OCPBUGS-33378: Verify Build Webhooks on Upgrade #28783
Conversation
openshift-ci-robot
added
jira/severity-important
|
@adambkaplan: This pull request references Jira Issue OCPBUGS-33378, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@adambkaplan: This pull request references Jira Issue OCPBUGS-33378, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/hold
adambkaplan
force-pushed
the
unauth-webhook-on-upgrade
branch
from
76f3d0c
to
cdcc3ef
Compare
|
Maintaining hold - this PR now depends on #28781 |
adambkaplan
force-pushed
the
unauth-webhook-on-upgrade
branch
from
cdcc3ef
to
b4686c2
Compare
|
/retest-required |
|
@stbenjam: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5c5ad590-0d7b-11ef-9e75-f6489e31cd5e-0 |
|
/payload-job periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn-upgrade |
|
@stbenjam: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/73cf03e0-0d7b-11ef-8969-56421e5d3111-0 |
|
/lgtm Should be ok to remove the hold once we get clean micro and minor upgrade signal (see above) |
openshift-ci
bot
added
lgtm
…ticated-webhook-bc" This reverts commit e3c844d, restoring the test changes in origin#28750.
Updating the build suite test to verify the unautenticated build webhook behavior on upgrade. For clusters upgrading from v4.15 or earlier to v4.16, unauthenticated webhooks should continue to be allowed. For clusters that upgrade from v4.16 to a later version, unauthenticated webhooks should be denied by default. Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
adambkaplan
force-pushed
the
unauth-webhook-on-upgrade
branch
from
b4686c2
to
4820d3e
Compare
|
/payload-job periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-rt-upgrade |
|
@stbenjam: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/10091070-0d7c-11ef-857e-f5518f7e2113-0 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, stbenjam The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
|
||
| // AUTH-509: Webhooks do not allow unauthenticated requests by default. | ||
| // Create a role binding which allows unauthenticated webhooks. | ||
| g.BeforeEach(func() { |
There was a problem hiding this comment.
Note - for clusters upgrading from 4.15 or earlier, this is effectively a no-op. system:unauthenticated is granted the system:webhooks role globally.
|
/retest-required |
|
/payload-job periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-rt-upgrade |
|
@adambkaplan: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0c1e6a80-0e05-11ef-8a55-969d840c8a15-0 |
|
/hold cancel Payload upgrade test from 4.15 stable to 4.16 passed 🎉 |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/retest-required |
|
/retest |
|
@adambkaplan: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Job Failure Risk Analysis for sha: 4820d3e
|
|
/hold Revision 4820d3e was retested 3 times: holding |
openshift-ci
bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
openshift-merge-bot
bot
merged commit a177aa9
into
openshift:master
|
@adambkaplan: Jira Issue OCPBUGS-33378: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-33378 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build openshift-enterprise-tests-container-v4.17.0-202405111718.p0.ga177aa9.assembly.stream.el9 for distgit openshift-enterprise-tests. |
Updating the build suite test to verify the unautenticated build webhook behavior on upgrade. For clusters upgrading from v4.15 or earlier to v4.16, unauthenticated webhooks should continue to be allowed. For clusters that upgrade from v4.16 to a later version, unauthenticated webhooks should be denied by default.