NO-ISSUE: Synchronize From Upstream Repositories #471
This fixes a downstream bug

There was a problem downstream where the OpenShift service-ca was not yet available, and due to the way the manifests were set up, the service-ca was considered to be part of the SystemCertPool. The problem is that the SystemCertPool, once initialized, will never reload itself. We can get into this situation when we use SSL_CERT_DIR and SSL_CERT_FILE to provide OpenShift CAs to be used by containers/image for pulling. These environment variables change the source of the SystemCertPool. The CertPoolWatcher then watches these locations, and tries to update the pool it provides to the HTTPS client connecting to catalogd. But the SystemCertPool is never updated. (It did not help that there was no explicit CertPoolWatcher for the pull CAs.)

I tried to fix this downstream by removing SSL_CERT_DIR, and specifying the `--pull-cas-dir` option. This means that containers/image would directly use certificates that we specify, rather than the default location. But this breaks the use of custom CAs for local image registries. The containers/image package does not provide a way to manipulate the certificate locations beyond a simple directory setting, and we need to leave that directory setting as the default in downstream because it (i.e. /etc/docker/certs.d) is a host-mounted directory that contains certificates for local image registries. And it is possible to configure a custom CA for a local image registry, so that directory must be included, ALONG with the OpenShift provided CAs and service-ca, which is defined by SSL_CERT_DIR. But because of the use of SSL_CERT_DIR to include the OpenShift service-ca, if the service-ca was not available at startup, but became available later, it was not possible to reload the SystemCertPool, which could cause problems in operator-controller when it tried to connect to catalogd.

The fundamental problem is that there's no way to refresh the SystemCertPool, which will become more and more of an issue as certificate lifetimes decrease. Using SSL_CERT_DIR allows us to use the CertPoolWatcher to notice changes to the SystemCertPool. This will allow us to restart the process when certificates change (e.g. OpenShift service-ca becomes available).

Changes:
* Update CertPoolWatcher to restart on changes to SSL_CERT_DIR and SSL_CERT_FILE
* Update CertPoolWatcher to use a Runnable interface, so that it can be added to the manager, and started later, which may improve the chances that the service-ca is ready.
* Update CertPoolWatcher to not be created when there's nothing to watch.
* Add CertPoolWatcher to catalogd for pull CAs
* Add CertPoolWatcher to operator-controller for pull CAs
* Improve logging

With this, my downstream manifest change should be reverted.

Assisted-by: Claude Code (alternatives)
Signed-off-by: Todd Short <[email protected]>
…ot module (#2202)

* retract v1.5.0; exclude hack/kind-config/containerd/certs.d from root module
* fixup! retract v1.5.0; exclude hack/kind-config/containerd/certs.d from root module
* fixup! retract v1.5.0; exclude hack/kind-config/containerd/certs.d from root module

Signed-off-by: Todd Short <[email protected]>
---------
Signed-off-by: Todd Short <[email protected]>
Co-authored-by: Todd Short <[email protected]>
* Move to a helm-based configuration

  This does not remove the kustomize config, but instead puts a helm chart into the repo, that should give very close (but not identical) results.

  * Adds a new chart: helm/olmv1/
    - standard
    - experimental
    - openshift
    - cert-manager
    - e2e
    - tilt
  * Adds "values" files in helm/
  * Adds helm executable to .bingo/
  * Updates documents in docs/drafts/
  * Update tests in tests/
  * Update `make manifests` to use helm chart
    - Update the checked-in manifests
    - Use a tool like `dyff` to properly diff the manifests
  * Pull RBAC and WebHook config out of the golang code
    - controller-tools is no longer used to generate RBAC/Webhooks
    - These resources are not part of the helm chart
    - The CRDs are still generated via kubebuilder

  Significant changes to the resulting manifests are listed in the RFC.

  Signed-off-by: Todd Short <[email protected]>
  Assisted-by: Gemini (research)
  Assisted-by: Claude Code (analysis)

* Move files into directories

  Signed-off-by: Todd Short <[email protected]>
  Assisted-by: Gemini (research)
  Assisted-by: Claude Code (analysis)

* Add variable settings to Makefile to control Helm charts

  Signed-off-by: Todd Short <[email protected]>
  Assisted-by: Gemini (research)
  Assisted-by: Claude Code (analysis)

* Add prometheus Helm chart

  This is currently separate due to the ordering of application. If we change the order, this could be included in the main Helm Chart.

