OCPBUGS-49441: Use different certificates for gRPC interoperability test routes #29757

alebedev87 · 2025-05-05T22:22:44Z

Before this change the gRPC routes were using the same certificate which prevented the usage of ALPN to avoid the connection coalescing. This PR introduces different certificates for edge and reencrypt routes.

PR to test the fix in combination with grpc-go v1.67.0: #29780.

openshift-ci-robot · 2025-05-05T22:22:50Z

@alebedev87: This pull request references Jira Issue OCPBUGS-49441, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.20.0) matches configured target version for branch (4.20.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Before this change the gRPC routes were using the same certificate which prevented the usage of ALPN to avoid the connection coalescing. This commit introduces different certificates for edge and reencrypt routes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

alebedev87 · 2025-05-10T13:34:22Z

/retest

openshift-trt · 2025-05-10T21:12:03Z

Job Failure Risk Analysis for sha: 8525a88

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-aws-disruptive	High [sig-node] static pods should start after being created This test has passed 98.60% of 5505 runs on release 4.20 [Overall] in the last week. --- [sig-arch] events should not repeat pathologically for ns/openshift-kube-apiserver-operator This test has passed 99.95% of 5501 runs on release 4.20 [Overall] in the last week. --- [bz-Etcd] clusteroperator/etcd should not change condition/Available This test has passed 99.93% of 5505 runs on release 4.20 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 8525a88

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] External host should be able to query route advertised pods by the pod IP [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] pods should communicate with external host without being SNATed [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 2 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] External host should be able to query route advertised pods by the pod IP [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 2 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] pods should communicate with external host without being SNATed [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] External host should be able to query route advertised pods by the pod IP [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-dualstack-bgp-techpreview	High - "[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] pods should communicate with external host without being SNATed [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: 8525a88

"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 1]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for default network pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv4 [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [EgressIP][apigroup:user.openshift.io][apigroup:security.openshift.io] Advertising egressIP for layer 3 user defined network UDN pods should have the assigned EgressIPs and EgressIPs can be created, updated and deleted [apigroup:route.openshift.io] IPv6 [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 2 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] External host should be able to query route advertised pods by the pod IP [Suite:openshift/conformance/parallel]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 2 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] pods should communicate with external host without being SNATed [Suite:openshift/conformance/parallel]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] External host should be able to query route advertised pods by the pod IP [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]
"[sig-network][OCPFeatureGate:RouteAdvertisements][Feature:RouteAdvertisements][apigroup:operator.openshift.io] when using openshift ovn-kubernetes [PodNetwork] Advertising a Layer 3 cluster user defined network [apigroup:user.openshift.io][apigroup:security.openshift.io] pods should communicate with external host without being SNATed [Suite:openshift/conformance/parallel]" [Total: 4, Pass: 4, Fail: 0, Flake: 0]

alebedev87 · 2025-05-12T14:37:07Z

/retest

alebedev87 · 2025-05-13T13:04:21Z

/retest

Thealisyed · 2025-05-13T16:22:39Z

/assign

openshift-trt · 2025-05-15T05:21:11Z

Job Failure Risk Analysis for sha: 72b4ed0

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week.

alebedev87 · 2025-05-20T05:29:28Z

/retest-required

Thealisyed · 2025-05-26T11:19:25Z

test/extended/router/grpc-interop.go

 			pemCrt, err := certgen.MarshalCertToPEMString(tlsCrtData)
 			o.Expect(err).NotTo(o.HaveOccurred())

+			_, tlsCrt2Data, tlsPrivateKey2, err := certgen.GenerateKeyPair("Root CA", notBefore, notAfter)


Why is a new Root CA being generated here? Is tlsCrt2Data intended to be a different root CA or a certificate signed by the first root CA?

Why is a new Root CA being generated here?

That's how GenerateKeyPair works. It generates a self signed root CA certificate and then uses it for the test certificate (which we get as second return value).

