Merge pull request red-hat-data-services#198 from VaishnaviHire/rhoai…

…_release_2.8

RHOAI-v2.8: Sync from upstream

.gitignore

@@ -53,4 +53,8 @@ scripts/gke/build/**
 
 odh-manifests/
 
-cover.out
+cover.out
+
+# Ignore any local.mk files that would be consumed by the Makefile
+local.mk
+

CONTRIBUTING.md

@@ -43,3 +43,17 @@ echo 'export PATH=${PATH}:~/bin' >> ~/.zshrc
 echo 'export GOPROXY=https://proxy.golang.org' >> ~/.zshrc
 ```
 
+## Using a local.mk file to override Makefile variables for your development environment
+
+To support the ability for a developer to customize the Makefile execution to support their development environment, you can create a `local.mk` file in the root of this repo to specify custom values that match your environment.
+
+```
+$ cat local.mk
+VERSION=9.9.9
+IMAGE_TAG_BASE=quay.io/my-dev-env/opendatahub-operator
+IMG_TAG=my-dev-tag
+OPERATOR_NAMESPACE=my-dev-odh-operator-system
+IMAGE_BUILD_FLAGS=--build-arg USE_LOCAL=true
+E2E_TEST_FLAGS="--skip-deletion=true" -timeout 15m
+```
+

Makefile

@@ -3,21 +3,16 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-ifneq ($(USER),)
-IMAGE_OWNER = $(USER)
-else
-IMAGE_OWNER = opendatahub
-endif
-VERSION ?= 2.4.0
+VERSION ?= 2.7.0
 # IMAGE_TAG_BASE defines the opendatahub.io namespace and part of the image name for remote images.
 # This variable is used to construct full image tags for bundle and catalog images.
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # opendatahub.io/opendatahub-operator-bundle:$VERSION and opendatahub.io/opendatahub-operator-catalog:$VERSION.
-IMAGE_TAG_BASE = quay.io/$(IMAGE_OWNER)/opendatahub-operator
+IMAGE_TAG_BASE ?= quay.io/opendatahub/opendatahub-operator
 
 # keep the name based on IMG which already used from command line
-IMG_TAG = latest
+IMG_TAG ?= latest
 # Update IMG to a variable, to keep it consistent across versions for OpenShift CI
 IMG = $(IMAGE_TAG_BASE):$(IMG_TAG)
 # BUNDLE_IMG defines the image:tag used for the bundle.
@@ -96,10 +91,19 @@ E2E_TEST_FLAGS = "--skip-deletion=false" -timeout 15m # See README.md, default g
 # Default image-build is to not use local odh-manifests folder
 # set to "true" to use local instead
 # see target "image-build"
-IMAGE_BUILD_FLAGS = --build-arg USE_LOCAL=false
+IMAGE_BUILD_FLAGS ?= --build-arg USE_LOCAL=false
+
+# Read any custom variables overrides from a local.mk file.  This will only be read if it exists in the 
+# same directory as this Makefile.  Variables can be specified in the standard format supported by 
+# GNU Make since `include` processes any valid Makefile
+# Standard variables override would include anything you would pass at runtime that is different
+# from the defaults specified in this file
+OPERATOR_MAKE_ENV_FILE = local.mk
+-include $(OPERATOR_MAKE_ENV_FILE)
+
 
 .PHONY: default
-default: lint unit-test build
+default: manifests lint unit-test build
 
 ##@ General
 

README.md

@@ -300,3 +300,7 @@ make e2e-test -e OPERATOR_NAMESPACE=<namespace> -e E2E_TEST_FLAGS="--skip-deleti
 ### Troubleshooting
 
 Please refer to [troubleshooting documentation](docs/troubleshooting.md)
+
+### Upgrade testing
+
+Please refer to [upgrade testing documentation](docs/upgrade-testing.md)

apis/dscinitialization/v1/dscinitialization_types.go

@@ -45,9 +45,15 @@ type DSCInitializationSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
 	// +optional
 	ServiceMesh infrav1.ServiceMeshSpec `json:"serviceMesh,omitempty"`
+	// When set to `Managed`, adds odh-trusted-ca-bundle Configmap to all namespaces that includes
+	// cluster-wide Trusted CA Bundle in .data["ca-bundle.crt"].
+	// Additionally, this fields allows admins to add custom CA bundles to the configmap using the .CustomCABundle field.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
+	// +optional
+	TrustedCABundle TrustedCABundleSpec `json:"trustedCABundle,omitempty"`
 	// Internal development useful field to test customizations.
 	// This is not recommended to be used in production environment.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=5
 	// +optional
 	DevFlags *DevFlags `json:"devFlags,omitempty"`
 }
@@ -73,6 +79,18 @@ type DevFlags struct {
 	ManifestsUri string `json:"manifestsUri,omitempty"`
 }
 
+type TrustedCABundleSpec struct {
+	// managementState indicates whether and how the operator should manage customized CA bundle
+	// +kubebuilder:validation:Enum=Managed;Removed;Unmanaged
+	// +kubebuilder:default=Removed
+	ManagementState operatorv1.ManagementState `json:"managementState"`
+	// A custom CA bundle that will be available for  all  components in the
+	// Data Science Cluster(DSC). This bundle will be stored in odh-trusted-ca-bundle
+	// ConfigMap .data.odh-ca-bundle.crt .
+	// +kubebuilder:default=""
+	CustomCABundle string `json:"customCABundle"`
+}
+
 // DSCInitializationStatus defines the observed state of DSCInitialization.
 type DSCInitializationStatus struct {
 	// Phase describes the Phase of DSCInitializationStatus

apis/features/v1/features_types.go

@@ -23,6 +23,19 @@ type FeatureTracker struct {
 	Status FeatureTrackerStatus `json:"status,omitempty"`
 }
 
+// NewFeatureTracker instantiate FeatureTracker instance.
+func NewFeatureTracker(name, appNamespace string) *FeatureTracker {
+	return &FeatureTracker{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "features.opendatahub.io/v1",
+			Kind:       "FeatureTracker",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: appNamespace + "-" + name,
+		},
+	}
+}
+
 type FeaturePhase string
 type OwnerType string
 

bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml

@@ -123,6 +123,31 @@ spec:
                     pattern: ^(Managed|Unmanaged|Force|Removed)$
                     type: string
                 type: object
+              trustedCABundle:
+                description: When set to `Managed`, adds odh-trusted-ca-bundle Configmap
+                  to all namespaces that includes cluster-wide Trusted CA Bundle in
+                  .data["ca-bundle.crt"]. Additionally, this fields allows admins
+                  to add custom CA bundles to the configmap using the .CustomCABundle
+                  field.
+                properties:
+                  customCABundle:
+                    description: A custom CA bundle that will be available for  all  components
+                      in the Data Science Cluster(DSC). This bundle will be stored
+                      in odh-trusted-ca-bundle ConfigMap .data.odh-ca-bundle.crt .
+                    type: string
+                  managementState:
+                    default: Removed
+                    description: managementState indicates whether and how the operator
+                      should manage customized CA bundle
+                    enum:
+                    - Managed
+                    - Removed
+                    - Unmanaged
+                    pattern: ^(Managed|Unmanaged|Force|Removed)$
+                    type: string
+                required:
+                - managementState
+                type: object
             required:
             - applicationsNamespace
             type: object

bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: prometheus-k8s-viewer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  verbs:
+  - get
+  - watch
+  - list

config/rbac/auth_proxy_role_binding.yaml → bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml

@@ -1,12 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: proxy-rolebinding
+  creationTimestamp: null
+  name: prometheus-k8s-viewer
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: proxy-role
+  name: prometheus-k8s-viewer
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
-  namespace: system
+  name: prometheus-k8s
+  namespace: openshift-monitoring

bundle/manifests/rhods-operator.clusterserviceversion.yaml

@@ -49,9 +49,6 @@ metadata:
               "ray": {
                 "managementState": "Removed"
               },
-              "trustyai": {
-                "managementState": "Managed"
-              },
               "workbenches": {
                 "managementState": "Managed"
               }
@@ -84,6 +81,10 @@ metadata:
                 "namespace": "istio-system"
               },
               "managementState": "Managed"
+            },
+            "trustedCABundle": {
+              "customCABundle": "",
+              "managementState": "Managed"
             }
           }
         },
@@ -156,9 +157,6 @@ metadata:
             },
             "workbenches": {
               "managementState": "Managed"
-            },
-            "trustyai": {
-              "managementState": "Managed"
             }
           }
         }
@@ -201,6 +199,12 @@ spec:
           e.g. it provides unified authentication giving a Single Sign On experience.
         displayName: Service Mesh
         path: serviceMesh
+      - description: When set to `Managed`, adds odh-trusted-ca-bundle Configmap to
+          all namespaces that includes cluster-wide Trusted CA Bundle in .data["ca-bundle.crt"].
+          Additionally, this fields allows admins to add custom CA bundles to the
+          configmap using the .CustomCABundle field.
+        displayName: Trusted CABundle
+        path: trustedCABundle
       - description: Internal development useful field to test customizations. This
           is not recommended to be used in production environment.
         displayName: Dev Flags
@@ -1332,6 +1336,7 @@ spec:
           resources:
           - subscriptions
           verbs:
+          - delete
           - get
           - list
           - watch
@@ -1798,11 +1803,6 @@ spec:
                   requests:
                     cpu: 500m
                     memory: 256Mi
-                securityContext:
-                  allowPrivilegeEscalation: false
-                  capabilities:
-                    drop:
-                    - ALL
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: redhat-ods-operator-controller-manager

components/codeflare/codeflare.go

@@ -108,7 +108,7 @@ func (c *CodeFlare) ReconcileComponent(ctx context.Context, cli client.Client, r
 	// CloudServiceMonitoring handling
 	if platform == deploy.ManagedRhods {
 		if enabled {
-			// first check if the service is up, so prometheus wont fire alerts when it is just startup
+			// first check if the service is up, so prometheus won't fire alerts when it is just startup
 			if err := monitoring.WaitForDeploymentAvailable(ctx, resConf, ComponentName, dscispec.ApplicationsNamespace, 20, 2); err != nil {
 				return fmt.Errorf("deployment for %s is not ready to server: %w", ComponentName, err)
 			}

components/component.go

@@ -60,7 +60,7 @@ type DevFlags struct {
 }
 
 type ManifestsConfig struct {
-	// uri is the URI point to a git repo with tag/branch. e.g  https://github.com/org/repo/tarball/<tag/branch>
+	// uri is the URI point to a git repo with tag/branch. e.g.  https://github.com/org/repo/tarball/<tag/branch>
 	// +optional
 	// +kubebuilder:default:=""
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1
@@ -72,7 +72,7 @@ type ManifestsConfig struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=2
 	ContextDir string `json:"contextDir,omitempty"`
 
-	// sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, `default`, `odh` etc
+	// sourcePath is the subpath within contextDir where kustomize builds start. Examples include any sub-folder or path: `base`, `overlays/dev`, `default`, `odh` etc.
 	// +optional
 	// +kubebuilder:default:=""
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3

components/dashboard/dashboard.go

@@ -172,7 +172,7 @@ func (d *Dashboard) ReconcileComponent(ctx context.Context,
 		// CloudService Monitoring handling
 		if platform == deploy.ManagedRhods {
 			if enabled {
-				// first check if the service is up, so prometheus wont fire alerts when it is just startup
+				// first check if the service is up, so prometheus won't fire alerts when it is just startup
 				if err := monitoring.WaitForDeploymentAvailable(ctx, resConf, ComponentNameSupported, dscispec.ApplicationsNamespace, 20, 3); err != nil {
 					return fmt.Errorf("deployment for %s is not ready to server: %w", ComponentName, err)
 				}

components/datasciencepipelines/datasciencepipelines.go

@@ -98,7 +98,7 @@ func (d *DataSciencePipelines) ReconcileComponent(ctx context.Context,
 	// CloudService Monitoring handling
 	if platform == deploy.ManagedRhods {
 		if enabled {
-			// first check if the service is up, so prometheus wont fire alerts when it is just startup
+			// first check if the service is up, so prometheus won't fire alerts when it is just startup
 			// only 1 replica should be very quick
 			if err := monitoring.WaitForDeploymentAvailable(ctx, resConf, ComponentName, dscispec.ApplicationsNamespace, 10, 1); err != nil {
 				return fmt.Errorf("deployment for %s is not ready to server: %w", ComponentName, err)