diff --git a/.gitignore b/.gitignore index 5e084d94ba3b5..c0f017e2c4130 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.work/ .claude/*local.json .idea/* .vscode/ diff --git a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master.yaml b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master.yaml index 6b9f076cd44db..d67dbc9e20de1 100644 --- a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master.yaml +++ b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master.yaml @@ -1,4 +1,8 @@ base_images: + dev-scripts: + name: test + namespace: ocp-kni + tag: dev-scripts hypershift-operator: name: hypershift-operator namespace: hypershift @@ -180,6 +184,16 @@ tests: requests: cpu: 100m workflow: ipi-aws +- always_run: false + as: e2e-metal-ipi-metallb-gatewayapi-conformance + capabilities: + - intranet + optional: true + steps: + cluster_profile: equinix-ocp-metal + test: + - ref: ingress-metallb-gatewayapi-conformance-test + workflow: ingress-metallb - always_run: false as: e2e-aws-ovn-techpreview optional: true diff --git a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20.yaml b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20.yaml index adca735dafe20..09628be432c56 100644 --- a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20.yaml +++ b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20.yaml @@ -1,4 +1,8 @@ base_images: + dev-scripts: + name: test + namespace: ocp-kni + tag: dev-scripts hypershift-operator: name: hypershift-operator namespace: hypershift @@ -148,6 +152,16 @@ tests: requests: cpu: 100m workflow: ipi-aws +- always_run: false + as: e2e-metal-ipi-metallb-gatewayapi-conformance + capabilities: + - intranet + optional: true + steps: + cluster_profile: equinix-ocp-metal + test: + - ref: ingress-metallb-gatewayapi-conformance-test + workflow: ingress-metallb - always_run: false as: e2e-aws-ovn-techpreview optional: true diff --git a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21.yaml b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21.yaml index 8615f3985405a..20ca074578dd9 100644 --- a/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21.yaml +++ b/ci-operator/config/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21.yaml @@ -1,4 +1,8 @@ base_images: + dev-scripts: + name: test + namespace: ocp-kni + tag: dev-scripts hypershift-operator: name: hypershift-operator namespace: hypershift @@ -180,6 +184,16 @@ tests: requests: cpu: 100m workflow: ipi-aws +- always_run: false + as: e2e-metal-ipi-metallb-gatewayapi-conformance + capabilities: + - intranet + optional: true + steps: + cluster_profile: equinix-ocp-metal + test: + - ref: ingress-metallb-gatewayapi-conformance-test + workflow: ingress-metallb - always_run: false as: e2e-aws-ovn-techpreview optional: true diff --git a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master-presubmits.yaml b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master-presubmits.yaml index e93747837d092..4c5e4abbeb73a 100644 --- a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-master-presubmits.yaml @@ -1316,6 +1316,80 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-ibmcloud-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build07 + context: ci/prow/e2e-metal-ipi-metallb-gatewayapi-conformance + decorate: true + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-metal + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-ingress-operator-master-e2e-metal-ipi-metallb-gatewayapi-conformance + optional: true + rerun_command: /test e2e-metal-ipi-metallb-gatewayapi-conformance + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-metal-ipi-metallb-gatewayapi-conformance + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-metal-ipi-metallb-gatewayapi-conformance,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20-presubmits.yaml b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20-presubmits.yaml index d7ebef658c099..6dd195a4a909c 100644 --- a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.20-presubmits.yaml @@ -1160,6 +1160,80 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-ibmcloud-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.20$ + - ^release-4\.20- + cluster: build09 + context: ci/prow/e2e-metal-ipi-metallb-gatewayapi-conformance + decorate: true + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-metal + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-ingress-operator-release-4.20-e2e-metal-ipi-metallb-gatewayapi-conformance + optional: true + rerun_command: /test e2e-metal-ipi-metallb-gatewayapi-conformance + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-metal-ipi-metallb-gatewayapi-conformance + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-metal-ipi-metallb-gatewayapi-conformance,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21-presubmits.yaml b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21-presubmits.yaml index 7d5c18f939227..51dd9af0a0959 100644 --- a/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-ingress-operator/openshift-cluster-ingress-operator-release-4.21-presubmits.yaml @@ -1317,6 +1317,80 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-ibmcloud-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.21$ + - ^release-4\.21- + cluster: build09 + context: ci/prow/e2e-metal-ipi-metallb-gatewayapi-conformance + decorate: true + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-metal + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-metal-ipi-metallb-gatewayapi-conformance + optional: true + rerun_command: /test e2e-metal-ipi-metallb-gatewayapi-conformance + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-metal-ipi-metallb-gatewayapi-conformance + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-metal-ipi-metallb-gatewayapi-conformance,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/step-registry/ingress/metallb/OWNERS b/ci-operator/step-registry/ingress/metallb/OWNERS new file mode 100644 index 0000000000000..2de9031831519 --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/OWNERS @@ -0,0 +1,10 @@ +approvers: + - Miciah + - candita + - frobware + - gcs278 + - miheer + - brandisher + - lihongan + - melvinjoseph86 + - ShudiLi diff --git a/ci-operator/step-registry/ingress/metallb/conf/OWNERS b/ci-operator/step-registry/ingress/metallb/conf/OWNERS new file mode 100644 index 0000000000000..2de9031831519 --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/conf/OWNERS @@ -0,0 +1,10 @@ +approvers: + - Miciah + - candita + - frobware + - gcs278 + - miheer + - brandisher + - lihongan + - melvinjoseph86 + - ShudiLi diff --git a/ci-operator/step-registry/ingress/metallb/conf/ingress-metallb-conf-commands.sh b/ci-operator/step-registry/ingress/metallb/conf/ingress-metallb-conf-commands.sh new file mode 100755 index 0000000000000..777a6bb593cc8 --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/conf/ingress-metallb-conf-commands.sh @@ -0,0 +1,202 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail +set -x + +echo "Installing MetalLB" + +# Check if metallb-operator package exists in catalogs +echo "Checking for metallb-operator package in available catalogs..." +CATALOG_RETRIES=3 +PACKAGE_EXISTS=false +for retry in $(seq 1 ${CATALOG_RETRIES}); do + if oc get packagemanifest metallb-operator -n openshift-marketplace &>/dev/null; then + PACKAGE_EXISTS=true + echo "Found metallb-operator package in catalog" + break + fi + echo "Retry ${retry}/${CATALOG_RETRIES}: metallb-operator not found, waiting for catalog sync..." + sleep 10 +done + +if [[ "${PACKAGE_EXISTS}" == "false" ]]; then + echo "metallb-operator not found in any catalog after ${CATALOG_RETRIES} retries" + echo "This is expected for pre-release OpenShift versions" + echo "Falling back to upstream MetalLB manifest-based installation" + + # Install upstream MetalLB + METALLB_VERSION="${METALLB_VERSION:-v0.14.9}" + echo "Installing upstream MetalLB ${METALLB_VERSION}" + + # Apply MetalLB manifests (creates namespace and service accounts) + oc apply -f https://raw.githubusercontent.com/metallb/metallb/${METALLB_VERSION}/config/manifests/metallb-native.yaml + + # Grant privileged SCC to MetalLB service accounts + echo "Granting privileged SCC to MetalLB service accounts..." + oc adm policy add-scc-to-user privileged -z controller -n metallb-system + oc adm policy add-scc-to-user privileged -z speaker -n metallb-system + + echo "Waiting for MetalLB controller deployment..." + oc wait --for=condition=Available --timeout=5m -n metallb-system deployment/controller || { + echo "Error: MetalLB controller deployment failed" + oc get pods -n metallb-system + exit 1 + } + + echo "Waiting for MetalLB speaker daemonset..." + oc wait --for=jsonpath='{.status.numberReady}'=1 --timeout=5m -n metallb-system daemonset/speaker || { + echo "Warning: MetalLB speaker daemonset not fully ready, checking status..." + oc get daemonset -n metallb-system speaker + oc