Automate OCP-42543: should not install resources annotated with release.openshift.io/delete=true

Author: JianLi-RH

.openshift-tests-extension/openshift_payload_cluster-version-operator.json

@@ -38,5 +38,19 @@
     "source": "openshift:payload:cluster-version-operator",
     "lifecycle": "blocking",
     "environmentSelector": {}
+  },
+  {
+    "name": "[Jira:\"Cluster Version Operator\"] cluster-version-operator should not install resources annotated with release.openshift.io/delete=true",
+    "labels": {
+      "42543": {},
+      "Conformance": {},
+      "High": {}
+    },
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:cluster-version-operator",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
   }
 ]

test/cvo/cvo.go

@@ -1,7 +1,12 @@
 package cvo
 
 import (
+	"bytes"
 	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
@@ -13,6 +18,7 @@ import (
 	"github.com/openshift/cluster-version-operator/test/oc"
 	ocapi "github.com/openshift/cluster-version-operator/test/oc/api"
 	"github.com/openshift/cluster-version-operator/test/util"
+	"github.com/openshift/library-go/pkg/manifest"
 )
 
 var logger = g.GinkgoLogr.WithName("cluster-version-operator-tests")
@@ -84,4 +90,58 @@ var _ = g.Describe(`[Jira:"Cluster Version Operator"] cluster-version-operator`,
 		sccAnnotation := cvoPod.Annotations["openshift.io/scc"]
 		o.Expect(sccAnnotation).To(o.Equal("hostaccess"), "Expected the annotation 'openshift.io/scc annotation' on pod %s to have the value 'hostaccess', but got %s", cvoPod.Name, sccAnnotation)
 	})
+
+	g.It(`should not install resources annotated with release.openshift.io/delete=true`, g.Label("Conformance", "High", "42543"), func() {
+		ctx := context.Background()
+		err := util.SkipIfHypershift(ctx, restCfg)
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to determine if cluster is HyperShift")
+		err = util.SkipIfMicroshift(ctx, restCfg)
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to determine if cluster is MicroShift")
+
+		// Initialize the ocapi.OC instance
+		g.By("Setting up oc")
+		ocClient, err := oc.NewOC(ocapi.Options{Logger: logger, Timeout: 90 * time.Second})
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		g.By("Extracting manifests in the release")
+		annotation := "release.openshift.io/delete"
+		tempDir, err := os.MkdirTemp("", "OTA-42543-manifest-")
+		o.Expect(err).NotTo(o.HaveOccurred(), "create temp manifest dir failed")
+		manifestDir := ocapi.ReleaseExtractOptions{To: tempDir}
+		logger.Info(fmt.Sprintf("Extract manifests to: %s", manifestDir.To))
+		defer func() { _ = os.RemoveAll(manifestDir.To) }()
+		err = ocClient.AdmReleaseExtract(manifestDir)
+		o.Expect(err).NotTo(o.HaveOccurred(), "extracting manifests failed")
+
+		files, err := os.ReadDir(manifestDir.To)
+		o.Expect(err).NotTo(o.HaveOccurred())
+		g.By(fmt.Sprintf("Checking if getting manifests with %s on the cluster led to not-found error", annotation))
+		for _, manifestFile := range files {
+			// if strings.Contains(strings.ToLower(manifestFile.Name()), "cleanup") {
+			// 	logger.Info(fmt.Sprintf("skipping file %s because it matches cleanup filter", manifestFile.Name()))
+			// 	continue
+			// }
+
+			filePath := filepath.Join(manifestDir.To, manifestFile.Name())
+			raw, err := os.ReadFile(filePath)
+			if err != nil {
+				o.Expect(err).NotTo(o.HaveOccurred(), "failed to read manifest file")
+			}
+			manifests, err := manifest.ParseManifests(bytes.NewReader(raw))
+			if err != nil {
+				// files like release-metadata are not manifest file, so skip them
+				logger.Error(err, "failed to parse manifest file: "+filePath)
+			}
+
+			for _, ms := range manifests {
+				ann := ms.Obj.GetAnnotations()
+				if ann == nil || ann[annotation] != "true" {
+					continue
+				}
+				manifestFilePath := filepath.Join(manifestDir.To, manifestFile.Name())
+				err := util.GetManifestExpectNotFoundError(ms)
+				o.Expect(err).To(o.HaveOccurred(), "The deleted manifest should not be installed, but actually installed:"+manifestFilePath+", manifest name: "+ms.Obj.GetName())
+			}
+		}
+	})
 })

test/util/connection.go

@@ -0,0 +1,102 @@
+package util
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	imageclientv1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1"
+	securityclientv1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
+	operatorsclientv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned/typed/operators/v1"
+	apiextclientv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
+	admissionregistrationclientv1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1"
+	appsclientv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
+	batchclientv1 "k8s.io/client-go/kubernetes/typed/batch/v1"
+	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	rbacclientv1 "k8s.io/client-go/kubernetes/typed/rbac/v1"
+)
+
+// getKubeConfig get KUBECONFIG file from environment variable
+func getKubeConfig() (*rest.Config, error) {
+	configPath, present := os.LookupEnv("KUBECONFIG")
+	if !present {
+		return nil, errors.New("the environment variable KUBECONFIG must be set")
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", configPath)
+	return config, err
+}
+
+func getImageClient() (*imageclientv1.ImageV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return imageclientv1.NewForConfigOrDie(config), nil
+}
+
+func getSecretClient() (*securityclientv1.SecurityV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return securityclientv1.NewForConfigOrDie(config), nil
+}
+
+func getOperatorClient() (*operatorsclientv1.OperatorsV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return operatorsclientv1.NewForConfigOrDie(config), nil
+}
+
+func getAdmissionRegistrationClient() (*admissionregistrationclientv1.AdmissionregistrationV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return admissionregistrationclientv1.NewForConfigOrDie(config), nil
+}
+
+func getAppsClient() (*appsclientv1.AppsV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return appsclientv1.NewForConfigOrDie(config), nil
+}
+
+func getBatchClient() (*batchclientv1.BatchV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return batchclientv1.NewForConfigOrDie(config), nil
+}
+
+func getCoreV1Client() (*coreclientv1.CoreV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return coreclientv1.NewForConfigOrDie(config), nil
+}
+
+func getRbacV1Client() (*rbacclientv1.RbacV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return rbacclientv1.NewForConfigOrDie(config), nil
+}
+
+func getApiextV1Client() (*apiextclientv1.ApiextensionsV1Client, error) {
+	config, err := getKubeConfig()
+	if err != nil {
+		return nil, fmt.Errorf("unable to load build config: %w", err)
+	}
+	return apiextclientv1.NewForConfigOrDie(config), nil
+}

test/util/util.go

@@ -2,8 +2,20 @@ package util
 
 import (
 	"context"
+	"fmt"
 	"time"
 
+	imagev1 "github.com/openshift/api/image/v1"
+	securityv1 "github.com/openshift/api/security/v1"
+	"github.com/openshift/cluster-version-operator/lib/resourceread"
+	"github.com/openshift/library-go/pkg/manifest"
+	operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
 	g "github.com/onsi/ginkgo/v2"
 	configv1 "github.com/openshift/api/config/v1"
 	clientconfigv1 "github.com/openshift/client-go/config/clientset/versioned"
@@ -16,6 +28,137 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )
 
+// GetManifestExpectNotFoundError get manifest to check if it is installed
+func GetManifestExpectNotFoundError(ms manifest.Manifest) error {
+	obj, err := resourceread.Read(ms.Raw)
+	if err != nil {
+		return err
+	}
+	switch typedObject := obj.(type) {
+	case *imagev1.ImageStream:
+		client, err := getImageClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.ImageStreams(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *securityv1.SecurityContextConstraints:
+		client, err := getSecretClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.SecurityContextConstraints().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *operatorsv1.OperatorGroup:
+		client, err := getOperatorClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.OperatorGroups(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *admissionregistrationv1.ValidatingWebhookConfiguration:
+		client, err := getAdmissionRegistrationClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.ValidatingWebhookConfigurations().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *appsv1.DaemonSet:
+		client, err := getAppsClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.DaemonSets(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *appsv1.Deployment:
+		client, err := getAppsClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.Deployments(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *batchv1.CronJob:
+		client, err := getBatchClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.CronJobs(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *batchv1.Job:
+		client, err := getBatchClient()
+		if err != nil {
+			return err
+		}
+		_, err = client.Jobs(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *corev1.ConfigMap:
+		client, err := getCoreV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.ConfigMaps(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *corev1.Namespace:
+		client, err := getCoreV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.Namespaces().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *corev1.Service:
+		client, err := getCoreV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.Services(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *corev1.ServiceAccount:
+		client, err := getCoreV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.ServiceAccounts(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *rbacv1.ClusterRole:
+		client, err := getRbacV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.ClusterRoles().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *rbacv1.ClusterRoleBinding:
+		client, err := getRbacV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.ClusterRoleBindings().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *rbacv1.Role:
+		client, err := getRbacV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.Roles(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *rbacv1.RoleBinding:
+		client, err := getRbacV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.RoleBindings(typedObject.Namespace).Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	case *apiextensionsv1.CustomResourceDefinition:
+		client, err := getApiextV1Client()
+		if err != nil {
+			return err
+		}
+		_, err = client.CustomResourceDefinitions().Get(context.TODO(), typedObject.Name, metav1.GetOptions{})
+		return err
+	default:
+		return fmt.Errorf("unrecognized manifest type: %T", obj)
+	}
+}
+
 // IsHypershift checks if running on a HyperShift hosted cluster
 // Refer to https://github.com/openshift/origin/blob/31704414237b8bd5c66ad247c105c94abc9470b1/test/extended/util/framework.go#L2301
 func IsHypershift(ctx context.Context, restConfig *rest.Config) (bool, error) {