microshift-io · ggiguash · Oct 16, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
@@ -117,23 +117,23 @@ run:
 .PHONY: run-ready
 run-ready:
 	@echo "Waiting 5m for the MicroShift service to be ready"
-	@for _ in $$(seq 300); do \
+	@for _ in $$(seq 60); do \
 		if sudo podman exec -i "${USHIFT_IMAGE}" systemctl -q is-active microshift.service ; then \
 			printf "\nOK\n" && exit 0; \
 		fi ; \
-		echo -n "." && sleep 1 ; \
+		echo -n "." && sleep 5 ; \
 	done ; \
 	printf "\nFAILED\n" && exit 1
 
 .PHONY: run-healthy
 run-healthy:
-	@echo "Waiting 10m for the MicroShift service to be healthy"
+	@echo "Waiting 15m for the MicroShift service to be healthy"
 	@for _ in $$(seq 60); do \
 		state=$$(sudo podman exec -i "${USHIFT_IMAGE}" systemctl show --property=SubState --value greenboot-healthcheck) ; \
 		if [ "$${state}" = "exited" ] ; then \
 			printf "\nOK\n" && exit 0; \
 		fi ; \
-		echo -n "." && sleep 10 ; \
+		echo -n "." && sleep 15 ; \
 	done ; \
 	printf "\nFAILED\n" && exit 1
 

@@ -71,9 +71,9 @@ The following options can be specified in the make command line using the `NAME=
 
 This step includes:
 * Loading the `openvswitch` module required when OVN-K CNI driver is used
-  when compiled with the non-default `WITH_KINDNET=0` build option.
+  when compiled with the non-default `WITH_KINDNET=0` image build option.
 * Preparing a 1GB TopoLVM CSI backend on the host to be used by MicroShift when
-  compiled with the default `WITH_TOPOLVM=1` build option.
+  compiled with the default `WITH_TOPOLVM=1` image build option.
 
 ```bash
 make run

@@ -42,15 +42,23 @@ RUN "${USHIFT_PREBUILD_SCRIPT}" --replace "${OKD_REPO}" "${OKD_VERSION_TAG}"
 
 # Building all MicroShift downstream RPMs and SRPMs
 # hadolint ignore=DL3059
-RUN WITH_KINDNET=1 MICROSHIFT_VARIANT="community" \
-        make -C "${HOME}/microshift" rpm srpm
+RUN MICROSHIFT_VARIANT="community" make -C "${HOME}/microshift" rpm srpm
+
+# Building Kindnet upstream RPM
+COPY --chown=${USER}:${USER} ./src/kindnet/kindnet.spec "${HOME}/microshift/packaging/rpm/microshift.spec"
+COPY --chown=${USER}:${USER} ./src/kindnet/assets/  "${HOME}/microshift/assets/optional/"
+COPY --chown=${USER}:${USER} ./src/kindnet/dropins/ "${HOME}/microshift/packaging/kindnet/"
+COPY --chown=${USER}:${USER} ./src/kindnet/crio.conf.d/ "${HOME}/microshift/packaging/crio.conf.d/"
+# Prepare and build Kindnet upstream RPM
+RUN "${USHIFT_PREBUILD_SCRIPT}" --replace-kindnet "${OKD_REPO}" "${OKD_VERSION_TAG}" && \
+    MICROSHIFT_VARIANT="community" make -C "${HOME}/microshift" rpm
 
 # Building TopoLVM upstream RPM
-COPY --chmod=644 ./src/topolvm/topolvm.spec "${HOME}/microshift/packaging/rpm/microshift.spec"
-COPY ./src/topolvm/assets/  "${HOME}/microshift/assets/optional/topolvm/"
-COPY ./src/topolvm/dropins/ "${HOME}/microshift/packaging/microshift/dropins/"
-COPY ./src/topolvm/greenboot/ "${HOME}/microshift/packaging/greenboot/"
-COPY ./src/topolvm/release/ "${HOME}/microshift/assets/optional/topolvm/"
+COPY --chown=${USER}:${USER} ./src/topolvm/topolvm.spec "${HOME}/microshift/packaging/rpm/microshift.spec"
+COPY --chown=${USER}:${USER} ./src/topolvm/assets/  "${HOME}/microshift/assets/optional/topolvm/"
+COPY --chown=${USER}:${USER} ./src/topolvm/dropins/ "${HOME}/microshift/packaging/microshift/dropins/"
+COPY --chown=${USER}:${USER} ./src/topolvm/greenboot/ "${HOME}/microshift/packaging/greenboot/"
+COPY --chown=${USER}:${USER} ./src/topolvm/release/ "${HOME}/microshift/assets/optional/topolvm/"
 RUN MICROSHIFT_VARIANT="community" make -C "${HOME}/microshift" rpm
 
 # Post-build MicroShift configuration

@@ -4,7 +4,7 @@ set -euo pipefail
 MICROSHIFT_ROOT="/home/microshift/microshift"
 declare -A UNAME_TO_GOARCH_MAP=( ["x86_64"]="amd64" ["aarch64"]="arm64" )
 
-verify(){
+verify() {
     local -r okd_url=$1
     local -r okd_releaseTag=$2
 
@@ -14,11 +14,11 @@ verify(){
     fi
 }
 
-replace_assets(){
+replace_base_assets() {
     local -r okd_url=$1
     local -r okd_releaseTag=$2
     local -r arch=$(uname -m)
-    local -r temp_release_json=$(mktemp "/tmp/release-${arch}.XXXXX.json")
+    local -r temp_json=$(mktemp "/tmp/release-${arch}.XXXXX.json")
 
     # replace Microshift images with upstream (from OKD release)
     for op in $(jq -e -r  '.images | keys []' "${MICROSHIFT_ROOT}/assets/release/release-${arch}.json")
@@ -27,40 +27,33 @@ replace_assets(){
         image=$(oc adm release info --image-for="${op}" "${okd_url}:${okd_releaseTag}" || true)
         if [ -n "${image}" ] ; then
             echo "${op} ${image}"
