CNTRLPLANE-3518: pkg/testsuites: add parent kms test suite

[flavianmissi]

add parent kms test suite in order to make it easier for plugin vendors to run all kms tests with a single command

Summary by CodeRabbit

• Tests
  • Added a new OpenShift KMS test suite aggregating KMS encryption end-to-end tests.
  • Runs sequentially (parallelism = 1) with an extended 240-minute timeout.
  • Marked as disruptive to cluster stability to reflect its scope.
  • Qualifier filter excludes tests tagged as [Flaky] or [Disabled:].
  • Includes metadata to ensure consistent execution.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Registers a new built-in test suite openshift/kms in the test suite registry with qualifiers for the KMSEncryption feature and runtime settings: Parallelism 1 and TestTimeout 4 hours.

Changes

KMS Test Suite Registration

Layer / File(s)	Summary
KMS test suite configuration pkg/testsuites/standard_suites.go	Adds openshift/kms to staticSuites with description, qualifier filter (KMSEncryption feature gate; exclude flaky/disabled), Parallelism: 1, TestTimeout: 4 * time.Hour, and ClusterStabilityDuringTest: ginkgo.Disruptive.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR change adds a static suite entry 'openshift/kms' in standard_suites.go; file contains no Ginkgo It/Describe/Context/When titles with dynamic pod/node/ns/time/UUID data.
Test Structure And Quality	✅ Passed	PR only adds a new test suite entry in pkg/testsuites/standard_suites.go; repo contains no Ginkgo It/Describe/Eventually/Consistently/BeforeEach/AfterEach there, so the quality requirements are not...
Microshift Test Compatibility	✅ Passed	PR adds only the openshift/kms parent suite in pkg/testsuites/standard_suites.go (Parallelism=1, timeout=4h, disruptive; excludes Flaky/Disabled). No new Ginkgo It/Describe/Context/When tests to as...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR #31267 only adds the parent Ginkgo suite "openshift/kms" in pkg/testsuites/standard_suites.go (+15/-0); the diff contains no new g.It/Describe/Context tests or SNO-relevant multi-node assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Inspected pkg/testsuites/standard_suites.go: PR only adds built-in test suite “openshift/kms” config (parallelism/timeout/qualifiers). No new scheduling constraints (anti-affinity/topologySpread/no...
Ote Binary Stdout Contract	✅ Passed	PR #31267 changes only pkg/testsuites/standard_suites.go; added openshift/kms suite has no fmt.Print/fmt.Printf/fmt.Println or os.Stdout/klog calls. Only logrus.Warning (not stdout) is present.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR only adds an openshift/kms suite entry in pkg/testsuites/standard_suites.go; it contains no new Ginkgo It/Describe/Context/When tests and no IPv4/external-network logic.
No-Weak-Crypto	✅ Passed	PR only adds a new ginkgo test suite entry (openshift/kms) in pkg/testsuites/standard_suites.go; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons added.
Container-Privileges	✅ Passed	PR changes only pkg/testsuites/standard_suites.go, adding a KMS test suite; no container/K8s manifest privileges (privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation/runAsRoot...
No-Sensitive-Data-In-Logs	✅ Passed	Inspected pkg/testsuites/standard_suites.go: new openshift/kms suite is static metadata; no logrus/klog/t.Log calls added that include tokens/passwords/PII/internal hostnames.
Title check	✅ Passed	The pull request title accurately describes the main change: adding a parent KMS test suite to standard_suites.go, which aligns with the core objective of aggregating KMS tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: flavianmissi, gangwgr
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-trt]

Job Failure Risk Analysis for sha: 38c1b00

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn	Low [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel] This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:gcp Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6	Low [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel] This test has passed 0.00% of 1 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv6 OS:rhcos9 Owner:eng Platform:metal Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn	Low [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel] This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi	Low [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel] This test has passed 0.00% of 3 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:upi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@flavianmissi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	9481155	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[flavianmissi]

/retitle CNTRLPLANE-3518: pkg/testsuites: add parent kms test suite

[openshift-ci-robot]

@flavianmissi: This pull request references CNTRLPLANE-3518 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

add parent kms test suite in order to make it easier for plugin vendors to run all kms tests with a single command

Summary by CodeRabbit

• Tests
• Added a new OpenShift KMS test suite aggregating KMS encryption end-to-end tests.
• Runs sequentially (parallelism = 1) with an extended 240-minute timeout.
• Marked as disruptive to cluster stability to reflect its scope.
• Qualifier filter excludes tests tagged as [Flaky] or [Disabled:].
• Includes metadata to ensure consistent execution.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[flavianmissi]

/test ci/prow/verify

[openshift-ci]

@flavianmissi: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test e2e-aws-csi

