OCPBUGS-98461: requeue CRR on transiently unavailable resources#8997
OCPBUGS-98461: requeue CRR on transiently unavailable resources#8997jparrill wants to merge 1 commit into
Conversation
Three return paths in ensureOldSignerCertificateRevoked and ensureNewSignerCertificatePropagated returned requeueSoon=false when a resource was transiently nil (signer secret, trust bundle ConfigMap). Without a synthetic requeue, the controller waited for a watch event that might never come — the same class of bug fixed in openshift#8563 for the stale trust bundle cache case. Change requeueSoon from false to true for these transient nil returns so the controller retries instead of stalling. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@jparrill: GitHub didn't allow me to request PR reviews from the following users: cewong. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
📝 WalkthroughWalkthroughThe certificate revocation controller now returns Suggested reviewers: 🚥 Pre-merge checks | ✅ 10 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (10 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jparrill The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jparrill: This pull request references Jira Issue OCPBUGS-98461, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test aws-e2e |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8997 +/- ##
=======================================
Coverage 43.80% 43.81%
=======================================
Files 772 772
Lines 96100 96100
=======================================
+ Hits 42097 42103 +6
+ Misses 51084 51080 -4
+ Partials 2919 2917 -2
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
control-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go (1)
2029-2042: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winCover the remaining changed requeue branches.
This test covers only the missing trust bundle during old-signer revocation. Verify that tests also cover missing signer data and missing trust bundles during new-signer propagation, plus a missing current signer during revocation; add focused subtests if they are not already covered.
As per coding guidelines, unit test any code changes and additions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@control-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go` around lines 2029 - 2042, Extend the certificate revocation controller tests around processCertificateRevocationRequest to cover each remaining requeue branch: missing signer data, missing trust bundle during new-signer propagation, and missing current signer during revocation. Add focused subtests using the existing revoked CRR, secret, controller, and expectation helpers, asserting no error and requeue=true for each transiently unavailable dependency.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In
`@control-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go`:
- Around line 2029-2042: Extend the certificate revocation controller tests
around processCertificateRevocationRequest to cover each remaining requeue
branch: missing signer data, missing trust bundle during new-signer propagation,
and missing current signer during revocation. Add focused subtests using the
existing revoked CRR, secret, controller, and expectation helpers, asserting no
error and requeue=true for each transiently unavailable dependency.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: d2b5c30b-21e6-49dd-9aaf-78481e22e58b
📒 Files selected for processing (2)
control-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller.gocontrol-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go
|
@jparrill: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@jparrill: This pull request references Jira Issue OCPBUGS-98461, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/lgtm |
|
Scheduling tests matching the |
|
Now I have all the evidence. Let me compile the final report: Test Failure Analysis CompleteJob Information
Test Failure AnalysisErrorSummaryThe Root CauseThe This is a transient infrastructure timing issue during hosted cluster initialization. The API server (or its TLS termination) was not yet fully ready when the CNO first attempted to connect. This is a known pattern in HyperShift hosted clusters where control plane components start concurrently and race against API server readiness. The This failure is unrelated to PR #8997, which only modifies Recommendations
Evidence
|
Summary
requeueSoonfromfalsetotruein 6 return paths acrossensureOldSignerCertificateRevokedandensureNewSignerCertificatePropagatedwhere a resource is transiently nilFixes
Root Cause
CertificateRevocationRequest operations stall at
PreviousCertificatesRevoked=Falsefor 10+ minutes (3/8 runs, Jul 8-10, most frequent CI failure). #8563 fixed one instance of this class of bug (stale trust bundle cache returningrequeueSoon=false), but three other return paths in each function have the same issue::690,:1011secretForSignerClassnot foundrequeueSoon=falserequeueSoon=true:698,:1018requeueSoon=falserequeueSoon=true:717,:1029requeueSoon=falserequeueSoon=trueWhen any of these resources is transiently unavailable (being re-created, not yet propagated), the controller returned
needsWork=true, requeueSoon=false— waiting for a watch event that might never come. WithrequeueSoon=true, it retries on the next synthetic requeue.Frequency
3/8 runs in Jul 8-10 window. Most frequent issue in
e2e-aws-ovn. One CRR completed in 2min while a parallel one in the same run stalled for 10min+ — consistent with a transient resource availability race.Test plan
go test ./control-plane-pki-operator/certificaterevocationcontroller/— all passmake lint— 0 issuesmake verify— clean (except expected uncommitted files)/cc @csrwng
🤖 Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
Tests