OKD-259: Test OKD Feature set Against OKD and OCP clusters

go.mod

@@ -61,10 +61,10 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20251218142942-7ecc8801b9df
 	github.com/openshift-kni/commatrix v0.0.5-0.20251111204857-e5a931eff73f
-	github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7
+	github.com/openshift/api v0.0.0-20260114133223-6ab113cb7368
 	github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d
 	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
-	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
+	github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
 	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
 	github.com/operator-framework/api v0.36.0
 	github.com/ovn-org/ovn-kubernetes/go-controller v0.0.0-20250118001652-a8b9c3c31417

go.sum

@@ -828,14 +828,14 @@ github.com/openshift-eng/openshift-tests-extension v0.0.0-20251218142942-7ecc880
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20251218142942-7ecc8801b9df/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
 github.com/openshift-kni/commatrix v0.0.5-0.20251111204857-e5a931eff73f h1:E72Zoc+JImPehBrXkgaCbIDbSFuItvyX6RCaZ0FQE5k=
 github.com/openshift-kni/commatrix v0.0.5-0.20251111204857-e5a931eff73f/go.mod h1:cDVdp0eda7EHE6tLuSeo4IqPWdAX/KJK+ogBirIGtsI=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7 h1:Ot2fbEEPmF3WlPQkyEW/bUCV38GMugH/UmZvxpWceNc=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/api v0.0.0-20260114133223-6ab113cb7368 h1:kSr3DOlq0NCrHd65HB2o/pBsks7AfRm+fkpf9RLUPoc=
+github.com/openshift/api v0.0.0-20260114133223-6ab113cb7368/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d h1:Mfya3RxHWvidOrKyHj3bmFn5x2B89DLZIvDAhwm+C2s=
 github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d/go.mod h1:zm2/rIUp0p83pz0/1kkSoKTqhTr3uUKSKQ9fP7Z3g7Y=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
 github.com/openshift/kubernetes v1.30.1-0.20251017123720-96593f323733 h1:Mpab1CmJPLVWGB0CNGoWnup/NScvv55MVPe94c8JgUk=
 github.com/openshift/kubernetes v1.30.1-0.20251017123720-96593f323733/go.mod h1:w3+IfrXNp5RosdDXg3LB55yijJqR/FwouvVntYHQf0o=
 github.com/openshift/kubernetes/staging/src/k8s.io/api v0.0.0-20251017123720-96593f323733 h1:42lm41QwjG8JoSicx4FHcuIG2kxHxlUnz6c+ftg2e0E=

test/e2e/upgrade/monitor.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"math/rand"
+	"reflect"
 	"strings"
 	"text/tabwriter"
 	"time"
@@ -38,7 +39,7 @@ func (m *versionMonitor) Check(initialGeneration int64, desired configv1.Update)
 	m.lastCV = cv
 
 	if cv.Status.ObservedGeneration > initialGeneration {
-		if cv.Spec.DesiredUpdate == nil || desired != *cv.Spec.DesiredUpdate {
+		if cv.Spec.DesiredUpdate == nil || !reflect.DeepEqual(desired, *cv.Spec.DesiredUpdate) {
 			return nil, "", fmt.Errorf("desired cluster version was changed by someone else: %v", cv.Spec.DesiredUpdate)
 		}
 	}

test/extended/apiserver/featuregate_okd.go

@@ -0,0 +1,55 @@
+package apiserver
+
+import (
+	"context"
+	"strings"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+
+	configv1 "github.com/openshift/api/config/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+)
+
+// isOKD checks if the cluster is an OKD cluster by examining the version string
+func isOKD(oc *exutil.CLI) (bool, error) {
+	current, err := exutil.GetCurrentVersion(context.TODO(), oc.AdminConfig())
+	if err != nil {
+		return false, err
+	}
+	return strings.Contains(current, "okd-scos"), nil
+}
+
+var _ = g.Describe("[sig-api-machinery][Feature:FeatureGate][OCPFeatureGate:OKD]", func() {
+	defer g.GinkgoRecover()
+
+	oc := exutil.NewCLI("featuregate-okd")
+
+	g.It("should reject OKD featureset on OCP clusters [apigroup:config.openshift.io]", func() {
+		// Skip this test on OKD clusters - OKD featureset is allowed on OKD
+		okdCluster, err := isOKD(oc)
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to determine if cluster is OKD")
+		if okdCluster {
+			g.Skip("Skipping test on OKD cluster - OKD featureset is allowed on OKD")
+		}
+
+		// Get current FeatureGate
+		fgClient := oc.AdminConfigClient().ConfigV1().FeatureGates()
+		fg, err := fgClient.Get(context.Background(), "cluster", metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "Failed to get cluster FeatureGate")
+
+		// Attempt to set OKD featureset using dry-run
+		fg.Spec.FeatureSet = configv1.OKD
+		_, err = fgClient.Update(context.Background(), fg, metav1.UpdateOptions{
+			DryRun: []string{metav1.DryRunAll},
+		})
+
+		// Expect validation error on OCP clusters
+		o.Expect(err).To(o.HaveOccurred(), "OKD featureset should be rejected on OCP clusters")
+		o.Expect(err.Error()).To(o.ContainSubstring("OKD featureset is not supported on OpenShift clusters"))
+		o.Expect(k8serrors.IsInvalid(err)).To(o.BeTrue(), "Error should be an Invalid error")
+	})
+})