/test e2e-aws-jenkins

/test e2e-aws-ovn-fips

/test e2e-aws-ovn-image-registry

/test e2e-aws-ovn-microshift

/test e2e-aws-ovn-microshift-serial

/test e2e-aws-ovn-serial-1of2

/test e2e-aws-ovn-serial-2of2

/test e2e-gcp-csi

/test e2e-gcp-ovn

/test e2e-gcp-ovn-builds

/test e2e-gcp-ovn-image-ecosystem

/test e2e-gcp-ovn-upgrade

/test e2e-metal-ipi-ovn-ipv6

/test e2e-vsphere-ovn

/test e2e-vsphere-ovn-upi

/test go-verify-deps

/test images

/test lint

/test okd-scos-images

/test unit

/test verify

/test verify-deps

/test verify-image-manifest-lists

The following commands are available to trigger optional jobs:

/test e2e-agnostic-ovn-cmd

/test e2e-aws-disruptive

/test e2e-aws-etcd-certrotation

/test e2e-aws-etcd-recovery

/test e2e-aws-ovn

/test e2e-aws-ovn-cgroupsv2

/test e2e-aws-ovn-dra-example

/test e2e-aws-ovn-edge-zones

/test e2e-aws-ovn-etcd-scaling

/test e2e-aws-ovn-kube-apiserver-rollout

/test e2e-aws-ovn-kubevirt

/test e2e-aws-ovn-serial-fast

/test e2e-aws-ovn-serial-ipsec

/test e2e-aws-ovn-serial-publicnet-1of2

/test e2e-aws-ovn-serial-publicnet-2of2

/test e2e-aws-ovn-single-node

/test e2e-aws-ovn-single-node-serial

/test e2e-aws-ovn-single-node-techpreview

/test e2e-aws-ovn-single-node-techpreview-serial

/test e2e-aws-ovn-single-node-upgrade

/test e2e-aws-ovn-upgrade

/test e2e-aws-ovn-upgrade-rollback

/test e2e-aws-ovn-upi

/test e2e-aws-proxy

/test e2e-aws-tls-observed-config

/test e2e-aws-tls-observed-config-fips

/test e2e-aws-tls-observed-config-hypershift

/test e2e-azure

/test e2e-azure-ovn-etcd-scaling

/test e2e-azure-ovn-upgrade

/test e2e-baremetalds-kubevirt

/test e2e-external-aws

/test e2e-external-aws-ccm

/test e2e-external-vsphere-ccm

/test e2e-gcp-disruptive

/test e2e-gcp-fips-serial-1of2

/test e2e-gcp-fips-serial-2of2

/test e2e-gcp-ovn-etcd-scaling

/test e2e-gcp-ovn-kube-apiserver-rollout

/test e2e-gcp-ovn-rt-upgrade

/test e2e-gcp-ovn-techpreview

/test e2e-gcp-ovn-techpreview-serial-1of2

/test e2e-gcp-ovn-techpreview-serial-2of2

/test e2e-gcp-ovn-usernamespace

/test e2e-hypershift-conformance

/test e2e-metal-ipi-ovn

/test e2e-metal-ipi-ovn-bgp-virt-dualstack

/test e2e-metal-ipi-ovn-bgp-virt-dualstack-techpreview

/test e2e-metal-ipi-ovn-dualstack

/test e2e-metal-ipi-ovn-dualstack-bgp

/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw

/test e2e-metal-ipi-ovn-dualstack-local-gateway

/test e2e-metal-ipi-ovn-kube-apiserver-rollout

/test e2e-metal-ipi-serial-1of2

/test e2e-metal-ipi-serial-2of2

/test e2e-metal-ipi-serial-ovn-ipv6-1of2

/test e2e-metal-ipi-serial-ovn-ipv6-2of2

/test e2e-metal-ipi-virtualmedia

/test e2e-metal-ovn-single-node-live-iso

/test e2e-metal-ovn-single-node-with-worker-live-iso

/test e2e-metal-ovn-two-node-arbiter

/test e2e-metal-ovn-two-node-fencing

/test e2e-metal-ovn-two-node-fencing-recovery

/test e2e-openstack-dualstack-v6primary

/test e2e-openstack-ovn

/test e2e-openstack-serial

/test e2e-vsphere-ovn-etcd-scaling

/test okd-scos-e2e-aws-ovn

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-origin-main-go-verify-deps

pull-ci-openshift-origin-main-images

pull-ci-openshift-origin-main-lint

pull-ci-openshift-origin-main-okd-scos-images

pull-ci-openshift-origin-main-unit

pull-ci-openshift-origin-main-verify

pull-ci-openshift-origin-main-verify-deps

Details

In response to this:

/test ci/prow/verify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.