OCPBUGS-10714: gatewayclass: Update for OSSM 2.4 API change

[Miciah]

Update for an API change in ServiceMeshControlPlane in OSSM 2.4.

maistra/istio-operator@ecd25d5 replaced the spec.techPreview.controlPlaneMode field with a new spec.mode field. Specifying spec.techPreview.controlPlaneMode now elicits the following error message:

failed to create ServiceMeshControlPlane openshift-ingress/openshift-gateway: admission webhook "smcp.validation.maistra.io" denied the request: the spec.techPreview.controlPlaneMode field is not supported in version 2.4+; use spec.mode

To resolve this issue, this PR bumps the vendored Maistra API version and changes the gatewayclass controller to use the new spec.mode field in the ServiceMeshControlPlane CR.

• go.mod: Bump github.com/maistra/istio-operator to v0.0.0-20230322122339-793794762e67.
• go.sum:
• vendor/*: Regenerate.
• pkg/operator/controller/gatewayclass/servicemeshcontrolplane.go (desiredServiceMeshControlPlane): Update to use the new spec.mode field instead of spec.techPreview.controlPlanemode.

[openshift-ci-robot]

@Miciah: This pull request references Jira Issue OCPBUGS-10714, which is invalid:

• expected the bug to target the "4.14.0" version, but it targets "4.13.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Update for an API change in ServiceMeshControlPlane in OSSM 2.4.

maistra/istio-operator@ecd25d5 replaced the spec.techPreview.controlPlaneMode field with a new spec.mode field. Specifying spec.techPreview.controlPlaneMode now elicits the following error message:

failed to create ServiceMeshControlPlane openshift-ingress/openshift-gateway: admission webhook "smcp.validation.maistra.io" denied the request: the spec.techPreview.controlPlaneMode field is not supported in version 2.4+; use spec.mode

To resolve this issue, this PR bumps the vendored Maistra API version and changes the gatewayclass controller to use the new spec.mode field in the ServiceMeshControlPlane CR.

• go.mod: Bump github.com/maistra/istio-operator to v0.0.0-20230322122339-793794762e67.
• go.sum:
• vendor/*: Regenerate.
• pkg/operator/controller/gatewayclass/servicemeshcontrolplane.go (desiredServiceMeshControlPlane): Update to use the new spec.mode field instead of spec.techPreview.controlPlanemode.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

The verify job failed because I failed to notice and git add a new file under vendor/. Next push will add this file.

[candita]

openshift cluster install failed with cluster creation

/test e2e-aws-operator

[candita]

TestClientTLS failure:
curl: (56) OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0

/test e2e-azure-operator

[gcs278]

Simple fix, and it's behind a feature gate.
/lgtm

[candita]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [candita]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Miciah]

e2e-aws-ovn-serial failed because of pathologically repeating events:

event happened 21 times, something is wrong: node/ip-10-0-162-91.us-west-2.compute.internal hmsg/e277cb97cf - pathological/true reason/ErrorReconcilingNode roles/worker [k8s.ovn.org/node-chassis-id annotation not found for node ip-10-0-162-91.us-west-2.compute.internal, macAddress annotation not found for node "ip-10-0-162-91.us-west-2.compute.internal" , k8s.ovn.org/l3-gateway-config annotation not found for node "ip-10-0-162-91.us-west-2.compute.internal"] From: 17:47:14Z To: 17:47:15Z result=reject 
event happened 22 times, something is wrong: node/ip-10-0-162-91.us-west-2.compute.internal hmsg/e277cb97cf - pathological/true reason/ErrorReconcilingNode roles/worker [k8s.ovn.org/node-chassis-id annotation not found for node ip-10-0-162-91.us-west-2.compute.internal, macAddress annotation not found for node "ip-10-0-162-91.us-west-2.compute.internal" , k8s.ovn.org/l3-gateway-config annotation not found for node "ip-10-0-162-91.us-west-2.compute.internal"] From: 17:47:15Z To: 17:47:16Z result=reject }

I've seen similar "macAddress annotation not found for node" failures before. I filed https://issues.redhat.com/browse/OCPBUGS-10841 to track the issue.
/test e2e-aws-ovn-serial

e2e-aws-ovn-upgrade failed because [sig-api-machinery] disruption/cache-kube-api connection/new should be available throughout the test failed. I suspect this is a flaky test, and it is not clear how the changes in this PR could have any impact on API availability.
/test e2e-aws-ovn-upgrade

e2e-azure-operator failed because TestRouteMetricsControllerRouteAndNamespaceSelector failed. Search.ci shows a few similar failures, and this has come up in the past on a few other PRs (see #849 (comment) and #834 (comment)), so this appears to be a somewhat rare flake.
/test e2e-azure-operator

e2e-azure-ovn failed because [sig-auth][Feature:SCC][Early] should not have pod creation failures during install failed:

{  fail [github.com/openshift/origin/test/extended/authorization/scc.go:69]: 1 pods failed before test on SCC errors
Error creating: pods "azure-file-csi-driver-node-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[5]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[6]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[7]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[9]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[10]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.initContainers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.initContainers[0].securityContext.containers[0].hostPort: Invalid value: 10302: Host ports are not allowed to be used, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 10302: Host ports are not allowed to be used, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[1].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.containers[1].securityContext.containers[0].hostPort: Invalid value: 10302: Host ports are not allowed to be used, spec.containers[2].securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used, spec.containers[2].securityContext.containers[0].hostPort: Invalid value: 10302: Host ports are not allowed to be used, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] for DaemonSet.apps/v1/azure-file-csi-driver-node -n openshift-cluster-csi-drivers happened 12 times

Search.ci shows a few similar failures. I filed https://issues.redhat.com/browse/OCPBUGS-10842 to track the issue.
/test e2e-azure-ovn

e2e-aws-operator failed because TestClientTLS failed. I've seen this flake a lot recently. I filed https://issues.redhat.com/browse/OCPBUGS-10846 to track the issue.
/test e2e-aws-operator

[Miciah]

/jira refresh

e2e-aws-operator failed because TestAWSELBConnectionIdleTimeout and TestClientTLS failed.
/test e2e-aws-operator

e2e-azure-operator failed because TestUnmanagedDNSToManagedDNSInternalIngressController failed. I filed https://issues.redhat.com/browse/OCPBUGS-2493 https://issues.redhat.com/browse/OCPBUGS-10983 to track this failure.
/test e2e-azure-operator

e2e-aws-ovn-serial failed because of https://issues.redhat.com/browse/OCPBUGS-10841 again.
/test e2e-aws-ovn-serial

[openshift-ci-robot]

@Miciah: This pull request references Jira Issue OCPBUGS-10714, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

Details

In response to this:

/jira refresh

e2e-aws-operator failed because TestAWSELBConnectionIdleTimeout and TestClientTLS failed.
/test e2e-aws-operator

e2e-azure-operator failed because TestUnmanagedDNSToManagedDNSInternalIngressController failed. I flied https://issues.redhat.com/browse/OCPBUGS-2493 to track this failure.
/test e2e-azure-operator

e2e-aws-ovn-serial failed because of https://issues.redhat.com/browse/OCPBUGS-10841 again.
/test e2e-aws-ovn-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD a29464e and 2 for PR HEAD 09277e9 in total

[Miciah]

e2e-azure-operator failed because TestClientTLS failed.
/test e2e-azure-operator

e2e-aws-ovn-serial failed because of pathologically repeating events (https://issues.redhat.com/browse/OCPBUGS-10841).
/test e2e-aws-ovn-serial

[Miciah]

e2e-azure-operator failed because TestClientTLS failed.
/test e2e-azure-operator

e2e-aws-ovn-serial failed because node count should match or exceed machine count failed:

{  
            Timed out waiting for node count (5) to equal or exceed machine count (6).
            NAMESPACE               NAME                                                 PHASE         TYPE         REGION      ZONE         AGE
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-master-0                  Running       m6a.xlarge   us-west-2   us-west-2a   29m
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-master-1                  Running       m6a.xlarge   us-west-2   us-west-2c   29m
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-master-2                  Running       m6a.xlarge   us-west-2   us-west-2a   29m
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-worker-us-west-2a-4znpg   Running       m6a.xlarge   us-west-2   us-west-2a   24m
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-worker-us-west-2a-clbzz   Provisioned   m6a.xlarge   us-west-2   us-west-2a   24m
openshift-machine-api   ci-op-st6bymvb-52591-fkk2v-worker-us-west-2c-4gdqr   Running       m6a.xlarge   us-west-2   us-west-2c   24m
            NAME                                         STATUS   ROLES                  AGE   VERSION
ip-10-0-136-40.us-west-2.compute.internal    Ready    control-plane,master   29m   v1.26.2+54b5520
ip-10-0-150-180.us-west-2.compute.internal   Ready    control-plane,master   30m   v1.26.2+54b5520
ip-10-0-184-112.us-west-2.compute.internal   Ready    worker                 22m   v1.26.2+54b5520
ip-10-0-212-229.us-west-2.compute.internal   Ready    control-plane,master   30m   v1.26.2+54b5520
ip-10-0-222-85.us-west-2.compute.internal    Ready    worker                 18m   v1.26.2+54b5520
          }

/test e2e-aws-ovn-serial

[gcs278]

e2e-aws-ovn-serial failed with k8s.ovn.org/node-chassis-id annotation not found for node ip-10-0-165-199.ec2.internal, macAddress annotation not found for node "ip-10-0-165-199.ec2.internal"

e2e-azure-operator failed with TestClientTLS again
/retest-required

[candita]

/retest-required

[gcs278]

I think we are blocked on #904 for TestClientTLS

But this time we also got Node process segfaulted, which was due to Haproxy 2.6.12.

/test e2e-azure-operator

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD e93984f and 1 for PR HEAD 09277e9 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 469a84e and 0 for PR HEAD 09277e9 in total

[openshift-ci-robot]

/hold

Revision 09277e9 was retested 3 times: holding

[Miciah]

e2e-aws-operator failed because TestUnmanagedDNSToManagedDNSInternalIngressController failed:

util_test.go:90: retrying client call due to: Get "http://ab0334948707c4719a1b669d84aedfbd-1834534123.us-east-1.elb.amazonaws.com/": EOF
    unmanaged_dns_test.go:318: failed to verify connectivity with workload with reqURL http://ab0334948707c4719a1b669d84aedfbd-1834534123.us-east-1.elb.amazonaws.com/ using external client: timed out waiting for the condition
    panic.go:522: deleted ingresscontroller unmanaged-migrated-internal

This is a different failure from the "failed to delete route" error in OCPBUGS-10983.
/test e2e-aws-operator

e2e-gcp-operator failed because TestRouterCompressionOperation failed:

     router_compression_test.go:209: compression error: expected "gzip", got "" for canary route 

/test e2e-gcp-operator

[openshift-ci]

@Miciah: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[Miciah]

/hold cancel

[Miciah]

/cherry-pick release-4.13

[openshift-cherrypick-robot]

@Miciah: once the present PR merges, I will cherry-pick it on top of release-4.13 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@Miciah: Jira Issue OCPBUGS-10714: All pull requests linked via external trackers have merged:

• openshift/cluster-ingress-operator#901

Jira Issue OCPBUGS-10714 has been moved to the MODIFIED state.

Details

In response to this:

Update for an API change in ServiceMeshControlPlane in OSSM 2.4.

maistra/istio-operator@ecd25d5 replaced the spec.techPreview.controlPlaneMode field with a new spec.mode field. Specifying spec.techPreview.controlPlaneMode now elicits the following error message:

failed to create ServiceMeshControlPlane openshift-ingress/openshift-gateway: admission webhook "smcp.validation.maistra.io" denied the request: the spec.techPreview.controlPlaneMode field is not supported in version 2.4+; use spec.mode

To resolve this issue, this PR bumps the vendored Maistra API version and changes the gatewayclass controller to use the new spec.mode field in the ServiceMeshControlPlane CR.

• go.mod: Bump github.com/maistra/istio-operator to v0.0.0-20230322122339-793794762e67.
• go.sum:
• vendor/*: Regenerate.
• pkg/operator/controller/gatewayclass/servicemeshcontrolplane.go (desiredServiceMeshControlPlane): Update to use the new spec.mode field instead of spec.techPreview.controlPlanemode.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@Miciah: new pull request created: #917

Details

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-ingress-operator-container-v4.14.0-202304281956.p0.ged5d8f8.assembly.stream for distgit ose-cluster-ingress-operator.
All builds following this will include this PR.