Skip to content

CORS-4334: Konnectivity#10344

Merged
openshift-merge-bot[bot] merged 4 commits into
openshift:mainfrom
patrickdillon:konnectivity
Jun 25, 2026
Merged

CORS-4334: Konnectivity#10344
openshift-merge-bot[bot] merged 4 commits into
openshift:mainfrom
patrickdillon:konnectivity

Conversation

@patrickdillon

@patrickdillon patrickdillon commented Mar 2, 2026

Copy link
Copy Markdown
Contributor

Continuation of #10280:

  • Refactored to reduce in-lining in bootkube.sh
  • Added some gating (needs port opening on some or all platforms)

Will break the API vendoring into a separate PR to get that merged sooner rather than later.

Not tested. Opening this now as a /WIP to continue discussion of #10280 with #9628
/cc @JoelSpeed @mdbooth

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 2, 2026
@openshift-ci openshift-ci Bot requested a review from JoelSpeed March 2, 2026 04:08
@openshift-ci-robot

openshift-ci-robot commented Mar 2, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: This pull request references CORS-4334 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Continuation of #10280:

  • Refactored to reduce in-lining in bootkube.sh
  • Added some gating (needs port opening on some or all platforms)

Will break the API changes into a separate PR.

Not tested. Opening this now as a /WIP to continue discussion of #10280 with #9628
/cc @JoelSpeed @mdbooth

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from mdbooth March 2, 2026 04:08
@patrickdillon

patrickdillon commented Mar 2, 2026

Copy link
Copy Markdown
Contributor Author

/wip
/hold

@openshift-ci-robot

openshift-ci-robot commented Mar 2, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: This pull request references CORS-4334 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Continuation of #10280:

  • Refactored to reduce in-lining in bootkube.sh
  • Added some gating (needs port opening on some or all platforms)

Will break the API vendoring into a separate PR to get that merged sooner rather than later.

Not tested. Opening this now as a /WIP to continue discussion of #10280 with #9628
/cc @JoelSpeed @mdbooth

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/test e2e-vsphere-ovn e2e-nutanix-ovn
/test ?

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/test e2e-metal-ipi-ovn
/test e2e-agent-compact-ipv4

@patrickdillon

Copy link
Copy Markdown
Contributor Author

We probably want to clean up the konnectivity ports on bootstrap destroy as well.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

I have experimented with adding a feature gate to control this and it is possible.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

Need to not deploy this on a true single node cluster.

@JoelSpeed

Copy link
Copy Markdown
Contributor

Have read through the changes and the scripts all seem reasonable to me. I'll open a PR to CAPIO that switches us back to Fail webhook policy to test this with

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/retest-required

2 similar comments
@patrickdillon

Copy link
Copy Markdown
Contributor Author

/retest-required

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/retest-required

@tthvo

tthvo commented Mar 12, 2026

Copy link
Copy Markdown
Member

/cc @sadasu @jhixson74

@openshift-ci openshift-ci Bot requested review from jhixson74 and sadasu March 12, 2026 20:47
@tthvo

tthvo commented Mar 12, 2026

Copy link
Copy Markdown
Member

/retest

@tthvo tthvo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty cool 😎🔥! I just have a questions and comments while learning/reading about this :D

Comment thread pkg/asset/manifests/aws/cluster.go
Comment thread data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml Outdated
Comment thread data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template Outdated
Comment thread data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template Outdated
Comment thread data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml Outdated
@coderabbitai

coderabbitai Bot commented Mar 24, 2026

Copy link
Copy Markdown

Walkthrough

Adds Konnectivity bootstrap: new manifests (server, agent, namespace, egress config, secret, DaemonSet), bootstrap scripts and cert generator, bootkube integration, and cloud-provider changes to allow and clean up port 8091 ingress across providers; also updates service analysis logging for Konnectivity stages.

