Fix OCP node OVN check #11861

Merged: 2 commits, Apr 23, 2024

Member

@yuumasato yuumasato commented Apr 19, 2024

Description:

  • The OVAL check for OCP node platform check was outdated and only worked correctly on 4.12 and 4.13.
  • The checked path has different contents on 4.14+
  • Let's check OVN config on a path that is common for 4.12+.
    • /var/run/multus/cni/net.d/10-ovn-kubernetes.conf
  • Delete e2e files for 4.12 and 4.13 that are aligned with the default e2e.yml file.

Rationale:

  • The way multus-shim configures OVN on 4.12 and 4.13 is different from 4.14 on.

Review hints:

Manually tested on 4.12 and 4.14:

oc get ccr | grep ovn 
upstream-ocp4-cis-node-master-file-groupowner-ovn-cni-server-sock                      PASS     medium
upstream-ocp4-cis-node-master-file-groupowner-ovn-db-files                             PASS     medium
upstream-ocp4-cis-node-master-file-owner-ovn-cni-server-sock                           PASS     medium
upstream-ocp4-cis-node-master-file-owner-ovn-db-files                                  PASS     medium
upstream-ocp4-cis-node-master-file-permissions-ovn-cni-server-sock                     PASS     medium
upstream-ocp4-cis-node-master-file-permissions-ovn-db-files                            PASS     medium
upstream-ocp4-cis-node-worker-file-groupowner-ovn-cni-server-sock                      PASS     medium
upstream-ocp4-cis-node-worker-file-groupowner-ovn-db-files                             PASS     medium
upstream-ocp4-cis-node-worker-file-owner-ovn-cni-server-sock                           PASS     medium
upstream-ocp4-cis-node-worker-file-owner-ovn-db-files                                  PASS     medium
upstream-ocp4-cis-node-worker-file-permissions-ovn-cni-server-sock                     PASS     medium
upstream-ocp4-cis-node-worker-file-permissions-ovn-db-files                            PASS     medium

Raw results before patch:

<definition definition_id="oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1" result="false" version="1">
  <criteria operator="AND" result="false">
    <criterion test_ref="oval:ssg-test_ocp4_on_openshift-ovn:tst:1" version="1" result="false"/>
    <criterion test_ref="oval:ssg-test_file_for_ocp4_node_network:tst:1" version="1" result="true"/>
  </criteria>
</definition>

Raw results after patch:

<definition definition_id="oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1" result="true" version="1">
  <criteria operator="AND" result="true">
    <criterion test_ref="oval:ssg-test_ocp4_on_openshift-ovn:tst:1" version="1" result="true"/>
    <criterion test_ref="oval:ssg-test_file_for_ocp4_node_network:tst:1" version="1" result="true"/>
  </criteria>
</definition>
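
The before/after results above differ in a single criterion under an `AND`. As an added example (not part of this pull request or of the ComplianceAsCode project), the following Python walks an OVAL results fragment and lists the tests that keep a definition from evaluating to true; the function names `local`, `blockers` and `explain` are hypothetical, and the input is the two fragments quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed input: the "before" and "after" fragments from the PR description.
BEFORE = """<definition definition_id="oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1" result="false" version="1">
  <criteria operator="AND" result="false">
    <criterion test_ref="oval:ssg-test_ocp4_on_openshift-ovn:tst:1" version="1" result="false"/>
    <criterion test_ref="oval:ssg-test_file_for_ocp4_node_network:tst:1" version="1" result="true"/>
  </criteria>
</definition>"""
AFTER = """<definition definition_id="oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1" result="true" version="1">
  <criteria operator="AND" result="true">
    <criterion test_ref="oval:ssg-test_ocp4_on_openshift-ovn:tst:1" version="1" result="true"/>
    <criterion test_ref="oval:ssg-test_file_for_ocp4_node_network:tst:1" version="1" result="true"/>
  </criteria>
</definition>"""


def local(tag):
    """Drop any XML namespace so namespaced results files also match."""
    return tag.rsplit("}", 1)[-1]


def blockers(node):
    """Return the test_refs that keep this criteria node from being true."""
    if node.get("result") == "true":
        return []  # a satisfied branch (e.g. under OR) blocks nothing
    if local(node.tag) == "criterion":
        return [node.get("test_ref")]
    found = []
    for child in node:
        if local(child.tag) in ("criteria", "criterion"):
            found.extend(blockers(child))  # recurse into nested criteria
    return found


def explain(xml_text):
    """Map each non-true definition to the tests that block it."""
    report = {}
    for d in ET.fromstring(xml_text).iter():
        if local(d.tag) == "definition" and d.get("result") != "true":
            report[d.get("definition_id")] = [t for c in d for t in blockers(c)]
    return report


if __name__ == "__main__":
    print("before:", explain(BEFORE))
    print("after: ", explain(AFTER))
```

It relies only on the `result` attributes already recorded in the results file, so it reports what the scanner decided rather than re-evaluating the tests.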

Adjust the path where we check for OVN configuration.
The new path works from 4.12 to latest release 4.15.
Adjust the e2e test results for the corrected OVN platform check.
@yuumasato yuumasato added the OpenShift OpenShift product related. label Apr 19, 2024
@yuumasato yuumasato requested a review from rhmdnd April 19, 2024 18:21
@yuumasato
Member Author

yuumasato commented Apr 19, 2024

/test help

@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis

@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11861
This image was built from commit: 7925bd0

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11861

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11861 make deploy-local

@yuumasato yuumasato changed the title Update OCP node OVN check Fix OCP node OVN check Apr 19, 2024
codeclimate bot commented Apr 19, 2024

Code Climate has analyzed commit 7925bd0 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.2% (0.0% change).

@yuumasato
Member Author

/test 4.16-e2e-aws-ocp4-cis

Collaborator

@rhmdnd rhmdnd left a comment

/lgtm

@Vincent056 Vincent056 merged commit c8d9096 into ComplianceAsCode:master Apr 23, 2024
52 checks passed
@yuumasato yuumasato deleted the update_ocp_ovn_check branch April 23, 2024 11:02
@yuumasato yuumasato added this to the 0.1.73 milestone Apr 23, 2024
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Apr 23, 2024
Vincent056 added a commit to Vincent056/cac-content-fork that referenced this pull request May 7, 2024
Fixing expected assertion result for rule file-permissions-cni-conf and file-groupowner-ovn-db-files, file-permissions-cni-conf should pass on ocp version >= 4.15, align file-groupowner-ovn-db-files with ComplianceAsCode#11861
Vincent056 added a commit to Vincent056/cac-content-fork that referenced this pull request May 8, 2024
Fixing expected assertion result for rule file-permissions-cni-conf and file-groupowner-ovn-db-files, file-permissions-cni-conf should pass on ocp version >= 4.15, align file-groupowner-ovn-db-files with ComplianceAsCode#11861