PKI config tests

[kaleemsiddiqu]

Tests for kube-apiserver and service-ca added

Summary by CodeRabbit

• Tests
  • Expanded extended end-to-end coverage for configurable PKI behavior under the feature gate, including registration for PKI suite execution.
  • Added kube-apiserver scenarios to verify certificate regeneration by deleting targeted kube-apiserver-related certificate Secrets, for both uniform and mixed configurations.
  • Added service-ca scenarios to verify regeneration of both signing and serving certificates, validating RSA and ECDSA key/curve parameters across mixed override combinations.
  • Strengthened secret-rotation verification to confirm regenerated Secrets are new and certificates match expected algorithms and parameters.
  • Improved test reliability with cleanup that reliably restores prior PKI configuration even when failures occur.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

Adds extended e2e coverage for configurable PKI profiles. The tests apply PKI settings, trigger secret regeneration, and verify regenerated certificate algorithms and key parameters for kube-apiserver and service-ca.

Changes

Extended PKI e2e coverage

Layer / File(s)	Summary
Registration and shared helpers test/extended/include.go, test/extended/pki/helpers.go	Registers the PKI extended test package and adds helper types and functions for feature-gate checks, PKI configuration updates, certificate parsing, secret rotation, and cleanup.
kube-apiserver suite and uniform cases test/extended/pki/pki_kube_apiserver.go	Sets up the kube-apiserver test suite and runs the uniform RSA and ECDSA regeneration cases with fixed secret targets and certificate assertions.
kube-apiserver mixed cases test/extended/pki/pki_kube_apiserver.go	Runs the mixed kube-apiserver cases with separate signer, serving, and client key expectations and validates the regenerated certificates for each category.
service-ca suite and config checks test/extended/pki/pki_service_ca.go	Sets up the service-ca test suite, checks feature-gate and CRD readiness, applies the configuration matrix, and waits for operator reconciliation and deployment readiness.
service-ca certificate regeneration test/extended/pki/pki_service_ca.go	Deletes signing and service certificate secrets, waits for regeneration, and validates the regenerated CA and service certificates for signer and serving overrides.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• sjenning
• p0lyn0mial
• neisw

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	service-ca uses context.TODO() with an unbounded operator watch and only logs reconciliation failures; both suites also rely on fixed sleeps instead of condition polling.	Add timeout-bound waits for reconciliation, fail the test on operator-wait errors, and replace fixed sleeps with Eventually/poll helpers; add messages to bare expectations.
Title check	❓ Inconclusive	The title is related to the changes, but it is too generic to clearly describe the new PKI e2e test suites.	Use a more specific title such as "Add kube-apiserver and service-ca PKI e2e tests".

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo titles are static strings; dynamic namespaces/timestamps appear only in test bodies, not in Describe/It names.
Microshift Test Compatibility	✅ Passed	Both new Ginkgo tests are tagged [apigroup:config.openshift.io] and [Skipped:MicroShift], so their unsupported OpenShift API usage is already gated.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The new PKI e2e tests only rotate secrets, verify cert contents, and wait for single pods; no multi-node/HA assumptions or SNO-sensitive scheduling logic found.
Topology-Aware Scheduling Compatibility	✅ Passed	Test-only changes add PKI e2e suites and a blank import; no deployment manifests, controllers, node selectors, or affinity rules were introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout writes were added in process-level code; the new PKI suite only uses e2e.Logf inside test cases, and its setup helpers just read env or register hooks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New PKI tests only use cluster-internal services/secrets and show no hardcoded IPv4s, ParseIP/CIDR, host URL building, or public endpoints.
No-Weak-Crypto	✅ Passed	New PKI tests use RSA/ECDSA only; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto, and comparisons are only cert metadata/UIDs.
Container-Privileges	✅ Passed	No container manifests or pod specs are added; the new PKI tests only manipulate secrets/services and contain no privileged settings.
No-Sensitive-Data-In-Logs	✅ Passed	No logs print secret contents, tokens, PII, or API keys; only resource names and cert key sizes/curves are logged.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kaleemsiddiqu
Once this PR has been reviewed and has the lgtm label, please assign stbenjam for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (1)

test/extended/pki/helpers.go (1)

108-125: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

buildKeyConfig silently returns an incomplete config for unrecognized algorithms.

