OCPBUGS-19648: Network identity: node-specific certificate in ovnkube-node, admission webhook #1983

Merged
merged 1 commit into from Sep 22, 2023

kyrtapz
Contributor

@kyrtapz kyrtapz commented Sep 4, 2023

This PR enables the network-identity webhook introduced in ovn-kubernetes.
It is not ovn-kubernetes specific as it is going to be required for multus with different CNIs.

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 4, 2023
@openshift-ci
Contributor

openshift-ci bot commented Sep 4, 2023

@kyrtapz: GitHub didn't allow me to request PR reviews from the following users: kyrtapz.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc
/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Contributor

openshift-ci bot commented Sep 4, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyrtapz
Contributor Author

kyrtapz commented Sep 4, 2023

/test e2e-gcp-ovn
/test e2e-hypershift-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-ovn-hybrid-step-registry
/test e2e-ovn-ipsec-step-registry

@kyrtapz
Contributor Author

kyrtapz commented Sep 4, 2023

/test e2e-gcp-ovn
/test e2e-hypershift-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-ovn-hybrid-step-registry
/test e2e-ovn-ipsec-step-registry

@kyrtapz
Contributor Author

kyrtapz commented Sep 4, 2023

/retest

@kyrtapz
Contributor Author

kyrtapz commented Sep 5, 2023

/test e2e-hypershift-ovn
/test e2e-gcp-ovn-upgrade

@kyrtapz
Contributor Author

kyrtapz commented Sep 5, 2023

/test e2e-hypershift-ovn
/test e2e-gcp-ovn-upgrade

@kyrtapz
Contributor Author

kyrtapz commented Sep 6, 2023

/retest

@kyrtapz kyrtapz force-pushed the network-identity branch 2 times, most recently from 9f14125 to 180f6f0 Compare September 7, 2023 14:12
@kyrtapz
Contributor Author

kyrtapz commented Sep 7, 2023

/test images

@kyrtapz kyrtapz marked this pull request as ready for review September 8, 2023 07:04
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 8, 2023
@kyrtapz kyrtapz force-pushed the network-identity branch 3 times, most recently from 2393501 to 00b3c84 Compare September 11, 2023 12:49
@kyrtapz
Contributor Author

kyrtapz commented Sep 11, 2023

/test qe-perfscale-aws-ovn-cluster-density

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 12, 2023
@tssurya
Contributor

tssurya commented Sep 12, 2023

/test qe-perfscale-aws-ovn-cluster-density

@jtaleric

/test

@openshift-ci
Contributor

openshift-ci bot commented Sep 12, 2023

@jtaleric: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.14-upgrade-from-stable-4.13-images
  • /test e2e-aws-ovn-network-migration
  • /test e2e-aws-ovn-windows
  • /test e2e-aws-sdn-multi
  • /test e2e-aws-sdn-network-migration-rollback
  • /test e2e-aws-sdn-network-reverse-migration
  • /test e2e-gcp-ovn
  • /test e2e-gcp-sdn
  • /test e2e-hypershift-ovn
  • /test e2e-metal-ipi-ovn-ipv6
  • /test e2e-vsphere-ovn-windows
  • /test images
  • /test lint
  • /test unit
  • /test verify

The following commands are available to trigger optional jobs:

  • /test 4.14-upgrade-from-stable-4.13-e2e-aws-ovn-upgrade
  • /test 4.14-upgrade-from-stable-4.13-e2e-azure-ovn-upgrade
  • /test 4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-upgrade
  • /test e2e-aws-hypershift-ovn-kubevirt
  • /test e2e-aws-ovn-local-to-shared-gateway-mode-migration
  • /test e2e-aws-ovn-serial
  • /test e2e-aws-ovn-shared-to-local-gateway-mode-migration-periodic
  • /test e2e-aws-ovn-single-node
  • /test e2e-aws-sdn-upgrade
  • /test e2e-azure-ovn
  • /test e2e-azure-ovn-dualstack
  • /test e2e-azure-ovn-manual-oidc
  • /test e2e-gcp-ovn-upgrade
  • /test e2e-metal-ipi-ovn-ipv6-ipsec
  • /test e2e-network-mtu-migration-ovn-ipv4
  • /test e2e-network-mtu-migration-ovn-ipv6
  • /test e2e-network-mtu-migration-sdn-ipv4
  • /test e2e-openstack-kuryr
  • /test e2e-openstack-ovn
  • /test e2e-openstack-sdn
  • /test e2e-ovn-hybrid-step-registry
  • /test e2e-ovn-ipsec-step-registry
  • /test e2e-ovn-step-registry
  • /test e2e-vsphere-ovn
  • /test e2e-vsphere-ovn-dualstack
  • /test qe-perfscale-aws-ovn-cluster-density

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-openshift-cluster-network-operator-master-4.14-upgrade-from-stable-4.13-images
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-hypershift-ovn-kubevirt
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-serial
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-shared-to-local-gateway-mode-migration-periodic
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-single-node
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-windows
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-sdn-multi
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-sdn-network-migration-rollback
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-sdn-network-reverse-migration
  • pull-ci-openshift-cluster-network-operator-master-e2e-aws-sdn-upgrade
  • pull-ci-openshift-cluster-network-operator-master-e2e-azure-ovn
  • pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn
  • pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn-upgrade
  • pull-ci-openshift-cluster-network-operator-master-e2e-gcp-sdn
  • pull-ci-openshift-cluster-network-operator-master-e2e-hypershift-ovn
  • pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-ipv6
  • pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-ipv6-ipsec
  • pull-ci-openshift-cluster-network-operator-master-e2e-network-mtu-migration-ovn-ipv4
  • pull-ci-openshift-cluster-network-operator-master-e2e-network-mtu-migration-ovn-ipv6
  • pull-ci-openshift-cluster-network-operator-master-e2e-network-mtu-migration-sdn-ipv4
  • pull-ci-openshift-cluster-network-operator-master-e2e-openstack-ovn
  • pull-ci-openshift-cluster-network-operator-master-e2e-openstack-sdn
  • pull-ci-openshift-cluster-network-operator-master-e2e-ovn-hybrid-step-registry
  • pull-ci-openshift-cluster-network-operator-master-e2e-ovn-ipsec-step-registry
  • pull-ci-openshift-cluster-network-operator-master-e2e-ovn-step-registry
  • pull-ci-openshift-cluster-network-operator-master-e2e-vsphere-ovn
  • pull-ci-openshift-cluster-network-operator-master-e2e-vsphere-ovn-dualstack
  • pull-ci-openshift-cluster-network-operator-master-e2e-vsphere-ovn-windows
  • pull-ci-openshift-cluster-network-operator-master-images
  • pull-ci-openshift-cluster-network-operator-master-lint
  • pull-ci-openshift-cluster-network-operator-master-unit
  • pull-ci-openshift-cluster-network-operator-master-verify

In response to this:

/test

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 12, 2023
@tssurya
Contributor

tssurya commented Sep 12, 2023

/test qe-perfscale-aws-ovn-cluster-density

@zshi-redhat
Contributor

/retest-required

@openshift-ci
Contributor

openshift-ci bot commented Sep 22, 2023

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/4.14-upgrade-from-stable-4.13-e2e-aws-ovn-upgrade | e36760e | link | false | /test 4.14-upgrade-from-stable-4.13-e2e-aws-ovn-upgrade |
| ci/prow/4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-upgrade | e36760e | link | false | /test 4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-upgrade |
| ci/prow/4.14-upgrade-from-stable-4.13-e2e-azure-ovn-upgrade | e36760e | link | false | /test 4.14-upgrade-from-stable-4.13-e2e-azure-ovn-upgrade |
| ci/prow/e2e-vsphere-ovn-dualstack | f677aea | link | false | /test e2e-vsphere-ovn-dualstack |
| ci/prow/e2e-aws-hypershift-ovn-kubevirt | f677aea | link | false | /test e2e-aws-hypershift-ovn-kubevirt |
| ci/prow/e2e-aws-sdn-network-reverse-migration | f677aea | link | true | /test e2e-aws-sdn-network-reverse-migration |
| ci/prow/e2e-ovn-ipsec-step-registry | f677aea | link | false | /test e2e-ovn-ipsec-step-registry |
| ci/prow/e2e-network-mtu-migration-ovn-ipv6 | f677aea | link | false | /test e2e-network-mtu-migration-ovn-ipv6 |
| ci/prow/e2e-aws-ovn-serial | f677aea | link | false | /test e2e-aws-ovn-serial |
| ci/prow/e2e-aws-sdn-network-migration-rollback | f677aea | link | true | /test e2e-aws-sdn-network-migration-rollback |
| ci/prow/e2e-vsphere-ovn | f677aea | link | false | /test e2e-vsphere-ovn |
| ci/prow/e2e-gcp-ovn-upgrade | f677aea | link | false | /test e2e-gcp-ovn-upgrade |
| ci/prow/e2e-network-mtu-migration-ovn-ipv4 | f677aea | link | false | /test e2e-network-mtu-migration-ovn-ipv4 |
| ci/prow/e2e-network-mtu-migration-sdn-ipv4 | f677aea | link | false | /test e2e-network-mtu-migration-sdn-ipv4 |
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | f677aea | link | false | /test e2e-metal-ipi-ovn-ipv6-ipsec |

@zshi-redhat
Contributor

/retest-required

@kyrtapz
Contributor Author

kyrtapz commented Sep 22, 2023

/test e2e-aws-ovn-serial
/test e2e-gcp-ovn-upgrade

@kyrtapz
Contributor Author

kyrtapz commented Sep 22, 2023

The current CI state is good, most of the failing jobs do not seem to be related to my changes:

ci/prow/e2e-aws-hypershift-ovn-kubevirt
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-network-mtu-migration-ovn-ipv4 
ci/prow/e2e-network-mtu-migration-ovn-ipv6
ci/prow/e2e-network-mtu-migration-sdn-ipv4
ci/prow/e2e-ovn-ipsec-step-registry
ci/prow/e2e-vsphere-ovn
ci/prow/e2e-vsphere-ovn-dualstack 
ci/prow/e2e-aws-ovn-serial

I am pushing a fix that only affects the ipsec deployments so we can use the previous signal if needed.

