OPRUN-3941: [OTE] Add webhook tests (without should be tolerant to openshift-service-ca certificate rotation) #442
Conversation
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
from
112467e to
07d5c5a
Compare
|
|
||
| It("should be tolerant to openshift-service-ca certificate rotation", func(ctx SpecContext) { | ||
| // FIXME: https://issues.redhat.com/browse/OCPBUGS-60564 | ||
| Skip("Skipping this test until we ensure that it can work reliably") |
There was a problem hiding this comment.
This test must be skipped for now.
We will work on it in a follow up
|
/payload-aggregate-with-prs periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5 |
1 similar comment
|
/payload-aggregate-with-prs periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5 |
|
/payload-aggregate-with-prs periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 10 |
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
2 times, most recently
from
baa450a to
0415e67
Compare
|
/payload-aggregate-with-prs periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 10 |
|
/payload-aggregate periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 10 |
|
@camilamacedo86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b96934e0-7a1f-11f0-91bf-2cddbeabd8dd-0 |
|
/payload-aggregate periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 10 |
|
@camilamacedo86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/94147170-7a77-11f0-9e36-38ae811e5825-0 |
|
/restest-required |
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
from
0415e67 to
3a22145
Compare
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
from
3a22145 to
d778da1
Compare
camilamacedo86
changed the title
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/payload-aggregate periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5 |
|
@camilamacedo86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/af81eff0-7b94-11f0-93ec-12968849859f-0 |
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
from
d778da1 to
697e82c
Compare
|
@camilamacedo86: This pull request references OPRUN-3941 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| @@ -85,7 +81,7 @@ var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLM][Skipped:Disconnected] OLMv1 | |||
| DeferCleanup(fileCleanup) | |||
| By(fmt.Sprintf("created operator tarball %q", fileOperator)) | |||
|
|
|||
| By(fmt.Sprintf("starting the operator build with %q via RAW URL", cmdLine)) | |||
| By("starting the operator build via RAW URL") | |||
There was a problem hiding this comment.
A RAW URL usually means a direct link to the unprocessed (raw) content of a file, without any extra formatting, preview, or surrounding interface.
Example:
- Regular URL: https://github.com/user/repo/blob/main/file.txt
- Raw URL:https://raw.githubusercontent.com/user/repo/main/file.txt
The change here is just because we are using the utils, so we don't need or have cmdLine anymore.
There was a problem hiding this comment.
Requested in the PR to add the follow ups (which is in hold because we cannot add the test that fails): #430 (comment)
There was a problem hiding this comment.
In this particular case, it is invoking a k8s API via a URL (using --raw) rather than allowing the client (kubectl or oc) to determine the URL to use. This is needed because building an image is a specific Openshift operation not supported by kubectl. Although it is supported by oc, I wanted to make it generic enough to allow kubectl to be used. Because of this raw URL use, we can't directly use the k8sClient API.
| if CurrentSpecReport().Failed() { | ||
| By("dumping pod logs for debugging") | ||
| helpers.GetAllPodLogs(ctx, webhookOperatorInstallNamespace) | ||
| helpers.DescribePods(ctx, webhookOperatorInstallNamespace) | ||
| helpers.DescribeClusterCatalogs(ctx) | ||
| helpers.DescribeAllClusterExtensions(ctx, webhookOperatorInstallNamespace) | ||
| By("dumping webhook diagnostics") | ||
| // Additional diagnostics specific for this test | ||
| helpers.RunAndPrint(ctx, "get", "secret", "-n", webhookOperatorInstallNamespace, webhookServiceCert, "-oyaml") | ||
| helpers.RunAndPrint(ctx, "get", "mutatingwebhookconfigurations.admissionregistration.k8s.io", "-oyaml") | ||
| helpers.RunAndPrint(ctx, "get", "validatingwebhookconfigurations.admissionregistration.k8s.io", "-oyaml") | ||
| } |
There was a problem hiding this comment.
Rethinking this: do we need all these? Fyi the original PR has the executil.DumpPodsLogs etc etc which I pulled in without any changes...but rethinking this now: this is over explaining things. We'll get all of these from the must gather of the test cluster.
There was a problem hiding this comment.
Not exactly — the must-gather isn’t collected before we run all the cleanups.
Yes, we need this, but it will only appear if/when a test fails, and only for that specific test (similar to how it works in ocp/origin) if we develop it this way.
There was a problem hiding this comment.
There are definitely circumstances where we need to gather this data before the must-gather, e.g. in the case he pod is deleted during the test.
There was a problem hiding this comment.