test/extended/imagepolicy/imagepolicy.go

@@ -337,10 +337,10 @@ func generateClusterImagePolicies() map[string]configv1.ClusterImagePolicy {
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyClusterImagePolicyName},
 			Spec: configv1.ClusterImagePolicySpec{
 				Scopes: []configv1.ImageScope{testSignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PublicKeyRootOfTrust,
-						PublicKey: &configv1.PublicKey{
+						PublicKey: &configv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUoFUoYAReKXGy59xe5SQOk2aJ8o+
 2/Yz5Y8GcN3zFE6ViIvkGnHhMlAhXaX/bo0M9R62s0/6q++T7uwNFuOg8A==
@@ -361,10 +361,10 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUoFUoYAReKXGy59xe5SQOk2aJ8o+
 			ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorClusterImagePolicyName},
 			Spec: configv1.ClusterImagePolicySpec{
 				Scopes: []configv1.ImageScope{testSignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PublicKeyRootOfTrust,
-						PublicKey: &configv1.PublicKey{
+						PublicKey: &configv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
@@ -385,10 +385,10 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPKIClusterImagePolicyName},
 			Spec: configv1.ClusterImagePolicySpec{
 				Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PKIRootOfTrust,
-						PKI: &configv1.PKI{
+						PKI: &configv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
 MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
 fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
@@ -423,10 +423,10 @@ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
 			ObjectMeta: metav1.ObjectMeta{Name: pkiClusterImagePolicyName},
 			Spec: configv1.ClusterImagePolicySpec{
 				Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PKIRootOfTrust,
-						PKI: &configv1.PKI{
+						PKI: &configv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
 MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
 BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
@@ -479,10 +479,10 @@ L8ITFP+Nw9Meiw4etw59CTAPCc7l4Zvwr1K2ZTBmVGxrqdasiqpI0utG69aItsPi
 			ObjectMeta: metav1.ObjectMeta{Name: invalidEmailPKIClusterImagePolicyName},
 			Spec: configv1.ClusterImagePolicySpec{
 				Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PKIRootOfTrust,
-						PKI: &configv1.PKI{
+						PKI: &configv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
 MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
 BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ
@@ -541,10 +541,10 @@ func generateImagePolicies() map[string]configv1.ImagePolicy {
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyImagePolicyName},
 			Spec: configv1.ImagePolicySpec{
 				Scopes: []configv1.ImageScope{testSignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PublicKeyRootOfTrust,
-						PublicKey: &configv1.PublicKey{
+						PublicKey: &configv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUoFUoYAReKXGy59xe5SQOk2aJ8o+
 2/Yz5Y8GcN3zFE6ViIvkGnHhMlAhXaX/bo0M9R62s0/6q++T7uwNFuOg8A==
@@ -565,10 +565,10 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUoFUoYAReKXGy59xe5SQOk2aJ8o+
 			ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorImagePolicyName},
 			Spec: configv1.ImagePolicySpec{
 				Scopes: []configv1.ImageScope{testSignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PublicKeyRootOfTrust,
-						PublicKey: &configv1.PublicKey{
+						PublicKey: &configv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: []byte(`-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
@@ -589,10 +589,10 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 			ObjectMeta: metav1.ObjectMeta{Name: invalidPKIImagePolicyName},
 			Spec: configv1.ImagePolicySpec{
 				Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PKIRootOfTrust,
-						PKI: &configv1.PKI{
+						PKI: &configv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
 MIICYDCCAgagAwIBAgIUTq5IQKTGqI9XDqGzdGzm8mI43qkwCgYIKoZIzj0EAwIw
 fDELMAkGA1UEBhMCLS0xDjAMBgNVBAgTBVNUQVRFMREwDwYDVQQHEwhMT0NBTElU
@@ -627,10 +627,10 @@ TAIhALlR4yZRRYv2iaVPdgaptAI0LoDAtEUiO8Rb9FWJzpAN
 			ObjectMeta: metav1.ObjectMeta{Name: pkiImagePolicyName},
 			Spec: configv1.ImagePolicySpec{
 				Scopes: []configv1.ImageScope{testPKISignedPolicyScope},
-				Policy: configv1.Policy{
+				Policy: configv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: configv1.PolicyRootOfTrust{
 						PolicyType: configv1.PKIRootOfTrust,
-						PKI: &configv1.PKI{
+						PKI: &configv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData: []byte(`-----BEGIN CERTIFICATE-----
 MIIFvzCCA6egAwIBAgIUZnH3ITyYQMAp6lvNYc0fjRzzuBcwDQYJKoZIhvcNAQEL
 BQAwbjELMAkGA1UEBhMCRVMxETAPBgNVBAcMCFZhbGVuY2lhMQswCQYDVQQKDAJJ