Member

@liouk liouk commented Sep 23, 2025

This PR makes e2e test adaptations for the case of a cluster with external OIDC authentication configured. These are tests we do not want to skip completely.

Summary of changes

  • authorization_rbac_proxy: when the users API is not present, the oc user created in this test comes from client.go; the order of the groups is different than the one the test expects, so we must make the test check expect both orders
  • apiserver-external-availability monitor test: this test checks all API servers, including the oauth apiserver; we adapt this test to skip the oauth apiserver when OIDC is configured (as it does not exist)
  • management_plane_operators: when OIDC is configured, the authentication operator does not have some conditions that are listed as always required in this test; this PR introduces a mechanism to determine some cluster-runtime conditions depending on cluster config/state and moves the respective auth operator ones there

Example failed run of conformance suite with OIDC configured: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/66981/rehearse-66981-periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview/1970076671268622336

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 23, 2025

openshift-ci-robot commented Sep 23, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

This PR makes e2e test adaptations for the case of a cluster with external OIDC authentication configured. These are tests we do not want to skip completely.

Summary of changes

  • authorization_rbac_proxy: when the users API is not present, the oc user created in this test comes from client.go; the order of the groups is different than the one the test expects, so we must make the test check more flexible.
  • apiserver-external-availability monitor test: this test checks all API servers, including the oauth apiserver; we adapt this test to skip the oauth apiserver when OIDC is configured (as it does not exist)
  • management_plane_operators: when OIDC is configured, the authentication operator does not have some conditions that are listed as always required in this test; this PR introduces a mechanism to determine some cluster-runtime conditions depending on cluster config/state and moves the respective auth operator ones there

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2025
Contributor

openshift-ci bot commented Sep 23, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liouk
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liouk liouk force-pushed the e2e-oidc-adaptations branch from 5ba6028 to f2f53d9 Compare September 23, 2025 08:54
…untime

Also define what conditions to expect for the authentication operator depending on
configured auth type.

@liouk liouk changed the title WIP: CNTRLPLANE-947: E2E test adaptations for OIDC CNTRLPLANE-947: E2E test adaptations for OIDC Sep 23, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2025

@liouk liouk changed the title CNTRLPLANE-947: E2E test adaptations for OIDC WIP: CNTRLPLANE-947: E2E test adaptations for OIDC Sep 23, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2025
Contributor

openshift-ci bot commented Sep 23, 2025

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn-upgrade | c109961 | link | false | /test e2e-aws-ovn-upgrade |
| ci/prow/e2e-aws-ovn-cgroupsv2 | c109961 | link | false | /test e2e-aws-ovn-cgroupsv2 |
| ci/prow/e2e-aws-ovn-fips | c109961 | link | true | /test e2e-aws-ovn-fips |
| ci/prow/e2e-aws-ovn-serial-2of2 | c109961 | link | true | /test e2e-aws-ovn-serial-2of2 |
| ci/prow/e2e-metal-ipi-serial-2of2 | c109961 | link | false | /test e2e-metal-ipi-serial-2of2 |
| ci/prow/e2e-aws-ovn-single-node-upgrade | c109961 | link | false | /test e2e-aws-ovn-single-node-upgrade |
| ci/prow/e2e-aws-ovn-edge-zones | c109961 | link | false | /test e2e-aws-ovn-edge-zones |
| ci/prow/e2e-aws-ovn-single-node-serial | c109961 | link | false | /test e2e-aws-ovn-single-node-serial |
| ci/prow/e2e-vsphere-ovn-upi | c109961 | link | true | /test e2e-vsphere-ovn-upi |
| ci/prow/e2e-openstack-ovn | c109961 | link | false | /test e2e-openstack-ovn |
| ci/prow/e2e-aws-disruptive | c109961 | link | false | /test e2e-aws-disruptive |
| ci/prow/e2e-aws-ovn-kube-apiserver-rollout | c109961 | link | false | /test e2e-aws-ovn-kube-apiserver-rollout |
| ci/prow/e2e-aws-proxy | c109961 | link | false | /test e2e-aws-proxy |
| ci/prow/e2e-metal-ipi-serial-ovn-ipv6-2of2 | c109961 | link | false | /test e2e-metal-ipi-serial-ovn-ipv6-2of2 |
| ci/prow/e2e-gcp-ovn-techpreview-serial-1of2 | c109961 | link | false | /test e2e-gcp-ovn-techpreview-serial-1of2 |
| ci/prow/e2e-aws-ovn-single-node | c109961 | link | false | /test e2e-aws-ovn-single-node |
| ci/prow/okd-scos-e2e-aws-ovn | c109961 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-aws-ovn-serial-1of2 | c109961 | link | true | /test e2e-aws-ovn-serial-1of2 |
| ci/prow/e2e-aws-ovn | c109961 | link | false | /test e2e-aws-ovn |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
