Skip to content

CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks#31382

Open
YamunadeviShanmugam wants to merge 4 commits into
openshift:mainfrom
YamunadeviShanmugam:migrate_otp_feature_gates
Open

CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks#31382
YamunadeviShanmugam wants to merge 4 commits into
openshift:mainfrom
YamunadeviShanmugam:migrate_otp_feature_gates

Conversation

@YamunadeviShanmugam

@YamunadeviShanmugam YamunadeviShanmugam commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

PR_Results_FeatureGates_Webhooks_Pullsecret.txt
Adds apiserver test cases migrated to the OTE

Feature Gate tests (featuregate.go):

  • OCP-66921 — Verifies rejected/removed feature sets
  • OCP-74460 — Verifies NoUpgrade feature sets are immutable once set
  • OCP-80286 — Handle undecryptable resources: corrupts a secret in etcd, enables AllowUnsafeMalformedObjectDeletion gate, verifies kube-apiserver detects corruption, deletes via feature gate or direct etcd cleanup, confirms recovery
  • OCP-80554 — CBOR workflow: enables CBOR feature gates, verifies GET/POST/DELETE of resources using application/cbor content type

Pull Secret tests (pull_secrets.go):

  • OCP-24377 — Validates global pull secret functionality
  • OCP-12036 — Wrong credentials fail build
  • OCP-11138 — Incorrectly formed pull secrets fail deploy
  • OCP-70369 — Bound service account tokens for pull secrets

Webhook tests (webhooks.go):

  • OCP-55494 —Webhook fails to rollout latest DC
  • OCP-77919 —HPA/oc scale works with OPA webhooks
  • OCP-53230 —Kubernetes validating admission webhookbypass
  • OCP-50362 —Cluster handles bad admission webhooks correctly
  • OCP-28030 — Validates admission webhooks with unreachable services
  • OCP-50188 — APF stress test: runs kube-burner CPU stress workload for 20 minutes while monitoring cluster health, webhook behavior, and resource utilization
  • OCP-47198 — ClusterResourceQuota enforcement across namespaces

helpers.go — Shared helpers
kube-burner configs — Pod template and job config for CPU stress testing with PodSecurity privileged namespace labels

Testing
Pull secret
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-12036] User can pull a private image from a registry when a pull secret is defined [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11905] Use well-formed pull secret with incorrect credentials will fail to build and deploy [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11138] Deploy will fail with incorrectly formed pull secrets [apigroup:build.openshift.io][apigroup:apps.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-70369] Use bound service account tokens when generating pull secrets [apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"

Feature Gates
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-1] should reject removed LatencySensitive featureset [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-2][OCP-74460] NoUpgrade featuresets are immutable once set [Slow][Disruptive][apigroup:config.openshift.io][Timeout:30m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80286] Handle undecryptable resources [Slow][Disruptive][apigroup:config.openshift.io][apigroup:operator.openshift.io][Timeout:90m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80554] Verify the CBOR workflow [Slow][Disruptive][apigroup:config.openshift.io][Timeout:60m] [Serial]"

Webhooks
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-55494] When using webhooks fails to rollout latest deploymentconfig [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-77919] HPA/oc scale and DeploymentConfig should be working with OPA webhooks [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-53230] Kubernetes validating admission webhook bypass [Serial][apigroup:admissionregistration.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50362] Verify cluster handles bad admission webhooks correctly [Serial][apigroup:config.openshift.io][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50223] Checks on different bad admission webhook errors and kube-apiserver status [Serial][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io][Timeout:15m] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50188] Prepare upgrade cluster under APF stress [Slow][Disruptive][apigroup:config.openshift.io][Timeout:40m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP] ClusterResourceQuota objects validation [apigroup:quota.openshift.io][apigroup:monitoring.coreos.com] [Suite:openshift/conformance/parallel]"

Summary by CodeRabbit

Summary by CodeRabbit

  • Tests
    • Expanded extended apiserver E2E coverage for API server feature gates (including NoUpgrade immutability, recovery from corrupted objects, and CBOR workflows).
    • Added new pull-secret E2E scenarios (valid pulls, invalid/malformed secret handling, and service-account token–based reconciliation checks).
    • Added admission webhook and upgrade/operator robustness scenarios (policy enforcement, validating webhook behavior, and error recovery).
    • Introduced additional apiserver E2E utilities and kube-burner CPU stress + quota validation test assets.

Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci
openshift-ci Bot requested review from p0lyn0mial and rexagod July 14, 2026 04:43
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds extensive OpenShift API server extended tests covering feature gates, CBOR operations, image pull secrets, admission webhooks, operator recovery, ClusterResourceQuota enforcement, APF stress, authentication, audit, encryption, and certificate validation, supported by shared helpers and embedded kube-burner fixtures.

Changes

API server extended test coverage

Layer / File(s) Summary
Shared API server test infrastructure
test/extended/apiserver/helpers.go, test/extended/testdata/apiserver/*, test/extended/testdata/bindata.go
Adds shared command, polling, endpoint, operator, webhook, quota, health, load, kube-burner, and embedded fixture helpers.
Feature-gate and CBOR workflows
go.mod, test/extended/apiserver/featuregate.go
Adds feature-set validation, NoUpgrade immutability, malformed-object deletion, and CBOR pod lifecycle tests; declares CBOR as a direct dependency.
Image pull-secret behavior
test/extended/apiserver/pull_secrets.go
Tests valid, invalid, missing, mismatched, and bound-service-account image pull-secret behavior.
Webhook and operator validation
test/extended/apiserver/webhooks.go
Adds OPA admission tests, validating-webhook denial checks, malformed webhook upgrade scenarios, and operator condition recovery checks.
Stress and quota validation
test/extended/apiserver/webhooks.go
Adds APF stress verification and ClusterResourceQuota tests covering resource limits, operator health, logs, and node load.
Authentication and API server utilities
test/extended/apiserverauth/apiserver_util.go
Adds encryption, audit, health, workload, RapidAST, certificate, authentication, and cluster-operability utilities.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ExtendedTest
  participant OPAWebhook
  participant KubeAPIServer
  participant Resource
  ExtendedTest->>OPAWebhook: configure policy and TLS
  ExtendedTest->>KubeAPIServer: submit resource operation
  KubeAPIServer->>OPAWebhook: admission review
  OPAWebhook-->>KubeAPIServer: allow or deny
  KubeAPIServer->>Resource: apply accepted operation
  ExtendedTest->>KubeAPIServer: verify operator conditions and resource state
Loading

Suggested reviewers: p0lyn0mial, rexagod


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 4 warnings)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error Several new helpers log raw command output and endpoint URLs (e.g. ExecCommandOnPod, checkURLEndpointAccess, audit logs), which can expose hostnames or secrets. Redact or remove raw pod/audit output and URL logging; emit only sanitized summaries, resource names, or error codes.
Test Structure And Quality ⚠️ Warning Several tests leave cluster-scoped changes behind (featuregate/cluster and cluster-admin bindings), and the CBOR curl calls have no explicit timeout. Add AfterEach/defer cleanup for cluster-scoped RBAC/featuregate changes and give the CBOR curl/cluster interactions explicit request timeouts or contexts.
Microshift Test Compatibility ⚠️ Warning OCP-50223 has no MicroShift guard/tag, but it uses kube-apiserver ClusterOperator status and oc.SetupProject()/project resources, both unsupported on MicroShift. Add [apigroup:config.openshift.io] (or an IsMicroShiftCluster() skip) to OCP-50223, or remove the ClusterOperator/project usage so it won’t run on MicroShift.
Topology-Aware Scheduling Compatibility ⚠️ Warning LoadCPUMemWorkload hard-codes a master nodeSelector/toleration without topology checks, so it breaks on External/HyperShift clusters. Gate clusterbuster on control-plane topology or remove the master selector; skip External clusters and use topology-aware scheduling before launching load.
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning FAIL: new pull-secret tests fetch from quay.io/github.com, and added helpers build host:port URLs via fmt.Sprintf; webhooks also hardcode 127.0.0.1 in cert SAN. Use mirrored/internal images or [Skipped:Disconnected], build URLs with net.JoinHostPort, and make localhost/SAN handling IPv6-aware (including ::1 when needed).
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: migrating OTE tests for pull secrets, feature gates, and webhooks.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All added Ginkgo Describe/It titles are static strings; no titles interpolate pod/node/namespace names, timestamps, UUIDs, or other runtime values.
Single Node Openshift (Sno) Test Compatibility ✅ Passed New tests use standard APIs and workloads; the only node-aware test patches one master node and checks worker/master load without requiring distinct nodes.
Ote Binary Stdout Contract ✅ Passed No stdout writes appear in process-level code; the only Println found is inside a helper function, not main/init/suite setup.
No-Weak-Crypto ✅ Passed The diff only uses standard tls/x509 handling; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret/token comparisons were found.
Container-Privileges ✅ Passed The added kube-burner pod/job manifests contain no privileged, host*, SYS_ADMIN, or allowPrivilegeEscalation settings; other privileged strings are in helpers or preexisting generated assets.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 15

🧹 Nitpick comments (6)
test/extended/prometheus/upgrade.go (1)

118-123: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Simplify substring counting and avoid searching YAML metadata.

Using a regular expression to match a static string is inefficient, and printing the resulting slice of identical strings (e.g., [failed failed]) is not helpful for debugging. Furthermore, searching the full -o yaml output risks matching the word failed in annotations, labels, or other metadata, leading to false positives.

