CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks#31382
CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks#31382YamunadeviShanmugam wants to merge 4 commits into
Conversation
Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: automatic mode |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds extensive OpenShift API server extended tests covering feature gates, CBOR operations, image pull secrets, admission webhooks, operator recovery, ClusterResourceQuota enforcement, APF stress, authentication, audit, encryption, and certificate validation, supported by shared helpers and embedded kube-burner fixtures. ChangesAPI server extended test coverage
Estimated code review effort: 5 (Critical) | ~120 minutes Sequence Diagram(s)sequenceDiagram
participant ExtendedTest
participant OPAWebhook
participant KubeAPIServer
participant Resource
ExtendedTest->>OPAWebhook: configure policy and TLS
ExtendedTest->>KubeAPIServer: submit resource operation
KubeAPIServer->>OPAWebhook: admission review
OPAWebhook-->>KubeAPIServer: allow or deny
KubeAPIServer->>Resource: apply accepted operation
ExtendedTest->>KubeAPIServer: verify operator conditions and resource state
Suggested reviewers: Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 4 warnings)
✅ Passed checks (10 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 15
🧹 Nitpick comments (6)
test/extended/prometheus/upgrade.go (1)
118-123: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winSimplify substring counting and avoid searching YAML metadata.
Using a regular expression to match a static string is inefficient, and printing the resulting slice of identical strings (e.g.,
[failed failed]) is not helpful for debugging. Furthermore, searching the full-o yamloutput risks matching the wordfailedin annotations, labels, or other metadata, leading to false positives.Consider outputting only the
.datapayload and usingstrings.Countfor a simpler, clearer, and more robust check. As per coding guidelines, favor clarity and maintainability over cleverness.♻️ Proposed refactor for clarity and accuracy
- result, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("cm/log", "-n", "ocp-34223-proj", "-o", "yaml").Output() + result, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("cm/log", "-n", "ocp-34223-proj", "-o", "jsonpath={.data}").Output() o.Expect(err).NotTo(o.HaveOccurred()) - failures := regexp.MustCompile(`failed`).FindAllString(result, -1) - if len(failures) > 1 { - e2e.Failf("upgrade disruption detected in monitor log: %v", failures) + failuresCount := strings.Count(result, "failed") + if failuresCount > 1 { + e2e.Failf("upgrade disruption detected in monitor log: found 'failed' %d times", failuresCount) }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/prometheus/upgrade.go` around lines 118 - 123, Update the Prometheus upgrade check around the oc.AsAdmin().WithoutNamespace().Run call to request only the ConfigMap’s .data payload instead of full YAML, then replace the regexp-based failure search with strings.Count. Preserve the existing threshold of more than one occurrence, and report the count in e2e.Failf rather than a slice of repeated matches.Source: Coding guidelines
test/extended/apiserver/helpers.go (2)
271-271: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winUse
net.JoinHostPortinstead offmt.Sprintffor host:port.Raw
%s:%sbreaks for IPv6 hostnames (missing bracket notation);net.JoinHostPorthandles this correctly.-targetURL := fmt.Sprintf("https://%s:%s/healthz", fqdnName, port) +targetURL := fmt.Sprintf("https://%s/healthz", net.JoinHostPort(fqdnName, port))🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/apiserver/helpers.go` at line 271, Update the targetURL construction to use net.JoinHostPort with fqdnName and port, preserving the /healthz suffix so host:port formatting remains correct for IPv4, hostnames, and IPv6 addresses.Source: Linters/SAST tools
264-269: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet an explicit
MinVersionon the TLS client config.Go's client-side default minimum is currently TLS 1.2, but pinning it explicitly (ideally TLS 1.3) documents intent and protects against future default changes.
TLSClientConfig: &tls.Config{ RootCAs: caCertPool, + MinVersion: tls.VersionTLS13, },🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/apiserver/helpers.go` around lines 264 - 269, Update the TLS client configuration in the HTTP transport to set an explicit MinVersion, preferably tls.VersionTLS13, while preserving the existing RootCAs configuration.Source: Linters/SAST tools
test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml (1)
8-21: 🔒 Security & Privacy | 🔵 TrivialNo explicit
securityContexton the stress container.Checkov flags missing
allowPrivilegeEscalation: falseand root-container admission. In practice this is mitigated sinceloadCPUMemWorkload(helpers.go) explicitly labels the target namespacepod-security.kubernetes.io/enforce=privilegedbefore applying this template, so it's not a functional blocker — but adding an explicitsecurityContextwould still be good defense-in-depth per the path instructions for Kubernetes manifests.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml` around lines 8 - 21, Add an explicit securityContext to the stress container in kube-burner-cpu-stress-pod.yml, setting allowPrivilegeEscalation to false and configuring the container to run as a non-root user where compatible with the stress image. Keep the existing command, resources, and restart policy unchanged.Sources: Path instructions, Linters/SAST tools
test/extended/apiserver/webhooks.go (2)
146-240: 📐 Maintainability & Code Quality | 🔵 TrivialDuplicated namespace/DC-creation/rollout-wait flow between OCP-55494 and OCP-77919.
Both
g.Itblocks repeat the same "create test-ns, label it, create mydc, wait for rollout" sequence almost verbatim (159-178 vs 213-232). Could be extracted into a shared helper to reduce duplication, though this is purely a maintainability nit for test code.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/apiserver/webhooks.go` around lines 146 - 240, Extract the duplicated namespace creation, labeling, DeploymentConfig creation, and initial rollout-wait sequence from the OCP-55494 and OCP-77919 g.It blocks into a shared helper. Replace both inline flows with calls to that helper, preserving their existing namespace names, assertions, polling behavior, and error messages.
66-98: 🔒 Security & Privacy | 🔵 TrivialAvoid
bash -cshell wrapper for exec.Command.Static analysis (OpenGrep/ast-grep) flags every
exec.Command("bash", "-c", <dynamic string>)call in this file as a command-injection risk. None of the interpolated values here are attacker-controlled (they'retmpdirpaths built fromos.TempDir()+compat_otp.GetRandomString(), or fixed constants likedirname/exceptions), so this isn't currently exploitable, but it's a recurring anti-pattern the path instructions call out explicitly for command execution. Prefer invoking binaries directly (e.g.exec.Command("openssl", "genrsa", "-out", caKeypem, "2048")) instead of shelling out, which also sidesteps future risk if any of these values are ever derived from less-trusted input.As per path instructions,
**/*.{py,js,ts,go,rs,java,rb,php,kt,swift,cs}: "Command: no shell=True, os.system, or backtick exec with user input."Also applies to: 120-122, 181-190, 535-536, 554-555
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/apiserver/webhooks.go` around lines 66 - 98, Replace the dynamic bash -c invocations in the webhook certificate setup and the other flagged command-execution sites with direct exec.Command calls, passing the executable and each argument separately. Update the command loops and related symbols such as serverconfCMD so no shell command strings are constructed or interpreted, while preserving the existing OpenSSL and file-generation behavior.Sources: Path instructions, Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/apiserver/featuregate.go`:
- Around line 190-215: Extract the duplicated feature-gate restoration logic
from both deferred restore blocks into a shared restoreFeatureGateConfig helper,
placed with the existing helpers. Have it accept the CLI and original feature
settings, build and apply the same patch, and return any patch error; update
both tests to call it while preserving their existing warning and kube-apiserver
stabilization behavior.
- Around line 234-286: Extract the duplicated customNoUpgrade merge, patch, and
kube-apiserver rollout logic from the two tests into a shared enableFeatureGates
helper accepting oc and gatesToAdd and returning whether all requested gates
were already enabled plus an error. Update both call sites to use the helper,
preserving existing feature-set selection, no-change handling, rollout waits,
and health verification while differing only in the gate names passed.
- Around line 535-539: Update the deletion poll assigned to errDel so it
verifies that the pod get operation returns a NotFound/error condition, matching
the existing pollUntilDeleted pattern, instead of checking table output for the
quoted “Running” status. Keep polling while the pod exists and return success
only after test-pod-nginx has been deleted, preserving
compat_otp.AssertWaitPollNoErr for reporting failures.
