Sync 2022-08-10 #354
Closed
Sync 2022-08-10 #354
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…penshift#250) Signed-off-by: perdasilva <[email protected]> Upstream-repository: api Upstream-commit: f8da7254a5aabb477235d297f080af29f7fb0be4
….config (openshift#250)" This reverts commit f8da7254a5aabb477235d297f080af29f7fb0be4. Upstream-repository: api Upstream-commit: 5490427930e127437fec9224e59cee50405ca131
Signed-off-by: perdasilva <[email protected]> Upstream-repository: api Upstream-commit: ae4da2a9ec6a5c8e8725f62eecd5c18bb1816658
) This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <[email protected]> Upstream-repository: operator-registry Upstream-commit: 43e43240dd9c32dcb7742e96afb1ab3fd63a9ce2
Signed-off-by: timflannagan <[email protected]> Upstream-repository: operator-registry Upstream-commit: 732b5722825e085c045b94fbb5ae36dcb8df59c3
Signed-off-by: timflannagan <[email protected]> Upstream-repository: operator-registry Upstream-commit: 33ed9ea30b4daea03435c2ba3839a6ce79894a75
Get the current OpenShift release version from the RELEASE_VERSION environment variable since the behavior of the original source -- the ClusterVersion desired release status field -- has changed. Signed-off-by: Tyler Slaton <[email protected]> Co-authored-by: Nick Hale <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: b2086bd2c5eb9b60370869757c51fa7908d2cde0
* (psa) make workloads compatible with psa:restricted profile With the introduction of [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces), the reccomeneded best practice is to enforce the Restricted policy of admission (see [1] for more details). This PR *) Lables the olm namespace as `enforce:restricted` *) Labels the operators namespace as `enforce:baseline` (to allow existing CSV deployments without securityContext set to deploy in the namespace, which won't be possible with `enforce:resticted`) *) updates the securityContext of olm workload pods(olm-operator, catalog-operator, and CatalogSource registry pods) to adhere to the `Restricted` policy. *) updates the bundle unpacking job to create a pod that adheres to the `Restricted` policy, so that bundles can be unpacked in the `Restricted` namespace. Signed-off-by: Anik Bhattacharjee <[email protected]> * (flaky text fix): GC CSV with wrong namespace annotation The test was modifying the `olm.operatornamespace` to an incorrect value, and checking to make sure that the CSV was garbage collected as a result. However, the olm-controller was copying a fresh copy back into the namespace, so whenever the test was able to get a yes reply to the question "is the CSV gone", in the brief window before it was copied back again, the test was passing. This commit fixes that by making sure that if find a CSV that we expected to be garbage collected, it passes if it determines that the CSV is a fresh copy, and not the one modified before. Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 67177c0c822fbe7d554669262c6b4f54bebad17f
* vendor new o_f/api version Signed-off-by: perdasilva <[email protected]> * Update olm controller to handle Subscription.config.affinity Signed-off-by: perdasilva <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 55230179df33811fce196cca595c474bf4faaeff
This PR: * introduces a chart value that decides if the --set-workload-user-id flag to true or false for the catalog-operator container * introduces chart values to fill in the psa enforce level/version for the namespaces Closes #2827 Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: f982e2fbeecfcb917665ed760363326e313b2967
Problem: When uninstalling a CSV, OLM has always avoided deleting the associated CRD as all CRs on cluster are subsequently deleted, possibly resulting in user dataloss. OLM supports defining conversion webhooks within the CSV. On cluster, conversion webhooks are defined with a CRD and point to a service that handles conversion. If the service is unable to fulfill the request, all requests against the CRs associated with the CRD will fail. When uninstalling a CSV, OLM does not remove the conversion webhook from the CRD, meaning that all requests against the CRs associated with the CRD will fail, resulting in at least two concerns: 1. OLM is unable to subsequently reinstall the operator. When installing a CSV, if the CRD already exists and instances of CRs exist as well, OLM performs a series of checks which ensure that none of the CRs are invalidated against the new schema. The existing CRD's conversion webhooks points to a non-existant service, causing the check to fail and preventing installs. 2. Broken conversion webhooks causes kubernete's garbage collection to fail. Solution: When a CSV is deleted, if no CSV exists that is replacing it, set the CRD's conversion strategy to None. Signed-off-by: Alexander Greene <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 94374983d448c56d031f0493b84b6dce37b84741
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.
1) The generated CA and server cert do not include a common name,
which causes some tooling to have trouble tracing the cert chain.
2) The generated CA and server cert include unnecessary key usages,
which means those certificates can be used for more than their
intended purposes.
This commit resolves the above issues by ensuring the certificates
include common names and by using the minimal key usages necessary.
Signed-off-by: Joe Lanford <[email protected]>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274
Signed-off-by: Jordan Keister <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: c312b41e3079b5cb1672120046b376f50cb4246f
Signed-off-by: Jordan Keister <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 8a56bcc6e3f9b9e25cbbc003ef17c710622771fa
Signed-off-by: perdasilva <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: 82d17f39785d0e7fdc0d6b77c35209c5c915bad6
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timflannagan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
approved
|
The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift org. You can then trigger verification by writing
|
|
@timflannagan: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Just test piloting the
make syncworkflow that was added in #351.