USHIFT-647: skip non-existing resources from security.openshift.io

[pacevedom]

/cc @ingvagabund

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pacevedom
Once this PR has been reviewed and has the lgtm label, please assign soltysh for approval by writing /assign @soltysh in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• test/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@pacevedom: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-etcd-scaling	662d3a6	link	false	/test e2e-aws-ovn-etcd-scaling
ci/prow/e2e-aws-ovn-single-node	662d3a6	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-azure-ovn-etcd-scaling	662d3a6	link	false	/test e2e-azure-ovn-etcd-scaling
ci/prow/e2e-openstack-ovn	662d3a6	link	false	/test e2e-openstack-ovn
ci/prow/e2e-aws-ovn-upgrade	662d3a6	link	false	/test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-single-node-upgrade	662d3a6	link	false	/test e2e-aws-ovn-single-node-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ingvagabund]

This will show the test as passed, not skipped. This needs to be g.Skip instead.

[pacevedom]

Can't skip the whole test, as this is only skipping specific resources from an API group. Using g.Skip would mean skipping the entire API group.

[ingvagabund]

Which is the expected behavior. Unless, the g.It gets moved on the level of individual resources. The test is designed to fail as a single apigroup. With the continue left the test will be seen as passed where it should be skipped or failed.

E.g. https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/27615/pull-ci-openshift-origin-master-e2e-openstack-ovn/1603879105109954560

An API group is either installed or not installed. We do not assume existince/non-existence of individual resource inside a single api group.

[chiragkyal]

If the behaviour of the test is to fail/skip as a single apigroup, then we need to use g.Skip instead. @pacevedom WDYT?

[ingvagabund]

The test is expected to test entire api group as a whole. If either of the resources is missing, an api group is not considered as fully tested. Which will break the original assumption of testing all the enumerated resources.

It is questionable whether an api group can be only partially tested. That would require properly checking each resource in each apigroup. Which is something that has not been done so far IINM. If the goal is to only test a subset of security.openshift.io group for MicroShift, then I would suggest to consider breaking this specific api group into two of the same group just different list of resources (as long as it make sense). Or figuring out a different way how to partially test this group. E.g. introducing a new test just for it.

[chiragkyal]

@ingvagabund I checked that all the three resources present under "security.openshift.io" apigroup are not present for MicroShift. What if we skip this entire apigroup because it's applicable for this apigroup only ? Something like

if !exist && groupName == "security.openshift.io" {
	g.Skip(fmt.Sprintf("Resource %s does not exist, skipping", bt.Resource))
}

This will avoid partial testing of other apigroups.

[ingvagabund]

https://github.com/openshift/microshift/blob/main/docs/enabled_apis.md mentions SecurityContextConstraints of security.openshift.io/v1

[chiragkyal]

Added a commit here, which skips only security.openshift.io group if any of its resources are not present.

Then added a new test which checks the resources applicable to MicroShift (e.g SecurityContextConstraints)

Please let me know your thoughts on this.

[ingvagabund]

This will show the test as passed, not skipped. This needs to be g.Skip instead.

[pacevedom]

Can't skip the whole test, as this is only skipping specific resources from an API group. Using g.Skip would mean skipping the entire API group.

[dhellmann]

@ingvagabund @pacevedom , what's the status of this work?

[ingvagabund]

#27615 (comment) waiting for resolution

[chiragkyal]

I've opened #27897 PR to address this one.

[chiragkyal]

/close

#27897 PR got merged, so it's obsolete now.

[openshift-ci]

@chiragkyal: Closed this PR.

In response to this:

/close

#27897 PR got merged, so it's obsolete now.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.