From d945b8a3bc7df65071c3267309d742a6c90a73d3 Mon Sep 17 00:00:00 2001 
From: Jon Cope Date: Fri, 5 Jun 2026 13:32:02 -0500 Subject: [PATCH 01/18] USHIFT-6951: add metrics-server Kubernetes manifests Co-Authored-By: Claude Opus 4.6 --- .../optional/metrics-server/00-namespace.yaml | 9 ++ ...1-cluster-role-binding-auth-delegator.yaml | 17 +++ .../01-cluster-role-binding.yaml | 18 +++ .../metrics-server/01-cluster-role.yaml | 25 ++++ .../01-role-binding-auth-reader.yaml | 18 +++ .../metrics-server/01-service-account.yaml | 10 ++ .../02-configmap-audit-profiles.yaml | 45 +++++++ .../metrics-server/03-deployment.yaml | 114 ++++++++++++++++++ .../metrics-server/04-api-service.yaml | 21 ++++ .../optional/metrics-server/04-service.yaml | 22 ++++ .../metrics-server/kustomization.aarch64.yaml | 4 + .../metrics-server/kustomization.x86_64.yaml | 4 + .../metrics-server/kustomization.yaml | 13 ++ .../release-metrics-server-aarch64.json | 8 ++ .../release-metrics-server-x86_64.json | 8 ++ 15 files changed, 336 insertions(+) create mode 100644 assets/optional/metrics-server/00-namespace.yaml create mode 100644 assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml create mode 100644 assets/optional/metrics-server/01-cluster-role-binding.yaml create mode 100644 assets/optional/metrics-server/01-cluster-role.yaml create mode 100644 assets/optional/metrics-server/01-role-binding-auth-reader.yaml create mode 100644 assets/optional/metrics-server/01-service-account.yaml create mode 100644 assets/optional/metrics-server/02-configmap-audit-profiles.yaml create mode 100644 assets/optional/metrics-server/03-deployment.yaml create mode 100644 assets/optional/metrics-server/04-api-service.yaml create mode 100644 assets/optional/metrics-server/04-service.yaml create mode 100644 assets/optional/metrics-server/kustomization.aarch64.yaml create mode 100644 assets/optional/metrics-server/kustomization.x86_64.yaml create mode 100644 assets/optional/metrics-server/kustomization.yaml create mode 100644 
assets/optional/metrics-server/release-metrics-server-aarch64.json create mode 100644 assets/optional/metrics-server/release-metrics-server-x86_64.json
diff --git a/assets/optional/metrics-server/00-namespace.yaml b/assets/optional/metrics-server/00-namespace.yaml
new file mode 100644
index 0000000000..17f727565a
--- /dev/null
+++ b/assets/optional/metrics-server/00-namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openshift-monitoring
+ labels:
+ name: openshift-monitoring
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
diff --git a/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml b/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml
new file mode 100644
index 0000000000..fad58afef1
--- /dev/null
+++ b/assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: auth-delegator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/01-cluster-role-binding.yaml b/assets/optional/metrics-server/01-cluster-role-binding.yaml
new file mode 100644
index 0000000000..8a32b85158
--- /dev/null
+++ b/assets/optional/metrics-server/01-cluster-role-binding.yaml
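Review bot: The three `pod-security.kubernetes.io/*` labels in 00-namespace.yaml set the whole `openshift-monitoring` namespace to `privileged`, while the only workload this patch adds (03-deployment.yaml) is annotated `openshift.io/required-scc: restricted-v2` and already runs non-root with all capabilities dropped. With `enforce: privileged`, Pod Security admission accepts any pod spec created in this namespace, so the namespace no longer backs up the container's own securityContext. If nothing that shares the namespace needs host access, `pod-security.kubernetes.io/enforce: restricted` (with matching `audit` and `warn`) would keep that guard; the deployment may then also need an explicit `seccompProfile`, unless SCC admission fills it in. If a later patch in the series does need the privileged level, a comment above the labels naming that component would make the exception reviewable.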
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: system:metrics-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
+- kind: User
+ name: system:metrics-server
diff --git a/assets/optional/metrics-server/01-cluster-role.yaml b/assets/optional/metrics-server/01-cluster-role.yaml
new file mode 100644
index 0000000000..19be5ca4b0
--- /dev/null
+++ b/assets/optional/metrics-server/01-cluster-role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: system:metrics-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes/metrics
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/assets/optional/metrics-server/01-role-binding-auth-reader.yaml b/assets/optional/metrics-server/01-role-binding-auth-reader.yaml
new file mode 100644
index 0000000000..6b11a238ce
--- /dev/null
+++ b/assets/optional/metrics-server/01-role-binding-auth-reader.yaml
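Review bot: The `kind: User` / `name: system:metrics-server` subject in 01-cluster-role-binding.yaml carries no comment tying it to the client certificate that bears that name, so on its own it reads like a stray subject. The identity is issued in `certSetup` (pkg/cmd/init.go, patch 02) as `UserInfo: &user.DefaultInfo{Name: "system:metrics-server"}`, and renaming either side would presumably break authorization of kubelet scrapes without any error at apply time. I would add above the subject: `# Identity of the metrics-server kubelet client certificate issued in pkg/cmd/init.go; keep both names in sync.` The same comment could state that any certificate issued under this name by a trusted client CA receives the `system:metrics-server` ClusterRole, since that is the trust decision this subject encodes.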
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server-auth-reader
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/01-service-account.yaml b/assets/optional/metrics-server/01-service-account.yaml
new file mode 100644
index 0000000000..310685e790
--- /dev/null
+++ b/assets/optional/metrics-server/01-service-account.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml
new file mode 100644
index 0000000000..1cff598a6d
--- /dev/null
+++ b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+data:
+ metadata-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "Metadata"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "Metadata"
+ none-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "None"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "None"
+ request-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "Request"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "Request"
+ requestresponse-profile.yaml: |-
+ "apiVersion": "audit.k8s.io/v1"
+ "kind": "Policy"
+ "metadata":
+ "name": "RequestResponse"
+ "omitStages":
+ - "RequestReceived"
+ "rules":
+ - "level": "RequestResponse"
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server-audit-profiles
+ namespace: openshift-monitoring
diff --git a/assets/optional/metrics-server/03-deployment.yaml b/assets/optional/metrics-server/03-deployment.yaml
new file mode 100644
index 0000000000..23cdafb3e1
--- /dev/null
+++ b/assets/optional/metrics-server/03-deployment.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ openshift.io/required-scc: restricted-v2
+ target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ spec:
+ containers:
+ - args:
+ - --secure-port=10250
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=15s
+ - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt
+ - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt
+ - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key
+ - --tls-cert-file=/etc/tls/private/tls.crt
+ - --tls-private-key-file=/etc/tls/private/tls.key
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --shutdown-send-retry-after=true
+ - --shutdown-delay-duration=150s
+ - --disable-http2-serving=true
+ image: quay.io/openshift/kube-metrics-server
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /livez
+ port: https
+ scheme: HTTPS
+ periodSeconds: 10
+ name: metrics-server
+ ports:
+ - containerPort: 10250
+ name: https
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 20
+ periodSeconds: 20
+ resources:
+ requests:
+ cpu: 1m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: secret-metrics-server-tls
+ - mountPath: /etc/tls/metrics-server-client-certs
+ name: secret-metrics-server-client-certs
+ - mountPath: /etc/tls/kubelet-serving-ca-bundle
+ name: configmap-kubelet-serving-ca-bundle
+ - mountPath: /etc/audit
+ name: metrics-server-audit-profiles
+ readOnly: true
+ - mountPath: /var/log/metrics-server
+ name: audit-log
+ readOnly: false
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ serviceAccountName: metrics-server
+ terminationGracePeriodSeconds: 170
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ volumes:
+ - name: secret-metrics-server-client-certs
+ secret:
+ secretName: metrics-server-client-certs
+ - name: secret-metrics-server-tls
+ secret:
+ secretName: metrics-server-tls
+ - configMap:
+ name: kubelet-serving-ca-bundle
+ name: configmap-kubelet-serving-ca-bundle
+ - emptyDir: {}
+ name: audit-log
+ - configMap:
+ name: metrics-server-audit-profiles
+ name: metrics-server-audit-profiles
diff --git a/assets/optional/metrics-server/04-api-service.yaml b/assets/optional/metrics-server/04-api-service.yaml
new file mode 100644
index 0000000000..54303f0d9d
--- /dev/null
+++ b/assets/optional/metrics-server/04-api-service.yaml
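Review bot: The container in 03-deployment.yaml mounts `metrics-server-audit-profiles` at `/etc/audit` and an `audit-log` emptyDir at `/var/log/metrics-server`, but the `args` list has no `--audit-policy-file` or `--audit-log-path`, so as written no profile is selected and no audit log is produced. Either wire one profile in, e.g. `- --audit-policy-file=/etc/audit/metadata-profile.yaml` and `- --audit-log-path=/var/log/metrics-server/audit.log`, or drop the two mounts and 02-configmap-audit-profiles.yaml so the manifest does not suggest auditing is on. Separately, `image: quay.io/openshift/kube-metrics-server` has no tag or digest and relies on the per-arch kustomization to pin it. A comment on that line saying so would help, because with `imagePullPolicy: IfNotPresent` an unrewritten reference resolves to a floating tag.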
@@ -0,0 +1,21 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: v1beta1.metrics.k8s.io
+spec:
+ group: metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: false
+ service:
+ name: metrics-server
+ namespace: openshift-monitoring
+ port: 443
+ version: v1beta1
+ versionPriority: 100
diff --git a/assets/optional/metrics-server/04-service.yaml b/assets/optional/metrics-server/04-service.yaml
new file mode 100644
index 0000000000..3a485b2dad
--- /dev/null
+++ b/assets/optional/metrics-server/04-service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ openshift.io/description: Expose the metrics-server web server on port 443. This port is for internal use, and no other usage is guaranteed.
+ service.beta.openshift.io/serving-cert-secret-name: metrics-server-tls
+ labels:
+ app.kubernetes.io/component: metrics-server
+ app.kubernetes.io/managed-by: cluster-monitoring-operator
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
+ name: metrics-server
+ namespace: openshift-monitoring
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/name: metrics-server
+ app.kubernetes.io/part-of: openshift-monitoring
diff --git a/assets/optional/metrics-server/kustomization.aarch64.yaml b/assets/optional/metrics-server/kustomization.aarch64.yaml
new file mode 100644
index 0000000000..e80886329f
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.aarch64.yaml
@@ -0,0 +1,4 @@
+images:
+ - name: quay.io/openshift/kube-metrics-server
+ newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+ digest: sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d
diff --git a/assets/optional/metrics-server/kustomization.x86_64.yaml b/assets/optional/metrics-server/kustomization.x86_64.yaml
new file mode 100644
index 0000000000..831caab705
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.x86_64.yaml
@@ -0,0 +1,4 @@
+images:
+ - name: quay.io/openshift/kube-metrics-server
+ newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
+ digest: sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7
diff --git a/assets/optional/metrics-server/kustomization.yaml b/assets/optional/metrics-server/kustomization.yaml
new file mode 100644
index 0000000000..ca034994ff
--- /dev/null
+++ b/assets/optional/metrics-server/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - 00-namespace.yaml
+ - 01-service-account.yaml
+ - 01-cluster-role.yaml
+ - 01-cluster-role-binding.yaml
+ - 01-cluster-role-binding-auth-delegator.yaml
+ - 01-role-binding-auth-reader.yaml
+ - 02-configmap-audit-profiles.yaml
+ - 03-deployment.yaml
+ - 04-service.yaml
+ - 04-api-service.yaml
diff --git a/assets/optional/metrics-server/release-metrics-server-aarch64.json b/assets/optional/metrics-server/release-metrics-server-aarch64.json
new file mode 100644
index 0000000000..c748ed629d
--- /dev/null
+++ b/assets/optional/metrics-server/release-metrics-server-aarch64.json
@@ -0,0 +1,8 @@
+{
+ "release": {
+ "base": "placeholder"
+ },
+ "images": {
+ "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d"
+ }
+}
diff --git a/assets/optional/metrics-server/release-metrics-server-x86_64.json b/assets/optional/metrics-server/release-metrics-server-x86_64.json new file mode 100644 index 0000000000..1a15957d8c --- /dev/null +++ b/assets/optional/metrics-server/release-metrics-server-x86_64.json @@ -0,0 +1,8 @@ +{ + "release": { + "base": "placeholder" + }, + "images": { + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7" + } +} From 136f7dc5d5a6769754590343fe240745fc0d69ce Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Fri, 5 Jun 2026 13:32:13 -0500 Subject: [PATCH 02/18] USHIFT-6951: integrate metrics-server lifecycle management Co-Authored-By: Claude Opus 4.6 --- .../pkg/util/cryptomaterial/certinfo.go | 4 + pkg/cmd/init.go | 9 +- pkg/cmd/metrics.go | 120 ++++++++++++++++++ pkg/cmd/run.go | 12 ++ .../microshift_optional_workloads.go | 17 ++- pkg/util/cryptomaterial/certinfo.go | 4 + 6 files changed, 164 insertions(+), 2 deletions(-) create mode 100644 pkg/cmd/metrics.go diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go b/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go index aed383b9fa..4e8c50989e 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go +++ b/etcd/vendor/github.com/openshift/microshift/pkg/util/cryptomaterial/certinfo.go @@ -74,6 +74,10 @@ func AdminKubeconfigClientCertDir(certsDir string) string { return filepath.Join(AdminKubeconfigSignerDir(certsDir), "admin-kubeconfig-client") } +func MetricsServerKubeletClientCertDir(certsDir string) string { + return filepath.Join(KubeAPIServerToKubeletSignerCertDir(certsDir), "metrics-server-kubelet-client") +} + // KubeletCSRSignerSignerCertDir returns path to the signer that signs kubelet CSRs // and the signer that signs CSRs of the CSR API func KubeletCSRSignerSignerCertDir(certsDir string) string { 
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index 50851ed33e..de2e2a40a3 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go @@ -155,6 +155,13 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), }, UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}}, + }).WithClientCertificates( + &certchains.ClientCertificateSigningRequestInfo{ + CSRMeta: certchains.CSRMeta{ + Name: "metrics-server-kubelet-client", + Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), + }, + UserInfo: &user.DefaultInfo{Name: "system:metrics-server"}, }), // admin-kubeconfig-signer @@ -175,7 +182,7 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { Name: "openshift-observability-client", Validity: alignValidity(cryptomaterial.ShortLivedCertificateValidity), }, - UserInfo: &user.DefaultInfo{Name: "openshift-observability-client", Groups: []string{""}}, + UserInfo: &user.DefaultInfo{Name: "openshift-observability-client"}, }, ), diff --git a/pkg/cmd/metrics.go b/pkg/cmd/metrics.go new file mode 100644 index 0000000000..2e1bb08fbd --- /dev/null +++ b/pkg/cmd/metrics.go 
@@ -0,0 +1,120 @@
+package cmd
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "time"
+
+ "github.com/openshift/microshift/pkg/config"
+ "github.com/openshift/microshift/pkg/util"
+ "github.com/openshift/microshift/pkg/util/cryptomaterial"
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/tools/clientcmd"
+ "k8s.io/klog/v2"
+)
+
+const metricsServerManifestPath = "/usr/lib/microshift/manifests.d/080-microshift-metrics-server"
+
+func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error {
+ exists, err := util.PathExists(metricsServerManifestPath)
+ if err != nil {
+ return err
+ }
+ if !exists {
+ klog.V(2).Infof("Metrics-server manifests not found at %s, skipping cert provisioning", metricsServerManifestPath)
+ return nil
+ }
+
+ kubeconfigPath := cfg.KubeConfigPath(config.KubeAdmin)
+
+ restCfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
+ if err != nil {
+ return fmt.Errorf("building kubeconfig: %w", err)
+ }
+ clientset, err := kubernetes.NewForConfig(restCfg)
+ if err != nil {
+ return fmt.Errorf("creating clientset: %w", err)
+ }
+ const ns = "openshift-monitoring"
+ err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) {
+ _, err := clientset.CoreV1().Namespaces().Get(ctx, ns, metav1.GetOptions{})
+ if err == nil {
+ return true, nil
+ }
+ if !apierrors.IsNotFound(err) {
+ return false, fmt.Errorf("getting namespace %s: %w", ns, err)
+ }
+ klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", ns)
+ return false, nil
+ })
+ if err != nil {
+ return fmt.Errorf("waiting for namespace %s: %w", ns, err)
+ }
+
+ certsDir := cryptomaterial.CertsDirectory(config.DataDir)
+
+ certDir := cryptomaterial.MetricsServerKubeletClientCertDir(certsDir)
+ certPEM, err := os.ReadFile(cryptomaterial.ClientCertPath(certDir))
+ if err != nil {
+ return err
+ }
+ keyPEM, err := os.ReadFile(cryptomaterial.ClientKeyPath(certDir))
+ if err != nil {
+ return err
+ }
+
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "metrics-server-client-certs",
+ Namespace: ns,
+ Annotations: map[string]string{
+ "openshift.io/owning-component": "metrics-server",
+ },
+ },
+ Type: corev1.SecretTypeTLS,
+ Data: map[string][]byte{
+ "tls.crt": certPEM,
+ "tls.key": keyPEM,
+ },
+ }
+ _, err = clientset.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{})
+ if apierrors.IsAlreadyExists(err) {
+ _, err = clientset.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{})
+ }
+ if err != nil {
+ return fmt.Errorf("applying metrics-server client cert secret: %w", err)
+ }
+
+ caPEM, err := os.ReadFile(cryptomaterial.KubeletClientCAPath(certsDir))
+ if err != nil {
+ return err
+ }
+
+ cm := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "kubelet-serving-ca-bundle",
+ Namespace: ns,
+ Annotations: map[string]string{
+ "openshift.io/owning-component": "metrics-server",
+ },
+ },
+ Data: map[string]string{
+ "ca-bundle.crt": string(caPEM),
+ },
+ }
+ _, err = clientset.CoreV1().ConfigMaps(ns).Create(ctx, cm, metav1.CreateOptions{})
+ if apierrors.IsAlreadyExists(err) {
+ _, err = clientset.CoreV1().ConfigMaps(ns).Update(ctx, cm, metav1.UpdateOptions{})
+ }
+ if err != nil {
+ return fmt.Errorf("applying kubelet serving CA configmap: %w", err)
+ }
+
+ klog.Infof("Provisioned metrics-server kubelet client cert and CA bundle")
+ return nil
+}
diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
index 94c2fbd8f6..a48a7320b3 100644
--- a/pkg/cmd/run.go
+++ b/pkg/cmd/run.go
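Review bot: In `provisionMetricsServerCerts`, the ConfigMap `kubelet-serving-ca-bundle` is filled from `cryptomaterial.KubeletClientCAPath(certsDir)`, and 03-deployment.yaml passes that file as `--kubelet-certificate-authority`, which metrics-server uses to verify the kubelet's serving certificate. If `KubeletClientCAPath` is the bundle the kubelet uses to authenticate its clients (the name suggests so; its definition is outside this patch), the wrong trust anchor is published: scrapes either fail TLS verification or the pod trusts a client-certificate signer for server identity. Please confirm which CA signs the kubelet serving certificate and read that bundle here, or add a comment explaining why the two are the same file. The three `os.ReadFile` errors are also returned bare; wrapping them like their neighbours, e.g. `return fmt.Errorf("reading metrics-server client cert: %w", err)`, would make the single log line in run.go actionable.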
@@ -303,6 +303,18 @@ func RunMicroshift(cfg *config.Config) error { // After MicroShift's core becomes ready, run the kustomizer (delete and/or apply manifests). kustomize.NewKustomizer(cfg).RunStandalone(runCtx) + // Provision certs for optional components after kustomize creates their namespaces. + go func() { + defer func() { + if r := recover(); r != nil { + klog.Errorf("Panic in metrics-server cert provisioning: %v", r) + } + }() + if err := provisionMetricsServerCerts(runCtx, cfg); err != nil { + klog.Errorf("Failed to provision metrics-server certs: %v", err) + } + }() + // Watch for SIGTERM or service error to exit, now that we are ready. select { case <-sigTerm: diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index 80e2d9a3b0..22e68dbcc2 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -38,6 +38,21 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ Namespace: "sriov-network-operator", Workloads: NamespaceWorkloads{Deployments: []string{"sriov-network-operator"}}, }, + + "/usr/lib/microshift/manifests.d/080-microshift-metrics-server": { + Namespace: "openshift-monitoring", + Workloads: NamespaceWorkloads{Deployments: []string{"metrics-server"}}, + }, +} + +// mergeWorkloads merges two NamespaceWorkloads, returning a new NamespaceWorkloads. This is helpful for cases +// where components from multiple sources are deployed to the same namespace. +func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { + return NamespaceWorkloads{ + Deployments: append(existing.Deployments, incoming.Deployments...), + DaemonSets: append(existing.DaemonSets, incoming.DaemonSets...), + StatefulSets: append(existing.StatefulSets, incoming.StatefulSets...), + } } // fillOptionalMicroShiftWorkloads assembles list of optional MicroShift workloads 
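Review bot: When `provisionMetricsServerCerts` returns an error or hits its five-minute namespace timeout, the new goroutine in `RunMicroshift` only logs and nothing retries. The `metrics-server-client-certs` Secret and `kubelet-serving-ca-bundle` ConfigMap that 03-deployment.yaml mounts then never appear, and the pod cannot start until the next MicroShift restart. I would retry with backoff until `runCtx` is cancelled, or at least log the consequence, e.g. `klog.Errorf("metrics-server will not start: client cert secret not provisioned: %v", err)`. The Secret is also written only once per start while the certificate uses `ShortLivedCertificateValidity`; if the on-disk certificate can be re-issued without a restart, the in-cluster copy would go stale, which deserves a comment here. `RunMicroshift` continues outside the hunk.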
@@ -73,7 +88,7 @@ func fillOptionalMicroShiftWorkloads(workloadsToCheck map[string]NamespaceWorklo } klog.Infof("Optional component path exists and is configured: %s - expecting %v in namespace %q", path, ow.Workloads.String(), ow.Namespace) - workloadsToCheck[ow.Namespace] = ow.Workloads + workloadsToCheck[ow.Namespace] = mergeWorkloads(workloadsToCheck[ow.Namespace], ow.Workloads) } return nil } diff --git a/pkg/util/cryptomaterial/certinfo.go b/pkg/util/cryptomaterial/certinfo.go index aed383b9fa..4e8c50989e 100644 --- a/pkg/util/cryptomaterial/certinfo.go +++ b/pkg/util/cryptomaterial/certinfo.go @@ -74,6 +74,10 @@ func AdminKubeconfigClientCertDir(certsDir string) string { return filepath.Join(AdminKubeconfigSignerDir(certsDir), "admin-kubeconfig-client") } +func MetricsServerKubeletClientCertDir(certsDir string) string { + return filepath.Join(KubeAPIServerToKubeletSignerCertDir(certsDir), "metrics-server-kubelet-client") +} + // KubeletCSRSignerSignerCertDir returns path to the signer that signs kubelet CSRs // and the signer that signs CSRs of the CSR API func KubeletCSRSignerSignerCertDir(certsDir string) string { From 9ab42881cb6d1cc5290354bed103e500e60f1871 Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Fri, 5 Jun 2026 13:32:19 -0500 Subject: [PATCH 03/18] USHIFT-6951: add metrics rebase automation Co-Authored-By: Claude Opus 4.6 --- scripts/auto-rebase/assets.yaml | 23 +++++++ scripts/auto-rebase/assets_metrics.yaml | 88 +++++++++++++++++++++++ scripts/auto-rebase/rebase.sh | 92 ++++++++++++++++++++++++- 3 files changed, 201 insertions(+), 2 deletions(-) create mode 100644 scripts/auto-rebase/assets_metrics.yaml diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml index b4f34d3f6c..4a55700927 100644 --- a/scripts/auto-rebase/assets.yaml +++ b/scripts/auto-rebase/assets.yaml 
@@ -301,6 +301,29 @@ assets: - file: service.yaml - file: serviceaccount.yaml + - dir: optional/metrics-server/ + ignore: "MicroShift-specific metrics-server manifests sourced from CMO" + files: + - file: 00-namespace.yaml + - file: 01-cluster-role-binding-auth-delegator.yaml + - file: 01-cluster-role-binding.yaml + - file: 01-cluster-role.yaml + - file: 01-role-binding-auth-reader.yaml + - file: 01-service-account.yaml + - file: 02-configmap-audit-profiles.yaml + - file: 03-deployment.yaml + - file: 04-api-service.yaml + - file: 04-service.yaml + - file: kustomization.yaml + - file: kustomization.x86_64.yaml + ignore: "gets generated during image rebase" + - file: kustomization.aarch64.yaml + ignore: "gets generated during image rebase" + - file: release-metrics-server-x86_64.json + ignore: "gets generated during image rebase" + - file: release-metrics-server-aarch64.json + ignore: "gets generated during image rebase" + - dir: optional/observability/ ignore: "they don't exist in upstream repository - only in microshift" files: diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml new file mode 100644 index 0000000000..0afaa7279b --- /dev/null +++ b/scripts/auto-rebase/assets_metrics.yaml 
@@ -0,0 +1,88 @@
+assets:
+ - dir: optional/metrics-server/
+ no_clean: True
+ src: cluster-monitoring-operator/assets/metrics-server/
+ files:
+ - file: 00-namespace.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-service-account.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role.yaml
+ ignore: "Provided by MicroShift"
+ - file: clusterrole-aggregated-metrics-reader.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role-binding.yaml
+ ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert"
+ - file: 01-cluster-role-binding-auth-delegator.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-role-binding-auth-reader.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-configmap-audit-profiles.yaml
+ ignore: "Provided by MicroShift"
+ - file: 03-deployment.yaml
+ ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes"
+ - file: 04-service.yaml
+ ignore: "MicroShift uses service-ca annotation for serving cert"
+ - file: 04-api-service.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.x86_64.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.aarch64.yaml
+ ignore: "Provided by MicroShift"
+ - file: release-metrics-server-aarch64.json
+ ignore: "Provided by MicroShift"
+ - file: release-metrics-server-x86_64.json
+ ignore: "Provided by MicroShift"
+
+ - dir: optional/node-exporter/
+ no_clean: True
+ src: cluster-monitoring-operator/assets/node-exporter/
+ files:
+ - file: 01-service-account.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role-binding.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-security-context-constraints.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-kube-rbac-proxy-secret.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-accelerators-collector-configmap.yaml
+ ignore: "Provided by MicroShift"
+ - file: 03-daemonset.yaml
+ ignore: "MicroShift removes metrics-client-ca volume/mount/arg (populated by CMO at runtime)"
+ - file: 04-service.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.x86_64.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.aarch64.yaml
+ ignore: "Provided by MicroShift"
+
+ - dir: optional/kube-state-metrics/
+ no_clean: True
+ src: cluster-monitoring-operator/assets/kube-state-metrics/
+ files:
+ - file: 01-service-account.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role-binding.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-kube-rbac-proxy-secret.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-custom-resource-state-configmap.yaml
+ - file: 03-deployment.yaml
+ ignore: "MicroShift overrides: Recreate strategy, removes metrics-client-ca, image placeholders"
+ - file: 04-service.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.x86_64.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.aarch64.yaml
+ ignore: "Provided by MicroShift"
diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh
index 1bcdb6cae5..f7ab20f106 100755
--- a/scripts/auto-rebase/rebase.sh
+++ b/scripts/auto-rebase/rebase.sh
@@ -38,6 +38,7 @@ REBASE_USE_SSH="${REBASE_USE_SSH:-false}" EMBEDDED_COMPONENTS="route-controller-manager cluster-policy-controller hyperkube etcd kube-storage-version-migrator cluster-config-api" EMBEDDED_COMPONENT_OPERATORS="cluster-kube-apiserver-operator cluster-kube-controller-manager-operator cluster-openshift-controller-manager-operator cluster-kube-scheduler-operator machine-config-operator operator-lifecycle-manager" LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator service-ca-operator cluster-network-operator cluster-csi-snapshot-controller-operator" +OPTIONAL_COMPONENTS="cluster-monitoring-operator" declare -a ARCHS=("amd64" "arm64") declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) @@ -200,7 +201,7 @@ download_release() { component=$(echo "${line}" | cut -d ' ' -f 1) repo=$(echo "${line}" | cut -d ' ' -f 2) commit=$(echo "${line}" | cut -d ' ' -f 3) - if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]]; then + if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]] || [[ "${OPTIONAL_COMPONENTS}" == *"${component}"* ]]; then clone_repo "${repo}" "${commit}" "." echo "${repo} embedded-component ${commit}" >> "${new_commits_file}" echo @@ -663,7 +664,6 @@ copy_manifests() { "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets.yaml" } - # Updates embedded component manifests by gathering these from various places # in the staged repos and copying them into the asset directory. update_openshift_manifests() { @@ -921,6 +921,7 @@ EOF update_olm_images update_multus_images + update_metrics_images popd >/dev/null } 
@@ -1111,6 +1112,93 @@ EOF done # for goarch } +update_metrics_images() { + title "Rebasing metrics component images" + + # Maps kustomization image name -> OCP release tag name + declare -A METRICS_IMAGE_MAP=( + ["quay.io/openshift/kube-metrics-server"]="kube-metrics-server" + ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics" + ["quay.io/openshift/node-exporter"]="prometheus-node-exporter" + ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy" + ) + + # Maps component dir -> release JSON key -> OCP release tag name + declare -A METRICS_COMPONENT_JSON_KEY=( + ["metrics-server"]="metrics_server" + ["kube-state-metrics"]="kube_state_metrics" + ["node-exporter"]="node_exporter" + ) + + # Maps release JSON key -> OCP release tag name + declare -A METRICS_EXPORTER_JSON_MAP=( + ["metrics_server"]="kube-metrics-server" + ["kube_state_metrics"]="kube-state-metrics" + ["node_exporter"]="prometheus-node-exporter" + ) + + for goarch in amd64 arm64; do + arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} + + local release_file="${STAGING_DIR}/release_${goarch}.json" + + local base_release + base_release=$(jq -r ".metadata.version" "${release_file}") + + # Generate per-component release JSON and kustomization files + for component_dir in metrics-server kube-state-metrics node-exporter; do + [[ -d "${REPOROOT}/assets/optional/${component_dir}" ]] || continue + + # Generate per-component release JSON + local json_key="${METRICS_COMPONENT_JSON_KEY[$component_dir]}" + local release_tag="${METRICS_EXPORTER_JSON_MAP[$json_key]}" + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local component_release_json="${REPOROOT}/assets/optional/${component_dir}/release-${component_dir}-${arch}.json" + jq -n --arg base 
"$base_release" --arg img "${new_image}" \ + "{\"release\": {\"base\": \$base}, \"images\": {\"${json_key}\": \$img}}" > "${component_release_json}" + + local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml" + + cat < "${kustomization_arch_file}" +images: +EOF + + # Read image names from the base kustomization and deployment/daemonset + local image_names + image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ + | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) + + for orig_image in ${image_names}; do + local release_tag="${METRICS_IMAGE_MAP[$orig_image]:-}" + if [[ -z "${release_tag}" ]]; then + >&2 echo "ERROR: Unknown metrics image '${orig_image}' in ${component_dir}" + return 1 + fi + + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Image for release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local new_image_name="${new_image%@*}" + local new_image_digest="${new_image#*@}" + + cat <> "${kustomization_arch_file}" + - name: ${orig_image} + newName: ${new_image_name} + digest: ${new_image_digest} +EOF + done + done + done +} + update_olm_images() { title "Rebasing operator-lifecycle-manager manifests" From 6bc30af19201f3254fc5a2c5694c5e04429d2e7d Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Fri, 5 Jun 2026 13:32:46 -0500 Subject: [PATCH 04/18] USHIFT-6951: package metrics-server RPM and observability integration Co-Authored-By: Claude Opus 4.6 --- .../microshift-observability.service | 2 +- .../otelcol.d/microshift-metrics-server.yaml | 26 +++++++++ packaging/rpm/microshift.spec | 56 +++++++++++++++++++ test/bin/common.sh | 2 + 4 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 packaging/observability/otelcol.d/microshift-metrics-server.yaml 
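Review bot: In `update_metrics_images()` the payload reference is split with `${new_image%@*}` and `${new_image#*@}` without first checking that it carries a digest, so a tag-style reference with no `@` would be written whole into both `newName` and `digest` of the generated kustomization. These files decide which images are pulled, so fail closed before the split: `[[ "${new_image}" == *@sha256:* ]] || { >&2 echo "ERROR: '${new_image}' is not digest-pinned"; return 1; }`; the same guard fits the earlier lookup that feeds the release JSON. Two smaller points: `release_tag` and `new_image` are each declared `local` twice in the function, and the comment above `METRICS_COMPONENT_JSON_KEY` describes a two-step mapping while the array only maps component dir to JSON key. Passing the tag with `jq --arg tag "${release_tag}"` and `select(.name == $tag)` would keep the filter text constant instead of interpolating shell variables into it.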
diff --git a/packaging/observability/microshift-observability.service b/packaging/observability/microshift-observability.service
index 2fc2e984dc..826c2f86db 100644
--- a/packaging/observability/microshift-observability.service
+++ b/packaging/observability/microshift-observability.service
@@ -8,7 +8,7 @@ ConditionPathExists=/var/lib/microshift/resources/observability-client/kubeconfi
 Environment=KUBECONFIG=/var/lib/microshift/resources/observability-client/kubeconfig
 Environment=K8S_NODE_NAME="%l"
 ExecStartPre=/usr/bin/mkdir -p /var/lib/microshift-observability
-ExecStart=/usr/bin/opentelemetry-collector --config=/etc/microshift/observability/opentelemetry-collector.yaml
+ExecStart=/bin/bash -c 'ARGS="--config=file:/etc/microshift/observability/opentelemetry-collector.yaml"; for f in /etc/microshift/observability/otelcol.d/*.yaml; do [ -f "$$f" ] && ARGS="$$ARGS --config=file:$$f"; done; exec /usr/bin/opentelemetry-collector $$ARGS'
 Restart=always
 User=root
diff --git a/packaging/observability/otelcol.d/microshift-metrics-server.yaml b/packaging/observability/otelcol.d/microshift-metrics-server.yaml
new file mode 100644
index 0000000000..e18788969f
--- /dev/null
+++ b/packaging/observability/otelcol.d/microshift-metrics-server.yaml
@@ -0,0 +1,26 @@
+receivers:
+ prometheus/metrics_server:
+ config:
+ scrape_configs:
+ - job_name: metrics-server
+ scrape_interval: 30s
+ scheme: https
+ tls_config:
+ ca_file: /var/lib/microshift/certs/service-ca/ca.crt
+ server_name: metrics-server.openshift-monitoring.svc
+ kubernetes_sd_configs:
+ - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig
+ role: endpoints
+ namespaces:
+ names: [openshift-monitoring]
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: metrics-server;https
+
+service:
+ pipelines:
+ metrics/metrics_server:
+ receivers: [prometheus/metrics_server]
+ processors: [batch]
+ exporters: [otlp]
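Review bot: The new `ExecStart` turns every `*.yaml` under `/etc/microshift/observability/otelcol.d/` into configuration for a collector that this unit runs as `User=root`, and nothing in the unit records that. A comment above the line would state the trust boundary and the load order, e.g. `# Drop-ins in otelcol.d/*.yaml are appended in glob order after the main config; the directory must stay root-owned and not group/world-writable.` The unquoted `$$ARGS` expansion is replaced by an array in PATCH 07/18, so it is not raised here; the comment applies equally to that later form of the line.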
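Review bot: The `metrics-server` scrape job verifies the server (`ca_file`, `server_name`) but sends no client credential: there is no `authorization` block and no `cert_file`/`key_file` under `tls_config`, and the `kubeconfig_file` under `kubernetes_sd_configs` is used for discovery only. If the metrics-server deployment enforces authentication on its metrics endpoint (`03-deployment.yaml` is not visible here, so this is an assumption to confirm), scrapes would be rejected at runtime rather than failing at install time. Either configure a credential for the job or add a comment explaining why unauthenticated access is expected. The pipeline also relies on a `batch` processor and an `otlp` exporter defined in the main config; PATCH 05/18 had to add the exporter to the test config for that reason, so a header comment stating the requirement would help users who edit `opentelemetry-collector.yaml`.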
diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index 6362e4f552..e47fac2ca9 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -236,6 +236,7 @@ and can be used to embed those images into osbuilder blueprints or bootc contain Summary: OpenTelemetry-Collector configured for MicroShift BuildArch: noarch Requires: microshift = %{version} +Requires: microshift-metrics-server = %{version} Requires: opentelemetry-collector %description observability @@ -261,6 +262,25 @@ The microshift-cert-manager-release-info package provides release information fi release. These files contain the list of container image references used by Cert Manager and can be used to embed those images into osbuilder blueprints or bootc containerfiles. +%package metrics-server +Summary: Kubernetes metrics-server for MicroShift +ExclusiveArch: x86_64 aarch64 +Requires: microshift = %{version} + +%description metrics-server +The microshift-metrics-server package provides the metrics-server for MicroShift. +Install this package to enable kubectl top and resource metrics via the Metrics API. + +%package metrics-server-release-info +Summary: Release information for metrics-server for MicroShift +BuildArch: noarch +Requires: microshift-release-info = %{version} + +%description metrics-server-release-info +The microshift-metrics-server-release-info package provides release information files for this +release. These files contain the list of container image references used by the metrics-server +and can be used to embed those images into osbuilder blueprints or bootc containerfiles. + %package sriov Summary: SR-IOV Network Operator for MicroShift ExclusiveArch: x86_64 aarch64 
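Review bot: `Requires: microshift-metrics-server = %{version}` in the `observability` subpackage makes an optional component mandatory for every observability install, which also brings in the `01-cluster-role-binding-auth-delegator.yaml` and `04-api-service.yaml` manifests installed later in this spec. If the dependency exists only so the `otelcol.d/microshift-metrics-server.yaml` drop-in has a target to scrape, a weak dependency keeps that footprint opt-in: `Recommends: microshift-metrics-server = %{version}`, or ship the drop-in from the `metrics-server` package instead. Note also that `observability` is `BuildArch: noarch` while `metrics-server` is `ExclusiveArch: x86_64 aarch64`, so the hard requirement may not be satisfiable on other architectures.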
@@ -562,7 +582,9 @@ install -p -m644 assets/optional/ai-model-serving/release-ai-model-serving-x86_6 # observability install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability +install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d install -p -m644 packaging/observability/*.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/ +install -p -m644 packaging/observability/otelcol.d/microshift-metrics-server.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ # Explicit copy of large config as default. Not using symlink to avoid accidental package upgrade overwriting user config if the user edits the config without copying (i.e. edits the target of symlink). install -p -m644 packaging/observability/opentelemetry-collector-large.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml install -p -m644 packaging/observability/microshift-observability.service %{buildroot}%{_unitdir}/ 
@@ -599,6 +621,31 @@ cat assets/optional/cert-manager/manager/images-x86_64.yaml >> %{buildroot}/%{_p mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release install -p -m644 assets/optional/cert-manager/release-cert-manager-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ +# metrics-server +install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/00-namespace.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-service-account.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-cluster-role-binding-auth-delegator.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/01-role-binding-auth-reader.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/02-configmap-audit-profiles.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/03-deployment.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 assets/optional/metrics-server/04-api-service.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +install -p -m644 
assets/optional/metrics-server/kustomization.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server + +%ifarch %{arm} aarch64 +cat assets/optional/metrics-server/kustomization.aarch64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif +%ifarch x86_64 +cat assets/optional/metrics-server/kustomization.x86_64.yaml >> %{buildroot}/%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/kustomization.yaml +%endif + +# metrics-server-release-info +mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release +install -p -m644 assets/optional/metrics-server/release-metrics-server-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ + # sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd @@ -790,10 +837,12 @@ fi %files observability %dir %{_prefix}/lib/microshift/manifests.d/003-microshift-observability %dir %{_sysconfdir}/microshift/observability/ +%dir %{_sysconfdir}/microshift/observability/otelcol.d %{_unitdir}/microshift-observability.service %config(noreplace) %{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml %{_sysconfdir}/microshift/observability/opentelemetry-collector-*.yaml %{_prefix}/lib/microshift/manifests.d/003-microshift-observability/* +%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-server.yaml %files cert-manager %dir %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager 
@@ -802,6 +851,13 @@ fi %files cert-manager-release-info %{_datadir}/microshift/release/release-cert-manager-{x86_64,aarch64}.json +%files metrics-server +%dir %{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server +%{_prefix}/lib/microshift/manifests.d/080-microshift-metrics-server/* + +%files metrics-server-release-info +%{_datadir}/microshift/release/release-metrics-server-{x86_64,aarch64}.json + %files sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov %dir %{_prefix}/lib/microshift/manifests.d/070-microshift-sriov/crd diff --git a/test/bin/common.sh b/test/bin/common.sh index ef682a676f..8b092354b8 100644 --- a/test/bin/common.sh +++ b/test/bin/common.sh @@ -388,6 +388,8 @@ MICROSHIFT_Y2_OPTIONAL_RPMS_LIST=( microshift-cert-manager-release-info microshift-sriov microshift-sriov-release-info + microshift-metrics-server + microshift-metrics-server-release-info ) MICROSHIFT_Y1_OPTIONAL_RPMS_LIST=( "${MICROSHIFT_Y2_OPTIONAL_RPMS_LIST[@]}" From 4943cfb14b8416d4d52df2b2a73cbfbae6a35482 Mon Sep 17 00:00:00 2001 From: Jon Cope Date: Sat, 6 Jun 2026 10:48:42 -0500 Subject: [PATCH 05/18] USHIFT-6951: fix otelcol test config for metrics drop-in compatibility Add otlp exporter stub to the observability test config so that metrics drop-in configs (which define pipelines exporting to otlp) don't crash otelcol when the test replaces the production config. Co-Authored-By: Claude Opus 4.6 --- test/assets/observability/otel_config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/assets/observability/otel_config.yaml b/test/assets/observability/otel_config.yaml index 4565f82077..25609b2d17 100644 --- a/test/assets/observability/otel_config.yaml +++ b/test/assets/observability/otel_config.yaml 
@@ -59,6 +59,10 @@ exporters: enabled: true otlphttp/loki: # only for logs, exports the logs in the loki server endpoint: "http://{{LOKI_HOST}}:{{LOKI_PORT}}/otlp" + otlp: + endpoint: "localhost:4317" + tls: + insecure: true extensions: file_storage: From 0f5a0f36fd3d1daba1818308a6b6a94b4e60b212 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 9 Jun 2026 17:14:30 -0500 Subject: [PATCH 06/18] USHIFT-6951: unquote YAML keys in audit profiles configmap Strip JSON-style quoted keys from the embedded audit policy documents to match the repo's YAML conventions. Values remain quoted. No functional change. Co-Authored-By: Claude Opus 4.6 Signed-off-by: Jonathan H. Cope --- .../02-configmap-audit-profiles.yaml | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml index 1cff598a6d..1d8761e393 100644 --- a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml +++ b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml 
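Review bot: The added `otlp` exporter turns transport security off (`tls: insecure: true`) and targets `localhost:4317` with nothing in the file marking it as a placeholder. A comment above the key would keep the block from being copied into a production collector config: `# test-only stub so drop-in pipelines resolve; plaintext is acceptable only for loopback`. The enclosing `exporters:` mapping starts outside the hunk.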
@@ -1,41 +1,41 @@ apiVersion: v1 data: metadata-profile.yaml: |- - "apiVersion": "audit.k8s.io/v1" - "kind": "Policy" - "metadata": - "name": "Metadata" - "omitStages": + apiVersion: "audit.k8s.io/v1" + kind: "Policy" + metadata: + name: "Metadata" + omitStages: - "RequestReceived" - "rules": - - "level": "Metadata" + rules: + - level: "Metadata" none-profile.yaml: |- - "apiVersion": "audit.k8s.io/v1" - "kind": "Policy" - "metadata": - "name": "None" - "omitStages": + apiVersion: "audit.k8s.io/v1" + kind: "Policy" + metadata: + name: "None" + omitStages: - "RequestReceived" - "rules": - - "level": "None" + rules: + - level: "None" request-profile.yaml: |- - "apiVersion": "audit.k8s.io/v1" - "kind": "Policy" - "metadata": - "name": "Request" - "omitStages": + apiVersion: "audit.k8s.io/v1" + kind: "Policy" + metadata: + name: "Request" + omitStages: - "RequestReceived" - "rules": - - "level": "Request" + rules: + - level: "Request" requestresponse-profile.yaml: |- - "apiVersion": "audit.k8s.io/v1" - "kind": "Policy" - "metadata": - "name": "RequestResponse" - "omitStages": + apiVersion: "audit.k8s.io/v1" + kind: "Policy" + metadata: + name: "RequestResponse" + omitStages: - "RequestReceived" - "rules": - - "level": "RequestResponse" + rules: + - level: "RequestResponse" kind: ConfigMap metadata: labels: From 41d2ad866e83e6b67c273488d7104e8d228a258e Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Thu, 11 Jun 2026 17:57:56 -0500 Subject: [PATCH 07/18] USHIFT-6951: fix otelcol arg expansion and add missing release JSON entries Use a bash array for otelcol config arguments to prevent word-splitting, and add generated release JSON entries for node-exporter and kube-state-metrics in assets_metrics.yaml to match metrics-server. Signed-off-by: Jonathan H. Cope --- packaging/observability/microshift-observability.service | 2 +- scripts/auto-rebase/assets_metrics.yaml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/packaging/observability/microshift-observability.service b/packaging/observability/microshift-observability.service index 826c2f86db..e628bb6fd8 100644 --- a/packaging/observability/microshift-observability.service +++ b/packaging/observability/microshift-observability.service @@ -8,7 +8,7 @@ ConditionPathExists=/var/lib/microshift/resources/observability-client/kubeconfi Environment=KUBECONFIG=/var/lib/microshift/resources/observability-client/kubeconfig Environment=K8S_NODE_NAME="%l" ExecStartPre=/usr/bin/mkdir -p /var/lib/microshift-observability -ExecStart=/bin/bash -c 'ARGS="--config=file:/etc/microshift/observability/opentelemetry-collector.yaml"; for f in /etc/microshift/observability/otelcol.d/*.yaml; do [ -f "$$f" ] && ARGS="$$ARGS --config=file:$$f"; done; exec /usr/bin/opentelemetry-collector $$ARGS' +ExecStart=/bin/bash -c 'ARGS=("--config=file:/etc/microshift/observability/opentelemetry-collector.yaml"); for f in /etc/microshift/observability/otelcol.d/*.yaml; do [ -f "$$f" ] && ARGS+=("--config=file:$$f"); done; exec /usr/bin/opentelemetry-collector "$${ARGS[@]}"' Restart=always User=root diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml index 0afaa7279b..e0a248f924 100644 --- a/scripts/auto-rebase/assets_metrics.yaml +++ b/scripts/auto-rebase/assets_metrics.yaml @@ -62,6 +62,10 @@ assets: ignore: "Provided by MicroShift" - file: kustomization.aarch64.yaml ignore: "Provided by MicroShift" + - file: release-node-exporter-aarch64.json + ignore: "Provided by MicroShift" + - file: release-node-exporter-x86_64.json + ignore: "Provided by MicroShift" - dir: optional/kube-state-metrics/ no_clean: True @@ -86,3 +90,7 @@ assets: ignore: "Provided by MicroShift" - file: kustomization.aarch64.yaml ignore: "Provided by MicroShift" + - file: release-kube-state-metrics-aarch64.json + ignore: "Provided by MicroShift" + - file: release-kube-state-metrics-x86_64.json + ignore: "Provided by MicroShift" 
From 3527bde99e702d587fd7299e62c1d4f796e0e8c5 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 21:42:17 -0500 Subject: [PATCH 08/18] USHIFT-6951: update rebase artifacts and de-dup assets tracker 
Signed-off-by: Jonathan H. Cope --- Makefile.kube_git.var | 2 +- Makefile.version.aarch64.var | 2 +- Makefile.version.x86_64.var | 2 +- .../multus/kustomization.aarch64.yaml | 4 +- .../multus/kustomization.x86_64.yaml | 4 +- .../multus/release-multus-aarch64.json | 6 +- .../multus/release-multus-x86_64.json | 6 +- .../metrics-server/kustomization.aarch64.yaml | 2 +- .../metrics-server/kustomization.x86_64.yaml | 2 +- .../release-metrics-server-aarch64.json | 4 +- .../release-metrics-server-x86_64.json | 4 +- .../kustomization.aarch64.yaml | 10 +- .../kustomization.x86_64.yaml | 10 +- .../release-olm-aarch64.json | 8 +- .../release-olm-x86_64.json | 8 +- assets/release/release-aarch64.json | 18 +- assets/release/release-x86_64.json | 18 +- .../cmd/k8s-tests-ext/k8s-tests.go | 8 + go.mod | 2 +- go.sum | 4 +- .../crio.conf.d/10-microshift_amd64.conf | 2 +- .../crio.conf.d/10-microshift_arm64.conf | 2 +- scripts/auto-rebase/assets.yaml | 23 -- scripts/auto-rebase/assets_metrics.yaml | 61 ----- scripts/auto-rebase/changelog.txt | 230 ++++++++++++++++-- scripts/auto-rebase/commits.txt | 41 ++-- scripts/auto-rebase/last_rebase.sh | 2 +- scripts/auto-rebase/presubmit.py | 1 + .../pkg/route/ingress/ingress.go | 4 +- .../ingressip/service_ingressip_controller.go | 19 +- .../pkg/utils/ipallocator/README.md | 23 ++ .../pkg/utils/ipallocator/allocator.go | 176 ++++++++++++++ .../pkg/utils/ipallocator/ipallocator.go | 210 ++++++++++++++++ vendor/modules.txt | 3 +- 34 files changed, 719 insertions(+), 202 deletions(-) create mode 100644 vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/README.md create mode 100644 vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/allocator.go create mode 100644 vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var index 5b01a5a264..b457dc70b5 100644 --- a/Makefile.kube_git.var +++ b/Makefile.kube_git.var 
@@ -1,5 +1,5 @@ KUBE_GIT_MAJOR=1 KUBE_GIT_MINOR=35 KUBE_GIT_VERSION=v1.35.3 -KUBE_GIT_COMMIT=872bd3722d0954b31459f715fbd4fb7612aaf338 +KUBE_GIT_COMMIT=d8d517e6bbe7cf7359026cac26bb96ea45e18806 KUBE_GIT_TREE_STATE=clean diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var index ff987370b4..db648f7911 100644 --- a/Makefile.version.aarch64.var +++ b/Makefile.version.aarch64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-10-025037 +OCP_VERSION := 5.0.0-0.nightly-arm64-2026-06-14-225436 diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var index a931f60b4f..e695f2586b 100644 --- a/Makefile.version.x86_64.var +++ b/Makefile.version.x86_64.var @@ -1 +1 @@ -OCP_VERSION := 5.0.0-0.nightly-2026-06-09-112600 +OCP_VERSION := 5.0.0-0.nightly-2026-06-14-221055 diff --git a/assets/components/multus/kustomization.aarch64.yaml b/assets/components/multus/kustomization.aarch64.yaml index 773e81016a..f7c4d8ece4 100644 --- a/assets/components/multus/kustomization.aarch64.yaml +++ b/assets/components/multus/kustomization.aarch64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5 + digest: sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3 + digest: sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558 diff --git a/assets/components/multus/kustomization.x86_64.yaml b/assets/components/multus/kustomization.x86_64.yaml index 89dcabff80..bae8465054 100644 --- a/assets/components/multus/kustomization.x86_64.yaml +++ b/assets/components/multus/kustomization.x86_64.yaml 
@@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d + digest: sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72 + digest: sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json index e989ae6e20..f6a97b1530 100644 --- a/assets/components/multus/release-multus-aarch64.json +++ b/assets/components/multus/release-multus-aarch64.json @@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:12f6644c521588d72e607d5761c7fa3e9a73bb0aab88b08420a8c5e4d4236ec5", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fc47b7c1f5138b74498c9c7ce7ad845f8fe73aa51fed2c735d6ebfa8882545a3" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fbc294064821a949122c19e8d01b9049e431b5144a26c251103d6679a4bbfa27", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:14d52df91337b4c53777c351589adc82772a0f6e0fe3f40abf17c305163ef558" } } diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json index 702fdc0e29..ed1a78d9af 100644 --- a/assets/components/multus/release-multus-x86_64.json +++ b/assets/components/multus/release-multus-x86_64.json 
@@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:457d82310a2ecd6823e5eb2a1650d14443c2730ecda4d62ad8b88d181f63463d", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:db6025036ff280675e8d784ab0457acfcfa29ec4af35e823e64f04901d39da72" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:131da38b7935bb3497cacaf564697508d8298ffacb19b06df4d0ab2fd16bef9f", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7335aca1b6454b6b5f02fecd7a062eaf27fe4c2367f9ddf071eedb80b47ce7ab" } } diff --git a/assets/optional/metrics-server/kustomization.aarch64.yaml b/assets/optional/metrics-server/kustomization.aarch64.yaml index e80886329f..694213e29a 100644 --- a/assets/optional/metrics-server/kustomization.aarch64.yaml +++ b/assets/optional/metrics-server/kustomization.aarch64.yaml @@ -1,4 +1,4 @@ images: - name: quay.io/openshift/kube-metrics-server newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d + digest: sha256:80743f7b701994e9bffcdbccccf31815d506a322bacd6edf16b4dcd01d3686ba diff --git a/assets/optional/metrics-server/kustomization.x86_64.yaml b/assets/optional/metrics-server/kustomization.x86_64.yaml index 831caab705..b770c95d2d 100644 --- a/assets/optional/metrics-server/kustomization.x86_64.yaml +++ b/assets/optional/metrics-server/kustomization.x86_64.yaml @@ -1,4 +1,4 @@ images: - name: quay.io/openshift/kube-metrics-server newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7 + digest: sha256:cabd43c39e5bcc2f8326e5db8e0a91ddae4cfcd2e206ff18c49df934346f8014 
diff --git a/assets/optional/metrics-server/release-metrics-server-aarch64.json b/assets/optional/metrics-server/release-metrics-server-aarch64.json index c748ed629d..6009b817b9 100644 --- a/assets/optional/metrics-server/release-metrics-server-aarch64.json +++ b/assets/optional/metrics-server/release-metrics-server-aarch64.json @@ -1,8 +1,8 @@ { "release": { - "base": "placeholder" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:35daed97a2d279f2543334cfb209f81be440e423042cc7dae6784985d71f2f8d" + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:80743f7b701994e9bffcdbccccf31815d506a322bacd6edf16b4dcd01d3686ba" } } diff --git a/assets/optional/metrics-server/release-metrics-server-x86_64.json b/assets/optional/metrics-server/release-metrics-server-x86_64.json index 1a15957d8c..d64aab1619 100644 --- a/assets/optional/metrics-server/release-metrics-server-x86_64.json +++ b/assets/optional/metrics-server/release-metrics-server-x86_64.json @@ -1,8 +1,8 @@ { "release": { - "base": "placeholder" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cb84656c5b900f21b7984f917ac0473cf7b5e58cd1ec7d782b01fbe99d39bee7" + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cabd43c39e5bcc2f8326e5db8e0a91ddae4cfcd2e206ff18c49df934346f8014" } } diff --git a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml index d7f365ab30..df56db8e85 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml 
@@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1 + digest: sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818 + digest: sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2 + digest: sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5 patches: - patch: |- @@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml index b607a5ae73..bf9f325896 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml 
@@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b + digest: sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690 + digest: sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d + digest: sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256 patches: - patch: |- @@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json index 7e3b68ea10..2de2747f9a 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a65b0dcf06f57dd03e2569f33649f06bc51f0845ceea01ecb141b76eaea485c1", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:15d824e3b808602a5b4257a9aa51a807745754a46322c43ba4ba01ee56d73818", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc04e20fa27e35dd2ff9ebace50af735f81cd80f412c866e64763b8c95b68b09", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:57e853d5b140ce4989658f3b3b0b42898fd623f196a2be368c296df4603aa272", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5" } } diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json index 5179725c0b..5e1ec26ef2 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1e28d2b718e7ad024fd6ac20e5ec4ac5e30ebcc81c136b0c733165a47483625b", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cae1efda5b44d38b54fbc0fa7acee126a8334b4af380691f8c05981d27afb690", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dfaf388e82381af5c124796edde6ae3f7bb356adb4ec729f3f09589bdeee5804", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ed441d972938bc6739adc652748aa5fba137cbd7b045e401c66c72a9f6781ef1", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256" } } diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index 7ceb44b017..123e1a73ec 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-10-025037" + "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:335cc4f16ae535d0d2e72206f63bba97db6c7f3d7ae8896842e179548e1db76b", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9c3900c948954ad3c9206147f75a9cd3039e6e95947f4bf82ee994db9317202a", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b3308350dc53d829dcdad213454159c207ecc634dd2378db4916dea3614c9c9c", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6f5dc0bdcbb044810e7b09b01f80df866b3c3af938bd150d818c2914344fb4b2", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:59eba69120cff661709251ed6c21cc5b53ec8f288b5576014f8d893705153e99", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:56ac733f8a19c57d0027aba6bebd7063d85f1cf1b6f474c0180cd8f7d862c71f", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cbcbf4bacdc37322bfa70addad27cbc09d1d57dae05e0be5c0bdbab27fd4edc3", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0e892562882a04fffb983830bf38dd7ae8d3af0ab063ef63ff91b8794164ce6f", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:dc9c14cf3b0cf83f73640ebe44b855d4c37a09b91fd279bcf89cd1c7f1ae0d13", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:baae88272255e16c2f87060440acb446429409d672cb6d6a7ce8e8658e404344", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9ccb2f5ee2a82e65010b23308a5a87d166a15d39de330f552d63fcdb219826f5", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:2929931b3af6be09e54828dadc3638877d7bc4c50a506bece55adba4ac184352", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1172f9ca3672d5447e523300f0eaa9f2189360e415d0f59d15446c8f3d6b9df2", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c518baeaee5a42942eeb8b6d2b6145c994cc3c003eede138d0f6024a75dff0be", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:e77365e44676fbd8ab9e4ce53f3a406856bbdfef3467c545a7df1197d84477af", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a1d1ef4683809a939a4c7e44d459e141c9c1be5808bfba303fd7a422373a5070" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:027953dca1752d0a4723426385fd68c368b744bce34a14677d0d6240d91f7fec" } } diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index a79a10a009..a324dfdf92 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json 
@@ -1,16 +1,16 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-09-112600" + "base": "5.0.0-0.nightly-2026-06-14-221055" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:4e9157049bcb87590c356e522fb74ddb350b5f6e375f2007e36b20ecc841cd13", - "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:3707f170213eda5d37f45c8f2f5605c3d4db80acd55f3b7943d90ad0248f8582", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:39fdc41a150c6665c192f1ec06563c5c1f7b8f65e8377a5e2d16cf495c5bca50", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cd84fae073953125e6eed47e7feacb146161df6d5222f5d899704686f917c50d", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:78d59d56dd6fb55ffa858fc96f7e67193a28b3baac9cfca46ee1b6a1a4e1bca4", - "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0b69d8c02c7d6231928b1737e74ee30ade20bce70887b6c7c1d68ae034bc9dcd", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:065512cd13378b366cd1adad78b9047f099bd777dccd0dbb4a99f25f504381e4", + "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:38f9415aaedc4192ce1ad8d4aa9fd7fbf7901153bea22445b59cf7aa2aa11a47", + "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:72415bafd446512cfcaf6f14fc081a35cf8b1c37bd97ed004b7f39f92b263194", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8cc4dc6be6d9768a3433176222105503aaa9416c40e13b04dce33c1a8e5c4547", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ad6e02eccba4091228187fae03a434bbec1c4481261d7dfd05282542e82c4256", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c015028192789c72cce5a4050d9e061caf82850227b16e37ff6ec62bad111832", + "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8b02980a346029f27b7dbac48a8c2ef3a9e82d09d8e2d8ce90043d8112631eef", + "service-ca-operator": 
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5447a0041b961413fd9440f1afd59fadc5aca516f8b5aefa1af809534a2d80a1", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:10c9ccab4f2857d113b55e12cac29aed0dc97d5a4e29ed2e4ea0f77551ee55f8", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c254280d6a89ed1d0c570544fd1ae40e804fc3c81dc671d161e56bb922add9e9" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ddf6df0d50205edf7af3ce2efded17ad9cf405ca5b3c9875d85a1af5a4122bf6" } } diff --git a/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go b/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go index 640062df5f..113f3dab1c 100644 --- a/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go +++ b/deps/github.com/openshift/kubernetes/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go @@ -70,9 +70,16 @@ func main() { Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]')) && labels.exists(l, l == "Conformance")`)}, }) + // AddGlobalSuite so the umbrella starts with zero qualifiers and inherits + // exclusively from its children via mergeParentQualifiers in origin. + kubeTestsExtension.AddGlobalSuite(e.Suite{ + Name: "kubernetes/conformance", + }) + kubeTestsExtension.AddSuite(e.Suite{ Name: "kubernetes/conformance/parallel", Parents: []string{ + "kubernetes/conformance", "openshift/conformance/parallel", }, Qualifiers: []string{withExcludedTestsFilter(`(!name.contains('[Serial]') && !labels.exists(l, l == '[Serial]'))`)}, @@ -81,6 +88,7 @@ func main() { kubeTestsExtension.AddSuite(e.Suite{ Name: "kubernetes/conformance/serial", Parents: []string{ + "kubernetes/conformance", "openshift/conformance/serial", }, Qualifiers: []string{withExcludedTestsFilter(`(name.contains('[Serial]') || labels.exists(l, l == '[Serial]'))`)}, 
diff --git a/go.mod b/go.mod
index f265c6ee06..3df196fb1d 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
 github.com/gogo/protobuf v1.3.2
 github.com/golang/snappy v0.0.4
 github.com/openshift/cluster-policy-controller v0.0.0-20260420102459-bb429f5b2a7d
- github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5
+ github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56
 github.com/prometheus/client_model v0.6.2
 github.com/prometheus/common v0.67.5
 github.com/prometheus/prometheus v0.302.1
diff --git a/go.sum b/go.sum
index b20160773d..32c6a6492e 100644
--- a/go.sum
+++ b/go.sum
@@ -330,8 +330,8 @@ github.com/openshift/library-go v0.0.0-20260520180710-3a6f949c22c3 h1:AHjJETxL4n github.com/openshift/library-go v0.0.0-20260520180710-3a6f949c22c3/go.mod h1:gKG9lctU0yEftSoT3DUyeIWz1oAgF0EHUpwI4pnCo4o= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5 h1:s6RpuCCneK83XdWh6KHb1kpoXSR3hI/ZG8g5b/M4+N8= -github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5/go.mod h1:CQPEBwTmpfLFhayttl243qBVr3CeBXpsUBsF5bQFvNg= +github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56 h1:hX5oJuUnVXDk3FBDiMiteZWy+b+JSP7UcQdlcqBSD/o= +github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56/go.mod h1:D5jarnF94awXjzy6WNR/pImmNof2fuyI612hqjhfy/4= github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac h1:D7Ex9/u5HMz+xvqel1RCCO1AxVG7XRAx9AcP02/nyzk= github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac/go.mod h1:x2keWyG0K1WmZeZLRh+z4fWwcqp99Yu9/HAiMucj5D0= diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf index bc2042e60d..0748a135fd 100644 --- a/packaging/crio.conf.d/10-microshift_amd64.conf +++ b/packaging/crio.conf.d/10-microshift_amd64.conf 
@@ -2,6 +2,6 @@
 # for community builds on top of OKD, this setting has no effect
 [crio.image]
 global_auth_file="/etc/crio/openshift-pull-secret"
-pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0b69d8c02c7d6231928b1737e74ee30ade20bce70887b6c7c1d68ae034bc9dcd"
+pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8b02980a346029f27b7dbac48a8c2ef3a9e82d09d8e2d8ce90043d8112631eef"
 pause_image_auth_file = "/etc/crio/openshift-pull-secret"
 pause_command = "/usr/bin/pod"
diff --git a/packaging/crio.conf.d/10-microshift_arm64.conf b/packaging/crio.conf.d/10-microshift_arm64.conf
index 2bc16bcbfc..402898457a 100644
--- a/packaging/crio.conf.d/10-microshift_arm64.conf
+++ b/packaging/crio.conf.d/10-microshift_arm64.conf
@@ -2,6 +2,6 @@
 # for community builds on top of OKD, this setting has no effect
 [crio.image]
 global_auth_file="/etc/crio/openshift-pull-secret"
-pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:56ac733f8a19c57d0027aba6bebd7063d85f1cf1b6f474c0180cd8f7d862c71f"
+pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1172f9ca3672d5447e523300f0eaa9f2189360e415d0f59d15446c8f3d6b9df2"
 pause_image_auth_file = "/etc/crio/openshift-pull-secret"
 pause_command = "/usr/bin/pod"
diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml
index 4a55700927..b4f34d3f6c 100644
--- a/scripts/auto-rebase/assets.yaml
+++ b/scripts/auto-rebase/assets.yaml
@@ -301,29 +301,6 @@ assets: - file: service.yaml - file: serviceaccount.yaml - - dir: optional/metrics-server/ - ignore: "MicroShift-specific metrics-server manifests sourced from CMO" - files: - - file: 00-namespace.yaml - - file: 01-cluster-role-binding-auth-delegator.yaml - - file: 01-cluster-role-binding.yaml - - file: 01-cluster-role.yaml - - file: 01-role-binding-auth-reader.yaml - - file: 01-service-account.yaml - - file: 02-configmap-audit-profiles.yaml - - file: 03-deployment.yaml - - file: 04-api-service.yaml - - file: 04-service.yaml - - file: kustomization.yaml - - file: kustomization.x86_64.yaml - ignore: "gets generated during image rebase" - - file: kustomization.aarch64.yaml - ignore: "gets generated during image rebase" - - file: release-metrics-server-x86_64.json - ignore: "gets generated during image rebase" - - file: release-metrics-server-aarch64.json - ignore: "gets generated during image rebase" - - dir: optional/observability/ ignore: "they don't exist in upstream repository - only in microshift" files: diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml index e0a248f924..7fecda282e 100644 --- a/scripts/auto-rebase/assets_metrics.yaml +++ b/scripts/auto-rebase/assets_metrics.yaml @@ -9,8 +9,6 @@ assets: ignore: "Provided by MicroShift" - file: 01-cluster-role.yaml ignore: "Provided by MicroShift" - - file: clusterrole-aggregated-metrics-reader.yaml - ignore: "Provided by MicroShift" - file: 01-cluster-role-binding.yaml ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert" - file: 01-cluster-role-binding-auth-delegator.yaml 
@@ -35,62 +33,3 @@ assets: ignore: "Provided by MicroShift" - file: release-metrics-server-x86_64.json ignore: "Provided by MicroShift" - - - dir: optional/node-exporter/ - no_clean: True - src: cluster-monitoring-operator/assets/node-exporter/ - files: - - file: 01-service-account.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role-binding.yaml - ignore: "Provided by MicroShift" - - file: 01-security-context-constraints.yaml - ignore: "Provided by MicroShift" - - file: 02-kube-rbac-proxy-secret.yaml - ignore: "Provided by MicroShift" - - file: 02-accelerators-collector-configmap.yaml - ignore: "Provided by MicroShift" - - file: 03-daemonset.yaml - ignore: "MicroShift removes metrics-client-ca volume/mount/arg (populated by CMO at runtime)" - - file: 04-service.yaml - ignore: "Provided by MicroShift" - - file: kustomization.yaml - ignore: "Provided by MicroShift" - - file: kustomization.x86_64.yaml - ignore: "Provided by MicroShift" - - file: kustomization.aarch64.yaml - ignore: "Provided by MicroShift" - - file: release-node-exporter-aarch64.json - ignore: "Provided by MicroShift" - - file: release-node-exporter-x86_64.json - ignore: "Provided by MicroShift" - - - dir: optional/kube-state-metrics/ - no_clean: True - src: cluster-monitoring-operator/assets/kube-state-metrics/ - files: - - file: 01-service-account.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role-binding.yaml - ignore: "Provided by MicroShift" - - file: 02-kube-rbac-proxy-secret.yaml - ignore: "Provided by MicroShift" - - file: 02-custom-resource-state-configmap.yaml - - file: 03-deployment.yaml - ignore: "MicroShift overrides: Recreate strategy, removes metrics-client-ca, image placeholders" - - file: 04-service.yaml - ignore: "Provided by MicroShift" - - file: kustomization.yaml - ignore: "Provided by MicroShift" - - file: 
kustomization.x86_64.yaml - ignore: "Provided by MicroShift" - - file: kustomization.aarch64.yaml - ignore: "Provided by MicroShift" - - file: release-kube-state-metrics-aarch64.json - ignore: "Provided by MicroShift" - - file: release-kube-state-metrics-x86_64.json - ignore: "Provided by MicroShift" diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt index f8de7a5969..ac45b5b06c 100644 --- a/scripts/auto-rebase/changelog.txt +++ b/scripts/auto-rebase/changelog.txt 
@@ -1,39 +1,223 @@ -- cluster-kube-apiserver-operator embedded-component 24b60d04b3478e04a728fb0ae1385abc6a478d20 to a61282875d032c4b8cc7ea5567830942583ec378 - - 75e998a 2026-06-08T13:41:30+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to 0469313 - - e126bb0 2026-06-01T12:29:56+02:00 Fix kube-apiserver-to-kubelet-signer refresh interval +- api embedded-component 1194f4c62539275cd6dec231cc2bf7e0a010bd94 to 992ec954f8b3debeb041fa3f17caf27b264d9fb8 + - 6889b9c1 2026-06-10T16:13:57+01:00 rewrite api review command to skill + - e8598fc2 2026-06-10T13:12:05Z Revert "SPLAT-2793: Promoted VSphereMultiVCenterDay2 feature gate to TP" + - 936a2b0a 2026-06-09T09:32:35-04:00 Promoted VSphereMultiVCenterDay2 feature gate to TP + - ee7dc415 2026-06-07T19:39:21Z Updating ose-cluster-config-api-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-cluster-config-api.yml + - b4b461bd 2026-06-04T19:21:24+02:00 Remove all KMS changes from retention PR vs rebase base + - 94f7c093 2026-06-04T18:44:42+02:00 Drop unrelated apiservers KMS test changes from retention PR + - d4cc57b4 2026-06-04T17:40:33+02:00 Revert unrelated KMS changes to match master + - c67898b0 2026-06-04T17:12:29+02:00 fix review comments + - a8a2c339 2026-06-04T17:12:29+02:00 Tombstone legacy retention fields and tighten duration/size validation + - f6e2e929 2026-06-04T17:12:28+02:00 Fix retention API schema compatibility and validation tests + - 68a8b0db 2026-06-04T17:12:28+02:00 Clarify retention duration semantics and fix tombstone comments + - 602d6f4e 2026-06-04T17:12:28+02:00 Use Prometheus Operator retention strings in ClusterMonitoring API + - db4e70fa 2026-06-04T17:11:47+02:00 Use durationInHours for Prometheus retention and tune limits + - b479107f 2026-06-04T10:27:34-04:00 promote OSStreams to GA in self-managed clusters + - a6130498 2026-05-18T13:43:30+01:00 Add eval suite for 
/api-review command + - 8ecf6a78 2026-05-14T11:13:38-04:00 Lower maximum allowed etcd quota from 32 to 16GiB -- cluster-kube-controller-manager-operator embedded-component 9d636ab4992bd501006d2b0c1d3ac512666c6ca7 to c35307f04313369c9ba4dcab3308506a3987065e - - aa0c868 2026-06-03T17:05:46+05:30 fix lock failure cases +- cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94 to ed3c0c6b8b1639d8688309c3e999a6f037436d62 + - 9915fa5 2026-06-09T12:19:21+02:00 Fix group snapshots on HyperShift + - a2cf0e8 2026-06-06T13:54:10Z Updating ose-cluster-csi-snapshot-controller-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-cluster-csi-snapshot-controller-operator.yml -- etcd embedded-component c543fe15324510d13e896c31232ecd5d100d9de5 to bf6c0094589afdf6c814a28c24f8f1bb5a577816 - - d4656811 2026-06-06T16:04:21Z Updating ose-etcd-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-etcd.yml +- cluster-dns-operator embedded-component 65d60f9c12297a91ee89359e90f591fd44e661b0 to 4556c40798213ee824f76c26bef66865326fe08b + - d4284dc 2026-05-18T14:30:22-04:00 NE-2391: Add Force management state to docs + - 2fa1fac 2026-04-24T09:33:58-04:00 Address CodeRabbit review feedback + - 75d5e62 2026-04-23T17:50:34-04:00 NE-2391: Add progressive disclosure AI agent context -- machine-config-operator embedded-component 62b06d28399b348cb7238d32ad74b9a978c4292f to 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 - - cfb74c3e 2026-06-05T13:08:35-04:00 Fix error wrapping and error message casing - - a96a9248 2026-06-05T08:57:59Z MCO-2321: adapt osimagestream tests to clusters with rhel-10 default stream - - b547d0ae 2026-06-04T07:50:22-04:00 avoid running IRI deletion tests for standard e2e IRI tests - - 55be329d 
2026-06-03T14:48:40+05:30 Reorder functions to match source file sequence - - 02d7d918 2026-06-02T20:20:43+05:30 Add bootstrap infrastructure and migrate test 53960 - - 80b16676 2026-06-02T20:20:43+05:30 Migrate registry tests from openshift-tests-private - - dbea5e53 2026-05-28T15:23:08-04:00 bootimage: use version for vsphere hotloop check +- cluster-ingress-operator embedded-component 140e0bf13b3d01c369672c766c44b4be0b4ec78c to 6c84b7c7250e7412502382dca7d1f065f94fed5b + - b2875a0b 2026-06-09T17:43:53-04:00 Add aswinsuryan (asuryana@redhat.com) to OWNERS + - 5fcf1a07 2026-06-09T14:58:48+01:00 Replace iptables with nftables in TestConnectTimeout e2e test + - 77b06b59 2026-06-08T18:06:45-03:00 OCPBUGS-87205: Add configuration override for X-SSL strip + - 02ace843 2026-06-07T07:43:53Z Updating ose-cluster-ingress-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-cluster-ingress-operator.yml -- operator-framework-olm embedded-component a1de734673fb56da500b6ea212a70d50bd5740ab to c0b1b223882bd7657853441ccf18099527a8841b - - 230f72bf 2026-06-05T10:25:33-04:00 [CARRY] fix unit test failure - - 2d13397d 2026-06-05T06:43:47-04:00 UPSTREAM: : Update to golang 1.26.3 and openshift-4.23 builders +- cluster-kube-apiserver-operator embedded-component a61282875d032c4b8cc7ea5567830942583ec378 to 8fe970955c77da87fbbcf2c8f9e0665548185fce + - 4a28fda 2026-06-12T10:54:29-04:00 bump(openshift/library-go): to get KMS plugin CA bundle wiring + - 3cda3c4 2026-06-11T10:11:56+02:00 NO-JIRA: Automatic agentic rebase: Update library-go to 7fd5f33 -- oc image-amd64 d1f312bb855e741cadb8b3ac419d2cb3f3fd7ba5 to 4007283544cbc3609f90375b7a8efd395561612f - - c57c61a1 2026-06-08T04:25:30Z Updating openshift-enterprise-deployer-container image to be consistent with ART for 5.0 Reconciling with 
https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/openshift-enterprise-deployer.yml +- cluster-monitoring-operator is a new embedded-component dependency -- csi-external-snapshotter image-arm64 77d02e52a442c1a98457797bf8eb5777489aabae to 6411c3232ca015c2a02ece1d5a675045d17031cd +- csi-external-snapshotter embedded-component 77d02e52a442c1a98457797bf8eb5777489aabae to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files - 872813a 2026-06-07T12:35:43Z UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. 
+ - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal -- router image-arm64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 to 808b0001233b4c084694244f25cd53c3808c4e81 
+- kubernetes embedded-component 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 + - 59c831f7c 2026-06-06T16:54:59-04:00 UPSTREAM: : add kubernetes/conformance umbrella suite + +- machine-config-operator embedded-component 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 to 6a2c5c65419c3e9c3028f6bd9344690f48ae837c + - 4be5fa97 2026-06-12T12:40:02+02:00 MCO-2344: Revert MCO-2343 + - b0d6754e 2026-06-11T14:19:57-04:00 tests: update custom containerfile OCB test to work in disconnected environments + - 2c81fec6 2026-06-11T18:42:55+05:30 Add fix for TC 59424 + - 2f47b964 2026-06-10T02:54:33-04:00 move helpers in iri e2e main test + - 34a93a4e 2026-06-10T11:57:49+05:30 MCO-2209 MCO-2213 MCO-2233: Migrate security, daemon, and kernel TCs from otp3 mco.go + - 4016370d 2026-06-10T11:57:13+05:30 Update OWNERS: update current MCO team members + - 8959e528 2026-06-08T20:02:57+02:00 MCO-2343: Temporary make MCO default to rhel-9 + - ea093553 2026-06-08T09:21:56+02:00 OCPBUGS-87635: Fix MCP.status.osImageStream + - 73caf416 2026-06-06T22:07:29Z Updating ose-machine-config-operator-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-machine-config-operator.yml + - 23696fbf 2026-06-05T14:44:41-04:00 Added check for missingAnnotation + - ce58f78d 2026-06-05T13:50:04-04:00 Added a if-statement to compare images + - 4dc05f6f 2026-06-05T13:55:40+05:30 OCPBUGS-78524: Create mco_extensions.go suite with USBGuard, install all extensions, and invalid extensions tests + - 65934067 2026-06-05T12:58:31+05:30 OCP-88729: Only wait on last MachineConfig deletion to avoid double-waiting + - 2f91e47a 2026-06-05T12:58:31+05:30 OCP-88729: Use mc.DeleteWithWait() for cleanup instead of raw oc delete + - 7222f9d1 2026-06-05T12:58:31+05:30 OCP-88729: Optimize cleanup by deleting both MachineConfigs in one shot + - 0a2ade7a 2026-06-05T12:58:30+05:30 Move 
OCP-88729 USBGuard test to mco_kernel.go and add extension RPM verification + - 78749cea 2026-06-04T15:56:52+05:30 Fix kubelet certificate wait loop in criometricsproxy.yaml and update init container's volumeMount to /var/lib/kubelet + - 36c7cead 2026-06-02T12:13:48+05:30 OCPNODE-4487: replace --system-reserved flags with config drop-in Remove EnvironmentFile=/etc/node-sizing.env and the --system-reserved command-line flag from kubelet.service. The auto-sizing script now writes a KubeletConfiguration drop-in file to /etc/openshift/kubelet.conf.d/20-auto-sizing.conf, which kubelet reads via --config-dir. Add --config-dir to master and arbiter kubelet.service for consistency with workers. + +- operator-framework-olm embedded-component c0b1b223882bd7657853441ccf18099527a8841b to 3eb13541cac6e2c0110329b37cb5375ddb52ecc0 + - 0e8033fe 2026-06-10T08:01:50Z Updating operator-registry-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/da480a0c5a26a42e950fbcaf77b64918e1d76442/images/operator-registry.yml + +- route-controller-manager embedded-component 1916ceb059f500f06e8552f88bf38cd09f9522fd to e454c01fbe561cce9973f54b1ddbcdd35a9d18ff + - d4a98a4 2026-06-02T15:09:50-03:00 OCPBUGS-86886: (vendor) Use the copied ipallocator utils + - f51ec5e 2026-06-02T15:04:33-03:00 OCPBUGS-86886: Use the copied ipallocator utils + - b547252 2026-06-02T15:04:07-03:00 OCPBUGS-86886: Copy ipallocator code to route-controller-manager + - 31a2af8 2026-06-02T13:48:36-03:00 OCPBUGS-86886: (vendor) modernize dependency of k8s imports + - 5a43a7e 2026-06-02T13:48:36-03:00 OCPBUGS-86886: modernize dependency of k8s imports + +- service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + 
+- oc image-amd64 4007283544cbc3609f90375b7a8efd395561612f to 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 + - 4c50d0b4 2026-06-11T14:13:12-04:00 spec: Recommend bash-completion instead of requiring it + +- csi-external-snapshotter image-amd64 77d02e52a442c1a98457797bf8eb5777489aabae to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files + - 872813a 2026-06-07T12:35:43Z UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. 
+ - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal + +- router image-amd64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 to ce3479af6677053650d617a8165ce80c1178597c 
- d180c82 2026-06-08T18:21:01-03:00 OCPBUGS-87205: fix comments on template - 861e7c2 2026-06-08T11:47:45-03:00 Update images/router/haproxy/conf/haproxy-config.template - fca5221 2026-06-08T11:47:45-03:00 Expand list of stripped X-SSL-Client-* headers - ef98dff 2026-06-08T11:47:45-03:00 Rename env var to ROUTER_MUTUAL_TLS_HEADER_FILTER - 2e0ec41 2026-06-08T11:47:45-03:00 OCPBUGS-86718: Strip X-SSL-Client-* headers for plain HTTP + - befe5dd 2026-06-07T22:20:03Z Updating ose-haproxy-router-base-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-haproxy-router-base.yml -- kubernetes image-arm64 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 +- kubernetes image-amd64 872bd3722d0954b31459f715fbd4fb7612aaf338 to d8d517e6bbe7cf7359026cac26bb96ea45e18806 - 59c831f7c 2026-06-06T16:54:59-04:00 UPSTREAM: : add kubernetes/conformance umbrella suite +- service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + +- oc image-arm64 4007283544cbc3609f90375b7a8efd395561612f to 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 + - 4c50d0b4 2026-06-11T14:13:12-04:00 spec: Recommend bash-completion instead of requiring it + +- csi-external-snapshotter image-arm64 6411c3232ca015c2a02ece1d5a675045d17031cd to e695e2bd0b548afd0fce049d86d4af29dd34e574 + - 56ba1dc 2026-06-11T13:36:34Z UPSTREAM: revert: : Rebase external-snapshotter to v8.6.0 + - 151ed79 2026-06-10T12:38:21+02:00 UPSTREAM: : Updating ose-csi-snapshot-controller-container image to be consistent with ART for 5.0 Reconciling with 
https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-csi-snapshot-controller.yml + - c611294 2026-06-09T14:07:00+02:00 UPSTREAM: : Add OpenShift files + - af6ba61 2026-06-05T21:55:26Z UPSTREAM: : Updating ose-csi-external-snapshotter-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/7691ed4dc0b6585b358f9e73fb736ace9a48a286/images/ose-csi-external-snapshotter.yml + - d920dc6 2026-05-27T22:18:07-04:00 Add changelog for v8.6.0 + - 41cb4da 2026-05-27T05:36:33Z Bump the k8s-dependencies group across 1 directory with 2 updates + - e3d7c8b 2026-05-26T17:51:49Z Squashed 'release-tools/' changes from e019f2a72..31186bf0a + - c57619a 2026-05-25T17:14:54Z Bump the github-dependencies group across 1 directory with 34 updates + - fce55ed 2026-05-22T19:31:15Z Add timeouts to webhook server. + - ac46e7f 2026-05-20T10:01:48+02:00 Bump k8s dependencies to v1.36.1 + - e38b2f6 2026-05-19T16:31:31+02:00 Squashed 'release-tools/' changes from 909252797..e019f2a72 + - 4907b0a 2026-05-14T10:35:25+05:30 Add newClaimPendingRestoreFromVolumeSnapshot and a TestDeleteSync case that asserts syncSnapshot returns an error and emits SnapshotDeletePending while a Pending PVC's dataSource references the snapshot, matching the requeue behavior for issue #1366. + - 9c09524 2026-04-29T09:56:41+05:30 Address review: clarify snapshot-in-use errors and group snapshot requeue comment + - 21c0111 2026-04-29T09:34:52+05:30 Fix requeue on VolumeSnapshot deletion when used for PVC restore When a VolumeSnapshot is deleted while a PVC is still being created from it, the controller blocked deletion but returned nil, so the workqueue never retried. Return an error so the snapshot is requeued and deletion is retried once the PVC is no longer in use. Same fix applied for VolumeGroupSnapshot in the group snapshot helper. 
+ - f3f8db4 2026-04-22T11:23:08Z Bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 + - e8f6849 2026-04-20T13:28:17+02:00 Fix VolumeSnapshotContent deletion + - 9773a35 2026-04-17T03:00:21Z Squashed 'release-tools/' changes from de06a09a7..909252797 + - 1aececd 2026-04-16T12:44:28-04:00 Update unit tests + - f298d12 2026-04-16T11:26:01-04:00 Update go version to 1.25.8 + - c28b251 2026-04-16T11:26:01-04:00 Set v1beta2 as stored version + - 027ff6f 2026-04-16T11:25:54-04:00 Update controllers to use v1 VolumeGroupSnapshot APIs + - 7810fa8 2026-04-16T11:23:47-04:00 Move VolumeGroupSnapshot API to V1 + - 86c1a6c 2026-04-15T19:55:40-04:00 Add unit tests for group snapshots + - 13bf493 2026-04-15T18:26:54Z Run Trivy scan on schedule instead of pull requests + - fad717c 2026-04-15T12:32:14-04:00 Update go.opentelemetry.io/otel libs + - 72ee717 2026-04-15T10:57:54-04:00 Squashed 'release-tools/' changes from 119a53c3c..de06a09a7 + - c34d0df 2026-04-08T14:17:37-04:00 Fix data race in metrics test + - 4a8f5b5 2026-03-31T13:27:30+02:00 fix: pin github action to exact SHA + - 93ef9f3 2026-03-23T11:35:40Z Bump the github-dependencies group across 1 directory with 39 updates + - c18f4ec 2026-03-22T19:22:58+01:00 security: Update trivy-action to v0.35.0 + - 77c491f 2026-03-15T22:27:40-04:00 Squashed 'release-tools/' changes from 1e81e752e..119a53c3c + - 8c992f2 2026-03-03T13:37:39-05:00 Add more unit tests + - 97f3abc 2026-03-03T13:03:59+05:30 deploy: update sidecar image versions + - dec67ea 2026-02-27T12:54:09-05:00 Add unit tests for volume group snapshot controller in sidecar + - ee18dbc 2026-02-17T16:28:28-05:00 Add unit tests for group snapshots in snapshot-controller + - bb34c93 2026-02-16T12:29:17Z Bump the github-dependencies group with 11 updates + - 658c1ac 2025-10-19T14:06:14+03:00 [snapshot-controller] Do not modify error when retrying PVC finalizer removal + +- router image-arm64 808b0001233b4c084694244f25cd53c3808c4e81 to ce3479af6677053650d617a8165ce80c1178597c 
+ - befe5dd 2026-06-07T22:20:03Z Updating ose-haproxy-router-base-container image to be consistent with ART for 5.0 Reconciling with https://github.com/openshift-eng/ocp-build-data/tree/af322abdd1a4d7d0161a69a16369a0ab1748515a/images/ose-haproxy-router-base.yml + +- service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b to 35cf51895f4dc77dca8a709e7635980753f87e17 + - 97a337e 2026-06-10T16:02:10+02:00 Watch CA bundle files for changes and reload dynamically + - 792dd4a 2026-06-10T16:00:29+02:00 deps: Update library-go and add k8s.io/kubernetes + diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index da804158be..d1cbbbea14 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -1,35 +1,36 @@ -https://github.com/openshift/api embedded-component 1194f4c62539275cd6dec231cc2bf7e0a010bd94 -https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94 -https://github.com/openshift/cluster-dns-operator embedded-component 65d60f9c12297a91ee89359e90f591fd44e661b0 -https://github.com/openshift/cluster-ingress-operator embedded-component 140e0bf13b3d01c369672c766c44b4be0b4ec78c -https://github.com/openshift/cluster-kube-apiserver-operator embedded-component a61282875d032c4b8cc7ea5567830942583ec378 +https://github.com/openshift/api embedded-component 992ec954f8b3debeb041fa3f17caf27b264d9fb8 +https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component ed3c0c6b8b1639d8688309c3e999a6f037436d62 +https://github.com/openshift/cluster-dns-operator embedded-component 4556c40798213ee824f76c26bef66865326fe08b +https://github.com/openshift/cluster-ingress-operator embedded-component 6c84b7c7250e7412502382dca7d1f065f94fed5b +https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 8fe970955c77da87fbbcf2c8f9e0665548185fce https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component c35307f04313369c9ba4dcab3308506a3987065e https://github.com/openshift/cluster-kube-scheduler-operator embedded-component d43423b583269eea8236040424609c3f108ac9c4 +https://github.com/openshift/cluster-monitoring-operator embedded-component 641c1f8278616fb6e8274aeadb1d125a1536ab6c https://github.com/openshift/cluster-network-operator embedded-component 6dc18040e7c214f6a1db25b6f5ef4642c6c6a186 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component 34f95b07f4afbc47558e54e4fa2710fd692e615e https://github.com/openshift/cluster-policy-controller embedded-component bb429f5b2a7d77791110b06d8ec5c017183e3ab9 -https://github.com/openshift/csi-external-snapshotter embedded-component 
77d02e52a442c1a98457797bf8eb5777489aabae +https://github.com/openshift/csi-external-snapshotter embedded-component e695e2bd0b548afd0fce049d86d4af29dd34e574 https://github.com/openshift/etcd embedded-component bf6c0094589afdf6c814a28c24f8f1bb5a577816 -https://github.com/openshift/kubernetes embedded-component 872bd3722d0954b31459f715fbd4fb7612aaf338 +https://github.com/openshift/kubernetes embedded-component d8d517e6bbe7cf7359026cac26bb96ea45e18806 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6 -https://github.com/openshift/machine-config-operator embedded-component 62dbab4477ce608b73bb8d4b190b0f522d2a5bb5 +https://github.com/openshift/machine-config-operator embedded-component 6a2c5c65419c3e9c3028f6bd9344690f48ae837c https://github.com/openshift/openshift-controller-manager embedded-component 5631cf493b006cbc72a8600a7435813272d71940 -https://github.com/openshift/operator-framework-olm embedded-component c0b1b223882bd7657853441ccf18099527a8841b -https://github.com/openshift/route-controller-manager embedded-component 1916ceb059f500f06e8552f88bf38cd09f9522fd -https://github.com/openshift/service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-amd64 4007283544cbc3609f90375b7a8efd395561612f +https://github.com/openshift/operator-framework-olm embedded-component 3eb13541cac6e2c0110329b37cb5375ddb52ecc0 +https://github.com/openshift/route-controller-manager embedded-component e454c01fbe561cce9973f54b1ddbcdd35a9d18ff +https://github.com/openshift/service-ca-operator embedded-component 35cf51895f4dc77dca8a709e7635980753f87e17 +https://github.com/openshift/oc image-amd64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 https://github.com/openshift/coredns image-amd64 3c21b066c9bd86caa06f790dcd1c046667875d46 -https://github.com/openshift/csi-external-snapshotter image-amd64 77d02e52a442c1a98457797bf8eb5777489aabae 
-https://github.com/openshift/router image-amd64 a86164c8ebaed55a2a28451fa913a04f10cc9a72 +https://github.com/openshift/csi-external-snapshotter image-amd64 e695e2bd0b548afd0fce049d86d4af29dd34e574 +https://github.com/openshift/router image-amd64 ce3479af6677053650d617a8165ce80c1178597c https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3 https://github.com/openshift/ovn-kubernetes image-amd64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c -https://github.com/openshift/kubernetes image-amd64 872bd3722d0954b31459f715fbd4fb7612aaf338 -https://github.com/openshift/service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b -https://github.com/openshift/oc image-arm64 4007283544cbc3609f90375b7a8efd395561612f +https://github.com/openshift/kubernetes image-amd64 d8d517e6bbe7cf7359026cac26bb96ea45e18806 +https://github.com/openshift/service-ca-operator image-amd64 35cf51895f4dc77dca8a709e7635980753f87e17 +https://github.com/openshift/oc image-arm64 40ce70fca070aafb0273563ce5a7f0a5ba1fcdb2 https://github.com/openshift/coredns image-arm64 3c21b066c9bd86caa06f790dcd1c046667875d46 -https://github.com/openshift/csi-external-snapshotter image-arm64 6411c3232ca015c2a02ece1d5a675045d17031cd -https://github.com/openshift/router image-arm64 808b0001233b4c084694244f25cd53c3808c4e81 +https://github.com/openshift/csi-external-snapshotter image-arm64 e695e2bd0b548afd0fce049d86d4af29dd34e574 +https://github.com/openshift/router image-arm64 ce3479af6677053650d617a8165ce80c1178597c https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3 https://github.com/openshift/ovn-kubernetes image-arm64 e9295c0d0d7caa1eda7cc9f2f3900c64096c943c https://github.com/openshift/kubernetes image-arm64 d8d517e6bbe7cf7359026cac26bb96ea45e18806 -https://github.com/openshift/service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b +https://github.com/openshift/service-ca-operator image-arm64 
35cf51895f4dc77dca8a709e7635980753f87e17 diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 0f507bbbc8..e4651d4e92 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh @@ -1,2 +1,2 @@ #!/bin/bash -x -./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-09-112600" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-10-025037" +./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-14-221055" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-14-225436" diff --git a/scripts/auto-rebase/presubmit.py b/scripts/auto-rebase/presubmit.py index 5e90ed4639..3a98d94158 100755 --- a/scripts/auto-rebase/presubmit.py +++ b/scripts/auto-rebase/presubmit.py @@ -29,6 +29,7 @@ "./scripts/auto-rebase/assets_ai_model_serving.yaml", "./scripts/auto-rebase/assets_cert_manager.yaml", "./scripts/auto-rebase/assets_sriov.yaml", + "./scripts/auto-rebase/assets_metrics.yaml", ] diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/route/ingress/ingress.go b/vendor/github.com/openshift/route-controller-manager/pkg/route/ingress/ingress.go index 82e02ff93d..4177fd1166 100644 --- a/vendor/github.com/openshift/route-controller-manager/pkg/route/ingress/ingress.go +++ b/vendor/github.com/openshift/route-controller-manager/pkg/route/ingress/ingress.go @@ -27,6 +27,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" coreinformers "k8s.io/client-go/informers/core/v1" networkingv1informers "k8s.io/client-go/informers/networking/v1" + "k8s.io/client-go/kubernetes/scheme" kv1core "k8s.io/client-go/kubernetes/typed/core/v1" kv1networking "k8s.io/client-go/kubernetes/typed/networking/v1" corelisters "k8s.io/client-go/listers/core/v1" 
@@ -35,7 +36,6 @@ import ( "k8s.io/client-go/tools/record" "k8s.io/client-go/util/workqueue" "k8s.io/component-base/metrics/legacyregistry" - "k8s.io/kubernetes/pkg/api/legacyscheme" routev1 "github.com/openshift/api/route/v1" routeclient "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1" @@ -177,7 +177,7 @@ func NewController(eventsClient kv1core.EventsGetter, routeClient routeclient.Ro broadcaster.StartLogging(klog.Infof) // TODO: remove the wrapper when every clients have moved to use the clientset. broadcaster.StartRecordingToSink(&kv1core.EventSinkImpl{Interface: eventsClient.Events("")}) - recorder := broadcaster.NewRecorder(legacyscheme.Scheme, corev1.EventSource{Component: "ingress-to-route-controller"}) + recorder := broadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: "ingress-to-route-controller"}) c := &Controller{ eventRecorder: recorder, diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/route/ingressip/service_ingressip_controller.go b/vendor/github.com/openshift/route-controller-manager/pkg/route/ingressip/service_ingressip_controller.go index 5f20dcae53..fbbff11eb2 100644 --- a/vendor/github.com/openshift/route-controller-manager/pkg/route/ingressip/service_ingressip_controller.go +++ b/vendor/github.com/openshift/route-controller-manager/pkg/route/ingressip/service_ingressip_controller.go 
@@ -18,15 +18,14 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" kclientset "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" kcoreclient "k8s.io/client-go/kubernetes/typed/core/v1" kv1core "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/record" "k8s.io/client-go/util/workqueue" - "k8s.io/kubernetes/pkg/api/legacyscheme" - "k8s.io/kubernetes/pkg/controller" - "k8s.io/kubernetes/pkg/registry/core/service/allocator" - "k8s.io/kubernetes/pkg/registry/core/service/ipallocator" + + "github.com/openshift/route-controller-manager/pkg/utils/ipallocator" ) const ( @@ -85,7 +84,7 @@ type serviceChange struct { func NewIngressIPController(services cache.SharedIndexInformer, kc kclientset.Interface, ipNet *net.IPNet, resyncInterval time.Duration) *IngressIPController { eventBroadcaster := record.NewBroadcaster() eventBroadcaster.StartRecordingToSink(&kv1core.EventSinkImpl{Interface: kc.CoreV1().Events("")}) - recorder := eventBroadcaster.NewRecorder(legacyscheme.Scheme, v1.EventSource{Component: "ingressip-controller"}) + recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "ingressip-controller"}) ic := &IngressIPController{ client: kc.CoreV1(), @@ -115,9 +114,7 @@ func NewIngressIPController(services cache.SharedIndexInformer, kc kclientset.In ic.changeHandler = ic.processChange ic.persistenceHandler = persistService - ic.ipAllocator, _ = ipallocator.New(ipNet, func(max int, rangeSpec string, offset int) (allocator.Interface, error) { - return allocator.NewAllocationMap(max, rangeSpec), nil - }) + ic.ipAllocator, _ = ipallocator.NewInMemory(ipNet) ic.allocationMap = make(map[string]string) ic.requeuedAllocations = sets.NewString() 
@@ -138,7 +135,7 @@ func (ic *IngressIPController) enqueueChange(new interface{}, old interface{}) { if new != nil { // Queue the key needed to retrieve the lastest state from the // cache when the change is processed. - key, err := controller.KeyFunc(new) + key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(new) if err != nil { utilruntime.HandleError(fmt.Errorf("Couldn't get key for object %+v: %v", new, err)) return @@ -274,7 +271,7 @@ func (ic *IngressIPController) processInitialSync() bool { // Add pending service additions back to the queue in consistent order. sort.Sort(serviceAge(pendingServices)) for _, service := range pendingServices { - if key, err := controller.KeyFunc(service); err == nil { + if key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(service); err == nil { klog.V(5).Infof("Adding service back to queue: %v ", key) change := &serviceChange{key: key} ic.queue.Add(change) @@ -443,7 +440,7 @@ func (ic *IngressIPController) clearOldAllocation(new, old *v1.Service) bool { // New allocation differs from old due to update or deletion // Get the key from the old service since the new service may be nil - if key, err := controller.KeyFunc(old); err == nil { + if key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(old); err == nil { ic.clearLocalAllocation(key, oldIP) return true } else { diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/README.md b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/README.md new file mode 100644 index 0000000000..f5e0b550fb --- /dev/null +++ b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/README.md 
@@ -0,0 +1,23 @@
+# ipallocator
+
+Minimal in-memory IP range allocator for assigning IPs from a CIDR block.
+
+## Provenance
+
+This code is copied from two packages in **k8s.io/kubernetes v1.35.0**:
+
+- `k8s.io/kubernetes/pkg/registry/core/service/allocator` — bitmap allocator
+- `k8s.io/kubernetes/pkg/registry/core/service/ipallocator` — IP range wrapper
+
+Only the code paths used by the IngressIP controller (`pkg/route/ingressip/`) are
+included. The following features from the original were removed:
+
+- Metrics recording (`metricsRecorderInterface`, Prometheus counters)
+- Dry-run support (`DryRun()`, `dryRunRange`)
+- Snapshot/restore (`Snapshot()`, `Restore()`, `NewFromSnapshot`)
+- IPFamily tracking (`IPFamily()`, `api.IPFamily` dependency)
+- Factory pattern (`New()` with `AllocatorWithOffsetFactory`)
+- Unused methods: `ForEach()`, `Destroy()`, `CIDR()`, `Used()`, `EnableMetrics()`
+
+This eliminates the dependency on `k8s.io/kubernetes` (the monorepo).
+IP math uses `k8s.io/utils/net` which is a standalone module.
diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/allocator.go b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/allocator.go
new file mode 100644
index 0000000000..fd07023dee
--- /dev/null
+++ b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/allocator.go
@@ -0,0 +1,176 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipallocator
+
+import (
+ "fmt"
+ "math/big"
+ "math/rand"
+ "sync"
+ "time"
+)
+
+// allocatorInterface manages the allocation of items out of a range.
+type allocatorInterface interface {
+ Allocate(int) (bool, error)
+ AllocateNext() (int, bool, error)
+ Release(int) error
+ Has(int) bool
+ Free() int
+}
+
+// allocationBitmap is a contiguous block of resources that can be allocated atomically.
+//
+// Each resource has an offset. The internal structure is a bitmap, with a bit for each offset.
+//
+// If a resource is taken, the bit at that offset is set to one.
+// r.count is always equal to the number of set bits and can be recalculated at any time
+// by counting the set bits in r.allocated.
+type allocationBitmap struct {
+ strategy bitAllocator
+ max int
+ rangeSpec string
+
+ lock sync.Mutex
+ count int
+ allocated *big.Int
+}
+
+var _ allocatorInterface = &allocationBitmap{}
+
+// bitAllocator represents a search strategy in the allocation map for a valid item.
+type bitAllocator interface {
+ AllocateBit(allocated *big.Int, max, count int) (int, bool)
+}
+
+// newAllocationMapWithOffset creates an allocation bitmap using a random scan strategy that
+// allows to pass an offset that divides the allocation bitmap in two blocks.
+// The first block of values will not be used for random value assigned by the AllocateNext()
+// method until the second block of values has been exhausted.
+func newAllocationMapWithOffset(max int, rangeSpec string, offset int) *allocationBitmap {
+ return &allocationBitmap{
+ strategy: randomScanStrategyWithOffset{
+ rand: rand.New(rand.NewSource(time.Now().UnixNano())),
+ offset: offset,
+ },
+ allocated: big.NewInt(0),
+ count: 0,
+ max: max,
+ rangeSpec: rangeSpec,
+ }
+}
+
+// Allocate attempts to reserve the provided item.
+// Returns true if it was allocated, false if it was already in use.
+func (r *allocationBitmap) Allocate(offset int) (bool, error) {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+
+ if offset < 0 || offset >= r.max {
+ return false, fmt.Errorf("offset %d out of range [0,%d]", offset, r.max)
+ }
+ if r.allocated.Bit(offset) == 1 {
+ return false, nil
+ }
+ r.allocated = r.allocated.SetBit(r.allocated, offset, 1)
+ r.count++
+ return true, nil
+}
+
+// AllocateNext reserves one of the items from the pool.
+// (0, false, nil) may be returned if there are no items left.
+func (r *allocationBitmap) AllocateNext() (int, bool, error) {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+
+ next, ok := r.strategy.AllocateBit(r.allocated, r.max, r.count)
+ if !ok {
+ return 0, false, nil
+ }
+ r.count++
+ r.allocated = r.allocated.SetBit(r.allocated, next, 1)
+ return next, true, nil
+}
+
+// Release releases the item back to the pool. Releasing an
+// unallocated item or an item out of the range is a no-op and
+// returns no error.
+func (r *allocationBitmap) Release(offset int) error {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+
+ if r.allocated.Bit(offset) == 0 {
+ return nil
+ }
+
+ r.allocated = r.allocated.SetBit(r.allocated, offset, 0)
+ r.count--
+ return nil
+}
+
+// Has returns true if the provided item is already allocated and a call
+// to Allocate(offset) would fail.
+func (r *allocationBitmap) Has(offset int) bool {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+
+ return r.allocated.Bit(offset) == 1
+}
+
+// Free returns the count of items left in the range.
+func (r *allocationBitmap) Free() int {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+ return r.max - r.count
+}
+
+// randomScanStrategyWithOffset chooses a random address from the provided big.Int and then scans
+// forward looking for the next available address. The big.Int range is subdivided so it will try
+// to allocate first from the reserved upper range of addresses (it will wrap the upper subrange if necessary).
+// If there is no free address it will try to allocate one from the lower range too.
+type randomScanStrategyWithOffset struct {
+ rand *rand.Rand
+ offset int
+}
+
+func (rss randomScanStrategyWithOffset) AllocateBit(allocated *big.Int, max, count int) (int, bool) {
+ if count >= max {
+ return 0, false
+ }
+ subrangeMax := max - rss.offset
+ start := rss.rand.Intn(subrangeMax)
+ for i := 0; i < subrangeMax; i++ {
+ at := rss.offset + ((start + i) % subrangeMax)
+ if allocated.Bit(at) == 0 {
+ return at, true
+ }
+ }
+
+ // Guard against rand.Intn(0) panic when offset is 0.
+ if rss.offset > 0 {
+ start = rss.rand.Intn(rss.offset)
+ for i := 0; i < rss.offset; i++ {
+ at := (start + i) % rss.offset
+ if allocated.Bit(at) == 0 {
+ return at, true
+ }
+ }
+ }
+ return 0, false
+}
+
+var _ bitAllocator = randomScanStrategyWithOffset{}
diff --git a/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go
new file mode 100644
index 0000000000..77450783ff
--- /dev/null
+++ b/vendor/github.com/openshift/route-controller-manager/pkg/utils/ipallocator/ipallocator.go
@@ -0,0 +1,210 @@ +/* +Copyright 2015 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipallocator + +import ( + "errors" + "fmt" + "math/big" + "net" + + netutils "k8s.io/utils/net" +) + +var ( + ErrFull = errors.New("range is full") + ErrAllocated = errors.New("provided IP is already allocated") +) + +type ErrNotInRange struct { + IP net.IP + ValidRange string +} + +func (e *ErrNotInRange) Error() string { + return fmt.Sprintf("the provided IP (%v) is not in the valid range. The range of valid IPs is %s", e.IP, e.ValidRange) +} + +// Range is a contiguous block of IPs that can be allocated atomically. +// +// The internal structure of the range is: +// +// For CIDR 10.0.0.0/24 +// 254 addresses usable out of 256 total (minus base and broadcast IPs) +// The number of usable addresses is r.max +// +// CIDR base IP CIDR broadcast IP +// 10.0.0.0 10.0.0.255 +// | | +// 0 1 2 3 4 5 ... ... 253 254 255 +// | | +// r.base r.base + r.max +// | | +// offset #0 of r.allocated last offset of r.allocated +type Range struct { + net *net.IPNet + base *big.Int + max int + + alloc allocatorInterface +} + +// NewInMemory creates an in-memory IP allocator over a net.IPNet. +func NewInMemory(cidr *net.IPNet) (*Range, error) { + max := netutils.RangeSize(cidr) + base := netutils.BigForIP(cidr.IP) + rangeSpec := cidr.String() + + if netutils.IsIPv6CIDR(cidr) { + if max > 65536 { + max = 65536 + } + } else { + // Don't use the IPv4 network's broadcast address. 
+ max-- + } + + // Don't use the network's ".0" address. + base.Add(base, big.NewInt(1)) + max-- + + if max < 0 { + max = 0 + } + + r := Range{ + net: cidr, + base: base, + max: maximum(0, int(max)), + } + + offset := calculateRangeOffset(cidr) + r.alloc = newAllocationMapWithOffset(r.max, rangeSpec, offset) + return &r, nil +} + +func maximum(a, b int) int { + if a > b { + return a + } + return b +} + +// Free returns the count of IP addresses left in the range. +func (r *Range) Free() int { + return r.alloc.Free() +} + +// Allocate attempts to reserve the provided IP. ErrNotInRange or +// ErrAllocated will be returned if the IP is not valid for this range +// or has already been reserved. ErrFull will be returned if there +// are no addresses left. +func (r *Range) Allocate(ip net.IP) error { + ok, offset := r.contains(ip) + if !ok { + return &ErrNotInRange{ip, r.net.String()} + } + + allocated, err := r.alloc.Allocate(offset) + if err != nil { + return err + } + if !allocated { + return ErrAllocated + } + return nil +} + +// AllocateNext reserves one of the IPs from the pool. ErrFull may +// be returned if there are no addresses left. +func (r *Range) AllocateNext() (net.IP, error) { + offset, ok, err := r.alloc.AllocateNext() + if err != nil { + return nil, err + } + if !ok { + return nil, ErrFull + } + return netutils.AddIPOffset(r.base, offset), nil +} + +// Release releases the IP back to the pool. Releasing an +// unallocated IP or an IP out of the range is a no-op and +// returns no error. +func (r *Range) Release(ip net.IP) error { + ok, offset := r.contains(ip) + if !ok { + return nil + } + return r.alloc.Release(offset) +} + +// Has returns true if the provided IP is already allocated and a call +// to Allocate(ip) would fail with ErrAllocated. 
+func (r *Range) Has(ip net.IP) bool { + ok, offset := r.contains(ip) + if !ok { + return false + } + return r.alloc.Has(offset) +} + +// contains returns true and the offset if the ip is in the range, and false +// and 0 otherwise. The first and last addresses of the CIDR are omitted. +func (r *Range) contains(ip net.IP) (bool, int) { + if !r.net.Contains(ip) { + return false, 0 + } + + offset := calculateIPOffset(r.base, ip) + if offset < 0 || offset >= r.max { + return false, 0 + } + return true, offset +} + +// calculateIPOffset calculates the integer offset of ip from base such that +// base + offset = ip. It requires ip >= base. +func calculateIPOffset(base *big.Int, ip net.IP) int { + return int(big.NewInt(0).Sub(netutils.BigForIP(ip), base).Int64()) +} + +// calculateRangeOffset estimates the offset used on the range for static allocation based on +// the following formula `min(max($min, cidrSize/$step), $max)`, described as ~never less than +// $min or more than $max, with a graduated step function between them~. The function returns 0 +// if any of the parameters is invalid. +func calculateRangeOffset(cidr *net.IPNet) int { + const ( + min = 16 + max = 256 + step = 16 + ) + + cidrSize := netutils.RangeSize(cidr) + if cidrSize <= min { + return 0 + } + + offset := cidrSize / step + if offset < min { + return min + } + if offset > max { + return max + } + return int(offset) +} diff --git a/vendor/modules.txt b/vendor/modules.txt index d48af84e56..6a562993c1 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -798,13 +798,14 @@ github.com/openshift/library-go/pkg/route/validation github.com/openshift/library-go/pkg/security/ldaputil github.com/openshift/library-go/pkg/security/uid github.com/openshift/library-go/pkg/serviceability -# github.com/openshift/route-controller-manager v0.0.0-20260526224403-1916ceb059f5 +# github.com/openshift/route-controller-manager v0.0.0-20260611182032-e454c01fbe56 ## explicit; go 1.25.0 github.com/openshift/route-controller-manager/pkg/cmd/controller github.com/openshift/route-controller-manager/pkg/cmd/route-controller-manager github.com/openshift/route-controller-manager/pkg/route/ingress github.com/openshift/route-controller-manager/pkg/route/ingressip github.com/openshift/route-controller-manager/pkg/routecontroller +github.com/openshift/route-controller-manager/pkg/utils/ipallocator github.com/openshift/route-controller-manager/pkg/version # github.com/ovn-kubernetes/libovsdb v0.8.2-0.20260302130604-c07ce22366ac ## explicit; go 1.24.0 From 2db418ba26df3dd9e227190aebeec171f09bbb04 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:18:30 -0500 Subject: [PATCH 09/18] USHIFT-6951: move metrics cert provisioning to pkg/components Signed-off-by: Jonathan H. Cope --- pkg/cmd/run.go | 8 ++---- pkg/{cmd => components}/metrics.go | 39 ++++++++++++++---------------- 2 files changed, 20 insertions(+), 27 deletions(-) rename pkg/{cmd => components}/metrics.go (69%) diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go index a48a7320b3..e1be072438 100644 --- a/pkg/cmd/run.go +++ b/pkg/cmd/run.go @@ -14,6 +14,7 @@ import ( "github.com/coreos/go-systemd/daemon" "github.com/openshift/microshift/pkg/admin/data" "github.com/openshift/microshift/pkg/admin/prerun" + "github.com/openshift/microshift/pkg/components" "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/controllers" "github.com/openshift/microshift/pkg/controllers/c2cc" 
@@ -305,12 +306,7 @@ func RunMicroshift(cfg *config.Config) error { // Provision certs for optional components after kustomize creates their namespaces. go func() { - defer func() { - if r := recover(); r != nil { - klog.Errorf("Panic in metrics-server cert provisioning: %v", r) - } - }() - if err := provisionMetricsServerCerts(runCtx, cfg); err != nil { + if err := components.ProvisionMetricsServerCerts(runCtx, cfg); err != nil { klog.Errorf("Failed to provision metrics-server certs: %v", err) } }() diff --git a/pkg/cmd/metrics.go b/pkg/components/metrics.go similarity index 69% rename from pkg/cmd/metrics.go rename to pkg/components/metrics.go index 2e1bb08fbd..b97e7e4da2 100644 --- a/pkg/cmd/metrics.go +++ b/pkg/components/metrics.go @@ -1,4 +1,4 @@ -package cmd +package components import ( "context" @@ -13,14 +13,15 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" - "k8s.io/client-go/kubernetes" - "k8s.io/client-go/tools/clientcmd" "k8s.io/klog/v2" ) -const metricsServerManifestPath = "/usr/lib/microshift/manifests.d/080-microshift-metrics-server" +const ( + metricsServerManifestPath = "/usr/lib/microshift/manifests.d/080-microshift-metrics-server" + metricsServerNamespace = "openshift-monitoring" +) -func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error { +func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error { exists, err := util.PathExists(metricsServerManifestPath) if err != nil { return err 
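Review bot: Dropping the `defer`/`recover()` wrapper from the `go func()` in `RunMicroshift` means a panic inside `components.ProvisionMetricsServerCerts` is no longer contained and, because it is raised on a separate goroutine, will terminate the whole MicroShift process. The commit message describes only a move to `pkg/components`, so this looks unintended. Either keep the recover block around the call or state in the message that the behaviour change is deliberate. `RunMicroshift` starts and ends outside the hunk.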
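Review bot: `ProvisionMetricsServerCerts` becomes an exported function in the `@@ -13,14 +13,15 @@` hunk of pkg/components/metrics.go but has no doc comment. It writes private key material (`tls.key`) into a Secret and blocks while polling for the namespace, so callers should be told that up front, for example `// ProvisionMetricsServerCerts waits for the openshift-monitoring namespace, then writes the metrics-server kubelet client certificate and key to a Secret and the kubelet CA bundle to a ConfigMap in it.` The function body continues outside this hunk, so the early-return behaviour when the manifest directory is absent should be confirmed before it is documented.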
@@ -32,28 +33,24 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error kubeconfigPath := cfg.KubeConfigPath(config.KubeAdmin) - restCfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath) - if err != nil { - return fmt.Errorf("building kubeconfig: %w", err) - } - clientset, err := kubernetes.NewForConfig(restCfg) + clientset, err := getKubernetesClient(kubeconfigPath) if err != nil { return fmt.Errorf("creating clientset: %w", err) } - const ns = "openshift-monitoring" + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) { - _, err := clientset.CoreV1().Namespaces().Get(ctx, ns, metav1.GetOptions{}) + _, err := clientset.CoreV1().Namespaces().Get(ctx, metricsServerNamespace, metav1.GetOptions{}) if err == nil { return true, nil } if !apierrors.IsNotFound(err) { - return false, fmt.Errorf("getting namespace %s: %w", ns, err) + return false, fmt.Errorf("getting namespace %s: %w", metricsServerNamespace, err) } - klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", ns) + klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", metricsServerNamespace) return false, nil }) if err != nil { - return fmt.Errorf("waiting for namespace %s: %w", ns, err) + return fmt.Errorf("waiting for namespace %s: %w", metricsServerNamespace, err) } certsDir := cryptomaterial.CertsDirectory(config.DataDir) @@ -71,7 +68,7 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "metrics-server-client-certs", - Namespace: ns, + Namespace: metricsServerNamespace, Annotations: map[string]string{ "openshift.io/owning-component": "metrics-server", }, 
@@ -82,9 +79,9 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error "tls.key": keyPEM, }, } - _, err = clientset.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{}) + _, err = clientset.CoreV1().Secrets(metricsServerNamespace).Create(ctx, secret, metav1.CreateOptions{}) if apierrors.IsAlreadyExists(err) { - _, err = clientset.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + _, err = clientset.CoreV1().Secrets(metricsServerNamespace).Update(ctx, secret, metav1.UpdateOptions{}) } if err != nil { return fmt.Errorf("applying metrics-server client cert secret: %w", err) @@ -98,7 +95,7 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "kubelet-serving-ca-bundle", - Namespace: ns, + Namespace: metricsServerNamespace, Annotations: map[string]string{ "openshift.io/owning-component": "metrics-server", }, @@ -107,9 +104,9 @@ func provisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error "ca-bundle.crt": string(caPEM), }, } - _, err = clientset.CoreV1().ConfigMaps(ns).Create(ctx, cm, metav1.CreateOptions{}) + _, err = clientset.CoreV1().ConfigMaps(metricsServerNamespace).Create(ctx, cm, metav1.CreateOptions{}) if apierrors.IsAlreadyExists(err) { - _, err = clientset.CoreV1().ConfigMaps(ns).Update(ctx, cm, metav1.UpdateOptions{}) + _, err = clientset.CoreV1().ConfigMaps(metricsServerNamespace).Update(ctx, cm, metav1.UpdateOptions{}) } if err != nil { return fmt.Errorf("applying kubelet serving CA configmap: %w", err) From 42996d695f4dfb04023a1b827a1ed981f9d8cde2 Mon Sep 17 00:00:00 2001 
From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:18:33 -0500 Subject: [PATCH 10/18] USHIFT-6951: fix metrics-server cert provisioning reliability use resourceapply for idempotent secret/configmap apply with retry, return (false, nil) on transient API errors so polling continues, propagate errors synchronously instead of fire-and-forget goroutine Signed-off-by: Jonathan H. Cope --- pkg/cmd/run.go | 8 +++----- pkg/components/metrics.go | 35 +++++++++++++++++++++++++---------- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go index e1be072438..99b4864bad 100644 --- a/pkg/cmd/run.go +++ b/pkg/cmd/run.go @@ -305,11 +305,9 @@ func RunMicroshift(cfg *config.Config) error { kustomize.NewKustomizer(cfg).RunStandalone(runCtx) // Provision certs for optional components after kustomize creates their namespaces. - go func() { - if err := components.ProvisionMetricsServerCerts(runCtx, cfg); err != nil { - klog.Errorf("Failed to provision metrics-server certs: %v", err) - } - }() + if err := components.ProvisionMetricsServerCerts(runCtx, cfg); err != nil { + return fmt.Errorf("failed to provision metrics-server certs: %w", err) + } // Watch for SIGTERM or service error to exit, now that we are ready. select { diff --git a/pkg/components/metrics.go b/pkg/components/metrics.go index b97e7e4da2..5dac438fa7 100644 --- a/pkg/components/metrics.go +++ b/pkg/components/metrics.go @@ -6,6 +6,8 @@ import ( "os" "time" + "github.com/openshift/library-go/pkg/operator/events" + "github.com/openshift/library-go/pkg/operator/resource/resourceapply" "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/util" "github.com/openshift/microshift/pkg/util/cryptomaterial" @@ -14,6 +16,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/klog/v2" + "k8s.io/utils/clock" ) const ( 
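Review bot: Calling `components.ProvisionMetricsServerCerts` inline in `RunMicroshift` places its polling ahead of the `select` that watches for SIGTERM and service errors, and turns a failure of an optional component into a failed start of the whole node. With the timeouts used in pkg/components/metrics.go (five minutes for the namespace, one minute for each apply) the process can wait here for several minutes; whether `runCtx` is cancelled by a signal during that time is not visible in the hunk. Consider keeping the call on a goroutine that reports its error on a channel the existing `select` also reads, so provisioning failures are still propagated without delaying signal handling. `RunMicroshift` starts and ends outside the hunk.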
@@ -21,6 +24,8 @@ const ( metricsServerNamespace = "openshift-monitoring" ) +var metricsEventRecorder events.Recorder = events.NewLoggingEventRecorder("microshift-metrics-server", clock.RealClock{}) + func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error { exists, err := util.PathExists(metricsServerManifestPath) if err != nil { @@ -44,7 +49,8 @@ func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error return true, nil } if !apierrors.IsNotFound(err) { - return false, fmt.Errorf("getting namespace %s: %w", metricsServerNamespace, err) + klog.Errorf("getting namespace %s: %v", metricsServerNamespace, err) + return false, nil } klog.V(2).Infof("Waiting for namespace %s to be created by kustomize", metricsServerNamespace) return false, nil @@ -79,10 +85,15 @@ func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error "tls.key": keyPEM, }, } - _, err = clientset.CoreV1().Secrets(metricsServerNamespace).Create(ctx, secret, metav1.CreateOptions{}) - if apierrors.IsAlreadyExists(err) { - _, err = clientset.CoreV1().Secrets(metricsServerNamespace).Update(ctx, secret, metav1.UpdateOptions{}) - } + + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (bool, error) { + _, _, err := resourceapply.ApplySecret(ctx, clientset.CoreV1(), metricsEventRecorder, secret) + if err != nil { + klog.Errorf("applying metrics-server client cert secret: %v", err) + return false, nil + } + return true, nil + }) if err != nil { return fmt.Errorf("applying metrics-server client cert secret: %w", err) } 
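Review bot: The poll callbacks in the `@@ -44,7 +49,8 @@` and `@@ -79,10 +85,15 @@` hunks now treat every API error as transient, so a permanent failure such as a Forbidden or Unauthorized response is retried every two seconds until the timeout and logged at error level each time. When the poll gives up, the error wrapped by the caller is the poll's timeout rather than the API error that caused it. Return early on errors that cannot succeed on retry, e.g. `if apierrors.IsForbidden(err) || apierrors.IsUnauthorized(err) { return false, err }`, and keep the last error so it can be included in the final message. `ProvisionMetricsServerCerts` starts and ends outside these hunks.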
@@ -104,12 +115,16 @@ func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error "ca-bundle.crt": string(caPEM), }, } - _, err = clientset.CoreV1().ConfigMaps(metricsServerNamespace).Create(ctx, cm, metav1.CreateOptions{}) - if apierrors.IsAlreadyExists(err) { - _, err = clientset.CoreV1().ConfigMaps(metricsServerNamespace).Update(ctx, cm, metav1.UpdateOptions{}) - } + + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (bool, error) { + _, _, err := resourceapply.ApplyConfigMap(ctx, clientset.CoreV1(), metricsEventRecorder, cm) + if err != nil { + return false, fmt.Errorf("applying kubelet serving CA configmap: %w", err) + } + return true, nil + }) if err != nil { - return fmt.Errorf("applying kubelet serving CA configmap: %w", err) + return fmt.Errorf("applying kubelet serving CA configmap: %v", err) } klog.Infof("Provisioned metrics-server kubelet client cert and CA bundle") From 47da5eae8c8a336145647082e11da97a4bfb245d Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Tue, 16 Jun 2026 22:18:36 -0500 Subject: [PATCH 11/18] USHIFT-6951: narrow kubelet serving CA bundle for metrics-server add KubeletServingCAPath containing only kubelet-signer and kube-csr-signer; use it instead of the broader KubeletClientCAPath Signed-off-by: Jonathan H. Cope --- pkg/cmd/init.go | 4 ++++ pkg/components/metrics.go | 2 +- pkg/util/cryptomaterial/certinfo.go | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index de2e2a40a3..8c8e9ec6ff 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go 
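Review bot: The ConfigMap poll callback in the `@@ -104,12 +115,16 @@` hunk returns `false, fmt.Errorf(...)`, which stops `wait.PollUntilContextTimeout` on the first failure, so unlike the Secret path added in the same commit it never retries. The outer return also changes from `%w` to `%v` and repeats the same prefix, producing a doubled message and an error that callers can no longer unwrap. To match the Secret path, use `klog.Errorf("applying kubelet serving CA configmap: %v", err)` followed by `return false, nil` inside the callback, and keep `return fmt.Errorf("applying kubelet serving CA configmap: %w", err)` outside it. `ProvisionMetricsServerCerts` starts outside the hunk.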
@@ -371,6 +371,10 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) { []string{"admin-kubeconfig-signer"}, []string{"kubelet-signer"}, []string{"kubelet-signer", "kube-csr-signer"}, + ).WithCABundle( + cryptomaterial.KubeletServingCAPath(certsDir), + []string{"kubelet-signer"}, + []string{"kubelet-signer", "kube-csr-signer"}, ).WithCABundle( cryptomaterial.ServiceAccountTokenCABundlePath(certsDir), []string{"kube-apiserver-localhost-signer"}, diff --git a/pkg/components/metrics.go b/pkg/components/metrics.go index 5dac438fa7..3539cb0de6 100644 --- a/pkg/components/metrics.go +++ b/pkg/components/metrics.go @@ -98,7 +98,7 @@ func ProvisionMetricsServerCerts(ctx context.Context, cfg *config.Config) error return fmt.Errorf("applying metrics-server client cert secret: %w", err) } - caPEM, err := os.ReadFile(cryptomaterial.KubeletClientCAPath(certsDir)) + caPEM, err := os.ReadFile(cryptomaterial.KubeletServingCAPath(certsDir)) if err != nil { return err } diff --git a/pkg/util/cryptomaterial/certinfo.go b/pkg/util/cryptomaterial/certinfo.go index 4e8c50989e..12c413d114 100644 --- a/pkg/util/cryptomaterial/certinfo.go +++ b/pkg/util/cryptomaterial/certinfo.go @@ -171,6 +171,10 @@ func KubeletClientCAPath(certsDir string) string { return filepath.Join(certsDir, "ca-bundle", "kubelet-ca.crt") } +func KubeletServingCAPath(certsDir string) string { + return filepath.Join(certsDir, "ca-bundle", "kubelet-serving-ca.crt") +} + func ServiceAccountTokenCABundlePath(certsDir string) string { return filepath.Join(certsDir, "ca-bundle", "service-account-token-ca.crt") } From 1bf63f2fde76dd8bd2ec9588b2d830f1a4e1372b Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 00:47:29 -0500 Subject: [PATCH 12/18] USHIFT-6951: use slices.Concat in mergeWorkloads Co-Authored-By: Claude Opus 4.6 --- pkg/healthcheck/microshift_optional_workloads.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
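Review bot: `KubeletServingCAPath` in pkg/util/cryptomaterial/certinfo.go is added without a doc comment, and its file name differs from the `kubelet-ca.crt` of `KubeletClientCAPath` by one word, so the narrower trust scope this commit introduces is easy to undo by picking the wrong helper. Add a comment such as `// KubeletServingCAPath returns the CA bundle for verifying kubelet serving certificates; it holds only kubelet-signer and kube-csr-signer and is narrower than the bundle at KubeletClientCAPath.` A matching one-line comment above the new `WithCABundle(` call in `certSetup` would keep the signer list and the helper in step. `certSetup` starts and ends outside its hunk.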
diff --git a/pkg/healthcheck/microshift_optional_workloads.go b/pkg/healthcheck/microshift_optional_workloads.go index 22e68dbcc2..7772b1e36c 100644 --- a/pkg/healthcheck/microshift_optional_workloads.go +++ b/pkg/healthcheck/microshift_optional_workloads.go @@ -1,6 +1,8 @@ package healthcheck import ( + "slices" + "github.com/openshift/microshift/pkg/config" "github.com/openshift/microshift/pkg/util" "k8s.io/klog/v2" @@ -45,13 +47,12 @@ var optionalWorkloadPaths = map[string]optionalWorkloads{ }, } -// mergeWorkloads merges two NamespaceWorkloads, returning a new NamespaceWorkloads. This is helpful for cases -// where components from multiple sources are deployed to the same namespace. +// mergeWorkloads combines two NamespaceWorkloads into one. func mergeWorkloads(existing, incoming NamespaceWorkloads) NamespaceWorkloads { return NamespaceWorkloads{ - Deployments: append(existing.Deployments, incoming.Deployments...), - DaemonSets: append(existing.DaemonSets, incoming.DaemonSets...), - StatefulSets: append(existing.StatefulSets, incoming.StatefulSets...), + Deployments: slices.Concat(existing.Deployments, incoming.Deployments), + DaemonSets: slices.Concat(existing.DaemonSets, incoming.DaemonSets), + StatefulSets: slices.Concat(existing.StatefulSets, incoming.StatefulSets), } } From 65c16038c91cdb924b64e4d29bbecca1da04f6cb Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 12:18:24 -0500 Subject: [PATCH 13/18] USHIFT-6951: remove otel-collector integration from metrics-server Remove otelcol drop-in config, revert observability service ExecStart to single-config mode, and drop otelcol-related lines from the RPM spec. Observability integration is deferred to a follow-up PR. 
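Review bot: The rewritten comment on `mergeWorkloads` drops the explanation of when the function is needed and does not say why `slices.Concat` replaced `append`. `append(existing.Deployments, ...)` can write into the backing array of `existing` when that slice has spare capacity, whereas `slices.Concat` returns a newly allocated slice; that is presumably the reason for the change and is worth recording. Suggested comment: `// mergeWorkloads returns a new NamespaceWorkloads holding the workloads of both arguments. The result shares no backing storage with either input, so neither is modified.`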
Signed-off-by: Jonathan H. Cope --- .../microshift-observability.service | 2 +- .../otelcol.d/microshift-metrics-server.yaml | 26 ------------------- packaging/rpm/microshift.spec | 5 ---- 3 files changed, 1 insertion(+), 32 deletions(-) delete mode 100644 packaging/observability/otelcol.d/microshift-metrics-server.yaml diff --git a/packaging/observability/microshift-observability.service b/packaging/observability/microshift-observability.service index e628bb6fd8..2fc2e984dc 100644 --- a/packaging/observability/microshift-observability.service +++ b/packaging/observability/microshift-observability.service @@ -8,7 +8,7 @@ ConditionPathExists=/var/lib/microshift/resources/observability-client/kubeconfi Environment=KUBECONFIG=/var/lib/microshift/resources/observability-client/kubeconfig Environment=K8S_NODE_NAME="%l" ExecStartPre=/usr/bin/mkdir -p /var/lib/microshift-observability -ExecStart=/bin/bash -c 'ARGS=("--config=file:/etc/microshift/observability/opentelemetry-collector.yaml"); for f in /etc/microshift/observability/otelcol.d/*.yaml; do [ -f "$$f" ] && ARGS+=("--config=file:$$f"); done; exec /usr/bin/opentelemetry-collector "$${ARGS[@]}"' +ExecStart=/usr/bin/opentelemetry-collector --config=/etc/microshift/observability/opentelemetry-collector.yaml Restart=always User=root diff --git a/packaging/observability/otelcol.d/microshift-metrics-server.yaml b/packaging/observability/otelcol.d/microshift-metrics-server.yaml deleted file mode 100644 index e18788969f..0000000000 --- a/packaging/observability/otelcol.d/microshift-metrics-server.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -receivers: - prometheus/metrics_server: - config: - scrape_configs: - - job_name: metrics-server - scrape_interval: 30s - scheme: https - tls_config: - ca_file: /var/lib/microshift/certs/service-ca/ca.crt - server_name: metrics-server.openshift-monitoring.svc - kubernetes_sd_configs: - - kubeconfig_file: /var/lib/microshift/resources/observability-client/kubeconfig - role: endpoints - namespaces: - names: [openshift-monitoring] - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: metrics-server;https - -service: - pipelines: - metrics/metrics_server: - receivers: [prometheus/metrics_server] - processors: [batch] - exporters: [otlp] diff --git a/packaging/rpm/microshift.spec b/packaging/rpm/microshift.spec index e47fac2ca9..e720a65bad 100644 --- a/packaging/rpm/microshift.spec +++ b/packaging/rpm/microshift.spec @@ -236,7 +236,6 @@ and can be used to embed those images into osbuilder blueprints or bootc contain Summary: OpenTelemetry-Collector configured for MicroShift BuildArch: noarch Requires: microshift = %{version} -Requires: microshift-metrics-server = %{version} Requires: opentelemetry-collector %description observability 
@@ -582,9 +581,7 @@ install -p -m644 assets/optional/ai-model-serving/release-ai-model-serving-x86_6 # observability install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability -install -d -m755 %{buildroot}/%{_sysconfdir}/microshift/observability/otelcol.d install -p -m644 packaging/observability/*.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/ -install -p -m644 packaging/observability/otelcol.d/microshift-metrics-server.yaml %{buildroot}%{_sysconfdir}/microshift/observability/otelcol.d/ # Explicit copy of large config as default. Not using symlink to avoid accidental package upgrade overwriting user config if the user edits the config without copying (i.e. edits the target of symlink). install -p -m644 packaging/observability/opentelemetry-collector-large.yaml -D %{buildroot}%{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml install -p -m644 packaging/observability/microshift-observability.service %{buildroot}%{_unitdir}/ @@ -837,12 +834,10 @@ fi %files observability %dir %{_prefix}/lib/microshift/manifests.d/003-microshift-observability %dir %{_sysconfdir}/microshift/observability/ -%dir %{_sysconfdir}/microshift/observability/otelcol.d %{_unitdir}/microshift-observability.service %config(noreplace) %{_sysconfdir}/microshift/observability/opentelemetry-collector.yaml %{_sysconfdir}/microshift/observability/opentelemetry-collector-*.yaml %{_prefix}/lib/microshift/manifests.d/003-microshift-observability/* -%config(noreplace) %{_sysconfdir}/microshift/observability/otelcol.d/microshift-metrics-server.yaml %files cert-manager %dir %{_prefix}/lib/microshift/manifests.d/060-microshift-cert-manager From b81b9c60b1478f4d7d6becb3b72c57477f1f8d2f Mon Sep 17 00:00:00 2001 
From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 12:18:24 -0500 Subject: [PATCH 14/18] USHIFT-6951: remove metrics-server rebase logic from shared files Move MS asset tracking and image update logic out of the shared rebase.sh. Delete the separate assets_metrics.yaml and update presubmit.py to reference the new unified asset file. Signed-off-by: Jonathan H. Cope --- scripts/auto-rebase/assets_metrics.yaml | 35 ---------- scripts/auto-rebase/presubmit.py | 2 +- scripts/auto-rebase/rebase.sh | 92 +------------------------ 3 files changed, 3 insertions(+), 126 deletions(-) delete mode 100644 scripts/auto-rebase/assets_metrics.yaml diff --git a/scripts/auto-rebase/assets_metrics.yaml b/scripts/auto-rebase/assets_metrics.yaml deleted file mode 100644 index 7fecda282e..0000000000 --- a/scripts/auto-rebase/assets_metrics.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -assets: - - dir: optional/metrics-server/ - no_clean: True - src: cluster-monitoring-operator/assets/metrics-server/ - files: - - file: 00-namespace.yaml - ignore: "Provided by MicroShift" - - file: 01-service-account.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role.yaml - ignore: "Provided by MicroShift" - - file: 01-cluster-role-binding.yaml - ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert" - - file: 01-cluster-role-binding-auth-delegator.yaml - ignore: "Provided by MicroShift" - - file: 01-role-binding-auth-reader.yaml - ignore: "Provided by MicroShift" - - file: 02-configmap-audit-profiles.yaml - ignore: "Provided by MicroShift" - - file: 03-deployment.yaml - ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes" - - file: 04-service.yaml - ignore: "MicroShift uses service-ca annotation for serving cert" - - file: 04-api-service.yaml - ignore: "Provided by MicroShift" - - file: kustomization.yaml - ignore: "Provided by MicroShift" - - file: kustomization.x86_64.yaml - ignore: "Provided by MicroShift" - - file: kustomization.aarch64.yaml - ignore: "Provided by MicroShift" - - file: release-metrics-server-aarch64.json - ignore: "Provided by MicroShift" - - file: release-metrics-server-x86_64.json - ignore: "Provided by MicroShift" diff --git a/scripts/auto-rebase/presubmit.py b/scripts/auto-rebase/presubmit.py index 3a98d94158..ea3f6199b4 100755 --- a/scripts/auto-rebase/presubmit.py +++ b/scripts/auto-rebase/presubmit.py @@ -29,7 +29,7 @@ "./scripts/auto-rebase/assets_ai_model_serving.yaml", "./scripts/auto-rebase/assets_cert_manager.yaml", "./scripts/auto-rebase/assets_sriov.yaml", - "./scripts/auto-rebase/assets_metrics.yaml", + "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml", ] diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh index f7ab20f106..1bcdb6cae5 100755 --- a/scripts/auto-rebase/rebase.sh 
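Review bot: The list entry in presubmit.py now points at `./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml`, but this commit's diffstat only deletes `assets_metrics.yaml` and modifies `presubmit.py` and `rebase.sh`; the new asset file appears to arrive in PATCH 15/18. If so, the presubmit check references a missing file at this commit, which breaks bisecting through the series. Either move this one-line change into the commit that adds the asset file or add the file here. The enclosing list starts outside the hunk.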
+++ b/scripts/auto-rebase/rebase.sh @@ -38,7 +38,6 @@ REBASE_USE_SSH="${REBASE_USE_SSH:-false}" EMBEDDED_COMPONENTS="route-controller-manager cluster-policy-controller hyperkube etcd kube-storage-version-migrator cluster-config-api" EMBEDDED_COMPONENT_OPERATORS="cluster-kube-apiserver-operator cluster-kube-controller-manager-operator cluster-openshift-controller-manager-operator cluster-kube-scheduler-operator machine-config-operator operator-lifecycle-manager" LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator service-ca-operator cluster-network-operator cluster-csi-snapshot-controller-operator" -OPTIONAL_COMPONENTS="cluster-monitoring-operator" declare -a ARCHS=("amd64" "arm64") declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) @@ -201,7 +200,7 @@ download_release() { component=$(echo "${line}" | cut -d ' ' -f 1) repo=$(echo "${line}" | cut -d ' ' -f 2) commit=$(echo "${line}" | cut -d ' ' -f 3) - if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]] || [[ "${OPTIONAL_COMPONENTS}" == *"${component}"* ]]; then + if [[ "${EMBEDDED_COMPONENTS}" == *"${component}"* ]] || [[ "${LOADED_COMPONENTS}" == *"${component}"* ]] || [[ "${EMBEDDED_COMPONENT_OPERATORS}" == *"${component}"* ]]; then clone_repo "${repo}" "${commit}" "." echo "${repo} embedded-component ${commit}" >> "${new_commits_file}" echo @@ -664,6 +663,7 @@ copy_manifests() { "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets.yaml" } + # Updates embedded component manifests by gathering these from various places # in the staged repos and copying them into the asset directory. update_openshift_manifests() { @@ -921,7 +921,6 @@ EOF update_olm_images update_multus_images - update_metrics_images popd >/dev/null } 
@@ -1112,93 +1111,6 @@ EOF done # for goarch } -update_metrics_images() { - title "Rebasing metrics component images" - - # Maps kustomization image name -> OCP release tag name - declare -A METRICS_IMAGE_MAP=( - ["quay.io/openshift/kube-metrics-server"]="kube-metrics-server" - ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics" - ["quay.io/openshift/node-exporter"]="prometheus-node-exporter" - ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy" - ) - - # Maps component dir -> release JSON key -> OCP release tag name - declare -A METRICS_COMPONENT_JSON_KEY=( - ["metrics-server"]="metrics_server" - ["kube-state-metrics"]="kube_state_metrics" - ["node-exporter"]="node_exporter" - ) - - # Maps release JSON key -> OCP release tag name - declare -A METRICS_EXPORTER_JSON_MAP=( - ["metrics_server"]="kube-metrics-server" - ["kube_state_metrics"]="kube-state-metrics" - ["node_exporter"]="prometheus-node-exporter" - ) - - for goarch in amd64 arm64; do - arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} - - local release_file="${STAGING_DIR}/release_${goarch}.json" - - local base_release - base_release=$(jq -r ".metadata.version" "${release_file}") - - # Generate per-component release JSON and kustomization files - for component_dir in metrics-server kube-state-metrics node-exporter; do - [[ -d "${REPOROOT}/assets/optional/${component_dir}" ]] || continue - - # Generate per-component release JSON - local json_key="${METRICS_COMPONENT_JSON_KEY[$component_dir]}" - local release_tag="${METRICS_EXPORTER_JSON_MAP[$json_key]}" - local new_image - new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") - if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then - >&2 echo "ERROR: Release tag '${release_tag}' not found in payload for ${component_dir}" - return 1 - fi - local component_release_json="${REPOROOT}/assets/optional/${component_dir}/release-${component_dir}-${arch}.json" - jq -n --arg base 
"$base_release" --arg img "${new_image}" \ - "{\"release\": {\"base\": \$base}, \"images\": {\"${json_key}\": \$img}}" > "${component_release_json}" - - local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml" - - cat < "${kustomization_arch_file}" -images: -EOF - - # Read image names from the base kustomization and deployment/daemonset - local image_names - image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ - | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) - - for orig_image in ${image_names}; do - local release_tag="${METRICS_IMAGE_MAP[$orig_image]:-}" - if [[ -z "${release_tag}" ]]; then - >&2 echo "ERROR: Unknown metrics image '${orig_image}' in ${component_dir}" - return 1 - fi - - local new_image - new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") - if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then - >&2 echo "ERROR: Image for release tag '${release_tag}' not found in payload for ${component_dir}" - return 1 - fi - local new_image_name="${new_image%@*}" - local new_image_digest="${new_image#*@}" - - cat <> "${kustomization_arch_file}" - - name: ${orig_image} - newName: ${new_image_name} - digest: ${new_image_digest} -EOF - done - done - done -} - update_olm_images() { title "Rebasing operator-lifecycle-manager manifests" From 2f1c37405b1fae38c9dc588a69dbe00a7fcb55d2 Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 12:18:24 -0500 Subject: [PATCH 15/18] USHIFT-6951: add standalone cluster-monitoring-operator rebase script Add rebase_cluster_monitoring_operator.sh and its asset manifest for rebasing metrics exporters from the cluster-monitoring-operator repo. The script handles download, manifest copy, and image updates for all three exporters, keyed on which asset directories exist on the branch. 
Signed-off-by: Jonathan H. Cope
---
.../assets_cluster_monitoring_operator.yaml | 35 ++
.../rebase_cluster_monitoring_operator.sh | 319 ++++++++++++++++++
2 files changed, 354 insertions(+)
create mode 100644 scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
create mode 100755 scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
diff --git a/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
new file mode 100644
index 0000000000..7fecda282e
--- /dev/null
+++ b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
@@ -0,0 +1,35 @@
+assets:
+ - dir: optional/metrics-server/
+ no_clean: True
+ src: cluster-monitoring-operator/assets/metrics-server/
+ files:
+ - file: 00-namespace.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-service-account.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-cluster-role-binding.yaml
+ ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert"
+ - file: 01-cluster-role-binding-auth-delegator.yaml
+ ignore: "Provided by MicroShift"
+ - file: 01-role-binding-auth-reader.yaml
+ ignore: "Provided by MicroShift"
+ - file: 02-configmap-audit-profiles.yaml
+ ignore: "Provided by MicroShift"
+ - file: 03-deployment.yaml
+ ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes"
+ - file: 04-service.yaml
+ ignore: "MicroShift uses service-ca annotation for serving cert"
+ - file: 04-api-service.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.x86_64.yaml
+ ignore: "Provided by MicroShift"
+ - file: kustomization.aarch64.yaml
+ ignore: "Provided by MicroShift"
+ - file: release-metrics-server-aarch64.json
+ ignore: "Provided by MicroShift"
+ - file: release-metrics-server-x86_64.json
+ ignore: "Provided by MicroShift"
diff --git a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
new file mode 100755
index 0000000000..0b039ce108
--- /dev/null
+++ b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
@@ -0,0 +1,319 @@ +#!/usr/bin/env bash +# shellcheck disable=all +# Copyright 2022 The MicroShift authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o errexit +set -o errtrace +set -o nounset +set -o pipefail + +shopt -s expand_aliases +shopt -s extglob + +#debugging options +#trap 'echo "#L$LINENO: $BASH_COMMAND" >&2' DEBUG +#set -xo functrace +#PS4='+ $LINENO ' +REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")" +STAGING_DIR="$REPOROOT/_output/staging" +PULL_SECRET_FILE="${HOME}/.pull-secret.json" +REBASE_USE_SSH="${REBASE_USE_SSH:-false}" + +declare -a ARCHS=("amd64" "arm64") +declare -A GOARCH_TO_UNAME_MAP=( ["amd64"]="x86_64" ["arm64"]="aarch64" ) + +# Maps kustomization image name -> OCP release tag name +declare -A IMAGE_MAP=( + ["quay.io/openshift/kube-metrics-server"]="kube-metrics-server" + ["quay.io/openshift/kube-state-metrics"]="kube-state-metrics" + ["quay.io/openshift/node-exporter"]="prometheus-node-exporter" + ["quay.io/openshift/kube-rbac-proxy"]="kube-rbac-proxy" +) + +# Maps component dir -> release JSON key +declare -A COMPONENT_JSON_KEY=( + ["metrics-server"]="metrics_server" + ["kube-state-metrics"]="kube_state_metrics" + ["node-exporter"]="node_exporter" +) + +# Maps release JSON key -> OCP release tag name +declare -A EXPORTER_TAG_MAP=( + ["metrics_server"]="kube-metrics-server" + ["kube_state_metrics"]="kube-state-metrics" + ["node_exporter"]="prometheus-node-exporter" +) + +title() { + echo -e "\E[34m$1\E[00m"; 
+} + +retry_cmd() { + local -r max_attempts=5 + local timeout=1 + local attempt=1 + local exit_code=0 + + while (( attempt <= max_attempts )); do + if "$@"; then + return 0 + else + exit_code=$? + fi + echo "Attempt ${attempt} of ${max_attempts} failed (exit code ${exit_code}). Retrying in ${timeout}s..." + sleep "${timeout}" + attempt=$(( attempt + 1 )) + timeout=$(( timeout * 2 )) + done + + echo "Command failed after ${max_attempts} attempts: $@" + return "${exit_code}" +} + +check_preconditions() { + if ! hash yq; then + title "Installing yq" + sudo DEST_DIR=/usr/bin/ "${REPOROOT}/scripts/fetch_tools.sh" yq + fi + + if ! hash python3; then + echo "ERROR: python3 is not present on the system - please install" + exit 1 + fi + + if ! python3 -c "import yaml"; then + echo "ERROR: missing python's yaml library - please install" + exit 1 + fi +} + +clone_repo() { + local repo="$1" + local commit="$2" + local destdir="$3" + + local repodir="${destdir}/${repo##*/}" + + if [[ -d "${repodir}" ]]; then + return + fi + + if "${REBASE_USE_SSH}"; then + repo="git@github.com:${repo#https://github.com/}" + fi + + git init "${repodir}" + pushd "${repodir}" >/dev/null + git remote add origin "${repo}" + retry_cmd git fetch origin --quiet --filter=tree:0 --tags "${commit}" + git checkout "${commit}" + popd >/dev/null +} + +download_cluster_monitoring_operator() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + rm -rf "${STAGING_DIR}" + mkdir -p "${STAGING_DIR}" + pushd "${STAGING_DIR}" >/dev/null + + local authentication="" + if [[ -f "${PULL_SECRET_FILE}" ]]; then + authentication="-a ${PULL_SECRET_FILE}" + else + >&2 echo "Warning: no pull secret found at ${PULL_SECRET_FILE}" + fi + + title "# Fetching release info for ${release_image_amd64} (amd64)" + oc adm release info ${authentication} "${release_image_amd64}" -o json > release_amd64.json + title "# Fetching release info for ${release_image_arm64} (arm64)" + oc adm release info ${authentication} 
"${release_image_arm64}" -o json > release_arm64.json + + title "# Extracting cluster-monitoring-operator source commit" + cat release_amd64.json \ + | jq -r '.references.spec.tags[] | "\(.name) \(.annotations."io.openshift.build.source-location") \(.annotations."io.openshift.build.commit.id")"' > source-commits + + local cmo_line + cmo_line=$(grep '^cluster-monitoring-operator ' source-commits) || { + >&2 echo "ERROR: cluster-monitoring-operator not found in release payload" + return 1 + } + + local repo commit + repo=$(echo "${cmo_line}" | cut -d ' ' -f 2) + commit=$(echo "${cmo_line}" | cut -d ' ' -f 3) + + title "# Cloning cluster-monitoring-operator at ${commit}" + clone_repo "${repo}" "${commit}" "." + + popd >/dev/null +} + +update_node_exporter_manifests() { + [[ -d "${REPOROOT}/assets/optional/node-exporter" ]] || return 0 + + title "Rebasing node-exporter manifests" + + local ne_ds="${REPOROOT}/assets/optional/node-exporter/03-daemonset.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ne_ds" + yq -i '.spec.template.spec.initContainers[0].image = "quay.io/openshift/node-exporter"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--secure-listen-address="))) |= "--secure-listen-address=0.0.0.0:9100"' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ne_ds" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ne_ds" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ne_ds" + yq -i 
'.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ne_ds" + + yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "node-exporter-tls")).readOnly = true' "$ne_ds" + + local ne_secret="${REPOROOT}/assets/optional/node-exporter/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ne_secret" +} + +update_cluster_monitoring_operator_images() { + title "Rebasing metrics component images" + + for goarch in amd64 arm64; do + local arch=${GOARCH_TO_UNAME_MAP["${goarch}"]:-noarch} + local release_file="${STAGING_DIR}/release_${goarch}.json" + + local base_release + base_release=$(jq -r ".metadata.version" "${release_file}") + + for component_dir in metrics-server kube-state-metrics node-exporter; do + [[ -d "${REPOROOT}/assets/optional/${component_dir}" ]] || continue + + local json_key="${COMPONENT_JSON_KEY[$component_dir]}" + local release_tag="${EXPORTER_TAG_MAP[$json_key]}" + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local component_release_json="${REPOROOT}/assets/optional/${component_dir}/release-${component_dir}-${arch}.json" + jq -n --arg base "$base_release" --arg img "${new_image}" \ + "{\"release\": {\"base\": \$base}, \"images\": {\"${json_key}\": \$img}}" > "${component_release_json}" + + local kustomization_arch_file="${REPOROOT}/assets/optional/${component_dir}/kustomization.${arch}.yaml" + + cat < "${kustomization_arch_file}" +images: +EOF + + local image_names + image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ + | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) + + for orig_image in ${image_names}; do + local 
release_tag="${IMAGE_MAP[$orig_image]:-}" + if [[ -z "${release_tag}" ]]; then + >&2 echo "ERROR: Unknown metrics image '${orig_image}' in ${component_dir}" + return 1 + fi + + local new_image + new_image=$(jq -r ".references.spec.tags[] | select(.name == \"${release_tag}\") | .from.name" "${release_file}") + if [[ -z "${new_image}" || "${new_image}" == "null" ]]; then + >&2 echo "ERROR: Image for release tag '${release_tag}' not found in payload for ${component_dir}" + return 1 + fi + local new_image_name="${new_image%@*}" + local new_image_digest="${new_image#*@}" + + cat <> "${kustomization_arch_file}" + - name: ${orig_image} + newName: ${new_image_name} + digest: ${new_image_digest} +EOF + done + done + done +} + +copy_manifests() { + title "Copying manifests" + "$REPOROOT/scripts/auto-rebase/handle_assets.py" "./scripts/auto-rebase/assets_cluster_monitoring_operator.yaml" +} + +update_last_rebase() { + local release_image_amd64="$1" + local release_image_arm64="$2" + + title "## Updating last_rebase_cluster_monitoring_operator.sh" + + local last_rebase_script="${REPOROOT}/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh" + + rm -f "${last_rebase_script}" + cat - >"${last_rebase_script}" < Date: Fri, 19 Jun 2026 12:36:23 -0500 Subject: [PATCH 16/18] update last_rebase_cluster_monitoring_operator.sh --- scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh | 2 ++ 1 file changed, 2 insertions(+) create mode 100755 scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh diff --git a/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh new file mode 100755 index 0000000000..f61200df82 --- /dev/null +++ b/scripts/auto-rebase/last_rebase_cluster_monitoring_operator.sh 
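Review bot: In update_cluster_monitoring_operator_images the payload reference is only checked for being empty or `null` before it is split on `@`, so a reference that is not digest-pinned would be written to kustomization.${arch}.yaml with the whole string as both `newName` and `digest`. These generated files decide which images MicroShift pulls, so the loop should refuse anything that is not a digest reference, e.g. `[[ "${new_image}" == *@sha256:* ]] || { >&2 echo "ERROR: '${new_image}' is not digest-pinned"; return 1; }` before `new_image_name` is computed. The same check belongs on the earlier `new_image` that is written to release-${component_dir}-${arch}.json. Separately, `# shellcheck disable=all` at the top of the file switches off linting for a script that calls `sudo` and `rm -rf "${STAGING_DIR}"`; listing only the codes that really need suppressing would keep findings such as the unquoted `${authentication}` visible.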
@@ -0,0 +1,2 @@
+#!/bin/bash -x
+./scripts/auto-rebase/rebase_cluster_monitoring_operator.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-06-19-155631" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-06-19-154904"
From 12015f38c9bb90d446ecdd143ac0f18e5dbb5fe9 Mon Sep 17 00:00:00 2001
From: "Jonathan H. Cope"
Date: Fri, 19 Jun 2026 16:42:46 -0500
Subject: [PATCH 17/18] to simply merging of the components the CMO rebase script is now identical across the 3 PRs
Signed-off-by: Jonathan H. Cope
---
.../assets_cluster_monitoring_operator.yaml | 32 +++++-----
.../rebase_cluster_monitoring_operator.sh | 58 ++++++++++++++++++-
2 files changed, 74 insertions(+), 16 deletions(-)
diff --git a/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
index 7fecda282e..9a86ad1eac 100644
--- a/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
+++ b/scripts/auto-rebase/assets_cluster_monitoring_operator.yaml
@@ -4,32 +4,34 @@ assets:
 src: cluster-monitoring-operator/assets/metrics-server/
 files:
 - file: 00-namespace.yaml
- ignore: "Provided by MicroShift"
+ ignore: "MicroShift-specific, no upstream equivalent"
+ git_restore: True
 - file: 01-service-account.yaml
- ignore: "Provided by MicroShift"
+ src: service-account.yaml
 - file: 01-cluster-role.yaml
- ignore: "Provided by MicroShift"
+ src: cluster-role.yaml
 - file: 01-cluster-role-binding.yaml
- ignore: "MicroShift adds User: system:metrics-server subject for dedicated kubelet client cert"
+ src: cluster-role-binding.yaml
 - file: 01-cluster-role-binding-auth-delegator.yaml
- ignore: "Provided by MicroShift"
+ src: cluster-role-binding-auth-delegator.yaml
 - file: 01-role-binding-auth-reader.yaml
- ignore: "Provided by MicroShift"
+ src: role-binding-auth-reader.yaml
 - file: 02-configmap-audit-profiles.yaml
- ignore: "Provided by MicroShift"
+ src: configmap-audit-profiles.yaml
 - file: 03-deployment.yaml
- ignore: "MicroShift customizes replicas, strategy, image placeholder, and cert volumes"
+ src: deployment.yaml
 - file: 04-service.yaml
- ignore: "MicroShift uses service-ca annotation for serving cert"
+ src: service.yaml
 - file: 04-api-service.yaml
- ignore: "Provided by MicroShift"
+ src: api-service.yaml
 - file: kustomization.yaml
- ignore: "Provided by MicroShift"
+ ignore: "MicroShift-specific kustomization"
+ git_restore: True
 - file: kustomization.x86_64.yaml
- ignore: "Provided by MicroShift"
+ ignore: "gets generated during image rebase"
 - file: kustomization.aarch64.yaml
- ignore: "Provided by MicroShift"
+ ignore: "gets generated during image rebase"
 - file: release-metrics-server-aarch64.json
- ignore: "Provided by MicroShift"
+ ignore: "gets generated during image rebase"
 - file: release-metrics-server-x86_64.json
- ignore: "Provided by MicroShift"
+ ignore: "gets generated during image rebase"
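Review bot: Switching `03-deployment.yaml` and `04-service.yaml` from `ignore:` to `src:` drops the only record of why MicroShift diverged there. The removed strings named cert volumes and the service-ca serving-cert annotation, and neither is among the yq patches in update_metrics_server_manifests later in this patch. The executed rebase at the end of the series shows only formatting changes to the deployment and does not touch the service, so upstream presumably matches today. A later upstream change to how the serving certificate is provisioned would still be copied in with no signal. I would keep the intent next to the entry, e.g. `# relies on upstream carrying the service-ca serving-cert annotation` above `src: service.yaml`, and have the rebase script fail when that annotation is missing after the copy.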
diff --git a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
index 0b039ce108..be1124f04e 100755
--- a/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
+++ b/scripts/auto-rebase/rebase_cluster_monitoring_operator.sh
@@ -163,6 +163,58 @@ download_cluster_monitoring_operator() { popd >/dev/null } +update_metrics_server_manifests() { + [[ -d "${REPOROOT}/assets/optional/metrics-server" ]] || return 0 + + title "Rebasing metrics-server manifests" + + local ms_crb="${REPOROOT}/assets/optional/metrics-server/01-cluster-role-binding.yaml" + yq -i '.subjects += [{"kind": "User", "name": "system:metrics-server"}]' "$ms_crb" + + local ms_deploy="${REPOROOT}/assets/optional/metrics-server/03-deployment.yaml" + yq -i '.spec.replicas = 1' "$ms_deploy" + yq -i '.spec.strategy = {"type": "Recreate"}' "$ms_deploy" + yq -i 'del(.spec.template.spec.affinity)' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-metrics-server"' "$ms_deploy" + yq -i '.spec.template.spec.containers[0].securityContext.capabilities.drop = ["ALL"]' "$ms_deploy" +} + +update_kube_state_metrics_manifests() { + [[ -d "${REPOROOT}/assets/optional/kube-state-metrics" ]] || return 0 + + title "Rebasing kube-state-metrics manifests" + + local ksm_deploy="${REPOROOT}/assets/optional/kube-state-metrics/03-deployment.yaml" + + yq -i '.spec.template.spec.containers[0].image = "quay.io/openshift/kube-state-metrics"' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].image = "quay.io/openshift/kube-rbac-proxy"' "$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].securityContext = {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true}' "$ksm_deploy" + yq -i '.spec.template.spec.securityContext = {"runAsNonRoot": true}' 
"$ksm_deploy" + + yq -i '.spec.template.spec.containers[0].resources.limits = {"cpu": "100m", "memory": "200Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].resources.limits = {"cpu": "20m", "memory": "40Mi"}' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "kube-state-metrics-tls")).readOnly = true' "$ksm_deploy" + + yq -i '(.spec.template.spec.containers[1].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i '(.spec.template.spec.containers[2].args[] | select(test("--client-ca-file="))) |= "--client-ca-file=/etc/tls/client-ca/ca.crt"' "$ksm_deploy" + yq -i 'del(.spec.template.spec.volumes[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.volumes += [{"hostPath": {"path": "/var/lib/microshift/certs/admin-kubeconfig-signer/ca.crt", "type": "File"}, "name": "admin-kubeconfig-signer-ca"}]' "$ksm_deploy" + yq -i 'del(.spec.template.spec.containers[1].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i 'del(.spec.template.spec.containers[2].volumeMounts[] | select(.name == "metrics-client-ca"))' "$ksm_deploy" + yq -i '.spec.template.spec.containers[1].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + yq -i '.spec.template.spec.containers[2].volumeMounts += [{"mountPath": "/etc/tls/client-ca/ca.crt", "name": "admin-kubeconfig-signer-ca", "readOnly": true}]' "$ksm_deploy" + + local ksm_secret="${REPOROOT}/assets/optional/kube-state-metrics/02-kube-rbac-proxy-secret.yaml" + sed -i '/"user":/,/"name":/d' "$ksm_secret" +} + update_node_exporter_manifests() { [[ -d 
"${REPOROOT}/assets/optional/node-exporter" ]] || return 0 @@ -221,7 +273,7 @@ EOF local image_names image_names=$(grep -h 'image:' "${REPOROOT}/assets/optional/${component_dir}/"*.yaml 2>/dev/null \ - | sed 's/.*image: *//; s/:.*//; s/@.*//' | sort -u) + | sed 's/.*image: *//; s/"//g; s/:.*//; s/@.*//' | sort -u | grep -v '^$') for orig_image in ${image_names}; do local release_tag="${IMAGE_MAP[$orig_image]:-}" @@ -282,6 +334,8 @@ rebase_cluster_monitoring_operator_to() { local release_image_arm64="$2" download_cluster_monitoring_operator "${release_image_amd64}" "${release_image_arm64}" copy_manifests + update_metrics_server_manifests + update_kube_state_metrics_manifests update_node_exporter_manifests update_cluster_monitoring_operator_images update_last_rebase "${release_image_amd64}" "${release_image_arm64}" @@ -313,6 +367,8 @@ case "$command" in ;; manifests) copy_manifests + update_metrics_server_manifests + update_kube_state_metrics_manifests update_node_exporter_manifests ;; *) usage;; From e6f9dc8931e98d247cc6ba4912847ede750be23f Mon Sep 17 00:00:00 2001 From: "Jonathan H. Cope" Date: Fri, 19 Jun 2026 16:43:37 -0500 Subject: [PATCH 18/18] executed rebase script Signed-off-by: Jonathan H. Cope --- .../01-cluster-role-binding.yaml | 10 +- .../02-configmap-audit-profiles.yaml | 56 +++---- .../metrics-server/03-deployment.yaml | 152 +++++++++--------- .../metrics-server/kustomization.aarch64.yaml | 2 +- .../metrics-server/kustomization.x86_64.yaml | 2 +- .../release-metrics-server-aarch64.json | 4 +- .../release-metrics-server-x86_64.json | 4 +- 7 files changed, 115 insertions(+), 115 deletions(-) diff --git a/assets/optional/metrics-server/01-cluster-role-binding.yaml b/assets/optional/metrics-server/01-cluster-role-binding.yaml index 8a32b85158..0bf14bd3e2 100644 --- a/assets/optional/metrics-server/01-cluster-role-binding.yaml +++ b/assets/optional/metrics-server/01-cluster-role-binding.yaml 
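Review bot: update_kube_state_metrics_manifests replaces each container's `securityContext` outright with `= {...}`, so anything upstream sets there is discarded and the three containers end up without `capabilities.drop`, whereas update_metrics_server_manifests just above only sets `.securityContext.capabilities.drop = ["ALL"]` on top of upstream. Adding `yq -i '.spec.template.spec.containers[].securityContext.capabilities.drop = ["ALL"]' "$ksm_deploy"` after the three assignments would bring the two functions in line; setting the individual fields instead of the whole map would also stop a later upstream hardening from being overwritten. The patches address containers by index (`containers[0]`, `[1]`, `[2]`), so a reordering upstream would apply the image placeholders and limits to the wrong container without an error; selecting by container name would fail loudly instead. The `sed -i '/"user":/,/"name":/d'` on the kube-rbac-proxy secret, together with the switch of `--client-ca-file` to the admin-kubeconfig-signer CA, changes who can pass the proxy, and the secret itself is not shown here, so a comment such as `# drop the static user match; any client cert signed by admin-kubeconfig-signer is accepted` (if that is the intent) should sit above it.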
@@ -11,8 +11,8 @@ roleRef: kind: ClusterRole name: system:metrics-server subjects: -- kind: ServiceAccount - name: metrics-server - namespace: openshift-monitoring -- kind: User - name: system:metrics-server + - kind: ServiceAccount + name: metrics-server + namespace: openshift-monitoring + - kind: User + name: system:metrics-server diff --git a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml index 1d8761e393..1cff598a6d 100644 --- a/assets/optional/metrics-server/02-configmap-audit-profiles.yaml +++ b/assets/optional/metrics-server/02-configmap-audit-profiles.yaml @@ -1,41 +1,41 @@ apiVersion: v1 data: metadata-profile.yaml: |- - apiVersion: "audit.k8s.io/v1" - kind: "Policy" - metadata: - name: "Metadata" - omitStages: + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "Metadata" + "omitStages": - "RequestReceived" - rules: - - level: "Metadata" + "rules": + - "level": "Metadata" none-profile.yaml: |- - apiVersion: "audit.k8s.io/v1" - kind: "Policy" - metadata: - name: "None" - omitStages: + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "None" + "omitStages": - "RequestReceived" - rules: - - level: "None" + "rules": + - "level": "None" request-profile.yaml: |- - apiVersion: "audit.k8s.io/v1" - kind: "Policy" - metadata: - name: "Request" - omitStages: + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "Request" + "omitStages": - "RequestReceived" - rules: - - level: "Request" + "rules": + - "level": "Request" requestresponse-profile.yaml: |- - apiVersion: "audit.k8s.io/v1" - kind: "Policy" - metadata: - name: "RequestResponse" - omitStages: + "apiVersion": "audit.k8s.io/v1" + "kind": "Policy" + "metadata": + "name": "RequestResponse" + "omitStages": - "RequestReceived" - rules: - - level: "RequestResponse" + "rules": + - "level": "RequestResponse" kind: ConfigMap metadata: labels: 
diff --git a/assets/optional/metrics-server/03-deployment.yaml b/assets/optional/metrics-server/03-deployment.yaml index 23cdafb3e1..1830ee8fc2 100644 --- a/assets/optional/metrics-server/03-deployment.yaml +++ b/assets/optional/metrics-server/03-deployment.yaml 
@@ -28,87 +28,87 @@ spec: app.kubernetes.io/part-of: openshift-monitoring spec: containers: - - args: - - --secure-port=10250 - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=15s - - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt - - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt - - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key - - --tls-cert-file=/etc/tls/private/tls.crt - - --tls-private-key-file=/etc/tls/private/tls.key - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - --shutdown-send-retry-after=true - - --shutdown-delay-duration=150s - - --disable-http2-serving=true - image: quay.io/openshift/kube-metrics-server - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /livez - port: https - scheme: HTTPS - periodSeconds: 10 - name: metrics-server - ports: - - containerPort: 10250 - name: https - protocol: TCP - readinessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 20 - resources: - requests: - cpu: 1m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /etc/tls/private - name: secret-metrics-server-tls - - mountPath: /etc/tls/metrics-server-client-certs - name: secret-metrics-server-client-certs - - mountPath: /etc/tls/kubelet-serving-ca-bundle - name: configmap-kubelet-serving-ca-bundle - - mountPath: /etc/audit - name: metrics-server-audit-profiles - readOnly: true - - mountPath: 
/var/log/metrics-server - name: audit-log - readOnly: false + - args: + - --secure-port=10250 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --kubelet-certificate-authority=/etc/tls/kubelet-serving-ca-bundle/ca-bundle.crt + - --kubelet-client-certificate=/etc/tls/metrics-server-client-certs/tls.crt + - --kubelet-client-key=/etc/tls/metrics-server-client-certs/tls.key + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - --shutdown-send-retry-after=true + - --shutdown-delay-duration=150s + - --disable-http2-serving=true + image: "quay.io/openshift/kube-metrics-server" + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + name: metrics-server + ports: + - containerPort: 10250 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 20 + resources: + requests: + cpu: 1m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/tls/private + name: secret-metrics-server-tls + - mountPath: /etc/tls/metrics-server-client-certs + name: secret-metrics-server-client-certs + - mountPath: /etc/tls/kubelet-serving-ca-bundle + name: configmap-kubelet-serving-ca-bundle + - mountPath: /etc/audit + name: metrics-server-audit-profiles + readOnly: true + - mountPath: /var/log/metrics-server + name: audit-log + 
readOnly: false nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical serviceAccountName: metrics-server terminationGracePeriodSeconds: 170 tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/master volumes: - - name: secret-metrics-server-client-certs - secret: - secretName: metrics-server-client-certs - - name: secret-metrics-server-tls - secret: - secretName: metrics-server-tls - - configMap: - name: kubelet-serving-ca-bundle - name: configmap-kubelet-serving-ca-bundle - - emptyDir: {} - name: audit-log - - configMap: + - name: secret-metrics-server-client-certs + secret: + secretName: metrics-server-client-certs + - name: secret-metrics-server-tls + secret: + secretName: metrics-server-tls + - configMap: + name: kubelet-serving-ca-bundle + name: configmap-kubelet-serving-ca-bundle + - emptyDir: {} + name: audit-log + - configMap: + name: metrics-server-audit-profiles name: metrics-server-audit-profiles - name: metrics-server-audit-profiles diff --git a/assets/optional/metrics-server/kustomization.aarch64.yaml b/assets/optional/metrics-server/kustomization.aarch64.yaml index 694213e29a..0a79cdb357 100644 --- a/assets/optional/metrics-server/kustomization.aarch64.yaml +++ b/assets/optional/metrics-server/kustomization.aarch64.yaml @@ -1,4 +1,4 @@ images: - name: quay.io/openshift/kube-metrics-server newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:80743f7b701994e9bffcdbccccf31815d506a322bacd6edf16b4dcd01d3686ba + digest: sha256:790dcea1d4cf5eb3a989bf3d14d460148d23a743951644668a300b7fc21f29ec diff --git a/assets/optional/metrics-server/kustomization.x86_64.yaml b/assets/optional/metrics-server/kustomization.x86_64.yaml index b770c95d2d..49529cad12 100644 --- a/assets/optional/metrics-server/kustomization.x86_64.yaml +++ b/assets/optional/metrics-server/kustomization.x86_64.yaml 
@@ -1,4 +1,4 @@ images: - name: quay.io/openshift/kube-metrics-server newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cabd43c39e5bcc2f8326e5db8e0a91ddae4cfcd2e206ff18c49df934346f8014 + digest: sha256:0590e13d7955f71db964f601f5ce6c66416a1e2e5acee5c2831f41fb2b13435c diff --git a/assets/optional/metrics-server/release-metrics-server-aarch64.json b/assets/optional/metrics-server/release-metrics-server-aarch64.json index 6009b817b9..c12ffcbb53 100644 --- a/assets/optional/metrics-server/release-metrics-server-aarch64.json +++ b/assets/optional/metrics-server/release-metrics-server-aarch64.json @@ -1,8 +1,8 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-06-14-225436" + "base": "5.0.0-0.nightly-arm64-2026-06-19-154904" }, "images": { - "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:80743f7b701994e9bffcdbccccf31815d506a322bacd6edf16b4dcd01d3686ba" + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:790dcea1d4cf5eb3a989bf3d14d460148d23a743951644668a300b7fc21f29ec" } } diff --git a/assets/optional/metrics-server/release-metrics-server-x86_64.json b/assets/optional/metrics-server/release-metrics-server-x86_64.json index d64aab1619..57ab6cbd6a 100644 --- a/assets/optional/metrics-server/release-metrics-server-x86_64.json +++ b/assets/optional/metrics-server/release-metrics-server-x86_64.json @@ -1,8 +1,8 @@ { "release": { - "base": "5.0.0-0.nightly-2026-06-14-221055" + "base": "5.0.0-0.nightly-2026-06-19-155631" }, "images": { - "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cabd43c39e5bcc2f8326e5db8e0a91ddae4cfcd2e206ff18c49df934346f8014" + "metrics_server": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0590e13d7955f71db964f601f5ce6c66416a1e2e5acee5c2831f41fb2b13435c" } }