get pods -n metallb-system + } + + echo "Upstream MetalLB installed successfully" + +else + # Install using OLM operator + echo "Installing MetalLB operator from catalog" + + # Create the metallb-system namespace + oc apply -f - < /dev/null; then + INSTALLED_GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//') + echo "Installed Go version: ${INSTALLED_GO_VERSION}" + fi + + # Install Go if not present or version mismatch + if [ -z "${INSTALLED_GO_VERSION}" ] || [ "${INSTALLED_GO_VERSION}" != "${REQUIRED_GO_VERSION}" ]; then + echo "Installing Go ${REQUIRED_GO_VERSION}..." + curl -L "https://go.dev/dl/go${REQUIRED_GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tar.gz + rm -rf /usr/local/go + tar -C /usr/local -xzf /tmp/go.tar.gz + ln -sf /usr/local/go/bin/go /usr/bin/go + rm -f /tmp/go.tar.gz + echo "Go installed: $(go version)" + else + echo "Go ${INSTALLED_GO_VERSION} is already installed and matches required version" + fi + + # Ensure KUBECONFIG is set + export KUBECONFIG=/root/dev-scripts/ocp/ostest/auth/kubeconfig + + # Verify cluster access + echo "Verifying cluster access..." + oc version || echo "Warning: oc version failed" + oc get nodes || echo "Warning: failed to get nodes" +EOF + +echo "### Running Gateway API conformance tests" + +# setting +e so we won't exit in case of test failure and the artifacts are going to be copied +set +e +ssh "${SSHOPTS[@]}" "root@${IP}" bash <<'EOF' + set -o nounset + set -o pipefail + set -x + + cd /root/cluster-ingress-operator + export KUBECONFIG=/root/dev-scripts/ocp/ostest/auth/kubeconfig + + # Run the conformance test + make gatewayapi-conformance + exit $? +EOF + +TEST_EXIT_CODE=$? + +if [ ${TEST_EXIT_CODE} -ne 0 ]; then + echo "### Tests failed, copying artifacts..." + + # Create artifacts directory if it doesn't exist + mkdir -p "${ARTIFACT_DIR}" + + # Copy test artifacts if they exist + ssh "${SSHOPTS[@]}" "root@${IP}" "test -d /root/cluster-ingress-operator/_output && tar czf /tmp/test-artifacts.tar.gz -C /root/cluster-ingress-operator/_output . || echo 'No artifacts found in _output'" + scp "${SSHOPTS[@]}" "root@${IP}:/tmp/test-artifacts.tar.gz" "${ARTIFACT_DIR}/" 2>/dev/null || echo "No artifacts to copy" + + # Extract artifacts if copied successfully + if [ -f "${ARTIFACT_DIR}/test-artifacts.tar.gz" ]; then + tar xzf "${ARTIFACT_DIR}/test-artifacts.tar.gz" -C "${ARTIFACT_DIR}/" || echo "Failed to extract artifacts" + fi + + exit ${TEST_EXIT_CODE} +fi + +set -e + +echo "### Gateway API conformance tests completed successfully" diff --git a/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.metadata.json b/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.metadata.json new file mode 100644 index 0000000000000..001d57019358f --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.metadata.json @@ -0,0 +1,16 @@ +{ + "path": "ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.yaml", + "owners": { + "approvers": [ + "Miciah", + "candita", + "frobware", + "gcs278", + "miheer", + "brandisher", + "lihongan", + "melvinjoseph86", + "ShudiLi" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.yaml b/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.yaml new file mode 100644 index 0000000000000..e18168e634e4a --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/gatewayapi-conformance-test/ingress-metallb-gatewayapi-conformance-test-ref.yaml @@ -0,0 +1,15 @@ +ref: + as: ingress-metallb-gatewayapi-conformance-test + from: src + grace_period: 10m + commands: ingress-metallb-gatewayapi-conformance-test-commands.sh + timeout: 10800s + resources: + requests: + cpu: "3" + memory: 600Mi + limits: + memory: 2Gi + documentation: |- + This step copies the cluster-ingress-operator source to the provisioning host + and runs the Gateway API conformance test suite with MetalLB configuration. diff --git a/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.metadata.json b/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.metadata.json new file mode 100644 index 0000000000000..5abaa9a0f7cef --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.metadata.json @@ -0,0 +1,16 @@ +{ + "path": "ingress/metallb/ingress-metallb-workflow.yaml", + "owners": { + "approvers": [ + "Miciah", + "candita", + "frobware", + "gcs278", + "miheer", + "brandisher", + "lihongan", + "melvinjoseph86", + "ShudiLi" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.yaml b/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.yaml new file mode 100644 index 0000000000000..857a495bcd83b --- /dev/null +++ b/ci-operator/step-registry/ingress/metallb/ingress-metallb-workflow.yaml @@ -0,0 +1,22 @@ +workflow: + as: ingress-metallb + steps: + allow_best_effort_post_steps: true + env: + DEVSCRIPTS_CONFIG: | + IP_STACK=v4 + NETWORK_TYPE=OVNKubernetes + pre: + - chain: baremetalds-ofcir-pre + - ref: ingress-metallb-conf + post: + - chain: baremetalds-ofcir-post + documentation: |- + The ingress-metallb workflow provides pre- and post- steps that provision and + deprovision an OpenShift cluster with a default configuration on bare metal using + dev-scripts on a provisioning host, allowing job authors to inject their own + ingress-related test logic for MetalLB scenarios. + + This workflow uses the baremetalds-ofcir infrastructure to set up a bare metal cluster + suitable for testing ingress features with MetalLB load balancer. Tests run on the + provisioning host via SSH. diff --git a/clusters/app.ci/release-controller/admin_01_releasepayload_crd.yaml b/clusters/app.ci/release-controller/admin_01_releasepayload_crd.yaml index 1113648d042f2..e69de29bb2d1d 100644 --- a/clusters/app.ci/release-controller/admin_01_releasepayload_crd.yaml +++ b/clusters/app.ci/release-controller/admin_01_releasepayload_crd.yaml @@ -1,431 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: releasepayloads.release.openshift.io -spec: - group: release.openshift.io - names: - kind: ReleasePayload - listKind: ReleasePayloadList - plural: releasepayloads - singular: releasepayload - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ReleasePayload encapsulates the information for the creation of a ReleasePayload and aggregates the results of its respective verification tests. \n The release-controller is configured to monitor imagestreams, in a specific namespace, that are annotated with a ReleaseConfig. The ReleaseConfig is a definition of how releases are calculated. When a ReleasePayload is generated, it will be generated in the same namespace as the imagstream that produced it. If/when an update occurs, to one of these imagestreams, the release-controller will: 1. Create a point-in-time mirror of the updated imagestream 2. Create a new Release from the mirror - Any errors before this point will cause the release to marked `Failed` 3. Launches a set of release analysis jobs 4. Launches an aggregation job 5. Launches a set of release verification jobs - These can either be `Blocking Jobs` which will prevent release acceptance or `Informing Jobs` which will not prevent release acceptance. 6. For Stable releases, launches a set of jobs to test a subset of the supported upgrades defined inside the release image itself. While these jobs do not have any real bearing on the acceptance or rejection of a ReleasePayload, they will be monitored and their respective results captured. The hope would be to use these results to provide a convenient way to override a \"Rejected\" release caused by a blocking upgrade job. 7. Monitors for job completions - If all `Blocking Jobs` complete successfully, then the release is `Accepted`. If any `Blocking Jobs` fail, the release will be marked `Rejected` 8. Publishes all results to the respective webpage \n Example: ART: 1. Publishes an update to the `ocp/4.9-art-latest` imagestream \n Release-controller: 1. Creates a mirror named: `ocp/4.9-art-latest-2021-09-27-105859` 2. Creates a ReleasePayload: `ocp/4.9.0-0.nightly-2021-09-27-105859` -Labels: release.openshift.io/imagestream=release release.openshift.io/imagestreamtag-name=4.9.0-0.nightly-2021-09-27-105859 3. Creates an OpenShift Release: `ocp/release:4.9.0-0.nightly-2021-09-27-105859` 4. Update ReleasePayload conditions with results of release creation job If the release was created successfully, the release-controller: 5. Launches: 4.9.0-0.nightly-2021-09-27-105859-aggregated--analysis- 6. Launches: 4.9.0-0.nightly-2021-09-27-105859-aggregated--aggregator 7. Launches: 4.9.0-0.nightly-2021-09-27-105859- \n When ART promotes a GA release, they will assemble releases themselves, publish it to quay.io, and then update the \"stable\" release stream (i.e. ocp/release) with the corresponding payload. In this scenario, the release-controller will perform all the same steps, mentioned above, but the mirror will be named after the \"official\" release (i.e. 4.9.7) and not not contain a timestamp. Likewise, any verification tests will only contain the release name and the name of the verification test as defined in the ReleaseConfig. The release-controller will also launch a small sample of jobs to test upgrades from the list of upgrade versions defined inside the release image itself: \n For example: $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.22-x86_64 \n The list of supported upgrades is: 4.10.16, 4.10.17, 4.10.18, 4.10.20, 4.10.21, 4.10.22, 4.10.23, 4.10.24, 4.10.25, 4.10.26, 4.10.27, 4.10.28, 4.10.29, 4.10.30, 4.10.31, 4.10.32, 4.10.33, 4.10.34, 4.10.35, 4.10.36, 4.10.37, 4.10.38, 4.10.39, 4.10.40, 4.10.41, 4.10.42, 4.10.43, 4.10.44, 4.10.45, 4.10.46, 4.10.47, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.11.8, 4.11.9, 4.11.10, 4.11.11, 4.11.12, 4.11.13, 4.11.14, 4.11.16, 4.11.17, 4.11.18, 4.11.19, 4.11.20, 4.11.21 \n From the list above, the release-controller will launch a subset of jobs named like: 4.11.22-upgrade-from-4.10.16- 4.11.22-upgrade-from-4.11.0- \n Where is defined in the Release Configuration definitions in the openshift/release repo: https://github.com/openshift/release/blob/e5c9122144c09c4095f0f87888b9685712dc7b1e/core-services/release-controller/_releases/release-ocp-4.y-stable.json#L20-L30 \n Mapping from a Release to ReleasePayload: A ReleasePayload will always be named after the Release that it corresponds to, with the addition of a random string suffix. Both objects will reside in the same namespace. \n For a release: `ocp/release:4.9.0-0.nightly-2021-09-27-105859` A corresponding ReleasePayload will exist: `ocp/4.9.0-0.nightly-2021-09-27-105859` \n Mapping from ReleasePayload to Release: A ReleasePayload is decorated with a couple labels that will point back to the Release that it corresponds to: - release.openshift.io/imagestream=release - release.openshift.io/imagestreamtag-name=4.9.0-0.nightly-2021-09-27-105859 \n Because the ReleasePayload and the Release will both reside in the same namespace, the release that created the ReleasePayload will be located here: \n /: \n Similarly, the ReleasePayload object itself also has the PayloadCoordinates (.spec.payloadCoordinates) that point back to the Release as well: \n spec: payloadCoordinates: imagestreamName: release imagestreamTagName: 4.9.0-0.nightly-2021-09-27-105859 namespace: ocp \n The release that created the ReleasePayload will be located here: \n /: \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec the inputs used to create the ReleasePayload - type: object - properties: - payloadCoordinates: - description: PayloadCoordinates the coordinates of the imagestreamtag that this ReleasePayload was created from - type: object - properties: - imagestreamName: - description: 'ImagestreamName is the location of the configured "release" imagestream - This is a configurable parameter ("to") passed into the release-controller via the ReleaseConfig''s defined here: https://github.com/openshift/release/blob/master/core-services/release-controller/_releases' - type: string - imagestreamTagName: - description: ImagestreamTagName is the name of the actual release - type: string - namespace: - description: Namespace must match that of the ReleasePayload - type: string - payloadCreationConfig: - description: PayloadCreationConfig the configuration used when creating the ReleasePayload - type: object - properties: - prowCoordinates: - description: ProwCoordinates houses the configuration for Prow - type: object - properties: - namespace: - description: Namespace the namespace where Prow is configured to run prowv1.ProwJobs - type: string - releaseCreationCoordinates: - description: ReleaseCreationCoordinates houses the configuration of the release creation job - type: object - properties: - namespace: - description: Namespace the namespace where the release creation batchv1.Jobs are created - type: string - releaseCreationJobName: - description: ReleaseCreationJobName the name the release creation batchv1.Job - type: string - releaseMirrorCoordinates: - description: ReleaseMirrorCoordinates houses the configuration of the release mirror job - type: object - properties: - namespace: - description: Namespace the namespace where the release mirror batchv1.Jobs are created - type: string - releaseMirrorJobName: - description: ReleaseCreationJobName the name the release mirror batchv1.Job - type: string - payloadOverride: - description: PayloadOverride specified when manual intervention is required to manually Accept or Reject a ReleasePayload - type: object - properties: - override: - description: Override specifies the ReleasePayloadOverride to apply to the ReleasePayload - type: string - reason: - description: Reason is a human-readable string that specifies the reason for manually overriding the Acceptance/Rejections of a ReleasePayload - type: string - payloadVerificationConfig: - description: PayloadVerificationConfig the configuration that will be used to verify this ReleasePayload - type: object - properties: - blockingJobs: - description: BlockingJobs are release verification jobs that will prevent a ReleasePayload from being Accepted if the job fails - type: array - items: - description: CIConfiguration is an Openshift CI system's job definition of a verification test to run against a ReleasePayload - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the actual name of the prowjob definition as stored in the CI Job Configuration. This value is used to lookup and read in the prowjob for processing by the release-controller - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test. This value will be used as the key to look up the configuration and the results of the respective verification test - type: string - maxRetries: - description: MaxRetries Maximum retry attempts for the job. Defaults to 0 - do not retry on fail - type: integer - informingJobs: - description: InformingJobs are release verification jobs used to execute tests against a ReleasePayload - type: array - items: - description: CIConfiguration is an Openshift CI system's job definition of a verification test to run against a ReleasePayload - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the actual name of the prowjob definition as stored in the CI Job Configuration. This value is used to lookup and read in the prowjob for processing by the release-controller - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test. This value will be used as the key to look up the configuration and the results of the respective verification test - type: string - maxRetries: - description: MaxRetries Maximum retry attempts for the job. Defaults to 0 - do not retry on fail - type: integer - payloadVerificationDataSource: - description: PayloadVerificationDataSource where JobRunResult will be collected from. - type: string - default: BuildFarmLookup - enum: - - BuildFarmLookup - - ImageStreamTagAnnotation - x-kubernetes-validations: - - rule: self == oldSelf - message: PayloadVerificationDataSource is immutable - upgradeJobs: - description: UpgradeJobs are automatically generated jobs used to execute upgrade tests against a ReleasePayload - type: array - items: - description: CIConfiguration is an Openshift CI system's job definition of a verification test to run against a ReleasePayload - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the actual name of the prowjob definition as stored in the CI Job Configuration. This value is used to lookup and read in the prowjob for processing by the release-controller - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test. This value will be used as the key to look up the configuration and the results of the respective verification test - type: string - maxRetries: - description: MaxRetries Maximum retry attempts for the job. Defaults to 0 - do not retry on fail - type: integer - x-kubernetes-validations: - - rule: '!has(oldSelf.payloadVerificationDataSource) || has(self.payloadVerificationDataSource)' - message: PayloadVerificationDataSource is required once set - releaseCoordinates: - description: ReleaseCoordinates list of ReleaseCoordinates where this ReleasePayload has been, or will be, published - type: array - items: - description: ReleaseCoordinates specifies the location where this ReleasePayload has been, or will be, published to. - type: object - properties: - digest: - type: string - repository: - type: string - tag: - type: string - status: - description: Status is the current status of the ReleasePayload - type: object - properties: - blockingJobResults: - description: BlockingJobResults stores the results of all blocking jobs - type: array - items: - description: JobStatus encapsulates the name of the job, all the results of the jobs, and an aggregated result of all the jobs - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the name of the prowjob definition as stored in the CI Job Configuration - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test - type: string - maxRetries: - description: MaxRetries maximum times to retry a job - type: integer - results: - description: JobRunResults contains the links for individual jobs - type: array - items: - description: JobRunResult the results of a prowjob run The release-controller creates ProwJobs (prowv1.ProwJob) during the sync_ready control loop and relies on an informer to process jobs, that it created, as they are completed. The JobRunResults will be created, by the release-controller during the sync_ready loop and updated whenever any changes, to the respective job is received by the informer. - type: object - properties: - completionTime: - description: CompletionTime timestamp for when the prow pipeline controller observes the final state of the ProwJob For instance, if a client Aborts a ProwJob, the Pipeline controller will receive notification of the change and update the PtowJob's Status accordingly. - type: string - format: date-time - coordinates: - description: Coordinates the location of the job - type: object - properties: - cluster: - type: string - name: - type: string - namespace: - type: string - humanProwResultsURL: - description: HumanProwResultsURL the html link to the prow results - type: string - startTime: - description: StartTime timestamp for when the prowjob was created - type: string - format: date-time - state: - description: State the current state of the job run - type: string - upgradeType: - description: UpgradeType the type of upgrade performed via this job - type: string - state: - description: AggregateState is the overall success/failure of all the executed jobs - type: string - conditions: - description: Conditions communicates the state of the ReleasePayload. Supported conditions include PayloadCreated, PayloadFailed, PayloadAccepted, and PayloadRejected. - type: array - items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - type: object - required: - - lastTransitionTime - - message - - reason - - status - - type - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - type: string - format: date-time - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - type: string - maxLength: 32768 - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - type: integer - format: int64 - minimum: 0 - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - type: string - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - status: - description: status of the condition, one of True, False, Unknown. - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - type: string - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - informingJobResults: - description: InformingJobResults stores the results of all informing jobs - type: array - items: - description: JobStatus encapsulates the name of the job, all the results of the jobs, and an aggregated result of all the jobs - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the name of the prowjob definition as stored in the CI Job Configuration - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test - type: string - maxRetries: - description: MaxRetries maximum times to retry a job - type: integer - results: - description: JobRunResults contains the links for individual jobs - type: array - items: - description: JobRunResult the results of a prowjob run The release-controller creates ProwJobs (prowv1.ProwJob) during the sync_ready control loop and relies on an informer to process jobs, that it created, as they are completed. The JobRunResults will be created, by the release-controller during the sync_ready loop and updated whenever any changes, to the respective job is received by the informer. - type: object - properties: - completionTime: - description: CompletionTime timestamp for when the prow pipeline controller observes the final state of the ProwJob For instance, if a client Aborts a ProwJob, the Pipeline controller will receive notification of the change and update the PtowJob's Status accordingly. - type: string - format: date-time - coordinates: - description: Coordinates the location of the job - type: object - properties: - cluster: - type: string - name: - type: string - namespace: - type: string - humanProwResultsURL: - description: HumanProwResultsURL the html link to the prow results - type: string - startTime: - description: StartTime timestamp for when the prowjob was created - type: string - format: date-time - state: - description: State the current state of the job run - type: string - upgradeType: - description: UpgradeType the type of upgrade performed via this job - type: string - state: - description: AggregateState is the overall success/failure of all the executed jobs - type: string - releaseCreationJobResult: - description: ReleaseCreationJobResult stores the coordinates and status of the release creation job that is created, by the release-controller, to create the release imagestream defined by the PayloadCoordinates in the ReleasePayloadSpec. If the release creation job fails to get created or completes unsuccessfully, the ReleasePayload will automatically be "Rejected". If the release creation job is successful, the release-controller will then begin the validation process. - type: object - properties: - coordinates: - description: Coordinates the location of the batch/v1 Job - type: object - properties: - name: - type: string - namespace: - type: string - message: - description: Message is a human-readable message indicating details about the result of the release creation job - type: string - status: - description: Status is the current status of the release creation job - type: string - releaseMirrorJobResult: - description: ReleaseMirrorJobResult stores the coordinates and status of the release mirror job that is created, by the release-controller, to mirror the release, defined by the PayloadCoordinates in the ReleasePayloadSpec, to an external registry. If the release mirror job fails to get created or completes unsuccessfully, the ReleasePayload may still be processed and verified accordingly. If the release mirror job is successful, then this ReleasePayload will be available in the external registry. - type: object - properties: - coordinates: - description: Coordinates the location of the batch/v1 Job - type: object - properties: - name: - type: string - namespace: - type: string - message: - description: Message is a human-readable message indicating details about the result of the release mirror job - type: string - status: - description: Status is the current status of the release mirror job - type: string - upgradeJobResults: - description: UpgradeJobResults stores the results of generated upgrade jobs - type: array - items: - description: JobStatus encapsulates the name of the job, all the results of the jobs, and an aggregated result of all the jobs - type: object - properties: - analysisJobCount: - description: AnalysisJobCount Number of asynchronous jobs to execute for release analysis. - type: integer - ciConfigurationJobName: - description: CIConfigurationJobName is the name of the prowjob definition as stored in the CI Job Configuration - type: string - ciConfigurationName: - description: CIConfigurationName the unique name given to a verification test - type: string - maxRetries: - description: MaxRetries maximum times to retry a job - type: integer - results: - description: JobRunResults contains the links for individual jobs - type: array - items: - description: JobRunResult the results of a prowjob run The release-controller creates ProwJobs (prowv1.ProwJob) during the sync_ready control loop and relies on an informer to process jobs, that it created, as they are completed. The JobRunResults will be created, by the release-controller during the sync_ready loop and updated whenever any changes, to the respective job is received by the informer. - type: object - properties: - completionTime: - description: CompletionTime timestamp for when the prow pipeline controller observes the final state of the ProwJob For instance, if a client Aborts a ProwJob, the Pipeline controller will receive notification of the change and update the PtowJob's Status accordingly. - type: string - format: date-time - coordinates: - description: Coordinates the location of the job - type: object - properties: - cluster: - type: string - name: - type: string - namespace: - type: string - humanProwResultsURL: - description: HumanProwResultsURL the html link to the prow results - type: string - startTime: - description: StartTime timestamp for when the prowjob was created - type: string - format: date-time - state: - description: State the current state of the job run - type: string - upgradeType: - description: UpgradeType the type of upgrade performed via this job - type: string - state: - description: AggregateState is the overall success/failure of all the executed jobs - type: string - served: true - storage: true - subresources: - status: {}