…ng webhook

Signed-off-by: Patryk Diak <pdiak@redhat.com>
@jcaamano
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 22, 2023
@openshift-ci
Contributor

openshift-ci bot commented Sep 22, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcaamano, knobunc, kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kyrtapz kyrtapz changed the title Network identity: node-specific certificate in ovnkube-node, admission webhook OCPBUGS-19648: Network identity: node-specific certificate in ovnkube-node, admission webhook Sep 22, 2023
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Sep 22, 2023
@openshift-ci-robot
Contributor

@kyrtapz: This pull request references Jira Issue OCPBUGS-19648, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.15.0) matches configured target version for branch (4.15.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR enables the network-identity webhook introduced in ovn-kubernetes.
It is not ovn-kubernetes specific as it is going to be required for multus with different CNIs.

@kyrtapz
Contributor Author

kyrtapz commented Sep 22, 2023

/test e2e-ovn-ipsec-step-registry

@kyrtapz
Contributor Author

kyrtapz commented Sep 22, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 22, 2023
@knobunc
Contributor

knobunc commented Sep 22, 2023

/retest-required

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD c097483 and 2 for PR HEAD af4540a in total

@knobunc
Contributor

knobunc commented Sep 22, 2023

/retest-required

@knobunc
Contributor

knobunc commented Sep 22, 2023

/test e2e-ovn-ipsec-step-registry

@knobunc
Contributor

knobunc commented Sep 22, 2023

/test e2e-metal-ipi-ovn-ipv6-ipsec

@jcaamano
Contributor

We can't get a proper signal on the ipsec jobs due to CI outage. We are confident the issue that was introduced in this PR is fixed and that there shouldn't be any other issue. Since the ipsec jobs were not passing anyway, there needs to be an effort afterwards to fix them. I will update with a bug reference for this.

The other required jobs were green previous to the last push which should only affect the ipsec jobs.

In the interest of time, I will override the required jobs.

/override ci/prow/e2e-aws-ovn-windows
/override ci/prow/e2e-aws-sdn-multi
/override ci/prow/e2e-aws-sdn-network-migration-rollback
/override ci/prow/e2e-aws-sdn-network-reverse-migration
/override ci/prow/e2e-metal-ipi-ovn-ipv6
/override ci/prow/e2e-gcp-ovn
/override ci/prow/e2e-vsphere-ovn-windows

@openshift-ci
Contributor

openshift-ci bot commented Sep 22, 2023

@jcaamano: Overrode contexts on behalf of jcaamano: ci/prow/e2e-aws-ovn-windows, ci/prow/e2e-aws-sdn-multi, ci/prow/e2e-aws-sdn-network-migration-rollback, ci/prow/e2e-aws-sdn-network-reverse-migration, ci/prow/e2e-gcp-ovn, ci/prow/e2e-metal-ipi-ovn-ipv6, ci/prow/e2e-vsphere-ovn-windows

In response to this:

We can't get a proper signal on the ipsec jobs due to CI outage. We are confident the issue that was introduced in this PR is fixed and that there shouldn't be any other issue. Since the ipsec jobs were not passing anyway, there needs to be an effort afterwards to fix them. I will update with a bug reference for this.

The other required jobs were green previous to the last push which should only affect the ipsec jobs.

In the interest of time, I will override the required jobs.

/override ci/prow/e2e-aws-ovn-windows
/override ci/prow/e2e-aws-sdn-multi
/override ci/prow/e2e-aws-sdn-network-migration-rollback
/override ci/prow/e2e-aws-sdn-network-reverse-migration
/override ci/prow/e2e-metal-ipi-ovn-ipv6
/override ci/prow/e2e-gcp-ovn
/override ci/prow/e2e-vsphere-ovn-windows

@openshift-merge-robot openshift-merge-robot merged commit bc8c360 into openshift:master Sep 22, 2023
15 of 33 checks passed
@openshift-ci-robot
Contributor

@kyrtapz: Jira Issue OCPBUGS-19648: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-19648 has been moved to the MODIFIED state.

In response to this:

This PR enables the network-identity webhook introduced in ovn-kubernetes.
It is not ovn-kubernetes specific as it is going to be required for multus with different CNIs.

@openshift-merge-robot
Contributor

Fix included in accepted release 4.15.0-0.nightly-2023-09-27-073353

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.