If algorithm is neither RSA nor ECDSA, only Algorithm is set and both key bodies stay zero-valued, which could produce a confusing apply result downstream. Consider asserting/erroring on the default case so misconfigured test cases fail fast.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/helpers.go` around lines 108 - 125, buildKeyConfig
currently falls through for any algorithm other than KeyAlgorithmRSA or
KeyAlgorithmECDSA, leaving KeyConfig partially populated and hiding
misconfigured test inputs. Update buildKeyConfig to explicitly handle the
supported algorithms and add a default branch that fails fast (for example by
asserting or returning an error) when an unrecognized KeyAlgorithm is passed, so
callers of buildKeyConfig get an immediate signal instead of an incomplete
config.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/pki/helpers.go`:
- Around line 284-293: waitForSecretRegeneration currently treats any existing
secret as success, so it can return the old secret or a newly created secret
before cert data is ready. Update the helper in helpers.go to wait for a
genuinely regenerated secret by comparing against the deleted secret’s
UID/resourceVersion (or by confirming the secret is gone first), and then
require that the new secret contains certKey in Data before returning. Adjust
the call site in pki_kube_apiserver.go to pass the identifier needed to
distinguish the old secret from the recreated one.
- Around line 168-174: The PKI create-or-update flow in the helper currently
treats every Get failure as “missing” and falls back to Create, which can hide
RBAC, timeout, or server errors. Update the logic in the PKI helper path to only
call Create when configClient.ConfigV1alpha1().PKIs().Get returns
apierrors.IsNotFound(err), and otherwise return the original error; apply the
same NotFound-gated pattern in applyMixedPKIConfig as well.

In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 378-383: The deleteCertificateSecret failure path in
pki_kube_apiserver.go can mask a false pass because the loop only logs a warning
and continues without verifying anything. Update the certificate regeneration
checks around deleteCertificateSecret in the relevant test loop(s) so that a
missing/un-deletable expected secret causes the test to fail, or track whether
at least one certificate was successfully deleted and verified before allowing
the spec to pass. Apply the same fix to the duplicate verification block that
uses the same pattern elsewhere in the file.
- Around line 184-188: The deferred cleanup in `g.DeferCleanup` is using
`context.Background()`, which drops the test/spec context and leaves
`cleanupPKIConfiguration` unbounded; update the cleanup path to derive from the
existing spec context in `pki_kube_apiserver.go` using a detached context (for
example via `context.WithoutCancel`) and wrap it with a timeout before calling
`cleanupPKIConfiguration` so cleanup still has context values but cannot run
indefinitely.
- Around line 25-171: The package-level integrationTestCertificates slice in
pki_kube_apiserver.go is unused by the kube-apiserver test helpers. Remove the
dead variable, or update the relevant test setup functions to reference
integrationTestCertificates directly so the shared certificate list is actually
consumed. Use the integrationTestCertificates symbol and the kube-apiserver PKI
test helpers in this file to locate the change.
- Around line 173-174: The top-level ginkgo recovery hook in the `Describe` body
is unnecessary here. Remove the `defer g.GinkgoRecover()` from the `PKI
Configuration` `Describe` block in `pki_kube_apiserver.go`, and only add
`GinkgoRecover()` inside any spawned goroutine that may call `Fail` or Gomega in
the future.

In `@test/extended/pki/pki_service_ca.go`:
- Around line 331-333: The cleanup in the deferred namespace deletion is
ignoring a returned error, which can hide failed teardown; update the defer in
the pki service CA test to capture the result of
kubeClient.CoreV1().Namespaces().Delete and explicitly assert or log any error
instead of discarding it. Use the existing cleanup block around the testNS
deletion in the deferred func and keep the failure handling consistent with the
test’s other error checks so namespace leaks are surfaced.
- Around line 33-35: The deferred cleanup in the Ginkgo test uses
context.Background(), which disconnects it from the spec context. Update the
DeferCleanup block in pki_service_ca.go to derive a detached context from the
existing test context using context.WithoutCancel(ctx) and wrap it with a
bounded timeout, then pass that context into cleanupPKIConfiguration so cleanup
still runs independently without losing test-scoped values. Use the existing
test context variable from the surrounding spec and keep the cleanup logic
inside g.DeferCleanup.

---

Nitpick comments:
In `@test/extended/pki/helpers.go`:
- Around line 108-125: buildKeyConfig currently falls through for any algorithm
other than KeyAlgorithmRSA or KeyAlgorithmECDSA, leaving KeyConfig partially
populated and hiding misconfigured test inputs. Update buildKeyConfig to
explicitly handle the supported algorithms and add a default branch that fails
fast (for example by asserting or returning an error) when an unrecognized
KeyAlgorithm is passed, so callers of buildKeyConfig get an immediate signal
instead of an incomplete config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0bcf1c75-08b8-4f9c-b678-e0aeb6c80603

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8a9b0 and 1820a38.

📒 Files selected for processing (4)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[coderabbitai]

🧹 Nitpick comments (3)

test/extended/pki/pki_kube_apiserver.go (3)

196-384: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider extracting the shared regeneration/verify loop.

testKubeAPIServerCertificates and testMixedKubeAPIServerCertificates differ only in how the expected algorithm/size/curve is sourced; the get-UID → delete → wait → verify body is duplicated. A small helper taking (cert operatorCertificate, expectedAlgorithm, expectedRSASize, expectedECDSACurve) would remove the duplication and keep timeout/verification logic in one place.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 196 - 384, The
regeneration/verify flow is duplicated in testKubeAPIServerCertificates and
testMixedKubeAPIServerCertificates; extract the shared get-UID →
deleteCertificateSecret → waitForSecretRegeneration → getCertificateFromSecret
loop into a helper. Make the helper take operatorCertificate plus the expected
algorithm/size/curve inputs so both callers can reuse the same timeout and
verification logic while only differing in how expectations are populated.

---

232-236: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant if err != nil around the assertion.

o.Expect(err).NotTo(o.HaveOccurred()) already fails (and halts via panic) when err != nil, so the surrounding conditional adds nothing and only obscures intent. The same pattern repeats at Lines 336-339. Assert unconditionally.

♻️ Suggested change

-		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
-		if err != nil {
-			o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)
-		}
+		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 232 - 236, Remove the
redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred(), ...)` assertion in the certificate secret
lookup, and let the expectation run unconditionally before using
`oldSecret.UID`. Apply the same cleanup to the repeated pattern later in this
test (the `kubeClient.CoreV1().Secrets(...).Get` plus `o.Expect` block), so the
intent is clearer and the assertion alone handles failures.

---

42-48: 🩺 Stability & Availability | 🔵 Trivial

Accept the Ginkgo context in these It bodies.

These [Slow] specs can wait up to 20 minutes, so context.TODO() bypasses Ginkgo timeout and cancellation handling. Thread the spec context through instead.

♻️ Suggested change

-	g.It("should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func() {
-		testUniformPKIConfigurations(context.TODO(), kubeClient, configClient)
-	})
+	g.It("should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func(ctx context.Context) {
+		testUniformPKIConfigurations(ctx, kubeClient, configClient)
+	})
 
