UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs

UPSTREAM: <carry>: Copy hack scripts and tools from openshift/origin

UPSTREAM: <carry>: Fix shellcheck failures for copied openshift-hack bash

UPSTREAM: <carry>: Enable build, test and verify

UPSTREAM: <carry>: Copy README content from origin

UPSTREAM: <carry>: Copy watch-termination command from openshift/origin

UPSTREAM: <carry>: Switch image and rpm build to golang 1.14

UPSTREAM: <carry>: Copy test annotation from origin

UPSTREAM: <carry>: Build openshift-compatible kube e2e binary

UPSTREAM: <carry>: Updating openshift-hack/images/hyperkube/Dockerfile.rhel baseimages to mach ocp-build-data config

UPSTREAM: <carry>: Update test annotation rules

UPSTREAM: <carry>: Enable k8s-e2e-serial

UPSTREAM: <carry>: Update test annotation rules

UPSTREAM: <carry>: Build with golang 1.15

UPSTREAM: <carry>: (squash) Stop installing recent bash and protoc from source

UPSTREAM: <carry>: Add rebase instructions

UPSTREAM: <carry>: (squash) Update README.openshift to reflect transition

UPSTREAM: <carry>: (squash) Stop annotating origin tests with [Suite:openshift]

The detection logic was error-prone (different results based on the
repo existing in GOPATH vs not) and whether a test comes from origin
can be inferred from the absence of the `[Suite:k8s]` tag.

UPSTREAM: <carry>: (squash) Update hyperkube version

UPSTREAM: <carry>: (squash) Update OpenShift docs

UPSTREAM: <carry>: watch-termination: fix deletion race and write non-graceful message also to termination.log

UPSTREAM: <carry>: watch-termination: avoid false positives of NonGracefulTermination events

UPSTREAM: <carry>: (squash) remove servicecatalog e2e that was dropped upstream

UPSTREAM: <carry>: (squash) Fix annotation rules

UPSTREAM: <carry>: (squash) Fix image refs

UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube builder & base images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/b0ab44b419faae6b18e639e780a1fa50a1df8521/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: (squash) Retry upstream flakes

UPSTREAM: <carry>: (squash) Update test exclussions for 1.20.0

UPSTREAM: <carry>: (squash) Add detail to rebase doc

- Add new section 'Maintaining this document'
- Move checklist above the instructions to emphasize their importance
- Add new section 'Reacting to new commits'
- Mention that generated changes in carries should be dropped

UPSTREAM: <carry>: Enable CSI snapshot e2e tests

All images were uploaded to our quay.io mirror and the tests should
succeed.

UPSTREAM: <carry>: Stop skipping multi-az test (skipped upstream)

UPSTREAM: <carry>: bump tag version & update rebase doc

UPSTREAM: <carry>: update rebase doc & image

UPSTREAM: <carry>: update rebase doc

UPSTREAM: <carry>: update rebase doc

UPSTREAM: <carry>: update rebase doc

UPSTREAM: <carry>: Add Dockerfile to build pause image

Ensuring the target directory exists before writing a file to it.

UPSTREAM: <carry>: disable part of hack/verify-typecheck-providerless.sh due to our carry patches

UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-pod.yml

UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/691e628254f318ce56efda5edc7448ec743c37b8/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: Add process overlap detection event to watch-termination

NOTE: Squash this to watch-termination commit on rebase.

UPSTREAM: <carry>: openshift-hack/images/os/Dockerfile: Add io.openshift.build.versions, etc.

For example, consider the current 4.10 RHCOS:

  $ oc image info -o json registry.ci.openshift.org/ocp/4.10:machine-os-content | jq -r '.config.config.Labels | to_entries[] | .key + ": " + .value' | grep '^io\.k8s\|^io\.openshift'
  io.k8s.description: The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.
  io.k8s.display-name: Red Hat Universal Base Image 8
  io.openshift.build.version-display-names: machine-os=Red Hat Enterprise Linux CoreOS
  io.openshift.build.versions: machine-os=49.84.202109102026-0
  io.openshift.expose-services:
  io.openshift.tags: base rhel8

A bunch of those seem to be inherited from the UBI base image, so we
can leave them alone.  But the io.openshift.build.* entries are
RHCOS-specific, and are consumed by 'oc adm release new ...' [1,2] and
friends to answer questions like "which RHCOS is in this release?":

  $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.8.12-x86_64 | jq .displayVersions
  {
    "kubernetes": {
      "Version": "1.21.1",
      "DisplayName": ""
    },
    "machine-os": {
      "Version": "48.84.202109100857-0",
      "DisplayName": "Red Hat Enterprise Linux CoreOS"
    }
  }

Setting this label will avoid failures when consumers like
driver-toolkit's version consumer [3]:

  name: 0.0.1-snapshot-machine-os

bump into ci-tools-built machine-os-content images that lack the
io.openshift.build.versions declaration of machine-os version [4]:

  error: unable to create a release: unknown version reference "machine-os"

I've gone with generic testing values, so hopefully this is not
something that local maintainers need to remember to bump for each
OpenShift z stream.

[1]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/image_mapper.go#L328-L334
[2]: https://github.com/openshift/oc/blob/f94afb52dc8a3185b3b9eacaf92ec34d80f8708d/pkg/cli/admin/release/annotations.go#L19-L28
[3]: openshift/driver-toolkit@464acca#diff-4caed9b2b966a8fa7a016ae28976634a2d3d1b635c4e820d5c038b2305d6af53R18
[4]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/959/pull-ci-openshift-kubernetes-master-images/1438398678602616832#1:build-log.txt%3A97

UPSTREAM: <carry>: update rebase doc

UPSTREAM: <carry>: squash with the rest of tooling

UPSTREAM: <carry>: Updating openshift-enterprise-pod images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-pod.yml

UPSTREAM: <carry>: Updating openshift-enterprise-hyperkube images to be consistent with ART
Reconciling with https://github.com/openshift/ocp-build-data/tree/5b89f5b601508a0bcc0399fd3f34b7aa2e86e90e/images/openshift-enterprise-hyperkube.yml

UPSTREAM: <carry>: rebase script

openshift-rebase(v1.24):source=b2b619077ea

UPSTREAM: <carry>: Fix networking-related test exclusions

Tests that fail on openshift-sdn specifically should be tagged as
such, so that they don't also get skipped when running under
ovn-kubernetes or third-party network plugins.

UPSTREAM: <carry>: Skip "subPath should be able to unmount" NFS test

Due to a kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=1854379
in Linux 5.7+ this test fails - the bind-mounted NFS share cannot be
cleanly unmounted, gets "Stale file handle" error instead on umount.
As a result this test is permafailing on Fedora CoreOS nodes.

UPSTREAM: <carry>: Skip GlusterFS tests

GlusterFS is not supported in 4.x, we've been running its tests just
because we could. Now it does not work on IPv6 systems.

E [MSGID: 101075] [common-utils.c:312:gf_resolve_ip6] 0-resolver: getaddrinfo failed (Address family for hostname not supported)

UPSTREAM: <carry>: Skip GlusterFS tests

The previous commit left two GlusterFS test still running:

[sig-storage] Volumes GlusterFS should be mountable [Skipped:ibmcloud] [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-storage] Dynamic Provisioning GlusterDynamicProvisioner should create and delete persistent volumes

Skip it, we don't support Gluster and it does not work on ipv6

UPSTREAM: <carry>: 1.22 alpha & other tests disablement

UPSTREAM: <carry>: 1.21 alpha & other tests disablement

UPSTREAM: <carry>: Enable GenerciEphemeralVolume tests

UPSTREAM: <carry>: Re-enable [Feature:NetworkPolicy] tests which were wrongly disabled in rebase

UPSTREAM: <carry>: Reenable NetworkPolicy test

Signed-off-by: Mohamed Mahmoud <[email protected]>

UPSTREAM: <carry>: Conformance tests (sysctls) should be run

We have to run this test for conformance, and the tests pass. Reenable
this block which has been disabled for 2 releases (but appears to work fine).

UPSTREAM: <carry>: Don't force-disable IPv6, dual-stack, and SCTP tests

Instead, openshift-tests will enable or disable them depending on
cluster configuration.

UPSTREAM: <carry>: update Multi-AZ Cluster Volumes test name

This test was renamed upstream in
kubernetes@006dc74

UPSTREAM: <carry>: re-enable networking tests after rebase

During a bump to k8 ver. 1.22.0, networking
tests were disabled to accomplish the bump.
This disabled netpol and older network tests.
Netpol tests will be enabled in a following
PR and therefore only partially fixes BZ.

