openshift · JianLi-RH · Mar 24, 2026 · Mar 25, 2026 · coderabbitai · Mar 25, 2026
diff --git a/.openshift-tests-extension/openshift_payload_cluster-version-operator.json b/.openshift-tests-extension/openshift_payload_cluster-version-operator.json
@@ -72,5 +72,19 @@
     "source": "openshift:payload:cluster-version-operator",
     "lifecycle": "blocking",
     "environmentSelector": {}
+  },
+  {
+    "name": "[Jira:\"Cluster Version Operator\"] cluster-version-operator should not install resources annotated with release.openshift.io/delete=true",
+    "labels": {
+      "42543": {},
+      "Conformance": {},
+      "High": {}
+    },
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:cluster-version-operator",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
   }
 ]
diff --git a/pkg/cvo/external/dynamicclient/client.go b/pkg/cvo/external/dynamicclient/client.go
@@ -0,0 +1,14 @@
+package dynamicclient
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+
+	internaldynamicclient "github.com/openshift/cluster-version-operator/pkg/cvo/internal/dynamicclient"
+)
+
+// New returns the resource client using a singleton factory
+func New(config *rest.Config, gvk schema.GroupVersionKind, namespace string) (dynamic.ResourceInterface, error) {
+	return internaldynamicclient.New(config, gvk, namespace)
+}
diff --git a/test/cvo/cvo.go b/test/cvo/cvo.go
@@ -4,14 +4,18 @@ package cvo
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	g "github.com/onsi/ginkgo/v2"
 	o "github.com/onsi/gomega"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
+	"github.com/openshift/cluster-version-operator/pkg/cvo/external/dynamicclient"
 	"github.com/openshift/cluster-version-operator/pkg/external"
 	"github.com/openshift/cluster-version-operator/test/oc"
 	ocapi "github.com/openshift/cluster-version-operator/test/oc/api"
@@ -99,4 +103,48 @@ var _ = g.Describe(`[Jira:"Cluster Version Operator"] cluster-version-operator`,
 		sccAnnotation := cvoPod.Annotations["openshift.io/scc"]
 		o.Expect(sccAnnotation).To(o.Equal("hostaccess"), "Expected the annotation 'openshift.io/scc annotation' on pod %s to have the value 'hostaccess', but got %s", cvoPod.Name, sccAnnotation)
 	})
+
+	g.It(`should not install resources annotated with release.openshift.io/delete=true`, g.Label("Conformance", "High", "42543"), func() {
+		ctx := context.Background()
+		err := util.SkipIfHypershift(ctx, restCfg)
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to determine if cluster is HyperShift")
+		err = util.SkipIfMicroshift(ctx, restCfg)
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to determine if cluster is MicroShift")
+
+		pods, err := util.GetPodsByNamespace(ctx, kubeClient, external.DefaultCVONamespace, map[string]string{"k8s-app": "cluster-version-operator"})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(pods).NotTo(o.BeEmpty(), "Expected at least one CVO pod")
+
+		annotation := "release.openshift.io/delete"
+		manifestDir := "/release-manifests/"
+		command := []string{"find", manifestDir, "-iname", "*.yaml", "-exec", "grep", "-l", annotation, "{}", ";"}
+		files, err := util.ListFilesInPodContainer(ctx, restCfg, command, external.DefaultCVONamespace, pods[0].Name, "cluster-version-operator")
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(files).ToNot(o.BeEmpty(), "Expected to find files in manifests directory of CVO pod, but found none")
+
+		for _, f := range files {
+			fileContent, err := util.GetFileContentInPodContainer(ctx, restCfg, external.DefaultCVONamespace, pods[0].Name, "cluster-version-operator", f)
+			o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("Failed to get content of file %s in CVO pod", f))
+			o.Expect(fileContent).ToNot(o.BeEmpty(), fmt.Sprintf("Expected to get content of file %s in CVO pod, but got empty content", f))
+
+			if !strings.Contains(fileContent, annotation) {
+				continue
+			}
+
+			manifest, err := util.ParseManifest(fileContent)
+			o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("Failed to parse manifest content of file %s in CVO pod", f))
+
+			ann := manifest.Obj.GetAnnotations()
+			if ann[annotation] != "true" {
+				continue
+			}
+			logger.Info("Checking file: ", f, ", GVK:", manifest.GVK.String(), ", Name: ", manifest.Obj.GetName(), ", Namespace: ", manifest.Obj.GetNamespace())
+			client, err := dynamicclient.New(restCfg, manifest.GVK, manifest.Obj.GetNamespace())
+			o.Expect(err).NotTo(o.HaveOccurred())
+			_, err = client.Get(ctx, manifest.Obj.GetName(), metav1.GetOptions{})
+			o.Expect(apierrors.IsNotFound(err)).To(o.BeTrue(),
+				fmt.Sprintf("The deleted manifest should not be installed, but actually installed: manifest: %s %s in namespace %s from file %q, error: %v",
+					manifest.GVK, manifest.Obj.GetName(), manifest.Obj.GetNamespace(), f, err))
+		}
+	})
 })
diff --git a/test/oc/api/api.go b/test/oc/api/api.go
@@ -7,7 +7,8 @@ import (
 )
 
 type ReleaseExtractOptions struct {
-	To string
+	To       string
+	AuthFile string
 }
 
 type VersionOptions struct {

diff --git a/test/oc/cli/cli.go b/test/oc/cli/cli.go
@@ -83,6 +83,9 @@ func NewOCCli(o api.Options) (api.OC, error) {
 
 func (c *client) AdmReleaseExtract(o api.ReleaseExtractOptions) error {
 	args := []string{"adm", "release", "extract", fmt.Sprintf("--to=%s", o.To)}
+	if o.AuthFile != "" {
+		args = append(args, fmt.Sprintf("--registry-config=%s", o.AuthFile))
+	}
 	_, err := c.executor.Run(args...)
 	if err != nil {
 		return err

diff --git a/test/util/util.go b/test/util/util.go
@@ -4,17 +4,21 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"io"
+	"os"
 	"strings"
 	"time"
 
 	g "github.com/onsi/ginkgo/v2"
 	o "github.com/onsi/gomega"
+	"github.com/pkg/errors"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
@@ -23,6 +27,7 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	clientconfigv1 "github.com/openshift/client-go/config/clientset/versioned"
+	libmanifest "github.com/openshift/library-go/pkg/manifest"
 
 	"github.com/openshift/cluster-version-operator/pkg/external"
 )
@@ -103,6 +108,134 @@ func SkipIfMicroshift(ctx context.Context, restConfig *rest.Config) error {
 	return nil
 }
 
+// GetAuthFile retrieves the auth file from the specified secret and writes it to a temporary file, returning the file path.
+// e.g.: ns="openshift-config", secretName="pull-secret", key=".dockerconfigjson"
+func GetAuthFile(ctx context.Context, client kubernetes.Interface, ns string, secretName string, key string) (filePath string, err error) {
+	sec, err := client.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+	secretData, ok := sec.Data[key]
+	if !ok {
+		return "", fmt.Errorf("auth key not found in secret %s/%s", ns, secretName)
+	}
+	f, err := os.CreateTemp("", "ota-*")
+	if err != nil {
+		return "", fmt.Errorf("error creating temp file: %v", err)
+	}
+	defer func() {
+		_ = f.Close()
+	}()
+	if _, err := f.Write(secretData); err != nil {
+		_ = os.Remove(f.Name())
+		return "", fmt.Errorf("error writing to temp file: %v", err)
+	}
+	return f.Name(), nil
+}
+
+// GetPodsByNamespace retrieves the list of pods in the specified namespace with the given label selector.
+func GetPodsByNamespace(ctx context.Context, client kubernetes.Interface, namespace string, labelSelector map[string]string) ([]corev1.Pod, error) {
+	podList, err := client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{
+		LabelSelector: labels.FormatLabels(labelSelector),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error listing pods in namespace %s with label selector %v: %v", namespace, labelSelector, err)
+	}
+	return podList.Items, nil
+}
+
+// ListFilesInPodContainer executes the given command in the specified container of a pod and returns the output as a list of strings.
+func ListFilesInPodContainer(ctx context.Context, restConfig *rest.Config, command []string, namespace string, podName string, containerName string) ([]string, error) {
+	kubeClient, err := GetKubeClient(restConfig)
+	if err != nil {
+		return nil, err
+	}
+	results := []string{}
+	req := kubeClient.CoreV1().RESTClient().Post().
+		Resource("pods").
+		Name(podName).
+		Namespace(namespace).
+		SubResource("exec").
+		VersionedParams(&corev1.PodExecOptions{
+			Command:   command,
+			Container: containerName,
+			Stdout:    true,
+			Stderr:    true,
+		}, scheme.ParameterCodec)
+	exec, err := remotecommand.NewSPDYExecutor(restConfig, "POST", req.URL())
+	if err != nil {
+		return nil, fmt.Errorf("error creating executor for pod %s/%s: %v", namespace, podName, err)
+	}
+	var stdoutBuf, stderrBuf bytes.Buffer
+	err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+		Stdout: &stdoutBuf,
+		Stderr: &stderrBuf,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error executing command in pod %s/%s: %v, stderr: %s", namespace, podName, err, stderrBuf.String())
+	}
+	files := strings.Split(stdoutBuf.String(), "\n")
+	for _, file := range files {
+		if file == "" {
+			continue
+		}
+		results = append(results, file)
+	}
+	return results, nil
+}
+
+// GetFileContentInPodContainer executes the command to read the content of a file in the specified container of a pod and returns the content as a string.
+func GetFileContentInPodContainer(ctx context.Context, restConfig *rest.Config, namespace string, podName string, containerName string, filePath string) (string, error) {
+	kubeClient, err := GetKubeClient(restConfig)
+	if err != nil {
+		return "", err
+	}
+	command := []string{"cat", filePath}
+	req := kubeClient.CoreV1().RESTClient().Post().
+		Resource("pods").
+		Name(podName).
+		Namespace(namespace).
+		SubResource("exec").
+		VersionedParams(&corev1.PodExecOptions{
+			Command:   command,
+			Container: containerName,
+			Stdout:    true,
+			Stderr:    true,
+		}, scheme.ParameterCodec)
+	exec, err := remotecommand.NewSPDYExecutor(restConfig, "POST", req.URL())
+	if err != nil {
+		return "", fmt.Errorf("error creating executor for pod %s/%s: %v", namespace, podName, err)
+	}
+	var stdoutBuf, stderrBuf bytes.Buffer
+	err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+		Stdout: &stdoutBuf,
+		Stderr: &stderrBuf,
+	})
+	if err != nil {
+		return "", fmt.Errorf("error executing command in pod %s/%s: %v, stderr: %s", namespace, podName, err, stderrBuf.String())
+	}
+	return stdoutBuf.String(), nil
+}
+
+// ParseManifest parses the given file content as a Kubernetes manifest and returns a Manifest object.
+func ParseManifest(fileContent string) (libmanifest.Manifest, error) {
+	d := yaml.NewYAMLOrJSONDecoder(strings.NewReader(fileContent), 1024)
+	for {
+		m := libmanifest.Manifest{}
+		if err := d.Decode(&m); err != nil {
+			if err == io.EOF {
+				return m, nil
+			}
+			return m, errors.Wrapf(err, "error parsing")
+		}
+		m.Raw = bytes.TrimSpace(m.Raw)
+		if len(m.Raw) == 0 || bytes.Equal(m.Raw, []byte("null")) {
+			continue
+		}
+		return m, nil
+	}
+}
+
 // GetRestConfig loads the Kubernetes REST configuration from KUBECONFIG environment variable.
 func GetRestConfig() (*rest.Config, error) {
 	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{}).ClientConfig()