Merge remote-tracking branch 'origin/master' into efoley_add_crc_mult…

…iversion

.gitleaks.toml

@@ -0,0 +1,8 @@
+[allowlist]
+  description = "Global Allowlist"
+
+  # Ignore based on any subset of the file path
+  paths = [
+    # Ignore all example certs
+    '''roles\/servicetelemetry\/vars\/dummy_user_certs\.yml'''
+  ]

.zuul.yaml

@@ -12,12 +12,38 @@
     required-projects:
       - name: openstack-k8s-operators/ci-framework
         override-checkout: main
+    pre-run:
+      - ci/prepare.yml
+    run:
+      - ci/deploy_stf.yml
+      - ci/test_stf.yml
+    post-run:
+      - ci/post-collect_logs.yml
     nodeset: centos-9-crc-xxl
-    # non-default crc bundles need more time to download
+    # The default (~30 minutes) is not enough to run through all the job stages
     timeout: 3600
+    vars:
+      # Pass vars to crc cli https://review.rdoproject.org/cgit/config/tree/playbooks/crc/simple-start.yaml#n30
+      crc_parameters: '--memory 16000 --disk-size 80 --cpus 6'  # Increase from 14336
 
 - job:
-    name: stf-crc-base
+    name: stf-crc-latest-nightly_bundles
+    parent: stf-base
+    description:
+      Deploy STF nightly bundles
+    vars:
+      scenario: "nightly_bundles"
+
+- job:
+    name: stf-crc-latest-local_build
+    parent: stf-base
+    description: |
+      Build images locally and deploy STF
+    vars:
+      scenario: "local_build"
+
+- job:
+    name: stf-multi-crc-base
     abstract: true
     description: |
       Temperory base job for crc jobs; the crc jobs will eventually use stf-base as a job, once PR
@@ -29,37 +55,39 @@
 
 - job:
     name: stf-crc-ocp410
-    parent: stf-crc-base
+    parent: stf-multi-crc-base
     vars:
       crc_ocp_bundle: 'https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/openshift/4.10.22/crc_libvirt_4.10.22_amd64.crcbundle'
       ocp_version: '4.10.22'
 
 - job:
     name: stf-crc-ocp411
-    parent: stf-crc-base
+    parent: stf-multi-crc-base
     vars:
       crc_ocp_bundle: 'https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/openshift/4.11.18/crc_libvirt_4.11.18_amd64.crcbundle'
       ocp_version: '4.11.18'
 
 - job:
     name: stf-crc-ocp412
-    parent: stf-crc-base
+    parent: stf-multi-crc-base
     vars:
       crc_ocp_bundle: 'https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/openshift/4.12.13/crc_libvirt_4.12.13_amd64.crcbundle'
       ocp_version: '4.12.13'
 
 - job:
     name: stf-crc-ocp413
-    parent: stf-crc-base
+    parent: stf-multi-crc-base
     vars:
-      crc_ocp_bundle: 'https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/openshift/4.13.12/crc_libvirt_4.13.12_amd64.crcbundle'
-      ocp_version: '4.13.12'
+      crc_ocp_bundle: 'https://mirror.openshift.com/pub/openshift-v4/clients/crc/bundles/openshift/4.13.14/crc_libvirt_4.13.14_amd64.crcbundle'
+      ocp_version: '4.13.14'
 
 - project:
     name: infrawatch/service-telemetry-operator
     github-check:
       jobs:
-        - stf-crc-ocp410
+        #- stf-crc-latest-nightly_bundles
+        #- stf-crc-latest-local_build
         - stf-crc-ocp411
         - stf-crc-ocp412
         - stf-crc-ocp413
+

Jenkinsfile

@@ -36,6 +36,7 @@ spec:
           strategy: ephemeral
   transports:
     qdr:
+      auth: none
       enabled: true
       deploymentSize: 1
       web:

build/Dockerfile

@@ -1,14 +1,21 @@
 FROM quay.io/openshift/origin-ansible-operator:4.12
 
+# temporarily switch to root user to adjust image layers
 USER 0
 # Upstream CI builds need the additional EPEL sources for python3-passlib and python3-bcrypt but have no working repos to install epel-release
 # NO_PROXY is undefined in upstream CI builds, but defined (usually blank) during openshift builds (a possibly brittle hack)
 RUN bash -c -- 'if [ "${NO_PROXY:-__ZZZZZ}" == "__ZZZZZ" ]; then echo "Applying upstream EPEL hacks" && echo -e "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2\ndgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018\n+eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOrRfy\na8x3OxC4PEgl5pgDnP8pVK0lLYncDEQCN76D9ubhZQWhISF/zJI+e806V71hzfyL\n/Mt3mQm/li+lRKU25Usk9dWaf4NH/wZHMIPAkVJ4uD4H/uS49wqWnyiTYGT7hUbi\necF7crhLCmlRzvJR8mkRP6/4T/F3tNDPWZeDNEDVFUkTFHNU6/h2+O398MNY/fOh\nyKaNK3nnE0g6QJ1dOH31lXHARlpFOtWt3VmZU0JnWLeYdvap4Eff9qTWZJhI7Cq0\nWm8DgLUpXgNlkmquvE7P2W5EAr2E5AqKQoDbfw/GiWdRvHWKeNGMRLnGI3QuoX3U\npAlXD7v13VdZxNydvpeypbf/AfRyrHRKhkUj3cU1pYkM3DNZE77C5JUe6/0nxbt4\nETUZBTgLgYJGP8c7PbkVnO6I/KgL1jw+7MW6Az8Ox+RXZLyGMVmbW/TMc8haJfKL\nMoUo3TVk8nPiUhoOC0/kI7j9ilFrBxBU5dUtF4ITAWc8xnG6jJs/IsvRpQARAQAB\ntChGZWRvcmEgRVBFTCAoOCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB\nAgAiBQJc9877AhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAh6kWrL4bW\noWagD/4xnLWws34GByVDQkjprk0fX7Iyhpm/U7BsIHKspHLL+Y46vAAGY/9vMvdE\n0fcr9Ek2Zp7zE1RWmSCzzzUgTG6BFoTG1H4Fho/7Z8BXK/jybowXSZfqXnTOfhSF\nalwDdwlSJvfYNV9MbyvbxN8qZRU1z7PEWZrIzFDDToFRk0R71zHpnPTNIJ5/YXTw\nNqU9OxII8hMQj4ufF11040AJQZ7br3rzerlyBOB+Jd1zSPVrAPpeMyJppWFHSDAI\nWK6x+am13VIInXtqB/Cz4GBHLFK5d2/IYspVw47Solj8jiFEtnAq6+1Aq5WH3iB4\nbE2e6z00DSF93frwOyWN7WmPIoc2QsNRJhgfJC+isGQAwwq8xAbHEBeuyMG8GZjz\nxohg0H4bOSEujVLTjH1xbAG4DnhWO/1VXLX+LXELycO8ZQTcjj/4AQKuo4wvMPrv\n9A169oETG+VwQlNd74VBPGCvhnzwGXNbTK/KH1+WRH0YSb+41flB3NKhMSU6dGI0\nSGtIxDSHhVVNmx2/6XiT9U/znrZsG5Kw8nIbbFz+9MGUUWgJMsd1Zl9R8gz7V9fp\nn7L7y5LhJ8HOCMsY/Z7/7HUs+t/A1MI4g7Q5g5UuSZdgi0zxukiWuCkLeAiAP4y7\nzKK4OjJ644NDcWCHa36znwVmkz3ixL8Q0auR15Oqq2BjR/fyog==\n=84m8\n-----END PGP PUBLIC KEY BLOCK-----" > /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 && echo -e "[epel]\nname=Extra Packages for Enterprise Linux 8 - \$basearch\nmetalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=\$basearch&infra=\$infra&content=\$contentdir\nenabled=1\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8" > /etc/yum.repos.d/epel.repo; fi'
 
-# Required for oauth-proxy
-RUN dnf install -y python3-passlib python3-bcrypt
+# update the base image to allow forward-looking optimistic updates during the testing phase, with the added benefit of helping move closer to passing security scans.
+# -- excludes ansible so it remains at 2.9 tag as shipped with the base image
+# -- installs python3-passlib and python3-bcrypt for oauth-proxy interface
+# -- cleans up the cached data from dnf to keep the image as small as possible
+RUN dnf update -y --exclude=ansible* && dnf install -y python3-passlib python3-bcrypt && dnf clean all && rm -rf /var/cache/dnf
+
+# switch back to user 1001 when running the base image (non-root)
 USER 1001
 
+# copy in required artifacts for the operator
 COPY watches.yaml ${HOME}/watches.yaml
 COPY roles/ ${HOME}/roles/
 COPY collections/ ${HOME}/.ansible/collections/

build/run-ci.yaml

@@ -6,4 +6,10 @@
   tasks:
   - name: Run the STF CI system
     import_role:
-        name: stf-run-ci
+      name: stf-run-ci
+
+  - name: Collect the logs
+    import_role:
+      name: stf-collect-logs
+    vars:
+      logfile_dir: "{{ playbook_dir }}/"

build/stf-collect-logs/README.md

@@ -0,0 +1,38 @@
+stf-collect-logs
+================
+
+This role collects logs that are useful for debugging an STF deployment.
+
+Once the logs are collected, the user will need to fetch the logs themselves.
+
+Requirements
+------------
+
+
+Role Variables
+--------------
+
+* `logfile_dir` - The location that the logs will be created in on the remote host(s).
+
+Dependencies
+------------
+
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+Apache 2
+
+Author Information
+------------------
+
+Red Hat

build/stf-collect-logs/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for stf-collect-logs

build/stf-collect-logs/meta/main.yml

@@ -0,0 +1,15 @@
+galaxy_info:
+  role_name: stf-collect-logs
+  namespace: infrawatch
+
+  author: InfraWatch
+  description: Log collection role for Service Telemetry Framework
+  company: Red Hat
+
+  license: Apache-2.0
+
+  min_ansible_version: 2.1
+
+  galaxy_tags: []
+
+dependencies: []

build/stf-collect-logs/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+- name: "Get builds"
+  ansible.builtin.shell:
+    cmd: |
+      echo "*** [INFO] Showing oc get builds" > {{ logfile_dir }}/post_oc_get_builds.log 2>&1
+      oc -n {{ namespace }} get builds -oyaml >> {{ logfile_dir }}/post_oc_get_builds.log 2>&1
+      echo "*** [INFO] Showing oc get builds -oyaml" >> {{ logfile_dir }}/post_oc_get_builds.log 2>&1
+      oc -n {{ namespace }} get builds -oyaml >> {{ logfile_dir }}/post_oc_get_builds.log 2>&1
+      cat {{ logfile_dir }}/post_oc_get_builds.log
+  ignore_errors: true
+  changed_when: false
+
+- name: "Get subscription details"
+  ansible.builtin.shell:
+    cmd: |
+      oc -n {{ namespace }} get subscriptions > {{ logfile_dir }}/post_oc_get_subscriptions.log 2>&1
+      oc -n {{ namespace }} describe subscription service-telemetry-operator >> {{ logfile_dir }}/post_oc_get_subscriptions.log 2>&1
+  ignore_errors: true
+
+- name: "Get image infos"
+  ansible.builtin.shell:
+    cmd: |
+      echo "[INFO] oc  get images" > {{ logfile_dir }}/post_oc_get_images.log 2>&1
+      oc -n {{ namespace }} get images >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
+      echo "[INFO] oc  get imagestreams" >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
+      oc -n {{ namespace }} get imagestream >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
+      echo "[INFO] oc  get imagestream -oyaml" >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
+      oc -n {{ namespace }} get imagestream -oyaml >> {{ logfile_dir }}/post_oc_get_images.log 2>&1
+  retries: 3
+  delay: 10
+  ignore_errors: true
+
+- name: "Get STO info"
+  ansible.builtin.shell:
+    cmd: |
+      oc -n {{ namespace }} describe pod $(oc -n {{ namespace }} get pod -l name=service-telemetry-operator -ojsonpath='{ .items[].metadata.name }') >> {{ logfile_dir }}/describe_sto.log 2>&1
+  ignore_errors: true
+  retries: 3
+  delay: 10
+
+- name: "Question the deployment"
+  ansible.builtin.shell:
+    cmd: |
+      echo "What images were created in the internal registry?" > {{ logfile_dir }}/post_question_deployment.log 2>&1
+      oc -n {{ namespace }} get images | grep $(oc -n {{ namespace }} registry info --internal) >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+      echo "What state is the STO csv in?" >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+      oc -n {{ namespace }} get csv | grep service-telemetry-operator >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+      oc -n {{ namespace }} get csv $(oc -n {{ namespace }} get csv | grep "service-telemetry-operator" | awk '{ print $1}') -oyaml >> {{ logfile_dir }}/post_question_deployment.log 2>&1
+  register: output
+  retries: 3
+  delay: 10
+
+- name: "Get pods"
+  ansible.builtin.command:
+    cmd: |
+      oc -n {{ namespace }} get pods > {{ logfile_dir }}/post_oc_get_pods.log 2>&1
+      echo "Additional information" >> {{ logfile_dir }}/post_oc_get_pods.log
+      oc -n {{ namespace }} describe pods >> {{ logfile_dir }}/post_oc_get_pods.log 2>&1
+  ignore_errors: true
+  retries: 3
+  delay: 10

build/stf-collect-logs/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for stf-collect-logs

build/stf-run-ci/README.md

@@ -51,8 +51,8 @@ choose to override:
 | `__service_telemetry_trap_oid_prefix`                                | <oid_prefix>                                                | 1.3.6.1.4.1.50495.15                                  | The OID prefix for trap variable bindings.                                                                                                |
 | `__service_telemetry_trap_default_oid`                               | <default_oid>                                               | 1.3.6.1.4.1.50495.15.1.2.1                            | The trap OID if none is found in the Prometheus alert labels.                                                                             |
 | `__service_telemetry_trap_default_severity`                          | <default_severity>                                          | <undefined>                                           | The trap severity if none is found in the Prometheus alert labels.                                                                        |
-| `__service_telemetry_logs_enabled`                                   | {true,false}                                                | false                                                 | Whether to enable logs support in ServiceTelemetry                                                                                        |
 | `__service_telemetry_observability_strategy`                         | <observability_strategy>                                    | `use_redhat`                                          | Which observability strategy to use for deployment. Default is 'use_redhat'. Also supported are 'use_hybrid', 'use_community', and 'none' |
+| `__service_telemetry_transports_qdr_auth`                            | {'none', 'basic'}                                           | `none`                                                | Which auth method to use for QDR. Can be 'none' or 'basic'. Note: 'basic' is not yet supported in smoketests.                             |
 | `__service_telemetry_transports_certificates_endpoint_cert_duration` | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR endpoint certificate (minimum duration is 1h)                                                                         |
 | `__service_telemetry_transports_certificates_ca_cert_duration`       | [ParseDuration](https://golang.org/pkg/time/#ParseDuration) | 70080h                                                | Lifetime of the QDR CA certificate (minimum duration is 1h)                                                                               |
 | `__internal_registry_path`                                           | <registry_path>                                             | image-registry.openshift-image-registry.svc:5000      | Path to internal registry for image path                                                                                                  |

build/stf-run-ci/defaults/main.yml

@@ -26,7 +26,6 @@ __service_telemetry_snmptraps_alert_oid_label: "oid"
 __service_telemetry_snmptraps_trap_oid_prefix: "1.3.6.1.4.1.50495.15"
 __service_telemetry_snmptraps_trap_default_oid: "1.3.6.1.4.1.50495.15.1.2.1"
 __service_telemetry_snmptraps_trap_default_severity: ""
-__service_telemetry_logs_enabled: false
 __service_telemetry_observability_strategy: use_redhat
 __service_telemetry_transports_certificates_endpoint_cert_duration: 70080h
 __service_telemetry_transports_certificates_ca_cert_duration: 70080h

build/stf-run-ci/requirements.txt

@@ -1,8 +1,8 @@
 # https://stackoverflow.com/questions/64073422/importerror-cannot-import-name-oauth1session-from-requests-oauthlib
-requests==2.27.1
+requests==2.31.0
 requests_oauthlib==1.3.0
 # https://github.com/domainaware/parsedmarc/issues/318
-oauthlib==3.2.0
+oauthlib==3.2.2
 kubernetes==24.2.0
 openshift==0.13.1
 ansible-core==2.12.10

build/stf-run-ci/tasks/create_catalog.yml

@@ -32,7 +32,14 @@
   ansible.builtin.set_fact:
     internal_registry: "{{ builder_dockercfg_auth_results['image-registry.openshift-image-registry.svc:5000'] | to_json }}"
 
-- when: query('kubernetes.core.k8s', api_version='v1', kind='Secret', resource_name='service-telemetry-framework-index-dockercfg', namespace=namespace) | length == 0
+- name: Get Secrets to check for service-telemetry-framework-index-dockercfg
+  ansible.builtin.command:
+    cmd: oc get secret -n {{ namespace }} service-telemetry-framework-index-dockercfg
+  register: index_dockercfg_secret
+  ignore_errors: true
+
+# There's an error when the requested resource doesn't exist, so check the rc
+- when: index_dockercfg_secret.rc != 0
   block:
   - name: Create config.json to import as Secret
     ansible.builtin.template:
@@ -43,16 +50,33 @@
 
   - name: Create a Secret for the dockercfg
     ansible.builtin.command: oc create secret generic -n {{ namespace }} service-telemetry-framework-index-dockercfg --from-file=.dockerconfigjson={{ base_dir }}/working/service-telemetry-framework-index/config.json --type=kubernetes.io/dockerconfigjson
+    ignore_errors: true
+
+- name: Get the ose-operator-registry ImageStream
+  ansible.builtin.command:
+    cmd: oc get -n {{ namespace }} ImageStream ose-operator-registry
+  register: ose_op_registry_is
+  ignore_errors: true
 
 - name: Create ImageStream for ose-operator-registry
   ansible.builtin.command: oc import-image -n {{ namespace }} ose-operator-registry:{{ default_operator_registry_image_tag }} --from={{ default_operator_registry_image_base }}:{{ default_operator_registry_image_tag }} --confirm
-  when: query('kubernetes.core.k8s', api_version='v1', kind='ImageStream', resource_name='ose-operator-registry', namespace=namespace) | length == 0
+  when: ose_op_registry_is.rc != 0
+
+- name: Delete the existing imagestream, if it exists
+  ansible.builtin.command: oc delete imagestream -n {{ namespace }} service-telemetry-framework-index
+  ignore_errors: true
 
 - name: Create ImageStream for service-telemetry-framework-index
   ansible.builtin.command: oc create imagestream -n {{ namespace }} service-telemetry-framework-index
-  when: query('kubernetes.core.k8s', api_version='v1', kind='ImageStream', resource_name='service-telemetry-framework-index', namespace=namespace) | length == 0
 
-- name: Create BuildConfig for service-telemetry-framework-index
+- name: Get STF index image stream
+  ansible.builtin.command:
+    cmd: oc get -n {{ namespace }} ImageStream service-telemetry-framework-index
+  register: stf_index_imagestream
+  ignore_errors: true
+
+- when: stf_index_imagestream.rc != 0
+  name: Create BuildConfig for service-telemetry-framework-index
   kubernetes.core.k8s:
     definition:
       apiVersion: build.openshift.io/v1
@@ -78,7 +102,7 @@
           dockerfile: |
             # The base image is expected to contain
             # /bin/opm (with a serve subcommand) and /bin/grpc_health_probe
-            FROM registry.redhat.io/openshift4/ose-operator-registry:v4.13
+            FROM {{default_operator_registry_image_base}}:{{default_operator_registry_image_tag}}
 
             COPY --chmod=666 index.yaml /configs/
 
@@ -97,7 +121,7 @@
           dockerStrategy:
             from:
               kind: ImageStreamTag
-              name: ose-operator-registry:v4.13
+              name: "ose-operator-registry:{{default_operator_registry_image_tag}}"
             volumes:
             - mounts:
               - destinationPath: /opt/app-root/auth

build/stf-run-ci/tasks/deploy_stf.yml

@@ -43,19 +43,15 @@
                 persistent:
                   storageClass: {{ __service_telemetry_storage_persistent_storage_class }}
       {% endif %}
-          logs:
-            loki:
-              enabled: false
-              replicationFactor: 1
-              flavor: 1x.extra-small
-              storage:
-                objectStorageSecret: test
       {% if __service_telemetry_storage_persistent_storage_class is defined %}
                 storageClass: {{ __service_telemetry_storage_persistent_storage_class }}
       {% endif %}
         transports:
           qdr:
             enabled: true
+      {% if __service_telemetry_transports_qdr_auth is defined %}
+            auth: "{{ __service_telemetry_transports_qdr_auth }}"
+      {% endif %}
             certificates:
               endpointCertDuration: {{ __service_telemetry_transports_certificates_endpoint_cert_duration }}
               caCertDuration: {{ __service_telemetry_transports_certificates_ca_cert_duration }}