Skip to content

OCPBUGS-98465: add diagnostic logging to pull secret propagation test#8991

Open
jparrill wants to merge 1 commit into
openshift:mainfrom
jparrill:OCPBUGS-98465
Open

OCPBUGS-98465: add diagnostic logging to pull secret propagation test#8991
jparrill wants to merge 1 commit into
openshift:mainfrom
jparrill:OCPBUGS-98465

Conversation

@jparrill

@jparrill jparrill commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Add diagnostic logging to the EnsureGlobalPullSecret pull secret propagation test. This is NOT a fix — we don't have sufficient evidence to determine the root cause yet.

Fixes

Why this PR exists

The pull secret propagation test fails ~1/14 runs but provides zero diagnostic information when it does. The Eventually loops silently swallow all errors, making it impossible to distinguish between:

  1. HO didn't sync — the Secret never reaches the CP namespace
  2. HCCO didn't reconcile — the CP namespace has the update but the guest cluster doesn't
  3. KAS unreachable — the propagation succeeded but guestClient.Get() fails because the guest API server is down

Evidence from the single observed failure (build 2075336365863604224, Jul 9) shows KAS i/o timeout errors on the same guest cluster during the test window, suggesting scenario 3 — but we can't confirm without diagnostic data.

What this PR changes

  • Stage 1 check: On each retry, reads the pull secret from the CP namespace and logs whether the HO has synced the dummy entry
  • Stage 2 check: Logs the guestClient.Get() error instead of silently returning false
  • Timeout: 150s → 5min defensively (with 10s polling instead of 5s to reduce log noise)
  • Same changes applied to both openshift-config/pull-secret and kube-system/original-pull-secret waits

What happens next

Once this merges, we wait for the test to fail again. The logs will tell us exactly where the propagation stalls, and we'll file the real fix.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Improved verification that global pull-secret updates propagate correctly across control-plane and guest environments.
    • Added clearer staged checks and logging to help identify propagation delays or failures without requiring a NodePool rollout.
  • Tests

    • Strengthened end-to-end coverage for in-place pull-secret updates and synchronization across supported locations.

…n test

This is NOT a fix — we don't have enough data to determine the root
cause yet. The test currently swallows all errors silently, making it
impossible to triage failures.

Add stage-by-stage logging to the pull secret propagation Eventually
loops so the next failure reveals WHERE the propagation stalls:
- Stage 1: whether HO synced the Secret to the CP namespace
- Stage 2: whether guestClient.Get() fails (KAS unreachable) or the
  Secret exists but lacks the expected entry (HCCO not reconciled)

Also increase timeout from 150s to 5min defensively — the single
observed failure (1/14 runs, Jul 9) showed KAS i/o timeouts on the
guest cluster, suggesting the propagation may have succeeded but the
test couldn't verify it due to an unreachable API server.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@jparrill

Copy link
Copy Markdown
Contributor Author

/test e2e-aws

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

The end-to-end pull-secret propagation test now verifies reconciliation in three stages: the control-plane namespace, the guest openshift-config/pull-secret, and the guest kube-system/original-pull-secret. Each stage uses polling, explicit timeouts, fixed intervals, and additional logging.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error New t.Logf calls print raw client errors; those errors can include API URLs/hostnames, so logs may leak internal hostnames. Sanitize or summarize the client errors instead of logging %v directly, or redact any host/URL before emitting the message.
✅ Passed checks (10 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed EnsureGlobalPullSecret uses static t.Run titles; the PR changes only logging/timeouts, with no dynamic or interpolated test names.
Test Structure And Quality ✅ Passed The changed test keeps one cohesive scenario, restores state via t.Cleanup, and all cluster waits now use bounded Eventually timeouts with useful failure messages.
Topology-Aware Scheduling Compatibility ✅ Passed Only e2e test logging/timeout changes were made; no manifests, controllers, or scheduling constraints were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The change only adds logging and longer polling in secret-propagation waits; it introduces no new IPv4-only logic or external connectivity requirements.
No-Weak-Crypto ✅ Passed Diff only adds logging, timeouts, and bytes.Contains checks; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token constant-time compare were introduced.
Container-Privileges ✅ Passed PR only changes test logging/timeouts in util.go; no container/K8s manifest fields like privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation were added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding diagnostic logging to the pull secret propagation test.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the area/testing Indicates the PR includes changes for e2e testing label Jul 13, 2026
@openshift-ci openshift-ci Bot requested review from Nirshal and ironcladlou July 13, 2026 16:10
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 13, 2026
@jparrill

Copy link
Copy Markdown
Contributor Author

/hold until we find the underneath issue which is causing the flake.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 13, 2026
@jparrill jparrill changed the title test(OCPBUGS-98465): add diagnostic logging to pull secret propagation test OCPBUGS-98465: add diagnostic logging to pull secret propagation test Jul 13, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 13, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@jparrill: This pull request references Jira Issue OCPBUGS-98465, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Add diagnostic logging to the EnsureGlobalPullSecret pull secret propagation test. This is NOT a fix — we don't have sufficient evidence to determine the root cause yet.

