OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints #29339

vrutkovs · 2024-12-03T13:40:14Z

Add tests which check that kube-apiserver is reachable via service network, external and internal api endpoints.

In standarf e2e test flow this is being verified by monitor test, but cert rotation tests are disruptive and can't observe the cluster when time is being skewed to emulate age. As a result, these tests need to be oneshot verification tests

openshift-ci-robot · 2024-12-03T13:40:20Z

@vrutkovs: This pull request references Jira Issue OCPBUGS-43777, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.19.0) matches configured target version for branch (4.19.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Add tests which check that kube-apiserver is reachable via service network, external and internal api endpoints

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

vrutkovs · 2024-12-04T10:40:10Z

/retest

openshift-trt · 2024-12-04T15:26:36Z

Job Failure Risk Analysis for sha: 6252a14

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-kube-apiserver-rollout	IncompleteTests Tests for this run (103) are below the historical average (1373): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6	IncompleteTests Tests for this run (103) are below the historical average (2601): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn	IncompleteTests Tests for this run (103) are below the historical average (2397): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	IncompleteTests Tests for this run (102) are below the historical average (2746): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

everettraven · 2024-12-04T16:15:35Z

test/extended/apiserver/access.go

+				} else {
+					apiPath = strings.Replace(externalAPIUrl.Host, "api.", "api-int.", 1)
+				}


Is api-int.* always going to resolve to the internal API server endpoint?

Would pulling the internal API server URL using infra.Status.APIServerInternalURL be more reflective of the flow that a user/client may attempt to take if they were to look at the Infrastructure API?

Yes, good point. iiuc Hypershift may use a different URL for internal URL

Fixed in e1fd7a8

openshift-trt · 2024-12-05T12:11:06Z

Job Failure Risk Analysis for sha: e1fd7a8

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-serial	Medium [bz-kube-apiserver][invariant] alert/KubeAPIErrorBudgetBurn should not be at or above info This test has passed 97.73% of 44 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.19-e2e-aws-ovn-serial' 'periodic-ci-openshift-release-master-ci-4.19-e2e-aws-ovn-serial'] in the last 14 days. Open Bugs alert/KubeAPIErrorBudgetBurn should not be at or above info
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	Low [sig-node] static pods should start after being created This test has passed 70.73% of 164 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi Network:ovn NetworkStack:ipv4 Platform:aws SecurityMode:default Topology:single Upgrade:micro] in the last week. Open Bugs Static pod controller pods sometimes fail to start [etcd] --- [sig-node] static pods should start after being created This test has passed 70.73% of 164 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi Network:ovn NetworkStack:ipv4 Platform:aws SecurityMode:default Topology:single Upgrade:micro] in the last week. Open Bugs Static pod controller pods sometimes fail to start [etcd]

openshift-trt · 2024-12-05T16:32:17Z

Job Failure Risk Analysis for sha: c030cf7

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	Low [sig-node] static pods should start after being created This test has passed 71.07% of 159 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi Network:ovn NetworkStack:ipv4 Platform:aws SecurityMode:default Topology:single Upgrade:micro] in the last week. Open Bugs Static pod controller pods sometimes fail to start [etcd] --- [sig-node] static pods should start after being created This test has passed 71.07% of 159 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi Network:ovn NetworkStack:ipv4 Platform:aws SecurityMode:default Topology:single Upgrade:micro] in the last week. Open Bugs Static pod controller pods sometimes fail to start [etcd]

everettraven

Changes look reasonable to me.

/lgtm

openshift-trt · 2024-12-06T15:49:05Z

Job Failure Risk Analysis for sha: 587d445

Job Name	Failure Risk
pull-ci-openshift-origin-master-okd-scos-e2e-aws-ovn	IncompleteTests Tests for this run (20) are below the historical average (2329): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

everettraven

/lgtm

deads2k · 2025-01-09T16:00:53Z

test/extended/apiserver/access.go

+	"github.com/openshift/origin/test/extended/util/image"
+)
+
+var _ = g.Describe("[Conformance][sig-api-machinery][Feature:APIServer] kube-apiserver should be accessible via", func() {


Can you add a comment describing the need for a specific one-off test to verify that the certificates function properly after rotation as you indicated in slack? It's not obvious. After that I think it's good to approve.

Add tests which check that kube-apiserver is reachable via service network, external and internal api endpoints

deads2k · 2025-01-09T16:08:51Z

/lgtm
/approve

openshift-ci · 2025-01-09T16:09:37Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, everettraven, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

vrutkovs · 2025-01-09T16:28:34Z

/label acknowledge-critical-fixes-only

openshift-ci-robot · 2025-01-09T18:41:41Z

/retest-required

Remaining retests: 0 against base HEAD 727cacc and 2 for PR HEAD 885d4a4 in total

openshift-ci-robot · 2025-01-09T21:41:51Z

/retest-required

Remaining retests: 0 against base HEAD 9d28990 and 1 for PR HEAD 885d4a4 in total

openshift-ci · 2025-01-10T05:35:31Z

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-kube-apiserver-rollout	`885d4a4`	link	false	`/test e2e-metal-ipi-ovn-kube-apiserver-rollout`
ci/prow/e2e-openstack-ovn	`885d4a4`	link	false	`/test e2e-openstack-ovn`
ci/prow/e2e-gcp-csi	`885d4a4`	link	false	`/test e2e-gcp-csi`
ci/prow/e2e-aws-csi	`885d4a4`	link	false	`/test e2e-aws-csi`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2025-01-10T05:40:17Z

@vrutkovs: Jira Issue OCPBUGS-43777: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

openshift/cluster-kube-apiserver-operator#1759 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-43777 has not been moved to the MODIFIED state.

In response to this:

Add tests which check that kube-apiserver is reachable via service network, external and internal api endpoints.

In standarf e2e test flow this is being verified by monitor test, but cert rotation tests are disruptive and can't observe the cluster when time is being skewed to emulate age. As a result, these tests need to be oneshot verification tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-01-10T08:28:37Z

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-tests
This PR has been included in build openshift-enterprise-tests-container-v4.19.0-202501100737.p0.gb573a5b.assembly.stream.el9.
All builds following this will include this PR.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 3, 2024

openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Dec 3, 2024

openshift-ci bot requested review from wangke19, c3d and sjenning December 3, 2024 13:40

vrutkovs force-pushed the access-kube-apiserver branch from 24188fa to 6252a14 Compare December 3, 2024 14:22

vrutkovs changed the title ~~OCPBUGS-43777: apiserver: add tests to verify login via various methods~~ OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints Dec 4, 2024

everettraven reviewed Dec 4, 2024

View reviewed changes

vrutkovs force-pushed the access-kube-apiserver branch from 6252a14 to e1fd7a8 Compare December 5, 2024 08:18

vrutkovs force-pushed the access-kube-apiserver branch from e1fd7a8 to c030cf7 Compare December 5, 2024 12:40

everettraven approved these changes Dec 5, 2024

View reviewed changes

openshift-ci bot assigned everettraven Dec 5, 2024

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 5, 2024

vrutkovs force-pushed the access-kube-apiserver branch from c030cf7 to 587d445 Compare December 6, 2024 11:00

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 6, 2024

vrutkovs mentioned this pull request Jan 9, 2025

OCPBUGS-43777: cert-rotation: run tests which runs deployment and create projects openshift/release#58130

Open

everettraven approved these changes Jan 9, 2025

View reviewed changes

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

deads2k reviewed Jan 9, 2025

View reviewed changes

apiserver: add tests to verify login via various methods

885d4a4

Add tests which check that kube-apiserver is reachable via service network, external and internal api endpoints

vrutkovs force-pushed the access-kube-apiserver branch from 587d445 to 885d4a4 Compare January 9, 2025 16:08

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 9, 2025

openshift-ci bot assigned deads2k Jan 9, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2025

openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Jan 9, 2025

openshift-merge-bot bot merged commit b573a5b into openshift:master Jan 10, 2025
25 of 29 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints #29339

OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints #29339

vrutkovs commented Dec 3, 2024 •

edited

Loading

openshift-ci-robot commented Dec 3, 2024

vrutkovs commented Dec 4, 2024

openshift-trt bot commented Dec 4, 2024

everettraven Dec 4, 2024

vrutkovs Dec 4, 2024

vrutkovs Dec 5, 2024 •

edited

Loading

openshift-trt bot commented Dec 5, 2024

openshift-trt bot commented Dec 5, 2024

everettraven left a comment

openshift-trt bot commented Dec 6, 2024

everettraven left a comment

deads2k Jan 9, 2025

vrutkovs Jan 9, 2025

deads2k commented Jan 9, 2025

openshift-ci bot commented Jan 9, 2025

vrutkovs commented Jan 9, 2025

openshift-ci-robot commented Jan 9, 2025

openshift-ci-robot commented Jan 9, 2025

openshift-ci bot commented Jan 10, 2025

openshift-ci-robot commented Jan 10, 2025

openshift-bot commented Jan 10, 2025

OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints #29339

OCPBUGS-43777: apiserver: add tests to verify kube-apiserver is accessible via different endpoints #29339

Conversation

vrutkovs commented Dec 3, 2024 • edited Loading

openshift-ci-robot commented Dec 3, 2024

vrutkovs commented Dec 4, 2024

openshift-trt bot commented Dec 4, 2024

everettraven Dec 4, 2024

Choose a reason for hiding this comment

vrutkovs Dec 4, 2024

Choose a reason for hiding this comment

vrutkovs Dec 5, 2024 • edited Loading

Choose a reason for hiding this comment

openshift-trt bot commented Dec 5, 2024

openshift-trt bot commented Dec 5, 2024

everettraven left a comment

Choose a reason for hiding this comment

openshift-trt bot commented Dec 6, 2024

everettraven left a comment

Choose a reason for hiding this comment

deads2k Jan 9, 2025

Choose a reason for hiding this comment

vrutkovs Jan 9, 2025

Choose a reason for hiding this comment

deads2k commented Jan 9, 2025

openshift-ci bot commented Jan 9, 2025

vrutkovs commented Jan 9, 2025

openshift-ci-robot commented Jan 9, 2025

openshift-ci-robot commented Jan 9, 2025

openshift-ci bot commented Jan 10, 2025

openshift-ci-robot commented Jan 10, 2025

openshift-bot commented Jan 10, 2025

vrutkovs commented Dec 3, 2024 •

edited

Loading

vrutkovs Dec 5, 2024 •

edited

Loading