Downstream sync 08/09 #352
Conversation
* (psa) make workloads compatible with psa:restricted profile With the introduction of [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces), the recommended best practice is to enforce the Restricted policy of admission (see [1] for more details). This PR
*) Labels the olm namespace as `enforce:restricted`
*) Labels the operators namespace as `enforce:baseline` (to allow existing CSV deployments without securityContext set to deploy in the namespace, which won't be possible with `enforce:restricted`)
*) updates the securityContext of olm workload pods (olm-operator, catalog-operator, and CatalogSource registry pods) to adhere to the `Restricted` policy.
*) updates the bundle unpacking job to create a pod that adheres to the `Restricted` policy, so that bundles can be unpacked in the `Restricted` namespace.
Signed-off-by: Anik Bhattacharjee <[email protected]>
* (flaky test fix): GC CSV with wrong namespace annotation The test was modifying the `olm.operatornamespace` to an incorrect value, and checking to make sure that the CSV was garbage collected as a result. However, the olm-controller was copying a fresh copy back into the namespace, so whenever the test was able to get a yes reply to the question "is the CSV gone", in the brief window before it was copied back again, the test was passing. This commit fixes that by making sure that if we find a CSV that we expected to be garbage collected, it passes if it determines that the CSV is a fresh copy, and not the one modified before. Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-commit: 67177c0c822fbe7d554669262c6b4f54bebad17f Upstream-repository: operator-lifecycle-manager
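The commit above moves the OLM workloads into a namespace labelled `enforce:restricted`, which means the admission controller rejects any pod whose securityContext does not satisfy the Restricted profile. The following Go program, added here as an illustration and not part of OLM's code, applies the container-level checks that most often reject operator pods (runAsNonRoot, allowPrivilegeEscalation, capabilities, seccompProfile, with the pod-to-container inheritance rules the profile uses) to two constructed pod manifests: one with no securityContext at all, and one with the fields set. The struct types mirror only the relevant Kubernetes fields and are written for this example; the full profile also restricts volume types, host namespaces, privileged mode and sysctls.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written mirrors of the pod fields the Restricted profile inspects
// (not the k8s.io/api types).
type SeccompProfile struct {
	Type string `json:"type"`
}

type Capabilities struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}

type SecurityContext struct {
	RunAsNonRoot             *bool           `json:"runAsNonRoot"`
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation"`
	Capabilities             *Capabilities   `json:"capabilities"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext"`
}

type Pod struct {
	Spec struct {
		SecurityContext *SecurityContext `json:"securityContext"`
		InitContainers  []Container      `json:"initContainers"`
		Containers      []Container      `json:"containers"`
	} `json:"spec"`
}

// Constructed sample pods: a pre-PSA style deployment with no securityContext,
// and the same pod with the fields the Restricted profile requires.
const VulnerablePod = `{"spec":{"containers":[{"name":"olm-operator"}]}}`

const HardenedPod = `{"spec":{
  "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
  "containers":[{"name":"olm-operator","securityContext":{
    "allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}`

// nonRootOK: a container-level runAsNonRoot wins; otherwise the pod-level
// value is inherited; unset at both levels fails.
func nonRootOK(sc, podSC *SecurityContext) bool {
	if sc != nil && sc.RunAsNonRoot != nil {
		return *sc.RunAsNonRoot
	}
	return podSC != nil && podSC.RunAsNonRoot != nil && *podSC.RunAsNonRoot
}

// seccompOK applies the same inheritance rule to seccompProfile.type.
func seccompOK(sc, podSC *SecurityContext) bool {
	var p *SeccompProfile
	if sc != nil && sc.SeccompProfile != nil {
		p = sc.SeccompProfile
	} else if podSC != nil {
		p = podSC.SeccompProfile
	}
	return p != nil && (p.Type == "RuntimeDefault" || p.Type == "Localhost")
}

// RestrictedViolations returns the reasons a pod would be rejected by a
// namespace labelled pod-security.kubernetes.io/enforce=restricted.
func RestrictedViolations(podJSON string) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal([]byte(podJSON), &pod); err != nil {
		return nil, err
	}
	podSC := pod.Spec.SecurityContext
	all := append([]Container{}, pod.Spec.InitContainers...)
	all = append(all, pod.Spec.Containers...)
	var violations []string
	for _, c := range all {
		sc := c.SecurityContext
		if !nonRootOK(sc, podSC) {
			violations = append(violations, c.Name+": runAsNonRoot must be true")
		}
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			violations = append(violations, c.Name+": allowPrivilegeEscalation must be false")
		}
		dropsAll := false
		if sc != nil && sc.Capabilities != nil {
			for _, d := range sc.Capabilities.Drop {
				dropsAll = dropsAll || d == "ALL"
			}
			for _, a := range sc.Capabilities.Add {
				if a != "NET_BIND_SERVICE" {
					violations = append(violations, c.Name+": capabilities.add may only contain NET_BIND_SERVICE")
				}
			}
		}
		if !dropsAll {
			violations = append(violations, c.Name+": capabilities.drop must include ALL")
		}
		if !seccompOK(sc, podSC) {
			violations = append(violations, c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
		}
	}
	return violations, nil
}

func main() {
	for _, p := range []string{VulnerablePod, HardenedPod} {
		v, err := RestrictedViolations(p)
		fmt.Println(len(v), "violation(s):", v, err)
	}
}
```

Running it reports four violations for the first pod and none for the second, which is the same outcome the admission controller would give when the namespace carries the `enforce:restricted` label. Setting `runAsNonRoot` and `seccompProfile` once at pod level and `allowPrivilegeEscalation` and `capabilities` per container is the smallest change that satisfies the profile.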
This PR: * introduces a chart value that decides if the --set-workload-user-id flag to true or false for the catalog-operator container * introduces chart values to fill in the psa enforce level/version for the namespaces Closes #2827 Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-commit: 2bf96e200400378e67c3c1596454c8ff3b46db1b Upstream-repository: operator-lifecycle-manager
…penshift#250) Signed-off-by: perdasilva <[email protected]> Upstream-commit: f8da7254a5aabb477235d297f080af29f7fb0be4 Upstream-repository: api
….config (openshift#250)" This reverts commit f8da7254a5aabb477235d297f080af29f7fb0be4. Upstream-commit: 5490427930e127437fec9224e59cee50405ca131 Upstream-repository: api
Signed-off-by: perdasilva <[email protected]> Upstream-commit: ae4da2a9ec6a5c8e8725f62eecd5c18bb1816658 Upstream-repository: api
* vendor new o_f/api version Signed-off-by: perdasilva <[email protected]> * Update olm controller to handle Subscription.config.affinity Signed-off-by: perdasilva <[email protected]> Upstream-commit: 55230179df33811fce196cca595c474bf4faaeff Upstream-repository: operator-lifecycle-manager
Problem: When uninstalling a CSV, OLM has always avoided deleting the associated CRD as all CRs on cluster are subsequently deleted, possibly resulting in user data loss. OLM supports defining conversion webhooks within the CSV. On cluster, conversion webhooks are defined with a CRD and point to a service that handles conversion. If the service is unable to fulfill the request, all requests against the CRs associated with the CRD will fail. When uninstalling a CSV, OLM does not remove the conversion webhook from the CRD, meaning that all requests against the CRs associated with the CRD will fail, resulting in at least two concerns: 1. OLM is unable to subsequently reinstall the operator. When installing a CSV, if the CRD already exists and instances of CRs exist as well, OLM performs a series of checks which ensure that none of the CRs are invalidated against the new schema. The existing CRD's conversion webhook points to a non-existent service, causing the check to fail and preventing installs. 2. Broken conversion webhooks cause Kubernetes' garbage collection to fail. Solution: When a CSV is deleted, if no CSV exists that is replacing it, set the CRD's conversion strategy to None. Signed-off-by: Alexander Greene <[email protected]> Upstream-commit: 94374983d448c56d031f0493b84b6dce37b84741 Upstream-repository: operator-lifecycle-manager
Recently during an audit on a user's cluster, it was discovered that OLM's certificate generation functionality has a few minor shortcomings. 1) The generated CA and server cert do not include a common name, which causes some tooling to have trouble tracing the cert chain. 2) The generated CA and server cert include unnecessary key usages, which means those certificates can be used for more than their intended purposes. This commit resolves the above issues by ensuring the certificates include common names and by using the minimal key usages necessary. Signed-off-by: Joe Lanford <[email protected]> Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274 Upstream-repository: operator-lifecycle-manager
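The two findings in the commit above (no common name, and broader key usages than the certificates' roles need) are easy to check for in Go's standard library. The program below is an added example, not OLM's own certificate code: it issues a CA and a server certificate with constructed names, gives each a CommonName, limits the CA to certificate and CRL signing and the server certificate to digital signature plus the serverAuth extended key usage, and then verifies the chain against a DNS name the way client tooling does. ECDSA P-256 keys are used for speed; with ECDSA the keyEncipherment bit is not needed, which is why it is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPair holds the parsed CA and server certificates produced by
// GenerateMinimalChain.
type CertPair struct {
	CA     *x509.Certificate
	Server *x509.Certificate
}

// GenerateMinimalChain issues a CA and a server certificate signed by it.
// Both carry a CommonName; key usages are the minimum for each role.
// caCN, serverCN and dnsNames are caller-supplied (constructed in the test).
func GenerateMinimalChain(caCN, serverCN string, dnsNames []string) (*CertPair, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caCN},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may issue leaf certificates only
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: serverCN},
		DNSNames:              dnsNames,
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // explicitly not a CA
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	serverDER, err := x509.CreateCertificate(rand.Reader, serverTmpl, caCert, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	serverCert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return nil, err
	}
	return &CertPair{CA: caCert, Server: serverCert}, nil
}

// VerifyServerChain performs the check a TLS client performs: the server
// certificate must chain to the CA, match dnsName, and permit serverAuth.
func VerifyServerChain(p *CertPair, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA)
	_, err := p.Server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := GenerateMinimalChain("example-ca", "example-service", []string{"example-service.example-ns.svc"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA CN=%q usage=%d\n", p.CA.Subject.CommonName, p.CA.KeyUsage)
	fmt.Printf("server CN=%q usage=%d eku=%v\n", p.Server.Subject.CommonName, p.Server.KeyUsage, p.Server.ExtKeyUsage)
	fmt.Println("chain verifies:", VerifyServerChain(p, "example-service.example-ns.svc") == nil)
}
```

The CA certificate carries no serverAuth extended key usage and a path length of zero, so even if it leaked it could not be presented as a TLS server certificate or used to mint an intermediate; the server certificate cannot sign other certificates. Those are the two properties the commit's "minimal key usages" wording refers to.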
This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directories created using `ioutil.TempDir` needed to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate, e.g. `defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } }()`, is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <[email protected]> Upstream-commit: 43e43240dd9c32dcb7742e96afb1ab3fd63a9ce2 Upstream-repository: operator-registry
Signed-off-by: timflannagan <[email protected]>
Signed-off-by: timflannagan <[email protected]> Upstream-commit: 33ed9ea30b4daea03435c2ba3839a6ce79894a75 Upstream-repository: operator-registry
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anik120 The full list of commands accepted by this bot can be found here. The pull request process is described here
@anik120: The following tests failed, say
I've broken down this sync PR into multiple PRs for a trial no-FF process with QE
closing in favor of the other, decomposed sync PRs
/hold for #349