Consider outputting only the .data payload and using strings.Count for a simpler, clearer, and more robust check. As per coding guidelines, favor clarity and maintainability over cleverness.

♻️ Proposed refactor for clarity and accuracy
-		result, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("cm/log", "-n", "ocp-34223-proj", "-o", "yaml").Output()
+		result, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("cm/log", "-n", "ocp-34223-proj", "-o", "jsonpath={.data}").Output()
 		o.Expect(err).NotTo(o.HaveOccurred())
-		failures := regexp.MustCompile(`failed`).FindAllString(result, -1)
-		if len(failures) > 1 {
-			e2e.Failf("upgrade disruption detected in monitor log: %v", failures)
+		failuresCount := strings.Count(result, "failed")
+		if failuresCount > 1 {
+			e2e.Failf("upgrade disruption detected in monitor log: found 'failed' %d times", failuresCount)
 		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/prometheus/upgrade.go` around lines 118 - 123, Update the
Prometheus upgrade check around the oc.AsAdmin().WithoutNamespace().Run call to
request only the ConfigMap’s .data payload instead of full YAML, then replace
the regexp-based failure search with strings.Count. Preserve the existing
threshold of more than one occurrence, and report the count in e2e.Failf rather
than a slice of repeated matches.

Source: Coding guidelines

test/extended/apiserver/helpers.go (2)

271-271: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Use net.JoinHostPort instead of fmt.Sprintf for host:port.

Raw %s:%s breaks for IPv6 hostnames (missing bracket notation); net.JoinHostPort handles this correctly.

-targetURL := fmt.Sprintf("https://%s:%s/healthz", fqdnName, port)
+targetURL := fmt.Sprintf("https://%s/healthz", net.JoinHostPort(fqdnName, port))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/apiserver/helpers.go` at line 271, Update the targetURL
construction to use net.JoinHostPort with fqdnName and port, preserving the
/healthz suffix so host:port formatting remains correct for IPv4, hostnames, and
IPv6 addresses.

Source: Linters/SAST tools


264-269: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set an explicit MinVersion on the TLS client config.

Go's client-side default minimum is currently TLS 1.2, but pinning it explicitly (ideally TLS 1.3) documents intent and protects against future default changes.

 TLSClientConfig: &tls.Config{
     RootCAs: caCertPool,
+    MinVersion: tls.VersionTLS13,
 },
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/apiserver/helpers.go` around lines 264 - 269, Update the TLS
client configuration in the HTTP transport to set an explicit MinVersion,
preferably tls.VersionTLS13, while preserving the existing RootCAs
configuration.

Source: Linters/SAST tools

test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml (1)

8-21: 🔒 Security & Privacy | 🔵 Trivial

No explicit securityContext on the stress container.

Checkov flags missing allowPrivilegeEscalation: false and root-container admission. In practice this is mitigated since loadCPUMemWorkload (helpers.go) explicitly labels the target namespace pod-security.kubernetes.io/enforce=privileged before applying this template, so it's not a functional blocker — but adding an explicit securityContext would still be good defense-in-depth per the path instructions for Kubernetes manifests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml` around lines
8 - 21, Add an explicit securityContext to the stress container in
kube-burner-cpu-stress-pod.yml, setting allowPrivilegeEscalation to false and
configuring the container to run as a non-root user where compatible with the
stress image. Keep the existing command, resources, and restart policy
unchanged.

Sources: Path instructions, Linters/SAST tools

test/extended/apiserver/webhooks.go (2)

146-240: 📐 Maintainability & Code Quality | 🔵 Trivial

Duplicated namespace/DC-creation/rollout-wait flow between OCP-55494 and OCP-77919.

Both g.It blocks repeat the same "create test-ns, label it, create mydc, wait for rollout" sequence almost verbatim (159-178 vs 213-232). Could be extracted into a shared helper to reduce duplication, though this is purely a maintainability nit for test code.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/apiserver/webhooks.go` around lines 146 - 240, Extract the
duplicated namespace creation, labeling, DeploymentConfig creation, and initial
rollout-wait sequence from the OCP-55494 and OCP-77919 g.It blocks into a shared
helper. Replace both inline flows with calls to that helper, preserving their
existing namespace names, assertions, polling behavior, and error messages.

66-98: 🔒 Security & Privacy | 🔵 Trivial

Avoid bash -c shell wrapper for exec.Command.

