-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-33378: Verify Build Webhooks on Upgrade #28783
OCPBUGS-33378: Verify Build Webhooks on Upgrade #28783
Conversation
@adambkaplan: This pull request references Jira Issue OCPBUGS-33378, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@adambkaplan: This pull request references Jira Issue OCPBUGS-33378, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
76f3d0c
to
cdcc3ef
Compare
Maintaining hold - this PR now depends on #28781 |
cdcc3ef
to
b4686c2
Compare
/retest-required |
@stbenjam: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5c5ad590-0d7b-11ef-9e75-f6489e31cd5e-0 |
/payload-job periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn-upgrade |
@stbenjam: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/73cf03e0-0d7b-11ef-8969-56421e5d3111-0 |
/lgtm Should be ok to remove the hold once we get clean micro and minor upgrade signal (see above) |
…ticated-webhook-bc" This reverts commit e3c844d, restoring the test changes in origin#28750.
Updating the build suite test to verify the unautenticated build webhook behavior on upgrade. For clusters upgrading from v4.15 or earlier to v4.16, unauthenticated webhooks should continue to be allowed. For clusters that upgrade from v4.16 to a later version, unauthenticated webhooks should be denied by default. Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
b4686c2
to
4820d3e
Compare
/payload-job periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-rt-upgrade |
@stbenjam: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/10091070-0d7c-11ef-857e-f5518f7e2113-0 |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, stbenjam The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
||
// AUTH-509: Webhooks do not allow unauthenticated requests by default. | ||
// Create a role binding which allows unauthenticated webhooks. | ||
g.BeforeEach(func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note - for clusters upgrading from 4.15 or earlier, this is effectively a no-op. system:unauthenticated
is granted the system:webhooks
role globally.
/retest-required |
/payload-job periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-rt-upgrade |
@adambkaplan: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0c1e6a80-0e05-11ef-8a55-969d840c8a15-0 |
/hold cancel Payload upgrade test from 4.15 stable to 4.16 passed 🎉 |
/retest-required |
/retest |
@adambkaplan: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Job Failure Risk Analysis for sha: 4820d3e
|
/hold Revision 4820d3e was retested 3 times: holding |
/hold cancel |
a177aa9
into
openshift:master
@adambkaplan: Jira Issue OCPBUGS-33378: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-33378 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build openshift-enterprise-tests-container-v4.17.0-202405111718.p0.ga177aa9.assembly.stream.el9 for distgit openshift-enterprise-tests. |
Updating the build suite test to verify the unautenticated build webhook behavior on upgrade. For clusters upgrading from v4.15 or earlier to v4.16, unauthenticated webhooks should continue to be allowed. For clusters that upgrade from v4.16 to a later version, unauthenticated webhooks should be denied by default.