Member

liouk commented Sep 23, 2025

In order to be able to run openshift's conformance e2e test suite on a cluster with external OIDC configured, we must skip any tests that are inherently irrelevant to OIDC (for example, tests against the OAuth APIs must be skipped, as these APIs do not exist in a cluster with external OIDC).

However, there's a number of tests that we want to avoid skipping (e.g. checking apiserver availability); this PR makes adaptations to such tests that currently break when OIDC is configured but we don't want to skip completely.

Summary of changes

  • authorization_rbac_proxy: when the users API is not present, the oc user created in this test comes from client.go; the order of the groups is different than the one the test expects, so we must make the test check expect both orders
  • apiserver-external-availability monitor test: this test checks all API servers, including the oauth apiserver; we adapt this test to skip the oauth apiserver when OIDC is configured (as it does not exist)
  • management_plane_operators: when OIDC is configured, the authentication operator does not have some conditions that are listed as always required in this test; this PR introduces a mechanism to determine some cluster-runtime conditions depending on cluster config/state and moves the respective auth operator ones there

Example failed run of conformance suite with OIDC configured: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/66981/rehearse-66981-periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview/1970076671268622336
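
A sketch of the three adaptations summarized above, added here as an illustration and not taken from this PR's code: group membership compared without regard to order, the oauth apiserver left out of monitoring under OIDC, and required operator conditions derived from the configured auth type. All function names, the API server names, the auth type values and the condition names are assumptions; `ExampleOAuthOnlyCondition` is a placeholder, not a real condition type.

```go
package main

import (
	"fmt"
	"sort"
)

// AuthType models the cluster's configured authentication type (assumed values).
type AuthType string

const IntegratedOAuth, OIDC AuthType = "IntegratedOAuth", "OIDC"

// sameGroups compares group membership as an unordered set, so either order passes.
func sameGroups(got, want []string) bool {
	if len(got) != len(want) {
		return false
	}
	g, w := append([]string(nil), got...), append([]string(nil), want...)
	sort.Strings(g)
	sort.Strings(w)
	for i := range g {
		if g[i] != w[i] {
			return false
		}
	}
	return true
}

// apiServersToMonitor omits the oauth apiserver under OIDC, where it does not exist.
func apiServersToMonitor(auth AuthType) []string {
	servers := []string{"kube-apiserver", "openshift-apiserver"}
	if auth != OIDC {
		servers = append(servers, "oauth-apiserver")
	}
	return servers
}

// requiredAuthConditions is decided at runtime; the OAuth-only name is a placeholder.
func requiredAuthConditions(auth AuthType) []string {
	conds := []string{"Available", "Degraded"}
	if auth != OIDC {
		conds = append(conds, "ExampleOAuthOnlyCondition")
	}
	return conds
}

func main() {
	fmt.Println(apiServersToMonitor(OIDC), requiredAuthConditions(OIDC))
	fmt.Println(sameGroups([]string{"b", "a"}, []string{"a", "b"}))
}
```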

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Sep 23, 2025

openshift-ci-robot commented Sep 23, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

This PR makes e2e test adaptations for the case of a cluster with external OIDC authentication configured. These are tests we do not want to skip completely.

Summary of changes

  • authorization_rbac_proxy: when the users API is not present, the oc user created in this test comes from client.go; the order of the groups is different than the one the test expects, so we must make the test check more flexible.
  • apiserver-external-availability monitor test: this test checks all API servers, including the oauth apiserver; we adapt this test to skip the oauth apiserver when OIDC is configured (as it does not exist)
  • management_plane_operators: when OIDC is configured, the authentication operator does not have some conditions that are listed as always required in this test; this PR introduces a mechanism to determine some cluster-runtime conditions depending on cluster config/state and moves the respective auth operator ones there

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Sep 23, 2025
liouk force-pushed the e2e-oidc-adaptations branch from 5ba6028 to f2f53d9 September 23, 2025 08:54
…untime

Also define what conditions to expect for the authentication operator depending on
configured auth type.

openshift-ci-robot commented Sep 23, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

liouk changed the title from "WIP: CNTRLPLANE-947: E2E test adaptations for OIDC" to "CNTRLPLANE-947: E2E test adaptations for OIDC" Sep 23, 2025
openshift-ci bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Sep 23, 2025

openshift-ci-robot commented Sep 23, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

liouk changed the title from "CNTRLPLANE-947: E2E test adaptations for OIDC" to "WIP: CNTRLPLANE-947: E2E test adaptations for OIDC" Sep 23, 2025
openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Sep 23, 2025

openshift-ci-robot commented Sep 30, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

Member Author

liouk commented Oct 1, 2025

/retest-required

Member

sdodson commented Oct 1, 2025

@liouk What's the minimal set of required tests you'd like to see pass here before this merges? I don't want to get stuck in a retest quagmire.

Member Author

liouk commented Oct 2, 2025

@sdodson when it comes to making sure that the changes in this PR do not break existing tests, I've already seen enough successful runs of the tests changed in the jobs that have already run successfully.

From the current failing jobs, the ones that contain the updated tests are the following:

  • e2e-aws-ovn
  • e2e-aws-ovn-single-node-upgrade
  • e2e-aws-proxy
  • e2e-openstack-ovn

However these aren't required anyway, so I doubt we should block this PR until these succeed.

Apart from verifying we're not breaking any existing tests, I would like to see the results of the jobs introduced with openshift/release#66981 and I'm planning on running the conformance suites at a local cluster -- however I am not aware of any way to run those jobs on the CI and include the changes of this PR before it merges (let me know if there's a way!).

liouk changed the title from "WIP: CNTRLPLANE-947: E2E test adaptations for OIDC" to "CNTRLPLANE-947: E2E test adaptations for OIDC" Oct 2, 2025
openshift-ci bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Oct 2, 2025
Member

sdodson commented Oct 6, 2025

/approve

Contributor

openshift-ci bot commented Oct 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk, sdodson
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

openshift-ci bot commented Oct 17, 2025

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-ovn-upgrade | c109961 | link | false | /test e2e-aws-ovn-upgrade |
| ci/prow/e2e-aws-ovn-cgroupsv2 | c109961 | link | false | /test e2e-aws-ovn-cgroupsv2 |
| ci/prow/e2e-metal-ipi-serial-2of2 | c109961 | link | false | /test e2e-metal-ipi-serial-2of2 |
| ci/prow/e2e-aws-ovn-single-node-upgrade | c109961 | link | false | /test e2e-aws-ovn-single-node-upgrade |
| ci/prow/e2e-aws-ovn-edge-zones | c109961 | link | false | /test e2e-aws-ovn-edge-zones |
| ci/prow/e2e-aws-ovn-single-node-serial | c109961 | link | false | /test e2e-aws-ovn-single-node-serial |
| ci/prow/e2e-openstack-ovn | c109961 | link | false | /test e2e-openstack-ovn |
| ci/prow/e2e-aws-disruptive | c109961 | link | false | /test e2e-aws-disruptive |
| ci/prow/e2e-aws-ovn-kube-apiserver-rollout | c109961 | link | false | /test e2e-aws-ovn-kube-apiserver-rollout |
| ci/prow/e2e-aws-proxy | c109961 | link | false | /test e2e-aws-proxy |
| ci/prow/e2e-metal-ipi-serial-ovn-ipv6-2of2 | c109961 | link | false | /test e2e-metal-ipi-serial-ovn-ipv6-2of2 |
| ci/prow/e2e-gcp-ovn-techpreview-serial-1of2 | c109961 | link | false | /test e2e-gcp-ovn-techpreview-serial-1of2 |
| ci/prow/e2e-aws-ovn-single-node | c109961 | link | false | /test e2e-aws-ovn-single-node |
| ci/prow/okd-scos-e2e-aws-ovn | c109961 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-aws-ovn | c109961 | link | false | /test e2e-aws-ovn |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Member Author

liouk commented Oct 23, 2025

/retest-required
