OCPBUGS-23969,OCPBUGS-64886: Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main#1230

Open
SchSeba wants to merge 19 commits into openshift:main from SchSeba:merge-bot-master

SchSeba commented May 26, 2026

Contributor

No description provided.

SchSeba and others added 3 commits December 23, 2025 16:29
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
add validation webhooks for netfilter nic selector
When a SriovNetwork has a LASTNETWORKNAMESPACE annotation pointing to
a namespace where the old NetworkAttachmentDefinition no longer exists,
the reconciler returned a NotFound error and blocked creation of the
new NAD. Handle NotFound errors gracefully by logging and continuing,
so cleanup of non-existent resources does not prevent forward progress.

Also fixes swapped Namespace/Name fields in the error log message.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from Billy99 and s1061123 May 26, 2026 23:49
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026
SchSeba added 2 commits May 27, 2026 08:52
Fix the RDMA test: when the device plugin is restarted, the allocatable resource goes to 0 and then back to the original value,
which caused the test to fail.

To avoid a flaky test we don't use the consistency check, but an eventually check.

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
Fix NAD creation blocked by stale LASTNETWORKNAMESPACE annotation
@SchSeba SchSeba force-pushed the merge-bot-master branch 5 times, most recently from 1975115 to a726344 Compare May 31, 2026 23:49
@SchSeba SchSeba force-pushed the merge-bot-master branch from a726344 to cb549d2 Compare June 1, 2026 23:49
A node can start with Drain_Required, which only triggers a partial drain for
SR-IOV workloads. If the daemon later detects that the same change also
requires a reboot, such as an RDMA subsystem mode change or firmware-related
update, it could observe DrainComplete and proceed to reboot even though the
node never went through a full drain.

Fix this by resetting the desired drain state back to Idle whenever a reboot
becomes required during or after a partial drain. This forces the operator to
finish the rollback to Idle, after which the daemon re-requests
Reboot_Required and gets a full drain before rebooting.

Add daemon tests that cover the drain-to-reboot escalation flow and the main
non-regression cases around partial and full drain handling.

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@SchSeba SchSeba force-pushed the merge-bot-master branch 7 times, most recently from 7b8bf41 to 8e66677 Compare June 8, 2026 23:50
@SchSeba SchSeba force-pushed the merge-bot-master branch from 8e66677 to 8c6017f Compare June 9, 2026 23:50
SchSeba commented Jun 10, 2026

Contributor Author

/retitle OCPBUGS-64886: Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main

@openshift-ci openshift-ci Bot changed the title Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main OCPBUGS-64886: Merge https://github.com/k8snetworkplumbingwg/sriov-network-operator:master into main Jun 10, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 10, 2026
@openshift-ci-robot

Contributor

@SchSeba: This pull request references Jira Issue OCPBUGS-64886, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

SchSeba commented Jun 10, 2026

Contributor Author

/jira refresh

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@SchSeba SchSeba force-pushed the merge-bot-master branch from 793b6ee to 02e7d42 Compare June 26, 2026 23:49
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@SchSeba SchSeba force-pushed the merge-bot-master branch 2 times, most recently from a4e9c5e to 8d80384 Compare June 28, 2026 23:49
SchSeba added 2 commits June 29, 2026 09:54
fix(daemon): require a full drain before reboot escalation
This commit adds support for Ciphers and Version in the TLS configuration.

We pass the variables for the following components:
* operator-webhook
* resource-injector
* metrics exporter rbac-proxy

In the case of an OpenShift cluster we add a watch to the API config CR,
so if the user updates the cluster-level CR with a custom TLS configuration, our operator
will follow the same configuration.

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
@SchSeba SchSeba force-pushed the merge-bot-master branch from 8d80384 to 3a520eb Compare June 29, 2026 23:49
SchSeba added 2 commits June 30, 2026 05:43
Signed-off-by: Sebastian Sch <sebassch@gmail.com>
…Spec

Bump openshift/api to release-5.0 which adds the Groups field to
TLSProfileSpec (openshift/api#2583). This allows configuring TLS
supported groups (formerly elliptic curves) for the TLS handshake,
including post-quantum hybrid groups like X25519MLKEM768.

Changes:
- Add CurvePreferences field to consts.TLSConfig and wire it through
  the full TLS configuration pipeline (orchestrator, controller,
  templates, webhook)
- Extract Groups from the OpenShift APIServer TLS profile and propagate
  to operand DaemonSets via --tls-curve-preferences flag
- Operator converts group names to numeric CurveID values before
  passing to the webhook, matching the Kubernetes apiserver pattern
  (fs.Int32SliceVar for --tls-curve-preferences)
- Webhook accepts numeric Go crypto/tls CurveID values directly
  (e.g. 29,23,24) without hardcoded validation; supported values
  depend on the Go version used
- Add TLS_CURVE_PREFERENCES env var for vanilla Kubernetes (Helm values
  and deploy manifest)
- Add CurveNamesToIDs() to convert group names to numeric IDs in the
  operator controller before rendering webhook manifests
- Add ParseCurvePreferencesFromIDs() for the webhook to parse numeric
  CurveID values into []tls.CurveID
- Add TODO for kube-rbac-proxy curve preferences support (blocked on
  kube-rbac-proxy/kube-rbac-proxy#414)
- Update test CRD to CustomNoUpgrade variant with groups field
- Refactor conformance tests: extract operandTLSTarget list and
  assertAllOperandsHaveTLSArgs helper to reduce duplication
- Add unit tests for curve preferences in utils, orchestrator, and
  controller packages

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
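
The two conversion steps the commit message above describes (group names to numeric CurveID values on the operator side, numeric values to `[]tls.CurveID` on the webhook side), as an added Go example that is not the project's code. The function names `namesToCurveIDs` and `parseCurveIDs`, the group-name table and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// Assumed name table (IANA group names); the names OpenShift accepts may differ.
var groupIDs = map[string]tls.CurveID{
	"secp256r1": tls.CurveP256, "secp384r1": tls.CurveP384, // 23, 24
	"secp521r1": tls.CurveP521, "x25519": tls.X25519, // 25, 29
	"x25519mlkem768": 4588, // hybrid post-quantum group, given numerically
}

// namesToCurveIDs (hypothetical, operator side) keeps preference order and
// fails closed on an unknown name instead of silently dropping it.
func namesToCurveIDs(names []string) ([]int32, error) {
	ids := make([]int32, 0, len(names))
	for _, n := range names {
		id, ok := groupIDs[strings.ToLower(strings.TrimSpace(n))]
		if !ok {
			return nil, fmt.Errorf("unknown TLS group %q", n)
		}
		ids = append(ids, int32(id))
	}
	return ids, nil
}

// parseCurveIDs (hypothetical, webhook side) only checks that each entry is
// a uint16; whether the group is supported is left to the Go runtime.
func parseCurveIDs(flag string) ([]tls.CurveID, error) {
	var out []tls.CurveID // stays nil for "", which keeps Go's defaults
	for _, f := range strings.FieldsFunc(flag, func(r rune) bool { return r == ',' }) {
		v, err := strconv.ParseUint(strings.TrimSpace(f), 10, 16)
		if err != nil {
			return nil, fmt.Errorf("invalid CurveID %q: %w", f, err)
		}
		out = append(out, tls.CurveID(v))
	}
	return out, nil
}

func main() {
	ids, err := namesToCurveIDs([]string{"X25519MLKEM768", "x25519", "secp256r1"})
	curves, _ := parseCurveIDs("4588,29,23")
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CurvePreferences: curves}
	fmt.Println(ids, err, cfg.CurvePreferences)
}
```

Rejecting an unknown group name on the operator side matters because a silently dropped entry would change which groups the operand offers without any visible error.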
zeeke commented Jun 30, 2026

Contributor

/retest
/lgtm
/verified later by @zhiqiangf

@openshift-ci-robot

Contributor

@zeeke: Only users can be targets for the /verified later command.

Details

In response to this:

/retest
/lgtm
/verified later by @zhiqiangf

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 30, 2026
Enable TLS cipher, version, and curve preferences control across operator components
@SchSeba SchSeba force-pushed the merge-bot-master branch from 3a520eb to c87fca2 Compare June 30, 2026 23:49
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 30, 2026
@SchSeba SchSeba force-pushed the merge-bot-master branch from c87fca2 to 15921a7 Compare July 1, 2026 23:49
zeeke commented Jul 2, 2026

Contributor

/retest
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SchSeba, zeeke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-merge-bot Bot pushed a commit that referenced this pull request Jul 2, 2026
The upstream merge (PR #1230) adds a watch on APIServer resources
for TLS cipher/version control. Add the apiservers RBAC permission
to the CSV files, deploy clusterrole, and Helm chart so the operator
ServiceAccount can get/list/watch config.openshift.io apiservers.

Without this, OLM-installed operators crash on startup because the
informer for APIServer objects is denied by RBAC.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@SchSeba SchSeba force-pushed the merge-bot-master branch from 15921a7 to 40457ac Compare July 2, 2026 23:49
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
openshift-ci Bot commented Jul 2, 2026

Contributor

New changes are detected. LGTM label has been removed.

@SchSeba SchSeba force-pushed the merge-bot-master branch from 40457ac to 1da660d Compare July 3, 2026 23:49
openshift-ci Bot commented Jul 4, 2026

Contributor

@SchSeba: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/operator-e2e | 1da660d | link | true | /test operator-e2e |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
