OCPBUGS-38499: Fix integration tests

[pawanpinjarkar]

• Use $AUTH_FILE for the valid pullSecret in CI.
• Update the pull secret in the expected install-config file when AUTH_FILE is set.
• Check if the image files contain the pull-secret.yaml file.
• Use $OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE to replace test data and pass it to the test script environment. - This is typically set in a CI job to reference the ephemeral payload release.
• Skip errors when the test does not require reading install-config.yaml.

[pawanpinjarkar]

/test

[pawanpinjarkar]

/test ?

[pawanpinjarkar]

/test integration-tests

[openshift-ci]

@pawanpinjarkar: The following commands are available to trigger required jobs:

• /test altinfra-images
• /test aro-unit
• /test e2e-agent-compact-ipv4
• /test e2e-aws-ovn
• /test e2e-aws-ovn-edge-zones-manifest-validation
• /test e2e-aws-ovn-upi
• /test e2e-azure-ovn
• /test e2e-azure-ovn-upi
• /test e2e-gcp-ovn
• /test e2e-gcp-ovn-upi
• /test e2e-metal-ipi-ovn-ipv6
• /test e2e-openstack-ovn
• /test e2e-vsphere-ovn
• /test e2e-vsphere-ovn-upi
• /test gofmt
• /test golint
• /test govet
• /test images
• /test integration-tests
• /test okd-images
• /test okd-unit
• /test okd-verify-codegen
• /test openstack-manifests
• /test shellcheck
• /test terraform-images
• /test terraform-verify-vendor
• /test tf-lint
• /test unit
• /test verify-codegen
• /test verify-vendor
• /test yaml-lint

The following commands are available to trigger optional jobs:

• /test altinfra-e2e-aws-custom-security-groups
• /test altinfra-e2e-aws-ovn
• /test altinfra-e2e-aws-ovn-fips
• /test altinfra-e2e-aws-ovn-imdsv2
• /test altinfra-e2e-aws-ovn-localzones
• /test altinfra-e2e-aws-ovn-proxy
• /test altinfra-e2e-aws-ovn-public-ipv4-pool
• /test altinfra-e2e-aws-ovn-shared-vpc
• /test altinfra-e2e-aws-ovn-shared-vpc-local-zones
• /test altinfra-e2e-aws-ovn-shared-vpc-wavelength-zones
• /test altinfra-e2e-aws-ovn-single-node
• /test altinfra-e2e-aws-ovn-wavelengthzones
• /test altinfra-e2e-azure-capi-ovn
• /test altinfra-e2e-azure-ovn-shared-vpc
• /test altinfra-e2e-gcp-capi-ovn
• /test altinfra-e2e-gcp-ovn-byo-network-capi
• /test altinfra-e2e-gcp-ovn-secureboot-capi
• /test altinfra-e2e-gcp-ovn-xpn-capi
• /test altinfra-e2e-ibmcloud-capi-ovn
• /test altinfra-e2e-nutanix-capi-ovn
• /test altinfra-e2e-openstack-capi-ccpmso
• /test altinfra-e2e-openstack-capi-ccpmso-zone
• /test altinfra-e2e-openstack-capi-dualstack
• /test altinfra-e2e-openstack-capi-dualstack-upi
• /test altinfra-e2e-openstack-capi-dualstack-v6primary
• /test altinfra-e2e-openstack-capi-externallb
• /test altinfra-e2e-openstack-capi-nfv-intel
• /test altinfra-e2e-openstack-capi-ovn
• /test altinfra-e2e-openstack-capi-proxy
• /test altinfra-e2e-powervs-capi-ovn
• /test altinfra-e2e-vsphere-capi-multi-vcenter-ovn
• /test altinfra-e2e-vsphere-capi-ovn
• /test altinfra-e2e-vsphere-capi-static-ovn
• /test altinfra-e2e-vsphere-capi-zones
• /test azure-ovn-marketplace-images
• /test e2e-agent-compact-ipv4-appliance-diskimage
• /test e2e-agent-compact-ipv4-none-platform
• /test e2e-agent-ha-dualstack
• /test e2e-agent-sno-ipv4-pxe
• /test e2e-agent-sno-ipv6
• /test e2e-aws-overlay-mtu-ovn-1200
• /test e2e-aws-ovn-custom-iam-profile
• /test e2e-aws-ovn-edge-zones
• /test e2e-aws-ovn-fips
• /test e2e-aws-ovn-heterogeneous
• /test e2e-aws-ovn-imdsv2
• /test e2e-aws-ovn-proxy
• /test e2e-aws-ovn-public-subnets
• /test e2e-aws-ovn-shared-vpc-custom-security-groups
• /test e2e-aws-ovn-shared-vpc-edge-zones
• /test e2e-aws-ovn-single-node
• /test e2e-aws-ovn-techpreview
• /test e2e-aws-ovn-upgrade
• /test e2e-aws-ovn-workers-rhel8
• /test e2e-aws-upi-proxy
• /test e2e-azure-ovn-resourcegroup
• /test e2e-azure-ovn-shared-vpc
• /test e2e-azure-ovn-techpreview
• /test e2e-azurestack
• /test e2e-azurestack-upi
• /test e2e-crc
• /test e2e-external-aws
• /test e2e-external-aws-ccm
• /test e2e-gcp-ovn-byo-vpc
• /test e2e-gcp-ovn-heterogeneous
• /test e2e-gcp-ovn-techpreview
• /test e2e-gcp-ovn-xpn
• /test e2e-gcp-secureboot
• /test e2e-gcp-upgrade
• /test e2e-gcp-upi-xpn
• /test e2e-ibmcloud-ovn
• /test e2e-metal-assisted
• /test e2e-metal-ipi-ovn
• /test e2e-metal-ipi-ovn-dualstack
• /test e2e-metal-ipi-ovn-swapped-hosts
• /test e2e-metal-ipi-ovn-virtualmedia
• /test e2e-metal-single-node-live-iso
• /test e2e-nutanix-ovn
• /test e2e-openstack-ccpmso
• /test e2e-openstack-ccpmso-zone
• /test e2e-openstack-dualstack
• /test e2e-openstack-dualstack-upi
• /test e2e-openstack-externallb
• /test e2e-openstack-nfv-intel
• /test e2e-openstack-proxy
• /test e2e-vsphere-multi-vcenter-ovn
• /test e2e-vsphere-ovn-techpreview
• /test e2e-vsphere-ovn-upi-zones
• /test e2e-vsphere-ovn-zones
• /test e2e-vsphere-ovn-zones-techpreview
• /test e2e-vsphere-static-ovn
• /test okd-e2e-agent-compact-ipv4
• /test okd-e2e-agent-ha-dualstack
• /test okd-e2e-agent-sno-ipv6
• /test okd-e2e-aws-ovn
• /test okd-e2e-aws-ovn-upgrade
• /test okd-e2e-gcp
• /test okd-e2e-gcp-ovn-upgrade
• /test okd-e2e-vsphere
• /test okd-scos-e2e-aws-ovn
• /test okd-scos-images
• /test tf-fmt

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-installer-master-altinfra-images
• pull-ci-openshift-installer-master-aro-unit
• pull-ci-openshift-installer-master-e2e-aws-ovn
• pull-ci-openshift-installer-master-gofmt
• pull-ci-openshift-installer-master-golint
• pull-ci-openshift-installer-master-govet
• pull-ci-openshift-installer-master-images
• pull-ci-openshift-installer-master-okd-unit
• pull-ci-openshift-installer-master-okd-verify-codegen
• pull-ci-openshift-installer-master-shellcheck
• pull-ci-openshift-installer-master-tf-fmt
• pull-ci-openshift-installer-master-tf-lint
• pull-ci-openshift-installer-master-unit
• pull-ci-openshift-installer-master-verify-codegen
• pull-ci-openshift-installer-master-verify-vendor
• pull-ci-openshift-installer-master-yaml-lint

Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@pawanpinjarkar: This pull request explicitly references no jira issue.

Details

In response to this:

Use $AUTH_FILE for valid pullSecret when OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE is set

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

/cc @rwsu @sadasu

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/retest-required

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/retest-required

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/cc @bfournie

[sadasu]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sadasu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [sadasu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zaneb]

Should we move this down to line 296 so we are only skipping the byteCompare() (i.e. still check that the file exists in the place we expect it)?

Even then though, looking at some of the actual tests, we pass a pull secret like:

pullSecret: '{"auths": {"quay.io": {"auth": "c3VwZXItc2VjcmV0Cg=="}}}'

and in the output expect something like:

apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: ostest-pull-secret
  namespace: cluster0
stringData:
  .dockerconfigjson: |-
    {
      "auths": {
        "quay.io": {
          "auth": "c3VwZXItc2VjcmV0Cg=="
        }
      }
    }

so there's a lot we are missing by not checking the content.

Maybe we could take a similar approach to the release image and do something like:

pullSecret: '{"auths": {"quay.io": {"auth": "$QUAY_PULL_SECRET_AUTH"}}, {"ci.openshift.org": {"auth": "$OPENSHIFTCI_PULL_SECRET_AUTH"}}}'

(note - I don't actually know what the pull secret we get in CI looks like or how much of it we need.)

Then we could just set the values in the environment, wouldn't have to load-and-save the install-config, and could verify the full output format.

[pawanpinjarkar]

So the case you were referring, for example, is https://github.com/openshift/installer/blob/master/cmd/openshift-install/testdata/agent/image/manifests/default_manifests.txt but here we are comparing the pull-secret with its contents correctly, isn't it? e.g. in

installer/cmd/openshift-install/testdata/agent/image/manifests/default_manifests.txt

Line 11 in 275af57

isocmp agent.x86_64.iso /etc/assisted/manifests/pull-secret.yaml expected/pull-secret.yaml

we are checking the contents of /etc/assisted/manifests/pull-secret.yaml against expected/pull-secret.yaml ?

[pawanpinjarkar]

Sample CI pull-secret looks like this -

{
    "auths": {
        "image-registry.openshift-image-registry.svc.cluster.local:5000": {
            "auth": "$A"
        },
        "image-registry.openshift-image-registry.svc:5000": {
            "auth": "$B"
        },
        "qci-pull-through-cache-us-east-1-ci.apps.ci.l2s4.p1.openshiftapps.com": {
            "auth": "$C"
        },
        "quay-proxy.ci.openshift.org": {
            "auth": "$C"
        },
        "quay.io": {
            "auth": "$D",
            "email": "[email protected]"
        },
        "quay.io/openshift/ci": {
            "auth": "$C"
        },
        "registry.build05.ci.openshift.org": {
            "auth": "$E"
        },
        "registry.ci.openshift.org": {
            "auth": "$F"
        }
    }
}

The email is the actual one, so we'll need to handle it carefully in the code to avoid exposing it. However, I'm struggling to understand the advantage of using the real pull secret and embedding it in the actual and expected test data. Currently, we're already validating the content of the pull secret effectively.

[zaneb]

Yeah, replacing all of that would be messy.
Presumably the only thing we use the pull secret for in the integration tests is to grab the ISO from the release image? If it turned out that a pull secret with only a couple of these auths was sufficient, then that starts to look more feasible.

So the case you were referring, for example, is https://github.com/openshift/installer/blob/master/cmd/openshift-install/testdata/agent/image/manifests/default_manifests.txt but here we are comparing the pull-secret with its contents correctly, isn't it? e.g. in

installer/cmd/openshift-install/testdata/agent/image/manifests/default_manifests.txt

Line 11 in 275af57
isocmp agent.x86_64.iso /etc/assisted/manifests/pull-secret.yaml expected/pull-secret.yaml
we are checking the contents of /etc/assisted/manifests/pull-secret.yaml against expected/pull-secret.yaml ?

We were, but this change to isoCmp() means that we will no longer actually compare the contents in CI. So if any of the formatting around the pull secret changes, we will not be able to detect it.

[pawanpinjarkar]

So if any of the formatting around the pull secret changes, we will not be able to detect it.

The e2e jobs will fail in those case

[bfournie]

/lgtm

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[pawanpinjarkar]

/test integration-tests

[andfasano]

Thanks @pawanpinjarkar latest changes look fine to me. Can you please fix the linting issues (and possibly squash the commits)?

[andfasano]

/retest

[openshift-ci]

@pawanpinjarkar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-vsphere-ovn	8050cecfeebd3ce21fd1a5c265fb692012f72fe4	link	false	/test okd-scos-e2e-vsphere-ovn
ci/prow/e2e-agent-compact-ipv4-appliance-diskimage	ca075d2	link	false	/test e2e-agent-compact-ipv4-appliance-diskimage
ci/prow/okd-e2e-agent-compact-ipv4	ca075d2	link	false	/test okd-e2e-agent-compact-ipv4

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pawanpinjarkar]

/jira refresh

[openshift-ci-robot]

@pawanpinjarkar: This pull request references Jira Issue OCPBUGS-38499, which is invalid:

• expected the bug to target the "4.18.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

/jira refresh

[openshift-ci-robot]

@pawanpinjarkar: This pull request references Jira Issue OCPBUGS-38499, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/lgtm

[pawanpinjarkar]

/cherrypick release-4.17

[openshift-cherrypick-robot]

@pawanpinjarkar: once the present PR merges, I will cherry-pick it on top of release-4.17 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@pawanpinjarkar: Jira Issue OCPBUGS-38499: All pull requests linked via external trackers have merged:

• openshift/installer#8789

Jira Issue OCPBUGS-38499 has been moved to the MODIFIED state.

Details

In response to this:

• Use $AUTH_FILE for the valid pullSecret in CI.
• Update the pull secret in the expected install-config file when AUTH_FILE is set.
• Check if the image files contain the pull-secret.yaml file.
• Use $OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE to replace test data and pass it to the test script environment. - This is typically set in a CI job to reference the ephemeral payload release.
• Skip errors when the test does not require reading install-config.yaml.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@pawanpinjarkar: new pull request created: #9018

Details

In response to this:

/cherrypick release-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.