OCPBUGS-62929: Check router RBAC before external cert ops #30395

bentito · 2025-10-17T17:37:00Z

Added a wait step so the router service account’s RBAC settles before we create or update routes that use external certificates. The new helper impersonates the router SA and polls for get/list/watch access on the referenced secret, which eliminates the Forbidden errors that were flaking CI when the admission webhook fired during RBAC propagation

openshift-ci-robot · 2025-10-17T17:37:06Z

@bentito: This pull request references Jira Issue OCPBUGS-62929, which is invalid:

expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Added a wait step so the router service account’s RBAC settles before we create or update routes that use external certificates. The new helper impersonates the router SA and polls for get/list/watch access on the referenced secret, which eliminates the Forbidden errors that were flaking CI when the admission webhook fired during RBAC propagation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-10-17T17:38:25Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bentito
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

test/extended/router/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

bentito · 2025-10-17T17:39:17Z

/jira refresh

openshift-ci-robot · 2025-10-17T17:39:24Z

@bentito: This pull request references Jira Issue OCPBUGS-62929, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.21.0) matches configured target version for branch (4.21.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-trt · 2025-10-17T22:11:29Z

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: e3f4c0f

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] server supports sending resources in Table format [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by metadata client's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2	Medium - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod with container resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-1of2	High - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod, 1 container with resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] reflector doesn't support receiving resources as Tables [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by client-go's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by dynamic client's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should be requested by informers when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should be requested by metadatainformer when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	High - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod with container resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	High - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod, 1 container with resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	High - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod, no container resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	High - "[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod, no container resources [Suite:openshift/conformance/serial] [Suite:k8s]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.

New tests seen in this PR at sha: e3f4c0f

"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] reflector doesn't support receiving resources as Tables [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] server supports sending resources in Table format [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by client-go's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by dynamic client's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should NOT be requested by metadata client's List method when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should be requested by informers when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-api-machinery] API Streaming (aka. WatchList) [FeatureGate:WatchList] [Beta] [Serial] should be requested by metadatainformer when WatchListClient is enabled [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod with container resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod, 1 container with resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Burstable QoS pod, no container resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod with container resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod, 1 container with resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
"[sig-node] Pod Level Resources [Serial] [Feature:PodLevelResources] [FeatureGate:PodLevelResources] [Beta] Guaranteed QoS pod, no container resources [Suite:openshift/conformance/serial] [Suite:k8s]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]

bentito · 2025-10-18T22:05:00Z

/retest

bentito · 2025-10-19T02:12:39Z

/retest

Miciah

The PR has a more detailed description than the commit message. Can you add the PR description to the commit message, and also add a link to https://issues.redhat.com/browse/OCPBUGS-62929?

Do we need a similar wait for the tests that delete RBAC or secrets? I don't know whether those tests have been flaky, but it seems to me that we might have race conditions in those tests too.

test/extended/router/external_certificate.go

Ensure the RouteExternalCertificate tests wait until the openshift-ingress/router serviceaccount can get/list/watch the external certificate secret before creating or patching routes so the admission webhook no longer races RBAC propagation. OCPBUGS-62929 https://issues.redhat.com/browse/OCPBUGS-62929

bentito · 2025-10-21T18:10:14Z

Do we need a similar wait for the tests that delete RBAC or secrets? I don't know whether those tests have been flaky, but it seems to me that we might have race conditions in those tests too.

I don't think so, here's why:

Secret deletions already flow through checkRouteStatus, which polls until the router reports ExternalCertificateValidationFailed, so we’re effectively waiting for the controller to observe the change (test/extended/router/external_certificate.go:239).
RBAC deletions exercised in the “routes are not reachable” path also use that same status poll, so propagation is covered there (test/extended/router/external_certificate.go:293).
The update scenarios that expect an API call to be rejected rely on the apiserver RBAC authorizer evaluating permissions synchronously at request time. Once the role binding is deleted, the admission stack should block the request immediately.

So there’s no extra wait needed, I think, atm.
NB: I also didn't hunt for related flakes though

chiragkyal · 2025-10-22T10:45:00Z

test/extended/router/external_certificate.go

+	}
+
+	return wait.PollUntilContextTimeout(context.Background(), time.Second, changeTimeoutSeconds*time.Second, false, func(ctx context.Context) (bool, error) {
+		for _, secretName := range secretNames {


Since we want to poll for each secret, shouldn't we call thewait.PollUntilContextTimeout function inside the loop?

