✨Namespace and PVC probes

Makefile

@@ -243,9 +243,10 @@ verify-crd-compatibility: $(CRD_DIFF) manifests
 .PHONY: test
 test: manifests generate fmt lint test-unit test-e2e test-regression #HELP Run all tests.
 
+E2E_TIMEOUT ?= 10m
 .PHONY: e2e
 e2e: #EXHELP Run the e2e tests.
-	go test -count=1 -v ./test/e2e/features_test.go
+	go test -count=1 -v ./test/e2e/features_test.go -timeout=$(E2E_TIMEOUT)
 
 E2E_REGISTRY_NAME := docker-registry
 E2E_REGISTRY_NAMESPACE := operator-controller-e2e
@@ -317,6 +318,7 @@ test-experimental-e2e: GO_BUILD_EXTRA_FLAGS := -cover
 test-experimental-e2e: COVERAGE_NAME := experimental-e2e
 test-experimental-e2e: export MANIFEST := $(EXPERIMENTAL_RELEASE_MANIFEST)
 test-experimental-e2e: PROMETHEUS_VALUES := helm/prom_experimental.yaml
+test-experimental-e2e: E2E_TIMEOUT := 15m
 test-experimental-e2e: run-internal image-registry prometheus e2e e2e-coverage kind-clean #HELP Run experimental e2e test suite on local kind cluster
 
 .PHONY: prometheus

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"sync"
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -462,10 +463,13 @@ func (c *ClusterExtensionRevisionReconciler) toBoxcutterRevision(ctx context.Con
 		previousObjs[i] = rev
 	}
 
+	if err = initializeProbes(); err != nil {
+		return nil, nil, err
+	}
 	opts := []boxcutter.RevisionReconcileOption{
 		boxcutter.WithPreviousOwners(previousObjs),
 		boxcutter.WithProbe(boxcutter.ProgressProbeType, probing.And{
-			deploymentProbe, statefulSetProbe, crdProbe, issuerProbe, certProbe,
+			&namespaceActiveProbe, deploymentProbe, statefulSetProbe, crdProbe, issuerProbe, certProbe, &pvcBoundProbe,
 		}),
 	}
 
@@ -511,6 +515,28 @@ func EffectiveCollisionProtection(cp ...ocv1.CollisionProtection) ocv1.Collision
 	return ecp
 }
 
+// initializeProbes is used to initialize CEL probes once, so we don't recreate them on every reconcile
+var initializeProbes = sync.OnceValue(func() error {
+	nsCEL, err := probing.NewCELProbe(namespaceActiveCEL, `namespace phase must be "Active"`)
+	if err != nil {
+		return fmt.Errorf("initializing namespace CEL probe: %w", err)
+	}
+	pvcCEL, err := probing.NewCELProbe(pvcBoundCEL, `persistentvolumeclaim phase must be "Bound"`)
+	if err != nil {
+		return fmt.Errorf("initializing PVC CEL probe: %w", err)
+	}
+	namespaceActiveProbe = probing.GroupKindSelector{
+		GroupKind: schema.GroupKind{Group: corev1.GroupName, Kind: "Namespace"},
+		Prober:    nsCEL,
+	}
+	pvcBoundProbe = probing.GroupKindSelector{
+		GroupKind: schema.GroupKind{Group: corev1.GroupName, Kind: "PersistentVolumeClaim"},
+		Prober:    pvcCEL,
+	}
+
+	return nil
+})
+
 var (
 	deploymentProbe = &probing.GroupKindSelector{
 		GroupKind: schema.GroupKind{Group: appsv1.GroupName, Kind: "Deployment"},
@@ -542,6 +568,14 @@ var (
 		},
 	}
 
+	// namespaceActiveCEL is a CEL rule which asserts that the namespace is in "Active" phase
+	namespaceActiveCEL   = `self.status.phase == "Active"`
+	namespaceActiveProbe probing.GroupKindSelector
+
+	// pvcBoundCEL is a CEL rule which asserts that the PVC is in "Bound" phase
+	pvcBoundCEL   = `self.status.phase == "Bound"`
+	pvcBoundProbe probing.GroupKindSelector
+
 	// deplStaefulSetProbe probes Deployment, StatefulSet objects.
 	deplStatefulSetProbe = &probing.ObservedGenerationProbe{
 		Prober: probing.And{

test/e2e/README.md

@@ -199,6 +199,7 @@ Leverage existing steps for common operations:
 Use these variables in YAML templates:
 
 - `${NAME}`: Scenario-specific ClusterExtension name (e.g., `ce-123`)
+- `${CER_NAME}`: Scenario-specific ClusterExtensionRevision name (e.g., `cer-123`; for applying CERs directly)
 - `${TEST_NAMESPACE}`: Scenario-specific namespace (e.g., `ns-123`)
 - `${CATALOG_IMG}`: Catalog image reference (defaults to in-cluster registry, overridable via `CATALOG_IMG` env var)
 

test/e2e/features/revision.feature

@@ -0,0 +1,137 @@
+@BoxcutterRuntime
+Feature: Install ClusterExtensionRevision
+
+  As an OLM user I would like to install a cluster extension revision directly, without using the cluster extension API.
+
+  Background:
+    Given OLM is available
+    And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+  Scenario: Probe failure for PersistentVolumeClaim halts phase progression 
+    When ClusterExtensionRevision is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtensionRevision
+      metadata:
+        annotations:
+          olm.operatorframework.io/service-account-name: olm-sa
+          olm.operatorframework.io/service-account-namespace: ${TEST_NAMESPACE}
+        name: ${CER_NAME}
+      spec:
+        lifecycleState: Active
+        collisionProtection: Prevent
+        phases:
+        - name: pvc
+          objects:
+          - object:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              metadata:
+                name: test-pvc
+                namespace: ${TEST_NAMESPACE}
+              spec:
+                accessModes:
+                - ReadWriteOnce
+                storageClassName: ""
+                volumeName: test-pv
+                resources:
+                  requests:
+                    storage: 1Mi
+        - name: configmap
+          objects:
+          - object:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                name: test-configmap
+                namespace: ${TEST_NAMESPACE}
+              data:
+                name: test-configmap
+                version: v1.2.0
+        revision: 1
+      """
+
+    Then resource "persistentvolumeclaim/test-pvc" is installed
+    And ClusterExtensionRevision "${CER_NAME}" reports Available as False with Reason ProbeFailure and Message:
+    """
+      Object PersistentVolumeClaim.v1 ${TEST_NAMESPACE}/test-pvc: persistentvolumeclaim phase must be "Bound"
+    """
+    And resource "configmap/test-configmap" is not installed
+
+  Scenario: Phases progress when PersistentVolumeClaim becomes "Bound"
+    When ClusterExtensionRevision is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtensionRevision
+      metadata:
+        annotations:
+          olm.operatorframework.io/service-account-name: olm-sa
+          olm.operatorframework.io/service-account-namespace: ${TEST_NAMESPACE}
+        name: ${CER_NAME}
+      spec:
+        lifecycleState: Active
+        collisionProtection: Prevent
+        phases:
+        - name: pvc
+          objects:
+          - object:
+              apiVersion: v1
+              kind: PersistentVolumeClaim
+              metadata:
+                name: test-pvc
+                namespace: ${TEST_NAMESPACE}
+              spec:
+                accessModes:
+                - ReadWriteOnce
+                storageClassName: ""
+                volumeName: test-pv
+                resources:
+                  requests:
+                    storage: 1Mi
+          - object:
+              apiVersion: v1
+              kind: PersistentVolume
+              metadata:
+                name: test-pv
+              spec:
+                accessModes:
+                - ReadWriteOnce
+                capacity:
+                  storage: 1Mi
+                claimRef:
+                  apiVersion: v1
+                  kind: PersistentVolumeClaim
+                  name: test-pvc
+                  namespace: ${TEST_NAMESPACE}
+                persistentVolumeReclaimPolicy: Delete
+                storageClassName: ""
+                volumeMode: Filesystem
+                local:
+                  path: /tmp/persistent-volume
+                nodeAffinity:
+                  required:
+                    nodeSelectorTerms:
+                    - matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: NotIn
+                        values:
+                        - a-node-name-that-should-not-exist
+        - name: configmap
+          objects:
+          - object:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                name: test-configmap
+                namespace: ${TEST_NAMESPACE}
+              data:
+                name: test-configmap
+                version: v1.2.0
+        revision: 1
+      """
+
+    Then ClusterExtensionRevision "${CER_NAME}" reports Progressing as True with Reason Succeeded
+    And ClusterExtensionRevision "${CER_NAME}" reports Available as True with Reason ProbesSucceeded
+    And resource "persistentvolume/test-pv" is installed
+    And resource "persistentvolumeclaim/test-pvc" is installed
+    And resource "configmap/test-configmap" is installed

test/e2e/steps/hooks.go

@@ -27,12 +27,13 @@ type resource struct {
 }
 
 type scenarioContext struct {
-	id                   string
-	namespace            string
-	clusterExtensionName string
-	removedResources     []unstructured.Unstructured
-	backGroundCmds       []*exec.Cmd
-	metricsResponse      map[string]string
+	id                           string
+	namespace                    string
+	clusterExtensionName         string
+	clusterExtensionRevisionName string
+	removedResources             []unstructured.Unstructured
+	backGroundCmds               []*exec.Cmd
+	metricsResponse              map[string]string
 
 	extensionObjects []client.Object
 }
@@ -142,9 +143,10 @@ func CheckFeatureTags(ctx context.Context, sc *godog.Scenario) (context.Context,
 
 func CreateScenarioContext(ctx context.Context, sc *godog.Scenario) (context.Context, error) {
 	scCtx := &scenarioContext{
-		id:                   sc.Id,
-		namespace:            fmt.Sprintf("ns-%s", sc.Id),
-		clusterExtensionName: fmt.Sprintf("ce-%s", sc.Id),
+		id:                           sc.Id,
+		namespace:                    fmt.Sprintf("ns-%s", sc.Id),
+		clusterExtensionName:         fmt.Sprintf("ce-%s", sc.Id),
+		clusterExtensionRevisionName: fmt.Sprintf("cer-%s", sc.Id),
 	}
 	return context.WithValue(ctx, scenarioContextKey, scCtx), nil
 }
@@ -176,13 +178,16 @@ func ScenarioCleanup(ctx context.Context, _ *godog.Scenario, err error) (context
 	if sc.clusterExtensionName != "" {
 		forDeletion = append(forDeletion, resource{name: sc.clusterExtensionName, kind: "clusterextension"})
 	}
+	if sc.clusterExtensionRevisionName != "" {
+		forDeletion = append(forDeletion, resource{name: sc.clusterExtensionRevisionName, kind: "clusterextensionrevision"})
+	}
 	forDeletion = append(forDeletion, resource{name: sc.namespace, kind: "namespace"})
-	go func() {
-		for _, r := range forDeletion {
-			if _, err := k8sClient("delete", r.kind, r.name, "--ignore-not-found=true"); err != nil {
-				logger.Info("Error deleting resource", "name", r.name, "namespace", sc.namespace, "stderr", stderrOutput(err))
+	for _, r := range forDeletion {
+		go func(res resource) {
+			if _, err := k8sClient("delete", res.kind, res.name, "--ignore-not-found=true"); err != nil {
+				logger.Info("Error deleting resource", "name", res.name, "namespace", sc.namespace, "stderr", stderrOutput(err))
 			}
-		}
-	}()
+		}(r)
+	}
 	return ctx, nil
 }

test/e2e/steps/steps.go

@@ -71,7 +71,9 @@ func RegisterSteps(sc *godog.ScenarioContext) {
 	sc.Step(`^(?i)ClusterExtension reports ([[:alnum:]]+) as ([[:alnum:]]+) with Reason ([[:alnum:]]+)$`, ClusterExtensionReportsConditionWithoutMsg)
 	sc.Step(`^(?i)ClusterExtension reports ([[:alnum:]]+) as ([[:alnum:]]+)$`, ClusterExtensionReportsConditionWithoutReason)
 	sc.Step(`^(?i)ClusterExtensionRevision "([^"]+)" reports ([[:alnum:]]+) as ([[:alnum:]]+) with Reason ([[:alnum:]]+)$`, ClusterExtensionRevisionReportsConditionWithoutMsg)
+	sc.Step(`^(?i)ClusterExtensionRevision "([^"]+)" reports ([[:alnum:]]+) as ([[:alnum:]]+) with Reason ([[:alnum:]]+) and Message:$`, ClusterExtensionRevisionReportsConditionWithMsg)
 	sc.Step(`^(?i)ClusterExtension reports ([[:alnum:]]+) transition between (\d+) and (\d+) minutes since its creation$`, ClusterExtensionReportsConditionTransitionTime)
+	sc.Step(`^(?i)ClusterExtensionRevision is applied(?:\s+.*)?$`, ResourceIsApplied)
 	sc.Step(`^(?i)ClusterExtensionRevision "([^"]+)" is archived$`, ClusterExtensionRevisionIsArchived)
 	sc.Step(`^(?i)ClusterExtensionRevision "([^"]+)" contains annotation "([^"]+)" with value$`, ClusterExtensionRevisionHasAnnotationWithValue)
 	sc.Step(`^(?i)ClusterExtensionRevision "([^"]+)" has label "([^"]+)" with value "([^"]+)"$`, ClusterExtensionRevisionHasLabelWithValue)
@@ -80,7 +82,7 @@ func RegisterSteps(sc *godog.ScenarioContext) {
 	sc.Step(`^(?i)resource "([^"]+)" is installed$`, ResourceAvailable)
 	sc.Step(`^(?i)resource "([^"]+)" is available$`, ResourceAvailable)
 	sc.Step(`^(?i)resource "([^"]+)" is removed$`, ResourceRemoved)
-	sc.Step(`^(?i)resource "([^"]+)" is eventually not found$`, ResourceEventuallyNotFound)
+	sc.Step(`^(?i)resource "([^"]+)" is (?:eventually not found|not installed)$`, ResourceEventuallyNotFound)
 	sc.Step(`^(?i)resource "([^"]+)" exists$`, ResourceAvailable)
 	sc.Step(`^(?i)resource is applied$`, ResourceIsApplied)
 	sc.Step(`^(?i)resource "deployment/test-operator" reports as (not ready|ready)$`, MarkTestOperatorNotReady)
@@ -186,6 +188,7 @@ func substituteScenarioVars(content string, sc *scenarioContext) string {
 	vars := map[string]string{
 		"TEST_NAMESPACE": sc.namespace,
 		"NAME":           sc.clusterExtensionName,
+		"CER_NAME":       sc.clusterExtensionRevisionName,
 		"CATALOG_IMG":    "docker-registry.operator-controller-e2e.svc.cluster.local:5000/e2e/test-catalog:v1",
 	}
 	if v, found := os.LookupEnv("CATALOG_IMG"); found {
@@ -235,8 +238,8 @@ func ClusterExtensionVersionUpdate(ctx context.Context, version string) error {
 	return err
 }
 
-// ResourceIsApplied applies the provided YAML resource to the cluster and in case of ClusterExtension it captures its name in the test context
-// so that it can be referred to in later steps with ${NAME}
+// ResourceIsApplied applies the provided YAML resource to the cluster and in case of ClusterExtension or ClusterExtensionRevision it captures
+// its name in the test context so that it can be referred to in later steps with ${NAME} or ${CER_NAME}, respectively
 func ResourceIsApplied(ctx context.Context, yamlTemplate *godog.DocString) error {
 	sc := scenarioCtx(ctx)
 	yamlContent := substituteScenarioVars(yamlTemplate.Content, sc)
@@ -246,10 +249,12 @@ func ResourceIsApplied(ctx context.Context, yamlTemplate *godog.DocString) error
 	}
 	out, err := k8scliWithInput(yamlContent, "apply", "-f", "-")
 	if err != nil {
-		return fmt.Errorf("failed to apply resource %v %w", out, err)
+		return fmt.Errorf("failed to apply resource %v; err: %w; stderr: %s", out, err, stderrOutput(err))
 	}
 	if res.GetKind() == "ClusterExtension" {
 		sc.clusterExtensionName = res.GetName()
+	} else if res.GetKind() == "ClusterExtensionRevision" {
+		sc.clusterExtensionRevisionName = res.GetName()
 	}
 	return nil
 }
@@ -378,6 +383,17 @@ type msgMatchFn func(string) bool
 
 func alwaysMatch(_ string) bool { return true }
 
+func messageComparison(ctx context.Context, msg *godog.DocString) msgMatchFn {
+	msgCmp := alwaysMatch
+	if msg != nil {
+		expectedMsg := substituteScenarioVars(strings.Join(strings.Fields(msg.Content), " "), scenarioCtx(ctx))
+		msgCmp = func(actual string) bool {
+			return actual == expectedMsg
+		}
+	}
+	return msgCmp
+}
+
 func waitForCondition(ctx context.Context, resourceType, resourceName, conditionType, conditionStatus string, conditionReason *string, msgCmp msgMatchFn) error {
 	require.Eventually(godog.T(ctx), func() bool {
 		v, err := k8sClient("get", resourceType, resourceName, "-o", fmt.Sprintf("jsonpath={.status.conditions[?(@.type==\"%s\")]}", conditionType))
@@ -412,14 +428,7 @@ func waitForExtensionCondition(ctx context.Context, conditionType, conditionStat
 // ClusterExtensionReportsCondition waits for the ClusterExtension to have a condition matching the specified type,
 // status, reason, and exact message. Polls with timeout.
 func ClusterExtensionReportsCondition(ctx context.Context, conditionType, conditionStatus, conditionReason string, msg *godog.DocString) error {
-	msgCmp := alwaysMatch
-	if msg != nil {
-		expectedMsg := substituteScenarioVars(strings.Join(strings.Fields(msg.Content), " "), scenarioCtx(ctx))
-		msgCmp = func(actual string) bool {
-			return actual == expectedMsg
-		}
-	}
-	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, msgCmp)
+	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, messageComparison(ctx, msg))
 }
 
 // ClusterExtensionReportsConditionWithMessageFragment waits for the ClusterExtension to have a condition matching
@@ -512,6 +521,12 @@ func ClusterExtensionRevisionReportsConditionWithoutMsg(ctx context.Context, rev
 	return waitForCondition(ctx, "clusterextensionrevision", substituteScenarioVars(revisionName, scenarioCtx(ctx)), conditionType, conditionStatus, &conditionReason, nil)
 }
 
+// ClusterExtensionRevisionReportsConditionWithMsg waits for the named ClusterExtensionRevision to have a condition
+// matching type, status, reason, and message. Polls with timeout.
+func ClusterExtensionRevisionReportsConditionWithMsg(ctx context.Context, revisionName, conditionType, conditionStatus, conditionReason string, msg *godog.DocString) error {
+	return waitForCondition(ctx, "clusterextensionrevision", substituteScenarioVars(revisionName, scenarioCtx(ctx)), conditionType, conditionStatus, &conditionReason, messageComparison(ctx, msg))
+}
+
 // ClusterExtensionRevisionIsArchived waits for the named ClusterExtensionRevision to have Progressing=False
 // with reason Archived. Polls with timeout.
 func ClusterExtensionRevisionIsArchived(ctx context.Context, revisionName string) error {

test/e2e/steps/testdata/rbac-template.yaml

@@ -28,6 +28,8 @@ rules:
       - serviceaccounts
       - events
       - namespaces
+      - persistentvolumes
+      - persistentvolumeclaims
     verbs: [update, create, list, watch, get, delete, patch]
   - apiGroups: ["apps"]
     resources: