feat(deploy): deploy cryostat 3.0

[Josh-Matsuoka]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

---

Fixes: Part 1 of #710

Description of the change:

This change deploys cryostat 3.0 bits (3.0 base image, storage, database) without auth, addressing the first part of #710

[andrewazores]

Doesn't seem to compile, just me?

$ make manager
mkdir -p /home/work/workspace/cryostat-operator/bin
test -s /home/work/workspace/cryostat-operator/bin/controller-gen && /home/work/workspace/cryostat-operator/bin/controller-gen --version | grep -q 0.11.1 || \
GOBIN=/home/work/workspace/cryostat-operator/bin go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.11.1
/home/work/workspace/cryostat-operator/bin/controller-gen rbac:roleName=role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
envsubst < hack/image_tag_patch.yaml.in > config/default/image_tag_patch.yaml
envsubst < hack/image_pull_patch.yaml.in > config/default/image_pull_patch.yaml
go generate ./...
/home/work/workspace/cryostat-operator/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
test -s /home/work/workspace/cryostat-operator/bin/go-license || GOBIN=/home/work/workspace/cryostat-operator/bin go install github.com/palantir/go-license@v1.29.0
Adding license...
/home/work/workspace/cryostat-operator/bin/go-license --config=go-license.yml api/v1beta1/groupversion_info.go api/v1beta1/cryostat_conversion.go api/v1beta1/cryostat_conversion_test.go api/v1beta1/cryostat_suite_test.go api/v1beta1/cryostat_types.go api/v1beta1/zz_generated.deepcopy.go api/v1beta2/cryostat_conversion.go api/v1beta2/cryostat_types.go api/v1beta2/groupversion_info.go api/v1beta2/zz_generated.deepcopy.go internal/controllers/common/resource_definitions/certificates.go internal/controllers/common/resource_definitions/resource_definitions.go internal/controllers/common/tls.go internal/controllers/common/finalizer_utils.go internal/controllers/common/common_utils.go internal/controllers/constants/constants.go internal/controllers/model/instance.go internal/controllers/configmaps.go internal/controllers/secrets.go internal/controllers/suite_test.go internal/controllers/insights/apicast.go internal/controllers/insights/insights.go internal/controllers/insights/insights_controller.go internal/controllers/insights/insights_controller_test.go internal/controllers/insights/insights_controller_unit_test.go internal/controllers/insights/insights_suite_test.go internal/controllers/insights/setup.go internal/controllers/insights/setup_test.go internal/controllers/insights/test/manager.go internal/controllers/insights/test/utils.go internal/controllers/insights/test/resources.go internal/controllers/openshift.go internal/controllers/certmanager.go internal/controllers/const_generated.go internal/controllers/cryostat_controller.go internal/controllers/cryostat_controller_test.go internal/controllers/ingresses.go internal/controllers/pvc.go internal/controllers/rbac.go internal/controllers/reconciler.go internal/controllers/reconciler_test.go internal/controllers/routes.go internal/controllers/services.go internal/images/custom-scorecard-tests/main.go internal/test/scorecard/clients.go internal/test/scorecard/openshift.go internal/test/scorecard/tests.go internal/test/expect.go internal/test/clients.go internal/test/conversion.go internal/test/reconciler.go internal/test/resources.go internal/tools/const_generator.go internal/main.go internal/webhooks/cryostat_webhook.go internal/webhooks/defaulter.go internal/webhooks/test/resources.go internal/webhooks/validator.go internal/webhooks/validator_test.go internal/webhooks/webhook_suite_test.go
go fmt ./...
go vet ./...
# github.com/cryostatio/cryostat-operator/internal/controllers/common/resource_definitions
internal/controllers/common/resource_definitions/resource_definitions.go:1126:63: cr.Spec.SecurityOptions.StorageSecurityContext undefined (type *"github.com/cryostatio/cryostat-operator/api/v1beta2".SecurityOptions has no field or method StorageSecurityContext)
internal/controllers/common/resource_definitions/resource_definitions.go:1127:41: cr.Spec.SecurityOptions.StorageSecurityContext undefined (type *"github.com/cryostatio/cryostat-operator/api/v1beta2".SecurityOptions has no field or method StorageSecurityContext)
internal/controllers/common/resource_definitions/resource_definitions.go:1148:63: cr.Spec.SecurityOptions.DatabaseSecurityContext undefined (type *"github.com/cryostatio/cryostat-operator/api/v1beta2".SecurityOptions has no field or method DatabaseSecurityContext)
internal/controllers/common/resource_definitions/resource_definitions.go:1149:41: cr.Spec.SecurityOptions.DatabaseSecurityContext undefined (type *"github.com/cryostatio/cryostat-operator/api/v1beta2".SecurityOptions has no field or method DatabaseSecurityContext)

[Josh-Matsuoka]

It looks like there's a missing commit or two from what I have, hang on while I resolve some merge conflicts

[andrewazores]

$ make bundle
mkdir -p /home/work/workspace/cryostat-operator/bin
test -s /home/work/workspace/cryostat-operator/bin/controller-gen && /home/work/workspace/cryostat-operator/bin/controller-gen --version | grep -q 0.11.1 || \
GOBIN=/home/work/workspace/cryostat-operator/bin go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.11.1
/home/work/workspace/cryostat-operator/bin/controller-gen rbac:roleName=role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
envsubst < hack/image_tag_patch.yaml.in > config/default/image_tag_patch.yaml
envsubst < hack/image_pull_patch.yaml.in > config/default/image_pull_patch.yaml
test -s /home/work/workspace/cryostat-operator/bin/kustomize || { curl -Ss "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s -- 3.8.7 /home/work/workspace/cryostat-operator/bin; }
/home/work/bin/operator-sdk generate kustomize manifests -q
cd config/manager && /home/work/workspace/cryostat-operator/bin/kustomize edit set image controller=quay.io/cryostat/cryostat-operator:3.0.0-dev
/home/work/workspace/cryostat-operator/bin/kustomize build config/manifests | /home/work/bin/operator-sdk generate bundle -q --overwrite --version 3.0.0-dev  
INFO[0004] Creating bundle.Dockerfile                   
INFO[0004] Creating bundle/metadata/annotations.yaml    
INFO[0004] Bundle metadata generated successfully       
/home/work/bin/operator-sdk bundle validate ./bundle
ERRO[0000] Error: Value operator.cryostat.io/v1beta1, Kind=ClusterCryostat: CRD "operator.cryostat.io/v1beta1, Kind=ClusterCryostat" is present in bundle "cryostat-operator.v3.0.0-dev" but not defined in CSV 
make: *** [Makefile:287: bundle] Error 1

[andrewazores]

Should the StorageConfig also be included here?

[andrewazores]

I think some changes need to be made in ex. NewCoreContainer as well. The 3.0 image needs fairly different configuration compared to 2.4.0 - a lot of the old environment variables have been renamed or removed, and the 3.0 container will also need to be configured to tell it the URLs of its storage and database containers.

[andrewazores]

Still hitting "Application is not available" unfortunately, but I think I can make some more progress here with just service/route configuration stuff and mostly ignoring TLS.

[andrewazores]

Ah, DISABLE_SERVICE_TLS was only half the picture. I have been using make create_cryostat_cr so I also needed to edit the CR with enableCertManager: false. After that:

Some more progress. At least I can get into the web UI now, or make HTTP requests to the Route in general.

[andrewazores]

It looks like the request was blocked by my browser because the original request went through the Route, which has TLS edge termination enabled, but Cryostat responded with a HTTP 308 redirection response where the Location header used http://. I think it's doing that because Quarkus doesn't know that it is behind such a TLS terminating proxy (the Route).

If I use HTTPie instead of a web browser, since this is more lenient about these issues, it follows the redirect response with no problem:

$ https -v --follow https://cryostat-sample-cryostat3.apps-crc.testing/api/v1/targets
GET /api/v1/targets HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2



HTTP/1.1 308 Permanent Redirect
cache-control: no-cache
content-length: 0
location: http://cryostat-sample-cryostat3.apps-crc.testing/api/v3/targets
set-cookie: fce4e72d4c886214e0add5b2a1b0822e=957f357f1c504be2ada71f6882e15474; path=/; HttpOnly; Secure; SameSite=None



GET /api/v3/targets HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2



HTTP/1.1 302 Found
cache-control: no-cache
content-length: 0
location: https://cryostat-sample-cryostat3.apps-crc.testing/api/v3/targets



GET /api/v3/targets HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: fce4e72d4c886214e0add5b2a1b0822e=957f357f1c504be2ada71f6882e15474
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2



HTTP/1.1 200 OK
cache-control: no-cache
content-encoding: gzip
content-length: 28
content-type: application/json;charset=UTF-8

[]

$ https -v --follow --form https://cryostat-sample-cryostat3.apps-crc.testing/api/v2/targets connectUrl='localhost:0' alias=self
POST /api/v2/targets HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 35
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2

connectUrl=localhost%3A0&alias=self

HTTP/1.1 201 Created
content-length: 310
content-type: application/json;charset=UTF-8
location: http://cryostat-sample-cryostat3.apps-crc.testing/api/v3/targets/1
set-cookie: fce4e72d4c886214e0add5b2a1b0822e=957f357f1c504be2ada71f6882e15474; path=/; HttpOnly; Secure; SameSite=None

{
    "data": {
        "result": {
            "agent": false,
            "alias": "self",
            "annotations": {
                "cryostat": {
                    "REALM": "Custom Targets"
                },
                "platform": {}
            },
            "connectUrl": "service:jmx:rmi:///jndi/rmi://localhost:0/jmxrmi",
            "id": 1,
            "jvmId": "-mCG7v2KUyH6CQH8cBcSOj810BjJU-PMKbHpFmGIobU=",
            "labels": {}
        }
    },
    "meta": {
        "status": "Created",
        "type": "application/json"
    }
}

$ https -v --follow https://cryostat-sample-cryostat3.apps-crc.testing/api/v3/targets
GET /api/v3/targets HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2



HTTP/1.1 200 OK
cache-control: no-cache
content-encoding: gzip
content-length: 221
content-type: application/json;charset=UTF-8
set-cookie: fce4e72d4c886214e0add5b2a1b0822e=957f357f1c504be2ada71f6882e15474; path=/; HttpOnly; Secure; SameSite=None

[
    {
        "agent": false,
        "alias": "self",
        "annotations": {
            "cryostat": {
                "REALM": "Custom Targets"
            },
            "platform": {}
        },
        "connectUrl": "service:jmx:rmi:///jndi/rmi://localhost:0/jmxrmi",
        "id": 1,
        "jvmId": "-mCG7v2KUyH6CQH8cBcSOj810BjJU-PMKbHpFmGIobU=",
        "labels": {}
    }
]

$ https -v --follow --form https://cryostat-sample-cryostat3.apps-crc.testing/api/v3/targets/1/recordings recordingName=test events=template=ALL
POST /api/v3/targets/1/recordings HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 40
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: cryostat-sample-cryostat3.apps-crc.testing
User-Agent: HTTPie/3.2.2

recordingName=test&events=template%3DALL

HTTP/1.1 201 Created
content-length: 315
content-type: application/json;charset=UTF-8
set-cookie: fce4e72d4c886214e0add5b2a1b0822e=957f357f1c504be2ada71f6882e15474; path=/; HttpOnly; Secure; SameSite=None

{
    "continuous": true,
    "downloadUrl": "/api/v3/activedownload/1",
    "duration": 0,
    "id": 1,
    "maxAge": 0,
    "maxSize": 0,
    "metadata": {
        "expiry": null,
        "labels": {
            "template.name": "ALL",
            "template.type": "TARGET"
        }
    },
    "name": "test",
    "remoteId": 1,
    "reportUrl": "/api/v3/targets/1/reports/1",
    "startTime": 1712863244670,
    "state": "RUNNING",
    "toDisk": true
}

[andrewazores]

Got it.

This was still done with enableCertManager: false in the CR. I'm not sure if leaving it enabled will break things, but it certainly won't do what it is intended to do. But maybe that does make sense to address later when the authproxy is introduced, since then cert-manager can inject certs to that container to handle TLS for everything.

Update: just checked and enableCertManager: true in the CR still ends up with "Application is not available", presumably because it's trying to do Route re-encryption rather than edge termination. But there is no TLS to re-encrypt on the inside.

[andrewazores]

#795 linked above is a new PR I have based on top of this one wherein I'm working on cleaning things up some more - removing no longer used certificate volume mounts and TLS handling, fixing some environment variable names, things like that. It's pretty noisy since a lot of things are touched so I figured it was better to keep it as a separate changeset for ease of review.

[Josh-Matsuoka]

Is there anything else that needs to be fixed here? Otherwise I'll get the merge conflicts cleaned up.

[andrewazores]

I think the Makefile adjustment(s) above need to be included so that this PR is at least buildable on its own. After that it can be used to deploy a non-TLS deployment, so I think it would be fine to merge into the upstream branch and continue building from there. @ebaron wdyt?

[andrewazores]

Lots of test failures during build now after syncing the latest upstream changes.

[ebaron]

I think the Makefile adjustment(s) above need to be included so that this PR is at least buildable on its own. After that it can be used to deploy a non-TLS deployment, so I think it would be fine to merge into the upstream branch and continue building from there. @ebaron wdyt?

Sounds good to me. I'm fine with restoring the missing functionality over other PRs.

[andrewazores]

Lots of test failures during build now after syncing the latest upstream changes.

internal/test/resources.go looks like some of my adjustments got wiped out after the sync to main. Trying to restore it now.

[andrewazores]

make generate manifests manager test-envtest oci-build bundle bundle-build all works now.

make scorecard seems to silently hang? It's stuck at:

mkdir -p /home/work/workspace/cryostat-operator/bin
test -s /home/work/workspace/cryostat-operator/bin/kustomize || { curl -Ss "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s -- 3.8.7 /home/work/workspace/cryostat-operator/bin; }
oc create namespace cryostat-operator-scorecard && oc label --overwrite namespace cryostat-operator-scorecard pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
namespace/cryostat-operator-scorecard created
namespace/cryostat-operator-scorecard labeled
cd internal/images/custom-scorecard-tests/rbac/ && /home/work/workspace/cryostat-operator/bin/kustomize edit set namespace cryostat-operator-scorecard
/home/work/workspace/cryostat-operator/bin/kustomize build internal/images/custom-scorecard-tests/rbac/ | oc apply -f -
serviceaccount/cryostat-scorecard created
role.rbac.authorization.k8s.io/cryostat-scorecard created
clusterrole.rbac.authorization.k8s.io/cryostat-scorecard created
rolebinding.rbac.authorization.k8s.io/cryostat-scorecard created
clusterrolebinding.rbac.authorization.k8s.io/cryostat-scorecard created
/home/work/bin/operator-sdk run bundle -n cryostat-operator-scorecard --timeout 20m quay.io/cryostat/cryostat-operator-bundle:3.0.0-dev --security-context-config=restricted 
INFO[0007] Creating a File-Based Catalog of the bundle "quay.io/cryostat/cryostat-operator-bundle:3.0.0-dev" 
INFO[0007] Generated a valid File-Based Catalog         
INFO[0015] Created registry pod: quay-io-cryostat-cryostat-operator-bundle-3-0-0-dev 
INFO[0015] Created CatalogSource: cryostat-operator-catalog 
INFO[0015] OperatorGroup "operator-sdk-og" created      
INFO[0015] Created Subscription: cryostat-operator-v3-0-0-dev-sub 

It doesn't look like it is making any progress to actually installing anything in the cryostat-operator-scorecard namespace however.

$ oc get all
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
NAME                                                      READY   STATUS    RESTARTS   AGE
pod/quay-io-cryostat-cryostat-operator-bundle-3-0-0-dev   1/1     Running   0          4m21s

$ oc logs -f pod/quay-io-cryostat-cryostat-operator-bundle-3-0-0-dev
Defaulted container "registry-grpc" out of: registry-grpc, registry-grpc-init (init)
time="2024-04-18T14:40:46Z" level=info msg="starting pprof endpoint" address="localhost:6060"
time="2024-04-18T14:40:46Z" level=info msg="serving registry" configs=/cryostat-operator-catalog-configs port=50051
time="2024-04-18T14:40:46Z" level=info msg="stopped caching cpu profile data" address="localhost:6060"
^C

[andrewazores]

I see what seems to be the same scorecard behaviour on main, so now I'm not sure if the problem is with my crc cluster or my approach to running scorecard tests...

[andrewazores]

Okay, running with a different cluster has the scorecards running and passing as expected on main. With this PR they do run, but judging by the logs it's still deploying 2.5.0-snapshot:

...
		LOG:
			Importing certificate /truststore/operator/..2024_04_23_13_47_13.1523729528/cryostat-report-ca.crt ...
		Certificate was added to keystore
		[Storing /opt/cryostat.d/truststore.p12]
		+ exec java -XX:+CrashOnOutOfMemoryError -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djavax.net.ssl.trustStore=/opt/cryostat.d/truststore.p12 -Djavax.net.ssl.trustStorePassword=HDPxbU3-To9M_F3nNglHGz7mXzgXHLI1 -Dcom.sun.management.jmxremote.autodiscovery=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/tmp/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/tmp/jmxremote.access -Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.keyStore=/var/run/secrets/operator.cryostat.io/cryostat-report-tls/keystore.p12 -Djavax.net.ssl.keyStorePassword=fwNAkcNNGIi9ZB7FJY81 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.registry.ssl=true -cp '/app/resources:/app/classes:/app/libs/cryostat-core-2.30.1.jar:/app/libs/common-8.2.0.jar:/app/libs/encoder-1.2.3.jar:/app/libs/lz4-java-1.8.0.jar:/app/libs/flightrecorder-8.2.0.jar:/app/libs/flightrecorder.rules-8.2.0.jar:/app/libs/flightrecorder.rules.jdk-8.2.0.jar:/app/libs/jdp-8.2.0.jar:/app/libs/nashorn-core-15.4.jar:/app/libs/asm-7.3.1.jar:/app/libs/asm-commons-7.3.1.jar:/app/libs/asm-analysis-7.3.1.jar:/app/libs/asm-tree-7.3.1.jar:/app/libs/asm-util-7.3.1.jar:/app/libs/openshift-client-6.7.2.jar:/app/libs/openshift-client-api-6.7.2.jar:/app/libs/openshift-model-6.7.2.jar:/app/libs/kubernetes-model-common-6.7.2.jar:/app/libs/jackson-annotations-2.15.0.jar:/app/libs/openshift-model-clusterautoscaling-6.7.2.jar:/app/libs/openshift-model-operator-6.7.2.jar:/app/libs/openshift-model-operatorhub-6.7.2.jar:/app/libs/openshift-model-machine-6.7.2.jar:/app/libs/openshift-model-whereabouts-6.7.2.jar:/app/libs/openshift-model-monitoring-6.7.2.jar:/app/libs/openshift-model-storageversionmigrator-6.7.2.jar:/app/libs/openshift-model-tuned-6.7.2.jar:/app/libs/openshift-model-console-6.7.2.jar:/app/libs/openshift-model-config-6.7.2.jar:/app/libs/openshift-model-machineconfig-6.7.2.jar:/app/libs/openshift-model-miscellaneous-6.7.2.jar:/app/libs/openshift-model-hive-6.7.2.jar:/app/libs/openshift-model-installer-6.7.2.jar:/app/libs/generex-1.0.2.jar:/app/libs/automaton-1.11-8.jar:/app/libs/kubernetes-client-6.7.2.jar:/app/libs/kubernetes-client-api-6.7.2.jar:/app/libs/kubernetes-model-core-6.7.2.jar:/app/libs/kubernetes-model-gatewayapi-6.7.2.jar:/app/libs/kubernetes-model-resource-6.7.2.jar:/app/libs/kubernetes-model-rbac-6.7.2.jar:/app/libs/kubernetes-model-admissionregistration-6.7.2.jar:/app/libs/kubernetes-model-apps-6.7.2.jar:/app/libs/kubernetes-model-autoscaling-6.7.2.jar:/app/libs/kubernetes-model-apiextensions-6.7.2.jar:/app/libs/kubernetes-model-batch-6.7.2.jar:/app/libs/kubernetes-model-certificates-6.7.2.jar:/app/libs/kubernetes-model-coordination-6.7.2.jar:/app/libs/kubernetes-model-discovery-6.7.2.jar:/app/libs/kubernetes-model-events-6.7.2.jar:/app/libs/kubernetes-model-extensions-6.7.2.jar:/app/libs/kubernetes-model-flowcontrol-6.7.2.jar:/app/libs/kubernetes-model-networking-6.7.2.jar:/app/libs/kubernetes-model-metrics-6.7.2.jar:/app/libs/kubernetes-model-policy-6.7.2.jar:/app/libs/kubernetes-model-scheduling-6.7.2.jar:/app/libs/kubernetes-model-storageclass-6.7.2.jar:/app/libs/kubernetes-model-node-6.7.2.jar:/app/libs/snakeyaml-engine-2.6.jar:/app/libs/jackson-dataformat-yaml-2.15.0.jar:/app/libs/snakeyaml-2.0.jar:/app/libs/jackson-datatype-jsr310-2.15.0.jar:/app/libs/jackson-databind-2.15.0.jar:/app/libs/jackson-core-2.15.0.jar:/app/libs/kubernetes-httpclient-okhttp-6.7.2.jar:/app/libs/okhttp-3.12.12.jar:/app/libs/okio-1.15.0.jar:/app/libs/logging-interceptor-3.12.12.jar:/app/libs/zjsonpatch-0.3.0.jar:/app/libs/dagger-2.47.jar:/app/libs/javax.inject-1.jar:/app/libs/commons-lang3-3.13.0.jar:/app/libs/commons-codec-1.16.0.jar:/app/libs/commons-io-2.13.0.jar:/app/libs/commons-validator-1.7.jar:/app/libs/commons-beanutils-1.9.4.jar:/app/libs/commons-digester-2.1.jar:/app/libs/commons-logging-1.2.jar:/app/libs/commons-collections-3.2.2.jar:/app/libs/httpclient-4.5.14.jar:/app/libs/httpcore-4.4.16.jar:/app/libs/vertx-web-4.4.9.jar:/app/libs/vertx-web-common-4.4.9.jar:/app/libs/vertx-auth-common-4.4.9.jar:/app/libs/vertx-bridge-common-4.4.9.jar:/app/libs/vertx-core-4.4.9.jar:/app/libs/netty-handler-4.1.108.Final.jar:/app/libs/netty-codec-4.1.108.Final.jar:/app/libs/netty-handler-proxy-4.1.108.Final.jar:/app/libs/netty-codec-socks-4.1.108.Final.jar:/app/libs/netty-codec-http-4.1.108.Final.jar:/app/libs/netty-codec-http2-4.1.108.Final.jar:/app/libs/netty-resolver-4.1.108.Final.jar:/app/libs/netty-resolver-dns-4.1.108.Final.jar:/app/libs/netty-codec-dns-4.1.108.Final.jar:/app/libs/vertx-web-client-4.4.9.jar:/app/libs/vertx-uri-template-4.4.9.jar:/app/libs/vertx-web-graphql-4.4.9.jar:/app/libs/graphql-java-20.4.jar:/app/libs/java-dataloader-3.2.0.jar:/app/libs/reactive-streams-1.0.3.jar:/app/libs/graphql-java-extended-scalars-20.2.jar:/app/libs/nimbus-jose-jwt-9.31.jar:/app/libs/jcip-annotations-1.0-1.jar:/app/libs/bcprov-jdk18on-1.76.jar:/app/libs/jasypt-1.9.3.jar:/app/libs/jasypt-hibernate5-1.9.3.jar:/app/libs/slf4j-api-1.7.36.jar:/app/libs/slf4j-jdk14-1.7.36.jar:/app/libs/gson-2.10.1.jar:/app/libs/caffeine-3.1.6.jar:/app/libs/jsoup-1.16.1.jar:/app/libs/hibernate-core-5.6.14.Final.jar:/app/libs/jboss-logging-3.4.3.Final.jar:/app/libs/javax.persistence-api-2.2.jar:/app/libs/byte-buddy-1.12.18.jar:/app/libs/antlr-2.7.7.jar:/app/libs/jboss-transaction-api_1.2_spec-1.1.1.Final.jar:/app/libs/jandex-2.4.2.Final.jar:/app/libs/classmate-1.5.1.jar:/app/libs/javax.activation-api-1.2.0.jar:/app/libs/hibernate-commons-annotations-5.1.2.Final.jar:/app/libs/jaxb-api-2.3.1.jar:/app/libs/jaxb-runtime-2.3.1.jar:/app/libs/txw2-2.3.1.jar:/app/libs/istack-commons-runtime-3.0.7.jar:/app/libs/stax-ex-1.8.jar:/app/libs/FastInfoset-1.2.15.jar:/app/libs/hibernate-types-55-2.21.1.jar:/app/libs/h2-2.1.214.jar:/app/libs/postgresql-42.7.2.jar:/app/libs/netty-transport-native-epoll-4.1.108.Final-linux-x86_64.jar:/app/libs/netty-common-4.1.108.Final.jar:/app/libs/netty-buffer-4.1.108.Final.jar:/app/libs/netty-transport-4.1.108.Final.jar:/app/libs/netty-transport-native-unix-common-4.1.108.Final.jar:/app/libs/netty-transport-classes-epoll-4.1.108.Final.jar:/opt/cryostat.d/clientlib.d/*' @/app/jib-main-class-file
		Apr 23, 2024 1:47:19 PM io.cryostat.configuration.ConfigurationModule provideConfigurationPath
		INFO: Local config path set as /opt/cryostat.d/conf.d
		Apr 23, 2024 1:47:19 PM org.hibernate.jpa.internal.util.LogHelper logPersistenceUnitInformation
		INFO: HHH000204: Processing PersistenceUnitInfo [name: io.cryostat]
		Apr 23, 2024 1:47:19 PM org.hibernate.Version logVersion
		INFO: HHH000412: Hibernate ORM core version 5.6.14.Final
		Apr 23, 2024 1:47:20 PM org.hibernate.annotations.common.reflection.java.JavaReflectionManager <clinit>
		INFO: HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
		Apr 23, 2024 1:47:20 PM org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl configure
		WARN: HHH10001002: Using Hibernate built-in connection pool (not for production use!)
		Apr 23, 2024 1:47:20 PM org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl buildCreator
		INFO: HHH10001005: using driver [org.h2.Driver] at URL [jdbc:h2:file:/opt/cryostat.d/conf.d/h2;INIT=create domain if not exists jsonb as varchar]
		Apr 23, 2024 1:47:20 PM org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl buildCreator
		INFO: HHH10001001: Connection properties: {password=****, user=cryostat-report}
		Apr 23, 2024 1:47:20 PM org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl buildCreator
		INFO: HHH10001003: Autocommit mode: false
		Apr 23, 2024 1:47:20 PM org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl$PooledConnections <init>
		INFO: HHH000115: Hibernate connection pool size: 20 (min=1)
		Apr 23, 2024 1:47:20 PM org.hibernate.dialect.Dialect <init>
		INFO: HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
		Apr 23, 2024 1:47:21 PM org.hibernate.resource.transaction.backend.jdbc.internal.DdlTransactionIsolatorNonJtaImpl getIsolatedConnection
		INFO: HHH10001501: Connection obtained from JdbcConnectionAccess [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess@6213df5] for (non-JTA) DDL execution was not in auto-commit mode; the Connection 'local transaction' will be committed and the Connection will be set into auto-commit mode.
		Apr 23, 2024 1:47:21 PM org.hibernate.engine.transaction.jta.platform.internal.JtaPlatformInitiator initiateService
		INFO: HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
		Apr 23, 2024 1:47:21 PM io.cryostat.Cryostat start
		INFO: cryostat started, version: v2.5.0-dev-123-gb2e0c30b.
		Apr 23, 2024 1:47:21 PM io.cryostat.net.SslConfiguration <init>
		INFO: Selected SSL KeyStore strategy with keystore /var/run/secrets/operator.cryostat.io/cryostat-report-tls/keystore.p12
		Apr 23, 2024 1:47:21 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.net.HttpServer Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : false,
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:21 PM io.cryostat.net.HttpServer lambda$start$0
		INFO: HTTPS service running on https://cryostat-report-cryostat-operator-scorecard.apps.rosa.qmrcn-oimow-95u.ok1t.p3.openshiftapps.com:443
		Apr 23, 2024 1:47:21 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.net.HttpServer Verticle [09c96827-869d-49ec-a00b-f41dfd0b21e2]
		Apr 23, 2024 1:47:21 PM io.cryostat.platform.PlatformModule provideAuthManager
		INFO: Selecting configured AuthManager "io.cryostat.net.openshift.OpenShiftAuthManager"
		Apr 23, 2024 1:47:21 PM io.cryostat.MainModule provideSavedRecordingsPath
		INFO: Local save path for flight recordings set as /opt/cryostat.d/recordings.d
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.net.web.WebServer Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : false,
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.net.web.WebServer Verticle [32afb6db-1614-4d61-b029-6593c5e2a1f5]
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.messaging.MessagingServer Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : false,
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.messaging.MessagingServer start
		INFO: Max concurrent WebSocket connections: 2147483647
