SDN-4168: Fix IPsec tests for monitor failures #29437

pperiyasamy · 2025-01-14T13:25:47Z

This PR fixes following issues to stabilize monitor tests while running IPsec tests.

When IPsec tests configuring certificates into libreswan nss db for north south traffic via a machine config, it's rebooting worker nodes by default which still makes a monitor test to fail. Actually it is not required to reboot the nodes just for configuring certs on the nss db. Hence adding node disruption machine configuration policy so that nodes are not rebooted while deploying certificates on the worker nodes.

When IPsec mode are changed across tests within IPsec test suite, it causes reboot of ovnkube-node daemonset pods, It's expected workload traffic would fail temporarily until pods are settle down after IPsec is properly configured in every node's OVN and OvS across the cluster. So we should not test ipsec mode change in the ipsec test suite and instead for every ipsec mode, there should be one CI lane, then in the test corresponding configuration and traffic must be tested. So it merges everything with a single test which can be run from CI lanes for Full and External IPsec modes.

Depends on openshift/machine-config-operator#4864.

pperiyasamy · 2025-01-15T17:42:15Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-01-16T15:35:47Z

/test e2e-aws-ovn-ipsec-serial

openshift-trt · 2025-01-16T19:23:08Z

Job Failure Risk Analysis for sha: dd54a1d

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial	High [sig-imageregistry][Serial] Image signature workflow can push a signed image to openshift registry and verify it [apigroup:user.openshift.io][apigroup:image.openshift.io] [Skipped:Disconnected] [Suite:openshift/conformance/serial] This test has passed 100.00% of 185 runs on jobs [periodic-ci-openshift-release-master-nightly-4.19-e2e-aws-ovn-single-node-serial] in the last 14 days.
pull-ci-openshift-origin-master-e2e-aws-ovn-ipsec-serial	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 69.80% of 4076 runs on release 4.19 [Overall] in the last week.

openshift-trt · 2025-02-12T23:11:16Z

Job Failure Risk Analysis for sha: e68a744

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-ipsec-serial	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 70.95% of 4743 runs on release 4.19 [Overall] in the last week.

pperiyasamy · 2025-02-17T08:25:51Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-02-17T10:42:48Z

/assign @tssurya

pperiyasamy · 2025-02-17T10:43:36Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-02-17T14:44:35Z

/test e2e-aws-ovn-ipsec-serial

openshift-trt · 2025-02-17T17:08:25Z

Job Failure Risk Analysis for sha: cab8327

Job Name	Failure Risk
pull-ci-openshift-origin-master-okd-scos-e2e-aws-ovn	High [sig-arch] Only known images used by tests This test has passed 100.00% of 28 runs on jobs [periodic-ci-openshift-release-master-ci-4.19-e2e-aws-ovn] in the last 14 days.
pull-ci-openshift-origin-master-e2e-gcp-ovn-rt-upgrade	IncompleteTests Tests for this run (104) are below the historical average (1679): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node	Medium [sig-node] static pods should start after being created This test has passed 94.12% of 34 runs on jobs [periodic-ci-openshift-release-master-nightly-4.19-e2e-aws-ovn-single-node] in the last 14 days.

pperiyasamy · 2025-02-17T17:41:30Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-02-17T21:08:34Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-02-18T05:08:10Z

/test e2e-aws-ovn-ipsec-serial

openshift-trt · 2025-02-18T08:07:35Z

Job Failure Risk Analysis for sha: f41d22e

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade	IncompleteTests Tests for this run (1994) are below the historical average (4443): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

pperiyasamy · 2025-02-18T09:08:17Z

/assign @huiran0826

pperiyasamy · 2025-02-18T13:01:35Z

/test e2e-aws-ovn-ipsec-serial

pperiyasamy · 2025-03-10T15:44:44Z

/test e2e-aws-ovn-ipsec-serial

openshift-trt · 2025-03-10T19:18:31Z

Job Failure Risk Analysis for sha: c53288d

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	Medium [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-azure	IncompleteTests Tests for this run (23) are below the historical average (2288): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-kube-apiserver-rollout	Low [Conformance][Suite:openshift/kube-apiserver/rollout][Jira:"kube-apiserver"][sig-kube-apiserver] kube-apiserver should roll out new revisions without disruption [apigroup:config.openshift.io][apigroup:operator.openshift.io] This test has passed 42.86% of 7 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:informing Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: c53288d

"[sig-network][Feature:IPsec] when using openshift ovn-kubernetes check traffic with IPsec [apigroup:config.openshift.io] [Suite:openshift/network/ipsec]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]

pperiyasamy · 2025-03-11T17:04:51Z

/test e2e-aws-ovn-ipsec-serial

openshift-ci · 2025-03-11T17:15:52Z

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-kube-apiserver-rollout	`c53288d`	link	false	`/test e2e-aws-ovn-kube-apiserver-rollout`
ci/prow/e2e-openstack-ovn	`c53288d`	link	false	`/test e2e-openstack-ovn`
ci/prow/e2e-aws-disruptive	`c53288d`	link	false	`/test e2e-aws-disruptive`
ci/prow/e2e-azure	`c53288d`	link	false	`/test e2e-azure`
ci/prow/e2e-gcp-fips-serial	`c53288d`	link	false	`/test e2e-gcp-fips-serial`
ci/prow/okd-e2e-gcp	`c53288d`	link	false	`/test okd-e2e-gcp`
ci/prow/e2e-aws-ovn-etcd-scaling	`c53288d`	link	false	`/test e2e-aws-ovn-etcd-scaling`
ci/prow/4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	`c53288d`	link	false	`/test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback`
ci/prow/e2e-azure-ovn-etcd-scaling	`c53288d`	link	false	`/test e2e-azure-ovn-etcd-scaling`
ci/prow/e2e-azure-ovn-upgrade	`c53288d`	link	false	`/test e2e-azure-ovn-upgrade`
ci/prow/e2e-metal-ipi-ovn-dualstack	`c53288d`	link	false	`/test e2e-metal-ipi-ovn-dualstack`
ci/prow/e2e-gcp-disruptive	`c53288d`	link	false	`/test e2e-gcp-disruptive`
ci/prow/e2e-vsphere-ovn-etcd-scaling	`c53288d`	link	false	`/test e2e-vsphere-ovn-etcd-scaling`
ci/prow/e2e-aws-ovn-single-node-upgrade	`c53288d`	link	false	`/test e2e-aws-ovn-single-node-upgrade`
ci/prow/e2e-metal-ipi-virtualmedia	`c53288d`	link	false	`/test e2e-metal-ipi-virtualmedia`
ci/prow/e2e-metal-ipi-serial-ovn-ipv6	`c53288d`	link	false	`/test e2e-metal-ipi-serial-ovn-ipv6`
ci/prow/e2e-openstack-serial	`c53288d`	link	false	`/test e2e-openstack-serial`
ci/prow/e2e-metal-ipi-ovn-dualstack-local-gateway	`c53288d`	link	false	`/test e2e-metal-ipi-ovn-dualstack-local-gateway`
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	`c53288d`	link	false	`/test e2e-vsphere-ovn-dualstack-primaryv6`
ci/prow/e2e-aws-ovn-ipsec-serial	`c53288d`	link	false	`/test e2e-aws-ovn-ipsec-serial`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-trt · 2025-03-11T18:13:44Z

Job Failure Risk Analysis for sha: c53288d

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	Medium [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-azure	IncompleteTests Tests for this run (23) are below the historical average (2173): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-kube-apiserver-rollout	Low [Conformance][Suite:openshift/kube-apiserver/rollout][Jira:"kube-apiserver"][sig-kube-apiserver] kube-apiserver should roll out new revisions without disruption [apigroup:config.openshift.io][apigroup:operator.openshift.io] This test has passed 28.57% of 7 runs on release 4.19 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:informing Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs Component Readiness: [kube-apiserver] [Other] test regressed

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: c53288d

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-ipsec-serial	High - "[sig-network][Feature:IPsec] when using openshift ovn-kubernetes check traffic with IPsec [apigroup:config.openshift.io] [Suite:openshift/network/ipsec]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: c53288d

"[sig-network][Feature:IPsec] when using openshift ovn-kubernetes check traffic with IPsec [apigroup:config.openshift.io] [Suite:openshift/network/ipsec]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]

openshift-ci-robot · 2025-03-12T11:33:32Z

@pperiyasamy: This pull request references SDN-4168 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

This PR fixes following issues to stabilize monitor tests while running IPsec tests.

When IPsec tests configuring certificates into libreswan nss db for north south traffic via a machine config, it's rebooting worker nodes by default which still makes a monitor test to fail. Actually it is not required to reboot the nodes just for configuring certs on the nss db. Hence adding node disruption machine configuration policy so that nodes are not rebooted while deploying certificates on the worker nodes.

When IPsec mode are changed across tests within IPsec test suite, it causes reboot of ovnkube-node daemonset pods, It's expected workload traffic would fail temporarily until pods are settle down after IPsec is properly configured in every node's OVN and OvS across the cluster. So we should not test ipsec mode change in the ipsec test suite and instead for every ipsec mode, there should be one CI lane, then in the test corresponding configuration and traffic must be tested. So it merges everything with a single test which can be run from CI lanes for Full and External IPsec modes.

Depends on openshift/machine-config-operator#4864.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

pperiyasamy · 2025-03-12T11:41:25Z

/hold cancel

we are tracking nmstate-operator failure with bug https://issues.redhat.com/browse/OCPBUGS-52845 and get it checked while testing IPsec CI lane from PR openshift/release#61740.

pperiyasamy · 2025-03-12T11:41:55Z

/assign @dgoodwin

dgoodwin · 2025-03-12T11:48:18Z

All looks good but you appear to have renamed some tests, in which case for things to work best you should submit a test rename request here after this merges: https://github.com/openshift-eng/ci-test-mapping

Doing so will allow component readiness to track the new tests performance against it's old name in 4.18 at GA time.

/approve

openshift-ci · 2025-03-12T11:50:56Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgoodwin, martinkennelly, pperiyasamy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [dgoodwin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2025-03-12T14:15:08Z

/retest-required

Remaining retests: 0 against base HEAD 4c1d2ce and 2 for PR HEAD c53288d in total

openshift-ci-robot · 2025-03-12T19:31:38Z

/retest-required

Remaining retests: 0 against base HEAD 4c1d2ce and 2 for PR HEAD c53288d in total

openshift-bot · 2025-03-13T03:31:06Z

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-tests
This PR has been included in build openshift-enterprise-tests-container-v4.19.0-202503130217.p0.g59d86be.assembly.stream.el9.
All builds following this will include this PR.

As per changes in openshift/origin#29437 for IPsec E2E tests, each IPsec mode Full and External must be tested with two different CI lanes, so this commit replaces existing e2e-aws-ovn-ipsec-serial CI lane with e2e-aws-ovn-ipsec-full-mode and e2e-aws-ovn-ipsec-external-mode CI lanes. This commit also makes both jobs mandatory and periodic jobs which helps to make IPsec eligible for component readiness. Signed-off-by: Periyasamy Palanisamy <[email protected]>

As per changes in openshift/origin#29437 for IPsec E2E tests, each IPsec mode Full and External must be tested with two different CI lanes, so this commit replaces existing e2e-aws-ovn-ipsec-serial CI lane with e2e-aws-ovn-ipsec-full-mode and e2e-aws-ovn-ipsec-external-mode CI lanes. This commit also makes both jobs as default presubmit for cluster network operator. Signed-off-by: Periyasamy Palanisamy <[email protected]>

As per changes in openshift/origin#29437 for IPsec E2E tests, each IPsec mode Full and External must be tested separately, so this commit updates openshift-e2e-test step with new test type called ipsec-suite and ipsec test suite is executed under this test type for each ipsec modes. Signed-off-by: Periyasamy Palanisamy <[email protected]>

As per changes in openshift/origin#29437 for IPsec E2E tests, each IPsec mode Full and External must be tested separately, so this commit updates openshift-e2e-test step with new test type called ipsec-suite and ipsec test suite is executed under this test type for each ipsec modes. Signed-off-by: Periyasamy Palanisamy <[email protected]> (cherry picked from commit f5df7d1)

As per changes in openshift/origin#29437 for IPsec E2E tests, each IPsec mode Full and External must be tested separately, so this commit updates openshift-e2e-test step with new test type called ipsec-suite and ipsec test suite is executed under this test type for each ipsec modes. Signed-off-by: Periyasamy Palanisamy <[email protected]>

openshift-ci bot requested review from danwinship and knobunc January 14, 2025 13:26

pperiyasamy mentioned this pull request Jan 14, 2025

SDN-5330: Wait enough for IPsec tunnels to establish before kubelet start openshift/cluster-network-operator#2606

Closed

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch 2 times, most recently from 0edd5b6 to dd54a1d Compare January 16, 2025 12:17

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch from dd54a1d to e68a744 Compare January 24, 2025 15:56

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch from e68a744 to 744915f Compare February 17, 2025 08:23

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch from 744915f to cab8327 Compare February 17, 2025 10:41

openshift-ci bot assigned tssurya Feb 17, 2025

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch from cab8327 to 59fcece Compare February 17, 2025 17:39

openshift-ci bot assigned huiran0826 Feb 18, 2025

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch from f41d22e to dba2246 Compare February 18, 2025 13:01

pperiyasamy force-pushed the ipsec-debug-monitor-test-failure branch 2 times, most recently from 8eaaaa4 to 5db298d Compare February 18, 2025 16:53

pperiyasamy changed the title ~~[DNM] Disable external ipsec mode test~~ Fix monitor test failures for IPsec serial e2e test Feb 18, 2025

pperiyasamy changed the title ~~Fix IPsec tests for monitor failures~~ SDN-4168: Fix IPsec tests for monitor failures Mar 12, 2025

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 12, 2025

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 12, 2025

openshift-ci bot assigned dgoodwin Mar 12, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 12, 2025

openshift-merge-bot bot merged commit 59d86be into openshift:main Mar 12, 2025
34 of 54 checks passed

pperiyasamy mentioned this pull request Apr 1, 2025

[release-4.18] CORENET-5568: Stabilize IPsec E2E tests #29632

Open

SDN-4168: Fix IPsec tests for monitor failures #29437

SDN-4168: Fix IPsec tests for monitor failures #29437

Uh oh!

Conversation

pperiyasamy commented Jan 14, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pperiyasamy commented Jan 15, 2025

Uh oh!

pperiyasamy commented Jan 16, 2025

Uh oh!

openshift-trt bot commented Jan 16, 2025

Uh oh!

openshift-trt bot commented Feb 12, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

openshift-trt bot commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 17, 2025

Uh oh!

pperiyasamy commented Feb 18, 2025

Uh oh!

openshift-trt bot commented Feb 18, 2025

Uh oh!

pperiyasamy commented Feb 18, 2025

Uh oh!

pperiyasamy commented Feb 18, 2025

Uh oh!

pperiyasamy commented Mar 10, 2025

Uh oh!

openshift-trt bot commented Mar 10, 2025

Uh oh!

pperiyasamy commented Mar 11, 2025

Uh oh!

openshift-ci bot commented Mar 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-trt bot commented Mar 11, 2025

Uh oh!

openshift-ci-robot commented Mar 12, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pperiyasamy commented Mar 12, 2025

Uh oh!

pperiyasamy commented Mar 12, 2025

Uh oh!

dgoodwin commented Mar 12, 2025

Uh oh!

openshift-ci bot commented Mar 12, 2025

Uh oh!

openshift-ci-robot commented Mar 12, 2025

Uh oh!

openshift-ci-robot commented Mar 12, 2025

Uh oh!

Uh oh!

openshift-bot commented Mar 13, 2025

Uh oh!

Uh oh!

pperiyasamy commented Jan 14, 2025 •

edited

Loading

openshift-ci bot commented Mar 11, 2025 •

edited

Loading

openshift-ci-robot commented Mar 12, 2025 •

edited by openshift-ci bot

Loading