Changes

Cohort / File(s) Summary
Konnectivity Manifests
data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml, data/data/bootstrap/files/opt/openshift/konnectivity-agent-certs-secret.yaml, data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml, data/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml, data/data/bootstrap/files/opt/openshift/konnectivity-namespace.yaml, data/data/bootstrap/files/opt/openshift/konnectivity-server-pod.yaml
Adds EgressSelectorConfiguration, namespace, secret, konnectivity server pod, agent DaemonSet, and kube-apiserver config-override. Review TLS paths, hostPath mounts, UDS socket path, and egress/proxyProtocol settings.
Bootstrap scripts & templates
data/data/bootstrap/files/usr/local/bin/bootkube.sh.template, data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template, data/data/bootstrap/files/usr/local/bin/konnectivity-certs.sh
Integrates konnectivity lifecycle into bootkube: new setup/manifests/cleanup functions, cert generation script, invocations added to bootkube flow, envsubst usage, and config override file copy. Verify idempotency markers, env var templating, and ordering relative to kube-apiserver bootstrap.
AWS manifests & cleanup
pkg/asset/manifests/aws/cluster.go, pkg/infrastructure/aws/clusterapi/aws.go
Adds BootstrapKonnectivityDescription and control-plane ingress rule for TCP/8091; updates bootstrap rule removal and polling to treat SSH+Konnectivity as bootstrap rules. Inspect rule matching/removal logic and description constants.
Azure manifests & cleanup
pkg/asset/manifests/azure/cluster.go, pkg/infrastructure/azure/azure.go
Adds per-subnet Konnectivity NSG rules (IPv4/IPv6) and post-destroy deletion of the konnectivity NSG rule. Check NSG rule naming/priority sequencing and error handling for deletion.
GCP firewall changes
pkg/infrastructure/gcp/clusterapi/firewallrules.go
Creates bootstrap firewall rule for TCP/8091 and updates removal to delete both SSH and Konnectivity rules. Validate SourceTags/TargetTags and deletion order/error propagation.
IBM Cloud, PowerVS, OpenStack security groups
pkg/asset/manifests/ibmcloud/securitygroups.go, pkg/asset/manifests/powervs/securitygroups.go, pkg/infrastructure/openstack/preprovision/securitygroups.go
Adds bootstrap ingress rules for TCP/8091: IBM Cloud uses cluster-wide SG remote reference, PowerVS adds Any remote rule, OpenStack adds service definition and per-CIDR bootstrap rules. Verify remote types and CIDR/remote group references.
Service analysis logging
pkg/gather/service/analyze.go
Updates bootkube service analysis to explicitly log errors for Konnectivity-related failing stages (konnectivity-certs, konnectivity-server-bootstrap, konnectivity-agent-manifest, konnectivity-cleanup) and removes an obsolete comment. Confirm logged stage names match marker files used by bootstrap scripts.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands and usage tips.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

In a followup I will add gating for this, but I wanted to leave it ungated for the moment to do another round of tests

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
data/data/bootstrap/files/usr/local/bin/konnectivity-certs.sh (1)

17-22: Consider restricting private key file permissions.

The generated private keys (ca.key, server.key, agent.key) are created with default umask permissions. For defense in depth, consider explicitly setting restrictive permissions.

🔒 Proposed fix to restrict key permissions
+# Ensure restrictive permissions on key files
+umask 077
+
 # Generate self-signed Konnectivity CA
 openssl req -x509 -newkey rsa:2048 -nodes \

Or alternatively, after each key generation:

chmod 600 "${KONNECTIVITY_CERT_DIR}"/*.key
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@data/data/bootstrap/files/usr/local/bin/konnectivity-certs.sh` around lines
17 - 22, The script konnectivity-certs.sh generates private keys (ca.key,
server.key, agent.key) using openssl without setting restrictive permissions;
after each key is created (identify the openssl req/newkey invocations that
write "${KONNECTIVITY_CERT_DIR}/ca.key" and the similar server/agent key
writes), explicitly set file mode to 0600 for those private key files (for
example by calling chmod 600 on each generated .key or on
"${KONNECTIVITY_CERT_DIR}"/*.key immediately after generation) to ensure keys
are not world-readable.
pkg/infrastructure/aws/clusterapi/aws.go (1)

531-565: Consider renaming removeSSHRule to removeBootstrapRules for clarity.

The function now removes both SSH and Konnectivity rules, but the name and log message (line 561) still reference only SSH.

📝 Optional naming improvement
-// removeSSHRule removes the SSH rule for accessing the bootstrap node
-// by removing the rule from the cluster spec and updating the object.
-func removeSSHRule(ctx context.Context, cl k8sClient.Client, infraID string) error {
+// removeBootstrapRules removes bootstrap-only ingress rules (SSH and Konnectivity)
+// by removing them from the cluster spec and updating the object.
+func removeBootstrapRules(ctx context.Context, cl k8sClient.Client, infraID string) error {

And update the log message:

-		logrus.Debug("Updated AWSCluster to remove bootstrap SSH rule")
+		logrus.Debug("Updated AWSCluster to remove bootstrap ingress rules")
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/infrastructure/aws/clusterapi/aws.go` around lines 531 - 565, The
function removeSSHRule should be renamed to removeBootstrapRules and its
internal log message (the logrus.Debug call that currently says "Updated
AWSCluster to remove bootstrap SSH rule") should be updated to reflect that both
SSH and Konnectivity rules are removed; update references to
awsmanifest.BootstrapSSHDescription and
awsmanifest.BootstrapKonnectivityDescription remain unchanged, and ensure you
also rename any callers/imports of removeSSHRule to the new removeBootstrapRules
name to keep compilation intact.
data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml (1)

23-54: Consider adding explicit securityContext to harden the container.

While hostNetwork: true is required for konnectivity-agent functionality, adding explicit security controls can improve the pod's security posture. Even for bootstrap-only workloads, defining securityContext with allowPrivilegeEscalation: false is a reasonable hardening step if the application permits it.

🔒 Optional security hardening
       containers:
       - name: konnectivity-agent
         image: ${KONNECTIVITY_IMAGE}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         command:
         - /usr/bin/proxy-agent
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml`
around lines 23 - 54, Add an explicit securityContext to the konnectivity-agent
container to harden it: in the PodSpec under the container named
"konnectivity-agent" add a securityContext block (container-level) setting
allowPrivilegeEscalation: false and, if the binary supports non-root, set
runAsNonRoot: true and a non-zero runAsUser; also consider
readOnlyRootFilesystem: true and dropping all capabilities (capabilities: drop:
["ALL"]) to minimize privileges while ensuring the agent still functions with
hostNetwork: true.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@data/data/bootstrap/files/opt/openshift/konnectivity-server-pod.yaml`:
- Line 25: The Unix socket path for konnectivity-server is inconsistent:
konnectivity-server-pod.yaml creates the socket at
/etc/kubernetes/bootstrap-configs/konnectivity-server.socket but
egress-selector-config.yaml points to
/etc/kubernetes/config/konnectivity-server.socket; update one to match the
other. Fix by either changing the socket path in egress-selector-config.yaml to
/etc/kubernetes/bootstrap-configs/konnectivity-server.socket or altering the
konnectivity-server launch/config in konnectivity-server-pod.yaml to create the
socket under /etc/kubernetes/config/konnectivity-server.socket so both
references to konnectivity-server.socket match exactly.

In `@data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template`:
- Around line 42-61: konnectivity_manifests() currently exports
BOOTSTRAP_NODE_IP but assumes konnectivity_setup() populated it, which can lead
to an empty value in the daemonset manifest; update konnectivity_manifests() to
either re-detect and set BOOTSTRAP_NODE_IP using the same logic as
konnectivity_setup() (so envsubst produces a valid value) or validate that
BOOTSTRAP_NODE_IP is non-empty before calling envsubst and abort/record failure
with a clear error if it's unset; reference the konnectivity_manifests()
function, the BOOTSTRAP_NODE_IP variable, and the envsubst call that writes
manifests/konnectivity-agent-daemonset.yaml when making the change.

---

Nitpick comments:
In `@data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml`:
- Around line 23-54: Add an explicit securityContext to the konnectivity-agent
container to harden it: in the PodSpec under the container named
"konnectivity-agent" add a securityContext block (container-level) setting
allowPrivilegeEscalation: false and, if the binary supports non-root, set
runAsNonRoot: true and a non-zero runAsUser; also consider
readOnlyRootFilesystem: true and dropping all capabilities (capabilities: drop:
["ALL"]) to minimize privileges while ensuring the agent still functions with
hostNetwork: true.

In `@data/data/bootstrap/files/usr/local/bin/konnectivity-certs.sh`:
- Around line 17-22: The script konnectivity-certs.sh generates private keys
(ca.key, server.key, agent.key) using openssl without setting restrictive
permissions; after each key is created (identify the openssl req/newkey
invocations that write "${KONNECTIVITY_CERT_DIR}/ca.key" and the similar
server/agent key writes), explicitly set file mode to 0600 for those private key
files (for example by calling chmod 600 on each generated .key or on
"${KONNECTIVITY_CERT_DIR}"/*.key immediately after generation) to ensure keys
are not world-readable.

In `@pkg/infrastructure/aws/clusterapi/aws.go`:
- Around line 531-565: The function removeSSHRule should be renamed to
removeBootstrapRules and its internal log message (the logrus.Debug call that
currently says "Updated AWSCluster to remove bootstrap SSH rule") should be
updated to reflect that both SSH and Konnectivity rules are removed; update
references to awsmanifest.BootstrapSSHDescription and
awsmanifest.BootstrapKonnectivityDescription remain unchanged, and ensure you
also rename any callers/imports of removeSSHRule to the new removeBootstrapRules
name to keep compilation intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d7c2cba8-f144-4052-bf2f-59e7b3332489

📥 Commits

Reviewing files that changed from the base of the PR and between 883a6d8 and ce99dcf.

📒 Files selected for processing (18)
  • data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml
  • data/data/bootstrap/files/opt/openshift/konnectivity-agent-certs-secret.yaml
  • data/data/bootstrap/files/opt/openshift/konnectivity-agent-daemonset.yaml
  • data/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml
  • data/data/bootstrap/files/opt/openshift/konnectivity-namespace.yaml
  • data/data/bootstrap/files/opt/openshift/konnectivity-server-pod.yaml
  • data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
  • data/data/bootstrap/files/usr/local/bin/konnectivity-certs.sh
  • data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template
  • pkg/asset/manifests/aws/cluster.go
  • pkg/asset/manifests/azure/cluster.go
  • pkg/asset/manifests/ibmcloud/securitygroups.go
  • pkg/asset/manifests/powervs/securitygroups.go
  • pkg/gather/service/analyze.go
  • pkg/infrastructure/aws/clusterapi/aws.go
  • pkg/infrastructure/azure/azure.go
  • pkg/infrastructure/gcp/clusterapi/firewallrules.go
  • pkg/infrastructure/openstack/preprovision/securitygroups.go

Comment thread data/data/bootstrap/files/opt/openshift/konnectivity-server-pod.yaml Outdated
Comment thread data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template
Comment thread pkg/infrastructure/aws/clusterapi/aws.go Outdated
@patrickdillon

Copy link
Copy Markdown
Contributor Author

@CodeRabbit review

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/retest-required

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f1287fa0-65c2-11f1-918e-d510a8a6bcaa-0

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/test e2e-azure-ovn-techpreview e2e-aws-ovn-dualstack-ipv4-primary-techpreview e2e-aws-ovn-single-node e2e-azure-ovn-techpreview e2e-metal-single-node-live-iso

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/test e2e-aws-ovn-fips
/payload-job periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-openshift-tests-private-release-5.0-amd64-nightly-aws-ipi-shared-vpc-phz-sts-fips-openldap-mini-perm-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/738edb50-65c9-11f1-9131-ea27653968f2-0

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/payload-job periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-eusc-ipi-fips-tp-arm-f7
/payload-job periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-gcp-ipi-sno-fips-tp-mini-perm-amd-f28-destructive
/payload-job periodic-ci-openshift-verification-tests-main-installation-nightly-5.0-aws-usgov-ipi-custom-dns-mini-perm-arm-f7

Let's run fips to check konnectivity certs are OK 🤔 And why not custom-dns too

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@tthvo: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-eusc-ipi-fips-tp-arm-f7
  • periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-gcp-ipi-sno-fips-tp-mini-perm-amd-f28-destructive
  • periodic-ci-openshift-verification-tests-main-installation-nightly-5.0-aws-usgov-ipi-custom-dns-mini-perm-arm-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e90abbf0-65ca-11f1-8f46-61edf3ce7252-0

@tthvo

tthvo commented Jun 11, 2026

Copy link
Copy Markdown
Member

/payload-job periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-eusc-ipi-fips-tp-f28-destructive

I forgot we can only run arm64 payload job on PRs :D

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-eusc-ipi-fips-tp-f28-destructive

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e6f14970-65d8-11f1-9010-ff1b1af3885c-0

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/test e2e-aws-ovn-techpreview e2e-azure-ovn-techpreview

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/verified by e2e-aws-ovn-techpreview

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 23, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@patrickdillon: This PR has been marked as verified by e2e-aws-ovn-techpreview.

Details

In response to this:

/verified by e2e-aws-ovn-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 5004911 and 2 for PR HEAD f3ac64e in total

@tthvo

tthvo commented Jun 23, 2026

Copy link
Copy Markdown
Member

/tide refresh

@JoelSpeed

Copy link
Copy Markdown
Contributor

/override ci/prow/e2e-azure-ovn
/override ci/prow/e2e-openstack-ovn

These tests failed only on a test that is currently skipped, see openshift/origin#31297

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/e2e-azure-ovn, ci/prow/e2e-openstack-ovn

Details

In response to this:

/override ci/prow/e2e-azure-ovn
/override ci/prow/e2e-openstack-ovn

These tests failed only on a test that is currently skipped, see openshift/origin#31297

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@JoelSpeed

Copy link
Copy Markdown
Contributor

/retest-required

@tthvo

tthvo commented Jun 24, 2026

Copy link
Copy Markdown
Member

/test e2e-gcp-ovn

@tthvo

tthvo commented Jun 24, 2026

Copy link
Copy Markdown
Member

/retest-required
/tide refresh

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD a34cc48 and 1 for PR HEAD f3ac64e in total

@JoelSpeed

Copy link
Copy Markdown
Contributor

/test e2e-gcp-ovn

@JoelSpeed

Copy link
Copy Markdown
Contributor

@patrickdillon Are there any of these optional jobs that you see as important to have passed before this PR merges?

@patrickdillon

Copy link
Copy Markdown
Contributor Author

@patrickdillon Are there any of these optional jobs that you see as important to have passed before this PR merges?

No. None of the failures look relevant.

/skip

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-powervs-capi-ovn 80cb9f9 link false /test e2e-powervs-capi-ovn
ci/prow/e2e-aws-ovn-dualstack-ipv4-primary-techpreview 0438c00 link false /test e2e-aws-ovn-dualstack-ipv4-primary-techpreview
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups f3ac64e link false /test e2e-aws-ovn-shared-vpc-custom-security-groups
ci/prow/azure-private f3ac64e link false /test azure-private
ci/prow/e2e-aws-ovn-heterogeneous f3ac64e link false /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-ovn-single-node f3ac64e link false /test e2e-aws-ovn-single-node
ci/prow/e2e-metal-single-node-live-iso 0438c00 link false /test e2e-metal-single-node-live-iso
ci/prow/aws-private f3ac64e link false /test aws-private
ci/prow/e2e-aws-ovn-dualstack-ipv6-primary-techpreview 0438c00 link false /test e2e-aws-ovn-dualstack-ipv6-primary-techpreview
ci/prow/azure-ovn-marketplace-images f3ac64e link false /test azure-ovn-marketplace-images
ci/prow/e2e-gcp-xpn-dedicated-dns-project f3ac64e link false /test e2e-gcp-xpn-dedicated-dns-project
ci/prow/e2e-gcp-ovn-xpn f3ac64e link false /test e2e-gcp-ovn-xpn
ci/prow/e2e-gcp-custom-dns f3ac64e link false /test e2e-gcp-custom-dns
ci/prow/e2e-ibmcloud-ovn f3ac64e link false /test e2e-ibmcloud-ovn
ci/prow/e2e-azurestack f3ac64e link false /test e2e-azurestack
ci/prow/e2e-aws-byo-subnet-role-security-groups f3ac64e link false /test e2e-aws-byo-subnet-role-security-groups
ci/prow/e2e-gcp-ovn-byo-vpc f3ac64e link false /test e2e-gcp-ovn-byo-vpc
ci/prow/e2e-openstack-proxy f3ac64e link false /test e2e-openstack-proxy
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones f3ac64e link false /test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-aws-ovn-imdsv2 f3ac64e link false /test e2e-aws-ovn-imdsv2
ci/prow/e2e-gcp-xpn-custom-dns f3ac64e link false /test e2e-gcp-xpn-custom-dns
ci/prow/e2e-aws-ovn-fips f3ac64e link false /test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-techpreview f3ac64e link false /test e2e-aws-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/override ci/prow/e2e-gcp-ovn

failure looks unrelated, caught in retest hell

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: Overrode contexts on behalf of patrickdillon: ci/prow/e2e-gcp-ovn

Details

In response to this:

/override ci/prow/e2e-gcp-ovn

failure looks unrelated, caught in retest hell

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 16a0282 into openshift:main Jun 25, 2026
52 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants