feat : Operator Installation outside of targetNamespace #2589
Conversation
bnshr
force-pushed
the
CNFCERT-1088
branch
3 times, most recently
from
98cb58b to
56d4773
Compare
|
from change #2589: |
bnshr
force-pushed
the
CNFCERT-1088
branch
2 times, most recently
from
1f928d0 to
e3fd824
Compare
|
from change #2589: |
bnshr
force-pushed
the
CNFCERT-1088
branch
2 times, most recently
from
33278d6 to
26570f7
Compare
|
from change #2589: |
bnshr
force-pushed
the
CNFCERT-1088
branch
5 times, most recently
from
fad4dfa to
822dfe9
Compare
bnshr
force-pushed
the
CNFCERT-1088
branch
2 times, most recently
from
2ba0ff8 to
475f7b6
Compare
|
|
||
| csvNamespace := csv.Namespace | ||
| operatorNamespace := csv.Annotations["olm.operatorNamespace"] | ||
| targetNamespaces := operator.TargetNamespaces |
There was a problem hiding this comment.
Maybe I'm wrong but, to me, "tenant app namespaces" are the ones declared in certsuite_config.yaml (field targetNamespaces), not the operator.TargetNamespaces (which comes from operatorGroup.spec.targetNamespaces).
So isn't it good enough just checking whether the operator installation namespace (operator.Csv.Annotations["olm.operatorNamespace"]) is in the certsuite_config.yaml's "targetNamespaces" field?
There was a problem hiding this comment.
As per the requirement, the tenant dedicated operator namespace is mentioned by the namespace where CR is allowed to be created. In any case, we are not considering any other namespace other than the config file specified namespaces for our testing. But the check on targetNamespace is better to be done in the operator specific way (generic), instead of going back to our configuration.
There was a problem hiding this comment.
The requirement for this test is:
Operators are not permitted to be installed into a tenant app namespace. Operators that are installed with the "Single Namespace" olm install mode must be installed into the tenants dedicated operator namespace. Upstream 3rd party operators will be installed Globally with "All Namespaces" olm install mode into the openshift-operators namespace.
In my understanding, the idea of this test is to make sure that tenants dedicate a special namespace for installing operator(s) and that it is not shared with other CNF application namespaces. So I would expect the dedicated operator namespace to be part of the certsuite_config.yaml's "targetNamespaces" filed as @greyerof mentioned, since this hold the namespaces under test. Also, this reserved namespace should only be holding resources deployed/owned by the operator. So if non-operator pods are found in a namespace containing operator pods/resources, the test should fail.
Refers the issue