New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test/e2e/prometheusadapter: reenable CA rotation test #576
test/e2e/prometheusadapter: reenable CA rotation test #576
Conversation
/test e2e-aws-operator |
I have to look into this one 🤔
|
I found at least the root cause for the above message: it is the OAuth proxy telling us we're not allowed to execute the request (403). As we don't check the response status code, we try to parse the OAuth login html which causes the above error to be generated. This is unrelated to this PR as it happens in the framework setup but I'll try to fix it here as we're here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Guessing this is good to go?
This reenables the requestheader CA rotation e2e test by using a different method. It deletes the CSR signer secrets causing the extension-apiserver-authentication configmap to be reissued.
59220c0
to
c5a802d
Compare
@lilic now this is good to go, PTAL. I hopefully fixed the outstanding issues with our e2e test client in new commit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One comment otherwise lgtm
_, dockerToken := secret.Annotations["openshift.io/create-dockercfg-secrets"] | ||
e2eToken := strings.Contains(secret.Name, "cluster-monitoring-operator-e2e-token-") | ||
|
||
if !dockerToken && e2eToken { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we just add a comment that if its dockerToken that means this token is an invalid one, to avoid future confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sounds good
We have a couple of potential e2e flake sources: 1. We don't check the response code from the prometheus query response. That causes the vanilla http response in case of error to be parsed as JSON which fails. We should bail out with the http status code instead. 2. It happens that we sometimes don't pick the correct token secret. With every service account there are two token secrets. One is the internal Kubernetes service account token, the other one is associated with the internal OpenShift Docker registry. We have to pick the right one otherwise non-deterministically the wrong token will be chosen. This fixes the above two issues.
c5a802d
to
c9e05d6
Compare
@lilic ptal |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LiliC, s-urbaniak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Seems like a flake |
/retest Please review the full test history for this PR and help us cut down flakes. |
This reenables the requestheader CA rotation e2e test
by using a different method.
It deletes the CSR signer secrets causing the extension-apiserver-authentication
configmap to be reissued.
/cc @openshift/openshift-team-monitoring