Merge pull request #30863 from smg247/non-payload-ote

TRT-2295: admit and extract non-payload OTE binaries

Author: openshift-merge-bot[bot]

cmd/openshift-tests/openshift-tests.go

@@ -23,6 +23,7 @@ import (
 	"github.com/openshift/origin/pkg/cmd/openshift-tests/dev"
 	"github.com/openshift/origin/pkg/cmd/openshift-tests/disruption"
 	e2e_analysis "github.com/openshift/origin/pkg/cmd/openshift-tests/e2e-analysis"
+	extensionadmission "github.com/openshift/origin/pkg/cmd/openshift-tests/extension-admission"
 	"github.com/openshift/origin/pkg/cmd/openshift-tests/images"
 	"github.com/openshift/origin/pkg/cmd/openshift-tests/list"
 	"github.com/openshift/origin/pkg/cmd/openshift-tests/monitor"
@@ -112,6 +113,7 @@ func main() {
 		timeline.NewTimelineCommand(ioStreams),
 		run_disruption.NewRunInClusterDisruptionMonitorCommand(ioStreams),
 		collectdiskcertificates.NewRunCollectDiskCertificatesCommand(ioStreams),
+		extensionadmission.NewExtensionAdmissionCommand(ioStreams),
 		versioncmd.NewVersionCommand(ioStreams),
 	)
 

pkg/apis/testextension/v1/doc.go

@@ -0,0 +1,5 @@
+// +k8s:deepcopy-gen=package
+
+// Package v1 contains API Schema definitions for the testextension v1 API group
+// +groupName=testextension.redhat.io
+package v1

pkg/apis/testextension/v1/register.go

@@ -0,0 +1,14 @@
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	GroupName = "testextension.redhat.io"
+	Version   = "v1"
+)
+
+var (
+	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
+)

pkg/apis/testextension/v1/types.go

@@ -0,0 +1,44 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TestExtensionAdmission controls which ImageStreams are permitted to provide extension test binaries
+type TestExtensionAdmission struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TestExtensionAdmissionSpec   `json:"spec"`
+	Status TestExtensionAdmissionStatus `json:"status,omitempty"`
+}
+
+// TestExtensionAdmissionSpec defines the desired state of TestExtensionAdmission
+type TestExtensionAdmissionSpec struct {
+	// Permit is a list of permitted ImageStream patterns in format "namespace/imagestream".
+	// Supports wildcards like "openshift/*", "*/*", or specific "namespace/stream"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	Permit []string `json:"permit"`
+}
+
+// TestExtensionAdmissionStatus defines the observed state of TestExtensionAdmission
+type TestExtensionAdmissionStatus struct {
+	// Conditions represent the latest available observations of an object's state
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TestExtensionAdmissionList contains a list of TestExtensionAdmission
+type TestExtensionAdmissionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TestExtensionAdmission `json:"items"`
+}

pkg/cmd/openshift-tests/extension-admission/extension_admission_command.go

@@ -0,0 +1,217 @@
+package extensionadmission
+
+import (
+	_ "embed"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/kubectl/pkg/util/templates"
+	"sigs.k8s.io/yaml"
+
+	testextensionv1 "github.com/openshift/origin/pkg/apis/testextension/v1"
+	"github.com/openshift/origin/pkg/cmd"
+	exutil "github.com/openshift/origin/test/extended/util"
+)
+
+//go:embed testextensionadmission-crd.yaml
+var crdYAML []byte
+
+func NewExtensionAdmissionCommand(ioStreams genericclioptions.IOStreams) *cobra.Command {
+	o := &extensionAdmissionOptions{
+		ioStreams: ioStreams,
+	}
+
+	command := &cobra.Command{
+		Use:   "extension-admission",
+		Short: "Manage TestExtensionAdmission resources",
+		Long: templates.LongDesc(`
+		Manage TestExtensionAdmission resources for controlling which ImageStreams
+		are permitted to provide extension test binaries.
+
+		TestExtensionAdmission acts as an admission controller to determine which
+		ImageStreams are permitted to provide test binaries outside the main
+		OpenShift release payload.
+
+		To list or delete TestExtensionAdmission resources, use standard kubectl/oc commands:
+		  oc get testextensionadmissions
+		  oc delete testextensionadmission <name>
+		`),
+		PersistentPreRun: cmd.NoPrintVersion,
+	}
+
+	command.AddCommand(
+		newInstallCRDCommand(o),
+		newCreateCommand(o),
+	)
+
+	return command
+}
+
+type extensionAdmissionOptions struct {
+	ioStreams genericclioptions.IOStreams
+}
+
+func newInstallCRDCommand(o *extensionAdmissionOptions) *cobra.Command {
+	command := &cobra.Command{
+		Use:   "install-crd",
+		Short: "Install the TestExtensionAdmission CRD",
+		Long: templates.LongDesc(`
+		Install the TestExtensionAdmission CustomResourceDefinition to the cluster.
+
+		This CRD must be installed before creating TestExtensionAdmission instances.
+		`),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return o.installCRD()
+		},
+	}
+
+	return command
+}
+
+func newCreateCommand(o *extensionAdmissionOptions) *cobra.Command {
+	createOpts := &createOptions{
+		extensionAdmissionOptions: o,
+	}
+
+	command := &cobra.Command{
+		Use:   "create NAME --permit=PATTERN [--permit=PATTERN...]",
+		Short: "Create a TestExtensionAdmission resource",
+		Long: templates.LongDesc(`
+		Create a TestExtensionAdmission resource with the specified permit patterns.
+
+		Permit patterns are in the format "namespace/imagestream" and support wildcards:
+		  - "openshift/*" - All ImageStreams in the openshift namespace
+		  - "test-extensions/*" - All ImageStreams in test-extensions namespace
+		  - "my-ns/my-stream" - Specific ImageStream
+		  - "*/*" - All ImageStreams in all namespaces (use with caution)
+
+		Example:
+		  openshift-tests extension-admission create my-admission \
+		    --permit=openshift/* \
+		    --permit=test-extensions/*
+		`),
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			createOpts.name = args[0]
+			return createOpts.create()
+		},
+	}
+
+	command.Flags().StringSliceVar(&createOpts.permits, "permit", nil, "Permit pattern(s) (can be specified multiple times)")
+	command.MarkFlagRequired("permit")
+
+	return command
+}
+
+type createOptions struct {
+	*extensionAdmissionOptions
+	name    string
+	permits []string
+}
+
+func (o *createOptions) create() error {
+	if len(o.permits) == 0 {
+		return fmt.Errorf("at least one --permit pattern is required")
+	}
+
+	// Create the TestExtensionAdmission object
+	admission := &testextensionv1.TestExtensionAdmission{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: testextensionv1.SchemeGroupVersion.String(),
+			Kind:       "TestExtensionAdmission",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: o.name,
+		},
+		Spec: testextensionv1.TestExtensionAdmissionSpec{
+			Permit: o.permits,
+		},
+	}
+
+	// Convert to YAML
+	yamlBytes, err := yaml.Marshal(admission)
+	if err != nil {
+		return fmt.Errorf("failed to marshal TestExtensionAdmission to YAML: %w", err)
+	}
+
+	// Apply using kubectl/oc
+	artifactName := fmt.Sprintf("testextensionadmission-%s.yaml", o.name)
+	if err := o.applyYAML(yamlBytes, artifactName); err != nil {
+		return fmt.Errorf("failed to apply TestExtensionAdmission: %w", err)
+	}
+
+	fmt.Fprintf(o.ioStreams.Out, "TestExtensionAdmission %q created successfully\n", o.name)
+	return nil
+}
+
+func (o *extensionAdmissionOptions) installCRD() error {
+	if err := o.applyYAML(crdYAML, "testextensionadmission-crd.yaml"); err != nil {
+		return fmt.Errorf("failed to install CRD: %w", err)
+	}
+
+	fmt.Fprintln(o.ioStreams.Out, "TestExtensionAdmission CRD installed successfully")
+	return nil
+}
+
+// saveToArtifactDir saves the YAML content to ARTIFACT_DIR if the environment variable is set.
+// This helps with debugging by preserving the applied manifests.
+func saveToArtifactDir(yamlBytes []byte, basename string) {
+	artifactDir := os.Getenv("ARTIFACT_DIR")
+	if artifactDir == "" {
+		return
+	}
+
+	// Create a timestamped filename to avoid collisions
+	timestamp := time.Now().UTC().Format("20060102-150405")
+	filename := fmt.Sprintf("%s-%s", timestamp, basename)
+	artifactPath := filepath.Join(artifactDir, filename)
+
+	if err := os.WriteFile(artifactPath, yamlBytes, 0644); err != nil {
+		// Don't fail the operation, just log the error
+		fmt.Fprintf(os.Stderr, "Warning: Failed to save artifact to %s: %v\n", artifactPath, err)
+		return
+	}
+
+	fmt.Fprintf(os.Stderr, "Saved artifact to %s\n", artifactPath)
+}
+
+func (o *extensionAdmissionOptions) applyYAML(yamlBytes []byte, artifactName string) error {
+	// Write YAML to a temporary file
+	tmpFile, err := os.CreateTemp("", "testextensionadmission-*.yaml")
+	if err != nil {
+		return fmt.Errorf("failed to create temp file: %w", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	if _, err := tmpFile.Write(yamlBytes); err != nil {
+		tmpFile.Close()
+		return fmt.Errorf("failed to write YAML to temp file: %w", err)
+	}
+	tmpFile.Close()
+
+	// Use oc apply via exec.Command
+	ocPath := "oc"
+	kubeconfig := exutil.KubeConfigPath()
+
+	var cmd *exec.Cmd
+	if kubeconfig != "" {
+		cmd = exec.Command(ocPath, "--kubeconfig="+kubeconfig, "apply", "-f", tmpFile.Name())
+	} else {
+		cmd = exec.Command(ocPath, "apply", "-f", tmpFile.Name())
+	}
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("oc apply failed: %w\nOutput: %s", err, string(output))
+	}
+
+	fmt.Fprintf(o.ioStreams.Out, "%s", string(output))
+	saveToArtifactDir(yamlBytes, artifactName)
+	return nil
+}

pkg/cmd/openshift-tests/extension-admission/testextensionadmission-crd.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: testextensionadmissions.testextension.redhat.io
+spec:
+  group: testextension.redhat.io
+  names:
+    kind: TestExtensionAdmission
+    listKind: TestExtensionAdmissionList
+    plural: testextensionadmissions
+    singular: testextensionadmission
+    shortNames:
+      - tea
+  scope: Cluster
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          description: TestExtensionAdmission controls which ImageStreams are permitted to provide extension test binaries
+          properties:
+            spec:
+              type: object
+              description: Specification of permitted ImageStreams
+              properties:
+                permit:
+                  type: array
+                  description: List of permitted ImageStream patterns in format "namespace/imagestream". Each segment must be either "*" (wildcard) or a valid name (no embedded wildcards). Examples - "openshift/*", "*/*", "namespace/stream"
+                  minItems: 1
+                  items:
+                    type: string
+                    pattern: '^(\*|[a-zA-Z0-9]([-_a-zA-Z0-9]*[a-zA-Z0-9])?)/(\*|[a-zA-Z0-9]([-_a-zA-Z0-9]*[a-zA-Z0-9])?)$'
+              required:
+                - permit
+            status:
+              type: object
+              description: Status of the TestExtensionAdmission
+              x-kubernetes-preserve-unknown-fields: true
+      subresources:
+        status: {}

pkg/cmd/openshift-tests/images/images_command.go

@@ -147,7 +147,7 @@ func createImageMirrorForInternalImages(prefix string, ref reference.DockerImage
 		// Extract all test binaries
 		extractionContext, extractionContextCancel := context.WithTimeout(context.Background(), 30*time.Minute)
 		defer extractionContextCancel()
-		cleanUpFn, externalBinaries, err := extensions.ExtractAllTestBinaries(extractionContext, 10)
+		cleanUpFn, externalBinaries, _, err := extensions.ExtractAllTestBinaries(extractionContext, 10)
 		if err != nil {
 			return nil, err
 		}

pkg/cmd/openshift-tests/list/extensions.go

@@ -47,7 +47,7 @@ func NewListExtensionsCommand(streams genericclioptions.IOStreams) *cobra.Comman
 			}
 
 			// Extract all test binaries from the release payload
-			cleanup, binaries, err := extensions.ExtractAllTestBinaries(ctx, 10)
+			cleanup, binaries, _, err := extensions.ExtractAllTestBinaries(ctx, 10)
 			if err != nil {
 				return fmt.Errorf("failed to extract test binaries: %w", err)
 			}