This commit partially fixes bug 1986307.
https://bugzilla.redhat.com/show_bug.cgi?id=1986307

Signed-off-by: Martin Kennelly <[email protected]>

UPSTREAM: <drop>: update test annotate rules

openshift-rebase(v1.24):source=7725d540b11

UPSTREAM: <carry>: Add DOWNSTREAM_OWNERS

UPSTREAM: <carry>: clarify downstream approver rules

openshift-rebase(v1.24):source=d74d9a2173b

UPSTREAM: <carry>: copy extensions into resulting image

openshift-rebase(v1.24):source=0bca5f4fa8e

UPSTREAM: <carry>: update rebase doc

openshift-rebase(v1.24):source=9b19ca983f4

UPSTREAM: <carry>: Fix conformance and serial tests by stopping node cordoning

Master nodes already have `master` taint which
cannot be tolerated by normal workloads. If we manually
cordon the master nodes again, some of the control plane
components cannot get rescheduled unless they have
toleration to the `node.kubernetes.io/unschedulable`
taint. Even if we have the toleration in the pod
spec, because of the backwards compability issues
scheduler will ignore nodes which have `unschedulable`
field set. IOW:

- Cordoning master nodes is redundant as masters already
  have taints
- Cordoning master nodes can cause issues which are hard
  to debug as control-plane components may be evicted/preempted
  during e2e run(highly unlikely but a possibility).

So, let's stop cordoning master nodes.

openshift-rebase(v1.24):source=9755d206dd5

UPSTREAM: <carry>: enable internal traffic policy tests

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1986307

Signed-off-by: Martin Kennelly <[email protected]>

openshift-rebase(v1.24):source=f921d48224f

UPSTREAM: <carry>: update rebase doc

openshift-rebase(v1.24):source=9119117160a

UPSTREAM: <carry>: enable e2e test after 1.23 rebase in sdn

Enable "[sig-network] Conntrack should be able to preserve UDP traffic when initial unready endpoints get ready" after 1.23 rebase in openshift/sdn

Signed-off-by: Riccardo Ravaioli <[email protected]>

openshift-rebase(v1.24):source=32ce0d0897c

openshift-rebase(v1.24):source=32ce0d0897c

openshift-rebase(v1.24):source=32ce0d0897c

UPSTREAM: <carry>: Unskip OCP SDN related tests

Unskip networkPolicy tests concerning IpBlock and
egress rules since both features have now been
implemented.

Signed-off-by: astoycos <[email protected]>

openshift-rebase(v1.24):source=aba8d2093ce

UPSTREAM: <carry>: enable should drop INVALID conntrack entries test

Signed-off-by: Jamo Luhrsen <[email protected]>

openshift-rebase(v1.24):source=3f7f68a7ce3

openshift-rebase(v1.24):source=3f7f68a7ce3

openshift-rebase(v1.24):source=3f7f68a7ce3

UPSTREAM: <carry>: update e2es

openshift-rebase(v1.24):source=96a18e04df7

UPSTREAM: revert: <carry>: Unskip OCP SDN related tests

These newly-enabled tests are breaking some CI, possibly due to race
conditions in the tests. Re-disable them for now.

This reverts commit aba8d20.

openshift-rebase(v1.24):source=d032c6e6463

UPSTREAM: <carry>: update hyperkube and image version

UPSTREAM: <drop>: disable e2e tests

- disable 'ProxyTerminatingEndpoints' feature e2e tests

- disable [sig-network] [Feature:Topology Hints] should distribute endpoints evenly
see https://bugzilla.redhat.com/show_bug.cgi?id=2079958 for more context

UPSTREAM: <carry>: Add kubensenter to the openshift RPM

This carry-patch adds the kubensenter script to the openshift-hyperkube
RPM, by importing it via the new hack/update-kubensenter.sh script.

Signed-off-by: Jim Ramsay <[email protected]>

UPSTREAM: <carry>: Skip session affinity timeout tests

in 4.12 and higher the default CNI is OVNKubernetes and
these two tests do not pass. Skip them. They are also
skipping in the origin test suites for ovnk.

Signed-off-by: Jamo Luhrsen <[email protected]>

UPSTREAM: <carry>: Update kubensenter to use exec instead of direct call

Because kubelet relies on systemd's Type=notify mechanism, we don't need
or want kubensenter to keep itself in the process tree. exec is best.

