From 4e7db01996719bf774828752af018b2e446b77e2 Mon Sep 17 00:00:00 2001
From: wangke19
Date: Tue, 9 Dec 2025 16:39:40 +0800
Subject: [PATCH 1/3] Reapply "OCPBUGS-60853: make TLS registry tests required"
This reverts commit 714b0f2190c567325d3187dcacd6edaea8ffac69.
---
 test/extended/operators/certs.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/test/extended/operators/certs.go b/test/extended/operators/certs.go
index f55053a3af7c..d0feaa7ab149 100644
--- a/test/extended/operators/certs.go
+++ b/test/extended/operators/certs.go
@@ -276,11 +276,8 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 if len(newTLSRegistry.CertKeyPairs) > 0 || len(newTLSRegistry.CertificateAuthorityBundles) > 0 {
 registryString, err := json.MarshalIndent(newTLSRegistry, "", " ")
 if err != nil {
- // g.Fail("Failed to marshal registry %#v: %v", newTLSRegistry, err)
 testresult.Flakef("Failed to marshal registry %#v: %v", newTLSRegistry, err)
 }
- // TODO: uncomment when test no longer fails and enhancement is merged
- // g.Fail(fmt.Sprintf("Unregistered TLS certificates:\n%s", registryString))
 testresult.Flakef("Unregistered TLS certificates found:\n%s\nSee tls/ownership/README.md in origin repo", registryString)
 }
 })
@@ -291,9 +288,13 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 o.Expect(err).NotTo(o.HaveOccurred())
 if len(messages) > 0 {
+<<<<<<< HEAD
 // TODO: uncomment when test no longer fails and enhancement is merged
 // g.Fail(strings.Join(messages, "\n"))
 testresult.Flakef("%s", strings.Join(messages, "\n"))
+=======
+ g.Fail(strings.Join(messages, "\n"))
+>>>>>>> 1e1a521985 (Reapply "OCPBUGS-60853: make TLS registry tests required")
 }
 })
From 6ecd8061ee7a374c480d2bec095823b0a2f565d3 Mon Sep 17 00:00:00 2001
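Review bot: Both paths in the `@@ -276,11 +276,8` hunk still end in `testresult.Flakef`, so an unregistered TLS certificate is reported as a flake and the test does not become required, contrary to the commit title; the hunk only deletes the commented-out `g.Fail` lines and the TODO that recorded the intent. If the gate is meant to be hard, the last call should be `g.Fail(fmt.Sprintf("Unregistered TLS certificates found:\n%s\nSee tls/ownership/README.md in origin repo", registryString))`; if it is deliberately soft for now, keep a marker such as `// TODO(OCPBUGS-60853): switch to g.Fail once all TLS artifacts are registered`. Whether `Flakef` returns to the caller is not visible here; if it does, a marshal error is followed by a second report carrying an empty `registryString`. The enclosing `g.It` closure starts outside the hunk.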
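Review bot: The lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 1e1a521985 (...)` in the `@@ -291,9 +288,13` hunk are added to certs.go as source inside `if len(messages) > 0`, so the file cannot compile at this commit and both resolutions (`testresult.Flakef` and `g.Fail`) sit side by side. Resolve the conflict in this commit and leave a single call, `g.Fail(strings.Join(messages, "\n"))` if the test is to be required as the title says. The next patch in the series deletes the markers, but this commit on its own stays unbuildable, which breaks bisecting and any cherry-pick of it alone. The enclosing `g.It` closure starts outside the hunk.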
From: wangke19
Date: Tue, 9 Dec 2025 16:44:49 +0800
Subject: [PATCH 2/3] cert tests: mark TLS certificate tests as informing
Add ote.Informing() to both certificate tests so that failures are recorded but don't block CI jobs: - all tls artifacts must be registered - all registered tls artifacts must have no metadata violation regressions This allows the tests to continue gathering data without blocking development while certificates are being properly registered and metadata is being fixed.
---
 test/extended/operators/certs.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/test/extended/operators/certs.go b/test/extended/operators/certs.go
index d0feaa7ab149..19c55f7f3904 100644
--- a/test/extended/operators/certs.go
+++ b/test/extended/operators/certs.go
@@ -26,6 +26,7 @@ import (
 g "github.com/onsi/ginkgo/v2"
 o "github.com/onsi/gomega"
+ ote "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
 "github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphanalysis"
 "github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
@@ -175,7 +176,7 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 o.Expect(err).NotTo(o.HaveOccurred())
 })
- g.It("all tls artifacts must be registered", func() {
+ g.It("all tls artifacts must be registered", ote.Informing(), func() {
 violationsPKIContent, err := certs.GetPKIInfoFromEmbeddedOwnership(ownership.PKIViolations)
 o.Expect(err).NotTo(o.HaveOccurred())
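Review bot: The `ote.Informing()` decorator added here, and again in the `@@ -282,19 +283,13` hunk, carries no comment saying why the test is non-blocking or what has to be true before it becomes blocking. Both tests also report their findings through `testresult.Flakef`, so, judging by the names, neither an unregistered TLS artifact nor a metadata regression can fail a job after this patch, and that hunk deletes the only TODO that recorded the intent to fail. Add a marker above each `g.It`, for example `// TODO(OCPBUGS-60853): drop ote.Informing() and replace Flakef with g.Fail once all TLS artifacts are registered`. Both closures continue outside their hunks.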
@@ -282,19 +283,13 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 }
 })
- g.It("all registered tls artifacts must have no metadata violation regressions", func() {
+ g.It("all registered tls artifacts must have no metadata violation regressions", ote.Informing(), func() {
 violationRegressionOptions := ensure_no_violation_regression.NewEnsureNoViolationRegressionOptions(ownership.AllViolations, genericclioptions.NewTestIOStreamsDiscard())
 messages, _, err := violationRegressionOptions.HaveViolationsRegressed([]*certgraphapi.PKIList{actualPKIContent})
 o.Expect(err).NotTo(o.HaveOccurred())
 if len(messages) > 0 {
-<<<<<<< HEAD
- // TODO: uncomment when test no longer fails and enhancement is merged
- // g.Fail(strings.Join(messages, "\n"))
 testresult.Flakef("%s", strings.Join(messages, "\n"))
-=======
- g.Fail(strings.Join(messages, "\n"))
->>>>>>> 1e1a521985 (Reapply "OCPBUGS-60853: make TLS registry tests required")
 }
 })
From b3135b26625c8de9038d97a6a42e97063a8c3cb3 Mon Sep 17 00:00:00 2001
From: wangke19
Date: Mon, 15 Dec 2025 12:06:24 +0800
Subject: [PATCH 3/3] cert tests: skip TLS certificate tests on ROSA clusters
Add IsRosaCluster() function to test/extended/util/framework.go and use it to skip TLS certificate tests on ROSA clusters, similar to how we skip for MicroShift and Hypershift. ROSA clusters do not auto-collect TLS certificates the same way as standard OpenShift clusters.
---
 test/extended/operators/certs.go | 3 +++
 test/extended/util/framework.go | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/test/extended/operators/certs.go b/test/extended/operators/certs.go
index 19c55f7f3904..7caffb91fb87 100644
--- a/test/extended/operators/certs.go
+++ b/test/extended/operators/certs.go
@@ -105,6 +105,9 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 if ok, _ := exutil.IsHypershift(ctx, configClient); ok {
 g.Skip("hypershift does not auto-collect TLS.")
 }
+ if ok, _ := exutil.IsRosaCluster(oc); ok {
+ g.Skip("ROSA does not auto-collect TLS.")
+ }
 var err error
 onDiskPKIContent := &certgraphapi.PKIList{}
diff --git a/test/extended/util/framework.go b/test/extended/util/framework.go
index d2815ae01bea..40140de53347 100644
--- a/test/extended/util/framework.go
+++ b/test/extended/util/framework.go
@@ -2337,6 +2337,16 @@ func IsMicroShiftCluster(kubeClient k8sclient.Interface) (bool, error) {
 return true, nil
 }
+// IsRosaCluster returns "true" if a cluster is ROSA,
+// "false" otherwise.
+func IsRosaCluster(oc *CLI) (bool, error) {
+ product, err := oc.WithoutNamespace().AsAdmin().Run("get").Args("clusterclaims/product.open-cluster-management.io", "-o=jsonpath={.spec.value}").Output()
+ if err != nil {
+ return false, nil
+ }
+ return strings.Compare(product, "ROSA") == 0, nil
+}
+
 func IsTwoNodeFencing(ctx context.Context, configClient clientconfigv1.Interface) bool {
 infrastructure, err := configClient.ConfigV1().Infrastructures().Get(ctx, "cluster", metav1.GetOptions{})
 if err != nil {
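Review bot: `IsRosaCluster` in the framework.go hunk returns `false, nil` when the `oc get clusterclaims/...` call fails, so its error result is always nil and the `if ok, _ := exutil.IsRosaCluster(oc)` call added in certs.go cannot tell "not ROSA" from "could not determine". Falling back to false keeps the TLS checks running, which is the safe direction for a skip gate, but the choice should be stated at the branch, for example `// Any lookup failure is treated as "not ROSA" so the TLS tests still run.`, or the function should return the error for anything other than a missing resource. `strings.Compare(product, "ROSA") == 0` reads better as `product == "ROSA"`. Whether `Output()` trims trailing whitespace is not visible here, so `strings.TrimSpace(product) == "ROSA"` may be the safer comparison. The doc comment should say the function reports whether the cluster is ROSA and mention the lookup-failure case, without quoting the booleans as strings.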