Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat : Valid (SingleNamespaced) Operator Installation in tenant namespace #2589

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat : Valid (SingleNamespaced) Operator Installation in tenant namespace #2589

wants to merge 6 commits into from
+392 −125

Conversation

bnshr
Copy link
Contributor

@bnshr bnshr commented Nov 25, 2024

Refers the issue

@bnshr bnshr marked this pull request as draft November 25, 2024 14:08
@bnshr bnshr force-pushed the CNFCERT-1088 branch 3 times, most recently from 98cb58b to 56d4773 Compare November 25, 2024 14:39
@dcibot
Copy link
Collaborator

dcibot commented Nov 25, 2024

from change #2589:

@bnshr bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 1f928d0 to e3fd824 Compare November 25, 2024 15:09
@dcibot
Copy link
Collaborator

dcibot commented Nov 25, 2024

from change #2589:

@bnshr bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 33278d6 to 26570f7 Compare November 25, 2024 16:20
@dcibot
Copy link
Collaborator

dcibot commented Nov 25, 2024

from change #2589:

@bnshr bnshr marked this pull request as ready for review November 25, 2024 19:17
sebrandon1
sebrandon1 reviewed Nov 25, 2024
View reviewed changes
Copy link
Member

@sebrandon1 sebrandon1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initial set of comments

tests/operator/suite.go Outdated Show resolved Hide resolved
tests/operator/helper.go Outdated Show resolved Hide resolved
tests/operator/helper.go Outdated Show resolved Hide resolved
tests/operator/helper.go Show resolved Hide resolved
@bnshr bnshr force-pushed the CNFCERT-1088 branch 5 times, most recently from fad4dfa to 822dfe9 Compare November 26, 2024 16:15
@bnshr bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 2ba0ff8 to 475f7b6 Compare November 27, 2024 20:29
@bnshr bnshr mentioned this pull request Nov 28, 2024
Merged
greyerof
greyerof reviewed Nov 29, 2024
View reviewed changes
tests/operator/suite.go Outdated Show resolved Hide resolved
@bnshr bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 100a06b to 4a90823 Compare January 22, 2025 17:12
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/suite.go Outdated Show resolved Hide resolved
@bnshr bnshr force-pushed the CNFCERT-1088 branch 3 times, most recently from f1e2476 to 0e6d3e1 Compare January 22, 2025 17:52
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/helper.go Outdated Show resolved Hide resolved
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
CATALOG.md Outdated Show resolved Hide resolved
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/helper.go Outdated Show resolved Hide resolved
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/helper.go Outdated Show resolved Hide resolved
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/suite.go Outdated Show resolved Hide resolved
edcdavid
edcdavid reviewed Jan 22, 2025
View reviewed changes
tests/operator/helper.go
validOwnerFound := false
for _, owner := range topOwners {
if owner.Kind == v1alpha1.ClusterServiceVersionKind && owner.Namespace == namespace {
foundCsvs[owner.Name] = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may need more checks here. other valid top owner could be the operands created based on the crds installed by this operator. Actually these operands can only be installed in the single operator namespace. For instance, for prometheus, pods belonging to the prometheus object top owner should be valid. We could list all the crds installs by this operator by reading the crd label: "operatorframework.io/installed-alongside-..." or similar then use the crd name to identify valid top owners.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@edcdavid that's only valid for operators installed with the ownNamespace mode. For singleNamespace operators, the controller is running in namespace A and watches for CRs in namespace B, so, in theory, operand pods should only be found in namespace B.

The problem is the requirement only referes to SingleNamespaced and AllNamespaced operators... so what about ownNamespaced and multiNamespaced ones?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, you are right about single namespace vs own namespace, in single namespace only mode, the operand should be in only in namespace B, sorry for the confusion. So in this case, we still need a way to ignore the csv that will be created in namespace B otherwise it will be picked up as an operator namespace.

Copy link
Member

@edcdavid edcdavid Jan 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is the requirement only referes to SingleNamespaced and AllNamespaced operators... so what about ownNamespaced and multiNamespaced ones?

In my opinion, the multi namespace is similar to the single namespace and it would make sense to support it here.

@dcibot
Copy link
Collaborator

dcibot commented Jan 22, 2025

from change #2589:

@bnshr bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from a019beb to 23f4b89 Compare January 23, 2025 07:39
@dcibot
Copy link
Collaborator

dcibot commented Jan 23, 2025

from change #2589:

@dcibot
Copy link
Collaborator

dcibot commented Jan 23, 2025

from change #2589:

edcdavid
edcdavid reviewed Jan 23, 2025
View reviewed changes
tests/operator/helper.go Outdated Show resolved Hide resolved
@bnshr bnshr changed the title feat : Proper operator installation inside tenant namespace feat : (SingleNamespaced) Operator Installation in tenant namespace Jan 24, 2025
@bnshr bnshr changed the title feat : (SingleNamespaced) Operator Installation in tenant namespace feat : Valid (SingleNamespaced) Operator Installation in tenant namespace Jan 24, 2025
@dcibot
Copy link
Collaborator

dcibot commented Jan 24, 2025

from change #2589:

@dcibot
Copy link
Collaborator

dcibot commented Jan 24, 2025

from change #2589:

@greyerof
Copy link
Contributor

Leaving this comment just to summarize what we've been talking in the internal meeting:

ns1
  operatorgroup's.targetNamespaces = ns2
  subsOp1
  subsOp2
  csvOp1  -> valid
  csvOp2  -> valid

  op1-controller-pod  -> valid
  op2-controller-pod  -> valid
  
  csvOp3        -> invalid
  workload-pod  -> invalid
ns2
  csvOp1
  csvOp2
  
  Op1CR
  Op2CR
  op1-operand-pod1
  op2-operand-pods1
  
ns3
  workload-pod1
  workload-pod2
  
ns4
 operatogroup's.targetNamespaces = ns1
 subsOp3

In ns1, due to operatogroup's.targetNamespaces = ns2, only singleNamespaced operators are allowed, therefore there should be only controller pods of Op1 and Op2. Any workload pod, operand pod or csv from singleNamespace operators installed in a different ns (e.g. csvOp3) should make the tc to fail.

@bnshr
Copy link
Contributor Author

bnshr commented Jan 27, 2025

In ns1, due to operatogroup's.targetNamespaces = ns2, only singleNamespaced operators are allowed, therefore there should be only controller pods of Op1 and Op2. Any workload pod, operand pod or csv from singleNamespace operators installed in a different ns (e.g. csvOp3) should make the tc to fail.

What messages do we expect for non-compliant namespaces / operators?

@greyerof
Copy link
Contributor

In ns1, due to operatogroup's.targetNamespaces = ns2, only singleNamespaced operators are allowed, therefore there should be only controller pods of Op1 and Op2. Any workload pod, operand pod or csv from singleNamespace operators installed in a different ns (e.g. csvOp3) should make the tc to fail.

What messages do we expect for non-compliant namespaces / operators?

Not a strong opinion on this, but I think we should use the ReportObject's "AddField" method to include every resource found that makes that namespace not compatible with the operator under test. E.g.:

nonCompliantNs := NewNamespacedReportObject("Namespace ns1 is not a valid dedicated namespace for singleNamespace operators", testhelper.Namespace, false, operatorNamespace)
// For any workload pod (not belonging to any operator)
for _, podName := range podsBelongingToNoOperators {
	nonCompliantNs.AddField("Invalid pods found",podName)
}

// For CSV founds in ns1 that belong to ownNamespace/multiNamespace operators not installed in ns1.
for _, csvName := range csvNotBelongingToSingleNamespaceOperators {
	nonCompliantNs.AddField("Invalid CSV found",csvName)
}

// For any operand pod not belonging to the singleNamespace operators installed in ns1
for _, podName := range operandPodNotBelongingToSingleNamespaceOperators {
	nonCompliantNs.AddField("Invalid operand pod found",csvName)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@greyerof greyerof greyerof left review comments

@edcdavid edcdavid edcdavid left review comments

@sebrandon1 sebrandon1 sebrandon1 left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
v1.6 BP Update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bnshr @dcibot @greyerof @sebrandon1 @edcdavid