Fixes

Why this PR exists

The pull secret propagation test fails ~1/14 runs but provides zero diagnostic information when it does. The Eventually loops silently swallow all errors, making it impossible to distinguish between:

  1. HO didn't sync — the Secret never reaches the CP namespace
  2. HCCO didn't reconcile — the CP namespace has the update but the guest cluster doesn't
  3. KAS unreachable — the propagation succeeded but guestClient.Get() fails because the guest API server is down

Evidence from the single observed failure (build 2075336365863604224, Jul 9) shows KAS i/o timeout errors on the same guest cluster during the test window, suggesting scenario 3 — but we can't confirm without diagnostic data.

What this PR changes

  • Stage 1 check: On each retry, reads the pull secret from the CP namespace and logs whether the HO has synced the dummy entry
  • Stage 2 check: Logs the guestClient.Get() error instead of silently returning false
  • Timeout: 150s → 5min defensively (with 10s polling instead of 5s to reduce log noise)
  • Same changes applied to both openshift-config/pull-secret and kube-system/original-pull-secret waits

What happens next

Once this merges, we wait for the test to fail again. The logs will tell us exactly where the propagation stalls, and we'll file the real fix.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

  • Improved verification that global pull-secret updates propagate correctly across control-plane and guest environments.

  • Added clearer staged checks and logging to help identify propagation delays or failures without requiring a NodePool rollout.

  • Tests

  • Strengthened end-to-end coverage for in-place pull-secret updates and synchronization across supported locations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/e2e/util/util.go (2)

2083-2083: 🧹 Nitpick | 🔵 Trivial

Worst-case runtime for this subtest jumps meaningfully.

Combined, the two sequential Eventually calls can now take up to 5 minutes each (10 minutes total) versus the prior 150s-based timeouts, on top of the rest of the already-long EnsureGlobalPullSecret flow. Since this change is explicitly diagnostic-only (per PR objective) and not a fix for the underlying flake, worth confirming the team is comfortable with the added CI time budget this could add on every run of this e2e test, especially if it needs to hit the full timeout repeatedly across retries.

Also applies to: 2094-2094

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/util/util.go` at line 2083, Reduce the timeouts for the sequential
Eventually calls in EnsureGlobalPullSecret, including the assertion for
openshift-config/pull-secret propagation, so their combined worst-case duration
does not substantially increase the e2e test runtime. Preserve the diagnostic
behavior and existing polling interval while restoring the prior overall timeout
budget.

2061-2094: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract the repeated poll-and-check pattern into a helper.

The Get + bytes.Contains(..., []byte("e2e-dummy.example.com")) pattern is repeated three times (CP namespace secret, guest openshift-config/pull-secret, guest kube-system/original-pull-secret) with the dummy marker string duplicated as a literal in each spot. A small shared helper would reduce duplication and centralize the marker string, lowering the risk of a typo diverging one check from the others.

♻️ Suggested helper extraction
const dummyPullSecretAuthKey = "e2e-dummy.example.com"

func hasDummyEntry(data []byte) bool {
	return bytes.Contains(data, []byte(dummyPullSecretAuthKey))
}

Then reuse hasDummyEntry(...) at lines 2072, 2082, and 2094, and reference dummyPullSecretAuthKey at line 2053.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/util/util.go` around lines 2061 - 2094, Extract the repeated dummy
pull-secret check into a shared helper near the surrounding test utilities,
centralizing the marker in a named constant. Update the CP namespace check and
both guest secret checks in the existing Eventually callbacks to call the
helper, and use the constant wherever the dummy marker is logged or referenced,
including the setup at the earlier marker location.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e/util/util.go`:
- Line 2083: Reduce the timeouts for the sequential Eventually calls in
EnsureGlobalPullSecret, including the assertion for openshift-config/pull-secret
propagation, so their combined worst-case duration does not substantially
increase the e2e test runtime. Preserve the diagnostic behavior and existing
polling interval while restoring the prior overall timeout budget.
- Around line 2061-2094: Extract the repeated dummy pull-secret check into a
shared helper near the surrounding test utilities, centralizing the marker in a
named constant. Update the CP namespace check and both guest secret checks in
the existing Eventually callbacks to call the helper, and use the constant
wherever the dummy marker is logged or referenced, including the setup at the
earlier marker location.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 65f3f336-80b8-4a76-a1f5-e55328cd8c35

📥 Commits

Reviewing files that changed from the base of the PR and between 65839bb and d5081ac.

📒 Files selected for processing (1)
  • test/e2e/util/util.go

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.79%. Comparing base (845ed6f) to head (d5081ac).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8991   +/-   ##
=======================================
  Coverage   43.79%   43.79%           
=======================================
  Files         772      772           
  Lines       96037    96045    +8     
=======================================
+ Hits        42061    42067    +6     
- Misses      51061    51063    +2     
  Partials     2915     2915           

see 1 file with indirect coverage changes

Flag Coverage Δ
cmd-support 37.43% <ø> (ø)
cpo-hostedcontrolplane 45.91% <ø> (ø)
cpo-other 45.11% <ø> (ø)
hypershift-operator 54.07% <ø> (ø)
other 32.12% <ø> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cwbotbot

cwbotbot commented Jul 13, 2026

Copy link
Copy Markdown

Test Results

e2e-aws

Failed Tests

Total failed tests: 1

  • TestCreateClusterPrivate

@jparrill

Copy link
Copy Markdown
Contributor Author

/test e2e-aws

@jparrill

Copy link
Copy Markdown
Contributor Author

Trying to reproduce the propagation flake issue...

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@jparrill: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws d5081ac link true /test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@hypershift-jira-solve-ci

Copy link
Copy Markdown
Contributor

I have all the evidence. The analysis is clear. Here is the final report:

Test Failure Analysis Complete

Job Information

Test Failure Analysis

Error

hypershift_framework.go:518: failed to create cluster, tearing down: failed to create infra:
cannot create VPC S3 endpoint: operation error EC2: CreateVpcEndpoint, exceeded maximum number
of attempts, 11, https response error StatusCode: 503, RequestID: 9171f5a2-ac0e-4446-8d69-eb20ebe51cfe,
api error RequestLimitExceeded: Request limit exceeded. Account 820196288204 has been throttled
on ec2:CreateVpcEndpoint because it exceeded its request rate limit.

Summary

The sole failing test TestCreateClusterPrivate (1 failure out of 620 tests, 29 skipped) was unable to create its VPC S3 endpoint because AWS account 820196288204 was throttled on the ec2:CreateVpcEndpoint API. The test retried the call 11 times over ~103 seconds and received HTTP 503 RequestLimitExceeded on every attempt. This is an AWS-side rate-limit enforcement on the shared CI account, not a product or test code bug. The PR under test (#8991) only adds diagnostic logging to EnsureGlobalPullSecret in test/e2e/util/util.go — it does not touch infrastructure creation, VPC code, or TestCreateClusterPrivate. The test that the PR actually modifies (TestPullSecretUnavailable) passed in 682 seconds. All other 590 non-skipped tests passed as well.

Root Cause

AWS EC2 API rate-limiting (RequestLimitExceeded) on the shared CI account.

The HyperShift e2e suite runs ~20 tests in parallel, each creating its own HostedCluster with dedicated AWS infrastructure (VPCs, subnets, endpoints, etc.). At the moment TestCreateClusterPrivate attempted to call ec2:CreateVpcEndpoint, the shared CI AWS account (820196288204) had already exceeded its request rate limit for that API — likely due to the burst of parallel cluster creations from other tests in the same run (and potentially other concurrent CI jobs sharing the account).

The infrastructure creation sequence for TestCreateClusterPrivate shows it successfully created: VPC, DHCP options, internet gateway, subnet, route table, and route associations. It then failed at the VPC S3 endpoint creation step. The AWS SDK retried 11 times (the configured maximum) with backoff, but the throttling persisted for the entire retry window, resulting in the test failing after 103 seconds.

This failure is not related to PR #8991. The PR modifies only test/e2e/util/util.go to add diagnostic logging to the EnsureGlobalPullSecret function used by TestPullSecretUnavailable. No infrastructure creation code, VPC endpoint code, or TestCreateClusterPrivate code was changed. The test that the PR targets (TestPullSecretUnavailable) passed successfully.

Recommendations
  1. Retest the PR — This failure is an AWS infrastructure flake unrelated to the code changes. A /retest should pass.
  2. No code changes needed — The PR's changes to EnsureGlobalPullSecret logging are orthogonal to the TestCreateClusterPrivate infrastructure creation path.
  3. Known flake patternRequestLimitExceeded on VPC endpoint creation in the shared CI account is a known transient issue when many parallel tests hit AWS API limits simultaneously.
Evidence
Evidence Detail
Failing test TestCreateClusterPrivate — 1 of 620 tests failed (103.31s)
Error type AWS EC2 RequestLimitExceeded — HTTP 503 on ec2:CreateVpcEndpoint
AWS Account 820196288204 (shared CI account)
Retry attempts 11 (maximum reached)
RequestID 9171f5a2-ac0e-4446-8d69-eb20ebe51cfe
PR changes test/e2e/util/util.go only — adds logging to EnsureGlobalPullSecret
PR target test TestPullSecretUnavailablePASSED (682.53s)
Other tests 590 passed, 29 skipped, 0 other failures
Infra log VPC, DHCP, IGW, subnet, route table all created successfully before throttle hit
Related test TestCreateClusterPrivateWithRouteKASPASSED (1771.83s), same private-cluster pattern
Test parallelism 20 concurrent tests creating clusters, causing burst AWS API load

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/testing Indicates the PR includes changes for e2e testing do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants