@@ -17,6 +17,24 @@ ${SUBSCRIPTION} ./assets/olm/subscription.yaml
1717${SUBSCRIPTION_NAME } amq-broker
1818${MARKETPLACE_NAMESPACE } openshift-marketplace
1919${OPERATORS_NAMESPACE } openshift-operators
20+ ${OLM_NAMESPACE } openshift-operator-lifecycle-manager
21+
22+ # Test 69867 - single namespace install mode
23+ ${SINGLE_NS } olm-microshift-69867
24+ ${SINGLE_OG } ./assets/olm/og-single.yaml
25+ ${SINGLE_CATALOG } ./assets/olm/nginx-ok-catalog-source-single.yaml
26+ ${SINGLE_CATALOG_NAME } nginx-ok-catalog
27+ ${SINGLE_SUB } ./assets/olm/nginx-ok1-subscription.yaml
28+ ${SINGLE_SUB_NAME } nginx-ok1-1399
29+ ${SINGLE_PKG } nginx-ok1-1399
30+
31+ # Test 69868 - all namespaces install mode with OperatorGroup conflict
32+ ${ALL_OG } ./assets/olm/og-all.yaml
33+ ${ALL_OG_NAME } og-all
34+ ${ALL_CATALOG } ./assets/olm/nginx-ok-catalog-source-all.yaml
35+ ${ALL_CATALOG_NAME } catalog-all
36+ ${ALL_SUB } ./assets/olm/nginx-ok2-subscription.yaml
37+ ${ALL_SUB_NAME } nginx-ok2-1399
2038
2139
2240*** Test Cases ***
@@ -38,6 +56,85 @@ Deploy AmqBroker From Red Hat Operators catalog
3856 ... AND
3957 ... Wait For Deployments Deletion @{deployments }
4058
59+ Install Operator In Single Namespace Mode
60+ [Documentation] Creates a dedicated namespace with a SingleNamespace OperatorGroup
61+ ... targeting the dedicated namespace (${SINGLE_NS}), installs nginx-ok1-1399 operator,
62+ ... verifying successful CSV installation and expected operator resources.
63+ ... Migrated from openshift-tests-private 69867.
64+ [Setup] OLM Should Be Ready
65+
66+ Create Namespace ${SINGLE_NS }
67+ Oc Create -f ${SINGLE_OG }
68+ Oc Create -f ${SINGLE_CATALOG }
69+ Wait Until Keyword Succeeds 10m 15s
70+ ... CatalogSource Should Be Ready ${SINGLE_NS } ${SINGLE_CATALOG_NAME }
71+ Oc Create -f ${SINGLE_SUB }
72+ Wait Until Keyword Succeeds 10m 15s
73+ ... Subscription Should Be AtLatestKnown ${SINGLE_NS } ${SINGLE_SUB_NAME }
74+ ${csv } = Get CSV Name From Subscription ${SINGLE_NS } ${SINGLE_SUB_NAME }
75+ Wait For CSV ${SINGLE_NS } ${csv }
76+ Operator Should Have Expected Resources ${SINGLE_PKG } ${SINGLE_NS }
77+
78+ [Teardown] Single Namespace Test Teardown
79+
80+ Install Operator In All Namespaces Mode With OperatorGroup Conflict
81+ [Documentation] Creates a second AllNamespaces OperatorGroup in openshift-operators
82+ ... alongside the existing global-operators OG, installs nginx-ok2-1399 and verifies
83+ ... the MultipleOperatorGroupsFound error blocks installation. Resolves the conflict by
84+ ... deleting the extra OG and verifies the CSV installs successfully and is copied into
85+ ... the default namespace, confirming AllNamespaces mode propagation.
86+ ... Migrated from openshift-tests-private 69868.
87+ [Setup] OLM Should Be Ready
88+
89+ VAR ${csv } = ${EMPTY }
90+ Oc Get operatorgroup ${OPERATORS_NAMESPACE } global-operators
91+ Oc Create -f ${ALL_OG }
92+ Oc Create -f ${ALL_CATALOG }
93+ Wait Until Keyword Succeeds 10m 15s
94+ ... CatalogSource Should Be Ready ${MARKETPLACE_NAMESPACE } ${ALL_CATALOG_NAME }
95+ Oc Create -f ${ALL_SUB }
96+ Wait Until Keyword Succeeds 10m 15s
97+ ... OperatorGroup Should Have MultipleOperatorGroupsFound ${OPERATORS_NAMESPACE } ${ALL_OG_NAME }
98+ Wait Until Keyword Succeeds 2m 10s
99+ ... Subscription Should Have Empty Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
100+ Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE }
101+ ${csv } = Wait For Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
102+ Wait For CSV ${OPERATORS_NAMESPACE } ${csv }
103+ Wait Until Keyword Succeeds 2m 10s
104+ ... CSV Should Exist In Namespace ${csv } default
105+
106+ [Teardown] All Namespaces Test Teardown ${csv }
107+
108+ OLM Network Policies Are Correctly Configured
109+ [Documentation] Verifies that OLM-managed NetworkPolicies exist with correct pod
110+ ... selectors, policy types, and key ingress/egress port rules.
111+ ... Migrated from openshift-tests-private 83581.
112+ [Setup] OLM Should Be Ready
113+
114+ # catalog-operator: metrics ingress; API server, DNS, and gRPC (50051) egress; pod-scoped
115+ Verify NetworkPolicy Pod Selector Label catalog-operator ${OLM_NAMESPACE } app catalog-operator
116+ Verify NetworkPolicy Policy Types catalog-operator ${OLM_NAMESPACE }
117+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } ingress metrics
118+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } egress 50051
119+
120+ # default-deny-all-traffic: no ingress/egress rules, applies to all pods in OLM namespace
121+ Verify NetworkPolicy Has Empty Pod Selector default-deny-all-traffic ${OLM_NAMESPACE }
122+ Verify NetworkPolicy Policy Types default-deny-all-traffic ${OLM_NAMESPACE }
123+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } ingress ${EMPTY }
124+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } egress ${EMPTY }
125+
126+ # olm-operator: metrics ingress; API server and DNS egress; pod-scoped
127+ Verify NetworkPolicy Pod Selector Label olm-operator ${OLM_NAMESPACE } app olm-operator
128+ Verify NetworkPolicy Policy Types olm-operator ${OLM_NAMESPACE }
129+ Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE } ingress metrics
130+ Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE } egress 53
131+
132+ # default-allow-all: both Ingress and Egress defined with no port restrictions in openshift-operators
133+ Verify NetworkPolicy Has Empty Pod Selector default-allow-all ${OPERATORS_NAMESPACE }
134+ Verify NetworkPolicy Policy Types default-allow-all ${OPERATORS_NAMESPACE }
135+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } ingress
136+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } egress
137+
41138
42139*** Keywords ***
43140Setup
@@ -95,7 +192,7 @@ CatalogSource Should Be Ready
95192 TRY
96193 Should Be Equal As Strings READY ${catalog.status.connectionState.lastObservedState }
97194 EXCEPT
98- Run With Kubeconfig oc get events -n openshift-marketplace --sort-by='.lastTimestamp'
195+ Run With Kubeconfig oc get events -n ${ namespace }
99196 Fail Catalog Source Is Not Ready
100197 END
101198
@@ -106,15 +203,17 @@ Create Subscription
106203 ... Subscription Should Be AtLatestKnown ${OPERATORS_NAMESPACE } ${SUBSCRIPTION_NAME }
107204
108205Subscription Should Be AtLatestKnown
109- [Documentation] Checks if subscription has state "AtLeastKnown "
206+ [Documentation] Checks if subscription has state "AtLatestKnown "
110207[Arguments] ${namespace } ${name }
111208 ${sub } = Oc Get subscriptions.operators.coreos.com ${namespace } ${name }
112209 Should Be Equal As Strings AtLatestKnown ${sub.status.state }
113210
114211Get CSV Name From Subscription
115212 [Documentation] Obtains Subscription's CSV name.
116- [Arguments] ${namespace } ${name } # robocop: off=unused-argument
117- ${sub } = Oc Get subscriptions.operators.coreos.com ${OPERATORS_NAMESPACE } ${SUBSCRIPTION_NAME }
213+ [Arguments] ${namespace } ${name }
214+ ${sub } = Oc Get subscriptions.operators.coreos.com ${namespace } ${name }
215+ Should Not Be Empty ${sub.status.currentCSV }
216+ ... msg=Subscription ${name } in ${namespace } has no currentCSV set yet
118217 RETURN ${sub.status.currentCSV }
119218
120219Wait For CSV
@@ -165,6 +264,140 @@ Wait For Deployments Deletion
165264 [Documentation] Wait for Deployments to be deleted.
166265[Arguments] ${namespace } @{deployments }
167266 FOR ${deploy } IN @{deployments }
168- Run With Kubeconfig
169- ... oc wait deployment --for=delete -n ${namespace } ${deploy } --timeout=${DEFAULT_WAIT_TIMEOUT }
267+ Oc Wait -n ${namespace } deployment/${deploy } --for=delete --timeout=${DEFAULT_WAIT_TIMEOUT }
268+ END
269+
270+ Operator Should Have Expected Resources
271+ [Documentation] Verifies that the operators.operators.coreos.com resource for a given
272+ ... package and namespace contains expected resource type references in its status.
273+ ... The Operator resource name follows the convention <package>.<namespace>.
274+ [Arguments] ${package } ${namespace }
275+ ${status } = Oc Get JsonPath
276+ ... operators.operators.coreos.com
277+ ... ${EMPTY }
278+ ... ${package } .${namespace }
279+ ... .status
280+ Should Contain ${status } ClusterRole
281+ Should Contain ${status } ClusterRoleBinding
282+ Should Contain ${status } ClusterServiceVersion
283+ Should Contain ${status } CustomResourceDefinition
284+ Should Contain ${status } Deployment
285+ Should Contain ${status } OperatorCondition
286+ Should Contain ${status } Subscription
287+
288+ Single Namespace Test Teardown
289+ [Documentation] Cleanup resources created by the single namespace install test.
290+ ... Uses Run Keyword And Continue On Failure so all steps run even if one errors.
291+
292+ ... Oc Delete subscription ${SINGLE_SUB_NAME } -n ${SINGLE_NS } --ignore-not-found
293+ Run Keyword And Continue On Failure
294+ ... Oc Delete csv --all -n ${SINGLE_NS } --ignore-not-found
295+ Run Keyword And Continue On Failure
296+ ... Oc Delete catalogsource ${SINGLE_CATALOG_NAME } -n ${SINGLE_NS } --ignore-not-found
297+ Run Keyword And Continue On Failure
298+ ... Oc Delete namespace ${SINGLE_NS } --ignore-not-found
299+
300+ OperatorGroup Should Have MultipleOperatorGroupsFound
301+ [Documentation] Checks that the OperatorGroup status contains the MultipleOperatorGroupsFound condition.
302+ [Arguments] ${namespace } ${name }
303+ ${status } = Oc Get JsonPath operatorgroup ${namespace } ${name } .status
304+ Should Contain ${status } MultipleOperatorGroupsFound
305+
306+ Subscription Should Have Empty Installed CSV
307+ [Documentation] Verifies that the subscription's installedCSV is empty, indicating no CSV
308+ ... has been installed (e.g. due to OperatorGroup conflict). Call this only after confirming
309+ ... the OperatorGroup has MultipleOperatorGroupsFound, which guarantees OLM has reconciled
310+ ... the conflict before the subscription state is checked.
311+ [Arguments] ${namespace } ${name }
312+ ${installed_csv } = Oc Get JsonPath
313+ ... subscriptions.operators.coreos.com
314+ ... ${namespace }
315+ ... ${name }
316+ ... .status.installedCSV
317+ Should Be Empty ${installed_csv }
318+
319+ Wait For Installed CSV
320+ [Documentation] Polls the subscription until installedCSV is set, then returns it.
321+ [Arguments] ${namespace } ${name } ${timeout } =10m
322+ ${csv } = Wait Until Keyword Succeeds ${timeout } 15s
323+ ... Subscription Should Have Installed CSV ${namespace } ${name }
324+ RETURN ${csv }
325+
326+ Subscription Should Have Installed CSV
327+ [Documentation] Fails if the subscription's installedCSV field is empty, returns the CSV name.
328+ [Arguments] ${namespace } ${name }
329+ ${csv } = Oc Get JsonPath
330+ ... subscriptions.operators.coreos.com
331+ ... ${namespace }
332+ ... ${name }
333+ ... .status.installedCSV
334+ Should Not Be Empty ${csv }
335+ RETURN ${csv }
336+
337+ CSV Should Exist In Namespace
338+ [Documentation] Verifies that a CSV with the given name exists in the namespace.
339+ [Arguments] ${csv } ${namespace }
340+ Oc Get clusterserviceversion.operators.coreos.com ${namespace } ${csv }
341+
342+ All Namespaces Test Teardown
343+ [Documentation] Cleanup resources created by the all namespaces install test.
344+ ... When ${csv} is empty (test failed before CSV was recorded), falls back to
345+ ... bulk CSV cleanup to avoid orphaned resources. Uses Run Keyword And Continue On Failure
346+ ... so all steps run even if one errors.
347+ [Arguments] ${csv } =${EMPTY }
348+ Run Keyword And Continue On Failure
349+ ... Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
350+ Run Keyword And Continue On Failure
351+ ... Oc Delete subscription ${ALL_SUB_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
352+ IF "${csv } " != "${EMPTY } "
353+ Run Keyword And Continue On Failure
354+ ... Oc Delete csv ${csv } -n ${OPERATORS_NAMESPACE } --ignore-not-found
355+ ELSE
356+ Log csv not recorded; attempting bulk CSV cleanup to avoid orphaned resources WARN
357+ Run Keyword And Continue On Failure
358+ ... Oc Delete csv --all -n ${OPERATORS_NAMESPACE } --ignore-not-found
359+ END
360+ Run Keyword And Continue On Failure
361+ ... Oc Delete catalogsource ${ALL_CATALOG_NAME } -n ${MARKETPLACE_NAMESPACE } --ignore-not-found
362+
363+ Verify NetworkPolicy Pod Selector Label
364+ [Documentation] Verifies that a NetworkPolicy's podSelector has the expected label key=value.
365+ [Arguments] ${name } ${namespace } ${label_key } ${expected_value }
366+ ${actual } = Oc Get JsonPath
367+ ... networkpolicy
368+ ... ${namespace }
369+ ... ${name }
370+ ... .spec.podSelector.matchLabels.${label_key }
371+ Should Be Equal ${actual } ${expected_value }
372+
373+ Verify NetworkPolicy Has Empty Pod Selector
374+ [Documentation] Verifies that a NetworkPolicy's podSelector has no matchLabels
375+ ... (i.e. applies to all pods in the namespace).
376+ [Arguments] ${name } ${namespace }
377+ ${labels } = Oc Get JsonPath
378+ ... networkpolicy
379+ ... ${namespace }
380+ ... ${name }
381+ ... .spec.podSelector.matchLabels
382+ Should Be Empty ${labels }
383+
384+ Verify NetworkPolicy Policy Types
385+ [Documentation] Verifies that a NetworkPolicy has both Ingress and Egress policy types.
386+ [Arguments] ${name } ${namespace }
387+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Ingress
388+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Egress
389+
390+ Verify NetworkPolicy Spec Field
391+ [Documentation] Gets .spec.${field} from a NetworkPolicy and asserts based on ${expected}:
392+ ... - not provided (defaults to ${NONE}): asserts the field value is not empty
393+ ... - ${EMPTY}: asserts the field value is empty (deny-all / no rules check)
394+ ... - any other string: asserts the field value contains that string (port or type check)
395+ [Arguments] ${name } ${namespace } ${field } ${expected } =${NONE }
396+ ${value } = Oc Get JsonPath networkpolicy ${namespace } ${name } .spec.${field }
397+ IF $expected is None
398+ Should Not Be Empty ${value }
399+ ELSE IF $expected == ''
400+ Should Be Empty ${value }
401+ ELSE
402+ Should Contain ${value } ${expected }
170403 END
0 commit comments