Signed-off-by: Jim Ramsay <[email protected]>

UPSTREAM: <carry>: update to ginkgo v2 - squash to tooling

Author: marun

Diff for: .ci-operator.yaml

@@ -0,0 +1,4 @@
+build_root_image:
+  name: release
+  namespace: openshift
+  tag: rhel-8-release-golang-1.19-openshift-4.12

Diff for: .gitignore

@@ -123,3 +123,6 @@ zz_generated_*_test.go
 
 # generated by verify-vendor.sh
 vendordiff.patch
+
+# Ignore openshift source archives produced as part of rpm build
+openshift*.tar.gz

Diff for: DOWNSTREAM_OWNERS

@@ -0,0 +1,28 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+filters:
+  ".*":
+    # Downstream reviewers, don't have to match those in OWNERS
+    reviewers:
+    - deads2k
+    - sttts
+    - soltysh
+    - mfojtik
+
+    # Approvers are limited to the team that manages rebases and pays the price for carries that are introduced
+    approvers:
+    - deads2k
+    - sttts
+    - soltysh
+    - mfojtik
+
+  "^\\.go.(mod|sum)$":
+    labels:
+    - "vendor-update"
+  "^vendor/.*":
+    labels:
+    - "vendor-update"
+  "^staging/.*":
+    labels:
+    - "vendor-update"
+component: kube-apiserver

Diff for: README.openshift.md

@@ -0,0 +1,73 @@
+# OpenShift's fork of k8s.io/kubernetes
+
+This respository contains core Kubernetes components with OpenShift-specific patches.
+
+## Cherry-picking an upstream commit into openshift/kubernetes: Why, how, and when.
+
+`openshift/kubernetes` carries patches on top of each rebase in one of two ways:
+
+1. *periodic rebases* against an upstream Kubernetes tag.  Eventually,
+any code you have in upstream Kubernetes will land in Openshift via
+this mechanism.
+
+2. Cherry-picked patches for important *bug fixes*.  We really try to
+limit feature back-porting entirely. Unless there are exceptional circumstances, your backport should at least be merged in kubernetes master branch. With every carry patch (not included in upstream) you are introducing a maintenance burden for the team managing rebases.
+
+### For Openshift newcomers: Pick my Kubernetes fix into Openshift vs. wait for the next rebase?
+
+Assuming you read the bullets above... If your patch is really far behind, for
+example, if there have been 5 commits modifying the directory you care about,
+cherry picking will be increasingly difficult and you should consider waiting
+for the next rebase, which will likely include the commit you care about or at
+least decrease the amount of cherry picks you need to do to merge.
+
+To really know the answer, you need to know *how many commits behind you are in
+a particular directory*, often.
+
+To do this, just use git log, like so (using pkg/scheduler/ as an example).
+
+```
+MYDIR=pkg/scheduler/algorithm git log --oneline --
+  ${MYDIR} | grep UPSTREAM | cut -d' ' -f 4-10 | head -1
+```
+
+The commit message printed above will tell you:
+
+- what the LAST commit in Kubernetes was (which effected
+"/pkg/scheduler/algorithm")
+- directory, which will give you an intuition about how "hot" the code you are
+cherry picking is.  If it has changed a lot, recently, then that means you
+probably will want to wait for a rebase to land.
+
+### Cherry-picking an upstream change
+
+Since `openshift/kubernetes` closely resembles `k8s.io/kubernetes`,
+cherry-picking largely involves proposing upstream commits in a PR to our
+downstream fork. Other than the usual potential for merge conflicts, the
+commit messages for all commits proposed to `openshift/kubernetes` must
+reflect the following:
+
+- `UPSTREAM: <UPSTREAM PR ID>:` The prefix for upstream commits to ensure
+  correct handling during a future rebase. The person performing the rebase
+  will know to omit a commit with this prefix if the referenced PR is already
+  present in the new base history.
+- `UPSTREAM: <drop>:` The prefix for downstream commits of code that is
+  generated (i.e. via `make update`) or that should not be retained by the
+  next rebase.
+- `UPSTREAM: <carry>:` The prefix for downstream commits that maintain
+  downstream-specific behavior (i.e. to ensure an upstream change is
+  compatible with OpenShift). Commits with this are usually retained across
+  rebases.
+
+## Updating openshift/kubernetes to a new upstream release
+
+Instructions for rebasing `openshift/kubernetes` are maintained in a [separate
+document](REBASE.openshift.md).
+
+## RPM Packaging
+
+A specfile is included in this repo which can be used to produce RPMs
+including the openshift binary. While the specfile will be kept up to
+date with build requirements the version is not updated. Building the
+rpm with the `openshift-hack/build-rpms.sh` helper script will ensure
+that the version is set correctly.