Static analysis (OpenGrep/ast-grep) flags every exec.Command("bash", "-c", <dynamic string>) call in this file as a command-injection risk. None of the interpolated values here are attacker-controlled (they're tmpdir paths built from os.TempDir()+compat_otp.GetRandomString(), or fixed constants like dirname/exceptions), so this isn't currently exploitable, but it's a recurring anti-pattern the path instructions call out explicitly for command execution. Prefer invoking binaries directly (e.g. exec.Command("openssl", "genrsa", "-out", caKeypem, "2048")) instead of shelling out, which also sidesteps future risk if any of these values are ever derived from less-trusted input.

As per path instructions, **/*.{py,js,ts,go,rs,java,rb,php,kt,swift,cs}: "Command: no shell=True, os.system, or backtick exec with user input."

Also applies to: 120-122, 181-190, 535-536, 554-555

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/apiserver/webhooks.go` around lines 66 - 98, Replace the
dynamic bash -c invocations in the webhook certificate setup and the other
flagged command-execution sites with direct exec.Command calls, passing the
executable and each argument separately. Update the command loops and related
symbols such as serverconfCMD so no shell command strings are constructed or
interpreted, while preserving the existing OpenSSL and file-generation behavior.

Sources: Path instructions, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/apiserver/featuregate.go`:
- Around line 190-215: Extract the duplicated feature-gate restoration logic
from both deferred restore blocks into a shared restoreFeatureGateConfig helper,
placed with the existing helpers. Have it accept the CLI and original feature
settings, build and apply the same patch, and return any patch error; update
both tests to call it while preserving their existing warning and kube-apiserver
stabilization behavior.
- Around line 234-286: Extract the duplicated customNoUpgrade merge, patch, and
kube-apiserver rollout logic from the two tests into a shared enableFeatureGates
helper accepting oc and gatesToAdd and returning whether all requested gates
were already enabled plus an error. Update both call sites to use the helper,
preserving existing feature-set selection, no-change handling, rollout waits,
and health verification while differing only in the gate names passed.
- Around line 535-539: Update the deletion poll assigned to errDel so it
verifies that the pod get operation returns a NotFound/error condition, matching
the existing pollUntilDeleted pattern, instead of checking table output for the
quoted “Running” status. Keep polling while the pod exists and return success
only after test-pod-nginx has been deleted, preserving
compat_otp.AssertWaitPollNoErr for reporting failures.
- Around line 412-428: The kubeconfig extraction block should use
client-go/clientcmd parsing instead of grep/awk/base64 pipelines. Replace the
dead clusterName lookup and shell commands with loading the selected kubeconfig
context, retrieving its cluster CA and user client certificate/key data, and
writing those bytes directly to certCA, clientKey, and clientCert while
preserving the existing error assertions.

In `@test/extended/apiserver/helpers.go`:
- Around line 469-489: Update getServiceIP so the all-namespaces service
cluster-IP query runs once before the lastOctet loop; retain its error
assertion, then check the returned service IP list against each candidate in
memory while preserving the existing fallback when no address is available.
- Around line 273-297: Update the polling callback around client.Get to create
an HTTP request using the provided ctx and execute it through the existing
client, ensuring each attempt is canceled when the poll context expires.
Configure an appropriate client-level timeout as an additional bound, while
preserving the existing retry and certificate-processing behavior.
- Around line 599-611: Update checkResources to count output rows rather than
whitespace-separated fields: after trimming each successful resource output,
count its lines and store that value in counts[resource]. Preserve the existing
handling for command errors and empty output.
- Around line 566-597: Update checkClusterLoad so memory parsing uses the second
percentage on each node line rather than the first CPU percentage; ensure
memTotal reflects MEMORY% while CPU parsing remains unchanged. Use the existing
cpuMatches and memMatches flow, or otherwise parse the output columns
explicitly.
- Around line 613-675: Update loadCPUMemWorkload to launch kube-burner with
exec.CommandContext and a bounded timeout, creating and cancelling the context
around the child process execution. Preserve the existing arguments,
CombinedOutput handling, and skip message while ensuring a stuck process is
terminated after the timeout.

In `@test/extended/apiserver/webhooks.go`:
- Around line 108-110: Update setupOPAWebhook and the corresponding second g.It
block to revoke the privileged SCC grant during deferred cleanup. Add cleanup
that removes the system:serviceaccount:opa:default subject from the privileged
SCC binding using the matching oc adm policy command, while preserving the
existing namespace and opa-viewer cleanup.
- Around line 520-543: Ensure the APF stress scenario does not continue when the
pre-check in checkClusterLoad prevents loadCPUMemWorkload from starting. Track
whether the stress workload was launched, then fail fast or skip before the
verification poll when it was not started; retain the existing cleanup defer
only for a started workload and keep the normal pod-completion and health checks
for the active workload path.
- Around line 601-652: The quota-boundary checks currently reuse the initial
pods and resource usage snapshot despite creating a ServiceMonitor beforehand.
Re-query the cluster resource quota status immediately before the ServiceMonitor
and pod boundary loops, refresh the relevant usage values (including pods and
ServiceMonitors), and use those refreshed counts to determine expected successes
and quota-exceeded cases.

