
Add etcd signer verification and etcd-operator presubmits for ConfigurablePKI feature#78663

Open
hasbro17 wants to merge 1 commit into openshift:main from hasbro17:pki-ci-test-update

Conversation

@hasbro17
Contributor

@hasbro17 hasbro17 commented Apr 30, 2026

Follow up to #77043
Adding tests for openshift/cluster-etcd-operator#1593

Summary

  • Extend openshift-installer-pki-verify to unconditionally check etcd-signer and etcd-metrics-signer secrets (9 total, up from 7)
  • Add EXPECTED_PKI_MODE env var to support mode: Default (pki section omitted) vs mode: Custom (explicit pki.signerCertificates)
  • Add optional PKI presubmit jobs to cluster-etcd-operator main config (e2e-aws-ovn-pki-default-techpreview, e2e-aws-ovn-pki-rsa-techpreview)

Test plan

  • /test e2e-aws-ovn-pki-default-techpreview on etcd-operator PR validates ECDSA P-384 default behavior
  • /test e2e-aws-ovn-pki-rsa-techpreview on etcd-operator PR validates explicit RSA-4096 override

Summary by CodeRabbit

  • Tests
    • Added E2E test jobs for validating ECDSA (secp384r1) default and RSA 4096 PKI modes on AWS.
    • Enhanced PKI verification to support validating expected PKI modes across installer versions.
    • Extended PKI verification to include etcd-related PKI signer secrets.

Extend pki-verify to unconditionally check etcd-signer and
etcd-metrics-signer secrets (openshift-etcd namespace), bringing the
total from 7 to 9 verified signers. Add configurable EXPECTED_PKI_MODE
env var (default: Custom) to support the updated installer behavior
where mode is "Default" when pki section is omitted from install-config.

Add optional PKI presubmit jobs (e2e-aws-ovn-pki-default-techpreview,
e2e-aws-ovn-pki-rsa-techpreview) to the etcd-operator main config as
the etcd-operator is adding support for consuming PKI config.

Assisted-by: Claude Code (Opus 4.6)
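A stand-alone sketch of the check this PR extends, added here as an example rather than the step-registry script or the etcd-operator's code. It assumes openssl is on PATH, that the expectation is compared as an "ALG PARAM" pair (e.g. "ECDSA secp384r1", "RSA 4096"), and that a signer secret carries its certificate under tls.crt; it generates its own constructed certificates so it runs offline.

```shell
#!/bin/sh
# Added example, not the openshift-installer-pki-verify step itself: checks a
# signer certificate's key algorithm/parameter against EXPECTED_ALGORITHM /
# EXPECTED_KEY_PARAM and the PKI CR mode against EXPECTED_PKI_MODE. The
# summary formats "ECDSA secp384r1" and "RSA 4096" are assumed here.
set -eu

# Print "ALG PARAM" for a PEM certificate: "ECDSA <curve>" or "RSA <bits>".
cert_key_summary() {
  text=$(openssl x509 -in "$1" -noout -text)
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -1)
  case "$alg" in
    id-ecPublicKey)
      printf 'ECDSA %s\n' "$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p' | head -1)" ;;
    rsaEncryption)
      printf 'RSA %s\n' "$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)" ;;
    *) printf 'UNKNOWN %s\n' "$alg" ;;
  esac
}

# Compare one signer cert with the expectation: 0 on match, 1 on mismatch.
# In a cluster the PEM comes from the secret (tls.crt key assumed), e.g.
#   oc get secret -n openshift-etcd etcd-signer -o jsonpath='{.data.tls\.crt}' | base64 -d
check_signer() { # name pem expected_alg expected_param
  got=$(cert_key_summary "$2")
  if [ "$got" = "$3 $4" ]; then echo "PASS $1: $got"; return 0; fi
  echo "FAIL $1: got '$got', expected '$3 $4'"; return 1
}

# Mode check: Default when install-config omits the pki section, Custom when
# pki.signerCertificates is given. Read the actual value from .spec.mode.
check_mode() { # actual expected
  if [ "$1" = "$2" ]; then echo "PASS pki mode: $1"; return 0; fi
  echo "FAIL pki mode: got '$1', expected '$2'"; return 1
}

# Constructed self-signed certificates standing in for the secret contents.
make_ec_cert() { # path
  openssl ecparam -name secp384r1 -genkey -noout -out "$1.key" 2>/dev/null
  openssl req -x509 -new -key "$1.key" -subj /CN=etcd-signer -out "$1" 2>/dev/null
}
make_rsa_cert() { # path bits
  openssl genrsa -out "$1.key" "$2" 2>/dev/null
  openssl req -x509 -new -key "$1.key" -subj /CN=etcd-metrics-signer -out "$1" 2>/dev/null
}
# Demo: a P-384 signer meets the Default-mode expectation; an RSA-2048 signer
# is caught when RSA-4096 was requested.
tmp=$(mktemp -d)
make_ec_cert "$tmp/etcd-signer.pem"
make_rsa_cert "$tmp/etcd-metrics-signer.pem" 2048
check_mode "${ACTUAL_PKI_MODE:-Default}" "${EXPECTED_PKI_MODE:-Default}"
check_signer etcd-signer "$tmp/etcd-signer.pem" ECDSA secp384r1
check_signer etcd-metrics-signer "$tmp/etcd-metrics-signer.pem" RSA 4096 || true
rm -rf "$tmp"
```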
@coderabbitai
Contributor

coderabbitai Bot commented Apr 30, 2026

Walkthrough

This pull request introduces PKI mode verification infrastructure for OpenShift installers. Two new E2E test jobs are added to validate default ECDSA and RSA PKI modes on AWS, with the EXPECTED_PKI_MODE environment variable propagated across five installer configuration versions. The PKI verification script is enhanced to dynamically validate against the expected PKI mode and verify additional etcd-related signer secrets.

Changes

Cohort: Test Job Definitions
File(s): ci-operator/config/openshift/cluster-etcd-operator/openshift-cluster-etcd-operator-main.yaml
Summary: Two new optional E2E jobs added: e2e-aws-ovn-pki-default-techpreview (ECDSA/secp384r1 PKI validation) and e2e-aws-ovn-pki-rsa-techpreview (RSA 4096 PKI validation). Both target the openshift-org-aws cluster profile and use the openshift-e2e-aws workflow.

Cohort: Installer Configuration
File(s): ci-operator/config/openshift/installer/openshift-installer-main.yaml, openshift-installer-release-4.22.yaml, openshift-installer-release-4.23.yaml, openshift-installer-release-5.0.yaml, openshift-installer-release-5.1.yaml
Summary: Added EXPECTED_PKI_MODE: Default environment variable to the e2e-aws-ovn-pki-default-techpreview job's openshift-installer-pki-verify step configuration across all installer versions.

Cohort: PKI Verification Logic
File(s): ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh, openshift-installer-pki-verify-ref.yaml
Summary: Script now validates PKI mode dynamically against ${EXPECTED_PKI_MODE} instead of hard-coding "Custom". Added etcd-signer and etcd-metrics-signer to the signer verification set. Ref definition documents the new EXPECTED_PKI_MODE parameter with "Custom" as default value.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately summarizes the main changes: adding etcd signer verification to the PKI verification script and introducing new presubmit jobs for etcd-operator testing within the ConfigurablePKI feature. The title is specific, concise, and reflects the primary objectives of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR modifies CI configuration files and bash scripts without introducing or modifying any Ginkgo test definitions, so the stable test names check does not apply.
Test Structure And Quality ✅ Passed This custom check for Ginkgo test code quality is not applicable to this pull request. The PR contains only CI configuration files (YAML) and a bash shell script for PKI verification. No Ginkgo test code files (_test.go) are added, modified, or removed.
Microshift Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. The changes are purely CI orchestration configuration in the openshift/release repository: two new job definitions in YAML that reference existing test steps and workflows, plus a bash verification script that checks for certificate properties. The actual Ginkgo tests being orchestrated are defined in other repositories. Since no new Ginkgo test code is introduced, the MicroShift API compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This pull request does not add any new Ginkgo e2e tests. The changes consist solely of CI/operator configuration files (YAML), a bash verification script for PKI checks, and step registry metadata. The PR modifies CI job definitions and infrastructure verification tools, not test code with Ginkgo test declarations like It(), Describe(), Context(), or When(). Since no new Ginkgo e2e tests are introduced, the SNO compatibility check is not applicable to this PR.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only CI configuration files and test scripts; no deployment manifests, operator code, controllers, or scheduling constraints present.
Ote Binary Stdout Contract ✅ Passed PR modifies only CI operator configuration YAML files and bash verification scripts, not OTE binary Go code or test binaries communicating via JSON stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Pull request contains only CI infrastructure changes (YAML configs and bash helper script), not new Ginkgo e2e tests.


@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@hasbro17: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cluster-etcd-operator-main-e2e-aws-ovn-pki-default-techpreview openshift/cluster-etcd-operator presubmit Presubmit changed
pull-ci-openshift-cluster-etcd-operator-main-e2e-aws-ovn-pki-rsa-techpreview openshift/cluster-etcd-operator presubmit Presubmit changed
pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-pki-default-techpreview openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-main-e2e-aws-ovn-pki-default-techpreview openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-5.1-e2e-aws-ovn-pki-default-techpreview openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-pki-default-techpreview openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-pki-default-techpreview openshift/installer presubmit Ci-operator config changed
pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa-techpreview openshift/installer presubmit Registry content changed
pull-ci-openshift-installer-release-5.1-e2e-aws-ovn-pki-rsa-techpreview openshift/installer presubmit Registry content changed
pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-pki-rsa-techpreview openshift/installer presubmit Registry content changed
pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-pki-rsa-techpreview openshift/installer presubmit Registry content changed
pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-pki-rsa-techpreview openshift/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-main-e2e-aws-ovn-pki-default-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-main-e2e-aws-ovn-pki-rsa-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-5.1-e2e-aws-ovn-pki-default-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-5.1-e2e-aws-ovn-pki-rsa-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-5.0-e2e-aws-ovn-pki-default-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-5.0-e2e-aws-ovn-pki-rsa-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-4.23-e2e-aws-ovn-pki-default-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-4.23-e2e-aws-ovn-pki-rsa-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-4.22-e2e-aws-ovn-pki-default-techpreview openshift-priv/installer presubmit Registry content changed
pull-ci-openshift-priv-installer-release-4.22-e2e-aws-ovn-pki-rsa-techpreview openshift-priv/installer presubmit Registry content changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
ci-operator/config/openshift/cluster-etcd-operator/openshift-cluster-etcd-operator-main.yaml (1)

289-303: ⚡ Quick win

Set EXPECTED_PKI_MODE explicitly in the RSA job to avoid implicit coupling to ref defaults.

Line 290 onward currently inherits the step default. Pinning it in-job makes intent explicit and avoids accidental behavior drift if the ref default ever changes.

♻️ Proposed fix
 - always_run: false
   as: e2e-aws-ovn-pki-rsa-techpreview
   optional: true
   steps:
     cluster_profile: openshift-org-aws
     env:
       EXPECTED_ALGORITHM: RSA
       EXPECTED_KEY_PARAM: "4096"
+      EXPECTED_PKI_MODE: Custom
       FEATURE_SET: TechPreviewNoUpgrade
       PKI_ALGORITHM: RSA
       PKI_RSA_KEY_SIZE: "4096"
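Review bot: The added `EXPECTED_PKI_MODE: Custom` line is the right value for this job, since the RSA job passes explicit `PKI_ALGORITHM`/`PKI_RSA_KEY_SIZE` overrides and the ref documents Default and Custom as the two modes; note that the agent prompt accompanying this finding instead says to set the variable to "RSA", which is an algorithm name rather than a mode, so anyone applying the prompt literally would make the mode check fail on an otherwise healthy cluster. Apply the hunk as shown and disregard the "RSA" wording.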
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/config/openshift/cluster-etcd-operator/openshift-cluster-etcd-operator-main.yaml`
around lines 289 - 303, The job e2e-aws-ovn-pki-rsa-techpreview currently relies
on a ref default for PKI mode; explicitly set the EXPECTED_PKI_MODE environment
variable in that job's env block (alongside EXPECTED_ALGORITHM,
EXPECTED_KEY_PARAM, PKI_ALGORITHM, PKI_RSA_KEY_SIZE) to "RSA" so the behavior is
pinned regardless of changes in the referenced refs like
openshift-installer-pki-verify.
ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh (1)

130-135: ⚡ Quick win

Use structured field lookup for PKI mode instead of grepping YAML.

Line 130 currently parses mode via grep "mode:", which can misread future YAML changes. Querying .spec.mode directly is safer and still simple.

♻️ Proposed fix
-  mode=$(echo "${pki_cr}" | grep "mode:" | head -1 | awk '{print $2}' || true)
+  mode=$(oc get pki cluster -o jsonpath='{.spec.mode}' 2>/dev/null || true)
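Review bot: The replacement line assumes the PKI resource is addressable as `pki cluster`, which is not visible in this hunk; confirm the kind and object name the script already used to populate `${pki_cr}`. It also issues a second API call whose failure `2>/dev/null || true` swallows, leaving `mode` empty and turning a lookup error into a misleading "mode mismatch" report. Preferable: fetch the object once as JSON and read `.spec.mode` with jq (or `-o jsonpath='{.spec.mode}'` on that single fetch), and treat an empty result as a retrieval failure rather than comparing it against `EXPECTED_PKI_MODE`.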
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh`
around lines 130 - 135, Replace the fragile grep-based YAML parsing for `mode`
with a structured lookup into `.spec.mode`; specifically, instead of using the
`grep|head|awk` pipeline on `pki_cr`, extract the field via a YAML/JSON parser
(e.g., `yq` or `jq`/`oc/kubectl --output=jsonpath`) so `mode=$(echo "${pki_cr}"
| yq e '.spec.mode' - 2>/dev/null || true)` (or the equivalent jsonpath
invocation) is used; keep the rest of the logic (the comparison against
EXPECTED_PKI_MODE, logging to ARTIFACT_LOG, and setting pki_status="FAIL")
unchanged and reference `pki_cr`, `EXPECTED_PKI_MODE`, `ARTIFACT_LOG`, and
`pki_status` when making the replacement.


📥 Commits

Reviewing files that changed from the base of the PR and between e7dea04 and 9b84f15.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/cluster-etcd-operator/openshift-cluster-etcd-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (8)
  • ci-operator/config/openshift/cluster-etcd-operator/openshift-cluster-etcd-operator-main.yaml
  • ci-operator/config/openshift/installer/openshift-installer-main.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml
  • ci-operator/config/openshift/installer/openshift-installer-release-5.1.yaml
  • ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh
  • ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.yaml

@openshift-ci
Contributor

openshift-ci Bot commented Apr 30, 2026

@hasbro17: all tests passed!


@hasbro17
Contributor Author

/pj-rehearse

@openshift-merge-bot
Contributor

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@rh-roman

rh-roman commented May 8, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged) May 8, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hasbro17, rh-roman
Once this PR has been reviewed and has the lgtm label, please assign zaneb for approval. For more information see the Code Review Process.

