From 6898570ecdc4116b6f20e1e533ca84581d0b300c Mon Sep 17 00:00:00 2001
From: Yuedong Wu
Date: Mon, 6 Jan 2025 19:38:11 +0800
Subject: [PATCH 1/2] ci
---
...rt-manager-operator-cert-manager-1.14.yaml | 17 ++
...rt-manager-operator-cert-manager-1.15.yaml | 16 ++
...penshift-cert-manager-operator-master.yaml | 48 +++++
...ert-manager-operator-master__ocp-4.17.yaml | 49 +++++
...-operator-cert-manager-1.14-periodics.yaml | 71 +++++++
...-operator-cert-manager-1.15-periodics.yaml | 71 +++++++
...ert-manager-operator-master-periodics.yaml | 76 +++++++
...rt-manager-operator-master-presubmits.yaml | 72 +++++++
.../install/cert-manager-install-commands.sh | 190 ++++++++++++------
.../install/cert-manager-install-ref.yaml | 41 ++--
10 files changed, 567 insertions(+), 84 deletions(-)
create mode 100644 ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml
create mode 100644 ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-periodics.yaml
create mode 100644 ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-periodics.yaml
create mode 100644 ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml
mode change 100644 => 100755 ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh
diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml
index fe64b9d4c52a..3f24dc1579d9 100644
--- a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml
+++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml
@@ -139,6 +139,23 @@ tests: requests: cpu: 100m workflow: optional-operators-ci-operator-sdk-aws +- as: e2e-operator-prod-f7 + cron: '@weekly' + steps: + cluster_profile: aws + env: + CHANNEL: stable-v1.14 + TARGET_NAMESPACES: cert-manager-operator + test: + - ref: cert-manager-install + - as: test + cli: latest + commands: make test-e2e + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws zz_generated_metadata: branch: cert-manager-1.14 org: openshift diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml index 94fcf451961e..c253365b151f 100644 --- a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml +++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml @@ -113,6 +113,22 @@ tests: requests: cpu: 100m workflow: optional-operators-ci-operator-sdk-aws +- as: e2e-operator-stage-f7 + cron: '@weekly' + steps: + cluster_profile: aws + env: + INDEX_IMG: quay.io/redhat-user-workloads/cert-manager-oape-tenant/cert-manager-operator-1-15/cert-manager-operator-fbc-1-15:bf2b01d9ed2c009b6007c5f651b7b18043f8941a + test: + - ref: cert-manager-install + - as: test + cli: latest + commands: make test-e2e + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws zz_generated_metadata: branch: cert-manager-1.15 org: openshift diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml index 773fa8bae41c..19a8538976d1 100644 --- a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml +++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml 
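Review bot: `INDEX_IMG` in the new `e2e-operator-stage-f7` test (second hunk, cert-manager-1.15 config) names the staging catalog image by tag, `...cert-manager-operator-fbc-1-15:bf2b01d9ed2c009b6007c5f651b7b18043f8941a`, and a tag can be re-pointed in the registry, so the weekly job installs whatever that tag resolves to at run time. The catalog decides which operator bundle is installed on the cluster, so pinning by digest keeps the content under test fixed: `INDEX_IMG: quay.io/redhat-user-workloads/cert-manager-oape-tenant/cert-manager-operator-1-15/cert-manager-operator-fbc-1-15@sha256:<digest-of-the-reviewed-image>`. A one-line comment above the value saying who refreshes the pin and when would also help, since a fixed build in a periodic job will presumably go stale or be pruned (the registry's retention policy is not visible here).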
@@ -113,6 +113,54 @@ tests: requests: cpu: 100m workflow: optional-operators-ci-operator-sdk-aws +- as: e2e-operator-upgrade + steps: + cluster_profile: aws + test: + - as: install + cli: latest + commands: | + export REGISTRY_AUTH_FILE=/tmp/import-secret/.dockerconfigjson + export DOCKER_CONFIG=/tmp/.docker + mkdir -p $DOCKER_CONFIG + cp $REGISTRY_AUTH_FILE $DOCKER_CONFIG/config.json + cd /tmp + oc create namespace cert-manager-operator + operator-sdk run bundle --security-context-config restricted -n cert-manager-operator registry.redhat.io/cert-manager/cert-manager-operator-bundle:v1.14.1 + oc wait --timeout=10m --for condition=Available -n cert-manager-operator deployment cert-manager-operator-controller-manager + oc get deployment -n cert-manager + credentials: + - mount_path: /tmp/pull-secret + name: registry-pull-credentials + namespace: test-credentials + - mount_path: /tmp/import-secret + name: ci-pull-credentials + namespace: test-credentials + from: cli-operator-sdk + resources: + requests: + cpu: 100m + - as: upgrade + cli: latest + commands: | + operator-sdk run bundle-upgrade --security-context-config restricted -n cert-manager-operator "$OO_BUNDLE" + oc wait --timeout=10m --for condition=Available -n cert-manager-operator deployment cert-manager-operator-controller-manager + oc get deployment -n cert-manager + dependencies: + - env: OO_BUNDLE + name: cert-manager-operator-bundle + from: cli-operator-sdk + resources: + requests: + cpu: 100m + - as: test + cli: latest + commands: make test-e2e + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws zz_generated_metadata: branch: master org: openshift diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml new file mode 100644 index 000000000000..4a171b4d97a5 --- /dev/null 
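Review bot: The `install` step of `e2e-operator-upgrade` mounts two secrets, but its commands only read `/tmp/import-secret/.dockerconfigjson`; `registry-pull-credentials` at `/tmp/pull-secret` is not referenced anywhere in the visible commands, so that `credentials` entry can be dropped unless something inside the `cli-operator-sdk` image reads it. The same commands expand `$DOCKER_CONFIG` and `$REGISTRY_AUTH_FILE` unquoted and copy the pull secret under the default umask; adding `umask 077` before `mkdir -p "$DOCKER_CONFIG"` and writing `cp "$REGISTRY_AUTH_FILE" "$DOCKER_CONFIG/config.json"` keeps the copy owner-only. The upgrade baseline `registry.redhat.io/cert-manager/cert-manager-operator-bundle:v1.14.1` is also referenced by tag; a digest would make the starting point of the upgrade reproducible.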
+++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master__ocp-4.17.yaml @@ -0,0 +1,49 @@ +base_images: + cli: + name: "4.17" + namespace: ocp + tag: cli + tests-private: + name: tests-private + namespace: ci + tag: "4.17" + upi-installer: + name: "4.17" + namespace: ocp + tag: upi-installer +build_root: + image_stream_tag: + name: release + namespace: openshift + tag: golang-1.21 + use_build_cache: true +releases: + latest: + candidate: + architecture: amd64 + product: ocp + stream: nightly + version: "4.17" +resources: + '*': + requests: + cpu: 100m + memory: 200Mi +tests: +- as: e2e-operator + cron: '@weekly' + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + TEST_FILTERS: CFE&;~ChkUpgrade&; + TEST_SCENARIOS: cert-manager + test: + - ref: openshift-extended-test + - ref: openshift-e2e-test-qe-report + workflow: cucushift-installer-rehearse-aws-ipi +zz_generated_metadata: + branch: master + org: openshift + repo: cert-manager-operator + variant: ocp-4.17 diff --git a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-periodics.yaml b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-periodics.yaml new file mode 100644 index 000000000000..aee21620c44e --- /dev/null +++ b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-periodics.yaml 
@@ -0,0 +1,71 @@ +periodics: +- agent: kubernetes + cluster: build09 + cron: '@weekly' + decorate: true + extra_refs: + - base_ref: cert-manager-1.14 + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-cert-manager-1.14-e2e-operator-prod-f7 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator-prod-f7 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator 
diff --git a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-periodics.yaml b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-periodics.yaml
new file mode 100644
index 000000000000..082f049db8d1
--- /dev/null
+++ b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-periodics.yaml
@@ -0,0 +1,71 @@ +periodics: +- agent: kubernetes + cluster: build09 + cron: '@weekly' + decorate: true + extra_refs: + - base_ref: cert-manager-1.15 + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-cert-manager-1.15-e2e-operator-stage-f7 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator-stage-f7 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator 
diff --git a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml
new file mode 100644
index 000000000000..3c05b507108b
--- /dev/null
+++ b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-periodics.yaml
@@ -0,0 +1,76 @@ +periodics: +- agent: kubernetes + cluster: build10 + cron: '@weekly' + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: cert-manager-operator + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: ocp-4.17 + ci.openshift.io/generator: prowgen + job-release: "4.17" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-cert-manager-operator-master-ocp-4.17-e2e-operator + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator + - --variant=ocp-4.17 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator 
diff --git a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml
index 9481d2c8202f..c9b0b684015f 100644
--- a/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml
@@ -125,6 +125,78 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-operator,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^master$ + - ^master- + cluster: build01 + context: ci/prow/e2e-operator-upgrade + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cert-manager-operator-master-e2e-operator-upgrade + rerun_command: /test e2e-operator-upgrade + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-operator-upgrade + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: 
(?m)^/test( | .* )e2e-operator-upgrade,?($|\s.*) - agent: kubernetes always_run: true branches: diff --git a/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh b/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh old mode 100644 new mode 100755 index f13369ecdc10..45baa0b3038e --- a/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh +++ b/ci-operator/step-registry/cert-manager/install/cert-manager-install-commands.sh 
@@ -4,18 +4,93 @@ set -e set -u set -o pipefail -if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then - source "${SHARED_DIR}/proxy-conf.sh" - echo "proxy: ${SHARED_DIR}/proxy-conf.sh" -fi +function timestamp() { + date -u --rfc-3339=seconds +} -CATSRC=qe-app-registry -if [[ ! "$(oc get catalogsource qe-app-registry -n openshift-marketplace -o yaml)" =~ "lastObservedState: READY" ]]; then - echo "The catalogsource qe-app-registry is either not existing or not ready. Will use redhat-operators to install cert-manager Operator." - CATSRC=redhat-operators -fi +function run_command() { + local cmd="$1" + echo "Running Command: ${cmd}" + eval "${cmd}" +} + +function set_proxy () { + if test -s "${SHARED_DIR}/proxy-conf.sh" ; then + echo "Setting proxy configuration..." + source "${SHARED_DIR}/proxy-conf.sh" + else + echo "No proxy settings found. Skipping proxy configuration..." + fi +} + +function auth_stage_registry () { + echo "Retrieving the 'registry.stage.redhat.io' auth config from shared credentials..." + local stage_registry_path="/var/run/vault/mirror-registry/registry_stage.json" + local stage_auth_user=$(jq -r '.user' $stage_registry_path) + local stage_auth_password=$(jq -r '.password' $stage_registry_path) + local stage_auth_config=$(echo -n " " "$stage_auth_user":"$stage_auth_password" | base64 -w 0) + + echo "Updating the image pull secret with the auth config..." + oc extract secret/pull-secret -n openshift-config --confirm --to /tmp + local new_dockerconfig="/tmp/.new-dockerconfigjson" + jq --argjson a "{\"registry.stage.redhat.io\": {\"auth\": \"$stage_auth_config\"}}" '.auths |= . 
+ $a' "/tmp/.dockerconfigjson" >"$new_dockerconfig" + oc set data secret pull-secret -n openshift-config --from-file=.dockerconfigjson=$new_dockerconfig +} + +function wait_for_state() { + local object="$1" + local state="$2" + local timeout="$3" + local namespace="${4:-}" + local selector="${5:-}" + + echo "Waiting for '${object}' in namespace '${namespace}' with selector '${selector}' to exist..." + for _ in {1..30}; do + oc get ${object} --selector="${selector}" -n=${namespace} |& grep -ivE "(no resources found|not found)" && break || sleep 5 + done + + echo "Waiting for '${object}' in namespace '${namespace}' with selector '${selector}' to become '${state}'..." + oc wait --for=${state} --timeout=${timeout} ${object} --selector="${selector}" -n="${namespace}" + return $? +} + +function create_catalogsource () { + echo "Creating a custom catalogsource using image: '$INDEX_IMG'..." + oc apply -f - << EOF +apiVersion: operators.coreos.com/v1alpha1 +kind: CatalogSource +metadata: + name: $CATSRC + namespace: openshift-marketplace +spec: + sourceType: grpc + image: $INDEX_IMG +EOF + + if wait_for_state "catalogsource/${CATSRC}" "jsonpath={.status.connectionState.lastObservedState}=READY" "5m" "openshift-marketplace"; then + echo "CatalogSource is ready" + else + echo "Timed out after 5m. Dumping resources for debugging..." + run_command "oc get pod -n openshift-marketplace" + run_command "oc get event -n openshift-marketplace | grep ${CATSRC}" + exit 1 + fi +} + +function subscribe_operator () { + echo "Checking if the PackageManifest exists in the CatalogSource before installing the operator..." + output=$(oc get packagemanifest -n openshift-marketplace -l=catalog=$CATSRC --field-selector=metadata.name=openshift-cert-manager-operator 2>&1) + if [[ $? -ne 0 ]] || echo "$output" | grep -q "No resources found"; then + echo "No PackageManifest found. Skipping installation..." 
+ exit 0 + fi + + if [[ "$TARGET_NAMESPACES" == "!all" ]]; then + TARGET_NAMESPACES="" + fi -oc create -f - << EOF + echo "Creating the Namespace, OperatorGroup and Subscription for the operator installation..." + oc apply -f - < Date: Thu, 9 Jan 2025 15:18:26 +0800 Subject: [PATCH 2/2] wait --- .../openshift-cert-manager-operator-master.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml index 19a8538976d1..28ec164e5fd1 100644 --- a/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml +++ b/ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml @@ -95,6 +95,7 @@ tests: OO_INSTALL_MODE: AllNamespaces OO_INSTALL_NAMESPACE: cert-manager-operator OO_SECURITY_CONTEXT: restricted + TIMEOUT: +6 hours test: - as: install cli: latest @@ -105,6 +106,7 @@ tests: requests: cpu: 100m - ref: fips-check-fips-or-die + - ref: wait - as: test cli: latest commands: make test-e2e
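Review bot: `TIMEOUT: +6 hours` (first hunk of PATCH 2/2) and `- ref: wait` between `fips-check-fips-or-die` and the `test` step (second hunk) look like a debugging hold rather than part of the test. If the `wait` step consumes `TIMEOUT` as the name suggests, every run of this test would keep the leased AWS cluster and its mounted credentials alive for up to six hours before `make test-e2e` starts. Both lines should be removed before merge. If an interactive hold is really needed, put it in a separate test that does not run on every pull request, with a comment such as `# debug only: holds the cluster for manual inspection`. The enclosing test entry starts above both hunks, so which test is affected is inferred from the `OO_INSTALL_NAMESPACE: cert-manager-operator` context.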