@@ -17,6 +17,24 @@ ${SUBSCRIPTION} ./assets/olm/subscription.yaml
1717${SUBSCRIPTION_NAME } amq-broker
1818${MARKETPLACE_NAMESPACE } openshift-marketplace
1919${OPERATORS_NAMESPACE } openshift-operators
20+ ${OLM_NAMESPACE } openshift-operator-lifecycle-manager
21+
22+ # Single namespace install mode
23+ ${SINGLE_NS } olm-microshift-single
24+ ${SINGLE_OG } ./assets/olm/og-single.yaml
25+ ${SINGLE_CATALOG } ./assets/olm/nginx-ok-catalog-source-single.yaml
26+ ${SINGLE_CATALOG_NAME } nginx-ok-catalog
27+ ${SINGLE_SUB } ./assets/olm/nginx-ok1-subscription.yaml
28+ ${SINGLE_SUB_NAME } nginx-ok1-1399
29+ ${SINGLE_PKG } nginx-ok1-1399
30+
31+ # All namespaces install mode with OperatorGroup conflict
32+ ${ALL_OG } ./assets/olm/og-all.yaml
33+ ${ALL_OG_NAME } og-all
34+ ${ALL_CATALOG } ./assets/olm/nginx-ok-catalog-source-all.yaml
35+ ${ALL_CATALOG_NAME } catalog-all
36+ ${ALL_SUB } ./assets/olm/nginx-ok2-subscription.yaml
37+ ${ALL_SUB_NAME } nginx-ok2-1399
2038
2139
2240*** Test Cases ***
@@ -36,7 +54,85 @@ Deploy AmqBroker From Red Hat Operators catalog
3654 ... AND
3755 ... Delete CSV ${OPERATORS_NAMESPACE } ${csv }
3856 ... AND
39- ... Wait For Deployments Deletion @{deployments }
57+ ... Wait For Deployments Deletion ${OPERATORS_NAMESPACE } @{deployments }
58+
59+ Install Operator In Single Namespace Mode
60+ [Documentation] Creates a dedicated namespace with a SingleNamespace OperatorGroup
61+ ... targeting the dedicated namespace (${SINGLE_NS}), installs nginx-ok1-1399 operator,
62+ ... verifying successful CSV installation and expected operator resources.
63+ ... Migrated from openshift-tests-private 69867.
64+ [Setup] OLM Should Be Ready
65+
66+ Create Namespace ${SINGLE_NS }
67+ Oc Create -f ${SINGLE_OG }
68+ Oc Create -f ${SINGLE_CATALOG }
69+ Wait Until Keyword Succeeds 10m 15s
70+ ... CatalogSource Should Be Ready ${SINGLE_NS } ${SINGLE_CATALOG_NAME }
71+ Oc Create -f ${SINGLE_SUB }
72+ Wait Until Keyword Succeeds 10m 15s
73+ ... Subscription Should Be AtLatestKnown ${SINGLE_NS } ${SINGLE_SUB_NAME }
74+ ${csv } = Get CSV Name From Subscription ${SINGLE_NS } ${SINGLE_SUB_NAME }
75+ Wait For CSV ${SINGLE_NS } ${csv }
76+ Operator Should Have Expected Resources ${SINGLE_PKG } ${SINGLE_NS }
77+
78+ [Teardown] Single Namespace Test Teardown
79+
80+ Install Operator In All Namespaces Mode With OperatorGroup Conflict
81+ [Documentation] Creates a second AllNamespaces OperatorGroup in openshift-operators
82+ ... alongside the existing global-operators OG, installs nginx-ok2-1399 and verifies
83+ ... the MultipleOperatorGroupsFound error blocks installation. Resolves the conflict by
84+ ... deleting the extra OG and verifies the CSV installs successfully and is copied into
85+ ... the default namespace, confirming AllNamespaces mode propagation.
86+ ... Migrated from openshift-tests-private 69868.
87+ [Setup] OLM Should Be Ready
88+
89+ VAR ${csv } = ${EMPTY }
90+ Oc Get operatorgroup ${OPERATORS_NAMESPACE } global-operators
91+ Oc Create -f ${ALL_OG }
92+ Oc Create -f ${ALL_CATALOG }
93+ Wait Until Keyword Succeeds 10m 15s
94+ ... CatalogSource Should Be Ready ${MARKETPLACE_NAMESPACE } ${ALL_CATALOG_NAME }
95+ Oc Create -f ${ALL_SUB }
96+ Wait Until Keyword Succeeds 10m 15s
97+ ... OperatorGroup Should Have MultipleOperatorGroupsFound ${OPERATORS_NAMESPACE } ${ALL_OG_NAME }
98+ Wait Until Keyword Succeeds 2m 10s
99+ ... Subscription Should Have Empty Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
100+ Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE }
101+ ${csv } = Wait For Installed CSV ${OPERATORS_NAMESPACE } ${ALL_SUB_NAME }
102+ Wait Until Keyword Succeeds 2m 10s
103+ ... CSV Should Exist In Namespace ${csv } default
104+
105+ [Teardown] All Namespaces Test Teardown ${csv }
106+
107+ OLM Network Policies Are Correctly Configured
108+ [Documentation] Verifies that OLM-managed NetworkPolicies exist with correct pod
109+ ... selectors, policy types, and key ingress/egress port rules.
110+ ... Migrated from openshift-tests-private 83581.
111+ [Setup] OLM Should Be Ready
112+
113+ # catalog-operator: metrics ingress; API server, DNS, and gRPC (50051) egress; pod-scoped
114+ Verify NetworkPolicy Pod Selector Label catalog-operator ${OLM_NAMESPACE } app catalog-operator
115+ Verify NetworkPolicy Policy Types catalog-operator ${OLM_NAMESPACE }
116+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } ingress metrics
117+ Verify NetworkPolicy Spec Field catalog-operator ${OLM_NAMESPACE } egress 50051
118+
119+ # default-deny-all-traffic: no ingress/egress rules, applies to all pods in OLM namespace
120+ Verify NetworkPolicy Has Empty Pod Selector default-deny-all-traffic ${OLM_NAMESPACE }
121+ Verify NetworkPolicy Policy Types default-deny-all-traffic ${OLM_NAMESPACE }
122+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } ingress ${EMPTY }
123+ Verify NetworkPolicy Spec Field default-deny-all-traffic ${OLM_NAMESPACE } egress ${EMPTY }
124+
125+ # olm-operator: metrics ingress; API server and DNS egress; pod-scoped
126+ Verify NetworkPolicy Pod Selector Label olm-operator ${OLM_NAMESPACE } app olm-operator
127+ Verify NetworkPolicy Policy Types olm-operator ${OLM_NAMESPACE }
128+ Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE } ingress metrics
129+ Verify NetworkPolicy Spec Field olm-operator ${OLM_NAMESPACE } egress 53
130+
131+ # default-allow-all: both Ingress and Egress defined with no port restrictions in openshift-operators
132+ Verify NetworkPolicy Has Empty Pod Selector default-allow-all ${OPERATORS_NAMESPACE }
133+ Verify NetworkPolicy Policy Types default-allow-all ${OPERATORS_NAMESPACE }
134+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } ingress
135+ Verify NetworkPolicy Spec Field default-allow-all ${OPERATORS_NAMESPACE } egress
40136
41137
42138*** Keywords ***
@@ -95,7 +191,7 @@ CatalogSource Should Be Ready
95191 TRY
96192 Should Be Equal As Strings READY ${catalog.status.connectionState.lastObservedState }
97193 EXCEPT
98- Run With Kubeconfig oc get events -n openshift-marketplace --sort-by='.lastTimestamp'
194+ Run With Kubeconfig oc get events -n ${ namespace }
99195 Fail Catalog Source Is Not Ready
100196 END
101197
@@ -106,15 +202,17 @@ Create Subscription
106202 ... Subscription Should Be AtLatestKnown ${OPERATORS_NAMESPACE } ${SUBSCRIPTION_NAME }
107203
108204Subscription Should Be AtLatestKnown
109- [Documentation] Checks if subscription has state "AtLeastKnown "
205+ [Documentation] Checks if subscription has state "AtLatestKnown "
110206[Arguments] ${namespace } ${name }
111207 ${sub } = Oc Get subscriptions.operators.coreos.com ${namespace } ${name }
112208 Should Be Equal As Strings AtLatestKnown ${sub.status.state }
113209
114210Get CSV Name From Subscription
115211 [Documentation] Obtains Subscription's CSV name.
116- [Arguments] ${namespace } ${name } # robocop: off=unused-argument
117- ${sub } = Oc Get subscriptions.operators.coreos.com ${OPERATORS_NAMESPACE } ${SUBSCRIPTION_NAME }
212+ [Arguments] ${namespace } ${name }
213+ ${sub } = Oc Get subscriptions.operators.coreos.com ${namespace } ${name }
214+ Should Not Be Empty ${sub.status.currentCSV }
215+ ... msg=Subscription ${name } in ${namespace } has no currentCSV set yet
118216 RETURN ${sub.status.currentCSV }
119217
120218Wait For CSV
@@ -165,6 +263,140 @@ Wait For Deployments Deletion
165263 [Documentation] Wait for Deployments to be deleted.
166264[Arguments] ${namespace } @{deployments }
167265 FOR ${deploy } IN @{deployments }
168- Run With Kubeconfig
169- ... oc wait deployment --for=delete -n ${namespace } ${deploy } --timeout=${DEFAULT_WAIT_TIMEOUT }
266+ Oc Wait -n ${namespace } deployment/${deploy } --for=delete --timeout=${DEFAULT_WAIT_TIMEOUT }
267+ END
268+
269+ Operator Should Have Expected Resources
270+ [Documentation] Verifies that the operators.operators.coreos.com resource for a given
271+ ... package and namespace contains expected resource type references in its status.
272+ ... The Operator resource name follows the convention <package>.<namespace>.
273+ [Arguments] ${package } ${namespace }
274+ ${status } = Oc Get JsonPath
275+ ... operators.operators.coreos.com
276+ ... ${EMPTY }
277+ ... ${package } .${namespace }
278+ ... .status
279+ Should Contain ${status } ClusterRole
280+ Should Contain ${status } ClusterRoleBinding
281+ Should Contain ${status } ClusterServiceVersion
282+ Should Contain ${status } CustomResourceDefinition
283+ Should Contain ${status } Deployment
284+ Should Contain ${status } OperatorCondition
285+ Should Contain ${status } Subscription
286+
287+ Single Namespace Test Teardown
288+ [Documentation] Cleanup resources created by the single namespace install test.
289+ ... Uses Run Keyword And Continue On Failure so all steps run even if one errors.
290+
291+ ... Oc Delete subscription ${SINGLE_SUB_NAME } -n ${SINGLE_NS } --ignore-not-found
292+ Run Keyword And Continue On Failure
293+ ... Oc Delete csv --all -n ${SINGLE_NS } --ignore-not-found
294+ Run Keyword And Continue On Failure
295+ ... Oc Delete catalogsource ${SINGLE_CATALOG_NAME } -n ${SINGLE_NS } --ignore-not-found
296+ Run Keyword And Continue On Failure
297+ ... Oc Delete namespace ${SINGLE_NS } --ignore-not-found
298+
299+ OperatorGroup Should Have MultipleOperatorGroupsFound
300+ [Documentation] Checks that the OperatorGroup status contains the MultipleOperatorGroupsFound condition.
301+ [Arguments] ${namespace } ${name }
302+ ${status } = Oc Get JsonPath operatorgroup ${namespace } ${name } .status
303+ Should Contain ${status } MultipleOperatorGroupsFound
304+
305+ Subscription Should Have Empty Installed CSV
306+ [Documentation] Verifies that the subscription's installedCSV is empty, indicating no CSV
307+ ... has been installed (e.g. due to OperatorGroup conflict). Call this only after confirming
308+ ... the OperatorGroup has MultipleOperatorGroupsFound, which guarantees OLM has reconciled
309+ ... the conflict before the subscription state is checked.
310+ [Arguments] ${namespace } ${name }
311+ ${installed_csv } = Oc Get JsonPath
312+ ... subscriptions.operators.coreos.com
313+ ... ${namespace }
314+ ... ${name }
315+ ... .status.installedCSV
316+ Should Be Empty ${installed_csv }
317+
318+ Wait For Installed CSV
319+ [Documentation] Polls the subscription until installedCSV is set, then returns it.
320+ [Arguments] ${namespace } ${name } ${timeout } =10m
321+ ${csv } = Wait Until Keyword Succeeds ${timeout } 15s
322+ ... Subscription Should Have Installed CSV ${namespace } ${name }
323+ RETURN ${csv }
324+
325+ Subscription Should Have Installed CSV
326+ [Documentation] Fails if the subscription's installedCSV field is empty, returns the CSV name.
327+ [Arguments] ${namespace } ${name }
328+ ${csv } = Oc Get JsonPath
329+ ... subscriptions.operators.coreos.com
330+ ... ${namespace }
331+ ... ${name }
332+ ... .status.installedCSV
333+ Should Not Be Empty ${csv }
334+ RETURN ${csv }
335+
336+ CSV Should Exist In Namespace
337+ [Documentation] Verifies that a CSV with the given name exists in the namespace.
338+ [Arguments] ${csv } ${namespace }
339+ Oc Get clusterserviceversion.operators.coreos.com ${namespace } ${csv }
340+
341+ All Namespaces Test Teardown
342+ [Documentation] Cleanup resources created by the all namespaces install test.
343+ ... When ${csv} is empty (test failed before CSV was recorded), falls back to
344+ ... bulk CSV cleanup to avoid orphaned resources. Uses Run Keyword And Continue On Failure
345+ ... so all steps run even if one errors.
346+ [Arguments] ${csv } =${EMPTY }
347+ Run Keyword And Continue On Failure
348+ ... Oc Delete operatorgroup ${ALL_OG_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
349+ Run Keyword And Continue On Failure
350+ ... Oc Delete subscription ${ALL_SUB_NAME } -n ${OPERATORS_NAMESPACE } --ignore-not-found
351+ IF "${csv } " != "${EMPTY } "
352+ Run Keyword And Continue On Failure
353+ ... Oc Delete csv ${csv } -n ${OPERATORS_NAMESPACE } --ignore-not-found
354+ ELSE
355+ Log csv not recorded; attempting bulk CSV cleanup to avoid orphaned resources WARN
356+ Run Keyword And Continue On Failure
357+ ... Oc Delete csv --all -n ${OPERATORS_NAMESPACE } --ignore-not-found
358+ END
359+ Run Keyword And Continue On Failure
360+ ... Oc Delete catalogsource ${ALL_CATALOG_NAME } -n ${MARKETPLACE_NAMESPACE } --ignore-not-found
361+
362+ Verify NetworkPolicy Pod Selector Label
363+ [Documentation] Verifies that a NetworkPolicy's podSelector has the expected label key=value.
364+ [Arguments] ${name } ${namespace } ${label_key } ${expected_value }
365+ ${actual } = Oc Get JsonPath
366+ ... networkpolicy
367+ ... ${namespace }
368+ ... ${name }
369+ ... .spec.podSelector.matchLabels.${label_key }
370+ Should Be Equal ${actual } ${expected_value }
371+
372+ Verify NetworkPolicy Has Empty Pod Selector
373+ [Documentation] Verifies that a NetworkPolicy's podSelector has no matchLabels
374+ ... (i.e. applies to all pods in the namespace).
375+ [Arguments] ${name } ${namespace }
376+ ${labels } = Oc Get JsonPath
377+ ... networkpolicy
378+ ... ${namespace }
379+ ... ${name }
380+ ... .spec.podSelector.matchLabels
381+ Should Be Empty ${labels }
382+
383+ Verify NetworkPolicy Policy Types
384+ [Documentation] Verifies that a NetworkPolicy has both Ingress and Egress policy types.
385+ [Arguments] ${name } ${namespace }
386+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Ingress
387+ Verify NetworkPolicy Spec Field ${name } ${namespace } policyTypes Egress
388+
389+ Verify NetworkPolicy Spec Field
390+ [Documentation] Gets .spec.${field} from a NetworkPolicy and asserts based on ${expected}:
391+ ... - not provided (defaults to ${NONE}): asserts the field value is not empty
392+ ... - ${EMPTY}: asserts the field value is empty (deny-all / no rules check)
393+ ... - any other string: asserts the field value contains that string (port or type check)
394+ [Arguments] ${name } ${namespace } ${field } ${expected } =${NONE }
395+ ${value } = Oc Get JsonPath networkpolicy ${namespace } ${name } .spec.${field }
396+ IF $expected is None
397+ Should Not Be Empty ${value }
398+ ELSE IF $expected == ''
399+ Should Be Empty ${value }
400+ ELSE
401+ Should Contain ${value } ${expected }
170402 END
0 commit comments