
WIP: OTA-1956: install: Add a TechPreviewNoUpgrade cluster-update console plugin#1388

Open
wking wants to merge 4 commits into openshift:main from wking:cluster-update-console-plugin

Conversation

@wking
Member

@wking wking commented May 12, 2026

The console folks are pushing to decentralize console implementation away from the console repository, so we've created a new console plugin for cluster updates. It's built by both CI and ART. Checking on app.ci ImageStreams:

$ oc whoami -c
default/api-ci-l2s4-p1-openshiftapps-com:6443/wking
$ oc -n ocp get -o json imagestream 5.0 | jq -r '.status.tags[] | select(.tag == "cluster-update-console-plugin").items[] | .created + " " + .image'
2026-05-01T20:55:38Z sha256:10e4f1b5763f40372823173b2a9528777ff8e97d416c5447e10df023c0e35656
2026-04-29T05:00:56Z sha256:b0433455cbbff13bdda03ee78371e18c139adebc00432dea716e8cdf83eeb042
2026-04-17T11:10:31Z sha256:e1296b64ffb35757fb2fb56bb5dd9cbd55c7f17f9f59c0a10a2d71a0ad6702d3
$ oc -n ocp get -o json imagestream 5.0-art-latest | jq -r '.status.tags[] | select(.tag == "cluster-update-console-plugin").items[] | .created + " " + .image'
2026-05-12T19:45:33Z sha256:b943be0ae0eba97c27741d0184e99a77ea928749cc578ae7e17a8e5329652642
2026-05-12T14:42:55Z sha256:c29ba37ef5a426de5320d680d3fb58befc530274e6df4c32b4dc4fd0acaaaae0
2026-05-12T09:02:35Z sha256:901bc6aac1142fe1da2a756bb4d91ae8fe14b459ce2bf9904ceae6d2fc818fc2
2026-05-12T04:38:56Z sha256:1f4e8b200d97f82db1784b4d7fc9f0bd3ccaf2cc664fd5f0ff6b80485da16950
2026-05-11T22:54:34Z sha256:d369ca7c73d7a3abe159e9e6f5644f63e0b091f0b75f202773a023e91c7faaf6

This commit sets up an image-references file, so oc adm release new ... knows that we'll want that image injected in the Deployment manifest. I'm using placeholder.url.oc.will.replace.this.example.org as part of my placeholder name. That's similar to the machine-config operator's use of placeholder.url.oc.will.replace.this.org, except that I'm using a subdomain of the reserved example.com, to avoid any possible confusion with an actually in-use domain.

The new manifests are in run-level 50, which is the default, so they can roll out in parallel with other components to avoid slowing updates.

The new manifests are tied to the Console capability and the TechPreviewNoUpgrade feature set (in the absence of a specific feature gate for this functionality).

I'm just carrying the old exclude.release.openshift.io/internal-openshift-hosted annotation over from other CVO manifests. It predates cluster profiles, and I'm not sure anyone still uses it, but it seems like the CVO should be consistent about whether it matters or not anymore. Perhaps we can drop it from all CVO manifests in follow-up work.

Otherwise these manifests are loosely based on my attempts to meld the plugin's Helm chart templates with existing CVO manifest conventions.

Summary by CodeRabbit

  • New Features

    • Added "Cluster Updates" console plugin (Tech Preview) with UI integration and backend service, plus image reference.
  • Chores

    • Provisioned plugin namespace with pod-security settings and labels.
    • Enforced a default‑deny network policy for the namespace.
    • Added deployment and service for the plugin.
    • Added Prometheus scraping and alerting rules to monitor update/operator conditions.
  • Tests

    • Test adjustments to skip image reference files during manifest rendering.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 12, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented May 12, 2026

@wking: This pull request references OTA-1956 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 12, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds Kubernetes/OpenShift manifests to install the Cluster Updates console plugin: a namespace with pod-security labels and annotations, a default-deny NetworkPolicy, a hardened Deployment and ClusterIP Service, ServiceMonitor and PrometheusRule alerts, a ConsolePlugin resource, an ImageStream reference, and a small test change to skip image-references during rendering.

Changes

Cluster Update Console Plugin

Layer: Namespace and network baseline
Files: install/0000_50_cluster-update-console-plugin_10_namespace.yaml, install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
Summary: Creates Namespace openshift-cluster-update-console-plugin with descriptive and OpenShift release/capability annotations and labels (monitoring, pod-security). Adds NetworkPolicy default-deny in that namespace with policyTypes: [Ingress, Egress] and empty rules to enforce default-deny.

Layer: Deployment runtime and pod security
Files: install/0000_50_cluster-update-console-plugin_50_deployment.yaml
Summary: Adds Deployment cluster-update-console-plugin in the plugin namespace: rolling update strategy, labels/selectors, single-replica template with nodeSelector: node-role.kubernetes.io/infra, priorityClassName: system-cluster-critical, automountServiceAccountToken: false, terminationGracePeriodSeconds: 30, toleration for infra nodes, cert volume from secret cluster-update-console-plugin-cert, container plugin (image placeholder) exposing port 9001, resource requests (20m CPU, 50Mi), non-root and hardened securityContext (no privilege escalation, drop ALL capabilities, seccomp RuntimeDefault).

Layer: Service and metadata annotations
Files: install/0000_50_cluster-update-console-plugin_60_service.yaml
Summary: Adds Service openshift-cluster-update-console-plugin (ClusterIP) selecting app: cluster-update-console-plugin, exposes port 9001 with targetPort: https, and includes OpenShift capability/feature-set and release include/exclude annotations.

Layer: Prometheus scraping & alerting
Files: install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml
Summary: Adds ServiceMonitor cluster-version-operator in openshift-cluster-version scraping metrics port over HTTPS with client TLS and 30s interval. Adds PrometheusRule cluster-version-operator with rule groups cluster-version and cluster-operators and alerts: ClusterVersionOperatorDown, CannotRetrieveUpdates, UpdateAvailable, ClusterReleaseNotAccepted, ClusterNotUpgradeable, ClusterOperatorDown, ClusterOperatorDegraded, ClusterOperatorFlapping, CannotEvaluateConditionalUpdates (with PromQL exprs, for durations, severity labels, and annotations).

Layer: Console plugin registration and image reference
Files: install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml, install/image-references
Summary: Adds ConsolePlugin openshift-cluster-update-console-plugin (displayName "Cluster Updates", TechPreviewNoUpgrade, preloaded i18n, backend service cluster-update-console-plugin over https at /). Adds install/image-references ImageStream tag cluster-update-console-plugin referencing a placeholder DockerImage.

Layer: Test render skip for image-references
Files: pkg/payload/render_test.go
Summary: Updates Test_cvoManifests directory walk to skip files named image-references to avoid attempting to render that file as a manifest during the test run.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility ⚠️ Warning Deployment uses nodeSelector node-role.kubernetes.io/infra, which doesn't exist on SNO, Two-Node, or HyperShift, causing pods to remain Pending indefinitely. Check ControlPlaneTopology before applying infra nodeSelector; use preferred scheduling or topology-independent approach; verify with SNO/Two-Node CI.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies the main change as adding a TechPreviewNoUpgrade cluster-update console plugin with manifest files to the install directory, matching the changeset's primary focus.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Codebase uses Go testing.T, not Ginkgo. No Ginkgo test definitions found. The test file change only adds a skip condition with no test name modifications.
Test Structure And Quality ✅ Passed PR modifies standard Go tests, not Ginkgo tests. Custom check requires reviewing Ginkgo test code, which is not applicable.
Microshift Test Compatibility ✅ Passed All new Ginkgo e2e tests added in test/cvo/*.go are protected from running on MicroShift using util.SkipIfMicroshift() which invokes g.Skip(), the recommended protection mechanism.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. Changes are limited to Kubernetes manifests and a minor modification to skip image-references files in an existing unit test's directory walk logic.
Ote Binary Stdout Contract ✅ Passed PR only adds YAML manifests and modifies a test function with a skip condition—no process-level code writes to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds Kubernetes manifests and modifies existing unit test only; no new Ginkgo e2e tests are introduced, so IPv6/disconnected network check is not applicable.
No-Weak-Crypto ✅ Passed No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or non-constant-time comparisons found. TLS uses proper client certificate authentication.
Container-Privileges ✅ Passed No privileged settings found. Deployment properly hardened: allowPrivilegeEscalation: false, all capabilities dropped, runAsNonRoot: true, seccompProfile: RuntimeDefault, no root user.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data exposed in logs. Manifests use safe placeholders, proper secret handling, and alert descriptions contain no sensitive information.


@openshift-ci
Contributor

openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 12, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml`:
- Around line 13-16: The NetworkPolicy as written uses podSelector: {} and
policyTypes: [Ingress, Egress], which creates a default-deny for all pods;
change the podSelector to target only the console-plugin pods by matching the
plugin's label (e.g., matchLabels for the plugin deployment/service) instead of
{} or, if you intend to keep default-deny, add explicit allow rules: in the same
NetworkPolicy add ingress rules permitting traffic from the console/frontend
selector (or namespace) and add egress rules allowing DNS (UDP/TCP 53), the
Kubernetes API server, and any external endpoints the plugin needs; reference
the podSelector, policyTypes, Ingress and Egress fields when making these
changes so the policy only isolates the plugin pods as intended rather than all
pods.

In `@install/0000_50_cluster-update-console-plugin_50_deployment.yaml`:
- Around line 47-65: The volumeMount name "cluster-update-console-plugin" in the
container spec does not match the declared volume
"cluster-update-console-plugin-cert", causing the mount to fail; update the
volumeMount name to "cluster-update-console-plugin-cert" (or rename the volume
to match) so the names align between the volumeMount entry and the volumes list
(look for the volumeMounts.name and volumes.name fields).

In `@install/0000_50_cluster-update-console-plugin_60_service.yaml`:
- Around line 18-34: Remove the stray/malformed second Service block that
defines "name: cluster-version-operator" (the orphaned lines starting after the
metadata) and replace it with a proper spec: for the existing Service resource
named "openshift-cluster-update-console-plugin" so the name matches the
ConsolePlugin backend, which expects "cluster-update-console-plugin"; ensure the
Service's metadata.name is corrected to "cluster-update-console-plugin" (no
"openshift-" prefix) or update the ConsolePlugin to match—then add a spec that
contains the selector "k8s-app: cluster-update-console-plugin" and a ports entry
(e.g., name: metrics, port: 9099, targetPort: metrics) to expose the plugin
metrics instead of the unrelated "cluster-version-operator" fragment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 57e8afcc-7964-49f1-8538-116d60ef55b5

📥 Commits

Reviewing files that changed from the base of the PR and between 4cfd94b and 612aac0.

📒 Files selected for processing (7)
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
  • install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_60_service.yaml
  • install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml
  • install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml
  • install/image-references

Comment on lines +13 to +16
podSelector: {}
policyTypes:
- Ingress
- Egress
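Review bot: podSelector: {} together with policyTypes Ingress and Egress and no rules makes every pod in openshift-cluster-update-console-plugin unreachable, which here includes the console's proxied requests to the plugin backend on port 9001 and the Prometheus scrapes that the namespace's monitoring label and the ServiceMonitor in this PR ask for. Ship the companion allow policies in this same change (ingress from the console and monitoring namespaces to port 9001, egress for DNS and the API server) rather than in a follow-up, and give the policy a component-scoped name instead of the bare default-deny so ownership of the resource stays clear.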

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

This default-deny policy will fully isolate the plugin pods.

With Line 13 selecting all pods and Line 15-16 denying both directions without any allow policy in this PR, console-to-plugin traffic and required outbound traffic (for example DNS/API) will be blocked.


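A cross-check over the install manifests for the three mismatches raised in the review above (Service name vs. ConsolePlugin backend, volumeMount vs. volume name, and a default-deny NetworkPolicy with no allow policy), as an added example that is not part of this PR or of cluster-version-operator. The manifests are constructed stand-ins using the names from the thread; the mountPath and the allow policy's namespaceSelector are assumptions.

```python
"""Cross-check install manifests for the wiring mistakes the review flags:
a ConsolePlugin backend Service that does not exist, a volumeMount naming no
declared volume, and a namespace-wide default-deny with no allow policy."""
import copy

PLACEHOLDER_HOST = "placeholder.url.oc.will.replace.this.example.org"


def _name(obj):
    return obj["metadata"]["name"]


def check_manifests(objs):
    """Return a list of findings; an empty list means the set is consistent."""
    by_kind = {}
    for obj in objs:
        by_kind.setdefault(obj["kind"], []).append(obj)
    services = {_name(s): s for s in by_kind.get("Service", [])}
    findings = []

    # 1. The ConsolePlugin backend must name a Service that actually exists.
    for plugin in by_kind.get("ConsolePlugin", []):
        ref = plugin["spec"]["backend"]["service"]
        if ref["name"] not in services:
            findings.append(f"ConsolePlugin {_name(plugin)}: backend Service "
                            f"{ref['name']!r} is not defined")

    # 2. Every volumeMount must name a declared volume, and every Service
    #    selector must match some Deployment's pod-template labels.
    pod_label_sets = []
    for dep in by_kind.get("Deployment", []):
        tmpl = dep["spec"]["template"]
        pod_label_sets.append(tmpl["metadata"].get("labels", {}))
        volumes = {v["name"] for v in tmpl["spec"].get("volumes", [])}
        for ctr in tmpl["spec"]["containers"]:
            for mount in ctr.get("volumeMounts", []):
                if mount["name"] not in volumes:
                    findings.append(f"Deployment {_name(dep)}: volumeMount "
                                    f"{mount['name']!r} has no matching volume")
    for svc in services.values():
        sel = svc["spec"].get("selector", {})
        if sel and not any(all(lbls.get(k) == v for k, v in sel.items())
                           for lbls in pod_label_sets):
            findings.append(f"Service {_name(svc)}: selector {sel} matches no Deployment")

    # 3. podSelector: {} with both policyTypes and no rules denies all traffic in
    #    the namespace, so insist on an allow policy in that same namespace.
    policies = by_kind.get("NetworkPolicy", [])
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"].get("namespace")
        deny_all = (spec.get("podSelector", {}) == {}
                    and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
                    and not spec.get("ingress") and not spec.get("egress"))
        has_allow = any(p is not pol and p["metadata"].get("namespace") == ns
                        and (p["spec"].get("ingress") or p["spec"].get("egress"))
                        for p in policies)
        if deny_all and not has_allow:
            findings.append(f"NetworkPolicy {_name(pol)}: default-deny in {ns!r} "
                            "has no companion allow policy")
    return findings


def pr_manifests():
    """Constructed stand-ins for the PR's install/ files that reproduce the three
    review findings; names come from the review thread, mountPath is hypothetical."""
    ns = "openshift-cluster-update-console-plugin"
    app = "cluster-update-console-plugin"
    return [
        {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": ns},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
        {"kind": "Deployment", "metadata": {"name": app, "namespace": ns},
         "spec": {"template": {"metadata": {"labels": {"app": app}}, "spec": {
             "volumes": [{"name": f"{app}-cert", "secret": {"secretName": f"{app}-cert"}}],
             "containers": [{"name": "plugin", "image": f"{PLACEHOLDER_HOST}/{app}",
                             "ports": [{"name": "https", "containerPort": 9001}],
                             "volumeMounts": [{"name": app, "mountPath": "/var/cert"}]}]}}}},
        {"kind": "Service", "metadata": {"name": f"openshift-{app}", "namespace": ns},
         "spec": {"selector": {"app": app},
                  "ports": [{"name": "https", "port": 9001, "targetPort": "https"}]}},
        {"kind": "ConsolePlugin", "metadata": {"name": f"openshift-{app}"},
         "spec": {"backend": {"type": "Service", "service": {
             "name": app, "namespace": ns, "port": 9001, "basePath": "/"}}}},
    ]


def fixed_manifests():
    """Apply the review's minimal fixes and add an allow policy for console ingress."""
    objs = copy.deepcopy(pr_manifests())
    app, ns = objs[1]["metadata"]["name"], objs[1]["metadata"]["namespace"]
    objs[2]["metadata"]["name"] = app  # Service name now matches the backend
    objs[1]["spec"]["template"]["spec"]["containers"][0]["volumeMounts"][0]["name"] = f"{app}-cert"
    objs.append({"kind": "NetworkPolicy",
                 "metadata": {"name": f"{app}-allow-console", "namespace": ns},
                 "spec": {"podSelector": {"matchLabels": {"app": app}}, "policyTypes": ["Ingress"],
                          "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                              "kubernetes.io/metadata.name": "openshift-console"}}}],
                                       "ports": [{"protocol": "TCP", "port": 9001}]}]}})
    return objs
```

check_manifests(pr_manifests()) reports the three findings from the thread, and check_manifests(fixed_manifests()) returns an empty list once the names line up and an allow policy sits beside the deny.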
@wking wking changed the title OTA-1956: install: Add a TechPreviewNoUpgrade cluster-update console plugin WIP: OTA-1956: install: Add a TechPreviewNoUpgrade cluster-update console plugin May 12, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 12, 2026
@wking wking force-pushed the cluster-update-console-plugin branch from 612aac0 to eda10fc Compare May 12, 2026 22:51

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (2)
install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml (1)

13-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Namespace-wide deny will isolate all pods unless allow policies are added.

podSelector: {} with both Ingress and Egress deny types blocks traffic for every pod in the namespace. If this is intended as baseline deny, pair it with explicit allow policies in this change set (or narrow the selector to plugin pods).

🤖 Prompt for AI Agents

In `@install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml` around
lines 13 - 16, The NetworkPolicy currently uses podSelector: {} with
policyTypes: Ingress and Egress which enforces namespace-wide deny; narrow the
scope or add explicit allow rules: change the podSelector to target only console
plugin pods (e.g., by label selector for the plugin) or include companion
NetworkPolicy objects that explicitly allow required Ingress and/or Egress
traffic for the plugin (reference podSelector and policyTypes in this manifest
and ensure allow policies cover necessary ports/peers).
install/0000_50_cluster-update-console-plugin_60_service.yaml (1)

4-4: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Service name mismatches ConsolePlugin backend reference.

This Service is openshift-cluster-update-console-plugin, but the ConsolePlugin backend points to cluster-update-console-plugin. The plugin backend won’t resolve this Service as-is.

Suggested minimal fix
-  name: openshift-cluster-update-console-plugin
+  name: cluster-update-console-plugin
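Review bot: renaming the Service fixes the ConsolePlugin backend lookup, but the selector needs checking against the Deployment's pod labels in the same pass: the walkthrough describes the Service as selecting app: cluster-update-console-plugin while the earlier review prompt proposes k8s-app: cluster-update-console-plugin, and only the key the pod template actually carries produces endpoints. Keep the port at 9001/https to match the ConsolePlugin backend rather than the metrics port 9099 suggested in that prompt.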
🤖 Prompt for AI Agents

In `@install/0000_50_cluster-update-console-plugin_60_service.yaml` at line 4, The
Service resource name "openshift-cluster-update-console-plugin" does not match
the ConsolePlugin backend service name "cluster-update-console-plugin"; update
one to match the other so the ConsolePlugin backend can resolve the
Service—either rename the Service name value to "cluster-update-console-plugin"
or change the ConsolePlugin backend service reference to
"openshift-cluster-update-console-plugin", and ensure any references to Service
name in resources or RBAC (if present) are updated consistently (check the
Service resource name and the ConsolePlugin backend.service.name fields).
🧹 Nitpick comments (1)
install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml (1)

4-4: ⚡ Quick win

Use a component-scoped NetworkPolicy name.

default-deny is too generic for install/** manifests; include the full component name to keep resource ownership clear.

As per coding guidelines, "Resource names should use the full component name (e.g., cluster-version-operator) not acronyms."

🤖 Prompt for AI Agents

In `@install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml` at line
4, The NetworkPolicy currently uses the generic name "default-deny"; rename the
resource to a component-scoped DNS-1123-compliant name that includes the full
component identifier (for example, "cluster-update-console-plugin-default-deny"
or similar) by updating the metadata.name value for the NetworkPolicy resource
(the symbol "default-deny") and any references to that name; ensure the new name
follows lowercase/dash rules and update related manifests or Role/RoleBinding
references if they refer to "default-deny".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 80d8a20e-32f7-4b5c-a5ed-6d5166be7a3f

📥 Commits

Reviewing files that changed from the base of the PR and between 612aac0 and eda10fc.

📒 Files selected for processing (7)
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
  • install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_60_service.yaml
  • install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml
  • install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml
  • install/image-references
🚧 Files skipped from review as they are similar to previous changes (4)
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
  • install/image-references
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml

The console folks are pushing to decentralize console implementation
from [1], so we've created a new console plugin for cluster updates
[2].  It's built by both CI [3] and ART [4].  Checking on app.ci
ImageStreams:

  $ oc whoami -c
  default/api-ci-l2s4-p1-openshiftapps-com:6443/wking
  $ oc -n ocp get -o json imagestream 5.0 | jq -r '.status.tags[] | select(.tag == "cluster-update-console-plugin").items[] | .created + " " + .image'
  2026-05-01T20:55:38Z sha256:10e4f1b5763f40372823173b2a9528777ff8e97d416c5447e10df023c0e35656
  2026-04-29T05:00:56Z sha256:b0433455cbbff13bdda03ee78371e18c139adebc00432dea716e8cdf83eeb042
  2026-04-17T11:10:31Z sha256:e1296b64ffb35757fb2fb56bb5dd9cbd55c7f17f9f59c0a10a2d71a0ad6702d3
  $ oc -n ocp get -o json imagestream 5.0-art-latest | jq -r '.status.tags[] | select(.tag == "cluster-update-console-plugin").items[] | .created + " " + .image'
  2026-05-12T19:45:33Z sha256:b943be0ae0eba97c27741d0184e99a77ea928749cc578ae7e17a8e5329652642
  2026-05-12T14:42:55Z sha256:c29ba37ef5a426de5320d680d3fb58befc530274e6df4c32b4dc4fd0acaaaae0
  2026-05-12T09:02:35Z sha256:901bc6aac1142fe1da2a756bb4d91ae8fe14b459ce2bf9904ceae6d2fc818fc2
  2026-05-12T04:38:56Z sha256:1f4e8b200d97f82db1784b4d7fc9f0bd3ccaf2cc664fd5f0ff6b80485da16950
  2026-05-11T22:54:34Z sha256:d369ca7c73d7a3abe159e9e6f5644f63e0b091f0b75f202773a023e91c7faaf6

This commit sets up an image-references file [5], so 'oc adm release
new ...' knows that we'll want that image injected in the Deployment
manifest.  I'm using placeholder.url.oc.will.replace.this.example.org
as part of my placeholder name.  That's similar to the machine-config
operator's use of placeholder.url.oc.will.replace.this.org [6], except
that I'm using a subdomain of the reserved example.com [7], to avoid
any possible confusion with an actually in-use domain.

The new manifests are in run-level 50, which is the default, so they
can roll out in parallel with other components to avoid slowing
updates.

The new manifests are tied to the Console capability [8] and the
TechPreviewNoUpgrade feature set [9] (in the absence of a specific
feature gate for this functionality).

I'm just carrying the old
exclude.release.openshift.io/internal-openshift-hosted annotation over
from other CVO manifests.  It predates cluster profiles [10], and I'm
not sure anyone still uses it, but it seems like the CVO should be
consistent about whether it matters or not anymore.  Perhaps we can
drop it from all CVO manifests in follow-up work.

Otherwise these manifests are loosely based on my attempts to meld the
plugin's Helm chart templates [11] with existing CVO manifest
conventions.

[1]: https://github.com/openshift/console
[2]: https://github.com/openshift/cluster-update-console-plugin
[3]: openshift/release#77945
[4]: openshift-eng/ocp-build-data#10393
[5]: https://github.com/openshift/enhancements/blob/4f67eee19ad16f1d5e9e8a2622b708e2ea6d8e6a/dev-guide/cluster-version-operator/dev/operators.md#how-do-i-ensure-the-right-images-get-used-by-my-manifests
[6]: https://github.com/openshift/machine-config-operator/blob/99cb8a46e6a31b2b72d6a8371c6cd4ee45393263/install/image-references#L10
[7]: https://www.rfc-editor.org/rfc/rfc6761#section-6.5
[8]: https://github.com/openshift/enhancements/blob/4f67eee19ad16f1d5e9e8a2622b708e2ea6d8e6a/enhancements/installer/component-selection.md#manifest-annotations
[9]: https://github.com/openshift/enhancements/blob/4f67eee19ad16f1d5e9e8a2622b708e2ea6d8e6a/enhancements/update/cvo-techpreview-manifests.md#proposal
[10]: https://github.com/openshift/enhancements/blob/4f67eee19ad16f1d5e9e8a2622b708e2ea6d8e6a/enhancements/update/ibm-public-cloud-support.md#cluster-version-operator-changes-for-beta
[11]: https://github.com/openshift/cluster-update-console-plugin/tree/9778f4fc0c19e60cad55a45591a066b6b7a3cb12/charts/openshift-console-plugin/templates
@wking wking force-pushed the cluster-update-console-plugin branch from eda10fc to 62d193f Compare May 13, 2026 01:45

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Inline comments:
In `@install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml`:
- Line 10: The manifest currently only has
include.release.openshift.io/self-managed-high-availability: "true", which may
unintentionally restrict profile inclusion; update the cluster-profile
annotations on this manifest to either add the standard set used by install
manifests (e.g., include.release.openshift.io/self-managed: "true",
include.release.openshift.io/managed: "true" alongside the existing
include.release.openshift.io/self-managed-high-availability: "true") or add an
in-file comment/PR description that explicitly justifies why only
include.release.openshift.io/self-managed-high-availability is required; change
the annotation keys in the YAML (referencing the annotation name
include.release.openshift.io/self-managed-high-availability) or add the
additional include.release.openshift.io/* keys so the manifest is included in
all intended cluster profiles.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 01e45865-f5de-4def-ae29-f1cfdbe7268b

📥 Commits

Reviewing files that changed from the base of the PR and between eda10fc and 62d193f.

📒 Files selected for processing (7)
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
  • install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_60_service.yaml
  • install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml
  • install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml
  • install/image-references
✅ Files skipped from review due to trivial changes (3)
  • install/image-references
  • install/0000_50_cluster-update-console-plugin_60_service.yaml
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml

capability.openshift.io/name: Console
release.openshift.io/feature-set: TechPreviewNoUpgrade
exclude.release.openshift.io/internal-openshift-hosted: "true"
include.release.openshift.io/self-managed-high-availability: "true"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Broaden (or explicitly justify) cluster-profile inclusion annotations.

On Line [10], only include.release.openshift.io/self-managed-high-availability: "true" is present, which can unintentionally exclude this manifest from other self-managed profiles. If that’s not intentional, add the standard profile includes used by install manifests.

Suggested manifest update
 metadata:
   name: openshift-cluster-update-console-plugin
   annotations:
     kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates.
     capability.openshift.io/name: Console
     release.openshift.io/feature-set: TechPreviewNoUpgrade
     exclude.release.openshift.io/internal-openshift-hosted: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
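Review bot: the two `+` lines add `include.release.openshift.io/single-node-developer` and `include.release.openshift.io/ibm-cloud-managed`, but the "Prompt for AI agents" text for this same finding names `include.release.openshift.io/self-managed` and `include.release.openshift.io/managed` instead, so the suggestion and its prompt disagree about which profile keys are meant; reconcile them against the profiles the CVO actually recognises before committing either set. Note also that the manifest already carries `exclude.release.openshift.io/internal-openshift-hosted: "true"` and the PR description cites the IBM public-cloud enhancement as reference [10], so the current narrow include may be a deliberate choice for a TechPreviewNoUpgrade manifest rather than an oversight; if it is, an in-file comment saying so would answer this finding without widening the profile set.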

As per coding guidelines, "All manifests must have appropriate cluster-profile annotations (include.release.openshift.io/self-managed-high-availability, etc.)".


Avoid:

  $ go test ./pkg/payload
  ...
  --- FAIL: Test_cvoManifests (0.02s)
      --- FAIL: Test_cvoManifests/install_dir (0.02s)
          render_test.go:355: failed to load manifests: error parsing: error unmarshaling JSON: while decoding JSON: Resource with fields Group: "image.openshift.io" Kind: "ImageStream" Name: "" must contain kubernetes required fields kind and name
  ...

These image-references files are helpers for 'oc adm release new ...';
they don't need all the properties set that they'd need to be pushed
into a cluster.
@wking
Member Author

wking commented May 18, 2026

/test e2e-agnostic-ovn-upgrade-into-change

@jhadvig
Member

jhadvig commented Jun 1, 2026

/retest

wking added a commit to wking/cluster-version-operator that referenced this pull request Jun 1, 2026
…Users false

Cluster Bot 'launch 5.0.0-0.ci gcp,techpreview' [1].  Also asked for a release image that has my change via Cluster Bot 'build 5.0.0-0.ci,openshift#1388' [2].  Launch the update:

  $ oc adm release info registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release:latest | grep Pull
  Pull From: registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release@sha256:2cdcefbd1857a6f58a538e1ccc4460c89798318c35b9d51a2d2ff74d05e2fc1f
  $ oc adm upgrade --to-image registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release@sha256:2cdcefbd1857a6f58a538e1ccc4460c89798318c35b9d51a2d2ff74d05e2fc1f

gather-extra artifacts in the run [3] show the Deployment struggling:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608/artifacts/launch/gather-extra/artifacts/clusterversion.json | jq -r '.items[].status.conditions[] | select(.type == "Failing").message'
  deployment openshift-cluster-update-console-plugin/cluster-update-console-plugin has a replica failure FailedCreate: pods "cluster-update-console-plugin-547878cc4d-" is forbidden: unable to validate against any security context constraint: provider restricted-v3: .spec.hostUsers: Invalid value: null: Host Users must be set to false

[1]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/release-openshift-origin-installer-launch-aws-modern/2060017269097893888
[3]: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608/artifacts/launch/gather-extra/artifacts/
wking added 2 commits June 1, 2026 17:32
…Users false

Cluster Bot 'launch 5.0.0-0.ci gcp,techpreview' [1].  Also asked for a release image that has my change via Cluster Bot 'build 5.0.0-0.ci,openshift#1388' [2].  Launch the update:

  $ oc adm release info registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release:latest | grep Pull
  Pull From: registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release@sha256:2cdcefbd1857a6f58a538e1ccc4460c89798318c35b9d51a2d2ff74d05e2fc1f
  $ oc adm upgrade --force --allow-explicit-upgrade --to-image registry.build10.ci.openshift.org/ci-ln-rmnm9yt/release@sha256:2cdcefbd1857a6f58a538e1ccc4460c89798318c35b9d51a2d2ff74d05e2fc1f

--force because the CI image is unsigned, and --allow-explicit-upgrade
because it is not recommended by an Update Service; neither one is
something I'd recommend outside of testing on a throw-away cluster.
gather-extra artifacts in the run [3] show the Deployment struggling:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608/artifacts/launch/gather-extra/artifacts/clusterversion.json | jq -r '.items[].status.conditions[] | select(.type == "Failing").message'
  deployment openshift-cluster-update-console-plugin/cluster-update-console-plugin has a replica failure FailedCreate: pods "cluster-update-console-plugin-547878cc4d-" is forbidden: unable to validate against any security context constraint: provider restricted-v3: .spec.hostUsers: Invalid value: null: Host Users must be set to false

[1]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/release-openshift-origin-installer-launch-aws-modern/2060017269097893888
[3]: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-launch-gcp-modern/2060016448293572608/artifacts/launch/gather-extra/artifacts/
…ra nodeSelector

Infra Nodes are optional, but not required, and CI clusters don't have them, e.g. [1,2]:

  $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-1of2/2059320133616144384/artifacts/e2e-aws-ovn-serial/gather-extra/artifacts/nodes.json | jq -r '.items[].metadata.labels' | grep node-role | sort | uniq -c
      3   "node-role.kubernetes.io/control-plane": "",
      3   "node-role.kubernetes.io/master": "",
      3   "node-role.kubernetes.io/worker": "",

Without this change, the Pods fail to schedule on that kind of CI cluster:

  $ oc -n openshift-cluster-update-console-plugin get -o json pods | jq -r '.items[].status.conditions[].message'
  0/6 nodes are available: 3 node(s) didn't match Pod's node affinity/selector, 3 node(s) had untolerated taint(s). no new claims to deallocate, preemption: 0/6 nodes are available: 6 Preemption is not helpful for scheduling.

We'll probably need to have the CVO manage this Deployment more
actively, so it can set useful nodeSelector on clusters which do have
infra Nodes.  But for now, just drop the selector.

[1]: https://amd64.ocp.releases.ci.openshift.org/releasestream/5-dev-preview/release/5.0.0-ec.2
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-1of2/2059320133616144384
@wking wking force-pushed the cluster-update-console-plugin branch from 7f509ea to 086ab98 Compare June 2, 2026 00:35
@openshift-ci
Contributor

openshift-ci Bot commented Jun 2, 2026

@wking: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-agnostic-ovn-techpreview-serial-3of3 | 086ab98 | link | true | /test e2e-agnostic-ovn-techpreview-serial-3of3 |
| ci/prow/e2e-hypershift | 086ab98 | link | true | /test e2e-hypershift |
| ci/prow/e2e-agnostic-operator | 086ab98 | link | true | /test e2e-agnostic-operator |
| ci/prow/e2e-agnostic-ovn | 086ab98 | link | true | /test e2e-agnostic-ovn |
| ci/prow/e2e-aws-ovn-techpreview | 086ab98 | link | true | /test e2e-aws-ovn-techpreview |
| ci/prow/e2e-agnostic-ovn-upgrade-out-of-change | 086ab98 | link | true | /test e2e-agnostic-ovn-upgrade-out-of-change |
| ci/prow/e2e-agnostic-ovn-techpreview-serial-1of3 | 086ab98 | link | true | /test e2e-agnostic-ovn-techpreview-serial-1of3 |
| ci/prow/e2e-hypershift-conformance | 086ab98 | link | true | /test e2e-hypershift-conformance |
| ci/prow/e2e-agnostic-ovn-techpreview-serial-2of3 | 086ab98 | link | true | /test e2e-agnostic-ovn-techpreview-serial-2of3 |


@jhadvig
Member

jhadvig commented Jun 2, 2026

Hey @wking, I took a look at the CI failures. The techpreview jobs (e2e-aws-ovn-techpreview, the serial ones) are failing because of the multi-document YAML in 0000_50_cluster-update-console-plugin_80_servicemonitor.yaml ... it has both the ServiceMonitor and PrometheusRule in a single file separated by ---. The kube-apiserver renderer doesn't handle that and blows up during bootstrap:

unable to decode "/assets/manifests/0000_50_cluster-update-console-plugin_80_servicemonitor.yaml"
couldn't get version/kind; json parse error: invalid character '-' after top-level value

Splitting them into separate files should fix it.

The other failures (e2e-agnostic-ovn, e2e-agnostic-operator, hypershift) look like infra flakiness... Azure VMs not provisioning in time, worker nodes not coming up, etc. Unrelated to the PR.

One more thing... the ServiceMonitor and PrometheusRule are missing the capability.openshift.io/name: Console and release.openshift.io/feature-set: TechPreviewNoUpgrade annotations that all the other manifests in this PR have. Is that intentional?
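
The three manifest problems this thread turned up (a multi-document YAML file that the kube-apiserver renderer rejects, manifests missing the capability and feature-set annotations, and a Deployment rejected by the restricted-v3 SCC because `.spec.hostUsers` was unset) are all catchable before a CI run. The following is an added example, not code from the cluster-version-operator repository or the PR: a small, dependency-free Go lint over a map of manifest file contents. It splits each file on `---` separator lines and uses line-based string matching instead of a YAML parser (an assumption chosen to keep the example self-contained; a real check would decode the documents). The file names, the `SampleManifests` inputs and the `LintManifests`/`ManifestIssue` names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ManifestIssue is one problem found in one install manifest.
type ManifestIssue struct {
	File    string
	Problem string
}

// requiredAnnotations are the keys the review above expected on every manifest.
var requiredAnnotations = []string{
	"capability.openshift.io/name",
	"release.openshift.io/feature-set",
}

// SampleManifests are constructed inputs, not the PR's files: a combined
// ServiceMonitor+PrometheusRule file like the one the review flagged, a
// Deployment whose pod spec never sets hostUsers, and a compliant ConsolePlugin.
var SampleManifests = map[string]string{
	"0000_50_example_80_servicemonitor.yaml": `apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: example
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: example
`,
	"0000_50_example_50_deployment.yaml": `apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  annotations:
    capability.openshift.io/name: Console
    release.openshift.io/feature-set: TechPreviewNoUpgrade
spec:
  template:
    spec:
      containers: []
`,
	"0000_50_example_90_consoleplugin.yaml": `apiVersion: console.openshift.io/v1
kind: ConsolePlugin
metadata:
  name: example
  annotations:
    capability.openshift.io/name: Console
    release.openshift.io/feature-set: TechPreviewNoUpgrade
`,
}

// splitDocuments splits a YAML stream on "---" separator lines and drops empty documents.
func splitDocuments(content string) []string {
	var docs, cur []string
	flush := func() {
		if doc := strings.TrimSpace(strings.Join(cur, "\n")); doc != "" {
			docs = append(docs, doc)
		}
		cur = cur[:0]
	}
	for _, line := range strings.Split(content, "\n") {
		if strings.TrimRight(line, " \t\r") == "---" {
			flush()
			continue
		}
		cur = append(cur, line)
	}
	flush()
	return docs
}

// topLevelValue returns the value of an unindented "key: value" line, or "".
func topLevelValue(doc, key string) string {
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, key+":") {
			return strings.TrimSpace(strings.TrimPrefix(line, key+":"))
		}
	}
	return ""
}

// hasIndentedField reports whether an indented "key: value" line exists; an empty
// value matches any value. Indentation distinguishes nested keys from top-level ones.
func hasIndentedField(doc, key, value string) bool {
	for _, line := range strings.Split(doc, "\n") {
		trimmed := strings.TrimSpace(line)
		if line == trimmed || !strings.HasPrefix(trimmed, key+":") {
			continue
		}
		if got := strings.TrimSpace(strings.TrimPrefix(trimmed, key+":")); value == "" || got == value {
			return true
		}
	}
	return false
}

// LintManifests reports multi-document files, missing required annotations, and
// Deployments that never set hostUsers: false. Files are visited in name order.
func LintManifests(files map[string]string) []ManifestIssue {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	var issues []ManifestIssue
	for _, name := range names {
		docs := splitDocuments(files[name])
		if len(docs) > 1 {
			issues = append(issues, ManifestIssue{name, fmt.Sprintf("%d YAML documents in one file; split them into separate files", len(docs))})
		}
		for i, doc := range docs {
			kind := topLevelValue(doc, "kind")
			for _, key := range requiredAnnotations {
				if !hasIndentedField(doc, key, "") {
					issues = append(issues, ManifestIssue{name, fmt.Sprintf("document %d (%s) lacks annotation %s", i+1, kind, key)})
				}
			}
			if kind == "Deployment" && !hasIndentedField(doc, "hostUsers", "false") {
				issues = append(issues, ManifestIssue{name, "Deployment pod spec must set hostUsers: false for the restricted-v3 SCC"})
			}
		}
	}
	return issues
}

func main() {
	for _, issue := range LintManifests(SampleManifests) {
		fmt.Printf("%s: %s\n", issue.File, issue.Problem)
	}
}
```

Run against the constructed samples, the lint reports six issues: one for the Deployment's missing `hostUsers: false`, and five for the ServiceMonitor file (the two-document split plus two missing annotations on each document); the ConsolePlugin passes. Pointing it at the real install/ directory would mean reading the files into the map; the string matching is intentionally strict about indentation so that a top-level `kind:` is not confused with a nested one.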

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.