In `@test/extended/prometheus/upgrade.go`:
- Around line 114-116: Update the ConfigMap existence check around cmExistsCmd
and err so the test skips only when the command reports a resource-not-found
condition, including the expected “NotFound” response for a specific cm/log
query. Do not skip for arbitrary command execution errors; propagate or fail
those errors through the existing test error-handling path.
- Line 111: Handle the error returned by Execute() in the deferred namespace
cleanup for ocp-34223-proj. Update the defer logic around
AsAdmin().WithoutNamespace().Run("delete") so cleanup failures are explicitly
checked and reported, without silently discarding the error.

In `@test/extended/testdata/apiserver/kube-burner-cpu-stress.yml`:
- Around line 11-13: Regenerate the embedded assets represented by
test/extended/testdata/bindata.go from the corrected
test/extended/testdata/apiserver/kube-burner-cpu-stress.yml, using the
repository’s standard generation command such as make update. Ensure
_testExtendedTestdataApiserverKubeBurnerCpuStressYml matches podWait: true and
cleanup: false; both listed sites require synchronization, with no manual
divergence between the source fixture and compiled asset.

---

Nitpick comments:
In `@test/extended/apiserver/helpers.go`:
- Line 271: Update the targetURL construction to use net.JoinHostPort with
fqdnName and port, preserving the /healthz suffix so host:port formatting
remains correct for IPv4, hostnames, and IPv6 addresses.
- Around line 264-269: Update the TLS client configuration in the HTTP transport
to set an explicit MinVersion, preferably tls.VersionTLS13, while preserving the
existing RootCAs configuration.

In `@test/extended/apiserver/webhooks.go`:
- Around line 146-240: Extract the duplicated namespace creation, labeling,
DeploymentConfig creation, and initial rollout-wait sequence from the OCP-55494
and OCP-77919 g.It blocks into a shared helper. Replace both inline flows with
calls to that helper, preserving their existing namespace names, assertions,
polling behavior, and error messages.
- Around line 66-98: Replace the dynamic bash -c invocations in the webhook
certificate setup and the other flagged command-execution sites with direct
exec.Command calls, passing the executable and each argument separately. Update
the command loops and related symbols such as serverconfCMD so no shell command
strings are constructed or interpreted, while preserving the existing OpenSSL
and file-generation behavior.

In `@test/extended/prometheus/upgrade.go`:
- Around line 118-123: Update the Prometheus upgrade check around the
oc.AsAdmin().WithoutNamespace().Run call to request only the ConfigMap’s .data
payload instead of full YAML, then replace the regexp-based failure search with
strings.Count. Preserve the existing threshold of more than one occurrence, and
report the count in e2e.Failf rather than a slice of repeated matches.

In `@test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml`:
- Around line 8-21: Add an explicit securityContext to the stress container in
kube-burner-cpu-stress-pod.yml, setting allowPrivilegeEscalation to false and
configuring the container to run as a non-root user where compatible with the
stress image. Keep the existing command, resources, and restart policy
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9832f67a-fdf7-45b3-afb3-bb006aa05ecc

📥 Commits

Reviewing files that changed from the base of the PR and between 0f64c49 and 6722b7e.

📒 Files selected for processing (9)
  • go.mod
  • test/extended/apiserver/featuregate.go
  • test/extended/apiserver/helpers.go
  • test/extended/apiserver/pull_secrets.go
  • test/extended/apiserver/webhooks.go
  • test/extended/prometheus/upgrade.go
  • test/extended/testdata/apiserver/kube-burner-cpu-stress-pod.yml
  • test/extended/testdata/apiserver/kube-burner-cpu-stress.yml
  • test/extended/testdata/bindata.go

Comment thread test/extended/apiserver/featuregate.go
Comment thread test/extended/apiserver/featuregate.go Outdated
Comment thread test/extended/apiserver/featuregate.go Outdated
Comment thread test/extended/apiserver/featuregate.go
Comment thread test/extended/apiserver/helpers.go
Comment thread test/extended/apiserver/webhooks.go
Comment thread test/extended/apiserver/webhooks.go
Comment thread test/extended/prometheus/upgrade.go Outdated
Comment thread test/extended/prometheus/upgrade.go Outdated
Comment thread test/extended/testdata/apiserver/kube-burner-cpu-stress.yml
@YamunadeviShanmugam
YamunadeviShanmugam force-pushed the migrate_otp_feature_gates branch from 2b72d09 to ab3de70 Compare July 14, 2026 05:45
@YamunadeviShanmugam