Also note that secrets are not part of the must gather.
| It("should be tolerant to tls secret deletion", func(ctx SpecContext) { | ||
| certificateSecretName := webhookServiceCert | ||
| By("ensuring secret exists before deletion attempt") | ||
| Eventually(func(g Gomega) { | ||
| secret := &corev1.Secret{} | ||
| err := k8sClient.Get(ctx, client.ObjectKey{Name: certificateSecretName, Namespace: webhookOperatorInstallNamespace}, secret) | ||
| g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get secret %s/%s", webhookOperatorInstallNamespace, certificateSecretName)) | ||
| }).WithTimeout(1 * time.Minute).WithPolling(5 * time.Second).Should(Succeed()) | ||
|
|
||
| By("checking webhook is responsive through secret recreation after manual deletion") | ||
| tlsSecret := &corev1.Secret{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: certificateSecretName, | ||
| Namespace: webhookOperatorInstallNamespace, | ||
| }, | ||
| } | ||
| err := k8sClient.Delete(ctx, tlsSecret, client.PropagationPolicy(metav1.DeletePropagationBackground)) | ||
| Expect(client.IgnoreNotFound(err)).ToNot(HaveOccurred()) | ||
|
|
||
| DeferCleanup(func() { | ||
| // Specific check for this test | ||
| if CurrentSpecReport().Failed() { | ||
| By("dumping certificate details for debugging") | ||
| secret := &corev1.Secret{} | ||
| if err := k8sClient.Get(ctx, client.ObjectKey{ | ||
| Name: webhookServiceCert, | ||
| Namespace: webhookOperatorInstallNamespace, | ||
| }, secret); err == nil { | ||
| if crt, ok := secret.Data["tls.crt"]; ok && len(crt) > 0 { | ||
| printTLSCertInfo(crt) | ||
| } else { | ||
| _, _ = GinkgoWriter.Write([]byte("[diag] tls.crt key not found or empty in secret\n")) | ||
| } | ||
| } else { | ||
| fmt.Fprintf(GinkgoWriter, "[diag] failed to get secret for cert dump: %v\n", err) | ||
| } | ||
| } | ||
| }) | ||
|
|
||
| By("waiting for the webhook operator's service certificate secret to be recreated and populated") | ||
| Eventually(func(g Gomega) { | ||
| secret := &corev1.Secret{} | ||
| err := k8sClient.Get(ctx, client.ObjectKey{Name: certificateSecretName, Namespace: webhookOperatorInstallNamespace}, secret) | ||
| if apierrors.IsNotFound(err) { | ||
| GinkgoLogr.Info(fmt.Sprintf("Secret %s/%s not found yet (still polling for recreation)", webhookOperatorInstallNamespace, certificateSecretName)) | ||
| return | ||
| } | ||
| g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get webhook service certificate secret %s/%s: %v", webhookOperatorInstallNamespace, certificateSecretName, err)) | ||
| g.Expect(secret.Data).ToNot(BeEmpty(), "expected webhook service certificate secret data to not be empty after recreation") | ||
| }).WithTimeout(5*time.Minute).WithPolling(10*time.Second).Should(Succeed(), "webhook service certificate secret did not get recreated and populated within timeout") | ||
|
|
||
| Eventually(func(g Gomega) { | ||
| resourceName := fmt.Sprintf("tls-deletion-test-%s", rand.String(5)) | ||
| resource := newWebhookTest(resourceName, webhookOperatorInstallNamespace, true) | ||
|
|
||
| _, err := dynamicClient.Resource(webhookTestV1).Namespace(webhookOperatorInstallNamespace).Create(ctx, resource, metav1.CreateOptions{}) | ||
| g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to create test resource %s: %v", resourceName, err)) | ||
|
|
||
| err = dynamicClient.Resource(webhookTestV1).Namespace(webhookOperatorInstallNamespace).Delete(ctx, resource.GetName(), metav1.DeleteOptions{}) | ||
| g.Expect(client.IgnoreNotFound(err)).ToNot(HaveOccurred(), fmt.Sprintf("failed to delete test resource %s: %v", resourceName, err)) | ||
| }).WithTimeout(5 * time.Minute).WithPolling(10 * time.Second).Should(Succeed()) | ||
| }) | ||
| }) |
There was a problem hiding this comment.
Can we stick to whatever was here only please: https://github.com/openshift/origin/pull/30059/files#diff-6dd6fa78ac85235012d3c9910f8510bc1640c830a83888681bd5922cec0dffcbR166-R188
All of these print stuff is okay when debugging but feels unclean in a prod environment to run every time. And is also a lot of code to review, which means a lot of surface area for bugs.
There was a problem hiding this comment.
The print is required when errors occur, otherwise we don’t get the information needed for debugging.
The output will only appear if the test fails — that’s the key point to keep in mind.
See the snippet below and note the guard: if CurrentSpecReport().Failed().
The only change here compared to the previously approved PR is the code inside that if block.
