Merge pull request #482 from gkurz/backports-for-1.8.1

Backports for 1.8.1

Dockerfile

@@ -1,7 +1,7 @@
 # Use OpenShift golang builder image
 # These images needs to be synced with the images in the Makefile.
-ARG BUILDER_IMAGE=${BUILDER_IMAGE:-registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.21-openshift-4.16}
-ARG TARGET_IMAGE=${TARGET_IMAGE:-registry.ci.openshift.org/ocp/4.16:base}
+ARG BUILDER_IMAGE=${BUILDER_IMAGE:-registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.22-openshift-4.17}
+ARG TARGET_IMAGE=${TARGET_IMAGE:-registry.ci.openshift.org/ocp/4.17:base}
 FROM ${BUILDER_IMAGE} AS builder
 
 WORKDIR /workspace

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.8.0  ## OSC_VERSION
+VERSION ?= 1.8.1  ## OSC_VERSION
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -64,8 +64,8 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 # These images needs to be synced with the default values in the Dockerfile.
-BUILDER_IMAGE ?= registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.21-openshift-4.16
-TARGET_IMAGE  ?= registry.ci.openshift.org/ocp/4.16:base
+BUILDER_IMAGE ?= registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.22-openshift-4.17
+TARGET_IMAGE  ?= registry.ci.openshift.org/ocp/4.17:base
 # CONTAINER_TOOL defines the container tool to be used for building images.
 # Be aware that the target commands are only tested with Docker which is
 # scaffolded by default. However, you might want to replace it to use other

bundle/manifests/operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    release: prometheus-operator
+  name: operator-metrics-monitor
+spec:
+  endpoints:
+  - interval: 30s
+    path: /metrics
+    port: "8091"
+    scrapeTimeout: 10s
+  selector:
+    matchLabels:
+      app: operator-metrics-server

bundle/manifests/operator-metrics-service_v1_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app: operator-metrics-server
+  name: operator-metrics-service
+spec:
+  ports:
+  - port: 8091
+    protocol: TCP
+    targetPort: 8091
+  selector:
+    app: operator-metrics-server
+status:
+  loadBalancer: {}

bundle/manifests/osc-alerts_monitoring.coreos.com_v1_prometheusrule.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: osc-alerts
+spec:
+  groups:
+  - name: osc_alerts
+    rules:
+    - alert: KataRemoteWorkloadFailureHigh
+      annotations:
+        description: The failure ratio of kata-remote workloads is above 25% for more
+          than 30 minutes. This may indicate issues with the runtime or configuration.
+        summary: High Kata Remote Workload Failure Ratio
+      expr: kata_remote_workload_failure_ratio > 25
+      for: 30m
+      labels:
+        severity: warning
+    - alert: kata_active_instance
+      annotations:
+        summary: Kata instance alive signal
+      expr: vector(1)
+      labels:
+        purpose: alive_signal
+        severity: info

bundle/manifests/sandboxed-containers-operator.clusterserviceversion.yaml

@@ -13,15 +13,15 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    createdAt: "2024-10-04T09:21:08Z"
+    createdAt: "2024-11-29T15:05:07Z"
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "false"
     features.operators.openshift.io/proxy-aware: "false"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
-    olm.skipRange: '>=1.1.0 <1.8.0'  ## OSC_VERSION
+    olm.skipRange: '>=1.1.0 <1.8.1'
     operatorframework.io/suggested-namespace: openshift-sandboxed-containers-operator
     operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift
       Platform Plus"]'
@@ -32,7 +32,7 @@ metadata:
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/os.linux: supported
-  name: sandboxed-containers-operator.v1.8.0  ## OSC_VERSION
+  name: sandboxed-containers-operator.v1.8.1
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
@@ -411,25 +411,25 @@ spec:
                 - name: PEERPODS_NAMESPACE
                   value: openshift-sandboxed-containers-operator
                 - name: RELATED_IMAGE_KATA_MONITOR
-                  value: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.0  ## OSC_VERSION
+                  value: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.1
                 - name: SANDBOXED_CONTAINERS_EXTENSION
                   value: kata-containers
                 - name: RELATED_IMAGE_CAA
-                  value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.0  ## OSC_VERSION
+                  value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.1
                 - name: RELATED_IMAGE_PEERPODS_WEBHOOK
-                  value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.0  ## OSC_VERSION
+                  value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.1
                 - name: RELATED_IMAGE_PODVM_BUILDER
-                  value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+                  value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1
                 - name: RELATED_IMAGE_PODVM_PAYLOAD
-                  value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.0  ## OSC_VERSION
+                  value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.1
                 envFrom:
                 - secretRef:
                     name: peer-pods-secret
                     optional: true
                 - configMapRef:
                     name: peer-pods-cm
                     optional: true
-                image: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator:v1.8.0  ## OSC_VERSION
+                image: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator:v1.8.1
                 imagePullPolicy: Always
                 name: manager
                 ports:
@@ -508,6 +508,31 @@ spec:
                   defaultMode: 384
                   optional: true
                   secretName: ssh-key-secret
+      - label:
+          app: operator-metrics-server
+        name: operator-metrics-server
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: operator-metrics-server
+          strategy: {}
+          template:
+            metadata:
+              labels:
+                app: operator-metrics-server
+            spec:
+              containers:
+              - command:
+                - /metrics-server
+                image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.1
+                name: metrics-server
+                ports:
+                - containerPort: 8091
+                resources:
+                  requests:
+                    cpu: 50m
+                    memory: 64Mi
       permissions:
       - rules:
         - apiGroups:
@@ -566,18 +591,18 @@ spec:
   provider:
     name: Red Hat
   relatedImages:
-  - image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.0  ## OSC_VERSION
+  - image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.1
     name: kata-monitor
-  - image: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.0  ## OSC_VERSION
+  - image: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.1
     name: caa
-  - image: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.0  ## OSC_VERSION
+  - image: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.1
     name: peerpods-webhook
-  - image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+  - image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1
     name: podvm-builder
-  - image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.0  ## OSC_VERSION
+  - image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.1
     name: podvm-payload
-  replaces: sandboxed-containers-operator.v1.7.0  ## OSC_VERSION_BEFORE
-  version: 1.8.0  ## VERSION
+  replaces: sandboxed-containers-operator.v1.8.0
+  version: 1.8.1
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

config/manager/kustomization.yaml

@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator
-  newTag: v1.8.0  ## OSC_VERSION
+  newTag: v1.8.1

config/manager/manager.yaml

@@ -77,17 +77,17 @@ spec:
             - name: PEERPODS_NAMESPACE
               value: "openshift-sandboxed-containers-operator"
             - name: RELATED_IMAGE_KATA_MONITOR
-              value: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.0  ## OSC_VERSION
+              value: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.1  ## OSC_VERSION
             - name: SANDBOXED_CONTAINERS_EXTENSION
               value: kata-containers
             - name: RELATED_IMAGE_CAA
-              value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.0  ## OSC_VERSION
+              value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:1.8.1  ## OSC_VERSION
             - name: RELATED_IMAGE_PEERPODS_WEBHOOK
-              value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.0 ## OSC_VERSION
+              value: registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9:1.8.1 ## OSC_VERSION
             - name: RELATED_IMAGE_PODVM_BUILDER
-              value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+              value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1  ## OSC_VERSION
             - name: RELATED_IMAGE_PODVM_PAYLOAD
-              value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.0  ## OSC_VERSION
+              value: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.1  ## OSC_VERSION
           imagePullPolicy: Always
           resources:
             limits:

config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml

@@ -20,7 +20,7 @@ metadata:
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
-    olm.skipRange: '>=1.1.0 <1.8.0'  ## OSC_VERSION
+    olm.skipRange: '>=1.1.0 <1.8.1'
     operatorframework.io/suggested-namespace: openshift-sandboxed-containers-operator
     operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift
       Platform Plus"]'
@@ -31,7 +31,7 @@ metadata:
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/os.linux: supported
-  name: sandboxed-containers-operator.v1.8.0  ## OSC_VERSION
+  name: sandboxed-containers-operator.v1.8.0
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
@@ -372,8 +372,8 @@ spec:
   minKubeVersion: 1.28.0
   provider:
     name: Red Hat
-  replaces: sandboxed-containers-operator.v1.7.0  ## OSC_VERSION_BEFORE
-  version: 1.8.0  ## OSC_VERSION
+  replaces: sandboxed-containers-operator.v1.8.0
+  version: 1.8.1
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

config/metrics/kustomization.yaml

@@ -2,3 +2,4 @@ resources:
   - metrics-deployment.yaml
   - metrics-service.yaml
   - metrics-servicemonitor.yaml
+  - metrics-prometheus-rules.yaml

config/metrics/metrics-deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: metrics-server
-          image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.7.0
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9:1.8.1  ## OSC_VERSION
           command: ["/metrics-server"]
           ports:
             - containerPort: 8091

config/peerpods/podvm/azure-podvm-image-handler.sh

@@ -774,9 +774,25 @@ function delete_image_using_id() {
     # IMAGE_ID shouldn't be empty
     [[ -z "${IMAGE_ID}" ]] && error_exit "IMAGE_ID is empty"
 
-    # Delete the image
+    # Rightmost element of the input is <image-version>
+    IMAGE_VERSION=${IMAGE_ID##*/}
+
+    # Get the id of the source image
+    SOURCE_ID=$(az sig image-version show --resource-group "${AZURE_RESOURCE_GROUP}" \
+        --gallery-name "${IMAGE_GALLERY_NAME}" \
+        --gallery-image-definition "${IMAGE_DEFINITION_NAME}" \
+        --gallery-image-version "${IMAGE_VERSION}" \
+        --query "storageProfile.source.id" --output tsv) ||
+        error_exit "Failed to get the source id for image ${IMAGE_GALLERY_NAME} version ${IMAGE_VERSION} with definition ${IMAGE_DEFINITION_NAME}"
+
+    # Delete the image version
     az sig image-version delete --ids "${IMAGE_ID}" ||
-        error_exit "Failed to delete the image"
+        error_exit "Failed to delete image version ${IMAGE_ID}"
+
+    # Delete the source image
+    az image delete --ids "${SOURCE_ID}" ||
+        error_exit "Failed to delete the source image ${SOURCE_ID}"
+
 
     # Remove the image id annotation from peer-pods-cm configmap
     delete_image_id_annotation_from_peer_pods_cm

config/peerpods/podvm/osc-podvm-create-job.yaml

@@ -15,7 +15,7 @@ spec:
       # /podvm-binaries.tar.gz /payload/podvm-binaries.tar.gz
       initContainers:
         - name: copy
-          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.0  ## OSC_VERSION
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9:1.8.1  ## OSC_VERSION
           command: ["/bin/sh", "-c"]
           args:
             - |
@@ -29,7 +29,7 @@ spec:
         - name: create
           # Binaries like kubectl, packer and yq are expected to be under /usr/local/bin
           # podvm binaries are expected to be under /payload/podvm-binaries.tar.gz
-          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1  ## OSC_VERSION
           # This image contains the following
           # azure-podvm-image-handler.sh script under /scripts/azure-podvm-image-handler.sh
           # aws-podvm-image-handler.sh script under /scripts/aws-podvm-image-handler.sh

config/peerpods/podvm/osc-podvm-delete-job.yaml

@@ -19,7 +19,7 @@ spec:
           # aws-podvm-image-handler.sh script under /scripts/aws-podvm-image-handler.sh
           # sources for cloud-api-adaptor under /src/cloud-api-adaptor
           # Binaries like kubectl, packer and yq under /usr/local/bin
-          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1  ## OSC_VERSION
           securityContext:
             runAsUser: 0 # needed for container mode dnf access
           env:

config/peerpods/podvm/osc-podvm-gallery-delete-job.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: delete-gallery
-          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.0  ## OSC_VERSION
+          image: registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9:1.8.1  ## OSC_VERSION
           securityContext:
             runAsUser: 0 # needed for container mode dnf access
           envFrom:

config/samples/deploy.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
  DisplayName: My Operator Catalog
  sourceType: grpc
- image:  quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator-catalog:v1.8.0  ## OSC_VERSION
+ image:  quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-operator-catalog:v1.8.1  ## OSC_VERSION
  updateStrategy:
    registryPoll:
       interval: 5m
@@ -36,4 +36,4 @@ spec:
   name: sandboxed-containers-operator
   source: my-operator-catalog
   sourceNamespace: openshift-marketplace
-  startingCSV: sandboxed-containers-operator.v1.8.0  ## OSC_VERSION
+  startingCSV: sandboxed-containers-operator.v1.8.1  ## OSC_VERSION