,7 @@ metadata:
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
+ release.openshift.io/delete: "true"
 openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: pprof-cert
diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
index 7129f9dd1f..2f05f0f505 100644
--- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
+++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -5,6 +5,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 name: collect-profiles
 labels:
diff --git a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
index 0096b63eea..f0bb3486ca 100644
--- a/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
+++ b/manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
@@ -6,6 +6,7 @@ metadata:
 annotations:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 include.release.openshift.io/hypershift: "true"
 spec:
diff --git a/microshift-manifests/0000_50_olm_00-pprof-config.yaml b/microshift-manifests/0000_50_olm_00-pprof-config.yaml
deleted file mode 100644
index b7313efce9..0000000000
--- a/microshift-manifests/0000_50_olm_00-pprof-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/create-only: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: collect-profiles-config
- namespace: openshift-operator-lifecycle-manager
-data:
- pprof-config.yaml: |
- disabled: False
diff --git a/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml b/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml
deleted file mode 100644
index d874c74a25..0000000000
--- a/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: collect-profiles
- namespace: openshift-operator-lifecycle-manager
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: collect-profiles
- namespace: openshift-operator-lifecycle-manager
-subjects:
- - kind: ServiceAccount
- name: collect-profiles
- namespace: openshift-operator-lifecycle-manager
-roleRef:
- kind: Role
- name: collect-profiles
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: collect-profiles
- namespace: openshift-operator-lifecycle-manager
diff --git a/microshift-manifests/0000_50_olm_00-pprof-secret.yaml b/microshift-manifests/0000_50_olm_00-pprof-secret.yaml
deleted file mode 100644
index 5035a25523..0000000000
--- a/microshift-manifests/0000_50_olm_00-pprof-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/create-only: "true"
- openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: pprof-cert
- namespace: openshift-operator-lifecycle-manager
-type: kubernetes.io/tls
-data:
- tls.crt: ""
- tls.key: ""
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
deleted file mode 100644
index 7129f9dd1f..0000000000
--- a/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/hypershift: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- name: collect-profiles
- labels:
- app: olm-collect-profiles
- namespace: openshift-operator-lifecycle-manager
-spec:
- schedule: "*/15 * * * *"
- concurrencyPolicy: "Replace"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: restricted-v2
- labels:
- app: olm-collect-profiles
- spec:
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- serviceAccountName: collect-profiles
- priorityClassName: openshift-user-critical
- containers:
- - name: collect-profiles
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
- imagePullPolicy: IfNotPresent
- command:
- - bin/collect-profiles
- args:
- - -n
- - openshift-operator-lifecycle-manager
- - --config-mount-path
- - /etc/config
- - --cert-mount-path
- - /var/run/secrets/serving-cert
- - olm-operator-heap-:https://olm-operator-metrics:8443/debug/pprof/heap
- - catalog-operator-heap-:https://catalog-operator-metrics:8443/debug/pprof/heap
- volumeMounts:
- - mountPath: /etc/config
- name: config-volume
- - mountPath: /var/run/secrets/serving-cert
- name: secret-volume
- resources:
- requests:
- cpu: 10m
- memory: 80Mi
- terminationMessagePolicy: FallbackToLogsOnError
- volumes:
- - name: config-volume
- configMap:
- name: collect-profiles-config
- - name: secret-volume
- secret:
- secretName: pprof-cert
- restartPolicy: Never
diff --git a/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml b/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
deleted file mode 100644
index 0096b63eea..0000000000
--- a/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: collect-profiles
- namespace: openshift-operator-lifecycle-manager
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- capability.openshift.io/name: "OperatorLifecycleManager"
- include.release.openshift.io/hypershift: "true"
-spec:
- podSelector:
- matchLabels:
- app: olm-collect-profiles
- egress:
- - ports:
- - port: 8443
- protocol: TCP
- to:
- - namespaceSelector:
- matchLabels:
- name: openshift-operator-lifecycle-manager
- - podSelector:
- matchLabels:
- app: olm-operator
- - podSelector:
- matchLabels:
- app: catalog-operator
- - ports:
- - port: 6443
- protocol: TCP
- - ports:
- - port: dns-tcp
- protocol: TCP
- - port: dns
- protocol: UDP
- to:
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: openshift-dns
- policyTypes:
- - Egress
- - Ingress
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
index 4020d60dc3..56b3986a5f 100755
--- a/scripts/generate_crds_manifests.sh
+++ b/scripts/generate_crds_manifests.sh
@@ -338,6 +338,7 @@ metadata:
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
+ release.openshift.io/delete: "true"
 name: collect-profiles-config
 namespace: openshift-operator-lifecycle-manager
 data:
@@ -353,6 +354,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
 rules:
@@ -370,6 +372,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
 subjects:
@@ -388,6 +391,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 name: collect-profiles
 namespace: openshift-operator-lifecycle-manager
 EOF
@@ -401,6 +405,7 @@ metadata:
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
+ release.openshift.io/delete: "true"
 openshift.io/owning-component: "Operator Framework / operator-lifecycle-manager"
 name: pprof-cert
 namespace: openshift-operator-lifecycle-manager
@@ -419,6 +424,7 @@ metadata:
 annotations:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 capability.openshift.io/name: "OperatorLifecycleManager"
 include.release.openshift.io/hypershift: "true"
 spec:
@@ -464,6 +470,7 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true"
 include.release.openshift.io/hypershift: "true"
 include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/delete: "true"
 name: collect-profiles
 labels:
 app: olm-collect-profiles
@@ -650,3 +657,12 @@ done
 # replace input with output
 mv "${filtered_yaml}" "${yaml_file}"
+
+# Deleting manifests from CVO takes multiple releases. an annotation was added in 4.22 development to remove the collect-profiles
+# resources from the CVO payload. For microshift, since there is no CVO payload and no in process upgrade, let's delete these now.
+# In 4.23 development, the CVO manifests should be deleted and this step should be removed.
+rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_07-collect-profiles.cronjob.yaml"
+rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_07-collect-profiles.networkpolicy.yaml"
+rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-config.yaml"
+rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-rbac.yaml"
+rm -f "${ROOT_DIR}/microshift-manifests/0000_50_olm_00-pprof-secret.yaml"
diff --git a/tests-extension/test/qe/specs/olmv0_networkpolicy.go b/tests-extension/test/qe/specs/olmv0_networkpolicy.go
index 6c2f361215..62676c89b2 100644
--- a/tests-extension/test/qe/specs/olmv0_networkpolicy.go
+++ b/tests-extension/test/qe/specs/olmv0_networkpolicy.go
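Review bot: The five new `rm -f "${ROOT_DIR}/microshift-manifests/..."` lines run unconditionally; if `ROOT_DIR` is empty or unset and the script's prologue (outside this hunk) does not enable `set -u`, each one degrades to `rm -f /microshift-manifests/...`, which does nothing and silently hides the misconfiguration while the stale manifests stay in the tree. A one-line guard before the block, `: "${ROOT_DIR:?ROOT_DIR must be set}"`, turns that into an explicit failure. The new comment explains the 4.22/4.23 plan well, but a grep-able marker such as `# TODO(4.23): drop this block once the CVO manifests are removed` would make the follow-up easier to find.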
@@ -69,33 +69,6 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() {
 ExpectSelector: map[string]string{"app": "catalog-operator"},
 ExpectPolicyTypes: []string{"Ingress", "Egress"},
 },
- {
- Name: "collect-profiles",
- Namespace: "openshift-operator-lifecycle-manager",
- ExpectIngress: nil,
- ExpectEgress: []olmv0util.EgressRule{
- {
- Ports: []olmv0util.Port{{Port: 8443, Protocol: "TCP"}},
- Selectors: []olmv0util.Selector{
- {NamespaceLabels: map[string]string{"name": "openshift-operator-lifecycle-manager"}},
- {PodLabels: map[string]string{"app": "olm-operator"}},
- {PodLabels: map[string]string{"app": "catalog-operator"}},
- },
- },
- {
- Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}},
- Selectors: nil,
- },
- {
- Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}},
- Selectors: []olmv0util.Selector{
- {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}},
- },
- },
- },
- ExpectSelector: map[string]string{"app": "olm-collect-profiles"},
- ExpectPolicyTypes: []string{"Egress", "Ingress"},
- },
 {
 Name: "default-deny-all-traffic",
 Namespace: "openshift-operator-lifecycle-manager",
@@ -181,6 +154,40 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() {
 ExpectPolicyTypes: []string{"Ingress", "Egress"},
 },
 }
+
+ // Dynamically add collect-profiles policy if the pods exist
+ if output, err := oc.AsAdmin().WithoutNamespace().
+ Run("get").
+ Args("pods", "-n", "openshift-operator-lifecycle-manager", "-l", "app=olm-collect-profiles", "-o", "name").
+ Output(); err == nil && strings.Contains(output, "collect-profiles") {
+ policies = append(policies, olmv0util.NpExpecter{
+ Name: "collect-profiles",
+ Namespace: "openshift-operator-lifecycle-manager",
+ ExpectIngress: nil,
+ ExpectEgress: []olmv0util.EgressRule{
+ {
+ Ports: []olmv0util.Port{{Port: 8443, Protocol: "TCP"}},
+ Selectors: []olmv0util.Selector{
+ {NamespaceLabels: map[string]string{"name": "openshift-operator-lifecycle-manager"}},
+ {PodLabels: map[string]string{"app": "olm-operator"}},
+ {PodLabels: map[string]string{"app": "catalog-operator"}},
+ },
+ },
+ {
+ Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}},
+ Selectors: nil,
+ },
+ {
+ Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}},
+ Selectors: []olmv0util.Selector{
+ {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}},
+ },
+ },
+ },
+ ExpectSelector: map[string]string{"app": "olm-collect-profiles"},
+ ExpectPolicyTypes: []string{"Egress", "Ingress"},
+ })
+ }
 if _, err := oc.AsAdmin().WithoutNamespace().
 Run("get").
 Args("catsrc", "redhat-operators", "-n", "openshift-marketplace").
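Review bot: The presence probe at `Output(); err == nil && strings.Contains(output, "collect-profiles")` treats a failed `oc get` exactly like "no pods", so a transient API error silently drops the collect-profiles entry from `policies` and the spec passes without ever verifying that NetworkPolicy; the `err != nil` case should be reported with the spec's usual assertion or log helper rather than folded into the skip condition. Gating on pods is also a weak signal: the CronJob this guards is scheduled every 15 minutes (per the manifest elsewhere in this diff), so on a freshly installed cluster no `app=olm-collect-profiles` pod may exist yet and the check is skipped even though the policy is present; probing the CronJob (or the NetworkPolicy object itself) would be stable. The same ~34-line block is repeated verbatim in the hunk at `@@ -385,6 +368,37 @@`, so a small helper returning the `olmv0util.NpExpecter` would keep the two from drifting. The new code relies on `strings` being imported, which this hunk does not show, and the enclosing Describe body continues beyond it.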
@@ -296,30 +303,6 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() {
 ExpectSelector: map[string]string{"app": "catalog-operator"},
 ExpectPolicyTypes: []string{"Ingress", "Egress"},
 },
- {
- Name: "collect-profiles",
- Namespace: "openshift-operator-lifecycle-manager",
- ExpectIngress: nil,
- ExpectEgress: []olmv0util.EgressRule{
- {
- Ports: []olmv0util.Port{{Port: 8443, Protocol: "TCP"}},
- Selectors: []olmv0util.Selector{
- {NamespaceLabels: map[string]string{"name": "openshift-operator-lifecycle-manager"}},
- {PodLabels: map[string]string{"app": "olm-operator"}},
- {PodLabels: map[string]string{"app": "catalog-operator"}},
- },
- },
- {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil},
- {
- Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}},
- Selectors: []olmv0util.Selector{
- {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}},
- },
- },
- },
- ExpectSelector: map[string]string{"app": "olm-collect-profiles"},
- ExpectPolicyTypes: []string{"Egress", "Ingress"},
- },
 {
 Name: "default-deny-all-traffic",
 Namespace: "openshift-operator-lifecycle-manager",
@@ -385,6 +368,37 @@ var _ = g.Describe("[sig-operator][Jira:OLM] OLMv0 networkpolicy", func() { }, } + // Dynamically add collect-profiles policy if the pods exist + if output, err := oc.AsAdmin().WithoutNamespace(). + Run("get"). + Args("pods", "-n", "openshift-operator-lifecycle-manager", "-l", "app=olm-collect-profiles", "-o", "name"). + Output(); err == nil && strings.Contains(output, "collect-profiles") { + policies = append(policies, olmv0util.NpExpecter{ + Name: "collect-profiles", + Namespace: "openshift-operator-lifecycle-manager", + ExpectIngress: nil, + ExpectEgress: []olmv0util.EgressRule{ + { + Ports: []olmv0util.Port{{Port: 8443, Protocol: "TCP"}}, + Selectors: []olmv0util.Selector{ + {NamespaceLabels: map[string]string{"name": "openshift-operator-lifecycle-manager"}}, + {PodLabels: map[string]string{"app": "olm-operator"}}, + {PodLabels: map[string]string{"app": "catalog-operator"}}, + }, + }, + {Ports: []olmv0util.Port{{Port: 6443, Protocol: "TCP"}}, Selectors: nil}, + { + Ports: []olmv0util.Port{{Port: "dns-tcp", Protocol: "TCP"}, {Port: "dns", Protocol: "UDP"}}, + Selectors: []olmv0util.Selector{ + {NamespaceLabels: map[string]string{"kubernetes.io/metadata.name": "openshift-dns"}}, + }, + }, + }, + ExpectSelector: map[string]string{"app": "olm-collect-profiles"}, + ExpectPolicyTypes: []string{"Egress", "Ingress"}, + }) + } + for _, policy := range policies { g.By(fmt.Sprintf("Checking NP %s in %s", policy.Name, policy.Namespace))