By the way, you were one of the folks who originally requested additional dumps and logs 🙂
There was a problem hiding this comment.
As the information is available when the test fails, and is silent otherwise, I think we are fine.
There was a problem hiding this comment.
The changes to this file are not strictly related to the subject of this PR. It is mostly some cleanup using other APIs (i.e. to find a command-line client), to avoid duplication. The changes are fine. So, while it may not belong as part of this PR, I'm not going to push for it to be separated.
There was a problem hiding this comment.
Also, this could've used some of the new helpers that were written in this PR (e.g. NewClusterCatalog), but things can be combined later as needed.
There was a problem hiding this comment.
(Admittedly, I did write this fairly independently of the rest of the code, where there wasn't that much infrastructure in-place.)
| // Verify that the tool is working by checking its version. | ||
| if err := exec.Command(t, "version", "--client").Run(); err == nil { | ||
| return t, nil | ||
| } |
There was a problem hiding this comment.
Not sure this is strictly necessary, but it does ensure that the client can be executed.
There was a problem hiding this comment.
I think is good right to ensure that all is fine mainly because we can either run locally
| // RunAndPrint runs a `kubectl/oc` command via RunK8sCommand and writes both stdout and stderr | ||
| // to the GinkgoWriter. It also prints the exact command being run. | ||
| func RunAndPrint(ctx context.Context, args ...string) { | ||
| fmt.Fprintf(GinkgoWriter, "\n[diag] running: oc %s\n", strings.Join(args, " ")) |
There was a problem hiding this comment.
Technically, it's not running oc, but could be running kubectl, so the statement "It also prints the exact command being run" is in correct.
A nit, some arguments might contain spaces, that might accidentally be interpreted as separate commands when printed in this manner. I wonder if it's worthwhile to add quotes around each of args?
There was a problem hiding this comment.
Here should be
fmt.Fprintf(GinkgoWriter, "\n[diag] running: %s\n", strings.Join(args, " "))
Only.
I think we can add that I wonder if it's worthwhile to add quotes around each of args?
| "strings" | ||
|
|
||
| //nolint:staticcheck // ST1001: dot-imports for readability | ||
| . "github.com/onsi/ginkgo/v2" |
There was a problem hiding this comment.
The alternative would be to use g as the import reference. That might improve readability more than using . (and the consequences surrounding that).
There was a problem hiding this comment.
IHMO the g is hard to understand because one we need to add g other o. But we are doing it in all files (not only on those), while I agree that can be debatable can we agree taht if we change that would be in a follow up so we can change all places?
| } | ||
|
|
||
| func subHeader(format string, a ...any) { | ||
| fmt.Fprintf(GinkgoWriter, "\n--- %s ---\n", fmt.Sprintf(format, a...)) |
There was a problem hiding this comment.
Nit: I almost want the --- and === to be the same length.
| } | ||
|
|
||
| // DescribeClusterCatalogs lists all ClusterCatalogs and runs `describe` on each. | ||
| func DescribeClusterCatalogs(ctx context.Context) { |
There was a problem hiding this comment.
Nit, below "All" is used in the function name for ClusterExtensions, but not ClusterCatalogs.
There was a problem hiding this comment.
We could rename for DescribeAllClusterCatalogs
| // printTLSCertInfo parses a PEM-encoded TLS certificate and prints useful debug info. | ||
| // It shows validity period and SANs (DNS/IP) to help debug webhook cert issues. |
There was a problem hiding this comment.
This function feels as though it should be in the helpers package.
There was a problem hiding this comment.
It seems valid only for this specific case scenario that is why it is here
| fmt.Fprintf(GinkgoWriter, "[diag] Subject: %s\n", cert.Subject.String()) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] Issuer: %s\n", cert.Issuer.String()) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] Valid From: %s\n", cert.NotBefore.Format(time.RFC3339)) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] Valid Until: %s\n", cert.NotAfter.Format(time.RFC3339)) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] IsCA: %t\n", cert.IsCA) |
There was a problem hiding this comment.
nit: serial number might be useful here.
There was a problem hiding this comment.
Interest yep we might could either add as well
| webhookServiceCert = "webhook-operator-webhook-service-cert" | ||
| ) | ||
|
|
||
| var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks", |
| helpers.DescribeAllClusterExtensions(ctx, webhookOperatorInstallNamespace) | ||
| By("dumping webhook diagnostics") | ||
| // Additional diagnostics specific for this test | ||
| helpers.RunAndPrint(ctx, "get", "secret", "-n", webhookOperatorInstallNamespace, webhookServiceCert, "-oyaml") |
There was a problem hiding this comment.
Should this be using the printTLSCertInfo function below? I'm a bit concerned about dumping out secret contents (although admittedly, it's only a temporary secret for the lifetime of the service in question).
There was a problem hiding this comment.
I think is is fine for this reason, and it could help us diagnostic issues
| k8sClient = env.Get().K8sClient | ||
| restCfg := env.Get().RestCfg | ||
| var err error | ||
| dynamicClient, err = dynamic.NewForConfig(restCfg) |
There was a problem hiding this comment.
Why is this being used rather than k8sClient? We should just have to add the scheme and we'd be good to go?
There was a problem hiding this comment.
It's only used for 2 types of resources.
There was a problem hiding this comment.
- Controller-runtime client.Client (k8sClient) -> Only works with structured, typed client. (e.g., corev1.Secret, olmv1.ClusterCatalog).
- dynamic.Interface (dynamicClient) -> This is a generic, unstructured client. -> We need it because we are constructing the
webhookTestV1
We are testing webhook behavior for a CRD (WebhookTest) defined by an operator. That is why we used it. To do:
The dynamic client provides a way to create, get, and delete arbitrary resources using only their Group/Version/Resource identifiers
There was a problem hiding this comment.
Hmmm... so we can't add that API to our scheme? These are coreos APIs... But I see your point.
There was a problem hiding this comment.
For our APIs, we add the schema once in the test env and then use typed objects.
- Example: usage in helpers/cluster_extension.go works because we register the API in env/cluster.go.
For the operator under test, it doesn’t seems to make sense to import and register its schema for all tests. We don’t know where its Go types are, and we don’t want to depend on them. Instead, we just use the dynamic client with unstructured.
I think we can might say
- Our APIs (same repo) + K8s : add schema + typed k8sClient is fine.
- Other operator’s CRDs/thridy-parties : it is easier use dynamic client.
|
Most of the nits, can be fixed up later, but I do question the use of |
|
Dumping out the secret as a secret is not all that useful, having it printed out as a certificate will be much more useful, and since the key is not included in the dump, we won’t be potentially tagged with data leakage. If you can fix that, I’d be OK with the PR, and the nits fixed later |
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics. - Include targeted certificate details dump (`tls.crt` parse) when failures occur. - Add additional check to verify webhook responsiveness after certificate rotation. This change is a refactor of code from openshift/origin#30059. Assisted-by: Gemini
camilamacedo86
force-pushed
the
add-webhook-tests-with-skip-certca
branch
from
697e82c to
1f2debf
Compare
|
|
||
| fmt.Fprintf(GinkgoWriter, "[diag] Subject: %s\n", cert.Subject.String()) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] Issuer: %s\n", cert.Issuer.String()) | ||
| fmt.Fprintf(GinkgoWriter, "[diag] Serial Number: %X\n", cert.SerialNumber) |
There was a problem hiding this comment.
@tmshort ^ added :-)
|
Thank you a lot for your help !!! |
| // Add quotes only if whitespace or special chars are present | ||
| if strings.ContainsAny(a, " \t") { | ||
| quoted[i] = fmt.Sprintf("%q", a) | ||
| } else { | ||
| quoted[i] = a | ||
| } |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anik120, camilamacedo86, tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/test openshift-e2e-aws |
|
@camilamacedo86: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit fbdba7b
into
openshift:main
|
[ART PR BUILD NOTIFIER] Distgit: ose-olm-operator-controller |
|
[ART PR BUILD NOTIFIER] Distgit: ose-olm-catalogd |
PR Description
It reintroduces the reverted PR #434,
but without the failing test (as agreed in Slack thread).
The base reference for this file is #442, which was reverted [#434].
Delta Summary (New vs Old)
Removed test
❌
It("should be tolerant to openshift-service-ca certificate rotation", …)‣ Failed → reason for the revert
Added (requested in #424 review
✅ Diagnostics & dumps
AfterEachfailure hook → pod logs, resource describes, webhook config dumpsDeferCleanupin TLS secret test → dump cert details on failureprintTLSCertInfo()util → parse & log Subject/Issuer/Validity/SANs✅ Const
webhookServiceCert = "webhook-operator-webhook-service-cert"(instead of fixed string literal)Renamed / Changed
🔄
webhookTestGVRV1→webhookTestV1(requested in #424 review🔄
webhookTestGVRV2→webhookTestV2(requested in #424 review🔄
newWebhookTestV1()→newWebhookTest()(requested in #424 review🔄 Namespace deletion →
wait.PollUntilContextTimeout→Eventually(5m timeout, avoid flakes)🔄 TLS secret recreation wait → 2m → 5m (to avoid flakes)
📌 To check the delta, compare the
webhook.gofile from the old merged+reverted PR and the new version in this PR. All the other files are utils.Tests
Tested locally
Passing in e2e / pre-merge
Verified with /payload-aggregate See details on https://pr-payload-tests.ci.openshift.org/runs/ci/af81eff0-7b94-11f0-93ec-12968849859f-0