YamunadeviShanmugam commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

/retitle CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks

@openshift-ci openshift-ci Bot changed the title Migrate OTE for Pull Secrets, Feature Gates and Webhooks CNTRLPLANE-2157: Migrate OTE for Pull Secrets, Feature Gates and Webhooks Jul 14, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 14, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 14, 2026

Copy link
Copy Markdown

@YamunadeviShanmugam: This pull request references CNTRLPLANE-2157 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Adds apiserver test cases migrated to the OTE

Feature Gate tests (featuregate.go):

  • OCP-66921 — Verifies rejected/removed feature sets
  • OCP-74460 — Verifies NoUpgrade feature sets are immutable once set
  • OCP-80286 — Handle undecryptable resources: corrupts a secret in etcd, enables AllowUnsafeMalformedObjectDeletion gate, verifies kube-apiserver detects corruption, deletes via feature gate or direct etcd cleanup, confirms recovery
  • OCP-80554 — CBOR workflow: enables CBOR feature gates, verifies GET/POST/DELETE of resources using application/cbor content type

Pull Secret tests (pull_secrets.go):

  • OCP-24377 — Validates global pull secret functionality
  • OCP-12036 — Wrong credentials fail build
  • OCP-11138 — Incorrectly formed pull secrets fail deploy
  • OCP-70369 — Bound service account tokens for pull secrets

Webhook tests (webhooks.go):

  • OCP-55494 —Webhook fails to rollout latest DC
  • OCP-77919 —HPA/oc scale works with OPA webhooks
  • OCP-53230 —Kubernetes validating admission webhookbypass
  • OCP-50362 —Cluster handles bad admission webhooks correctly
  • OCP-28030 — Validates admission webhooks with unreachable services
  • OCP-50188 — APF stress test: runs kube-burner CPU stress workload for 20 minutes while monitoring cluster health, webhook behavior, and resource utilization
  • OCP-47198 — ClusterResourceQuota enforcement across namespaces

helpers.go — Shared helpers
kube-burner configs — Pod template and job config for CPU stress testing with PodSecurity privileged namespace labels

Testing
Pull secret
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-12036] User can pull a private image from a registry when a pull secret is defined [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11905] Use well-formed pull secret with incorrect credentials will fail to build and deploy [Serial][apigroup:build.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-11138] Deploy will fail with incorrectly formed pull secrets [apigroup:build.openshift.io][apigroup:apps.openshift.io][apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:PullSecret] [OTP][OCP-70369] Use bound service account tokens when generating pull secrets [apigroup:image.openshift.io] [Suite:openshift/conformance/parallel]"

Feature Gates
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-1] should reject removed LatencySensitive featureset [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-66921-2][OCP-74460] NoUpgrade featuresets are immutable once set [Slow][Disruptive][apigroup:config.openshift.io][Timeout:30m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80286] Handle undecryptable resources [Slow][Disruptive][apigroup:config.openshift.io][apigroup:operator.openshift.io][Timeout:90m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:FeatureGate] [OTP][OCP-80554] Verify the CBOR workflow [Slow][Disruptive][apigroup:config.openshift.io][Timeout:60m] [Serial]"

Webhooks
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-55494] When using webhooks fails to rollout latest deploymentconfig [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-77919] HPA/oc scale and DeploymentConfig should be working with OPA webhooks [Disruptive][apigroup:apps.openshift.io] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:Webhooks] [OTP][OCP-53230] Kubernetes validating admission webhook bypass [Serial][apigroup:admissionregistration.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50362] Verify cluster handles bad admission webhooks correctly [Serial][apigroup:config.openshift.io][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50223] Checks on different bad admission webhook errors and kube-apiserver status [Serial][apigroup:admissionregistration.k8s.io][apigroup:apiextensions.k8s.io][Timeout:15m] [Suite:openshift/conformance/serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP][OCP-50188] Prepare upgrade cluster under APF stress [Slow][Disruptive][apigroup:config.openshift.io][Timeout:40m] [Serial]"
./openshift-tests run-test "[sig-api-machinery][Feature:APIServer][Feature:UpgradeWebhooks] [OTP] ClusterResourceQuota objects validation [apigroup:quota.openshift.io][apigroup:monitoring.coreos.com] [Suite:openshift/conformance/parallel]"

Summary by CodeRabbit

  • New Features

  • Added comprehensive API server end-to-end coverage for feature gates, CBOR requests, pull secrets, admission webhooks, upgrades, quotas, and corrupted resources.

  • Added validation for webhook admission behavior, image-pull failures, service account token reconciliation, and API server recovery.

  • Added CPU stress workload fixtures for performance and stability testing.

