diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml
new file mode 100644
index 0000000000000..43d685c720e53
--- /dev/null
+++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml
@@ -0,0 +1,82 @@
+base_images:
+ cli:
+ name: "4.17"
+ namespace: ocp
+ tag: cli
+ upi-installer:
+ name: "4.17"
+ namespace: ocp
+ tag: upi-installer
+ tests-private:
+ name: tests-private
+ namespace: ci
+ tag: "4.17"
+build_root:
+ image_stream_tag:
+ name: release
+ namespace: openshift
+ tag: golang-1.21
+ use_build_cache: true
+releases:
+ latest:
+ candidate:
+ product: ocp
+ stream: nightly
+ version: "4.17"
+ architecture: amd64
+resources:
+ '*':
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: e2e-operator
+ cron: '@weekly'
+ steps:
+ cluster_profile: aws-qe
+ env:
+ BASE_DOMAIN: qe.devcluster.openshift.com
+ TEST_FILTERS: CFE&;~ChkUpgrade&;
+ TEST_SCENARIOS: cert-manager
+ test:
+ - ref: openshift-extended-test
+ - ref: openshift-e2e-test-qe-report
+ workflow: cucushift-installer-rehearse-aws-ipi
+- as: e2e-operator-prod
+ cron: '@weekly'
+ steps:
+ cluster_profile: aws
+ env:
+ CHANNEL: stable-v1.14
+ TARGET_NAMESPACES: cert-manager-operator
+ test:
+ - ref: cert-manager-install
+ - as: test
+ cli: latest
+ commands: make test-e2e
+ from: src
+ resources:
+ requests:
+ cpu: 100m
+ workflow: ipi-aws
+- as: e2e-operator-stage
+ cron: '@weekly'
+ steps:
+ cluster_profile: aws
+ env:
+ INDEX_IMG: quay.io/redhat-user-workloads/cert-manager-oape-tenant/cert-manager-operator-1-15/cert-manager-operator-fbc-1-15:bf2b01d9ed2c009b6007c5f651b7b18043f8941a
+ test:
+ - ref: cert-manager-install
+ - as: test
+ cli: latest
+ commands: make test-e2e
+ from: src
+ resources:
+ requests:
+ cpu: 100m
+ workflow: ipi-aws
+zz_generated_metadata:
+ branch: master
+ org: openshift
+ repo: cert-manager-operator
+ variant: ocp-4.17
diff --git a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml
new file mode 100644
index 0000000000000..d50b45c1729e2
--- /dev/null
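Review bot: `INDEX_IMG` under `e2e-operator-stage` references the catalog image by tag (`cert-manager-operator-fbc-1-15:bf2b01d9…`), and a registry tag can be re-pointed even when it looks like a commit SHA. Because the install step turns this image into a CatalogSource and installs an operator from it, pinning by digest in the form `<repo>@sha256:<digest of the reviewed build>` would tie the weekly run to known content. If the tag is kept on purpose so that a rebuilt catalog is picked up, a short comment above `INDEX_IMG` saying so would make that choice explicit. The stage test also leaves `CHANNEL` unset, so it relies on the ref's default `stable-v1` being present in the 1-15 catalog; that cannot be confirmed from this diff.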
+++ b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml 
@@ -0,0 +1,226 @@ +periodics: +- agent: kubernetes + cluster: build10 + cron: '@weekly' + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: ocp-4.17 + ci.openshift.io/generator: prowgen + job-release: "4.17" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-master-ocp-4.17-e2e-operator + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator + - --variant=ocp-4.17 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: 
kubernetes + cluster: build10 + cron: '@weekly' + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws + ci-operator.openshift.io/variant: ocp-4.17 + ci.openshift.io/generator: prowgen + job-release: "4.17" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-master-ocp-4.17-e2e-operator-prod + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator-prod + - --variant=ocp-4.17 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build10 + cron: 
'@weekly' + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws + ci-operator.openshift.io/variant: ocp-4.17 + ci.openshift.io/generator: prowgen + job-release: "4.17" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-master-ocp-4.17-e2e-operator-stage + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator-stage + - --variant=ocp-4.17 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator 
diff --git a/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh b/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh
index f13369ecdc109..520de3507ea25 100644
--- a/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh
+++ b/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh
@@ -4,18 +4,64 @@ set -e set -u set -o pipefail -if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then - source "${SHARED_DIR}/proxy-conf.sh" - echo "proxy: ${SHARED_DIR}/proxy-conf.sh" -fi +function run_command() { + local cmd="$1" + echo "Running Command: ${cmd}" + eval "${cmd}" +} -CATSRC=qe-app-registry -if [[ ! "$(oc get catalogsource qe-app-registry -n openshift-marketplace -o yaml)" =~ "lastObservedState: READY" ]]; then - echo "The catalogsource qe-app-registry is either not existing or not ready. Will use redhat-operators to install cert-manager Operator." - CATSRC=redhat-operators -fi +function set_proxy () { + if test -s "${SHARED_DIR}/proxy-conf.sh" ; then + echo "=> Setting proxy configurations" + source "${SHARED_DIR}/proxy-conf.sh" + else + echo "No proxy settings found" + fi +} + +function auth_stage_registry () { + echo "=> Retrieving the 'registry.stage.redhat.io' auth config from shared credentials" + local stage_registry_path="/var/run/vault/mirror-registry/registry_stage.json" + local stage_auth_user=$(jq -r '.user' $stage_registry_path) + local stage_auth_password=$(jq -r '.password' $stage_registry_path) + local stage_auth_config=$(echo -n " " "$stage_auth_user":"$stage_auth_password" | base64 -w 0) + + echo "=> Updating the image pull secret with the auth config" + oc extract secret/pull-secret -n openshift-config --confirm --to /tmp + local new_dockerconfig="/tmp/.new-dockerconfigjson" + jq --argjson a "{\"registry.stage.redhat.io\": {\"auth\": \"$stage_auth_config\"}}" '.auths |= . 
+ $a' "/tmp/.dockerconfigjson" >"$new_dockerconfig" + oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=$new_dockerconfig +} + +function create_catalogsource () { + echo "=> Creating a custom catalogsource using image: $INDEX_IMG" + oc apply -f - << EOF +apiVersion: operators.coreos.com/v1alpha1 +kind: CatalogSource +metadata: + name: $CATSRC + namespace: openshift-marketplace +spec: + sourceType: grpc + image: $INDEX_IMG +EOF +} + +function is_catalogsource_ready () { + echo "=> Waiting for CatalogSource '$CATSRC' to become ready" + if oc wait --for=jsonpath='{.status.connectionState.lastObservedState}'=READY --timeout=5m -n openshift-marketplace catalogsource $CATSRC; then + echo "CatalogSource is ready" + else + echo "Timed out after 5m. Dumping resources ..." + run_command "oc get pod -n openshift-marketplace" + run_command "oc get event -n openshift-marketplace" + exit 1 + fi +} -oc create -f - << EOF +function subscribe_operator () { + echo "=> Creating the Namespace, OperatorGroup and Subscription for the operator installation" + oc apply -f - < Waiting for the operator deployment to become available" + if oc wait --for=condition=Available --timeout=5m -n cert-manager-operator -l=name=cert-manager-operator deployment; then + echo "Operator is ready" + else + echo "Timed out after 5m. Dumping resources ..." + run_command "oc get pod -n cert-manager-operator" + run_command "oc get event -n cert-manager-operator" + run_command "oc get csv -n cert-manager-operator" + run_command "oc get subscription -n cert-manager-operator -o=jsonpath='{.status}'" exit 1 fi - sleep $INTERVAL -done -MAX_RETRY=20 -INTERVAL=10 -COUNTER=0 -while :; -do - echo "Checking cert-manager-operator CSV status for the #${COUNTER}-th time ..." 
- if [[ "$(oc get --no-headers csv -n cert-manager-operator)" == *cert-manager-operator.*Succeeded ]]; then - echo "The cert-manager-operator CSV status becomes ready" && break - fi - ((++COUNTER)) - if [[ $COUNTER -eq $MAX_RETRY ]]; then - echo "The cert-manager-operator CSV status is not ready after $((MAX_RETRY * INTERVAL)) seconds. Dumping status:" - CSV_NAME=$(oc get csv -n cert-manager-operator | grep -E -o '^cert-manager-operator[^ ]*') - oc get csv "$CSV_NAME" -n cert-manager-operator -o=jsonpath='{.status}' + echo "=> Waiting for the operand deployments to become available" + if oc wait --for=condition=Available --timeout=5m -n cert-manager -l=app.kubernetes.io/instance=cert-manager deployment; then + echo "Operands are all ready" + else + echo "Timed out after 5m. Dumping resources ..." + run_command "oc get pod -n cert-manager" + run_command "oc get event -n cert-manager" exit 1 fi - sleep $INTERVAL -done +} -MAX_RETRY=30 -INTERVAL=10 -COUNTER=0 -while :; -do - echo "Checking cert-manager pods status for the #${COUNTER}-th time ..." - if [ "$(oc get pods -n cert-manager -o=jsonpath='{.items[*].status.phase}')" == "Running Running Running" ]; then - echo "[$(date -u --rfc-3339=seconds)] Finished cert-manager Operator installation. The cert-manager pods are all ready." - oc get po -n cert-manager - break - fi - ((++COUNTER)) - if [[ $COUNTER -eq $MAX_RETRY ]]; then - echo "The cert-manager pods are not all ready after $((MAX_RETRY * INTERVAL)) seconds. Dumping status:" - oc get pods -n cert-manager - exit 1 - fi - sleep $INTERVAL -done +set_proxy +auth_stage_registry + +# If 'INDEX_IMG' is not empty, create the catalogsource using custom index image; otherwise use the default 'redhat-operators'. +if [ -n "${INDEX_IMG}" ]; then + CATSRC=custom-catalog-cert-manager-operator + create_catalogsource +else + CATSRC=redhat-operators +fi + +is_catalogsource_ready +subscribe_operator +is_operator_ready 
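Review bot: In `auth_stage_registry`, `local stage_auth_user=$(jq ...)` hides a failing `jq` from `set -e` because `local` itself returns 0, so a missing or malformed `registry_stage.json` would still push a credential built from empty values into the cluster-wide `pull-secret`. The function also leaves the extracted pull secret and the merged copy in `/tmp` under fixed names and reads `$stage_registry_path` unquoted. Declaring the locals first, assigning with `jq -e`, and working in a `mktemp -d` directory that is removed afterwards closes both gaps, as sketched below. The function is also called unconditionally, so jobs that install from `redhat-operators` get the stage registry credential added to their cluster too; guarding the call on `INDEX_IMG` may be what is intended. Part of the `subscribe_operator` heredoc is missing from the page as shown, so that function is not reviewed here.

```shell
function auth_stage_registry () {
    local stage_registry_path="/var/run/vault/mirror-registry/registry_stage.json"
    local stage_auth_user stage_auth_password workdir
    # Assign separately from 'local' so a jq failure (or a null field) trips 'set -e'.
    stage_auth_user=$(jq -er '.user' "$stage_registry_path")
    stage_auth_password=$(jq -er '.password' "$stage_registry_path")
    # … unchanged: base64 encoding of user:password into stage_auth_config …

    # Keep the pull secret in a private directory instead of fixed names under /tmp.
    workdir=$(mktemp -d)
    oc extract secret/pull-secret -n openshift-config --confirm --to "$workdir"
    jq --arg auth "$stage_auth_config" '.auths["registry.stage.redhat.io"] = {auth: $auth}' \
        "$workdir/.dockerconfigjson" > "$workdir/.new-dockerconfigjson"
    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson="$workdir/.new-dockerconfigjson"
    rm -rf "$workdir"
}
```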
diff --git a/ci-operator/step-registry/cert-manager/install/cert-manager-install-ref.yaml b/ci-operator/step-registry/cert-manager/install/cert-manager-install-ref.yaml
index f50f9c1f90d1e..a97bd0ffd8868 100644
--- a/ci-operator/step-registry/cert-manager/install/cert-manager-install-ref.yaml
+++ b/ci-operator/step-registry/cert-manager/install/cert-manager-install-ref.yaml
@@ -1,18 +1,25 @@
 ref:
- as: cert-manager-install
- from_image:
- namespace: ci
- name: verification-tests
- tag: latest
- grace_period: 20m
- commands: cert-manager-install-commands.sh
- cli: latest
- resources:
- limits:
- cpu: 500m
- memory: 500Mi
- requests:
- cpu: 300m
- memory: 200Mi
- documentation: |-
- Install cert-manager Operator.
+ as: cert-manager-install
+ from: upi-installer
+ cli: latest
+ commands: cert-manager-install-commands.sh
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ credentials:
+ - namespace: test-credentials
+ name: openshift-custom-mirror-registry
+ mount_path: /var/run/vault/mirror-registry
+ env:
+ - name: INDEX_IMG
+ documentation: The index image to use for the custom catalog source creation. If unset, it indicates to use the default 'redhat-operators' catalog source.
+ default: ""
+ - name: CHANNEL
+ documentation: The name of the operator channel to track.
+ default: "stable-v1"
+ - name: TARGET_NAMESPACES
+ documentation: A comma-separated list of namespaces the operator will target. If unset, it indicates that all namespaces will be targeted.
+ default: ""
+ documentation: |-
+ Install the cert-manager Operator for Red Hat OpenShift from catalog source (supports both default and BYO catalogs).
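Review bot: The ref's `documentation` block does not mention that the step now mounts the `openshift-custom-mirror-registry` credential and rewrites the cluster's global `pull-secret`, a side effect every workflow reusing `cert-manager-install` inherits. A sentence such as `Also adds the registry.stage.redhat.io auth from the mounted mirror-registry credential to the cluster pull secret.` would make that visible to consumers. The switch to `from: upi-installer` also means each consuming config must declare that base image, as the new ocp-4.17 config does; other existing users of the ref are not visible in this diff.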