CFE-910: RouteExternalCertificate validation in openshift-kube-apiserver custom resource validator

[swghosh]

Adds validation gated by RouteExternalCertificate FeatureGate (initially as TechPreview) for custom resource validation in o/kube-apiserver of Route resources.

This is a follow-up over #1852 (which added OpenShift-specific feature gates to kube-apiserver), this intends to add Route validation logic for External Certificates (certificates loaded from secret references instead of entire certificate values being part of route resource).

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 111bba5|UPSTREAM: : Add RouteExternalCertificate validation: does not specify an upstream backport in the commit message
• 4dd5e93|UPSTREAM: : Bump deps for api and library-go: does not specify an upstream backport in the commit message
• 58c8b6b|UPSTREAM: : Bump deps library-go, DNM: forked repo replace, for tests: does not specify an upstream backport in the commit message
• f441ffb|UPSTREAM: : Add openshift feature gates to kube-apiserver: does not specify an upstream backport in the commit message
• fe98fc7|UPSTREAM: : Add context to ObjectValidator: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 48188aa|UPSTREAM: : Add RouteExternalCertificate validation: does not specify an upstream backport in the commit message
• 4dd5e93|UPSTREAM: : Bump deps for api and library-go: does not specify an upstream backport in the commit message
• 58c8b6b|UPSTREAM: : Bump deps library-go, DNM: forked repo replace, for tests: does not specify an upstream backport in the commit message
• f441ffb|UPSTREAM: : Add openshift feature gates to kube-apiserver: does not specify an upstream backport in the commit message
• fe98fc7|UPSTREAM: : Add context to ObjectValidator: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 3d81a3a|UPSTREAM: : Add RouteExternalCertificate validation: does not specify an upstream backport in the commit message
• 7571922|UPSTREAM: : Bump deps library-go, DNM: forked repo replace, for tests: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@swghosh: This pull request references CFE-910 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Adds validation gated by RouteExternalCertificate FeatureGate (initially as TechPreview) for custom resource validation in o/kube-apiserver of Route resources.

/hold
till openshift/library-go#1625 gets merged

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@swghosh: This pull request references CFE-910 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Adds validation gated by RouteExternalCertificate FeatureGate (initially as TechPreview) for custom resource validation in o/kube-apiserver of Route resources.

/hold
till openshift/library-go#1625 gets merged

This is a follow-up over #1852 (which added OpenShift-specific feature gates to kube-apiserver), this intends to add Route validation logic for External Certificates (certificates loaded from secret references instead of entire certificate values being part of route resource).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[swghosh]

/cc @vrutkovs @soltysh
FYI for now :)

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 3e5f1da|UPSTREAM: : Bump deps openshift/library-go: does not specify an upstream backport in the commit message
• dea2a65|UPSTREAM: : Add RouteExternalCertificate validation in Route ObjectValidator: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@swghosh: This pull request references CFE-910 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Adds validation gated by RouteExternalCertificate FeatureGate (initially as TechPreview) for custom resource validation in o/kube-apiserver of Route resources.

This is a follow-up over #1852 (which added OpenShift-specific feature gates to kube-apiserver), this intends to add Route validation logic for External Certificates (certificates loaded from secret references instead of entire certificate values being part of route resource).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[swghosh]

/cc @vrutkovs
Ti's ready for your review!

[vrutkovs]

/lgtm

[chiragkyal]

We should get reviews from NE team as well.
/cc @alebedev87 @Miciah
/hold

[swghosh]

/test e2e-aws-ovn-serial
/test e2e-gcp-ovn-upgrade
/test e2e-aws-ovn-fips

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6b4d6cb and 2 for PR HEAD c0bf247 in total

[soltysh]

/hold
the fips failure looks legit

[soltysh]

I'm landing #1941 which doesn't have fips issues, and this PR will need to be rebased and the last 2 commits should be squashed into one. This should help with fips.

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 1448e1c|UPSTREAM: : Add RouteExternalCertificate validation in Route ObjectValidator: does not specify an upstream backport in the commit message
• 410ba70|UPSTREAM: : Fix incorrect type casting in admission validate_apiserver: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 1448e1c|UPSTREAM: : Add RouteExternalCertificate validation in Route ObjectValidator: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@swghosh: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 1448e1c|UPSTREAM: : Add RouteExternalCertificate validation in Route ObjectValidator: does not specify an upstream backport in the commit message
• 410ba70|UPSTREAM: : Fix incorrect type casting in admission validate_apiserver: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[swghosh]

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_kubernetes/1904/pull-ci-openshift-kubernetes-master-e2e-aws-ovn-fips/1779978059932241920 > https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_kubernetes/1904/pull-ci-openshift-kubernetes-master-e2e-aws-ovn-fips/1779978059932241920/artifacts/e2e-aws-ovn-fips/gather-extra/artifacts/pods/openshift-authentication_oauth-openshift-55ffbc97dc-5vvrp_oauth-openshift.log

Copying system trust bundle
+ FIPS mode is enabled, but the required OpenSSL backend is unavailable

The root cause for those FIPS e2e failures seem to be because oauth-server osinserver command running as pods in the openshift-authentication namespace fails to start the binary. Looks like a problem with loading the requisite FIPS certified OpenSSL lib, probably related: https://access.redhat.com/solutions/7046917.

depends on: openshift/oauth-server#145

[swghosh]

/test unit

[swghosh]

/remove-hold
fips test have passed

/retest-required

[soltysh]

/remove-label backports/unvalidated-commits
/label backports/validated-commits
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah, sanchezl, soltysh, swghosh, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 0fdcb8e and 2 for PR HEAD 410ba70 in total

[openshift-ci]

@swghosh: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.