OCPBUGS-19716: Enable proxy cert test to run in CI #1823
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
saifshaikh48
changed the title
|
/test vsphere-proxy-e2e-operator |
saifshaikh48
changed the title
openshift-ci-robot
added
jira/valid-reference
|
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19716, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
3 times, most recently
from
b307bcd
to
0dc1a99
Compare
|
/test vsphere-proxy-e2e-operator cherry-picked from #1800 which had green CI. let's see if there is a timing issue in the tests |
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
2 times, most recently
from
2cb0f8d
to
d145394
Compare
|
/test vsphere-proxy-e2e-operator |
|
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19716, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
saifshaikh48
changed the title
| // First requires data to be written to a file and then provide the file path the cert constructor | ||
| "Set-Content C:\\Temp\\cert.pem $certString;"+ | ||
| "$expectedCert=[System.Security.Cryptography.X509Certificates.X509Certificate2]::new(\\\"C:\\Temp\\cert.pem\\\");"+ |
There was a problem hiding this comment.
I also tried with passing the cert byte data directly to the X509Certificate2 constructor and, interestingly enough, reading from a file was consistently speedier.
There was a problem hiding this comment.
@saifshaikh48 thanks for working on this, PTAL at my comments.
hack/run-ci-e2e-test.sh
Outdated
| @@ -160,7 +160,7 @@ if [[ "$TEST" = "all" || "$TEST" = "basic" ]]; then | |||
| printf "\n####### Testing service reconciliation #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
| go test ./test/e2e/... -run=TestWMCO/service_reconciliation -v -timeout=20m -args $GO_TEST_ARGS | |||
| printf "\n####### Testing cluster-wide proxy #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
| go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=10m -args $GO_TEST_ARGS | |||
| go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=45m -args $GO_TEST_ARGS | |||
There was a problem hiding this comment.
This is a 350% timeout increase. Did you run this with a dev cluster? Wondering what is the average run time?
There was a problem hiding this comment.
Do you know what part of the test is taking a long time to run?
There was a problem hiding this comment.
average runtime is 25-30min, cert test is the one that takes a long time as CNO injects 100+ certs into the proxy certs CM. Checking each one on each Win node takes a long while
hack/run-ci-e2e-test.sh
Outdated
| @@ -160,7 +160,7 @@ if [[ "$TEST" = "all" || "$TEST" = "basic" ]]; then | |||
| printf "\n####### Testing service reconciliation #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
| go test ./test/e2e/... -run=TestWMCO/service_reconciliation -v -timeout=20m -args $GO_TEST_ARGS | |||
| printf "\n####### Testing cluster-wide proxy #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
| go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=10m -args $GO_TEST_ARGS | |||
| go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=45m -args $GO_TEST_ARGS | |||
There was a problem hiding this comment.
Do you know what part of the test is taking a long time to run?
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
6 times, most recently
from
1ae9961
to
f53040d
Compare
|
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19716, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test vsphere-proxy-e2e-operator Green locally 🚀 |
This test is flaking consistently after we fix the way we check for proxy enabled in the e2e tests. This test has been temporarily disabled until we address it (timing issue).
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
from
f53040d
to
c19ff74
Compare
test/e2e/main_test.go
Outdated
| // proxyEnabled indicates whether a cluster-wide proxy is in use in the test environment | ||
| proxyEnabled bool |
There was a problem hiding this comment.
Why should this be added to the testContext struct?
Based on the way this is used I suggest just calling testContext.client.IsProxyEnabled() instead.
Caching it in this way doesn't seem useful enough to justify, and could cause problems if the proxy status is changed after testContext is initialized.
test/e2e/clusterinfo/openshift.go
Outdated
| @@ -93,3 +93,12 @@ func (o *OpenShift) GetInfrastructure() (*config.Infrastructure, error) { | |||
| } | |||
| return infra, nil | |||
| } | |||
|
|
|||
| // IsProxyEnabled queries the Proxy resource to see if a cluster-wide proxy is enabled in this environment | |||
| func (o *OpenShift) IsProxyEnabled() (bool, error) { | |||
There was a problem hiding this comment.
nit: consider renaming this to ProxyEnabled, just personal preference as it seems more natural to me:
if o.ProxyEnabled{}
vs
if o.IsProxyEnabled{}
test/e2e/proxy_test.go
Outdated
| var patches []*patch.JSONPatch | ||
| patches = append(patches, patch.NewJSONPatch("replace", "/spec/trustedCA/name", userCABundleName)) |
There was a problem hiding this comment.
patches := []*patch.JSONPatch{patch.NewJSONPatch("replace", "/spec/trustedCA/name", userCABundleName)}
test/e2e/proxy_test.go
Outdated
| "Where-Object {$_.Subject -eq '%s'}).Count", string(subjectBytes)) | ||
| out, err := tc.runPowerShellSSHJob(fmt.Sprintf("get-cert-%d", i), command, addr) | ||
| // Read in one cert at a time and test it exists in the Windows instance's system store | ||
| scanner := bufio.NewScanner(strings.NewReader(trustedCABundle)) |
There was a problem hiding this comment.
Have you looked at https://pkg.go.dev/encoding/pem#Decode?
It looks like this functionality might be built in.
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
if block.Type == "CERTIFICATE"{
Bringing this up because this code + splitAtPEMCert() seems to be duplicated from the WICD code. Keeping things simpler here and using stdlib functions might make things easier to maintain.
Not sure if decoding the actual data causes a problem for this. Re-encoding the individual blocks with pem.Encode before doing the comparison is always an option :)
There was a problem hiding this comment.
Good point, I initially was using pem.Decode in the source code but had to move away from that approach to avoid reading an arbitrary number of certs into memory. I don't see any issue using it in the test code (where we are controlling the # of certs)
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
from
c19ff74
to
53895f8
Compare
This commit updates the way we are retrieving the proxy object in test cluster. The previous check cluster.isProxyEnabled() looks at the env vars in the environment from where it is called. The test pod doesn't run on the e2e cluster where proxy is enabled and WMCO is running. It runs in an ephemeral namespace on the CI cluster where the check will always return false. Co-authored-by: Mansi Kulkarni <mankulka@redhat.com>
In proxied clusters, this commit configures the proxy to use user-provided additional certs by creating a ConfigMap (that CNO merges with other proxy certs it deems necessary).
This commit fixes the proxy certificate import test. Ensuring certs where present in the Windows store by comparing subjects was not working properly since Windows and Golang extract the subject from the cert data differently, in incompatible formats. Instead, we now compare expected and actual certificates directly through powershell. It moves the cert validation test before the environment variable tests occur since the env var removal test removes the cluster-wide proxy/makes WMCO delete the TrustedCAConfigMap which the cert test relies on. This commit also increases the time limit for running proxy test suite to avoid timeouts now that the fixed tests run.
saifshaikh48
force-pushed
the
fixproxycerttest2
branch
from
53895f8
to
3bb78e6
Compare
|
/test vsphere-proxy-e2e-operator |
|
@saifshaikh48: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saifshaikh48, sebsoto The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/cherry-pick release-4.14 |
|
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@saifshaikh48: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@saifshaikh48: Jira Issue OCPBUGS-19716: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-19716 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@saifshaikh48: new pull request created: #1860 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Proxy tests were not actually running due to an issue with the proxy enabled check.
When enabled, a few of the tests were failing so one was patched and the other was
disabled with the fix coming in another PR (#1800).