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.messaging.MessagingServer Verticle [3310a9d7-8a5f-4a44-abc0-1195992a8f12]
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.rules.RuleProcessor Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : true,
		  "workerPoolName" : "io.cryostat.rules.RuleProcessor-worker",
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.rules.RuleProcessor Verticle [bcf9c803-3dfa-464c-b72f-277d41df6567]
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.recordings.RecordingMetadataManager Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : true,
		  "workerPoolName" : "io.cryostat.recordings.RecordingMetadataManager-worker",
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.recordings.RecordingMetadataManager Verticle [f9eaab4b-bb91-4dba-aa79-edd654d81628]
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.discovery.DiscoveryStorage Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : true,
		  "workerPoolName" : "io.cryostat.discovery.DiscoveryStorage-worker",
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.VerticleDeployer deploy
		INFO: Deploying io.cryostat.discovery.BuiltInDiscovery Verticle with options: {
		  "ha" : false,
		  "instances" : 1,
		  "maxWorkerExecuteTime" : 60000000000,
		  "maxWorkerExecuteTimeUnit" : "NANOSECONDS",
		  "worker" : true,
		  "workerPoolName" : "io.cryostat.discovery.BuiltInDiscovery-worker",
		  "workerPoolSize" : 20
		}
		Apr 23, 2024 1:47:22 PM io.cryostat.platform.internal.PodmanPlatformStrategy getPlatformClient
		INFO: Selected PodmanPlatformStrategy Strategy
		Apr 23, 2024 1:47:22 PM io.cryostat.platform.internal.DockerPlatformStrategy getPlatformClient
		INFO: Selected DockerPlatformStrategy Strategy
		Apr 23, 2024 1:47:22 PM io.cryostat.platform.internal.DefaultPlatformStrategy getPlatformClient
		INFO: Selected Default Platform Strategy
		Apr 23, 2024 1:47:22 PM io.cryostat.platform.internal.KubeApiPlatformStrategy getPlatformClient
		INFO: Selected KubeApiPlatformStrategy Strategy
		Apr 23, 2024 1:47:23 PM io.cryostat.platform.internal.KubeApiPlatformClient$1 lambda$initialize$0
		INFO: Started Endpoints SharedInformer for namespace "cryostat-operator-scorecard"
		Apr 23, 2024 1:47:23 PM io.cryostat.platform.internal.CustomTargetPlatformStrategy getPlatformClient
		INFO: Selected Default Platform Strategy
		Apr 23, 2024 1:47:23 PM io.cryostat.discovery.BuiltInDiscovery lambda$start$5
		INFO: Starting built-in discovery with CustomTargetPlatformClient
		Apr 23, 2024 1:47:23 PM io.cryostat.platform.internal.KubeApiPlatformStrategy getPlatformClient
		INFO: Selected OpenShiftPlatformStrategy Strategy
		Apr 23, 2024 1:47:23 PM io.cryostat.discovery.BuiltInDiscovery lambda$start$5
		INFO: Starting built-in discovery with KubeApiPlatformClient
		Apr 23, 2024 1:47:23 PM io.cryostat.platform.internal.KubeApiPlatformClient$1 lambda$initialize$0
		INFO: Started Endpoints SharedInformer for namespace "cryostat-operator-scorecard"
		Apr 23, 2024 1:47:23 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.discovery.BuiltInDiscovery Verticle [312fc126-00c5-44c6-be47-6d2a1c4082b8]
		Apr 23, 2024 1:47:23 PM io.cryostat.VerticleDeployer lambda$deploy$0
		INFO: Deployed io.cryostat.discovery.DiscoveryStorage Verticle [31576b66-f318-4ac2-bf6d-ffdb7bf7ce90]
		Apr 23, 2024 1:47:23 PM io.cryostat.recordings.RecordingMetadataManager lambda$start$7
		INFO: Starting archive migration
		Apr 23, 2024 1:47:23 PM io.cryostat.recordings.RecordingArchiveHelper lambda$migrate$0
		INFO: Skipping archive migration: appears to be a special location: file-uploads
		Apr 23, 2024 1:47:23 PM io.cryostat.recordings.RecordingMetadataManager lambda$start$7
		INFO: Successfully migrated archives
		Apr 23, 2024 1:47:23 PM io.cryostat.recordings.RecordingMetadataManager pruneStaleMetadata
		INFO: Beginning to prune potentially stale metadata...
		Apr 23, 2024 1:47:23 PM io.cryostat.recordings.RecordingMetadataManager lambda$start$7
		INFO: Successfully pruned all stale metadata
		Apr 23, 2024 1:47:26 PM org.slf4j.impl.JDK14LoggerAdapter fillCallerData
		INFO: 10.129.0.2 - - [Tue, 23 Apr 2024 13:47:26 GMT] 6ms "GET /health/liveness HTTP/1.1" 204 0 bytes "-" "kube-probe/1.27"
		Apr 23, 2024 1:47:27 PM io.cryostat.recordings.JvmIdHelper resolveId
		INFO: Observing new target: io.cryostat.platform.ServiceRef@12cad5c3[alias=cryostat-report-7dfb8bbfd6-xks7x,annotations=io.cryostat.platform.ServiceRef$Annotations@6f797b79[cryostat={HOST=10.129.0.59, PORT=9091, NAMESPACE=cryostat-operator-scorecard, POD_NAME=cryostat-report-7dfb8bbfd6-xks7x, REALM=KubernetesApi},platform={openshift.io/scc=restricted-v2, seccomp.security.alpha.kubernetes.io/pod=runtime/default, k8s.ovn.org/pod-networks={"default":{"ip_addresses":["10.129.0.59/23"],"mac_address":"0a:58:0a:81:00:3b","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.59/23","gateway_ip":"10.129.0.1"}}, k8s.v1.cni.cncf.io/network-status=[{
		    "name": "ovn-kubernetes",
		    "interface": "eth0",
		    "ips": [
		        "10.129.0.59"
		    ],
		    "mac": "0a:58:0a:81:00:3b",
		    "default": true,
		    "dns": {}
		}]}],jvmId=<null>,labels={app=cryostat-report, pod-template-hash=7dfb8bbfd6, component=cryostat, kind=cryostat},serviceUri=service:jmx:rmi:///jndi/rmi://10-129-0-59.cryostat-operator-scorecard.pod:9091/jmxrmi]
...

[andrewazores]

Trying this now:

$ make test-scorecard BUNDLE_IMG=quay.io/andrewazores/cryostat-operator-bundle:3.0.0-dev

[andrewazores]

  Normal   Pulling         32s (x3 over 72s)  kubelet            Pulling image "quay.io/cryostat/cryostat-operator-scorecard:3.0.0-20240404171904"
  Warning  Failed          31s (x3 over 72s)  kubelet            Failed to pull image "quay.io/cryostat/cryostat-operator-scorecard:3.0.0-20240404171904": rpc error: code = Unknown desc = reading manifest 3.0.0-20240404171904 in quay.io/cryostat/cryostat-operator-scorecard: manifest unknown
  Warning  Failed          31s (x3 over 72s)  kubelet            Error: ErrImagePull
  Normal   BackOff         5s (x4 over 71s)   kubelet            Back-off pulling image "quay.io/cryostat/cryostat-operator-scorecard:3.0.0-20240404171904"
  Warning  Failed          5s (x4 over 71s)   kubelet            Error: ImagePullBackOff

@ebaron @mwangggg how do I get this to run with my custom scorecard image? I tried building with OPERATOR_IMG, CUSTOM_SCORECARD_IMG, and BUNDLE_IMG set and pushed all the resulting images to my quay.io/andrewazores, but when I run the tests with the same variables set it still wants to run the wrong scorecard.

[andrewazores]

Got help instructions from Ming, looks like I have the scorecard running for this PR now.

[andrewazores]

...

14:42:50 +0000] "GET /health/liveness HTTP/1.1" 204 -
		failed to store logs for container cryostat-recording in pod cryostat-recording-5c5bd696f5-x2sww: context deadline exceeded
		
		
		CRYOSTAT-RECORDING-JFR-DATASOURCE CONTAINER LOG:
		
			INFO exec -a "java" java -XX:MaxRAMPercentage=80.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+ExitOnOutOfMemoryError -XX:-ExitOnOutOfMemoryError -Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager -cp "." -jar /deployments/quarkus-run.jar 
		INFO running in /deployments
		__  ____  __  _____   ___  __ ____  ______ 
		 --/ __ \/ / / / _ | / _ \/ //_/ / / / __/ 
		 -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \   
		--\___\_\____/_/ |_/_/|_/_/|_|\____/___/   
		2024-04-23 14:32:23,613 INFO  [io.quarkus] (main) jfr-datasource 2.5.0-SNAPSHOT on JVM (powered by Quarkus 3.2.9.Final) started in 0.774s. Listening on: http://0.0.0.0:8989
		2024-04-23 14:32:23,669 INFO  [io.quarkus] (main) Profile prod activated. 
		2024-04-23 14:32:23,669 INFO  [io.quarkus] (main) Installed features: [cdi, reactive-routes, smallrye-context-propagation, vertx]
		failed to store logs for container cryostat-recording-jfr-datasource in pod cryostat-recording-5c5bd696f5-x2sww: context deadline exceeded
		


--------------------------------------------------------------------------------
Image:      quay.io/andrewazores/cryostat-operator-scorecard:3.0.0-20240423142402
Entrypoint: [cryostat-scorecard-tests cryostat-config-change]
Labels:
	"test":"cryostat-config-change"
	"suite":"cryostat"
Results:
	State: fail

	Errors:
		timed out waiting for the condition


--------------------------------------------------------------------------------
Image:      quay.io/andrewazores/cryostat-operator-scorecard:3.0.0-20240423142402
Entrypoint: [cryostat-scorecard-tests cryostat-report]
Labels:
	"suite":"cryostat"
	"test":"cryostat-report"
Results:
	State: fail

	Errors:
		client rate limiter Wait returned an error: context deadline exceeded


Error: error running tests context deadline exceeded
Usage:
  operator-sdk scorecard [flags]

Flags:
  -c, --config string            path to scorecard config file
  -h, --help                     help for scorecard
      --kubeconfig string        kubeconfig path
  -L, --list                     Option to enable listing which tests are run
  -n, --namespace string         namespace to run the test images in
  -o, --output string            Output format for results. Valid values: text, json, xunit (default "text")
      --pod-security string      option to run scorecard with legacy pod security context (default "legacy")
  -l, --selector string          label selector to determine which tests are run
  -s, --service-account string   Service account to use for tests (default "default")
  -x, --skip-cleanup             Disable resource cleanup after tests are run
  -b, --storage-image string     Storage image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-storage@sha256:a3bfda71281393c7794cabdd39c563fb050d3020fd0b642ea164646bdd39a0e2")
  -t, --test-output string       Test output directory. (default "test-output")
  -u, --untar-image string       Untar image to be used by the Scorecard pod (default "quay.io/operator-framework/scorecard-untar@sha256:2e728c5e67a7f4dec0df157a322dd5671212e8ae60f69137463bd4fdfbff8747")
  -w, --wait-time duration       seconds to wait for tests to complete. Example: 35s (default 30s)

Global Flags:
      --plugins strings   plugin keys to be used for this subcommand execution
      --verbose           Enable verbose logging

FATA[1200] error running tests context deadline exceeded 
INFO[0000] subscription "cryostat-operator-v3-0-0-dev-sub" deleted 
INFO[0000] customresourcedefinition "cryostats.operator.cryostat.io" deleted 
INFO[0001] clusterserviceversion "cryostat-operator.v3.0.0-dev" deleted 
INFO[0001] catalogsource "cryostat-operator-catalog" deleted 
INFO[0001] operatorgroup "operator-sdk-og" deleted      
INFO[0001] Operator "cryostat-operator" uninstalled     
serviceaccount "cryostat-scorecard" deleted
role.rbac.authorization.k8s.io "cryostat-scorecard" deleted
clusterrole.rbac.authorization.k8s.io "cryostat-scorecard" deleted
rolebinding.rbac.authorization.k8s.io "cryostat-scorecard" deleted
clusterrolebinding.rbac.authorization.k8s.io "cryostat-scorecard" deleted
Error from server (NotFound): secrets "registry-key" not found
namespace "cryostat-operator-scorecard" deleted
make: *** [Makefile:177: test-scorecard] Error 1

[andrewazores]

Elliott suggests the failure could be because the scorecard tests assume cert-manager is available and enabled, but the state this PR is in right now it only results in a functioning deployment when cert-manager/TLS are disabled. So we can try changing the tests to instead turn off the cert-manager integration via the CR, or else maybe we leave the tests failing for now. There should be a follow-up PR to add oauth2_proxy/openshift-oauth-proxy to the deployment, which will also be where the cert-manager integration should happen for 3.0, so maybe it makes sense to address the scorecard tests at that point.

[ebaron]

Elliott suggests the failure could be because the scorecard tests assume cert-manager is available and enabled, but the state this PR is in right now it only results in a functioning deployment when cert-manager/TLS are disabled. So we can try changing the tests to instead turn off the cert-manager integration via the CR, or else maybe we leave the tests failing for now. There should be a follow-up PR to add oauth2_proxy/openshift-oauth-proxy to the deployment, which will also be where the cert-manager integration should happen for 3.0, so maybe it makes sense to address the scorecard tests at that point.

I'm fine with leaving the tests failing for now. It also serves as a reminder to fix them before release, so we don't forget to re-enable cert-manager there.

[andrewazores]

Okay, just re-verified that DISABLE_SERVICE_TLS=true DEPLOY_NAMESPACE=$(oc project -q) make install deploy is at least still working, and it is. Let's merge this into the upstream feature branch, I'll rebase #795 and get it reviewed and merged, and then we can tackle getting the authproxies deployed and integrated with cert-manager, and then finally fix up the scorecard tests. Sound ok @ebaron ?

[ebaron]

Okay, just re-verified that DISABLE_SERVICE_TLS=true DEPLOY_NAMESPACE=$(oc project -q) make install deploy is at least still working, and it is. Let's merge this into the upstream feature branch, I'll rebase #795 and get it reviewed and merged, and then we can tackle getting the authproxies deployed and integrated with cert-manager, and then finally fix up the scorecard tests. Sound ok @ebaron ?

Sounds good