Add CI tests for ConfigurablePKI installer feature #77043
hasbro17 wants to merge 1 commit into openshift:main from hasbro17's branch
Conversation
/pj-rehearse

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

The rehearsals will of course fail until the installer support for PKI is actually merged from openshift/installer#10396. The goal is to merge this first and then run the presubmits on the installer PR to validate the PKI featuregate workflow.
1c7d82c to ada480e
/pj-rehearse

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

Alright, the pki cert and CR verification test seems to be checking everything correctly now:
ada480e to a04896f
/retest

/testwith openshift/installer/main/e2e-aws-ovn-pki-default openshift/installer#10396

@hasbro17,

/pj-rehearse --pull=openshift/installer#10396 pull-ci-openshift-installer-main-e2e-aws-ovn-pki-default

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/pj-rehearse --pull=openshift/installer#10396 pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@hasbro17: job(s): --pull=openshift/installer#10396 either don't exist or were not found to be affected, and cannot be rehearsed

@hasbro17: job(s): --pull=openshift/installer#10396 either don't exist or were not found to be affected, and cannot be rehearsed
| post: | ||
| - chain: gather-core-dump | ||
| - chain: ipi-aws-post | ||
| pre: | ||
| - chain: openshift-installer-pki-ipi-conf | ||
| - ref: ipi-conf-telemetry | ||
| - ref: ipi-conf-aws | ||
| - ref: ipi-conf-aws-byo-ipv4-pool-public | ||
| - ref: ipi-install-monitoringpvc | ||
| - chain: aws-provision-iam-user-minimal-permission | ||
| - ref: rhcos-conf-osstream | ||
| - chain: ipi-install | ||
| test: | ||
| - ref: openshift-installer-pki-verify | ||
| - ref: openshift-e2e-test |
You should use the existing openshift-e2e-aws workflow and edit ipi-conf-aws to read your environment variable and set the install config fields that way. It will be simpler.
Here's an example PR: #73270
That looks much simpler, thanks for the tip.
| FEATURE_GATES: '["ConfigurablePKI=true"]' | ||
| FEATURE_SET: CustomNoUpgrade |
The feature is in the TechPreviewNoUpgrade feature set, so you can just set the feature set to TechPreviewNoUpgrade.
I wanted to very specifically test only the ConfigurablePKI feature but I guess it would be good to see that this plays nicely with other techpreview features turned on as well.
| keyC valueC | ||
| workflow: openshift-e2e-aws | ||
| - always_run: false | ||
| as: e2e-aws-ovn-pki-default |
I think -ovn is supposed to be at the end of the job name. Not sure if that matters anymore.
I see many other presubmits/jobs using it right after the platform, e.g.:
- e2e-aws-ovn-dualstack-ipv6-primary-techpreview
- e2e-aws-ovn-proxy
Honestly not sure it's even needed but I just followed the existing convention.
@hasbro17 Per the convention, the -techpreview postfix is supposed to be at the end of the job name for jobs with TP enabled.
And should these jobs also be added to openshift-installer-release-4.22.yaml/openshift-installer-release-4.23.yaml/openshift-installer-release-5.0.yaml?
@yunjiang29 Updated the job names. I figured the jobs would auto sync from main to 4.22/4.23/5.0 but I've added them nevertheless.
a04896f to 1b547d7
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: hasbro17. Needs approval from an approver in each of these files:
/pj-rehearse |
|
@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel. |
1b547d7 to
e1df452
Compare
Whoops, I need to find my new presubmits/periodics.

/pj-rehearse periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-default

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/pj-rehearse pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@hasbro17: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

Alright, the tests are failing as expected:
e1df452 to a91ae7d
/pj-rehearse

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/pj-rehearse pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@hasbro17: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

a91ae7d to fcc832f

/pj-rehearse pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@hasbro17: job(s): pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa either don't exist or were not found to be affected, and cannot be rehearsed

@hasbro17: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.
| - as: periodic-e2e-aws-ovn-pki-default-techpreview | ||
| interval: 72h | ||
| steps: | ||
| cluster_profile: openshift-org-aws | ||
| env: | ||
| EXPECTED_ALGORITHM: ECDSA | ||
| EXPECTED_KEY_PARAM: secp384r1 | ||
| FEATURE_SET: TechPreviewNoUpgrade | ||
| test: | ||
| - ref: openshift-installer-pki-verify | ||
| - ref: openshift-e2e-test | ||
| workflow: openshift-e2e-aws | ||
| - as: periodic-e2e-aws-ovn-pki-rsa-techpreview | ||
| interval: 72h | ||
| steps: | ||
| cluster_profile: openshift-org-aws | ||
| env: | ||
| EXPECTED_ALGORITHM: RSA | ||
| EXPECTED_KEY_PARAM: "4096" | ||
| FEATURE_SET: TechPreviewNoUpgrade | ||
| PKI_ALGORITHM: RSA | ||
| PKI_RSA_KEY_SIZE: "4096" | ||
| test: | ||
| - ref: openshift-installer-pki-verify | ||
| - ref: openshift-e2e-test | ||
| workflow: openshift-e2e-aws |
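Review bot: in periodic-e2e-aws-ovn-pki-rsa-techpreview the expectation is hand-duplicated from the configuration (PKI_RSA_KEY_SIZE: "4096" next to EXPECTED_KEY_PARAM: "4096", and PKI_ALGORITHM: RSA next to EXPECTED_ALGORITHM: RSA), so editing one pair without the other would make the job assert against the wrong value without anyone noticing; consider having openshift-installer-pki-verify derive its expected algorithm and key parameter from PKI_ALGORITHM / PKI_RSA_KEY_SIZE whenever those are set, and keep the explicit EXPECTED_* values only for the default job where no PKI_* override is present.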
I don't think we need periodics, particularly at this stage in the development cycle?
Yeah it's a bit early. This can wait until we need pass rates for graduating to GA later and have a more comprehensive test. Will remove them.
The ConfigurablePKI feature gate changes installer-generated signer certificates from RSA-2048 to ECDSA P-384 by default. Add CI coverage to validate both the default ECDSA behavior and explicit RSA-4096 override, using TechPreviewNoUpgrade. A new openshift-installer-pki-verify step checks the 7 cluster-accessible signer CA secrets and PKI CR post-install, running before the e2e suite to fail fast on mismatches. Assisted-by: Claude Code (Opus 4.6)
fcc832f to 791c8dd
[REHEARSALNOTIFIER] A total of 16793 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

@hasbro17: The following tests failed, say
This provides the presubmits for the installer support of the PKI config openshift/installer#10396

Summary

The ConfigurablePKI feature gate changes installer-generated signer certificates from RSA-2048 to ECDSA P-384 by default. This PR adds CI coverage to validate both the default ECDSA behavior and explicit RSA-4096 override, using TechPreviewNoUpgrade.

New step-registry component:
- openshift-installer-pki-verify (ref) — Checks 7 cluster-accessible signer CA secrets and the PKI CR post-install. Runs before the e2e suite to fail fast on mismatches. Outputs a pass/fail summary table and writes full certificate details to the artifact directory.

ipi-conf-aws modifications:
- Adds PKI_ALGORITHM, PKI_RSA_KEY_SIZE, PKI_ECDSA_CURVE env vars with empty defaults (no impact on existing jobs). When PKI_ALGORITHM is set, injects the pki section into install-config.yaml.

New CI jobs (openshift/installer, main + release branches 4.22, 4.23, 5.0):

Optional presubmits:
- e2e-aws-ovn-pki-default-techpreview — Feature gate ON, no explicit config → expects ECDSA P-384 signers
- e2e-aws-ovn-pki-rsa-techpreview — Feature gate ON, explicit RSA-4096 → expects RSA-4096 signers
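The openshift-installer-pki-verify step described in the summary compares each signer CA's key against the job's EXPECTED_ALGORITHM and EXPECTED_KEY_PARAM (ECDSA/secp384r1 for the default job, RSA/"4096" for the RSA job). The program below is an added illustration of that check, not the step's own script from this PR (the real step is a step-registry shell script that reads the signer secrets from the cluster): it parses PEM CA certificates and reports whether the key algorithm and parameter match, in the same vocabulary the jobs use. The mapping from Go's curve names to OpenSSL-style names, the self-signed constructed certificates, and the function names are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strconv"
	"time"
)

// curveNames maps Go's curve names to the OpenSSL-style names the jobs use in
// EXPECTED_KEY_PARAM (secp384r1 is on the page; the other entries are assumed).
var curveNames = map[string]string{
	"P-256": "secp256r1",
	"P-384": "secp384r1",
	"P-521": "secp521r1",
}

// describeKey returns (algorithm, keyParam) for a certificate's public key:
// the curve name for ECDSA, the modulus size in bits for RSA.
func describeKey(cert *x509.Certificate) (string, string, error) {
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		name := pub.Curve.Params().Name
		if n, ok := curveNames[name]; ok {
			name = n
		}
		return "ECDSA", name, nil
	case *rsa.PublicKey:
		return "RSA", strconv.Itoa(pub.N.BitLen()), nil
	default:
		return "", "", fmt.Errorf("unsupported public key type %T", pub)
	}
}

// CheckSignerCert parses one PEM-encoded signer CA certificate and returns an
// error unless it is a CA whose key matches the expected algorithm and parameter.
func CheckSignerCert(certPEM []byte, expectedAlg, expectedParam string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if !cert.IsCA {
		return fmt.Errorf("%s: not a CA certificate", cert.Subject.CommonName)
	}
	alg, param, err := describeKey(cert)
	if err != nil {
		return err
	}
	if alg != expectedAlg || param != expectedParam {
		return fmt.Errorf("%s: got %s/%s, expected %s/%s",
			cert.Subject.CommonName, alg, param, expectedAlg, expectedParam)
	}
	return nil
}

// SelfSignedCA builds a constructed self-signed CA certificate for key, so the
// check can be exercised offline instead of against cluster secrets.
func SelfSignedCA(cn string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedCAPEM generates a constructed signer CA of the given algorithm:
// ECDSA on P-384 (the ConfigurablePKI default) or RSA with rsaBits.
func ConstructedCAPEM(alg string, rsaBits int) ([]byte, error) {
	var key crypto.Signer
	var err error
	switch alg {
	case "ECDSA":
		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case "RSA":
		key, err = rsa.GenerateKey(rand.Reader, rsaBits)
	default:
		return nil, fmt.Errorf("unknown algorithm %q", alg)
	}
	if err != nil {
		return nil, err
	}
	return SelfSignedCA("constructed-signer", key)
}

func main() {
	ecPEM, _ := ConstructedCAPEM("ECDSA", 0)
	rsaPEM, _ := ConstructedCAPEM("RSA", 4096)
	// Same expectations as the two jobs on the page, plus one deliberate mismatch.
	fmt.Println("pki-default:", CheckSignerCert(ecPEM, "ECDSA", "secp384r1"))
	fmt.Println("pki-rsa:    ", CheckSignerCert(rsaPEM, "RSA", "4096"))
	fmt.Println("mismatch:   ", CheckSignerCert(rsaPEM, "ECDSA", "secp384r1"))
}
```

A nil result from CheckSignerCert is the pass case; the mismatch line prints the got/expected pair the way a fail-fast pre-e2e step would surface it. Because the expected algorithm and parameter are passed in explicitly, the same function serves both the default job and the RSA override job.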