- Around line 412-428: The kubeconfig extraction block should use
client-go/clientcmd parsing instead of grep/awk/base64 pipelines. Replace the
dead clusterName lookup and shell commands with loading the selected kubeconfig
context, retrieving its cluster CA and user client certificate/key data, and
writing those bytes directly to certCA, clientKey, and clientCert while
preserving the existing error assertions.
In `@test/extended/apiserver/helpers.go`:
- Around line 469-489: Update getServiceIP so the all-namespaces service
cluster-IP query runs once before the lastOctet loop; retain its error
assertion, then check the returned service IP list against each candidate in
memory while preserving the existing fallback when no address is available.
- Around line 273-297: Update the polling callback around client.Get to create
an HTTP request using the provided ctx and execute it through the existing
client, ensuring each attempt is canceled when the poll context expires.
Configure an appropriate client-level timeout as an additional bound, while
preserving the existing retry and certificate-processing behavior.
- Around line 599-611: Update checkResources to count output rows rather than
whitespace-separated fields: after trimming each successful resource output,
count its lines and store that value in counts[resource]. Preserve the existing
handling for command errors and empty output.
- Around line 566-597: Update checkClusterLoad so memory parsing uses the second
percentage on each node line rather than the first CPU percentage; ensure
memTotal reflects MEMORY% while CPU parsing remains unchanged. Use the existing
cpuMatches and memMatches flow, or otherwise parse the output columns
explicitly.
- Around line 613-675: Update loadCPUMemWorkload to launch kube-burner with
exec.CommandContext and a bounded timeout, creating and cancelling the context
around the child process execution. Preserve the existing arguments,
CombinedOutput handling, and skip message while ensuring a stuck process is
terminated after the timeout.
In `@test/extended/apiserver/webhooks.go`:
- Around line 108-110: Update setupOPAWebhook and the corresponding second g.It
block to revoke the privileged SCC grant during deferred cleanup. Add cleanup
that removes the system:serviceaccount:opa:default subject from the privileged
SCC binding using the matching oc adm policy command, while preserving the
existing namespace and opa-viewer cleanup.
- Around line 520-543: Ensure the APF stress scenario does not continue when the
pre-check in checkClusterLoad prevents loadCPUMemWorkload from starting. Track
whether the stress workload was launched, then fail fast or skip before the
verification poll when it was not started; retain the existing cleanup defer
only for a started workload and keep the normal pod-completion and health checks
for the active workload path.
- Around line 601-652: The quota-boundary checks currently reuse the initial
pods and resource usage snapshot despite creating a ServiceMonitor beforehand.
Re-query the cluster resource quota status immediately before the ServiceMonitor
and pod boundary loops, refresh the relevant usage values (including pods and
ServiceMonitors), and use those refreshed counts to determine expected successes
and quota-exceeded cases.
In `@test/extended/prometheus/upgrade.go`:
- Around line 114-116: Update the ConfigMap existence check around cmExistsCmd
and err so the test skips only when the command reports a resource-not-found
condition, including the expected “NotFound” response for a specific cm/log
query. Do not skip for arbitrary command execution errors; propagate or fail
those errors through the existing test error-handling path.
- Line 111: Handle the error returned by Execute() in the deferred namespace
cleanup for ocp-34223-proj. Update the defer logic around
AsAdmin().WithoutNamespace().Run("delete") so cleanup failures are explicitly
checked and reported, without silently discarding the error.
In `@test/extended/testdata/apiserver/kube-burner-cpu-stress.yml`:
- Around line 11-13: Regenerate the embedded assets represented by
test/extended/testdata/bindata.go from the corrected
test/extended/testdata/apiserver/kube-burner-cpu-stress.yml, using the
repository’s standard generation command such as make update. Ensure
_testExtendedTestdataApiserverKubeBurnerCpuStressYml matches podWait: true and
cleanup: false; both listed sites require synchronization, with no manual
divergence between the source fixture and compiled asset.