The existing structure already iterates over every secret on each poll tick and only returns true once all of them succeed. Moving the polling inside the loop would serialize the waits and could stretch the total wait time to number of secrets * timeout.

chiragkyal · 2025-10-22T10:46:57Z

test/extended/router/external_certificate.go

+				return false, err
+			}
+
+			watcher, err := client.CoreV1().Secrets(namespace).Watch(ctx, metav1.ListOptions{


Cannot we use listOpts, which was defined earlier?

We can’t safely reuse the earlier listOpts because it has Limit: 1. Watches reject requests that include a limit, so the code intentionally builds a fresh ListOptions without that field for the watch call. Reusing the old struct would risk sending an invalid watch request unless we mutate it first, which would be harder to read than just constructing a new one.

bentito · 2025-10-22T15:57:32Z

/retest

bentito · 2025-10-22T16:50:18Z

/retest

openshift-ci · 2025-10-22T19:14:21Z

@bentito: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	`bf0e17c`	link	false	`/test okd-scos-e2e-aws-ovn`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-trt · 2025-10-22T19:20:31Z

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: bf0e17c

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift	High - "Import the release payload "nightly-arm64" from an external source" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift-serial	High - "Import the release payload "nightly-arm64" from an external source" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: bf0e17c

"Import the release payload "nightly-arm64" from an external source" [Total: 4, Pass: 4, Fail: 0, Flake: 0]

bentito · 2025-10-23T18:13:49Z

@Miciah : The cycle before, there were 5 failing e2e but none for this flake in question, and currently we have 1 failing e2e and not b/c of this flake. Can you take another review pass?

bentito · 2025-10-23T18:14:35Z

/assign @Miciah

candita · 2025-10-30T20:40:45Z

/assign @rfredette

openshift-ci bot requested review from candita and miheer October 17, 2025 17:38

openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Oct 17, 2025

openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Oct 17, 2025

openshift-ci bot requested a review from lihongan October 17, 2025 17:39

bentito force-pushed the OCPBUGS-62929 branch from e3f4c0f to eaaec8d Compare October 21, 2025 15:17

Miciah reviewed Oct 21, 2025

View reviewed changes

test/extended/router/external_certificate.go Show resolved Hide resolved

bentito force-pushed the OCPBUGS-62929 branch from eaaec8d to bf0e17c Compare October 21, 2025 18:08

chiragkyal reviewed Oct 22, 2025

View reviewed changes

bentito requested a review from Miciah October 23, 2025 12:31

openshift-ci bot assigned Miciah Oct 23, 2025

openshift-ci bot assigned rfredette Oct 30, 2025

OCPBUGS-62929: Check router RBAC before external cert ops #30395

Are you sure you want to change the base?

OCPBUGS-62929: Check router RBAC before external cert ops #30395

Uh oh!

Conversation

bentito commented Oct 17, 2025

Uh oh!

openshift-ci-robot commented Oct 17, 2025

Uh oh!

openshift-ci bot commented Oct 17, 2025

Uh oh!

bentito commented Oct 17, 2025

Uh oh!

openshift-ci-robot commented Oct 17, 2025

Uh oh!

openshift-trt bot commented Oct 17, 2025

Uh oh!

bentito commented Oct 18, 2025

Uh oh!

bentito commented Oct 19, 2025

Uh oh!

Miciah left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

bentito commented Oct 21, 2025

Uh oh!

chiragkyal Oct 22, 2025

Choose a reason for hiding this comment

Uh oh!

bentito Oct 23, 2025

Choose a reason for hiding this comment

Uh oh!

chiragkyal Oct 22, 2025

Choose a reason for hiding this comment

Uh oh!

bentito Oct 23, 2025

Choose a reason for hiding this comment

Uh oh!

bentito commented Oct 22, 2025

Uh oh!

bentito commented Oct 22, 2025

Uh oh!

openshift-ci bot commented Oct 22, 2025

Uh oh!

openshift-trt bot commented Oct 22, 2025

Uh oh!

bentito commented Oct 23, 2025

Uh oh!

bentito commented Oct 23, 2025

Uh oh!

candita commented Oct 30, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants