feat : Valid (SingleNamespaced) Operator Installation in tenant namespace #2589

+	operatorNamespaces := make(map[string]bool)
+	for _, operator := range env.Operators {
+		operatorNamespaces[operator.Namespace] = true
+	}
+
+	for operatorNamespace := range operatorNamespaces {


Just thinking aloud.

Suggested change

operatorNamespaces := make(map[string]bool)

for _, operator := range env.Operators {

operatorNamespaces[operator.Namespace] = true

}

for operatorNamespace := range operatorNamespaces {

singleNamespaceOperators := make(map[string]bool)

for _, operator := range env.Operators {

// Add short circuit/not add cluster wide namespace to the list.

singleNamespaceOperators[operator.Namespace] = true

}

for operatorNamespace := range singleNamespaceOperators {

I mark this as resolved by adding a new helper function to generate all non-compliant object message which would help to understand what conditions fail this test. Unit test is added for the same as well.

tests/operator/suite.go

tests/operator/helper.go

CATALOG.md

tests/operator/helper.go

edcdavid · 2025-01-22T19:47:53Z

tests/operator/helper.go

+	if len(podsBelongingToNoOperators) == 0 && allOperatorsFoundInNamespaceAreValid {
+		return true, singleNamespacedCsvs, allNamespacedCsvs, podsBelongingToNoOperators, nil
+	} else {
+		return false, singleNamespacedCsvs, allNamespacedCsvs, podsBelongingToNoOperators, err


return nil here

tests/operator/suite.go

edcdavid · 2025-01-22T20:15:45Z

tests/operator/helper.go

+		validOwnerFound := false
+		for _, owner := range topOwners {
+			if owner.Kind == v1alpha1.ClusterServiceVersionKind && owner.Namespace == namespace {
+				foundCsvs[owner.Name] = true


We may need more checks here. other valid top owner could be the operands created based on the crds installed by this operator. Actually these operands can only be installed in the single operator namespace. For instance, for prometheus, pods belonging to the prometheus object top owner should be valid. We could list all the crds installs by this operator by reading the crd label: "operatorframework.io/installed-alongside-..." or similar then use the crd name to identify valid top owners.

@edcdavid that's only valid for operators installed with the ownNamespace mode. For singleNamespace operators, the controller is running in namespace A and watches for CRs in namespace B, so, in theory, operand pods should only be found in namespace B.

The problem is the requirement only referes to SingleNamespaced and AllNamespaced operators... so what about ownNamespaced and multiNamespaced ones?

ah, you are right about single namespace vs own namespace, in single namespace only mode, the operand should be in only in namespace B, sorry for the confusion. So in this case, we still need a way to ignore the csv that will be created in namespace B otherwise it will be picked up as an operator namespace.

The problem is the requirement only referes to SingleNamespaced and AllNamespaced operators... so what about ownNamespaced and multiNamespaced ones?

In my opinion, the multi namespace is similar to the single namespace and it would make sense to support it here.

dcibot · 2025-01-22T20:38:41Z

from change #2589:

SUCCESS https://www.distributed-ci.io/jobs/b73cd31a-38da-4805-8bc9-23ac3745d36c/jobStates

dcibot · 2025-01-23T08:04:31Z

from change #2589:

SUCCESS https://www.distributed-ci.io/jobs/d73113b7-90a5-4bc3-a865-f6414ef4b94a/jobStates

dcibot · 2025-01-23T10:26:32Z

from change #2589:

SUCCESS https://www.distributed-ci.io/jobs/9d22627d-1c84-49f2-8f1a-0d2b4ca2c804/jobStates

tests/operator/helper.go

dcibot · 2025-01-24T16:21:06Z

from change #2589:

SUCCESS https://www.distributed-ci.io/jobs/a69ff64c-3d2f-40f0-a048-880c143e4510/jobStates

dcibot · 2025-01-24T18:43:28Z

from change #2589:

SUCCESS https://www.distributed-ci.io/jobs/054d456a-7f06-4a38-8e09-257a9ff5156a/jobStates

bnshr marked this pull request as draft November 25, 2024 14:08

bnshr force-pushed the CNFCERT-1088 branch 3 times, most recently from 98cb58b to 56d4773 Compare November 25, 2024 14:39

bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 1f928d0 to e3fd824 Compare November 25, 2024 15:09

bnshr force-pushed the CNFCERT-1088 branch from 8b18241 to b4a0129 Compare November 25, 2024 16:11

bnshr added the dci-disable label Nov 25, 2024

bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 33278d6 to 26570f7 Compare November 25, 2024 16:20

bnshr force-pushed the CNFCERT-1088 branch from 26570f7 to 178eabe Compare November 25, 2024 17:08

bnshr marked this pull request as ready for review November 25, 2024 19:17

sebrandon1 reviewed Nov 25, 2024

View reviewed changes

tests/operator/suite.go Outdated Show resolved Hide resolved

tests/operator/helper.go Outdated Show resolved Hide resolved

tests/operator/helper.go Outdated Show resolved Hide resolved

tests/operator/helper.go Show resolved Hide resolved

bnshr force-pushed the CNFCERT-1088 branch 5 times, most recently from fad4dfa to 822dfe9 Compare November 26, 2024 16:15

sebrandon1 added self-hosted-disable v1.6 BP Update labels Nov 26, 2024

bnshr force-pushed the CNFCERT-1088 branch from c4a0c1f to cc41ebc Compare November 27, 2024 20:07

Operator Installation outside of targetNamespace

823568a

bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 2ba0ff8 to 475f7b6 Compare November 27, 2024 20:29

bnshr mentioned this pull request Nov 28, 2024

Add nginx operator for testing redhat-best-practices-for-k8s/certsuite-sample-workload#515

Merged

bnshr force-pushed the CNFCERT-1088 branch from 475f7b6 to 30ba6a2 Compare November 28, 2024 15:48

greyerof reviewed Nov 29, 2024

View reviewed changes

tests/operator/suite.go Outdated Show resolved Hide resolved

bnshr force-pushed the CNFCERT-1088 branch from 9b77267 to e7b2431 Compare January 22, 2025 15:31

sebrandon1 reviewed Jan 22, 2025

View reviewed changes

bnshr force-pushed the CNFCERT-1088 branch 2 times, most recently from 100a06b to 4a90823 Compare January 22, 2025 17:12