Check test images

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
openshift · Mar 27, 2024 · 9ff34c6 · 9ff34c6
1 parent d9520b6
commit 9ff34c6
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 2 deletions.
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.14__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.14__periodics.yaml
@@ -225,6 +225,14 @@ tests:
       HYPERSHIFT_NODE_COUNT: "2"
       MCE_VERSION: "2.4"
       ODF_OPERATOR_SUB_CHANNEL: stable-4.14
+      TEST_SKIPS: Image policy should update OpenShift object image fields when local
+        names are on\|Image policy should update standard Kube object image fields
+        when local names are on\|oc tag should preserve image reference for external
+        images\|Image policy should perform lookup when the Deployment gets the resolve-names
+        annotation later\|Image policy should perform lookup when the object has the
+        resolve-names annotation\|PersistentVolumes NFS when invoking the Recycle
+        reclaim policy should test that a PV becomes Available and is clean after
+        the PVC is deleted.
     workflow: hypershift-mce-kubevirt-baremetalds-disconnected-conformance
 - as: e2e-mce-power-conformance
   cron: 0 4 * * *

diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.15__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.15__periodics.yaml
@@ -166,6 +166,23 @@ tests:
       MCE_VERSION: "2.5"
       ODF_OPERATOR_SUB_CHANNEL: stable-4.14
     workflow: hypershift-mce-kubevirt-baremetalds-conformance
+- as: e2e-kubevirt-mce-baremetalds-disconnected-conformance
+  cron: 0 8 * * *
+  steps:
+    cluster_profile: equinix-ocp-metal
+    env:
+      HYPERSHIFT_NODE_COUNT: "2"
+      MCE_VERSION: "2.5"
+      ODF_OPERATOR_SUB_CHANNEL: stable-4.14
+      TEST_SKIPS: Image policy should update OpenShift object image fields when local
+        names are on\|Image policy should update standard Kube object image fields
+        when local names are on\|oc tag should preserve image reference for external
+        images\|Image policy should perform lookup when the Deployment gets the resolve-names
+        annotation later\|Image policy should perform lookup when the object has the
+        resolve-names annotation\|PersistentVolumes NFS when invoking the Recycle
+        reclaim policy should test that a PV becomes Available and is clean after
+        the PVC is deleted.
+    workflow: hypershift-mce-kubevirt-baremetalds-disconnected-conformance
 - as: e2e-kubevirt-aws-csi
   cron: 0 4 * * *
   steps:

diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.15-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.15-periodics.yaml
@@ -618,6 +618,87 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 0 8 * * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.15
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: equinix-ocp-metal
+    ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-metal
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.15"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-hypershift-release-4.15-periodics-e2e-kubevirt-mce-baremetalds-disconnected-conformance
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/e2e-kubevirt-mce-baremetalds-disconnected-conformance-cluster-profile
+      - --target=e2e-kubevirt-mce-baremetalds-disconnected-conformance
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/e2e-kubevirt-mce-baremetalds-disconnected-conformance-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-equinix-ocp-metal
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 0 4 * * *

diff --git a/ci-operator/step-registry/hypershift/conformance/hypershift-conformance-chain.yaml b/ci-operator/step-registry/hypershift/conformance/hypershift-conformance-chain.yaml
@@ -4,11 +4,51 @@ chain:
   - as: conformance-tests
     from: tests
     commands: |-
+      set -x
+
+      function patch_image_streams() {
+        # workaround for https://issues.redhat.com/browse/OCPBUGS-31446
+        # imagestreams on the hosted cluster are ignoring
+        # the CA injected at creation/(installation) time.
+        # see: https://issues.redhat.com/browse/RFE-3093
+        # and: https://github.com/openshift/enhancements/pull/416/commits/e46072ecf77b58c79b4bece5e0c6a5a5546a1b8a
+
+        echo "### Patching image streams on the hostedcluster"
+        echo "#### Add trust for the mirroring registry"
+        oc get cm -n openshift-config user-ca-bundle -o json | jq -r '.data["ca-bundle.crt"]' > /tmp/ca-bundle.crt
+        oc create configmap registry-config --from-file=${DS_REGISTRY//:/..}=/tmp/ca-bundle.crt -n openshift-config
+        oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
+        sleep 60
+
+        DEVSCRIPTS_RELEASE_IMAGE_REPO=${DS_REGISTRY}/localimages/local-release-image
+        #PREV_KUBECONFIG=${KUBECONFIG}
+        #export KUBECONFIG=${SHARED_DIR}/nested_kubeconfig
+        IMAGESTREAMS=$(oc get imagestreams -n openshift -o=name)
+        for isName in ${IMAGESTREAMS}; do
+          echo "#### Patching ${isName} using insecure registry"
+          FROM=$(oc get -n openshift ${isName} -o=jsonpath={.spec.tags[0].from.name})
+          EXT_REG=${FROM%%@*}
+          INT_PULL_URL=${FROM/$EXT_REG/$DEVSCRIPTS_RELEASE_IMAGE_REPO}
+          oc patch -n openshift ${isName} --type json -p "[{\"op\": \"replace\", \"path\": \"/spec/tags/0/importPolicy/insecure\", \"value\": true}, {\"op\": \"replace\", \"path\": \"/spec/tags/0/from/name\", \"value\": \"${INT_PULL_URL}\"}]"
+        done
+        #export KUBECONFIG=${PREV_KUBECONFIG}
+
+        ### tests like "services when running openshift cluster on KubeVirt virtual machines should allow connections to pods from infra cluster pod *"
+        ### requires tools imagestream to be correctly refenced also on the infra cluster
+        isName=imagestream.image.openshift.io/tools
+        echo "#### Patching ${isName} using insecure registry"
+        FROM=$(oc --kubeconfig=${HYPERSHIFT_MANAGEMENT_CLUSTER_KUBECONFIG}  get -n openshift ${isName} -o=jsonpath={.spec.tags[0].from.name})
+        EXT_REG=${FROM%%@*}
+        INT_PULL_URL=${FROM/$EXT_REG/$DEVSCRIPTS_RELEASE_IMAGE_REPO}
+        oc patch --kubeconfig=${HYPERSHIFT_MANAGEMENT_CLUSTER_KUBECONFIG} -n openshift ${isName} --type json -p "[{\"op\": \"replace\", \"path\": \"/spec/tags/0/importPolicy/insecure\", \"value\": true}, {\"op\": \"replace\", \"path\": \"/spec/tags/0/from/name\", \"value\": \"${INT_PULL_URL}\"}]"
+        ###
+      }
+
       function mirror_test_images() {
         echo "### Mirroring test images"
       