Is tlsCrt2Data intended to be a different root CA or a certificate signed by the first root CA?

It's intended to be a different certificate. I think that it may still be possible to sign it with the same root CA though. But I stick to what GenerateKeyPair does.

Having different certificates for secure routes instructs router to enable alpn option in crt-list command on HAProxy frontends (e.g. fe_sni). This results into the usage of ALPN TLS extension for the protocol negotiation. Without ALPN, grpc client will refuse to establish a connection to OpenShift router.

Thealisyed · 2025-05-26T11:34:11Z

test/extended/router/grpc-interop.go

+							Key:                           derKey2,
+							Certificate:                   pemCrt2,


Why use those formats (pem and der) for the cert and key?

Those are the formats returned by crypto/x509's CreateCertificate function. Both can be used to encode certificates or keys. DER is binary format while PEM is base64. I didn't see a lot the usage of DER for route's keys but it seems to be accepted by the API and router validation. Also, it is not that important when we set the key programmatically (not from a YAML manifest). So, I prefer to be consistent across the router's tests and keep using DER (http2 test does use DER format too).

I followed up on this one. It turned out that MarshalCertToDERFormat was a misnomer.

alebedev87

@Thealisyed : Thanks for the review! Here are the answers, feel free to follow up in the comments.

alebedev87 · 2025-05-26T16:15:37Z

test/extended/router/grpc-interop.go

 			pemCrt, err := certgen.MarshalCertToPEMString(tlsCrtData)
 			o.Expect(err).NotTo(o.HaveOccurred())

+			_, tlsCrt2Data, tlsPrivateKey2, err := certgen.GenerateKeyPair("Root CA", notBefore, notAfter)


Why is a new Root CA being generated here?

That's how GenerateKeyPair works. It generates a self signed root CA certificate and then uses it for the test certificate (which we get as second return value).

Is tlsCrt2Data intended to be a different root CA or a certificate signed by the first root CA?

It's intended to be a different certificate. I think that it may still be possible to sign it with the same root CA though. But I stick to what GenerateKeyPair does.

Having different certificates for secure routes instructs router to enable alpn option in crt-list command on HAProxy frontends (e.g. fe_sni). This results into the usage of ALPN TLS extension for the protocol negotiation. Without ALPN, grpc client will refuse to establish a connection to OpenShift router.

alebedev87 · 2025-05-26T16:56:48Z

test/extended/router/grpc-interop.go

+							Key:                           derKey2,
+							Certificate:                   pemCrt2,


Those are the formats returned by crypto/x509's CreateCertificate function. Both can be used to encode certificates or keys. DER is binary format while PEM is base64. I didn't see a lot the usage of DER for route's keys but it seems to be accepted by the API and router validation. Also, it is not that important when we set the key programmatically (not from a YAML manifest). So, I prefer to be consistent across the router's tests and keep using DER (http2 test does use DER format too).

alebedev87 · 2025-05-28T05:51:53Z

/retest-required

Thealisyed · 2025-05-28T15:25:27Z

Thanks for the answers and for the follow up PR for MarshalCertToDERFormat

/lgtm

openshift-ci-robot · 2025-05-28T19:58:01Z

/retest-required

Remaining retests: 0 against base HEAD e39730d and 2 for PR HEAD 44a9087 in total

openshift-trt · 2025-06-04T06:16:45Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (236): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.92% of 3536 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-disruptive	High [bz-Etcd] clusteroperator/etcd should not change condition/Available This test has passed 99.83% of 3606 runs on release 4.20 [Overall] in the last week. --- [sig-node] static pods should start after being created This test has passed 98.97% of 3606 runs on release 4.20 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 69.55% of 3606 runs on release 4.20 [Overall] in the last week.

openshift-trt · 2025-06-04T10:21:34Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (235): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.92% of 3628 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-disruptive	High [bz-Etcd] clusteroperator/etcd should not change condition/Available This test has passed 99.81% of 3701 runs on release 4.20 [Overall] in the last week. --- [sig-node] static pods should start after being created This test has passed 99.08% of 3701 runs on release 4.20 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 69.39% of 3701 runs on release 4.20 [Overall] in the last week.

openshift-ci-robot · 2025-06-04T11:43:24Z

/retest-required

Remaining retests: 0 against base HEAD 9508b94 and 0 for PR HEAD 44a9087 in total

openshift-ci-robot · 2025-06-04T12:40:28Z

/retest-required

Remaining retests: 0 against base HEAD 9508b94 and 2 for PR HEAD 44a9087 in total

openshift-trt · 2025-06-04T15:28:49Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (237): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.92% of 3586 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-disruptive	High [bz-Etcd] clusteroperator/etcd should not change condition/Available This test has passed 99.81% of 3661 runs on release 4.20 [Overall] in the last week. --- [sig-node] static pods should start after being created This test has passed 99.07% of 3661 runs on release 4.20 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 69.65% of 3661 runs on release 4.20 [Overall] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests

openshift-trt · 2025-06-04T16:17:59Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (235): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.92% of 3614 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-disruptive	High [bz-Etcd] clusteroperator/etcd should not change condition/Available This test has passed 99.81% of 3689 runs on release 4.20 [Overall] in the last week. --- [sig-node] static pods should start after being created This test has passed 99.08% of 3689 runs on release 4.20 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 69.56% of 3689 runs on release 4.20 [Overall] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests

openshift-ci-robot · 2025-06-04T16:27:04Z

/retest-required

Remaining retests: 0 against base HEAD 9508b94 and 2 for PR HEAD 44a9087 in total

openshift-trt · 2025-06-04T20:38:22Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (231): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.97% of 3455 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests

openshift-trt · 2025-06-04T21:12:15Z

Job Failure Risk Analysis for sha: 44a9087

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (94) are below the historical average (231): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [bz-Etcd] clusteroperator/etcd should not change condition/Available Potential external regression detected for High Risk Test analysis
pull-ci-openshift-origin-main-e2e-aws-ovn-etcd-scaling	High [bz-etcd][invariant] alert/etcdMembersDown should not be at or above info This test has passed 99.97% of 3455 runs on release 4.20 [Overall] in the last week. --- [sig-architecture] platform pods in ns/openshift-etcd should not exit an excessive amount of times This test has passed 100.00% of 2 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:aws SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	Low [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:azure SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests

openshift-ci-robot · 2025-06-05T09:40:23Z

/retest-required

Remaining retests: 0 against base HEAD 9508b94 and 2 for PR HEAD 44a9087 in total

…ability test routes Before this change the gRPC routes were using the same certificate which prevented the usage of ALPN to avoid the connection coalescing. This commit introduces different certificates for edge and reencrypt routes.

alebedev87 · 2025-06-05T13:39:50Z

Rebased from main to start the testing campaign from scratch.

Thealisyed · 2025-06-05T14:02:45Z

/lgtm

openshift-ci · 2025-06-05T14:04:18Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, Thealisyed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~test/extended/router/OWNERS~~ [Thealisyed,alebedev87]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2025-06-05T14:44:00Z

/retest-required

Remaining retests: 0 against base HEAD 9c87080 and 2 for PR HEAD cf83316 in total

openshift-ci-robot · 2025-06-05T16:02:43Z

/retest-required

Remaining retests: 0 against base HEAD 9c87080 and 2 for PR HEAD cf83316 in total