-	g.It("should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func() {
-		testMixedPKIConfigurations(context.TODO(), kubeClient, configClient)
-	})
+	g.It("should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func(ctx context.Context) {
+		testMixedPKIConfigurations(ctx, kubeClient, configClient)
+	})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 42 - 48, The two Ginkgo
It bodies are using context.TODO(), which bypasses Ginkgo’s timeout and
cancellation handling for these long-running [Slow] specs. Update the uniform
and mixed PKI specs to accept the Ginkgo context from the It body and pass that
spec context through to testUniformPKIConfigurations and
testMixedPKIConfigurations instead of creating a TODO context, so cancellation
and timeout behavior is preserved.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 196-384: The regeneration/verify flow is duplicated in
testKubeAPIServerCertificates and testMixedKubeAPIServerCertificates; extract
the shared get-UID → deleteCertificateSecret → waitForSecretRegeneration →
getCertificateFromSecret loop into a helper. Make the helper take
operatorCertificate plus the expected algorithm/size/curve inputs so both
callers can reuse the same timeout and verification logic while only differing
in how expectations are populated.
- Around line 232-236: Remove the redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred(), ...)` assertion in the certificate secret
lookup, and let the expectation run unconditionally before using
`oldSecret.UID`. Apply the same cleanup to the repeated pattern later in this
test (the `kubeClient.CoreV1().Secrets(...).Get` plus `o.Expect` block), so the
intent is clearer and the assertion alone handles failures.
- Around line 42-48: The two Ginkgo It bodies are using context.TODO(), which
bypasses Ginkgo’s timeout and cancellation handling for these long-running
[Slow] specs. Update the uniform and mixed PKI specs to accept the Ginkgo
context from the It body and pass that spec context through to
testUniformPKIConfigurations and testMixedPKIConfigurations instead of creating
a TODO context, so cancellation and timeout behavior is preserved.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 57aa33bc-1f72-4c5b-94ea-09a80b5afb76

📥 Commits

Reviewing files that changed from the base of the PR and between 1820a38 and aa956c0.

📒 Files selected for processing (4)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

🚧 Files skipped from review as they are similar to previous changes (3)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_service_ca.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[coderabbitai]

🧹 Nitpick comments (1)

test/extended/pki/pki_kube_apiserver.go (1)

232-236: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant if err != nil wrapper around o.Expect.

o.Expect(err).NotTo(o.HaveOccurred()) already fails (and aborts) the spec when err != nil, so the surrounding if err != nil block is dead control flow — oldUID is only ever reached when err == nil. Hoist the assertion out of the conditional for clarity. Same pattern at Lines 337-339.

♻️ Suggested change

-		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
-		if err != nil {
-			o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)
-		}
-		oldUID := string(oldSecret.UID)
+		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)
+		oldUID := string(oldSecret.UID)

Also applies to: 336-340

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 232 - 236, Remove the
redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred())` assertion in the PKI test helpers so the
failure check stands on its own; in the logic that fetches `oldSecret` and
derives `oldUID`, as well as the matching block later in the file, keep the
`kubeClient.CoreV1().Secrets(...).Get(...)` call followed directly by the
expectation and then the UID read. This makes the control flow explicit and
avoids dead branching around `o.Expect`.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 232-236: Remove the redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred())` assertion in the PKI test helpers so the
failure check stands on its own; in the logic that fetches `oldSecret` and
derives `oldUID`, as well as the matching block later in the file, keep the
`kubeClient.CoreV1().Secrets(...).Get(...)` call followed directly by the
expectation and then the UID read. This makes the control flow explicit and
avoids dead branching around `o.Expect`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 16d5d0a7-3b21-49bc-9f97-d1198dbda45e

📥 Commits

Reviewing files that changed from the base of the PR and between adbcf03 and ba29d50.

📒 Files selected for processing (4)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

🚧 Files skipped from review as they are similar to previous changes (2)

• test/extended/include.go
• test/extended/pki/helpers.go

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-aws-ovn-single-node-techpreview-serial

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: ba29d50

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-single-node-techpreview-serial	High - "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Suite:openshift/conformance/serial] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test that failed 1 time(s) against the current commit

New tests seen in this PR at sha: ba29d50

• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Suite:openshift/conformance/serial] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Suite:openshift/conformance/serial] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Suite:openshift/conformance/serial] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 1, Fail: 1, Flake: 0]

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/retest

[kaleemsiddiqu]

/test pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-pkiconfig

[openshift-ci]

@kaleemsiddiqu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn-techpreview-serial-2of2	ba29d50	link	false	/test e2e-gcp-ovn-techpreview-serial-2of2
ci/prow/e2e-gcp-ovn-techpreview-serial-1of2	ba29d50	link	false	/test e2e-gcp-ovn-techpreview-serial-1of2
ci/prow/e2e-aws-ovn-single-node-techpreview-serial	ba29d50	link	false	/test e2e-aws-ovn-single-node-techpreview-serial
ci/prow/e2e-aws-ovn-fips	0080764	link	true	/test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 0080764

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: 0080764

• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]
• "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]