         DEVSCRIPTS_TEST_IMAGE_REPO=${DS_REGISTRY}/localimages/local-test-image
-      
+
         openshift-tests images --to-repository ${DEVSCRIPTS_TEST_IMAGE_REPO} > /tmp/mirror
         scp "${SSHOPTS[@]}" /tmp/mirror "root@${IP}:/tmp/mirror"
       
@@ -17,8 +57,11 @@ chain:
       oc image mirror -f /tmp/mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json
       oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.8  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-28-registry-k8s-io-pause-3-8-aP7uYsw5XCmoDy5W
       oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.9  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-27-registry-k8s-io-pause-3-9-p9APyPDU5GsW02Rk
+      oc image mirror --registry-config ${DS_WORKING_DIR}/pull_secret.json --filter-by-os="linux/${ARCHITECTURE}.*" registry.k8s.io/pause:3.9  $DEVSCRIPTS_TEST_IMAGE_REPO:e2e-28-registry-k8s-io-pause-3-9-p9APyPDU5GsW02Rk
       EOF
+
         TEST_ARGS+=$(echo " --from-repository ${DEVSCRIPTS_TEST_IMAGE_REPO} ")
+
       }
       
       CLUSTER_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
@@ -87,6 +130,7 @@ chain:
           if [[ "${DISCONNECTED}" == "true" ]];
           then
             mirror_test_images
+            patch_image_streams
             export TEST_PROVIDER='{"type":"kubevirt","disconnected":true}'
           else
             export TEST_PROVIDER='{"type":"kubevirt"}'

diff --git a/...rshift/kubevirt/install/disconnected/hypershift-kubevirt-install-disconnected-commands.sh b/...rshift/kubevirt/install/disconnected/hypershift-kubevirt-install-disconnected-commands.sh
@@ -145,6 +145,18 @@ spec:
     source: quay.io/openshift-cnv
 END
 
+cat << END | oc apply -f -
+apiVersion: config.openshift.io/v1
+kind: ImageDigestMirrorSet
+metadata:
+  name: redhat-operator-index-0-fixes
+spec:
+  imageDigestMirrors:
+  - mirrors:
+    - \${mirror_registry}/openshift4/ose-kube-rbac-proxy
+    source: registry.redhat.io/openshift4/ose-kube-rbac-proxy
+END
+
 echo "7: Waiting for the new ImageContentSourcePolicy to be updated on machines"
 oc wait clusteroperators/machine-config --for=condition=Upgradeable=true --timeout=15m
 

diff --git a/...ed/conformance/hypershift-mce-kubevirt-baremetalds-disconnected-conformance-workflow.yaml b/...ed/conformance/hypershift-mce-kubevirt-baremetalds-disconnected-conformance-workflow.yaml
@@ -23,6 +23,7 @@ workflow:
     allow_best_effort_post_steps: true
     allow_skip_on_success: true
     post:
+    - ref: wait # TODO: remove me
     - ref: hypershift-mce-dump
     - chain: gather-core-dump
     - chain: hypershift-mce-kubevirt-destroy

diff --git a/ci-operator/step-registry/wait/wait-ref.yaml b/ci-operator/step-registry/wait/wait-ref.yaml
@@ -1,6 +1,6 @@
 ref:
   as: wait
-  from: cli
+  from: upi-installer
   grace_period: 5m
   timeout: 72h0m0s
   cli: latest