---
Nitpick comments:
In `@test/extended/apiserver/helpers.go`:
- Line 271: Update the targetURL construction to use net.JoinHostPort with
fqdnName and port, preserving the /healthz suffix so host:port formatting
remains correct for IPv4, hostnames, and IPv6 addresses.
- Around line 264-269: Update the TLS client configuration in the HTTP transport
to set an explicit MinVersion, preferably tls.VersionTLS13, while preserving the
existing RootCAs configuration.
In `@test/extended/apiserver/webhooks.go`:
- Around line 146-240: Extract the duplicated namespace creation, labeling,
DeploymentConfig creation, and initial rollout-wait sequence from the OCP-55494
and OCP-77919 g.It blocks into a shared helper. Replace both inline flows with
calls to that helper, preserving their existing namespace names, assertions,
polling behavior, and error messages.
- Around line 66-98: Replace the dynamic bash -c invocations in the webhook
certificate setup and the other flagged command-execution sites with direct
exec.Command calls, passing the executable and each argument separately. Update
the command loops and related symbols such as serverconfCMD so no shell command
strings are constructed or interpreted, while preserving the existing OpenSSL
and file-generation behavior.
In `@test/extended/prometheus/upgrade.go`:
- Around line 118-123: Update the Prometheus upgrade check around the
oc.AsAdmin().WithoutNamespace().Run call to request only the ConfigMap’s .data
payload instead of full YAML, then replace the regexp-based failure search with
strings.Count. Preserve the existing threshold of more than one occurrence, and
report the count in e2e.Failf rather than a slice of repeated matches.
In `@test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml`:
- Around line 8-21: Add an explicit securityContext to the stress container in
kube-burner-cpu-stress-pod.yml, setting allowPrivilegeEscalation to false and
configuring the container to run as a non-root user where compatible with the
stress image. Keep the existing command, resources, and restart policy
unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 9832f67a-fdf7-45b3-afb3-bb006aa05ecc
📒 Files selected for processing (9)
go.modtest/extended/apiserver/featuregate.gotest/extended/apiserver/helpers.gotest/extended/apiserver/pull_secrets.gotest/extended/apiserver/webhooks.gotest/extended/prometheus/upgrade.gotest/extended/testdata/apiserver/kube-burner-cpu-stress-pod.ymltest/extended/testdata/apiserver/kube-burner-cpu-stress.ymltest/extended/testdata/bindata.go
2b72d09 to
ab3de70
Compare
|
/retitle CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks |
|
@YamunadeviShanmugam: This pull request references CNTRLPLANE-2157 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
ab3de70 to
2e67fa2
Compare
| e2e "k8s.io/kubernetes/test/e2e/framework" | ||
| ) | ||
|
|
||
| var _ = g.Describe("[sig-api-machinery][Feature:APIServer][Feature:FeatureGate]", func() { |
There was a problem hiding this comment.
remove this [Feature:FeatureGate]"
0266077 to
f610846
Compare
|
@coderabbitai: review |
|
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Actionable comments posted: 17
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/apiserverauth/apiserver_util.go`:
- Around line 1312-1349: Update clientCurl’s TLS configuration to remove
InsecureSkipVerify and configure TLSClientConfig.RootCAs with the trusted
cluster CA pool, preserving bearer-token requests while enforcing server
certificate verification through the configured proxy.
- Around line 509-520: Update GetAlertsByName to use alertName when processing
the result from mon.GetAlerts, returning only the matching alert rather than all
alerts; preserve the existing error handling and return an appropriate empty
result when no alert matches.
- Around line 2035-2049: Update parseRapidastJsonReport to unmarshal jsonContent
into the expected RapiDAST report structure instead of counting risk codes with
regexes, and return parsing or validation errors to the caller. Require the
findings section to be present and valid before calculating riskHigh and
riskMedium, so missing or malformed reports fail closed rather than being
treated as clean scans.
- Around line 246-278: The stability delay inside waitCoBecomes must not bypass
the PollUntilContextTimeout deadline. Replace the blocking time.Sleep in the
True/False/False health branch with a context-aware timer that returns when cxt
is canceled or its duration elapses, preserving the final status recheck only
after the delay completes.
- Around line 2300-2313: The configuration flow around getSAToken must not
persist the privileged token in the caller’s file or a ConfigMap. Generate a
fresh per-attempt configuration from the original configFile by replacing
AUTH_TOKEN in memory, store it through a Secret or projected token mechanism,
and ensure retries obtain and use a newly generated token for the current
service account.
- Around line 2395-2421: The pod readiness result and pod-log retrieval error
are currently ignored, allowing unavailable scan reports to pass. In the
readiness polling flow, capture the error returned by
wait.PollUntilContextTimeout and fail the operation with diagnostics when it is
non-nil; then update the GetSpecificPodLogs handling to return false with the
underlying error instead of substituting placeholder logs. Ensure every Go error
return in this flow is handled.
- Around line 2470-2495: Update the endpoint-reporting logic around the
verification summary and the loops near the later report blocks to derive
coverage and status from the parsed report and testedEndpoints data. Require
each requested Kubernetes and OpenShift endpoint to be present in the report,
fail the test when any endpoint is missing, and remove unconditional “COVERED”,
“PASS”, or “WARN” output; print statuses only from actual findings and test
results.
- Around line 1217-1235: The kube-apiserver branch of verifyHypershiftCiphers
must stop interpolating the ConfigMap output into jq via bash -c. Parse the JSON
in out directly in Go, following the existing verifyCiphers approach, and derive
servingInfo.cipherSuites and servingInfo.minTLSVersion without invoking a shell
or reparsing cluster-controlled content.
- Around line 1488-1521: Update urlHealthCheck and the corresponding helper at
the second polling block so each HTTP operation creates an
http.NewRequestWithContext using the polling context and executes it with
client.Do instead of client.Get. Configure an appropriate client timeout, and
construct both HTTPS endpoints with net.JoinHostPort rather than string
formatting, preserving existing polling and response handling.
- Line 533: Update LoadCPUMemWorkload and both clusterbuster workload
invocations to honor workLoadtime instead of hard-coding 7200 seconds. Run
clusterbuster directly with a bounded context rather than through a shell
background command, retain control of the process, and ensure it is awaited or
stopped before the function returns so no load survives into later specs or
deferred cleanup.
- Around line 1086-1091: Update getNewUser to pass the command variable, which
contains “htpasswd”, to exec.LookPath instead of the literal string “command”;
preserve the existing missing-command failure handling.
- Around line 228-243: Update CheckIfResourceAvailable so the loop validates
every entry in resourceNames with the existing expectation, rather than
returning during the first iteration. Return the complete output and success
status only after all requested resource names have been checked.
- Around line 1679-1710: Replace the three error-message checks using
strings.ContainsAny in clusterSanityCheck with strings.Contains, preserving each
existing target message and diagnostic behavior. Update the checks for node
access, certificate verification, and project creation errors; do not alter
unrelated retry or logging logic.
- Around line 1827-1857: In createSecretsWithQuotaValidation, validate the
quota-rejection error specifically instead of treating any failure as success.
Replace the literal strings.Contains check with matching that recognizes the
expected “secrets.*forbidden: exceeded quota” pattern, and assert that this
match succeeds when the quota is reached so authentication, transport, or syntax
errors fail the test.
- Around line 97-111: In compareAPIServerWebhookConditions, avoid mutating the
conditionStatus parameter when handling a flow-collector webhook match. Create a
per-iteration or per-poll local expected-status value initialized from
conditionStatus, override only that local value to "True", and compare against
it so the original status remains unchanged for subsequent conditionTypes.
- Around line 136-166: Update the encryption-type validation in the function
containing the etcd encryption-prefix polling so unsupported or disabled values
return an error immediately instead of only logging and continuing. Preserve the
existing polling behavior for the supported aesabc and aesgcm values, and ensure
the returned error clearly identifies the invalid encryption type.
- Around line 170-185: Update GetEncryptionKeyNumber to return the command and
strconv.Atoi errors instead of logging them and returning a nil error. Compile
the patten regex with error handling rather than regexp.MustCompile, and
validate that FindAllStringIndex returns at least one match before indexing
locs; return an appropriate error for invalid patterns or no matches.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: e7c511c0-8c66-4ba7-868e-ecb27a0a9c36
📒 Files selected for processing (5)
test/extended/apiserver/featuregate.gotest/extended/apiserver/helpers.gotest/extended/apiserver/webhooks.gotest/extended/apiserverauth/apiserver_util.gotest/extended/testdata/bindata.go
🚧 Files skipped from review as they are similar to previous changes (3)
- test/extended/apiserver/webhooks.go
- test/extended/apiserver/featuregate.go
- test/extended/apiserver/helpers.go
8f46c0b to
755ab8e
Compare
Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
755ab8e to
05c0f5e
Compare
|
@coderabbitai: Addressed the review comments, Skipped the Issues for valid reasons
|
|
Tip For best results, initiate chat on the files or code changes.
If you decide to track any of the deferred items separately, let me know and I can create focused follow-up GitHub issues. |
This commit fixes two CI verification failures: 1. Add missing test data files that were referenced in tests but not committed to the repository: - application-template-stibuild.json - ocp-70369.yaml, ocp10873-dc.yaml, ocp10873-svc.json - ocp9853-limits.yaml, ocp9853-quota.yaml 2. Fix KUBECONFIG requirement in compat_otp package init() function. The init() was unconditionally requiring KUBECONFIG to be set, which caused `go run ./cmd/openshift-tests images` to fail during the verify-generated step. Now it skips the check when OPENSHIFT_SKIP_EXTERNAL_TESTS is set, allowing non-test commands to run without requiring KUBECONFIG. Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: YamunadeviShanmugam The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@YamunadeviShanmugam: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
PR_Results_FeatureGates_Webhooks_Pullsecret.txt
Adds apiserver test cases migrated to the OTE
Feature Gate tests (featuregate.go):
Pull Secret tests (pull_secrets.go):
Webhook tests (webhooks.go):
helpers.go — Shared helpers
kube-burner configs — Pod template and job config for CPU stress testing with PodSecurity privileged namespace labels
Testing
Pull secret
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-12036] User can pull a private image from a registry when a pull secret is defined [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11905] Use well-formed pull secret with incorrect credentials will fail to build and deploy [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11138] Deploy will fail with incorrectly formed pull secrets [apigroup:build.openshift.io][apigroup:apps.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-70369] Use bound service account tokens when generating pull secrets [apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"
Feature Gates
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-1] should reject removed LatencySensitive featureset [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-2][OCP-74460] NoUpgrade featuresets are immutable once set [Slow][Disruptive][apigroup:config.openshift.io][Timeout:30m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80286] Handle undecryptable resources [Slow][Disruptive][apigroup:config.openshift.io][apigroup:operator.openshift.io][Timeout:90m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80554] Verify the CBOR workflow [Slow][Disruptive][apigroup:config.openshift.io][Timeout:60m] [Serial]"
Webhooks
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-55494] When using webhooks fails to rollout latest deploymentconfig [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-77919] HPA/oc scale and DeploymentConfig should be working with OPA webhooks [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-53230] Kubernetes validating admission webhook bypass [Serial][apigroup:admissionregistration.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50362] Verify cluster handles bad admission webhooks correctly [Serial][apigroup:config.openshift.io][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50223] Checks on different bad admission webhook errors and kube-apiserver status [Serial][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io][Timeout:15m] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50188] Prepare upgrade cluster under APF stress [Slow][Disruptive][apigroup:config.openshift.io][Timeout:40m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP] ClusterResourceQuota objects validation [apigroup:quota.openshift.io][apigroup:monitoring.coreos.com] [Suite:openshift/conformance/parallel]"
Summary by CodeRabbit
Summary by CodeRabbit