From cfddc744fb2994c043d976f3bf5a73f894d87153 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 13:34:45 +0200 Subject: [PATCH 1/9] Update RHOAI --- values-datacenter.yaml | 2 +- values-factory.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/values-datacenter.yaml b/values-datacenter.yaml index f8be4f663..c3da330bf 100644 --- a/values-datacenter.yaml +++ b/values-datacenter.yaml @@ -68,7 +68,7 @@ clusterGroup: ods: name: rhods-operator - channel: stable-2.16 + channel: stable-2.25 namespace: redhat-ods-operator projects: diff --git a/values-factory.yaml b/values-factory.yaml index 7719c31f3..3c4c82032 100644 --- a/values-factory.yaml +++ b/values-factory.yaml @@ -27,7 +27,7 @@ clusterGroup: namespace: manuela-stormshift-messaging - name: rhods-operator - channel: stable-2.16 + channel: stable-2.25 namespace: redhat-ods-operator projects: From b0839f6f9f56b2f7874722351555d5cd2be1567d Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 14:34:30 +0200 Subject: [PATCH 2/9] Fix makefile after patternizing --- Makefile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Makefile b/Makefile index 038a7904a..f95295389 100644 --- a/Makefile +++ b/Makefile @@ -6,12 +6,6 @@ default: show # No need to add a comment here as help is described in common/ ##@ Pattern tasks -help: - @make -f common/Makefile MAKEFILE_LIST="Makefile common/Makefile" help - -%: - make -f common/Makefile $* - .PHONY: install install: operator-deploy post-install ## installs the pattern, inits the vault and loads the secrets @echo "Installed" From 0bc0ac3121567d85608476218798d3da2a79ed7b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 14:35:05 +0200 Subject: [PATCH 3/9] Drop obsolete makefile targets --- Makefile | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/Makefile b/Makefile index f95295389..e174bc185 100644 --- a/Makefile +++ b/Makefile 
@@ -3,18 +3,7 @@ include Makefile-common default: show .PHONY: help -# No need to add a comment here as help is described in common/ ##@ Pattern tasks - -.PHONY: install -install: operator-deploy post-install ## installs the pattern, inits the vault and loads the secrets - @echo "Installed" - -.PHONY: post-install -post-install: ## Post-install tasks - make load-secrets - @echo "Done" - .PHONY: check-pipeline-resources check-pipeline-resources: ## wait for all seed resources to be present scripts/check-pipeline-resources.sh From 29e736eb7dea1faee693acc561ca9db889fca794 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 15:31:11 +0200 Subject: [PATCH 4/9] Use new org for utility container --- values-datacenter.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/values-datacenter.yaml b/values-datacenter.yaml index c3da330bf..7e154a0b1 100644 --- a/values-datacenter.yaml +++ b/values-datacenter.yaml @@ -219,7 +219,7 @@ clusterGroup: - "upstream_repo_url=https://github.com/validatedpatterns-demos/manuela-dev" timeout: 180 - name: copy-initial-model-to-incluster-s3 - image: quay.io/hybridcloudpatterns/utility-container:latest + image: quay.io/validatedpatterns/utility-container:latest playbook: ./ansible/playbooks/copy_initial_object_to_incluster_s3.yml extravars: - "bucket_name=user-bucket" @@ -227,7 +227,7 @@ clusterGroup: - "object_name=initial_model.joblib" timeout: 180 - name: copy-initial-training-data-to-incluster-s3 - image: quay.io/hybridcloudpatterns/utility-container:latest + image: quay.io/validatedpatterns/utility-container:latest playbook: ./ansible/playbooks/copy_initial_object_to_incluster_s3.yml extravars: - "bucket_name=user-bucket" From f110a1be2caab62aa356743f9f2e3d2797e1cb94 Mon Sep 17 00:00:00 2001 
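Review bot: Both jobs touched in PATCH 4/9, `copy-initial-model-to-incluster-s3` and `copy-initial-training-data-to-incluster-s3` (second hunk), still pull `quay.io/validatedpatterns/utility-container:latest`. That is a mutable tag, so whatever is pushed to it next is what runs these playbooks in the cluster. Since the registry org is changing anyway, this is a good moment to pin the image by digest, e.g. `image: quay.io/validatedpatterns/utility-container@sha256:<DIGEST_PLACEHOLDER>`, or at least to a released version tag. A one-line comment above the image naming the tag the digest was taken from would keep later bumps reviewable.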
From: Michele Baldessari Date: Fri, 17 Apr 2026 15:39:45 +0200 Subject: [PATCH 5/9] Trust in-cluster gitea by default --- ansible/playbooks/clone_upstream_repos_gitea.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/playbooks/clone_upstream_repos_gitea.yml b/ansible/playbooks/clone_upstream_repos_gitea.yml index 1078bdd55..73fb0650e 100644 --- a/ansible/playbooks/clone_upstream_repos_gitea.yml +++ b/ansible/playbooks/clone_upstream_repos_gitea.yml @@ -38,6 +38,7 @@ - name: Does repo already exist ansible.builtin.uri: + validate_certs: false url: "{{ gitea_repos_route }}" register: repo_exists failed_when: false @@ -48,6 +49,7 @@ - name: Migrate repository ansible.builtin.uri: + validate_certs: false url: "{{ gitea_migrate_route }}" user: "{{ gitea_username }}" password: "{{ gitea_password }}" From 5ecebed543f9b3d44420da40b39812be302a4eb8 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 16:01:35 +0200 Subject: [PATCH 6/9] Drop duplicate volumemount in jupyterlab --- .../data-science-project/templates/dev-project.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/datacenter/data-science-project/templates/dev-project.yaml b/charts/datacenter/data-science-project/templates/dev-project.yaml index d71d96afb..e8ef302d8 100644 --- a/charts/datacenter/data-science-project/templates/dev-project.yaml +++ b/charts/datacenter/data-science-project/templates/dev-project.yaml @@ -216,10 +216,6 @@ spec: name: elyra-dsp-details - mountPath: /dev/shm name: shm - - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt - name: ca-bundles - readOnly: true - subPath: ca-bundle.crt image: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/industrial-edge:industrial-edge-v0.1.0 workingDir: /opt/app-root/src - resources: From 4a0cb1e1c18375f74a1f3b8ca542d5b32b6ee808 Mon Sep 17 00:00:00 2001 
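Review bot: In PATCH 5/9, `validate_certs: false` on the `Migrate repository` task (second hunk) sends `gitea_username` and `gitea_password` over a TLS connection whose peer is never authenticated. The same switch on `Does repo already exist` (first hunk) means an unverified response feeds `repo_exists`, which presumably gates the migration. If the Gitea route certificate chains to a CA available to the job, keep verification on and point the module at that bundle: `ca_path: "{{ gitea_ca_bundle }}"` (placeholder variable name) instead of `validate_certs: false`. If it must stay off by default, make it overridable with `validate_certs: "{{ gitea_validate_certs | default(false) }}"` and a comment stating why. Both tasks continue outside the hunks.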
From: Michele Baldessari Date: Fri, 17 Apr 2026 16:04:30 +0200 Subject: [PATCH 7/9] Fix ca --- .../datacenter/data-science-project/templates/dev-project.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/datacenter/data-science-project/templates/dev-project.yaml b/charts/datacenter/data-science-project/templates/dev-project.yaml index e8ef302d8..5205f9a10 100644 --- a/charts/datacenter/data-science-project/templates/dev-project.yaml +++ b/charts/datacenter/data-science-project/templates/dev-project.yaml @@ -144,7 +144,7 @@ spec: - mountPath: /dev/shm name: shm - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt - name: ca-bundles + name: trusted-ca-bundle readOnly: true subPath: ca-bundle.crt containers: From 7dc7d5623c812c9dc78aadf65b27f0e1efd2eff2 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 16:16:13 +0200 Subject: [PATCH 8/9] Fix diff --- .../templates/dev-project.yaml | 85 +++++++++++++------ 1 file changed, 60 insertions(+), 25 deletions(-) diff --git a/charts/datacenter/data-science-project/templates/dev-project.yaml b/charts/datacenter/data-science-project/templates/dev-project.yaml index 5205f9a10..1eb68078d 100644 --- a/charts/datacenter/data-science-project/templates/dev-project.yaml +++ b/charts/datacenter/data-science-project/templates/dev-project.yaml 
@@ -110,24 +110,6 @@ spec: - 'true' weight: 1 initContainers: - - name: fetch-ca - image: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/industrial-edge:industrial-edge-v0.1.0 - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/openshift-service-ca/service-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/openshift-service-ca - name: openshift-service-ca - - mountPath: /tmp/ca-bundles - name: ca-bundles - name: git-init image: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/industrial-edge:industrial-edge-v0.1.0 imagePullPolicy: Always @@ -135,18 +117,12 @@ spec: - 'sh' - '-c' - >- - if [ ! -d /opt/app-root/src/manuela-dev ]; then export GIT_SSL_CAINFO=/etc/pki/tls/custom-certs/ca-bundle.crt; git clone --single-branch -b {{ .Values.global.git.dev_revision }} {{ $full_giturl }} /opt/app-root/src/manuela-dev; fi + if [ ! -d /opt/app-root/src/manuela-dev ]; then export GIT_SSL_NO_VERIFY=true; git clone --single-branch -b {{ .Values.global.git.dev_revision }} {{ $full_giturl }} /opt/app-root/src/manuela-dev; fi volumeMounts: - mountPath: /opt/app-root/src name: jupyterlab - mountPath: /opt/app-root/runtimes name: elyra-dsp-details - - mountPath: /dev/shm - name: shm - - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt - name: trusted-ca-bundle - readOnly: true - subPath: ca-bundle.crt containers: - resources: limits: 
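Review bot: In the `@@ -135,18 +117,12 @@` hunk the `git-init` command now exports `GIT_SSL_NO_VERIFY=true`, so the clone into `/opt/app-root/src/manuela-dev` accepts any certificate and the workbench starts from whatever the responding host serves. Later hunks of this patch add a `trusted-ca` volume backed by `workbench-trusted-ca-bundle`. Mounting it into `git-init` as well and keeping `export GIT_SSL_CAINFO=/etc/pki/tls/custom-certs/ca-bundle.crt;` in the command would retain verification, provided that bundle carries the CA signing the Git route, which is not visible from this hunk. If verification really has to be off, a comment above the command naming the reason would make the exception explicit. The `git-init` container definition starts in the context lines and the pod spec continues outside the hunk.

```yaml
# … unchanged: git-init image, imagePullPolicy, command (with GIT_SSL_CAINFO kept) …
volumeMounts:
  # … unchanged: jupyterlab and elyra-dsp-details mounts …
  - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt
    name: trusted-ca
    readOnly: true
    subPath: ca-bundle.crt
```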
@@ -216,6 +192,12 @@ spec: name: elyra-dsp-details - mountPath: /dev/shm name: shm + - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt + - mountPath: /opt/app-root/pipeline-runtimes/ + name: runtime-images image: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/industrial-edge:industrial-edge-v0.1.0 workingDir: /opt/app-root/src - resources: @@ -257,6 +239,8 @@ spec: protocol: TCP imagePullPolicy: Always volumeMounts: + - mountPath: /etc/oauth/client + name: oauth-client - mountPath: /etc/oauth/config name: oauth-config - mountPath: /etc/tls/private @@ -274,6 +258,9 @@ spec: - '--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' - '--email-domain=*' - '--skip-provider-button' + - '--client-id=jupyterlab-ml-development-oauth-client' + - '--client-secret-file=/etc/oauth/client/secret' + - '--scope=user:info user:check-access' - >- --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"jupyterlab","namespace":"$(NAMESPACE)"} - >- @@ -312,6 +299,21 @@ spec: defaultMode: 420 - name: ca-bundles emptyDir: {} + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: workbench-trusted-ca-bundle + optional: true + name: trusted-ca + - configMap: + name: pipeline-runtime-images + optional: true + name: runtime-images + - name: oauth-client + secret: + defaultMode: 420 + secretName: jupyterlab-oauth-client --- apiVersion: objectbucket.io/v1alpha1 kind: ObjectBucketClaim @@ -476,6 +478,14 @@ spec: name: s3-browser - mountPath: /dev/shm name: shm + - mountPath: /etc/pki/tls/custom-certs/ca-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt + - mountPath: /opt/app-root/pipeline-runtimes/ + name: runtime-images + - mountPath: /opt/app-root/runtimes + name: elyra-dsp-details envFrom: - secretRef: name: aws-connection-user-bucket 
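Review bot: In the `@@ -312,6 +299,21 @@` hunk the new `oauth-client` secret volume uses `defaultMode: 420` (0644), so the OAuth client secret at `/etc/oauth/client/secret` is readable by any user in the container that mounts it. The `s3-browser-oauth-client` volume in the `@@ -572,6 +587,25 @@` hunk has the same mode. A tighter `defaultMode: 288` (0440) or `defaultMode: 256` (0400) should be enough, assuming the proxy reads the file as owner or through the pod's fsGroup; confirm against the security context, which is outside the hunk. A short comment such as `# client secret read by oauth-proxy via --client-secret-file` above the volume would also document why it is mounted.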
@@ -520,6 +530,8 @@ spec: protocol: TCP imagePullPolicy: Always volumeMounts: + - mountPath: /etc/oauth/client + name: oauth-client - mountPath: /etc/oauth/config name: oauth-config - mountPath: /etc/tls/private @@ -537,6 +549,9 @@ spec: - '--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' - '--email-domain=*' - '--skip-provider-button' + - '--client-id=s3-browser-ml-development-oauth-client' + - '--client-secret-file=/etc/oauth/client/secret' + - '--scope=user:info user:check-access' - >- --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"s3-browser","namespace":"$(NAMESPACE)"} - >- @@ -572,6 +587,25 @@ spec: defaultMode: 420 - name: ca-bundles emptyDir: {} + - configMap: + items: + - key: ca-bundle.crt + path: ca-bundle.crt + name: workbench-trusted-ca-bundle + optional: true + name: trusted-ca + - configMap: + name: pipeline-runtime-images + optional: true + name: runtime-images + - name: elyra-dsp-details + secret: + optional: true + secretName: ds-pipeline-config + - name: oauth-client + secret: + defaultMode: 420 + secretName: s3-browser-oauth-client --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -583,6 +617,7 @@ metadata: subjects: - kind: ServiceAccount name: jupyterlab + namespace: ml-development roleRef: apiGroup: rbac.authorization.k8s.io kind: Role From fc28af04fb2829c1654daf4f30d8554312929d6b Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 17 Apr 2026 17:25:16 +0200 Subject: [PATCH 9/9] Fix gitops checks --- tests/interop/test_subscription_status_edge.py | 2 +- tests/interop/test_subscription_status_hub.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/interop/test_subscription_status_edge.py b/tests/interop/test_subscription_status_edge.py index a5ad2a014..3dc3c6293 100644 --- a/tests/interop/test_subscription_status_edge.py +++ b/tests/interop/test_subscription_status_edge.py 
@@ -12,7 +12,7 @@ def test_subscription_status_edge(openshift_dyn_client): # These are the operator subscriptions and their associated namespaces expected_subs = { - "openshift-gitops-operator": ["openshift-operators"], + "openshift-gitops-operator": ["openshift-gitops-operator"], "amq-broker-rhel8": ["manuela-stormshift-messaging"], "amq-streams": ["manuela-stormshift-messaging"], "red-hat-camel-k": ["manuela-stormshift-messaging"], diff --git a/tests/interop/test_subscription_status_hub.py b/tests/interop/test_subscription_status_hub.py index 0cd72b81d..5bc301851 100644 --- a/tests/interop/test_subscription_status_hub.py +++ b/tests/interop/test_subscription_status_hub.py @@ -19,7 +19,7 @@ def test_subscription_status_hub(openshift_dyn_client): # These are the operator subscriptions and their associated namespaces if ver == "4.18" or ver == "4.20" or ver == "4.21": expected_subs = { - "openshift-gitops-operator": ["openshift-operators"], + "openshift-gitops-operator": ["openshift-gitops-operator"], "advanced-cluster-management": ["open-cluster-management"], "openshift-pipelines-operator-rh": ["openshift-operators"], "amq-broker-rhel8": ["manuela-tst-all"],