openshift-ci · 2025-06-05T20:39:38Z

@alebedev87: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	`8525a88`	link	false	`/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview`
ci/prow/e2e-gcp-fips-serial	`72b4ed0`	link	false	`/test e2e-gcp-fips-serial`
ci/prow/e2e-metal-ipi-serial	`72b4ed0`	link	false	`/test e2e-metal-ipi-serial`
ci/prow/e2e-aws-ovn-serial-publicnet	`72b4ed0`	link	true	`/test e2e-aws-ovn-serial-publicnet`
ci/prow/e2e-gcp-fips-serial-2of2	`cf83316`	link	false	`/test e2e-gcp-fips-serial-2of2`
ci/prow/e2e-azure-ovn-etcd-scaling	`cf83316`	link	false	`/test e2e-azure-ovn-etcd-scaling`
ci/prow/e2e-gcp-fips-serial-1of2	`cf83316`	link	false	`/test e2e-gcp-fips-serial-1of2`
ci/prow/4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	`cf83316`	link	false	`/test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback`
ci/prow/e2e-azure-ovn-upgrade	`cf83316`	link	false	`/test e2e-azure-ovn-upgrade`
ci/prow/e2e-metal-ipi-virtualmedia	`cf83316`	link	false	`/test e2e-metal-ipi-virtualmedia`
ci/prow/e2e-aws-ovn-etcd-scaling	`cf83316`	link	false	`/test e2e-aws-ovn-etcd-scaling`
ci/prow/e2e-aws-disruptive	`cf83316`	link	false	`/test e2e-aws-disruptive`
ci/prow/e2e-aws-ovn-single-node	`cf83316`	link	false	`/test e2e-aws-ovn-single-node`
ci/prow/e2e-aws-ovn-serial-publicnet-1of2	`cf83316`	link	false	`/test e2e-aws-ovn-serial-publicnet-1of2`
ci/prow/okd-scos-e2e-aws-ovn	`cf83316`	link	false	`/test okd-scos-e2e-aws-ovn`
ci/prow/e2e-gcp-ovn-etcd-scaling	`cf83316`	link	false	`/test e2e-gcp-ovn-etcd-scaling`
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	`cf83316`	link	false	`/test e2e-vsphere-ovn-dualstack-primaryv6`
ci/prow/e2e-vsphere-ovn-etcd-scaling	`cf83316`	link	false	`/test e2e-vsphere-ovn-etcd-scaling`
ci/prow/e2e-openstack-serial	`cf83316`	link	false	`/test e2e-openstack-serial`
ci/prow/e2e-aws-ovn	`cf83316`	link	false	`/test e2e-aws-ovn`
ci/prow/okd-e2e-gcp	`cf83316`	link	false	`/test okd-e2e-gcp`
ci/prow/e2e-aws-ovn-single-node-upgrade	`cf83316`	link	false	`/test e2e-aws-ovn-single-node-upgrade`
ci/prow/e2e-gcp-disruptive	`cf83316`	link	false	`/test e2e-gcp-disruptive`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-trt · 2025-06-05T20:49:14Z

Job Failure Risk Analysis for sha: cf83316

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	MissingData
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [sig-node] static pods should start after being created Potential external regression detected for High Risk Test analysis Open Bugs [sig-node] static pods should start after being created
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift	IncompleteTests Tests for this run (23) are below the historical average (800): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift-serial	IncompleteTests Tests for this run (23) are below the historical average (411): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-gcp-disruptive	Medium [sig-node] static pods should start after being created Potential external regression detected for High Risk Test analysis Open Bugs [sig-node] static pods should start after being created --- [sig-node] node-lifecycle detects unexpected not ready node Potential external regression detected for High Risk Test analysis Open Bugs node-lifecycle detects unexpected not ready node failing on azure serial and upgrade jobs
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests
pull-ci-openshift-origin-main-e2e-vsphere-ovn-etcd-scaling	Low [sig-api-machinery] disruption/kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-instrumentation] disruption/metrics-api connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-api-machinery] disruption/cache-kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- Showing 4 of 8 test results

openshift-trt · 2025-06-05T21:16:45Z

Job Failure Risk Analysis for sha: cf83316

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (86) are below the historical average (213): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [sig-node] static pods should start after being created Potential external regression detected for High Risk Test analysis Open Bugs [sig-node] static pods should start after being created
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift	IncompleteTests Tests for this run (23) are below the historical average (798): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift-serial	IncompleteTests Tests for this run (23) are below the historical average (410): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-gcp-disruptive	Medium [sig-node] static pods should start after being created Potential external regression detected for High Risk Test analysis Open Bugs [sig-node] static pods should start after being created --- [sig-node] node-lifecycle detects unexpected not ready node Potential external regression detected for High Risk Test analysis Open Bugs node-lifecycle detects unexpected not ready node failing on azure serial and upgrade jobs
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests
pull-ci-openshift-origin-main-e2e-vsphere-ovn-etcd-scaling	Low [sig-api-machinery] disruption/kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-instrumentation] disruption/metrics-api connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-api-machinery] disruption/cache-kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- Showing 4 of 8 test results

bertinatto · 2025-06-06T12:22:06Z

/retest-required

openshift-trt · 2025-06-06T15:24:55Z

Job Failure Risk Analysis for sha: cf83316

Job Name	Failure Risk
pull-ci-openshift-origin-main-4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade-rollback	IncompleteTests Tests for this run (86) are below the historical average (207): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-main-e2e-aws-disruptive	Medium [sig-node] static pods should start after being created This test has passed 96.94% of 3493 runs on release 4.20 [Overall] in the last week. Open Bugs [sig-node] static pods should start after being created
pull-ci-openshift-origin-main-e2e-gcp-disruptive	Medium [sig-node] static pods should start after being created This test has passed 96.94% of 3493 runs on release 4.20 [Overall] in the last week. Open Bugs [sig-node] static pods should start after being created --- [sig-node] node-lifecycle detects unexpected not ready node Potential external regression detected for High Risk Test analysis Open Bugs node-lifecycle detects unexpected not ready node failing on azure serial and upgrade jobs
pull-ci-openshift-origin-main-e2e-gcp-ovn-etcd-scaling	Low [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-kube-storage-version-migrator] clusteroperator/kube-storage-version-migrator should not change condition/Available This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:gcp SecurityMode:default Topology:ha Upgrade:none] in the last week. Open Bugs [CI] e2e-openstack-ovn-etcd-scaling job permanent fails at many openshift-test tests
pull-ci-openshift-origin-main-e2e-vsphere-ovn-etcd-scaling	Low [sig-api-machinery] disruption/kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-instrumentation] disruption/metrics-api connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [bz-Cloud Compute] clusteroperator/control-plane-machine-set should not change condition/Degraded This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- [sig-api-machinery] disruption/cache-kube-api apiserver/kube-apiserver connection/new should be available throughout the test This test has passed 0.00% of 1 runs on release 4.20 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:rare Network:ovn NetworkStack:ipv4 Owner:eng Platform:vsphere SecurityMode:default Topology:ha Upgrade:none] in the last week. --- Showing 4 of 8 test results

openshift-ci-robot · 2025-06-06T18:17:33Z

/retest-required

Remaining retests: 0 against base HEAD 235412f and 2 for PR HEAD cf83316 in total

openshift-ci-robot · 2025-06-06T20:48:01Z

@alebedev87: Jira Issue OCPBUGS-49441: Some pull requests linked via external trackers have merged:

openshift/origin#29757

The following pull requests linked via external trackers have not merged:

openshift/origin#29780 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-49441 has not been moved to the MODIFIED state.

Details

In response to this:

Before this change the gRPC routes were using the same certificate which prevented the usage of ALPN to avoid the connection coalescing. This PR introduces different certificates for edge and reencrypt routes.

PR to test the fix in combination with grpc-go v1.67.0: #29780.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-06-07T00:48:16Z

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-tests
This PR has been included in build openshift-enterprise-tests-container-v4.20.0-202506062342.p0.g9c672e0.assembly.stream.el9.
All builds following this will include this PR.

melvinjoseph86 · 2025-06-09T10:52:41Z

/jira refresh

openshift-ci-robot · 2025-06-09T10:52:46Z

@melvinjoseph86: Jira Issue OCPBUGS-49441: All pull requests linked via external trackers have merged:

openshift/origin#29757

Jira Issue OCPBUGS-49441 has been moved to the MODIFIED state.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci bot requested review from frobware, lihongan and miheer May 5, 2025 22:22

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 5, 2025

alebedev87 changed the title ~~OCPBUGS-49441: Use different certificates for gRPC interoperability test routes~~ [WIP] OCPBUGS-49441: Use different certificates for gRPC interoperability test routes May 5, 2025

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2025

alebedev87 force-pushed the ocpbugs-49441-grpc-1-67-certs branch from 1b8896b to 8525a88 Compare May 6, 2025 06:02

alebedev87 force-pushed the ocpbugs-49441-grpc-1-67-certs branch from 8525a88 to 72b4ed0 Compare May 12, 2025 09:12

alebedev87 changed the title ~~[WIP] OCPBUGS-49441: Use different certificates for gRPC interoperability test routes~~ OCPBUGS-49441: Use different certificates for gRPC interoperability test routes May 12, 2025

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 12, 2025

openshift-ci bot assigned Thealisyed May 13, 2025

alebedev87 mentioned this pull request May 13, 2025

[DO NOT MERGE] OCPBUGS-49441: router - test different ceritificate fix with gRPC 1.67.0 #29780

Closed

Thealisyed reviewed May 26, 2025

View reviewed changes

alebedev87 commented May 26, 2025

View reviewed changes

alebedev87 force-pushed the ocpbugs-49441-grpc-1-67-certs branch from 72b4ed0 to 44a9087 Compare May 27, 2025 21:46

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2025

alebedev87 force-pushed the ocpbugs-49441-grpc-1-67-certs branch from 44a9087 to cf83316 Compare June 5, 2025 13:39

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 5, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 5, 2025

openshift-merge-bot bot merged commit 9c672e0 into openshift:main Jun 6, 2025
40 of 59 checks passed

OCPBUGS-49441: Use different certificates for gRPC interoperability test routes #29757

OCPBUGS-49441: Use different certificates for gRPC interoperability test routes #29757

Uh oh!

Conversation

alebedev87 commented May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented May 5, 2025

Uh oh!

alebedev87 commented May 10, 2025

Uh oh!

openshift-trt bot commented May 10, 2025

Uh oh!

alebedev87 commented May 12, 2025

Uh oh!

alebedev87 commented May 13, 2025

Uh oh!

Thealisyed commented May 13, 2025

Uh oh!

openshift-trt bot commented May 15, 2025

Uh oh!

alebedev87 commented May 20, 2025

Uh oh!

Thealisyed May 26, 2025

Choose a reason for hiding this comment

Uh oh!

alebedev87 May 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Thealisyed May 26, 2025

Choose a reason for hiding this comment

Uh oh!

alebedev87 May 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

alebedev87 May 27, 2025

Choose a reason for hiding this comment

Uh oh!

alebedev87 left a comment

Choose a reason for hiding this comment

Uh oh!

alebedev87 May 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

alebedev87 May 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

alebedev87 commented May 28, 2025

Uh oh!

Thealisyed commented May 28, 2025

Uh oh!

openshift-ci-robot commented May 28, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-ci-robot commented Jun 4, 2025

Uh oh!

openshift-ci-robot commented Jun 4, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-ci-robot commented Jun 4, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-trt bot commented Jun 4, 2025

Uh oh!

openshift-ci-robot commented Jun 5, 2025

Uh oh!

alebedev87 commented Jun 5, 2025

Uh oh!

Thealisyed commented Jun 5, 2025

alebedev87 commented May 5, 2025 •

edited

Loading

alebedev87 May 26, 2025 •

edited

Loading

alebedev87 May 26, 2025 •

edited

Loading

alebedev87 May 26, 2025 •

edited

Loading

alebedev87 May 26, 2025 •

edited

Loading

openshift-ci bot commented Jun 5, 2025 •

edited

Loading