@@ -17,6 +17,24 @@ ${SUBSCRIPTION} ./assets/olm/subscription.yaml
1717${SUBSCRIPTION_NAME } amq-broker
1818${MARKETPLACE_NAMESPACE } openshift-marketplace
1919${OPERATORS_NAMESPACE } openshift-operators
20+ ${OLM_NAMESPACE } openshift-operator-lifecycle-manager
21+
22+ # Test 69867 - single namespace install mode
23+ ${SINGLE_NS } olm-microshift-69867
24+ ${SINGLE_OG } ./assets/olm/og-single.yaml
25+ ${SINGLE_CATALOG } ./assets/olm/nginx-ok-catalog-source-single.yaml
26+ ${SINGLE_CATALOG_NAME } nginx-ok-catalog
27+ ${SINGLE_SUB } ./assets/olm/nginx-ok1-subscription.yaml
28+ ${SINGLE_SUB_NAME } nginx-ok1-1399
29+ ${SINGLE_PKG } nginx-ok1-1399
30+
31+ # Test 69868 - all namespaces install mode with OperatorGroup conflict
32+ ${ALL_OG } ./assets/olm/og-all.yaml
33+ ${ALL_OG_NAME } og-all
34+ ${ALL_CATALOG } ./assets/olm/nginx-ok-catalog-source-all.yaml
35+ ${ALL_CATALOG_NAME } catalog-all
36+ ${ALL_SUB } ./assets/olm/nginx-ok2-subscription.yaml
37+ ${ALL_SUB_NAME } nginx-ok2-1399
2038
2139
2240*** Test Cases ***
@@ -38,6 +56,80 @@ Deploy AmqBroker From Red Hat Operators catalog
3856 ... AND
3957 ... Wait For Deployments Deletion @{deployments }
4058
59+ Install Operator In Single Namespace Mode
60+ [Documentation] Creates a dedicated namespace with a SingleNamespace OperatorGroup
61+ ... and installs nginx-ok1-1399 operator, verifying successful CSV installation
62+ ... and expected operator resources. Migrated from openshift-tests-private 69867.
63+ [Setup] OLM Should Be Ready
64+
65+ Create Namespace ${SINGLE_NS }
66+ Oc Create -f ${SINGLE_OG }
67+ Oc Create -f ${SINGLE_CATALOG }
68+ Wait Until Keyword Succeeds 10m 15s
69+ ... CatalogSource Should Be Ready ${SINGLE_NS } ${SINGLE_CATALOG_NAME }
70+ Oc Create -f ${SINGLE_SUB }
71+ Wait Until Keyword Succeeds 10m 15s
72+ ... Subscription Should Be AtLatestKnown ${SINGLE_NS } ${SINGLE_SUB_NAME }
73+ ${csv } = Get CSV Name From Subscription ${SINGLE_NS } ${SINGLE_SUB_NAME }
74+ Wait For CSV ${SINGLE_NS } ${csv }
75+ Operator Should Have Expected Resources ${SINGLE_PKG } ${SINGLE_NS }
76+
77+ [Teardown] Single Namespace Test Teardown
78+
79+ Install Operator In All Namespaces Mode With OperatorGroup Conflict
80+ [Documentation] Creates a second AllNamespaces OperatorGroup in openshift-operators
81+ ... alongside the existing global-operators OG, installs nginx-ok2-1399 and verifies
82+ ... the MultipleOperatorGroupsFound error blocks installation. Resolves the conflict by
83+ ... deleting the extra OG and verifies the CSV installs successfully.
84+ ... Migrated from openshift-tests-private 69868.
85+ [Setup] OLM Should Be Ready
86+
87+ VAR ${csv } = ${EMPTY }
88+ Oc Get operatorgroup ${OPERATORS_NAMESPACE } global-operators
89+ Oc Create -f ${ALL_OG }
90+ Oc Create -f ${ALL_CATALOG }
91+ Wait Until Keyword Succeeds 10m 15s
92+ ... CatalogSource Should Be Ready ${MARKETPLACE_NAMESPACE } ${ALL_CATALOG_NAME }
93+ Oc Create -f ${ALL_SUB }
94+ Wait Until Keyword Succeeds 2m 10s
95+ ... OperatorGroup Should Have MultipleOperatorGroupsFound ${OPERATORS_NAMESPACE } ${ALL_OG_NAME }
96+ Subscription Should Have Empty Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
97+ Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE }
98+ ${csv } = Wait For Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
99+ Wait For CSV ${OPERATORS_NAMESPACE } ${csv }
100+ Wait Until Keyword Succeeds 2m 10s
101+ ... CSV Should Exist In Namespace ${csv } default
102+
103+ [Teardown] All Namespaces Test Teardown ${csv }
104+
105+ OLM Network Policies Are Correctly Configured
106+ [Documentation] Verifies that OLM-managed NetworkPolicies exist with correct pod
107+ ... selectors, policy types, and key ingress/egress port rules.
108+ ... Migrated from openshift-tests-private 83581.
109+
110+ # catalog-operator: metrics ingress, grpc (50051) + DNS egress, pod-scoped
111+ Verify NetworkPolicy Pod Selector Label catalog-operator ${OLM_NAMESPACE } app catalog-operator
112+ Verify NetworkPolicy Policy Types catalog-operator ${OLM_NAMESPACE }
113+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } ingress metrics
114+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } egress 50051
115+
116+ # default-deny-all-traffic: no rules, applies to all pods in OLM namespace
117+ Verify NetworkPolicy Has Empty Pod Selector default-deny-all-traffic ${OLM_NAMESPACE }
118+ Verify NetworkPolicy Policy Types default-deny-all-traffic ${OLM_NAMESPACE }
119+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } ingress ${EMPTY }
120+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } egress ${EMPTY }
121+
122+ # olm-operator: metrics ingress, DNS egress, pod-scoped
123+ Verify NetworkPolicy Pod Selector Label olm-operator ${OLM_NAMESPACE } app olm-operator
124+ Verify NetworkPolicy Policy Types olm-operator ${OLM_NAMESPACE }
125+ Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE } ingress metrics
126+
127+ # default-allow-all: permits all traffic in openshift-operators namespace
128+ Verify NetworkPolicy Has Empty Pod Selector default-allow-all ${OPERATORS_NAMESPACE }
129+ Verify NetworkPolicy Policy Types default-allow-all ${OPERATORS_NAMESPACE }
130+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } ingress
131+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } egress
132+
41133
42134*** Keywords ***
43135Setup
@@ -113,8 +205,8 @@ Subscription Should Be AtLatestKnown
113205
114206Get CSV Name From Subscription
115207 [Documentation] Obtains Subscription's CSV name.
116- [Arguments] ${namespace } ${name } # robocop: off=unused-argument
117- ${sub } = Oc Get subscriptions.operators.coreos.com ${OPERATORS_NAMESPACE } ${SUBSCRIPTION_NAME }
208+ [Arguments] ${namespace } ${name }
209+ ${sub } = Oc Get subscriptions.operators.coreos.com ${namespace } ${name }
118210 RETURN ${sub.status.currentCSV }
119211
120212Wait For CSV
@@ -165,6 +257,126 @@ Wait For Deployments Deletion
165257 [Documentation] Wait for Deployments to be deleted.
166258 [Arguments] ${namespace } @{deployments }
167259 FOR ${deploy } IN @{deployments }
168- Run With Kubeconfig
169- ... oc wait deployment --for=delete -n ${namespace } ${deploy } --timeout=${DEFAULT_WAIT_TIMEOUT }
260+ Oc Wait deployment --for=delete -n ${namespace } ${deploy } --timeout=${DEFAULT_WAIT_TIMEOUT }
261+ END
262+
263+ Operator Should Have Expected Resources
264+ [Documentation] Verifies that the operators.operators.coreos.com resource for a given
265+ ... package and namespace contains expected resource type references in its status.
266+ [Arguments] ${package } ${namespace }
267+ ${status } = Oc Get JsonPath
268+ ... operators.operators.coreos.com
269+ ... ${EMPTY }
270+ ... ${package } .${namespace }
271+ ... .status
272+ Should Contain ${status } ClusterRole
273+ Should Contain ${status } ClusterRoleBinding
274+ Should Contain ${status } ClusterServiceVersion
275+ Should Contain ${status } CustomResourceDefinition
276+ Should Contain ${status } Deployment
277+ Should Contain ${status } OperatorCondition
278+ Should Contain ${status } Subscription
279+
280+ Single Namespace Test Teardown
281+ [Documentation] Cleanup resources created by the single namespace install test.
282+ Oc Delete subscription ${SINGLE_SUB_NAME } -n ${SINGLE_NS } --ignore-not-found
283+ Oc Delete csv --all -n ${SINGLE_NS } --ignore-not-found
284+ Oc Delete catalogsource ${SINGLE_CATALOG_NAME } -n ${SINGLE_NS } --ignore-not-found
285+ Oc Delete namespace ${SINGLE_NS } --ignore-not-found
286+
287+ OperatorGroup Should Have MultipleOperatorGroupsFound
288+ [Documentation] Checks that the OperatorGroup status contains the MultipleOperatorGroupsFound condition.
289+ [Arguments] ${namespace } ${name }
290+ ${status } = Oc Get JsonPath operatorgroup ${namespace } ${name } .status
291+ Should Contain ${status } MultipleOperatorGroupsFound
292+
293+ Subscription Should Have Empty Installed CSV
294+ [Documentation] Verifies that the subscription's installedCSV is empty,
295+ ... indicating no CSV has been installed (e.g. due to OperatorGroup conflict).
296+ [Arguments] ${namespace } ${name }
297+ ${installed_csv } = Oc Get JsonPath
298+ ... subscriptions.operators.coreos.com
299+ ... ${namespace }
300+ ... ${name }
301+ ... .status.installedCSV
302+ Should Be Empty ${installed_csv }
303+
304+ Wait For Installed CSV
305+ [Documentation] Polls the subscription until installedCSV is set, then returns it.
306+ [Arguments] ${namespace } ${name } ${timeout } =10m
307+ Wait Until Keyword Succeeds ${timeout } 15s
308+ ... Subscription Should Have Installed CSV ${namespace } ${name }
309+ ${csv } = Oc Get JsonPath
310+ ... subscriptions.operators.coreos.com
311+ ... ${namespace }
312+ ... ${name }
313+ ... .status.installedCSV
314+ RETURN ${csv }
315+
316+ Subscription Should Have Installed CSV
317+ [Documentation] Fails if the subscription's installedCSV field is empty.
318+ [Arguments] ${namespace } ${name }
319+ ${csv } = Oc Get JsonPath
320+ ... subscriptions.operators.coreos.com
321+ ... ${namespace }
322+ ... ${name }
323+ ... .status.installedCSV
324+ Should Not Be Empty ${csv }
325+
326+ CSV Should Exist In Namespace
327+ [Documentation] Verifies that a CSV with the given name exists in the namespace.
328+ [Arguments] ${csv } ${namespace }
329+ ${output } = Run With Kubeconfig oc get csv -n ${namespace }
330+ Should Contain ${output } ${csv }
331+
332+ All Namespaces Test Teardown
333+ [Documentation] Cleanup resources created by the all namespaces install test.
334+ [Arguments] ${csv } =${EMPTY }
335+ Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
336+ Oc Delete subscription ${ALL_SUB_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
337+ IF "${csv } " != "${EMPTY } "
338+ Oc Delete csv ${csv } -n ${OPERATORS_NAMESPACE } --ignore-not-found
339+ END
340+ Oc Delete catalogsource ${ALL_CATALOG_NAME } -n ${MARKETPLACE_NAMESPACE } --ignore-not-found
341+
342+ Verify NetworkPolicy Pod Selector Label
343+ [Documentation] Verifies that a NetworkPolicy's podSelector has the expected label key=value.
344+ [Arguments] ${name } ${namespace } ${label_key } ${expected_value }
345+ ${actual } = Oc Get JsonPath
346+ ... networkpolicy
347+ ... ${namespace }
348+ ... ${name }
349+ ... .spec.podSelector.matchLabels.${label_key }
350+ Should Be Equal ${actual } ${expected_value }
351+
352+ Verify NetworkPolicy Has Empty Pod Selector
353+ [Documentation] Verifies that a NetworkPolicy's podSelector has no matchLabels
354+ ... (i.e. applies to all pods in the namespace).
355+ [Arguments] ${name } ${namespace }
356+ ${labels } = Oc Get JsonPath
357+ ... networkpolicy
358+ ... ${namespace }
359+ ... ${name }
360+ ... .spec.podSelector.matchLabels
361+ Should Be Empty ${labels }
362+
363+ Verify NetworkPolicy Policy Types
364+ [Documentation] Verifies that a NetworkPolicy has both Ingress and Egress policy types.
365+ [Arguments] ${name } ${namespace }
366+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Ingress
367+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Egress
368+
369+ Verify NetworkPolicy Spec Field
370+ [Documentation] Gets .spec.${field} from a NetworkPolicy and asserts based on ${expected}:
371+ ... - omitted: field must not be empty (allow-all check)
372+ ... - ${EMPTY}: field must be empty (deny-all / no rules check)
373+ ... - any string: field output must contain that string (port or type check)
374+ [Arguments] ${name } ${namespace } ${field } ${expected } =${NONE }
375+ ${value } = Oc Get JsonPath networkpolicy ${namespace } ${name } .spec.${field }
376+ IF $expected is None
377+ Should Not Be Empty ${value }
378+ ELSE IF $expected == ''
379+ Should Be Empty ${value }
380+ ELSE
381+ Should Contain ${value } ${expected }
170382 END
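Review bot: `Verify NetworkPolicy Has Empty Pod Selector` only asserts that `.spec.podSelector.matchLabels` is empty, so a policy whose selector is narrowed through `matchExpressions` would still pass as "applies to all pods". For `default-deny-all-traffic` that means a deny policy that no longer covers every pod in the OLM namespace would go unnoticed. Add a second lookup in that keyword, `${exprs} =    Oc Get JsonPath    networkpolicy    ${namespace}    ${name}    .spec.podSelector.matchExpressions` followed by `Should Be Empty    ${exprs}`; this assumes `Oc Get JsonPath` yields an empty string for an absent field, which the existing matchLabels check already relies on. Relatedly, `Verify NetworkPolicy Spec Field` uses `Should Contain`, so the `egress 50051` and `ingress metrics` assertions show that the expected rule is present but not that no broader rule sits beside it. The DNS egress named in the test comments is not asserted at all, so a rule-count or exact-match check on `.spec.ingress` and `.spec.egress` would be needed to catch a widened policy.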