OCPBUGS-19716: Enable proxy cert test to run in CI #1823
Skipping CI for Draft Pull Request.
/test vsphere-proxy-e2e-operator
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19716, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
b307bcd to 0dc1a99
/test vsphere-proxy-e2e-operator
Cherry-picked from #1800, which had green CI. Let's see if there is a timing issue in the tests.
2cb0f8d to d145394
/test vsphere-proxy-e2e-operator
// First requires data to be written to a file and then provide the file path the cert constructor | ||
"Set-Content C:\\Temp\\cert.pem $certString;"+ | ||
"$expectedCert=[System.Security.Cryptography.X509Certificates.X509Certificate2]::new(\\\"C:\\Temp\\cert.pem\\\");"+ |
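Review bot: the Set-Content line writes every certificate to the same fixed path, C:\Temp\cert.pem, and nothing in these lines removes the file afterwards or confirms that C:\Temp exists. If these jobs can ever overlap on one node, a job may load a file that another job wrote, so consider a per-job file name and deleting the file after the comparison. The comment on the first line is also missing a word: "provide the file path to the cert constructor".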
I also tried with passing the cert byte data directly to the X509Certificate2 constructor and, interestingly enough, reading from a file was consistently speedier.
@saifshaikh48 thanks for working on this, PTAL at my comments.
hack/run-ci-e2e-test.sh
Outdated
@@ -160,7 +160,7 @@ if [[ "$TEST" = "all" || "$TEST" = "basic" ]]; then | |||
printf "\n####### Testing service reconciliation #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
go test ./test/e2e/... -run=TestWMCO/service_reconciliation -v -timeout=20m -args $GO_TEST_ARGS | |||
printf "\n####### Testing cluster-wide proxy #######\n" >> "$ARTIFACT_DIR"/wmco.log | |||
go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=10m -args $GO_TEST_ARGS | |||
go test ./test/e2e/... -run=TestWMCO/cluster-wide_proxy -v -timeout=45m -args $GO_TEST_ARGS |
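Review bot: the -timeout=45m on the cluster-wide_proxy line is a bare number with no explanation, and it is more than double the 20m given to service_reconciliation just above it. Add a comment in the script naming the part of the suite that needs the time, so the value can be lowered again once that part gets faster, or read the timeout from a variable so a CI job can override it.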
This is a 350% timeout increase. Did you run this with a dev cluster? Wondering what is the average run time?
Do you know what part of the test is taking a long time to run?
average runtime is 25-30min, cert test is the one that takes a long time as CNO injects 100+ certs into the proxy certs CM. Checking each one on each Win node takes a long while
1ae9961 to f53040d
/test vsphere-proxy-e2e-operator
Green locally 🚀
[proxy_test] Disable env var removal test
Let's be consistent with commit naming. [tests] Disable proxy env var removal
This test is flaking consistently after we fix the way we check for proxy enabled in the e2e tests. This test has been temporarily disabled until we address it (timing issue).
f53040d to c19ff74
test/e2e/main_test.go
Outdated
// proxyEnabled indicates whether a cluster-wide proxy is in use in the test environment | ||
proxyEnabled bool |
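Review bot: the comment on the proxyEnabled field does not say when the value is set or whether it is ever refreshed. If the field stays, document that it is a snapshot and where it is populated, so a test that changes the proxy configuration does not rely on a stale value.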
Why should this be added to the testContext struct?
Based on the way this is used I suggest just calling testContext.client.IsProxyEnabled() instead.
Caching it in this way doesn't seem useful enough to justify, and could cause problems if the proxy status is changed after testContext is initialized.
test/e2e/clusterinfo/openshift.go
Outdated
@@ -93,3 +93,12 @@ func (o *OpenShift) GetInfrastructure() (*config.Infrastructure, error) { | |||
} | |||
return infra, nil | |||
} | |||
|
|||
// IsProxyEnabled queries the Proxy resource to see if a cluster-wide proxy is enabled in this environment | |||
func (o *OpenShift) IsProxyEnabled() (bool, error) { |
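Review bot: the doc comment on IsProxyEnabled says the Proxy resource is queried but not which of its fields make the result true, nor what the bool holds when the error is non-nil. Spell out both, because a caller that drops the error could read a failed lookup as "proxy disabled" and skip the proxy tests without anyone noticing.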
nit: consider renaming this to ProxyEnabled, just personal preference as it seems more natural to me:
if o.ProxyEnabled{}
vs
if o.IsProxyEnabled{}
test/e2e/proxy_test.go
Outdated
var patches []*patch.JSONPatch | ||
patches = append(patches, patch.NewJSONPatch("replace", "/spec/trustedCA/name", userCABundleName)) |
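Review bot: the "replace" operation on /spec/trustedCA/name only succeeds when that path already exists in the target object (RFC 6902); on an object without it the patch is rejected. Confirm that the Proxy object in the test cluster always carries the field, or report the patch error clearly enough that it is not mistaken for a proxy failure.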
patches := []*patch.JSONPatch{patch.NewJSONPatch("replace", "/spec/trustedCA/name", userCABundleName)}
test/e2e/proxy_test.go
Outdated
"Where-Object {$_.Subject -eq '%s'}).Count", string(subjectBytes)) | ||
out, err := tc.runPowerShellSSHJob(fmt.Sprintf("get-cert-%d", i), command, addr) | ||
// Read in one cert at a time and test it exists in the Windows instance's system store | ||
scanner := bufio.NewScanner(strings.NewReader(trustedCABundle)) |
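Review bot: with the bufio.NewScanner loop over trustedCABundle, check scanner.Err() once scanning ends. A Scanner stops quietly when a line exceeds its token limit, and here that would end the loop early and leave the remaining certificates unverified while the test still passes. The loop body is not visible in these lines, so this may already be handled.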
Have you looked at https://pkg.go.dev/encoding/pem#Decode?
It looks like this functionality might be built in.
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
if block.Type == "CERTIFICATE"{
Bringing this up because this code + splitAtPEMCert() seems to be duplicated from the WICD code. Keeping things simpler here and using stdlib functions might make things easier to maintain.
Not sure if decoding the actual data causes a problem for this. Re-encoding the individual blocks with pem.Encode before doing the comparison is always an option :)
Good point, I initially was using pem.Decode in the source code but had to move away from that approach to avoid reading an arbitrary number of certs into memory. I don't see any issue using it in the test code (where we are controlling the # of certs)
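The pem.Decode loop suggested in this thread, carried through as an added example (not code from this PR or from WMCO): it walks a CA bundle, skips non-certificate blocks, rejects unparseable entries, and derives each certificate's SHA-1 thumbprint, the value Windows exposes as X509Certificate2.Thumbprint. Thumbprint matching is a swapped-in technique for illustration, chosen because it does not depend on how either side formats the subject; the names Thumbprints and SampleCert and the generated certificates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Thumbprints returns the uppercase hex SHA-1 of each certificate's DER bytes.
// SHA-1 serves only as the store's identifier here, not as a security property.
func Thumbprints(bundle []byte) ([]string, error) {
	var out []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys, parameters and other non-certificate blocks
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, fmt.Errorf("certificate #%d: %w", len(out)+1, err)
		}
		out = append(out, fmt.Sprintf("%X", sha1.Sum(block.Bytes)))
	}
	return out, nil
}

// SampleCert builds a constructed self-signed certificate (all-zero key seed, sample only).
func SampleCert(cn string) []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example, Inc."}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(Thumbprints(append(SampleCert("constructed-ca-1"), SampleCert("constructed-ca-2")...)))
}
```

The resulting list can be compared against the Thumbprint values of the certificates in the node's store, so a comma or ordering difference in the subject string no longer matters.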
c19ff74 to 53895f8
This commit updates the way we are retrieving the proxy object in test cluster. The previous check cluster.isProxyEnabled() looks at the env vars in the environment from where it is called. The test pod doesn't run on the e2e cluster where proxy is enabled and WMCO is running. It runs in an ephemeral namespace on the CI cluster where the check will always return false. Co-authored-by: Mansi Kulkarni <mankulka@redhat.com>
In proxied clusters, this commit configures the proxy to use user-provided additional certs by creating a ConfigMap (that CNO merges with other proxy certs it deems necessary).
This commit fixes the proxy certificate import test. Ensuring certs were present in the Windows store by comparing subjects was not working properly since Windows and Golang extract the subject from the cert data differently, in incompatible formats. Instead, we now compare expected and actual certificates directly through PowerShell. It moves the cert validation test before the environment variable tests occur since the env var removal test removes the cluster-wide proxy/makes WMCO delete the TrustedCAConfigMap which the cert test relies on. This commit also increases the time limit for running proxy test suite to avoid timeouts now that the fixed tests run.
53895f8 to 3bb78e6
LGTM from me. I will let @sebsoto give the approval given he had requested changes.
/test vsphere-proxy-e2e-operator
@saifshaikh48: all tests passed!
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: saifshaikh48, sebsoto
/cherry-pick release-4.14
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you. In response to this:
@saifshaikh48: Jira Issue OCPBUGS-19716: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-19716 has been moved to the MODIFIED state. In response to this:
@saifshaikh48: new pull request created: #1860 In response to this:
Proxy tests were not actually running due to an issue with the proxy enabled check. When enabled, a few of the tests were failing so one was patched and the other was disabled with the fix coming in another PR (#1800).