-            jq --arg a "${op}" --arg b "${image}"  '.images[$a] = $b' "${MICROSHIFT_ROOT}/assets/release/release-${arch}.json" >"${temp_release_json}"
-            mv "${temp_release_json}" "${MICROSHIFT_ROOT}/assets/release/release-${arch}.json"
+            jq --arg a "${op}" --arg b "${image}"  '.images[$a] = $b' "${MICROSHIFT_ROOT}/assets/release/release-${arch}.json" >"${temp_json}"
+            mv "${temp_json}" "${MICROSHIFT_ROOT}/assets/release/release-${arch}.json"
         fi
     done
 
     pod_image=$(oc adm release info --image-for=pod "${okd_url}:${okd_releaseTag}" || true)
     # update the infra pods for crio
     sed -i 's,pause_image .*,pause_image = '"\"${pod_image}\""',' "${MICROSHIFT_ROOT}/packaging/crio.conf.d/10-microshift_${UNAME_TO_GOARCH_MAP[${arch}]}.conf"
+}
 
-    # kube proxy is required for kindnet
-    kube_proxy_okd_image_with_hash=$(oc adm release info --image-for="kube-proxy" "${okd_url}:${okd_releaseTag}")
-    echo "kube-proxy ${kube_proxy_okd_image_with_hash}"
-    # The OKD image we retrieve is in the format quay.io/okd/scos-content@sha256:<hash>,
-    # where the image name and digest (hash) are combined in a single string.
-    # However, in the kustomization.${arch}.yaml file, we need the image name (newName) and
-    # the digest in separate fields. To achieve this, we first extract the image name and digest
-    # using parameter expansion, then use the yq command to insert these values into the
-    # appropriate places within the YAML file.
-    kube_proxy_okd_image_name="${kube_proxy_okd_image_with_hash%%@*}"
-    kube_proxy_okd_image_hash="${kube_proxy_okd_image_with_hash##*@}"
-    # install yq tool to update the image and hash
+replace_olm_assets() {
+    local -r okd_url=$1
+    local -r okd_releaseTag=$2
+    local -r arch=$(uname -m)
+    local -r temp_json=$(mktemp "/tmp/release-olm-${arch}.XXXXX.json")
+
+    # Install the yq tool
     "${MICROSHIFT_ROOT}"/scripts/fetch_tools.sh yq
-    "${MICROSHIFT_ROOT}"/_output/bin/yq eval ".images[] |= select(.name == \"kube-proxy\") |= (.newName = \"${kube_proxy_okd_image_name}\" | .digest = \"${kube_proxy_okd_image_hash}\")" -i "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/kustomization.${arch}.yaml"
-    jq --arg img "$kube_proxy_okd_image_with_hash" '.images["kube-proxy"] = $img' "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/release-kube-proxy-${arch}.json" >"${temp_release_json}"
-    mv "${temp_release_json}" "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/release-kube-proxy-${arch}.json"
 
-    # replace olm images with upstream (from OKD release)
+    # Replace olm images with upstream (from OKD release)
     # This is extracted from openshift/microshift/scripts/auto-rebase/rebase.sh and modified to work with OKD release
     local olm_image_refs_file="${MICROSHIFT_ROOT}/assets/optional/operator-lifecycle-manager/image-references"
     local kustomization_arch_file="${MICROSHIFT_ROOT}/assets/optional/operator-lifecycle-manager/kustomization.${arch}.yaml"
     local olm_release_json="${MICROSHIFT_ROOT}/assets/optional/operator-lifecycle-manager/release-olm-${arch}.json"
 
     # Create the OLM release-${arch}.json file with base structure
-    jq -n '{"release": {"base": "unknown"}, "images": {}}' > "${olm_release_json}"
+    jq -n '{"release": {"base": "upstream"}, "images": {}}' > "${olm_release_json}"
 
     # Create extra kustomization for each arch in separate file
     cat <<EOF > "${kustomization_arch_file}"
@@ -92,8 +85,8 @@ EOF
 EOF
 
             # Update JSON file
-            jq --arg container "${container}" --arg img "${new_image}" '.images[$container] = $img' "${olm_release_json}" >"${temp_release_json}"
-            mv "${temp_release_json}" "${olm_release_json}"
+            jq --arg container "${container}" --arg img "${new_image}" '.images[$container] = $img' "${olm_release_json}" >"${temp_json}"
+            mv "${temp_json}" "${olm_release_json}"
         fi
     done
 
@@ -126,32 +119,71 @@ EOF
     fi
 }
 
-fix_rpm_spec(){
+replace_kindnet_assets() {
+    local -r okd_url=$1
+    local -r okd_releaseTag=$2
+    local -r arch=$(uname -m)
+    local -r temp_json=$(mktemp "/tmp/release-kindnet-${arch}.XXXXX.json")
+
+    # Install the yq tool
+    "${MICROSHIFT_ROOT}"/scripts/fetch_tools.sh yq
+
+    # kube proxy is required for kindnet
+    local -r image_with_hash=$(oc adm release info --image-for="kube-proxy" "${okd_url}:${okd_releaseTag}")
+    echo "kube-proxy ${image_with_hash}"
+    # The OKD image we retrieve is in the format quay.io/okd/scos-content@sha256:<hash>,
+    # where the image name and digest (hash) are combined in a single string.
+    # However, in the kustomization.${arch}.yaml file, we need the image name (newName) and
+    # the digest in separate fields. To achieve this, we first extract the image name and digest
+    # using parameter expansion, then use the yq command to insert these values into the
+    # appropriate places within the YAML file.
+    local -r image_name="${image_with_hash%%@*}"
+    local -r image_hash="${image_with_hash##*@}"
+
+    # Update the image and hash
+    "${MICROSHIFT_ROOT}"/_output/bin/yq eval \
+        ".images[] |= select(.name == \"kube-proxy\") |= (.newName = \"${image_name}\" | .digest = \"${image_hash}\")" \
+        -i "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/kustomization.${arch}.yaml"
+    jq --arg img "$image_with_hash" '.images["kube-proxy"] = $img' \
+        "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/release-kube-proxy-${arch}.json" >"${temp_json}"
+    mv "${temp_json}" "${MICROSHIFT_ROOT}/assets/optional/kube-proxy/release-kube-proxy-${arch}.json"
+}
+
+fix_rpm_spec() {
     # Fix the RPM spec by removing the microshift-networking package hard dependency
     sed -i 's/Requires: microshift-networking/Recommends: microshift-networking/' "${MICROSHIFT_ROOT}/packaging/rpm/microshift.spec"
 }
 
 usage() {
     echo "Usage:"
-    echo "$(basename "$0") --verify  OKD_URL RELEASE_TAG         verify upstream release"
-    echo "$(basename "$0") --replace OKD_URL RELEASE_TAG         replace microshift assets with upstream images"
+    echo "$(basename "$0") --verify          OKD_URL RELEASE_TAG    verify OKD upstream release"
+    echo "$(basename "$0") --replace         OKD_URL RELEASE_TAG    replace MicroShift assets with OKD upstream images"
+    echo "$(basename "$0") --replace-kindnet OKD_URL RELEASE_TAG    replace Kindnet assets with OKD upstream images"
     exit 1
 }
 
-if [ $# -eq 3 ] ; then
-    case "$1" in
-    --replace)
-        verify "$2" "$3"
-        replace_assets "$2" "$3"
-        fix_rpm_spec
-        ;;
-    --verify)
-        verify "$2" "$3"
-        ;;
-    *)
-        usage
-        ;;
-    esac
-else
+#
+# Main
+#
+if [ $# -ne 3 ] ; then
     usage
 fi
+
+case "$1" in
+--replace)
+    verify              "$2" "$3"
+    replace_base_assets "$2" "$3"
+    replace_olm_assets  "$2" "$3"
+    fix_rpm_spec
+    ;;
+--replace-kindnet)
+    verify                 "$2" "$3"
+    replace_kindnet_assets "$2" "$3"
+    ;;
+--verify)
+    verify "$2" "$3"
+    ;;
+*)
+    usage
+    ;;
+esac
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-kindnet
+  labels:
+    name: kube-kindnet
+    openshift.io/run-level: "0"
+    openshift.io/cluster-monitoring: "true"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  annotations:
+    openshift.io/node-selector: ""
+    openshift.io/description: "kindnet Kubernetes components"
+    workload.openshift.io/allowed: "management"
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kindnet
+  namespace: kube-kindnet
@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kindnet
+rules:
+  - apiGroups: [""]
+    resources:
+      - namespaces
+      - nodes
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+      - update
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+      - delete
+  - apiGroups: [""]
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+  - apiGroups: [""]
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ["", "events.k8s.io"]
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups: ["security.openshift.io"]
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+    resourceNames:
+      - privileged
+  - apiGroups: [""]
+    resources:
+      - "nodes/status"
+    verbs:
+      - patch
+      - update
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ['authentication.k8s.io']
+    resources: ['tokenreviews']
+    verbs: ['create']
+  - apiGroups: ['authorization.k8s.io']
+    resources: ['subjectaccessreviews']
+    verbs: ['create']
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kindnet
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kindnet
+subjects:
+  - kind: ServiceAccount
+    name: kindnet
+    namespace: kube-kindnet