SPLAT-2220: tests/ote: introduce openshift-only e2e to validate feature by feature gate

[mtulio]

Summary

This PR introduces OpenShift-specific e2e tests for the AWSServiceLBNetworkSecurityGroup feature gate, which enables managed security groups for Network Load Balancers (NLB).

The tests introduced in this proposal exercises the feature, which is currently (4.21) under TechPreviewNoUpgrade feature set, validating the following changes exposed by the feature:

• cloud config option NLBSecurityGroupMode is added and set to value Managed, so that CCM controller will react to new configuration by default creating security groups for all NLBs
• ensure load balancer bound to the service is created with managed security group
• ensure the default router's service NLB, openshift-component mainly impacted and targeted by this change, is created with managed security group

Test Coverage

The test suite includes three comprehensive test cases:

1. Cloud Config Validation - Verifies cloud-config ConfigMap contains NLBSecurityGroupMode = Managed
2. NLB Service Creation - Creates a test NLB service and validates security groups are attached
3. Default Ingress Controller - Validates the default router NLB has security groups attached

Test Behavior

• TechPreviewNoUpgrade feature set: Tests execute and validate functionality
• Default/GA feature set: Tests skip when feature gate is disabled
• Tests accessible via OpenShift Test Extension (OTE) binary interface

Validation

• ✅ CI tests passing on both e2e-aws-ovn and e2e-aws-ovn-techpreview
• ✅ Tests correctly skip when feature gate disabled
• ✅ Tests validate managed security group attachment to NLBs

Note to Reviewer

There are two commits on this PR:

• the new e2e test package using the ginkgo DSL, imported by OTE: UPSTREAM: : test/ote added tests for NLB SG feature
• go.mod dependencies (vendoring) updates required in the OTE (only downstream) binary: UPSTREAM: : test/ote/vendor update dependencies

Jira: SPLAT-2220

Reviewed-by: Claude Sonnet 4.5 noreply@anthropic.com (also generated summary and function comments)

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[mtulio]

/test ?

[mtulio]

/test e2e-aws-ovn-techpreview

[mtulio]

/test e2e-aws-ovn-techpreview

[mtulio]

2/3 tests with prefix cloud-provider-aws-e2e-openshift succeeded. The cloud-config check failed due test not considering tabulation between k/v of the config. I just fixed it, let me get more signals for both TP and regular/GA:

/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn

[mtulio]

Perfect, both e2e-aws-ovn(1) and e2e-aws-ovn-techpreview(2) are now green, and tests with prefix cloud-provider-aws-e2e-openshift are passing in the TPNU(2) and skipped in the default/GA(1) feature set.

I just sent cleaned up the code to capture readiness.

/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2220 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

SPLAT-2220

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2220 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR introduces an openshift-only e2e tests to validate OpenShift features, merging those on tests exposed by OTE to the test framework.

SPLAT-2220

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/test okd-scos-images

[mtulio]

Second round of jobs are passing for test prefix cloud-provider-aws-e2e-openshift:

• e2e-aws-ovn: have 3/3 skipped tests
• e2e-aws-ovn-techpreview: have 3/3 passed tests

I just added minor changes improving how the feature gate is validated from the cluster, instead of unstructured API validation, now it is using the openshift API. Re-run for green signals:

/test e2e-aws-ovn-techpreview

Tested locally successfully (except last one which was skipped due my cluster limitation: non NLB for ingress):

  Ran 1 of 1 Specs in 1.978 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

]	Command being timed: "./aws-cloud-controller-manager-tests-ext run-test [cloud-provider-aws-e2e-openshift] loadbalancer NLB feature AWSServiceLBNetworkSecurityGroup should have NLBSecurityGroupMode with 'Managed value in cloud-config [Suite:openshift/conformance/parallel]"


$./aws-cloud-controller-manager-tests-ext run-test "[cloud-provider-aws-e2e-openshift] loadbalancer NLB feature AWSServiceLBNetworkSecurityGroup should create NLB service with security group attached [Suite:openshift/conformance/parallel]"
...

  Ran 1 of 1 Specs in 7.440 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
...

$(which time) -v ./aws-cloud-controller-manager-tests-ext run-test "[cloud-provider-aws-e2e-openshift] loadbalancer NLB feature AWSServiceLBNetworkSecurityGroup should have security groups attached to default ingress controller NLB [Suite:openshift/conformance/parallel]"

  Ran 0 of 1 Specs in 1.752 seconds
  SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 1 Skipped

[rvanderp3]

/lgtm

[mtulio]

/retest-required

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2220 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR introduces an openshift-only e2e tests to validate OpenShift features, merging those on tests exposed by OTE to the test framework.

Summary

This PR introduces OpenShift-specific e2e tests for the AWSServiceLBNetworkSecurityGroup feature gate, which enables managed security groups for Network Load Balancers (NLB).

The tests introduced in this proposal exercises the feature, which is currently (4.21) under TechPreviewNoUpgrade feature set, validating the following changes exposed by the feature:

• cloud config option NLBSecurityGroupMode is added and set to value Managed, so that CCM controller will react to new configuration by default creating security groups for all NLBs
• ensure load balancer bound to the service is created with managed security group
• ensure the default router's service NLB, openshift-component mainly impacted and targeted by this change, is created with managed security group

Test Coverage

The test suite includes three comprehensive test cases:

1. Cloud Config Validation - Verifies cloud-config ConfigMap contains NLBSecurityGroupMode = Managed
2. NLB Service Creation - Creates a test NLB service and validates security groups are attached
3. Default Ingress Controller - Validates the default router NLB has security groups attached

Test Behavior

• TechPreviewNoUpgrade feature set: Tests execute and validate functionality
• Default/GA feature set: Tests skip when feature gate is disabled
• Tests accessible via OpenShift Test Extension (OTE) binary interface

Validation

• ✅ CI tests passing on both e2e-aws-ovn and e2e-aws-ovn-techpreview
• ✅ Tests correctly skip when feature gate disabled
• ✅ Tests validate managed security group attachment to NLBs

Jira: SPLAT-2220

SPLAT-2220

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2220 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR introduces an openshift-only e2e tests to validate OpenShift features, merging those on tests exposed by OTE to the test framework.

Summary

This PR introduces OpenShift-specific e2e tests for the AWSServiceLBNetworkSecurityGroup feature gate, which enables managed security groups for Network Load Balancers (NLB).

The tests introduced in this proposal exercises the feature, which is currently (4.21) under TechPreviewNoUpgrade feature set, validating the following changes exposed by the feature:

• cloud config option NLBSecurityGroupMode is added and set to value Managed, so that CCM controller will react to new configuration by default creating security groups for all NLBs
• ensure load balancer bound to the service is created with managed security group
• ensure the default router's service NLB, openshift-component mainly impacted and targeted by this change, is created with managed security group

Test Coverage

The test suite includes three comprehensive test cases:

1. Cloud Config Validation - Verifies cloud-config ConfigMap contains NLBSecurityGroupMode = Managed
2. NLB Service Creation - Creates a test NLB service and validates security groups are attached
3. Default Ingress Controller - Validates the default router NLB has security groups attached

Test Behavior

• TechPreviewNoUpgrade feature set: Tests execute and validate functionality
• Default/GA feature set: Tests skip when feature gate is disabled
• Tests accessible via OpenShift Test Extension (OTE) binary interface

Validation

• ✅ CI tests passing on both e2e-aws-ovn and e2e-aws-ovn-techpreview
• ✅ Tests correctly skip when feature gate disabled
• ✅ Tests validate managed security group attachment to NLBs

Note to Reviewer

There are two commits on this PR:

• the new e2e test package using the ginkgo DSL, imported by OTE: UPSTREAM: : test/ote added tests for NLB SG feature
• go.mod dependencies (vendoring) updates required in the OTE (only downstream) binary: UPSTREAM: : test/ote/vendor update dependencies

Jira: SPLAT-2220

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/verified by @mtulio #126 (comment)

[openshift-ci-robot]

@mtulio: This PR has been marked as verified by @mtulio https://github.com/openshift/cloud-provider-aws/pull/126#issuecomment-3880959472.

Details

In response to this:

/verified by @mtulio #126 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/assign @nrb @elmiko

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2220 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

This PR introduces OpenShift-specific e2e tests for the AWSServiceLBNetworkSecurityGroup feature gate, which enables managed security groups for Network Load Balancers (NLB).

The tests introduced in this proposal exercises the feature, which is currently (4.21) under TechPreviewNoUpgrade feature set, validating the following changes exposed by the feature:

• cloud config option NLBSecurityGroupMode is added and set to value Managed, so that CCM controller will react to new configuration by default creating security groups for all NLBs
• ensure load balancer bound to the service is created with managed security group
• ensure the default router's service NLB, openshift-component mainly impacted and targeted by this change, is created with managed security group

Test Coverage

The test suite includes three comprehensive test cases:

1. Cloud Config Validation - Verifies cloud-config ConfigMap contains NLBSecurityGroupMode = Managed
2. NLB Service Creation - Creates a test NLB service and validates security groups are attached
3. Default Ingress Controller - Validates the default router NLB has security groups attached

Test Behavior

• TechPreviewNoUpgrade feature set: Tests execute and validate functionality
• Default/GA feature set: Tests skip when feature gate is disabled
• Tests accessible via OpenShift Test Extension (OTE) binary interface

Validation

• ✅ CI tests passing on both e2e-aws-ovn and e2e-aws-ovn-techpreview
• ✅ Tests correctly skip when feature gate disabled
• ✅ Tests validate managed security group attachment to NLBs

Note to Reviewer

There are two commits on this PR:

• the new e2e test package using the ginkgo DSL, imported by OTE: UPSTREAM: : test/ote added tests for NLB SG feature
• go.mod dependencies (vendoring) updates required in the OTE (only downstream) binary: UPSTREAM: : test/ote/vendor update dependencies

Jira: SPLAT-2220

Reviewed-by: Claude Sonnet 4.5 noreply@anthropic.com (also generated summary and function comments)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

Last commit only removed header comments.

/verified by #126 (comment)

[openshift-ci-robot]

@mtulio: This PR has been marked as verified by https://github.com/openshift/cloud-provider-aws/pull/126#issuecomment-3881773775.

Details

In response to this:

Last commit only removed header comments.

/verified by #126 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/test e2e-aws-ovn-techpreview

[openshift-ci]

@mtulio: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mtulio]

This is a critical feature for product:
/label acknowledge-critical-fixes-only

[jcpowermac]

/lgtm

[nrb]

/lgtm
/approve

[nrb]

Might be nice to mark this as a GinkgoHelper in case we hit errors, but not a blocker.

[mtulio]

Good suggestion, Nolan. Since this PR has been merged, I created the card SPLAT-2638 to track this.

[mtulio]

thanks for reviewing

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nrb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment