SREP-862: Add support for osdctl network verify-egress --pod-mode
#784
Conversation
Implement --pod-mode flag to run egress verification using Kubernetes Jobs instead of cloud instances, providing more accurate results by testing from within the actual cluster environment. Key features: - New --pod-mode flag enables Kubernetes-based verification - Automatic region detection from OCM for AWS clusters - Manual region override with --region flag - Configurable namespace with --namespace flag (default: openshift-network-diagnostics) - Custom kubeconfig support with --kubeconfig flag - Automatic probe switching to curl (required for pod mode) - Comprehensive input validation with clear error messages - Mutual exclusivity with cloud-specific flags Benefits: - No cloud credentials required - Tests actual cluster network environment - More accurate results than external instance testing - Secure execution with restrictive pod security contexts Usage examples: osdctl network verify-egress --cluster-id my-cluster --pod-mode osdctl network verify-egress --pod-mode --platform aws-classic --region us-east-1 Includes comprehensive unit test coverage with 21 new tests covering: - Input validation logic - Region detection (OCM vs manual) - Probe validation and switching - AWS config generation - Error handling scenarios 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
joshbranham
added
the
kind/feature
openshift-ci-robot
added
the
jira/valid-reference
|
@joshbranham: This pull request references SREP-862 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
openshift-ci
bot
added
the
approved
|
@joshbranham: This pull request references SREP-862 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/label tide/merge-method-squash |
openshift-ci
bot
added
the
tide/merge-method-squash
|
/lgtm |
openshift-ci
bot
added
lgtm
|
@joshbranham: This pull request references SREP-862 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@joshbranham: This pull request references SREP-862 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
joshbranham
force-pushed
the
feature/add-network-verifier-pod-mode
branch
from
29e33f5 to
558fcaf
Compare
|
@joshbranham: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dakotalongRH, joshbranham, reedcort The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…penshift#784) * Bump osd-network-verifier and dependencies * Add pod mode support to osdctl network verify-egress Implement --pod-mode flag to run egress verification using Kubernetes Jobs instead of cloud instances, providing more accurate results by testing from within the actual cluster environment. Key features: - New --pod-mode flag enables Kubernetes-based verification - Automatic region detection from OCM for AWS clusters - Manual region override with --region flag - Configurable namespace with --namespace flag (default: openshift-network-diagnostics) - Custom kubeconfig support with --kubeconfig flag - Automatic probe switching to curl (required for pod mode) - Comprehensive input validation with clear error messages - Mutual exclusivity with cloud-specific flags Benefits: - No cloud credentials required - Tests actual cluster network environment - More accurate results than external instance testing - Secure execution with restrictive pod security contexts Usage examples: osdctl network verify-egress --cluster-id my-cluster --pod-mode osdctl network verify-egress --pod-mode --platform aws-classic --region us-east-1 Includes comprehensive unit test coverage with 21 new tests covering: - Input validation logic - Region detection (OCM vs manual) - Probe validation and switching - AWS config generation - Error handling scenarios 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Use backplane as preference for getting k8s credentials * Docs and fmt * Consolidate and cleanup tests * Pull in actual osd-network-verifier release, update region flag --------- Co-authored-by: Claude <noreply@anthropic.com>
…penshift#784) * Bump osd-network-verifier and dependencies * Add pod mode support to osdctl network verify-egress Implement --pod-mode flag to run egress verification using Kubernetes Jobs instead of cloud instances, providing more accurate results by testing from within the actual cluster environment. Key features: - New --pod-mode flag enables Kubernetes-based verification - Automatic region detection from OCM for AWS clusters - Manual region override with --region flag - Configurable namespace with --namespace flag (default: openshift-network-diagnostics) - Custom kubeconfig support with --kubeconfig flag - Automatic probe switching to curl (required for pod mode) - Comprehensive input validation with clear error messages - Mutual exclusivity with cloud-specific flags Benefits: - No cloud credentials required - Tests actual cluster network environment - More accurate results than external instance testing - Secure execution with restrictive pod security contexts Usage examples: osdctl network verify-egress --cluster-id my-cluster --pod-mode osdctl network verify-egress --pod-mode --platform aws-classic --region us-east-1 Includes comprehensive unit test coverage with 21 new tests covering: - Input validation logic - Region detection (OCM vs manual) - Probe validation and switching - AWS config generation - Error handling scenarios 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Use backplane as preference for getting k8s credentials * Docs and fmt * Consolidate and cleanup tests * Pull in actual osd-network-verifier release, update region flag --------- Co-authored-by: Claude <noreply@anthropic.com>
5 participants
This extends the existing
osdctl network verify-egresscommand to support our new--pod-modefeature inosd-network-verifier.It relies on OCM and Backplane to fetch cluster data, and then constructs the necessary config to perform egress validation.
Of note, the
CaCertoption is not supported, as this will be configured automatically since the verification runs as a Pod in the cluster.This code was written in conjunction with
claude, and commits reflect that.Sample Run