[release-4.20] OCPBUGS-76856: cert tests: mark TLS registry test as informing #1
Open
wangke19 wants to merge 53 commits into release-4.20 from
We block use of that API in OCP, so the test fails.
Add nil checks to recordTestResultInMonitor, recordTestResultInLog, and TestEnded functions to prevent segmentation faults when testRunResult is nil during error conditions like network connectivity issues.
…-4.20 OCPBUGS-46422: Skip ServiceCIDR in etcd_storage_path test (4.20)
Validates that KubeVirt VMs with preconfigured MAC and IP addresses maintain those addresses correctly before and after a vmi with duplicate IP/MAC request is made, and that the vmi with the duplicate address gets the appropriate address conflict error event. Co-authored-by: Miguel Duarte Barroso <mdbarroso@redhat.com> Signed-off-by: Ram Lavi <ralavi@redhat.com> (cherry picked from commit 6dd2a93)
The requested IPs for the primary UDN attachment are not in the VMI spec, but in an annotation in the VMI. Hence, we need to fetch that particular annotation, and set it in the duplicate VMI. This was implemented using the builder pattern, since I suspect in the future we will need to further customize the VMI spec / metadata; this will make it simpler to extend the framework in the future. Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com> (cherry picked from commit 13fdf10)
This way we can ensure appropriate cases are caught in a generic way. With it, we can safely expect to find IP conflicts when there are duplicate IPs in the network. In future commits, we will be able to catch MAC conflicts when there are duplicate MACs in the network Co-authored-by: Ram Lavi <ralavi@redhat.com> Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com> (cherry picked from commit fdb0584)
Use GetIPAddressFamily and utilnet IP string helpers to filter preconfigured IPs to only include addresses supported by the cluster under test. Signed-off-by: Patryk Diak <pdiak@redhat.com>
…erry-pick-30224-to-release-4.20 [release-4.20] OCPBUGS-62841: fix(test): prevent nil pointer dereference in ginkgo test runner
…release-4.20-n [release-4.20] OCPBUGS-63513:Migrate OCP-32383 to upstream
…lease-4.20 [release-4.20] OCPBUGS-63171: Add imagestream update dryrun test
…est on ARO and Baremetal Hypershift
…erType enum

Replaced three boolean flags (isHypershift, isAROHCPCluster, isBareMetalHypershift) with a single HostedClusterType enum field for better code maintainability and extensibility. Also added a comment explaining why ARO HCP uses port 7443.

Changes:
- Introduced HostedClusterType enum with values: Standalone, AROHCP, BareMetal, Other
- Replaced three boolean fields with single hostedClusterType field
- Updated all conditional logic to use the enum pattern
- Added comment for ARO HCP port 7443 usage
- Improved semantic clarity by aligning with HyperShift terminology

This refactoring makes it easier to add new hosted cluster types in the future and prevents contradictory states from occurring.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…erry-pick-30307-to-release-4.20 [release-4.20] OCPBUGS-63725: CNTRLPLANE-1766:fix(disruption): Using correct internal LB of apiserver for monitor test on ARO and Baremetal Hypershift
…erry-pick-30338-to-release-4.20 OCPBUGS-64593: [release-4.20] NO-JIRA: Filter preconfiguredIPs based on cluster IP family support
…erry-pick-30390-to-release-4.20 [release-4.20] OCPBUGS-64598: Updated the upgrade duration limit to 100 minutes for ppc64le
This adds comprehensive e2e tests to verify that storage-related operators and controllers have the required network policy labels and that NetworkPolicy resources exist with correct pod selectors.

Changes:
- Add namespace constants to helpers.go for reuse across storage tests
- Add storage_networkpolicy.go with tests for CSO and CSI operators
- Verify required network policy labels on deployments
- Validate NetworkPolicy resources in storage namespaces
- Skip these tests on MicroShift clusters where they are not applicable
- Temporarily disabled ManilaCSINamespace check due to OCPBUGS-61175
…erry-pick-29912-to-release-4.20 [release-4.20] OCPBUGS-63656: Redact bearertoken in TestContext
OCPBUGS-46422: Add test that the ServiceCIDR API is blocked [4.20]
…cy-e2e-4.20 OCPBUGS-64777: [release-4.20] Add e2e tests for storage network policy
If the virtctl download/unpack fails in the middle, downloadFile can leave a corrupted file behind; this change ensures the file is removed if the function does not finish correctly. Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Verify KubeVirt VMs with preconfigured MAC address retain a requested MAC address before and after another VM is created requesting the same MAC address. And verify the other VM requesting the same MAC address gets the appropriate address conflict error event. Signed-off-by: Or Mergi <ormergi@redhat.com> (cherry picked from commit 0c58f2a)
Signed-off-by: Ankita Thomas <ankithom@redhat.com>
…ase-4.20-test OCPNODE-3912: Add a test for NodeSizing default change to OCP 4.20
…-ngopalak/release-4.20-test [release-4.20] OCPBUGS-66979: Revert "OCPNODE-3912: Add a test for NodeSizing default change to OCP 4.20"
…erry-pick-30564-to-release-4.20 [release-4.20] OCPBUGS-66365: update watch request limits for marketplace-operator
…0-4.20 [release-4.20] OCPBUGS-66963: Fix MachineConfigNode test in two-node fencing clusters
…tection-e2e [release-4.20] OCPBUGS-64836: back-port IP & MAC conflict detection e2e tests
…erry-pick-30485-to-release-4.20 OCPBUGS-66072: [release-4.20] net(virt) remove virtctl if not correctly retrieved
…yloadImage Signed-off-by: Paul Bastide <pbastide@redhat.com>
…erry-pick-30610-to-release-4.20 [release-4.20] OCPBUGS-69686: BeforeEach was indirectly called in DetermineReleasePayloadImage
We know [0][1] "[sig-network] Netpol" tests from k8s are heavy and they can have negative side effects. Reducing them to only run two at a time to alleviate the side effects. [0] https://issues.redhat.com/browse/OCPBUGS-57665 [1] https://github.com/openshift/origin/pull/26775/changes#diff-998be43366fe821c61ca242aa34949870c9c6df2572cc060000e4cd990a72bebL58-L62 Signed-off-by: Jamo Luhrsen <jluhrsen@gmail.com>
…)" This reverts commit 10dab7a.
This commit refactors TestTLSDefaults to use the same port-forwarding approach as TestTLSMinimumVersions, which fixes DNS resolution failures when running in CI as a pod.

Problem: When the test runs as a pod in the cluster, it attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). However, the pod's internal DNS cannot resolve this external hostname, resulting in:

  dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host

Solution: Use forwardPortAndExecute() to create a port-forward tunnel to the apiserver service in openshift-kube-apiserver namespace, then test against localhost:<forwarded-port>.

This approach:
- Works both in-cluster (CI) and externally (with kubeconfig)
- Eliminates DNS resolution issues entirely
- Is consistent with TestTLSMinimumVersions pattern
- Includes built-in retry logic (3 attempts)
- Simplifies the code by removing URL parsing and env var detection

Changes:
- Removed net/url and os imports (no longer needed)
- Wrapped TLS version and cipher tests in forwardPortAndExecute callback
- Changed error reporting from t.Errorf() to returning errors for retry support
- Tests now connect to localhost via port-forward tunnel

Remove the IPv4-only restriction from TLS tests to support IPv6 clusters. The tests use port-forwarding to localhost, which works for both IPv4 and IPv6 environments since localhost resolves appropriately in both cases.

Changes:
- Removed IPv4-only check in BeforeEach that skipped tests on IPv6 clusters
- Removed unused networking import

This allows the TLS configuration tests to run on:
- IPv4-only clusters
- IPv6-only clusters
- Dual-stack (IPv4+IPv6) clusters

Update the comment explaining why cipher suite tests are constrained to TLS 1.2 to be more technically accurate. The previous comment suggested this was about "Go 1.23+ behavior", but the real issue is fundamental to how TLS 1.3 works:
- The intermediate profile allows both TLS 1.2 and TLS 1.3
- Clients negotiate TLS 1.3 when MaxVersion is unspecified and server supports it
- TLS 1.3 spec predefines cipher suites and doesn't support configuration
- Therefore, specifying any cipher suite has no effect with TLS 1.3
- Forcing TLS 1.2 allows actual testing of cipher suite restrictions

This makes the reasoning clearer for future maintainers.
The file test/extended/util/compat_otp/testdata/opm/render/validate/catalog-error/operator-2/index.json is an intentionally malformed JSON file used to test error handling in the catalog validation code. It contains multiple JSON objects without being wrapped in an array, which is the expected error case. Add this file to the excluded_files list in verify-jsonformat.sh to prevent it from failing JSON validation checks during CI.
Run hack/update-generated.sh to regenerate test annotations after adding the new TestTLSMinimumVersions test. This adds the test to the annotations map so it can be properly tagged with [Suite:openshift/conformance/parallel].
…erry-pick-30618-to-release-4.20 [release-4.20] OCPBUGS-72412, OCPBUGS-72413: only run Netpol two at a time
…-release-4.20 [release-4.20] OCPBUGS-72395: Unrevert TLS tests with fixes
Add ote.Informing() to both certificate tests so that failures are recorded but don't block CI jobs:
- all tls artifacts must be registered
- all registered tls artifacts must have no metadata violation regressions

This allows the tests to continue gathering data without blocking development while certificates are being properly registered and metadata is being fixed.
Add IsRosaCluster() function to test/extended/util/framework.go and use it to skip TLS certificate tests on ROSA clusters, similar to how we skip for MicroShift and Hypershift. ROSA clusters do not auto-collect TLS certificates the same way as standard OpenShift clusters.
3d0d83c to b5159c9
This is a backport of openshift#30779 to release-4.20.
Summary
This PR backports changes to mark TLS certificate tests as informing and skip them on ROSA clusters.
Changes
Related
Test Plan
The changes have been cherry-picked from the tested commits in openshift#30779.
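
The commit message in this PR about constraining cipher suite tests to TLS 1.2 can be reproduced offline. The Go program below is an added example, not code from this PR or from openshift/origin; the `probe` helper and the two chosen suites are assumptions for illustration, and the server is a constructed local httptest instance using its built-in test certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe (hypothetical helper) starts a local TLS server whose TLS 1.2 cipher
// list contains only serverSuite, then dials it offering only clientSuite and
// capped at maxVersion (0 = Go default, which includes TLS 1.3).
// It returns the negotiated protocol version.
func probe(serverSuite, clientSuite, maxVersion uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{serverSuite}, // only consulted for TLS 1.2
	}
	srv.StartTLS()
	defer srv.Close()

	// Trust the test certificate explicitly instead of skipping verification.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:      pool,
		CipherSuites: []uint16{clientSuite},
		MaxVersion:   maxVersion,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	allowed := tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	other := tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	// The client offers a suite the server does not allow. Uncapped, the
	// handshake still succeeds over TLS 1.3; capped at TLS 1.2 it is rejected.
	for _, max := range []uint16{0, tls.VersionTLS12} {
		v, err := probe(allowed, other, max)
		fmt.Printf("client MaxVersion=%#x negotiated=%#x err=%v\n", max, v, err)
	}
}
```

A cipher-restriction test that leaves the client's MaxVersion unset passes against any TLS 1.3 capable server, so it proves nothing about the configured suite list.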