OCPBUGS-23969,OCPBUGS-64886: Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main#1230
SchSeba wants to merge 19 commits into
Conversation
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
add validation webhooks for netfilter nic selector
When a SriovNetwork has a LASTNETWORKNAMESPACE annotation pointing to a namespace where the old NetworkAttachmentDefinition no longer exists, the reconciler returned a NotFound error and blocked creation of the new NAD. Handle NotFound errors gracefully by logging and continuing, so cleanup of non-existent resources does not prevent forward progress. Also fixes swapped Namespace/Name fields in the error log message. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix the rdma test: when the device plugin is restarted, the allocatable resource goes to 0 and then back to the original value, which caused the test to fail. To avoid a flaky test we don't use the consistency check but an eventually check. Signed-off-by: Sebastian Sch <sebassch@gmail.com>
Fix NAD creation blocked by stale LASTNETWORKNAMESPACE annotation
1975115 to a726344
fix rdma test
A node can start with Drain_Required, which only triggers a partial drain for SR-IOV workloads. If the daemon later detects that the same change also requires a reboot, such as an RDMA subsystem mode change or firmware-related update, it could observe DrainComplete and proceed to reboot even though the node never went through a full drain. Fix this by resetting the desired drain state back to Idle whenever a reboot becomes required during or after a partial drain. This forces the operator to finish the rollback to Idle, after which the daemon re-requests Reboot_Required and gets a full drain before rebooting. Add daemon tests that cover the drain-to-reboot escalation flow and the main non-regression cases around partial and full drain handling. Signed-off-by: Sebastian Sch <sebassch@gmail.com> Co-authored-by: Cursor <cursoragent@cursor.com>
7b8bf41 to 8e66677
/retitle OCPBUGS-64886: Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main
@SchSeba: This pull request references Jira Issue OCPBUGS-64886, which is invalid:
Comment
The bug has been updated to refer to the pull request using the external bug tracker.
Details
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/jira refresh
793b6ee to 02e7d42
a4e9c5e to 8d80384
fix(daemon): require a full drain before reboot escalation
This commit adds support for Ciphers and Version in the TLS configuration. We pass the variables for the following components:
* operator-webhook
* resource-injector
* metrics exporter rbac-proxy
In the case of an OpenShift cluster we add a watch to the API config CR, so if the user updates the cluster-level CR with a custom TLS configuration our operator will follow the same configuration. Signed-off-by: Sebastian Sch <sebassch@gmail.com>
8d80384 to 3a520eb
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
…Spec Bump openshift/api to release-5.0 which adds the Groups field to TLSProfileSpec (openshift/api#2583). This allows configuring TLS supported groups (formerly elliptic curves) for the TLS handshake, including post-quantum hybrid groups like X25519MLKEM768.
Changes:
- Add CurvePreferences field to consts.TLSConfig and wire it through the full TLS configuration pipeline (orchestrator, controller, templates, webhook)
- Extract Groups from the OpenShift APIServer TLS profile and propagate to operand DaemonSets via --tls-curve-preferences flag
- Operator converts group names to numeric CurveID values before passing to the webhook, matching the Kubernetes apiserver pattern (fs.Int32SliceVar for --tls-curve-preferences)
- Webhook accepts numeric Go crypto/tls CurveID values directly (e.g. 29,23,24) without hardcoded validation; supported values depend on the Go version used
- Add TLS_CURVE_PREFERENCES env var for vanilla Kubernetes (Helm values and deploy manifest)
- Add CurveNamesToIDs() to convert group names to numeric IDs in the operator controller before rendering webhook manifests
- Add ParseCurvePreferencesFromIDs() for the webhook to parse numeric CurveID values into []tls.CurveID
- Add TODO for kube-rbac-proxy curve preferences support (blocked on kube-rbac-proxy/kube-rbac-proxy#414)
- Update test CRD to CustomNoUpgrade variant with groups field
- Refactor conformance tests: extract operandTLSTarget list and assertAllOperandsHaveTLSArgs helper to reduce duplication
- Add unit tests for curve preferences in utils, orchestrator, and controller packages
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
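The two TLS commits above describe a three-step pipeline: the operator resolves cipher, version and group names from the profile, renders the numeric group list into a `--tls-curve-preferences` flag, and the webhook parses that list back into `[]tls.CurveID` without a hardcoded allow-list. The following is an added Go sketch of that plumbing, not the operator's code and not part of this PR. The name-to-ID table `curveNameToID`, the group spellings, the flag format and the function `BuildServerTLSConfig` are assumptions; `CurveNamesToIDs` and `ParseCurvePreferencesFromIDs` reuse the names from the commit message but are written here from scratch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// curveNameToID is an assumed name-to-codepoint table (hypothetical; the real
// operator keeps its own). Values are IANA supported-group IDs, which is what
// Go's tls.CurveID holds, so the list is the same one the webhook receives.
var curveNameToID = map[string]tls.CurveID{
	"X25519":         tls.X25519,          // 29
	"secp256r1":      tls.CurveP256,       // 23
	"secp384r1":      tls.CurveP384,       // 24
	"secp521r1":      tls.CurveP521,       // 25
	"X25519MLKEM768": tls.CurveID(0x11EC), // 4588; the tls.X25519MLKEM768 constant needs Go 1.24+
}

// CurveNamesToIDs is the operator-side step: group names from the profile
// become the numeric list rendered into --tls-curve-preferences.
func CurveNamesToIDs(names []string) ([]tls.CurveID, error) {
	ids := make([]tls.CurveID, 0, len(names))
	for _, n := range names {
		id, ok := curveNameToID[strings.TrimSpace(n)]
		if !ok {
			return nil, fmt.Errorf("unknown TLS group name %q", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// FormatCurveIDs renders the flag value, e.g. "29,23".
func FormatCurveIDs(ids []tls.CurveID) string {
	parts := make([]string, len(ids))
	for i, id := range ids {
		parts[i] = strconv.Itoa(int(id))
	}
	return strings.Join(parts, ",")
}

// ParseCurvePreferencesFromIDs is the webhook-side step. It only checks that
// each entry is a uint16 codepoint: whether Go can negotiate the group depends
// on the toolchain version, and an unsupported ID shows up as a handshake
// failure at runtime rather than as a startup error.
func ParseCurvePreferencesFromIDs(s string) ([]tls.CurveID, error) {
	var ids []tls.CurveID
	for _, f := range strings.Split(s, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		v, err := strconv.ParseUint(f, 10, 16)
		if err != nil {
			return nil, fmt.Errorf("invalid curve id %q: %w", f, err)
		}
		ids = append(ids, tls.CurveID(v))
	}
	return ids, nil
}

// CipherNamesToIDs resolves suite names through crypto/tls's own tables and
// fails closed on names Go classifies as insecure instead of dropping them
// silently. TLS 1.3 suites resolve too, but Go ignores CipherSuites for 1.3.
func CipherNamesToIDs(names []string) ([]uint16, error) {
	secure, insecure := map[string]uint16{}, map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		n = strings.TrimSpace(n)
		if insecure[n] {
			return nil, fmt.Errorf("cipher suite %q is insecure and not allowed", n)
		}
		id, ok := secure[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// ParseTLSVersion accepts only the minimum versions a current profile should offer.
func ParseTLSVersion(name string) (uint16, error) {
	switch name {
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unsupported minimum TLS version %q", name)
}

// BuildServerTLSConfig assembles the server config from the three flag values;
// certificate loading is left to the caller.
func BuildServerTLSConfig(minVersion string, ciphers []string, curveIDs string) (*tls.Config, error) {
	ver, err := ParseTLSVersion(minVersion)
	if err != nil {
		return nil, err
	}
	suites, err := CipherNamesToIDs(ciphers)
	if err != nil {
		return nil, err
	}
	curves, err := ParseCurvePreferencesFromIDs(curveIDs)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: ver, CipherSuites: suites, CurvePreferences: curves}, nil
}

func main() {
	// Operator side: (constructed) profile group names become the flag value.
	ids, err := CurveNamesToIDs([]string{"X25519MLKEM768", "X25519", "secp256r1"})
	if err != nil {
		panic(err)
	}
	flagVal := FormatCurveIDs(ids)
	fmt.Println("--tls-curve-preferences=" + flagVal)
	// Webhook side: the flag value is parsed back and applied with the other two settings.
	cfg, err := BuildServerTLSConfig("VersionTLS12",
		[]string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}, flagVal)
	if err != nil {
		panic(err)
	}
	fmt.Printf("min=%#x suites=%#x curves=%v\n", cfg.MinVersion, cfg.CipherSuites, cfg.CurvePreferences)
}
```

Two points the commit message hints at and the sketch makes concrete: the numeric list is the only thing that crosses the operator/webhook boundary, so an X25519MLKEM768 entry rendered by an operator built on a newer Go will be accepted by a webhook built on an older Go and only fail when a client actually offers that group; and resolving cipher names through `tls.CipherSuites()` and `tls.InsecureCipherSuites()` rejects a misspelled or deprecated suite loudly rather than quietly shrinking the allowed set.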
/retest
@zeeke: Only users can be targets for the
Details
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Enable TLS cipher, version, and curve preferences control across operator components
3a520eb to c87fca2
/retest
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: SchSeba, zeeke
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
The upstream merge (PR #1230) adds a watch on APIServer resources for TLS cipher/version control. Add the apiservers RBAC permission to the CSV files, deploy clusterrole, and Helm chart so the operator ServiceAccount can get/list/watch config.openshift.io apiservers. Without this, OLM-installed operators crash on startup because the informer for APIServer objects is denied by RBAC. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New changes are detected. LGTM label has been removed.
@SchSeba: The following test failed, say
Full PR test history. Your PR dashboard.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
No description provided.