OCPBUGS-86797,OPRUN-4415: Synchronize From Upstream Repositories #743
openshift-bot wants to merge 116 commits into
… to 0.9.0 (#2730)

* 🌱 Bump github.com/operator-framework/helm-operator-plugins

Bumps [github.com/operator-framework/helm-operator-plugins](https://github.com/operator-framework/helm-operator-plugins) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/operator-framework/helm-operator-plugins/releases)
- [Commits](operator-framework/helm-operator-plugins@v0.8.0...v0.9.0)

updated-dependencies:
- dependency-name: github.com/operator-framework/helm-operator-plugins
  dependency-version: 0.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor

Signed-off-by: dependabot[bot] <support@github.com>

* fix: add Config() method to ActionInterface mocks for helm-operator-plugins v0.9.0

helm-operator-plugins v0.9.0 added Config() *action.Configuration to ActionInterface. Update test mocks to implement the new method.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Todd Short <tshort@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Todd Short <tshort@redhat.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
The catalogd HTTP server (port 8443) hardcoded MinVersion: tls.VersionTLS12 and ignored cipher suite/curve configuration, making it non-compliant with OpenShift's central TLS policy (OPRUN-4415). The TLS profile flags (--tls-profile, --tls-custom-ciphers, etc.) were already parsed and applied to the webhook and metrics servers, but the catalog server's CatalogServerConfig had no field to receive them, and the server did not disable HTTP/2 (unlike the webhook and metrics servers, which set NextProtos=["http/1.1"] to mitigate GHSA-qppj-fm5r-hxr3 and GHSA-4374-p667-p6c8).

Add a TLSOpts field to CatalogServerConfig and apply all TLS settings exclusively via those functions, keeping TLS policy out of serverutil entirely. This includes GetCertificate (previously hardcoded from the certwatcher), so the cw parameter is removed from AddCatalogServerToManager. Wire both the TLS profile function and the HTTP/2-disabling opts into the catalog server config in main — in the same order as the webhook and metrics servers (tlsOpts then tlsProfile).

Fail fast at startup if TLSOpts do not configure any certificate source (GetCertificate, GetConfigForClient, or Certificates), so a misconfiguration surfaces immediately rather than allowing the server to become ready while every TLS handshake silently fails.

Fixes: OCPBUGS-86797
Relates-to: OPRUN-4415
Signed-off-by: Todd Short <tshort@redhat.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
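The wiring the commit message describes, as an added example in Go that is not code from this PR or from operator-controller: a slice of TLS option functions applied in the same order as for the webhook and metrics servers (tlsOpts, then the profile), HTTP/2 disabled through NextProtos, the fail-fast check that refuses to start when no opt supplied a certificate source, and a loopback handshake that confirms what a client actually negotiates instead of trusting the struct fields. The TLSOpt type, the CatalogServerConfig stand-in, ExampleProfile, WithGetCertificate, SelfSignedCert and Handshake are all assumptions of this example; OpenShift's real profile table, the certwatcher and serverutil are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSOpt mutates a *tls.Config; controller-runtime's webhook and metrics servers take their
// TLS policy as a slice of these. CatalogServerConfig is a hypothetical stand-in for the real struct.
type TLSOpt func(*tls.Config)

type CatalogServerConfig struct{ TLSOpts []TLSOpt }

// DisableHTTP2 pins ALPN to HTTP/1.1, the mitigation the webhook and metrics servers already apply.
func DisableHTTP2(c *tls.Config) { c.NextProtos = []string{"http/1.1"} }

// ExampleProfile stands in for the --tls-profile function; it only raises the floor to TLS 1.3.
func ExampleProfile(c *tls.Config) { c.MinVersion = tls.VersionTLS13 }

// WithGetCertificate supplies the certificate source as an opt, the role the certwatcher's
// GetCertificate plays once it is no longer wired directly in serverutil.
func WithGetCertificate(cert *tls.Certificate) TLSOpt {
	return func(c *tls.Config) {
		c.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cert, nil }
	}
}

var ErrNoCertSource = errors.New("TLSOpts configured no certificate source (GetCertificate, GetConfigForClient, or Certificates)")

// BuildTLSConfig applies the opts in order (tlsOpts first, then the profile) and refuses to start
// when none of them set a certificate source, so the misconfiguration surfaces at startup.
func BuildTLSConfig(cfg CatalogServerConfig) (*tls.Config, error) {
	tlsCfg := &tls.Config{}
	for _, opt := range cfg.TLSOpts {
		opt(tlsCfg)
	}
	if tlsCfg.GetCertificate == nil && tlsCfg.GetConfigForClient == nil && len(tlsCfg.Certificates) == 0 {
		return nil, ErrNoCertSource
	}
	return tlsCfg, nil
}

// SelfSignedCert creates a throwaway certificate for the in-process check only.
func SelfSignedCert() (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake serves one loopback connection with srv and reports what a client offering both h2 and
// http/1.1 actually negotiated: this proves HTTP/2 is off and the version floor holds on the wire.
func Handshake(srv *tls.Config) (proto string, version uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli := &tls.Config{InsecureSkipVerify: true, NextProtos: []string{"h2", "http/1.1"}} // self-signed test cert only
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, st.Version, nil
}

func main() {
	_, err := BuildTLSConfig(CatalogServerConfig{TLSOpts: []TLSOpt{DisableHTTP2, ExampleProfile}})
	fmt.Println("startup refused:", err) // no certificate source configured
	cert, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv, err := BuildTLSConfig(CatalogServerConfig{TLSOpts: []TLSOpt{WithGetCertificate(cert), DisableHTTP2, ExampleProfile}})
	if err != nil {
		panic(err)
	}
	proto, ver, err := Handshake(srv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated ALPN %q, TLS version 0x%04x\n", proto, ver)
}
```

The ordering matters: a later opt can overwrite a field set by an earlier one, which is why the profile is applied after the HTTP/2 opt as the commit describes, and why the handshake check is worth keeping in a test rather than only inspecting the assembled tls.Config.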
@openshift-bot: This pull request references Jira Issue OCPBUGS-86797, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker. This pull request references OPRUN-4415 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Walkthrough
Catalog server TLS wiring now accepts TLS option functions via CatalogServerConfig.TLSOpts and removes direct cert-watcher injection; serverutil builds and validates tls.Config from those options. Tests added for TLS behavior. Helm test mocks updated to satisfy interfaces. Multiple Go/Python dependency and OWNERS updates applied repository-wide.
Changes: TLS Refactoring & Repo Updates
Estimated code review effort: 4 (Complex), ~45 minutes
@openshift-bot: This pull request references Jira Issue OCPBUGS-86797, which is valid. 3 validation(s) were run on this bug.
This pull request references OPRUN-4415 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is APPROVED
Approval requirements bypassed by manually added approval. This pull-request has been approved by: openshift-bot
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
It was a network test failure.
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v6.0.0...v6.0.1)
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v6.0.2)
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/operator-framework/helm-operator-plugins](https://github.com/operator-framework/helm-operator-plugins) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/operator-framework/helm-operator-plugins/releases)
- [Commits](operator-framework/helm-operator-plugins@v0.9.0...v0.9.1)
updated-dependencies:
- dependency-name: github.com/operator-framework/helm-operator-plugins
  dependency-version: 0.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [click](https://github.com/pallets/click) from 8.3.3 to 8.4.0.
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.3.3...8.4.0)
updated-dependencies:
- dependency-name: click
  dependency-version: 8.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.21.5 to 0.21.6.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](google/go-containerregistry@v0.21.5...v0.21.6)
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [lxml](https://github.com/lxml/lxml) from 6.1.0 to 6.1.1.
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.1.0...lxml-6.1.1)
updated-dependencies:
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
New changes are detected. LGTM label has been removed.
/test okd-scos-images
Bumps [certifi](https://github.com/certifi/python-certifi) from 2026.4.22 to 2026.5.20.
- [Commits](certifi/python-certifi@2026.04.22...2026.05.20)
updated-dependencies:
- dependency-name: certifi
  dependency-version: 2026.5.20
  dependency-type: direct:production
  update-type: version-update:semver-minor
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@v10.2.0...v10.3.0)
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🌱 Bump go.podman.io/image/v5 from 5.39.2 to 5.40.0

Bumps [go.podman.io/image/v5](https://github.com/podman-container-tools/container-libs) from 5.39.2 to 5.40.0.
- [Release notes](https://github.com/podman-container-tools/container-libs/releases)
- [Commits](podman-container-tools/container-libs@image/v5.39.2...image/v5.40.0)

updated-dependencies:
- dependency-name: go.podman.io/image/v5
  dependency-version: 5.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor

Signed-off-by: dependabot[bot] <support@github.com>

* fix(test): isolate image puller test from system registries.conf

The defaultContextFunc used in TestContainersImagePuller_Pull did not set SystemRegistriesConfPath, causing it to fall back to the system /etc/containers/registries.conf. go.podman.io/image/v5 v5.40.0 now validates this file's format earlier, so CI runners with a v1-format file fail before even reaching the registry connection attempt.

Apply the same pattern already used by buildSourceContextFunc: write an empty but valid v2 registries.conf to a temp dir and point SystemRegistriesConfPath at it, making the test hermetic.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Todd Short <tshort@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Todd Short <tshort@redhat.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…64 support Signed-off-by: Daniel Franz <dfranz@redhat.com>
Signed-off-by: Todd Short <tshort@redhat.com>
…t in OTE tests

Update all remaining references to ClusterExtensionRevision in openshift/tests-extension to use ClusterObjectSet, matching the upstream rename in operator-framework/operator-controller#2589.

Files updated:
- test/qe/specs/olmv1_ce.go: RBAC resource names and comments
- test/olmv1-preflight.go: scenario constants, test names, RBAC rules
- .openshift-tests-extension/openshift_payload_olmv1.json: test name
- pkg/bindata/qe/bindata.go: embedded RBAC templates
- test/qe/testdata/olm/sa-nginx-limited-boxcutter.yaml: RBAC resources
- test/qe/testdata/olm/sa-nginx-insufficient-operand-rbac-boxcutter.yaml: RBAC resources

Signed-off-by: Camila Macedo <cmacedo@redhat.com>
Made-with: Cursor
…s ClusterObjectSet

The upstream rename of ClusterExtensionRevision to ClusterObjectSet (operator-framework/operator-controller#2589) breaks the incompatible operator detection in cluster-olm-operator. The cluster-olm-operator binary still reads ClusterExtensionRevision resources to find operators with olm.maxOpenShiftVersion, so after the rename it never detects incompatible operators and InstalledOLMOperatorsUpgradeable stays True.

Skip this test when NewOLMBoxCutterRuntime feature gate is enabled until cluster-olm-operator is updated to read ClusterObjectSet.

Signed-off-by: Camila Macedo <cmacedo@redhat.com>
Made-with: Cursor
Signed-off-by: Francesco Giudici <fgiudici@redhat.com>
Signed-off-by: Todd Short <todd.short@me.com>
…to run outside of OCP
…ffinity for HA topology

Rolling updates in HighlyAvailable clusters leave catalogd and operator-controller unavailable when the only running pod is evicted before its replacement is ready.

Fix by defaulting replicas=1 and PDB disabled in the static Helm values (safe for SNO/External topologies, passes the SNO conformance test that asserts exactly one replica in SingleReplica topology mode). Add pod anti-affinity to prefer scheduling replicas on different nodes.

cluster-olm-operator detects the cluster's ControlPlaneTopology at startup and overrides these values to replicas=2 and PDB enabled when a HighlyAvailable topology is detected, then re-renders the manifests before starting controllers. When a topology change is observed at runtime (exceedingly rare), the operator exits so its deployment controller restarts it, triggering a fresh Helm render with the correct values for the new topology.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>
…etween both-watch-modes scenarios

The both-watch-modes test loops over two scenarios (singlens, ownns) inside a single It block and was blocking on full namespace deletion between them. This caused flaky 300s timeouts on GCP techpreview clusters where master nodes run at 94-99% CPU, which starves the namespace controller and makes namespace termination arbitrarily slow.

The wait was not guarding anything real:
- EnsureCleanupClusterExtension already ensures the CE and CRD are gone; since CE deletion uses ForegroundPropagation, the ClusterObjectSet teardown must complete before the CE disappears, meaning all managed resources (Deployments, Services, etc.) are already deleted at that point.
- The singleown bundle installs no ValidatingWebhookConfiguration or MutatingWebhookConfiguration, so there is no webhook admission risk.
- Each scenario generates unique namespace names and CRD group suffixes via rand.String(4), so a terminating namespace from scenario 1 cannot collide with or interfere with scenario 2's resources.

Trigger both namespace deletions and proceed without waiting. The DeferCleanup registrations that already exist will handle any residual cleanup after the spec exits.

Fixes: OCPBUGS-84943
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>
- Replace broken test-experimental-e2e target (test/experimental-e2e no longer exists) with /bin/true so triggered jobs always succeed
- Pass -timeout=60m to go test; the previous invocation relied on Go's 10m default which is too short for BoxcutterRuntime clusters
- Set E2E_STEP_TIMEOUT=15m; BoxcutterRuntime applies resources through sequential phases (CRD must reach Established before the deploy phase starts), making installations slower than the upstream 5m default
- Skip ~@CatalogdHA scenarios (require multiple catalogd replicas not present in standard topology)
- Skip ~@ProgressDeadline scenarios (require progressDeadlineMinutes < 10 but the OpenShift CRD enforces a minimum of 10)
- Skip ~@httpproxy scenarios (too disruptive to cluster networking)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>
The e2e-test-registry image is no longer built by CI after openshift/release#78581 removed it from the CI config. The dynamic per-scenario catalog system replaced the pre-built registry image, making this Dockerfile dead code.
It's no longer being used.
Signed-off-by: Todd Short <tshort@redhat.com>
Adds a new test that verifies cluster-olm-operator correctly configures operator-controller and catalogd deployments based on the cluster's control plane topology:
- HA topologies (HighlyAvailable, HighlyAvailableArbiter, DualReplica): replicas=2 with a PodDisruptionBudget present
- Non-HA topologies (SingleReplica/SNO, External): replicas=1, no PDB

Also registers policyv1 in the test scheme to support PDB list queries.

Assisted-by: claude
Signed-off-by: Todd Short <tshort@redhat.com>
… builders Signed-off-by: Todd Short <tshort@redhat.com>
JIRA Tickets:
The downstream repository has been updated with the following upstream commits:
The vendor/ directory has been updated and the following commits were carried:
@catalogd-update
This pull request is expected to merge without any human intervention. If tests are failing here, changes must land upstream to fix any issues so that future downstreaming efforts succeed.
/assign @openshift/openshift-team-operator-runtime