NE-1743: Add documentation for pre-release script for OSSM testing #1315
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@rhamini3: This pull request references NE-1743 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/assign @alebedev87 |
|
@rhamini3 : LGTM, can you please fix up commits to a single one? |
rhamini3
force-pushed
the
doc-ossm
branch
2 times, most recently
from
4c0a953 to
5e890bb
Compare
|
/lgtm For Candace to have a look. |
openshift-ci
bot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/test e2e-aws-pre-release-ossm |
1 similar comment
|
/test e2e-aws-pre-release-ossm |
| ``` | ||
| $ make test-e2e | ||
| ``` | ||
|
|
There was a problem hiding this comment.
I think this documentation belongs in in the /hack directory. Just the make test-pre-release-ossm command belongs in HACKING.md, with a pointer to the documentation.
Did you and Andrey discuss this?
There was a problem hiding this comment.
Did you and Andrey discuss this?
Not really.
I think it's fine to keep it here. hack/ directory is a common place for all the scripts we use. verify, run-local, update targets all use scripts from hack/ directory. HACKING.md already has precedents for targets which use hack/ directory: run-local, buildconfig.
There was a problem hiding this comment.
leaving it in hacking.md then
|
|
||
| - Obtain Brew Pull Secret | ||
| ```shell | ||
| $ podman login --authfile=/tmp/authbrew --username="${BREW_USER}" --password="${BREW_PASS}" brew.registry.redhat.io |
There was a problem hiding this comment.
Question - what creates the files in /tmp ?
There was a problem hiding this comment.
the podman login pulls a secret from the brew and stage registries which are then applied into the clusters pull secret. these files can also be found in the CI vault
There was a problem hiding this comment.
It's the login that creates the files. They don't have to be pre-existing.
HACKING.md
Outdated
| $ podman login --authfile=/tmp/authbrew --username="${BREW_USER}" --password="${BREW_PASS}" brew.registry.redhat.io | ||
| ``` | ||
|
|
||
| - Obtain the Konflux Token from the secrets folder in [CI Vault](https://vault.ci.openshift.org/ui/vault/secrets/kv/kv/list/selfservice/nid-ossm-token/). |
There was a problem hiding this comment.
Should you set the KONFLUX_TOKEN environment variable with the contents of that file?
There was a problem hiding this comment.
thats right I will also add in the specific file to look at for each variable?
|
@rhamini3 this is great information. Please fix a few more nits and move the doc to the /hack directory. Just keep the |
|
New changes are detected. LGTM label has been removed. |
|
@alebedev87 @candita for one final round |
|
|
||
| - Connect to Red Hat VPN. | ||
|
|
||
| - Create new service accounts for [stage registry](https://access.stage.redhat.com/terms-based-registry/accounts) and [brew registry](https://access.redhat.com/terms-based-registry/accounts). |
There was a problem hiding this comment.
I don't have access to access.stage.redhat.com, it gives an error.
I do have access to access.redhat.com,
There was a problem hiding this comment.
@alebedev87 did you test this part? I still cannot open the first link, even on vpn.
There was a problem hiding this comment.
I think I did but my memory is blurry on this one already, may be I used the token from the CI vault to test the script. I can confirm that I'm having auth troubles accessing access.stage.redhat.com too. I'll have a look why I cannot login to the stage link. Meanwhile, if Ishmam (and maybe other QEs) can login I'm fine with the instructions.
There was a problem hiding this comment.
@lihongan @ShudiLi can you please try and check if you can access the stage registry: https://access.stage.redhat.com/terms-based-registry/accounts
Please login to VPN before accessing the link or else you will get a pre-prod lockdown error
There was a problem hiding this comment.
@rhamini3 Yes, I can access it(Yesterday, I used my email address to login, but the passwords I input were always wrong, so I reset it by clicking forget the password)
|
@rhamini3: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| ``` | ||
|
|
||
| - Obtain the Konflux Token | ||
| 1. Access the [CI Vault](https://vault.ci.openshift.org/ui/vault/secrets/kv/kv/list/selfservice/nid-ossm-token/). |
There was a problem hiding this comment.
All our team member can access this ? or just a few members can access it?
If it is not for all members please provide the contacts so others can reach out to get the token.
There was a problem hiding this comment.
When accessed https://vault.ci.openshift.org/ui/vault/secrets/kv/kv/list/selfservice/nid-ossm-token/, Not authorized issue occur
Not authorized
Ember Data Request GET /v1/sys/internal/ui/mounts/kv returned a 403 Payload (application/json) [object Object]
preflight capability check returned 403, please ensure client's policies grant access to path "kv/"
There was a problem hiding this comment.
@rhamini3 Yes, I can access it now. I will continue to review this PR, thanks.
| ```shell | ||
| $ TOKEN="$(cat konflux.tmp)" AUTHSTAGE="$(cat /tmp/authstage)" AUTHBREW="$(cat /tmp/authbrew)" make test-pre-release-ossm | ||
| ``` |
There was a problem hiding this comment.
I can run the make test-pre-release-ossm on 4.22.0-0.nightly-2026-01-06-164201, but there are errors
# TOKEN="$(cat /tmp/konflux.tmp)" AUTHSTAGE="$(cat /tmp/authstage)" AUTHBREW="$(cat /tmp/authbrew)" make test-pre-release-ossm
...
--- FAIL: TestGatewayAPI (1528.29s)
--- PASS: TestGatewayAPI/testGatewayAPIResources (40.58s)
--- FAIL: TestGatewayAPI/testGatewayAPIObjects (303.37s)
--- FAIL: TestGatewayAPI/testGatewayAPIManualDeployment (601.74s)
--- FAIL: TestGatewayAPI/testGatewayAPIIstioInstallation (32.73s)
--- FAIL: TestGatewayAPI/testGatewayAPIDNS (363.21s)
--- FAIL: TestGatewayAPI/testGatewayAPIDNS/multipleGatewaysSameListenerHostname (181.25s)
--- FAIL: TestGatewayAPI/testGatewayAPIDNS/gatewayListenersWithOverlappingHostname (181.34s)
--- FAIL: TestGatewayAPI/testGatewayAPIDNSListenerUpdate (181.02s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1e6775c]
...
FAIL github.com/openshift/cluster-ingress-operator/test/e2e 1531.731s
FAIL
make[1]: *** [Makefile:62: test-e2e] Error 1
make[1]: Leaving directory '/home/shudi/work/github/cluster-ingress-operator'
make: *** [Makefile:74: test-pre-release-ossm] Error 2
There was a problem hiding this comment.
Sorry, I have a 4.22 GCP cluster and did the make on my PC. I think the make error is expected.
There was a problem hiding this comment.
@ShudiLi can you confirm that you were able to run the script successfully?
6 participants
Commit to add documentation for the pre-release-ossm script so others can get started on it