  Signed-off-by: Todd Short <[email protected]>
  Assisted-by: Gemini (research)
  Assisted-by: Claude Code (analysis)

* Add lint-helm target and CI

  Signed-off-by: Todd Short <[email protected]>
  Assisted-by: Gemini (research)
  Assisted-by: Claude Code (analysis)

* Add Boxcutter support

  Signed-off-by: Todd Short <[email protected]>

* Update catalogs to use 4.20

  Signed-off-by: Todd Short <[email protected]>

* Remove clusterextension editor role

  Signed-off-by: Todd Short <[email protected]>

* Remove configmaps from leader election role

  Signed-off-by: Todd Short <[email protected]>

* Remove stale comment from config manager role

  Signed-off-by: Todd Short <[email protected]>

* Add templating failure for featureSet

  Signed-off-by: Todd Short <[email protected]>

---------
Signed-off-by: Todd Short <[email protected]>
Signed-off-by: Todd Short <[email protected]>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pkg.package-operator.run/boxcutter](https://github.com/package-operator/boxcutter) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/package-operator/boxcutter/releases) - [Commits](package-operator/boxcutter@v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: pkg.package-operator.run/boxcutter dependency-version: 0.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.36.0 to 0.37.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…214) Downstream e2es are failing because the old selectors are still being used.
Signed-off-by: Joe Lanford <[email protected]>
Sets a limit to the number of previous ClusterExtensionRevisions we keep in the cluster, and trims the list of previous revisions when creating new revisions to stay at the limit. The limit has been set to 5 for now. Any revisions beyond this limit will be removed from the cluster. Signed-off-by: Daniel Franz <[email protected]>
This reverts PR2195. This reverts commit febdb59. Signed-off-by: Todd Short <[email protected]>
* move helm converter to applier package Signed-off-by: Per Goncalves da Silva <[email protected]> * Address reviewer comments Signed-off-by: Per Goncalves da Silva <[email protected]> --------- Signed-off-by: Per Goncalves da Silva <[email protected]> Co-authored-by: Per Goncalves da Silva <[email protected]>
@tmshort: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@tmshort: GitHub didn't allow me to request PR reviews from the following users: openshift/openshift-team-operator-framework. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@tmshort: The label(s) In response to this:
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: tmshort. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
/verified by @bandrade
@bandrade: This PR has been marked as verified by In response to this:
… certificate rotation This change is a refactor of code from openshift/origin#30059. Assisted-by: Gemini
…tion test, mirroring the logic used in the certificate rotation test. This makes the test more robust by ensuring a new secret is created, not just that an existing one is still present.
…ate with new tests
Signed-off-by: grokspawn <[email protected]>
This commit migrates the olmv1_catalog set of tests from openshift/origin to OTE as part of the broad effort to migrate all tests. Assisted-by: Gemini
This commit migrates the OLMv1 single and own namespace watch mode tests from openshift/origin/test/extended/olm/olmv1-singleownnamespace.go to this repository. This is part of the effort to move component-specific tests into their respective downstream locations. Assisted-by: Gemini
…tion test, mirroring the logic used in the certificate rotation test. This makes the test more robust by ensuring a new secret is created, not just that an existing one is still present. This reverts commit 0bb1953. UPSTREAM: <carry>: [OTE] Add webhook to validate openshift-service-ca certificate rotation This reverts commit e9e3220.
This reverts commit 9cc13d8.
…rator Signed-off-by: Per Goncalves da Silva <[email protected]>
f3b4bbb to 659f1a9
@tmshort: This pull request explicitly references no jira issue. In response to this:
/lgtm
@tmshort: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/verified by @jianzhangbjz
@jianzhangbjz: This PR has been marked as verified by In response to this:
The downstream repository has been updated with the following upstream commits:

The vendor/ directory has been updated and the following commits were carried:

This pull request is expected to merge without any human intervention. If tests are failing here, changes must land upstream to fix any issues so that future downstreaming efforts succeed.
/cc @openshift/openshift-team-operator-framework
/label tide/merge-method-merge
/label kind/sync