Merge pull request opendatahub-io#591 from harshad16/sync-may14-main

Sync red-hat-data-services:main with odh:main

Author: harshad16

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -86,7 +86,7 @@ jobs:
       # for bin/buildinputs in scripts/sandbox.py
       - uses: actions/setup-go@v5
         with:
-          cache-dependency-path: "**/*.sum"
+          cache-dependency-path: "scripts/buildinputs/go.sum"
 
       - run: sudo apt-get update
 
@@ -335,7 +335,7 @@ jobs:
       - name: Run Testcontainers container tests (in PyTest)
         run: |
           set -Eeuxo pipefail
-          uv run pytest --capture=fd tests/containers -m 'not openshift' --image="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
+          uv run pytest --capture=fd tests/containers -m 'not openshift and not cuda and not rocm' --image="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
         env:
           DOCKER_HOST: "unix:///var/run/podman/podman.sock"
           TESTCONTAINERS_DOCKER_SOCKET_OVERRIDE: "/var/run/podman/podman.sock"
@@ -379,20 +379,23 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y software-properties-common curl
 
+          # https://github.com/cri-o/packaging?tab=readme-ov-file#distributions-using-deb-packages
+
           curl -fsSL https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/Release.key | \
             sudo gpg --dearmor --batch --yes -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
 
           echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/ /" | \
             sudo tee /etc/apt/sources.list.d/kubernetes.list
 
-          curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/$CRIO_VERSION/deb/Release.key | \
+          curl -fsSL https://download.opensuse.org/repositories/isv:/cri-o:/stable:/$CRIO_VERSION/deb/Release.key | \
             sudo gpg --dearmor --batch --yes -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
 
-          echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/$CRIO_VERSION/deb/ /" | \
+          echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://download.opensuse.org/repositories/isv:/cri-o:/stable:/$CRIO_VERSION/deb/ /" | \
             sudo tee /etc/apt/sources.list.d/cri-o.list
 
           sudo apt-get update
-          sudo apt-get install -y cri-o kubelet kubeadm kubectl
+          # [ERROR FileExisting-conntrack]: conntrack not found in system path
+          sudo apt-get install -y cri-o kubelet kubeadm kubectl conntrack
 
           # make use of /etc/cni/net.d/11-crio-ipv4-bridge.conflist so we don't
           # need a pod network and just use the default bridge
@@ -406,8 +409,12 @@ jobs:
 
           sudo systemctl start crio.service
         env:
-          CRIO_VERSION: v1.30
-          KUBERNETES_VERSION: v1.30
+          CRIO_VERSION: v1.32
+          # This has to be kept in sync with the packages above, otherwise
+          # [ERROR KubeletVersion]: the kubelet version is higher than the control plane version.
+          #  This is not a supported version skew and may lead to a malfunctional cluster.
+          #  Kubelet version: "1.33.0" Control plane version: "1.30.12"
+          KUBERNETES_VERSION: v1.33
 
       - name: Show crio debug data (on failure)
         if: ${{ failure() && steps.have-tests.outputs.tests == 'true' }}
@@ -464,10 +471,6 @@ jobs:
           # Once you have found the failing container, you can inspect its logs with:
           # crictl --runtime-endpoint unix:///var/run/crio/crio.sock logs CONTAINERID
 
-      - name: Untaint the master
-        if: ${{ steps.have-tests.outputs.tests == 'true' }}
-        run: kubectl taint nodes --all node-role.kubernetes.io/control-plane-
-
       - name: Show nodes status and wait for readiness
         if: ${{ steps.have-tests.outputs.tests == 'true' }}
         run: |
@@ -505,7 +508,7 @@ jobs:
         if: ${{ steps.have-tests.outputs.tests == 'true' }}
         run: |
           set -Eeuxo pipefail
-          uv run pytest --capture=fd tests/containers -m 'openshift' --image="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
+          uv run pytest --capture=fd tests/containers -m 'openshift and not cuda and not rocm' --image="${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
         env:
           # TODO(jdanek): this Testcontainers stuff should not be necessary but currently it has to be there
           DOCKER_HOST: "unix:///var/run/podman/podman.sock"
@@ -558,6 +561,56 @@ jobs:
 
       # endregion
 
+      # region check-payload for FIPS compliance
+
+      - id: check-payload-vars
+        run: |
+          echo "GOPATH=${{ github.workspace }}/go-check-payload" >> "$GITHUB_OUTPUT"
+        working-directory: scripts/check-payload
+
+      # for https://github.com/openshift/check-payload to cache the built binary
+      - uses: actions/setup-go@v5
+        with:
+          cache-dependency-path: "scripts/check-payload/go.sum"
+        env:
+          GOPATH: ${{ steps.check-payload-vars.outputs.GOPATH }}
+
+      # F0512 15:43:03.219076 21568 main.go:294] Error: exec: "oc": executable file not found in $PATH
+      - name: Install oc client
+        run: |
+          # Install the oc client
+          curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz -o /tmp/openshift-client-linux.tar.gz
+          tar -xzvf /tmp/openshift-client-linux.tar.gz oc
+          rm -f /tmp/openshift-client-linux.tar.gz
+          sudo mv ./oc /usr/local/bin
+
+      # perform `podman image mount` ourselves, and then follow the scenario from
+      # https://github.com/openshift/check-payload/pull/154, that is because
+      # `check-payload scan image --spec` insists on pulling the image, even if already present,
+      #  that causes trouble when checking PRs (image not pushed) and requires `podman login` as root
+      #  (we run podman as root in the GHA to reuse container storage in Kubernetes)
+      # use sudo to avoid
+      #  podman error (args=[image mount ghcr.io/...])
+      #  (stderr=Error: cannot use command "podman image mount" with the remote podman client
+      # and use --preserve-env=PATH to avoid
+      #  F0512 16:31:58.425584    9911 main.go:294] Error: exec: "podman": executable file not found in $PATH
+      - name: Check image with check-payload for FIPS compliance
+        run: |
+          set -Eeuxo pipefail
+          # resolve podman under current user, not under sudo/root
+          PODMAN="$(which podman)"
+          # mount the image
+          IMAGE_MOUNT_DIR=$(sudo "${PODMAN}" image mount "${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}")
+          # run the check-payload scan
+          sudo --preserve-env=PATH go run github.com/openshift/check-payload scan local --path "${IMAGE_MOUNT_DIR}"
+          # unmount the image
+          sudo "${PODMAN}" image unmount --all
+        working-directory: scripts/check-payload
+        env:
+          GOPATH: ${{ steps.check-payload-vars.outputs.GOPATH }}
+
+      # endregion
+
       # region Typescript (browser) image tests
 
       # https://playwright.dev/docs/ci
@@ -587,7 +640,7 @@ jobs:
             --volume ${PODMAN_SOCK}:/var/run/docker.sock \
             --volume ${PWD}:/mnt \
             --volume /mnt/node_modules \
-            mcr.microsoft.com/playwright:v1.48.1-noble \
+            mcr.microsoft.com/playwright:v1.52.0-noble \
             /bin/bash <<EOF
               set -Eeuxo pipefail
               cd /mnt

.github/workflows/build-notebooks-pr-rhel.yaml

@@ -14,7 +14,7 @@ permissions:
 env:
   # language=json
   contributors: |
-    ["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters"]
+    ["atheo89", "andyatmiami", "caponetto", "daniellutz", "dibryant", "harshad16", "jesuino", "jiridanek", "jstourac", "paulovmr", "Fiona-Waters", "grdryn"]
 
 jobs:
   gen:

.github/workflows/code-quality.yaml

@@ -82,11 +82,13 @@ jobs:
       - name: Validate JSON files (just syntax)
         id: validate-json-files
         run: |
+          set -Eeuxo pipefail
+
           type json_verify || sudo apt-get -y install yajl-tools
           shopt -s globstar
           ret_code=0
           echo "-- Checking a regular '*.json' files"
-          for f in **/*.json; do echo "Checking: '${f}"; echo -n "  > "; cat $f | json_verify || ret_code=1; done
+          for f in **/*.json; do echo "Checking: '${f}"; echo -n "  > "; [[ "$(basename "$f")" == "tsconfig.json" ]] && echo "Skipping ${f}" && continue; cat $f | json_verify || ret_code=1; done
           echo "-- Checking a 'Pipfile.lock' files"
           for f in **/Pipfile.lock; do echo "Checking: '${f}"; echo -n "  > "; cat $f | json_verify || ret_code=1; done
           echo "-- Checking a '*.ipynb' Jupyter notebook files"

.github/workflows/params-env.yaml

@@ -6,9 +6,9 @@ on:  # yamllint disable-line rule:truthy
     paths:
       - 'manifests/base/commit.env'
       - 'manifests/base/params.env'
+      - 'manifests/base/commit-latest.env'
+      - 'manifests/base/params-latest.env'
       - 'ci/check-params-env.sh'
-      - 'ci/check-runtime-images.sh'
-      - 'manifests/base/runtime-*-imagestream.yaml'
   workflow_dispatch:
 
 permissions:
@@ -27,8 +27,3 @@ jobs:
       - name: Validate the 'manifests/base/params.env' file content
         run: |
           bash ./ci/check-params-env.sh
-
-      - name: Validate references for runtime images
-        id: validate-runtime-images-references
-        run: |
-          bash ./ci/check-runtime-images.sh