Skip to content

OPRUN-3863: Add olmv1 webhook support origin tests#30059

Closed
anik120 wants to merge 2 commits intoopenshift:mainfrom
anik120:olmv1-webhook-support
Closed

OPRUN-3863: Add olmv1 webhook support origin tests#30059
anik120 wants to merge 2 commits intoopenshift:mainfrom
anik120:olmv1-webhook-support

Conversation

@anik120
Copy link
Copy Markdown
Contributor

@anik120 anik120 commented Aug 5, 2025

Taking @perdasilva's #29825 to address blocking comment:

You cannot use beforeall like this in origin, it's not true ginkgo. Every test has to be completely independent because they are run in their own process -- so BeforeAll effectively becomes BeforeEach.. If you need a cluster configuration the job would be dedicated to this purpose, configure it the right way and then run your suite.

OTE has designs for tests tied to configs, but it's not implemented yet. https://github.com/openshift/enhancements/blob/master/enhancements/testing/openshift-tests-extension.md

Original PR description:

Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
(I'm not sure I'd add the last two if it weren't for the need to have 5 tests)

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 5, 2025
@anik120
Add olmv1 webhook support origin tests
6a25d73 
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
Signed-off-by: Anik Bhattacharjee <anbhatta@redhat.com>
@anik120 anik120 force-pushed the olmv1-webhook-support branch from ba45fbc to 6a25d73 Compare August 5, 2025 15:08
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 5, 2025
@openshift-ci openshift-ci Bot requested review from perdasilva and sjenning August 5, 2025 15:08
@anik120 anik120 changed the title Add olmv1 webhook support origin tests OPRUN-3863: Add olmv1 webhook support origin tests Aug 5, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 5, 2025
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Aug 5, 2025
edited by openshift-ci Bot
Loading

@anik120: This pull request references OPRUN-3863 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Taking @perdasilva's #29825 to address blocking comment:

You cannot use beforeall like this in origin, it's not true ginkgo. Every test has to be completely independent because they are run in their own process -- so BeforeAll effectively becomes BeforeEach.. If you need a cluster configuration the job would be dedicated to this purpose, configure it the right way and then run your suite.

OTE has designs for tests tied to configs, but it's not implemented yet. https://github.com/openshift/enhancements/blob/master/enhancements/testing/openshift-tests-extension.md

Original PR description:

Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
(I'm not sure I'd add the last two if it weren't for the need to have 5 tests)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 5, 2025

Updates I made in this PR:

  1. Removed g.BeforeAll() - Replaced with proper g.BeforeEach() setup

  2. Created setupWebhookOperator() helper function - Moved outside the Describe block as a package-level function that handles:

    • OLMv1 capability check
    • Webhook operator catalog creation and serving verification
    • Webhook operator installation and readiness verification

  3. Centralized setup/cleanup - Using g.BeforeEach() and g.AfterEach() blocks:

    • BeforeEach: Calls setup and registers cleanup function
    • AfterEach: Calls cleanup and handles failed test logging

Each g.It() test now focuses purely on its validation logic without setup/teardown boilerplate

@tmshort
Copy link
Copy Markdown
Contributor

tmshort commented Aug 5, 2025

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Aug 5, 2025
@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 6, 2025

/retest-required

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 6, 2025

/payload-job periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 6, 2025

@anik120: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d5402540-72c5-11f0-93eb-36890be0318a-0

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 6, 2025

/test e2e-aws-ovn-serial-2of2

@openshift-trt
Copy link
Copy Markdown

openshift-trt Bot commented Aug 6, 2025

Job Failure Risk Analysis for sha: 6a25d73

Job Name Failure Risk
pull-ci-openshift-origin-main-e2e-aws-disruptive IncompleteTests
Tests for this run (31) are below the historical average (156): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 6a25d73

Job Name New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.

New tests seen in this PR at sha: 6a25d73

  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 7, 2025

/payload-job periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 7, 2025

@anik120: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2bb869c0-7396-11f0-930b-67f82cd1327a-0

@thetechnick
Copy link
Copy Markdown
Contributor

thetechnick commented Aug 7, 2025

/lgtm

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 7, 2025

@sjenning @DennisPeriquet can I get approval for this PR please.

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 7, 2025

/assign @DennisPeriquet

camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 7, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] add webhook tests
85102bf 
Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini
@camilamacedo86 camilamacedo86 mentioned this pull request Aug 7, 2025
Merged
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 7, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] add webhook tests
06f63d7 
Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini
@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 7, 2025
@camilamacedo86
Copy link
Copy Markdown
Contributor

camilamacedo86 commented Aug 7, 2025

/hold cancel

@openshift-ci openshift-ci Bot reopened this Aug 15, 2025
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 15, 2025

@anik120: Reopened this PR.

Details

In response to this:

/reopen

openshift/operator-framework-operator-controller#424 had to be reverted. Want to run some tests here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Aug 15, 2025
edited by openshift-ci Bot
Loading

@anik120: This pull request references OPRUN-3863 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Taking @perdasilva's #29825 to address blocking comment:

You cannot use beforeall like this in origin, it's not true ginkgo. Every test has to be completely independent because they are run in their own process -- so BeforeAll effectively becomes BeforeEach.. If you need a cluster configuration the job would be dedicated to this purpose, configure it the right way and then run your suite.

OTE has designs for tests tied to configs, but it's not implemented yet. https://github.com/openshift/enhancements/blob/master/enhancements/testing/openshift-tests-extension.md

Original PR description:

Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
Adds origin tests for the webhook support feature. Test need to be run serially to enable BeforeSuite functionality which installs the webhook operator for the tests:

check validating webhook
check mutating webhook
check conversion webhook
check service availability during cert secret deletion by continuously creating and deleting a resource after the deletion of the cert secret
check deployment availability during cert rotation, which is forced to happen when the openshift-service-ca signing key gets deleted.
(I'm not sure I'd add the last two if it weren't for the need to have 5 tests)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 15, 2025

/payload-aggregate-with-prs periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 15, 2025

@anik120: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 15, 2025

/payload-aggregateperiodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 15, 2025

@anik120: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 15, 2025

/payload-aggregate periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial 5

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 15, 2025

@anik120: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.20-e2e-gcp-ovn-techpreview-serial

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/70b697e0-7a12-11f0-8696-f57cbfbf49ca-0

camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 15, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests skipping flake test
0415e67 
Skip "should be tolerant to openshift-service-ca certificate rotation". More info: https://issues.redhat.com/browse/OCPBUGS-60564
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 15, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests with enhancements
57ab057 
- Increase the timeout for "should be tolerant to openshift-service-ca certificate rotation" from 2 minutes to 5 minutes to reduce flakes.
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
openshift-bot pushed a commit to openshift-bot/operator-framework-operator-controller that referenced this pull request Aug 16, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] add webhook tests
b42c39b 
Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini
@openshift-trt
Copy link
Copy Markdown

openshift-trt Bot commented Aug 16, 2025

Job Failure Risk Analysis for sha: 36e4247

Job Name Failure Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-single-node-upgrade IncompleteTests

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 36e4247

Job Name New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.

New tests seen in this PR at sha: 36e4247

  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]

@openshift-trt
Copy link
Copy Markdown

openshift-trt Bot commented Aug 16, 2025

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 36e4247

Job Name New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-1of2 Medium - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-serial-2of2 High - "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" is a new test, was only seen in one job, and failed 2 time(s) against the current commit.

New tests seen in this PR at sha: 36e4247

  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 0, Fail: 2, Flake: 0]
  • "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]

@anik120
Copy link
Copy Markdown
Contributor Author

anik120 commented Aug 16, 2025

Looks like the cert rotation test is problematic

[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial] expand_less | 0s
-- | --
{Passed 0 times, failed 5 times, skipped 0 times: we require at least 6 attempts to have a chance at success  name: '[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial]   OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate   rotation [Suite:openshift/conformance/serial]' testsuitename: openshift-tests summary: 'Passed 0 times, failed 5 times, skipped 0 times: we require at least 6 attempts   to have a chance at success' passes: [] failures: - jobrunid: "1956445826951680000"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445826951680000   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445826951680000/artifacts - jobrunid: "1956445827413053440"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827413053440   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827413053440/artifacts - jobrunid: "1956445827861843968"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827861843968   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827861843968/artifacts - jobrunid: "1956445828310634496"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828310634496   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828310634496/artifacts - jobrunid: "1956445828767813632"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828767813632   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828767813632/artifacts skips: [] }

/close

@openshift-ci openshift-ci Bot closed this Aug 16, 2025
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 16, 2025

@anik120: Closed this PR.

Details

In response to this:

Looks like the cert rotation test is problematic

[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation [Suite:openshift/conformance/serial] expand_less | 0s
-- | --
{Passed 0 times, failed 5 times, skipped 0 times: we require at least 6 attempts to have a chance at success  name: '[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial]   OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate   rotation [Suite:openshift/conformance/serial]' testsuitename: openshift-tests summary: 'Passed 0 times, failed 5 times, skipped 0 times: we require at least 6 attempts   to have a chance at success' passes: [] failures: - jobrunid: "1956445826951680000"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445826951680000   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445826951680000/artifacts - jobrunid: "1956445827413053440"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827413053440   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827413053440/artifacts - jobrunid: "1956445827861843968"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827861843968   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445827861843968/artifacts - jobrunid: "1956445828310634496"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828310634496   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828310634496/artifacts - jobrunid: "1956445828767813632"   humanurl: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828767813632   gcsartifacturl: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/openshift-origin-30059-ci-4.20-e2e-gcp-ovn-techpreview-serial/1956445828767813632/artifacts skips: [] }

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 17, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests skipping flake test
3a22145 
Skip "should be tolerant to openshift-service-ca certificate rotation". More info: https://issues.redhat.com/browse/OCPBUGS-60564
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 17, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests with enhancements
60f247f 
- Increase the timeout for "should be tolerant to openshift-service-ca certificate rotation" from 2 minutes to 5 minutes to reduce flakes.
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 17, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests
d778da1 
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 17, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests
697e82c 
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
openshift-bot pushed a commit to openshift-bot/operator-framework-operator-controller that referenced this pull request Aug 18, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] add webhook tests
0cab7d0 
Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini
openshift-bot pushed a commit to openshift-bot/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] add webhook tests
adb0514 
Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook tests
1f2debf 
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
openshift-merge-bot Bot pushed a commit to openshift/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86 @openshift-merge-bot
UPSTREAM: <carry>: [OTE] Add webhook tests
fbdba7b 
- Add dumping of container logs and `kubectl describe pods` output for better diagnostics.
- Include targeted certificate details dump (`tls.crt` parse) when failures occur.
- Add additional check to verify webhook responsiveness after certificate rotation.

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook to validate openshift-service-ca…
fa0cb6e 
… certificate rotation

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook to validate openshift-service-ca…
b736e1b 
… certificate rotation

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
@camilamacedo86 camilamacedo86 mentioned this pull request Aug 19, 2025
Merged
camilamacedo86 added a commit to camilamacedo86/operator-framework-operator-controller that referenced this pull request Aug 19, 2025
@camilamacedo86
UPSTREAM: <carry>: [OTE] Add webhook to validate openshift-service-ca…
fa7e8b5 
… certificate rotation

This change is a refactor of code from openshift/origin#30059.

Assisted-by: Gemini
@camilamacedo86 camilamacedo86 mentioned this pull request Aug 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@perdasilva perdasilva Awaiting requested review from perdasilva

@sjenning sjenning Awaiting requested review from sjenning

1 more reviewer

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@thetechnick thetechnick

@camilamacedo86 camilamacedo86

@tmshort tmshort

@DennisPeriquet DennisPeriquet

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@anik120 @openshift-ci-robot @tmshort @thetechnick @camilamacedo86 @DennisPeriquet @openshift-merge-robot