ci

ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml

@@ -139,6 +139,23 @@ tests:
         requests:
           cpu: 100m
     workflow: optional-operators-ci-operator-sdk-aws
+- as: e2e-operator-prod-f7
+  cron: '@weekly'
+  steps:
+    cluster_profile: aws
+    env:
+      CHANNEL: stable-v1.14
+      TARGET_NAMESPACES: cert-manager-operator
+    test:
+    - ref: cert-manager-install
+    - as: test
+      cli: latest
+      commands: make test-e2e
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+    workflow: ipi-aws
 zz_generated_metadata:
   branch: cert-manager-1.14
   org: openshift

ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml

@@ -113,6 +113,22 @@ tests:
         requests:
           cpu: 100m
     workflow: optional-operators-ci-operator-sdk-aws
+- as: e2e-operator-stage-f7
+  cron: '@weekly'
+  steps:
+    cluster_profile: aws
+    env:
+      INDEX_IMG: quay.io/redhat-user-workloads/cert-manager-oape-tenant/cert-manager-operator-1-15/cert-manager-operator-fbc-1-15:bf2b01d9ed2c009b6007c5f651b7b18043f8941a
+    test:
+    - ref: cert-manager-install
+    - as: test
+      cli: latest
+      commands: make test-e2e
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+    workflow: ipi-aws
 zz_generated_metadata:
   branch: cert-manager-1.15
   org: openshift

ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-periodics.yaml

@@ -0,0 +1,71 @@
+periodics:
+- agent: kubernetes
+  cluster: build09
+  cron: '@weekly'
+  decorate: true
+  extra_refs:
+  - base_ref: cert-manager-1.14
+    org: openshift
+    repo: cert-manager-operator
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cert-manager-operator-cert-manager-1.14-e2e-operator-prod-f7
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-operator-prod-f7
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-periodics.yaml

@@ -0,0 +1,71 @@
+periodics:
+- agent: kubernetes
+  cluster: build09
+  cron: '@weekly'
+  decorate: true
+  extra_refs:
+  - base_ref: cert-manager-1.15
+    org: openshift
+    repo: cert-manager-operator
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cert-manager-operator-cert-manager-1.15-e2e-operator-stage-f7
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-operator-stage-f7
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh

@@ -4,18 +4,79 @@ set -e
 set -u
 set -o pipefail
 
-if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
-    source "${SHARED_DIR}/proxy-conf.sh"
-    echo "proxy: ${SHARED_DIR}/proxy-conf.sh"
-fi
+function run_command() {
+    local cmd="$1"
+    echo "Running Command: ${cmd}"
+    eval "${cmd}"
+}
 
-CATSRC=qe-app-registry
-if [[ ! "$(oc get catalogsource qe-app-registry -n openshift-marketplace -o yaml)" =~ "lastObservedState: READY" ]]; then
-    echo "The catalogsource qe-app-registry is either not existing or not ready. Will use redhat-operators to install cert-manager Operator."
-    CATSRC=redhat-operators
-fi
+function set_proxy () {
+    if test -s "${SHARED_DIR}/proxy-conf.sh" ; then
+        echo "Setting proxy configuration"
+        source "${SHARED_DIR}/proxy-conf.sh"
+    else
+        echo "No proxy settings found. Skipping proxy configuration"
+    fi
+}
+
+function auth_stage_registry () {
+    echo "Retrieving the 'registry.stage.redhat.io' auth config from shared credentials" 
+    local stage_registry_path="/var/run/vault/mirror-registry/registry_stage.json"
+    local stage_auth_user=$(jq -r '.user' $stage_registry_path)
+    local stage_auth_password=$(jq -r '.password' $stage_registry_path)
+    local stage_auth_config=$(echo -n " " "$stage_auth_user":"$stage_auth_password" | base64 -w 0)
+
+    echo "Updating the image pull secret with the auth config"
+    oc extract secret/pull-secret -n openshift-config --confirm --to /tmp
+    local new_dockerconfig="/tmp/.new-dockerconfigjson"
+    jq --argjson a "{\"registry.stage.redhat.io\": {\"auth\": \"$stage_auth_config\"}}" '.auths |= . + $a' "/tmp/.dockerconfigjson" >"$new_dockerconfig"
+    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=$new_dockerconfig
+}
+
+function wait_for_state() {
+    local object="$1"
+    local state="$2"
+    local timeout="$3"
+    local namespace="${4:-}"
+    local selector="${5:-}"
+
+    echo "Waiting for (${object}) in namespace (${namespace}) with selector (${selector}) to exist..."
+    for i in {1..60}; do
+        oc get ${object} --selector="${selector}" -n=${namespace} |& grep -ivE "(no resources found|not found)" && break || sleep 5
+    done
 
-oc create -f - << EOF
+    echo "Waiting for (${object}) in namespace (${namespace}) with selector (${selector}) to become (${state})..."
+    oc wait --for=${state} --timeout=${timeout} ${object} --selector="${selector}" -n="${namespace}"
+}
+
+function create_catalogsource () {
+    echo "Creating a custom catalogsource using image: $INDEX_IMG"
+    oc apply -f - << EOF
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: $CATSRC
+  namespace: openshift-marketplace
+spec:
+  sourceType: grpc
+  image: $INDEX_IMG
+EOF
+}
+
+function is_catalogsource_ready () {
+    if wait_for_state "catalogsource/${CATSRC}" "jsonpath={.status.connectionState.lastObservedState}=READY" "5m" "openshift-marketplace"; then
+        echo "CatalogSource is ready"
+    else
+        echo "Timed out after 5m. Dumping resources for debugging..."
+        run_command "oc get pod -n openshift-marketplace"
+        run_command "oc get event -n openshift-marketplace | grep ${CATSRC}"
+        exit 1
+    fi
+}
+
+function subscribe_operator () {
+    echo "Creating the Namespace, OperatorGroup and Subscription for the operator installation"
+    oc apply -f - <<EOF
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -24,78 +85,59 @@ metadata:
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
-  name: cert-manager-operator-og
+  name: openshift-cert-manager-operator
   namespace: cert-manager-operator
 spec:
-  targetNamespaces:
-  - cert-manager-operator
+  targetNamespaces: [$TARGET_NAMESPACES]
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: openshift-cert-manager-operator
   namespace: cert-manager-operator
 spec:
-  channel: stable-v1
-  installPlanApproval: Automatic
+  channel: $CHANNEL
   name: openshift-cert-manager-operator
-  source: "$CATSRC"
+  source: $CATSRC
   sourceNamespace: openshift-marketplace
 EOF
+}
 
-MAX_RETRY=20
-INTERVAL=10
-COUNTER=0
-while :;
-do
-    echo "Checking openshift-cert-manager-operator subscription status for the #${COUNTER}-th time ..."
-    if [ "$(oc get subscription openshift-cert-manager-operator -n cert-manager-operator -o=jsonpath='{.status.state}')" == AtLatestKnown ]; then
-        echo "The openshift-cert-manager-operator subscription status becomes ready" && break
-    fi
-    ((++COUNTER))
-    if [[ $COUNTER -eq $MAX_RETRY ]]; then
-        echo "The openshift-cert-manager-operator subscription status is not ready after $((MAX_RETRY * INTERVAL)) seconds. Dumping status:"
-        oc get subscription openshift-cert-manager-operator -n cert-manager-operator -o=jsonpath='{.status}'
-        exit 1
-    fi
-    sleep $INTERVAL
-done
-
-MAX_RETRY=20
-INTERVAL=10
-COUNTER=0
-while :;
-do
-    echo "Checking cert-manager-operator CSV status for the #${COUNTER}-th time ..."
-    if [[ "$(oc get --no-headers csv -n cert-manager-operator)" == *cert-manager-operator.*Succeeded ]]; then
-        echo "The cert-manager-operator CSV status becomes ready" && break
-    fi
-    ((++COUNTER))
-    if [[ $COUNTER -eq $MAX_RETRY ]]; then
-        echo "The cert-manager-operator CSV status is not ready after $((MAX_RETRY * INTERVAL)) seconds. Dumping status:"
-        CSV_NAME=$(oc get csv -n cert-manager-operator | grep -E -o '^cert-manager-operator[^ ]*')
-        oc get csv "$CSV_NAME" -n cert-manager-operator -o=jsonpath='{.status}'
+function is_operator_ready () {
+    if wait_for_state "deployment/cert-manager-operator-controller-manager" "condition=Available" "5m" "cert-manager-operator"; then
+        echo "Operator is ready"
+    else
+        echo "Timed out after 5m. Dumping resources for debugging..."
+        run_command "oc get pod -n cert-manager-operator"
+        run_command "oc get csv -n cert-manager-operator"
+        run_command "oc get subscription openshift-cert-manager-operator -n cert-manager-operator -o=jsonpath='{.status}'"
+        run_command "oc get event -n cert-manager-operator"
         exit 1
     fi
-    sleep $INTERVAL
-done
-
-MAX_RETRY=30
-INTERVAL=10
-COUNTER=0
-while :;
-do
-    echo "Checking cert-manager pods status for the #${COUNTER}-th time ..."
-    if [ "$(oc get pods -n cert-manager -o=jsonpath='{.items[*].status.phase}')" == "Running Running Running" ]; then
-        echo "[$(date -u --rfc-3339=seconds)] Finished cert-manager Operator installation. The cert-manager pods are all ready."
-        oc get po -n cert-manager
-        break
-    fi
-    ((++COUNTER))
-    if [[ $COUNTER -eq $MAX_RETRY ]]; then
-        echo "The cert-manager pods are not all ready after $((MAX_RETRY * INTERVAL)) seconds. Dumping status:"
-        oc get pods -n cert-manager
+
+    if wait_for_state "deployment/cert-manager" "condition=Available" "5m" "cert-manager" && \
+        wait_for_state "deployment/cert-manager-webhook" "condition=Available" "5m" "cert-manager" && \
+        wait_for_state "deployment/cert-manager-cainjector" "condition=Available" "5m" "cert-manager"; then
+        echo "Operands are all ready"
+    else
+        echo "Timed out after 5m. Dumping resources for debugging..."
+        run_command "oc get pod -n cert-manager"
+        run_command "oc get event -n cert-manager"
         exit 1
     fi
-    sleep $INTERVAL
-done
+}
+
+set_proxy
+auth_stage_registry
+
+# If 'INDEX_IMG' is not empty, create the catalogsource using custom index image; otherwise use the default 'redhat-operators'.
+if [ -n "${INDEX_IMG}" ]; then
+    CATSRC=custom-catalog-cert-manager-operator
+    create_catalogsource
+else
+    CATSRC=redhat-operators
+fi
+
+is_catalogsource_ready
+subscribe_operator
+is_operator_ready