  • Tests

  • Added health checks, operator-state validation, workload monitoring, and cluster recovery assertions across new scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Comment thread test/extended/apiserver/featuregate.go Outdated
@YamunadeviShanmugam
YamunadeviShanmugam force-pushed the migrate_otp_feature_gates branch from ab3de70 to 2e67fa2 Compare July 17, 2026 06:36
Comment thread test/extended/apiserver/featuregate.go Outdated
e2e "k8s.io/kubernetes/test/e2e/framework"
)

var _ = g.Describe("[sig-api-machinery][Feature:APIServer][Feature:FeatureGate]", func() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove this [Feature:FeatureGate]"

Comment thread test/extended/apiserver/featuregate.go Outdated
Comment thread test/extended/apiserver/featuregate.go Outdated
@YamunadeviShanmugam
YamunadeviShanmugam force-pushed the migrate_otp_feature_gates branch 4 times, most recently from 0266077 to f610846 Compare July 17, 2026 09:20
@YamunadeviShanmugam

Copy link
Copy Markdown
Contributor Author

@coderabbitai: review

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

@YamunadeviShanmugam I’ll review the changes in #31382.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 17

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/apiserverauth/apiserver_util.go`:
- Around line 1312-1349: Update clientCurl’s TLS configuration to remove
InsecureSkipVerify and configure TLSClientConfig.RootCAs with the trusted
cluster CA pool, preserving bearer-token requests while enforcing server
certificate verification through the configured proxy.
- Around line 509-520: Update GetAlertsByName to use alertName when processing
the result from mon.GetAlerts, returning only the matching alert rather than all
alerts; preserve the existing error handling and return an appropriate empty
result when no alert matches.
- Around line 2035-2049: Update parseRapidastJsonReport to unmarshal jsonContent
into the expected RapiDAST report structure instead of counting risk codes with
regexes, and return parsing or validation errors to the caller. Require the
findings section to be present and valid before calculating riskHigh and
riskMedium, so missing or malformed reports fail closed rather than being
treated as clean scans.
- Around line 246-278: The stability delay inside waitCoBecomes must not bypass
the PollUntilContextTimeout deadline. Replace the blocking time.Sleep in the
True/False/False health branch with a context-aware timer that returns when cxt
is canceled or its duration elapses, preserving the final status recheck only
after the delay completes.
- Around line 2300-2313: The configuration flow around getSAToken must not
persist the privileged token in the caller’s file or a ConfigMap. Generate a
fresh per-attempt configuration from the original configFile by replacing
AUTH_TOKEN in memory, store it through a Secret or projected token mechanism,
and ensure retries obtain and use a newly generated token for the current
service account.
- Around line 2395-2421: The pod readiness result and pod-log retrieval error
are currently ignored, allowing unavailable scan reports to pass. In the
readiness polling flow, capture the error returned by
wait.PollUntilContextTimeout and fail the operation with diagnostics when it is
non-nil; then update the GetSpecificPodLogs handling to return false with the
underlying error instead of substituting placeholder logs. Ensure every Go error
return in this flow is handled.
- Around line 2470-2495: Update the endpoint-reporting logic around the
verification summary and the loops near the later report blocks to derive
coverage and status from the parsed report and testedEndpoints data. Require
each requested Kubernetes and OpenShift endpoint to be present in the report,
fail the test when any endpoint is missing, and remove unconditional “COVERED”,
“PASS”, or “WARN” output; print statuses only from actual findings and test
results.
- Around line 1217-1235: The kube-apiserver branch of verifyHypershiftCiphers
must stop interpolating the ConfigMap output into jq via bash -c. Parse the JSON
in out directly in Go, following the existing verifyCiphers approach, and derive
servingInfo.cipherSuites and servingInfo.minTLSVersion without invoking a shell
or reparsing cluster-controlled content.
- Around line 1488-1521: Update urlHealthCheck and the corresponding helper at
the second polling block so each HTTP operation creates an
http.NewRequestWithContext using the polling context and executes it with
client.Do instead of client.Get. Configure an appropriate client timeout, and
construct both HTTPS endpoints with net.JoinHostPort rather than string
formatting, preserving existing polling and response handling.
- Line 533: Update LoadCPUMemWorkload and both clusterbuster workload
invocations to honor workLoadtime instead of hard-coding 7200 seconds. Run
clusterbuster directly with a bounded context rather than through a shell
background command, retain control of the process, and ensure it is awaited or
stopped before the function returns so no load survives into later specs or
deferred cleanup.
- Around line 1086-1091: Update getNewUser to pass the command variable, which
contains “htpasswd”, to exec.LookPath instead of the literal string “command”;
preserve the existing missing-command failure handling.
- Around line 228-243: Update CheckIfResourceAvailable so the loop validates
every entry in resourceNames with the existing expectation, rather than
returning during the first iteration. Return the complete output and success
status only after all requested resource names have been checked.
- Around line 1679-1710: Replace the three error-message checks using
strings.ContainsAny in clusterSanityCheck with strings.Contains, preserving each
existing target message and diagnostic behavior. Update the checks for node
access, certificate verification, and project creation errors; do not alter
unrelated retry or logging logic.
- Around line 1827-1857: In createSecretsWithQuotaValidation, validate the
quota-rejection error specifically instead of treating any failure as success.
Replace the literal strings.Contains check with matching that recognizes the
expected “secrets.*forbidden: exceeded quota” pattern, and assert that this
match succeeds when the quota is reached so authentication, transport, or syntax
errors fail the test.
- Around line 97-111: In compareAPIServerWebhookConditions, avoid mutating the
conditionStatus parameter when handling a flow-collector webhook match. Create a
per-iteration or per-poll local expected-status value initialized from
conditionStatus, override only that local value to "True", and compare against
it so the original status remains unchanged for subsequent conditionTypes.
- Around line 136-166: Update the encryption-type validation in the function
containing the etcd encryption-prefix polling so unsupported or disabled values
return an error immediately instead of only logging and continuing. Preserve the
existing polling behavior for the supported aesabc and aesgcm values, and ensure
the returned error clearly identifies the invalid encryption type.
- Around line 170-185: Update GetEncryptionKeyNumber to return the command and
strconv.Atoi errors instead of logging them and returning a nil error. Compile
the patten regex with error handling rather than regexp.MustCompile, and
validate that FindAllStringIndex returns at least one match before indexing
locs; return an appropriate error for invalid patterns or no matches.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e7c511c0-8c66-4ba7-868e-ecb27a0a9c36

📥 Commits

Reviewing files that changed from the base of the PR and between 2e67fa2 and f610846.

📒 Files selected for processing (5)
  • test/extended/apiserver/featuregate.go
  • test/extended/apiserver/helpers.go
  • test/extended/apiserver/webhooks.go
  • test/extended/apiserverauth/apiserver_util.go
  • test/extended/testdata/bindata.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/extended/apiserver/webhooks.go
  • test/extended/apiserver/featuregate.go
  • test/extended/apiserver/helpers.go

Comment thread test/extended/apiserverauth/apiserver_util.go Outdated
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go Outdated
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
Comment thread test/extended/apiserverauth/apiserver_util.go
@YamunadeviShanmugam
YamunadeviShanmugam force-pushed the migrate_otp_feature_gates branch 2 times, most recently from 8f46c0b to 755ab8e Compare July 17, 2026 10:00
Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>
@YamunadeviShanmugam
YamunadeviShanmugam force-pushed the migrate_otp_feature_gates branch from 755ab8e to 05c0f5e Compare July 17, 2026 10:19
@YamunadeviShanmugam

Copy link
Copy Markdown
Contributor Author

@coderabbitai: Addressed the review comments, Skipped the Issues for valid reasons

  • CheckIfResourceAvailable - Current code is correct (uses o.Expect which fails immediately)
  • LoadCPUMemWorkload - Complex process management refactor needed
  • clientCurl TLS - Security-sensitive change requiring CA pool implementation
  • parseRapidastJsonReport - Requires RapiDAST schema knowledge
  • getSAToken persistence - Complex security refactor needed
  • endpoint-reporting logic - Complex flow requiring comprehensive testing

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@YamunadeviShanmugam Thanks for the detailed disposition.

  • CheckIfResourceAvailable: agreed—because o.Expect fails immediately, the flagged control-flow concern does not apply.
  • The remaining items involve broader process-management, TLS trust, security, schema, or reporting-flow work. Keeping those out of this migration PR is reasonable.

If you decide to track any of the deferred items separately, let me know and I can create focused follow-up GitHub issues.

This commit fixes two CI verification failures:

1. Add missing test data files that were referenced in tests but not
   committed to the repository:
   - application-template-stibuild.json
   - ocp-70369.yaml, ocp10873-dc.yaml, ocp10873-svc.json
   - ocp9853-limits.yaml, ocp9853-quota.yaml

2. Fix KUBECONFIG requirement in compat_otp package init() function.
   The init() was unconditionally requiring KUBECONFIG to be set,
   which caused `go run ./cmd/openshift-tests images` to fail during
   the verify-generated step. Now it skips the check when
   OPENSHIFT_SKIP_EXTERNAL_TESTS is set, allowing non-test commands
   to run without requiring KUBECONFIG.

Signed-off-by: Yamunadevi Shanmugam <yshanmug@redhat.com>

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the e2e-images-update Related to images used by e2e tests label Jul 17, 2026
@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: YamunadeviShanmugam
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@YamunadeviShanmugam: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 3a3474a link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

e2e-images-update Related to images used by e2e tests jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants