Merge pull request #5547 from djoshy/implement-skew-enforcement-e2e

MCO-1984: Add Component Readiness tests for boot image skew enforcement

Author: openshift-merge-bot[bot]

test/extended-priv/clusteroperator.go

@@ -0,0 +1,26 @@
+package extended
+
+import (
+	exutil "github.com/openshift/machine-config-operator/test/extended-priv/util"
+)
+
+// ClusterOperator struct is used to handle ClusterOperator resources in OCP
+type ClusterOperator struct {
+	template string
+	Resource
+}
+
+// ClusterOperatorList struct handles list of COs
+type ClusterOperatorList struct {
+	ResourceList
+}
+
+// NewClusterOperator create a ClusterOperator struct
+func NewClusterOperator(oc *exutil.CLI, name string) *ClusterOperator {
+	return &ClusterOperator{Resource: *NewResource(oc, "co", name)}
+}
+
+// NewClusterOperatorList create a ClusterOperatorList struct
+func NewClusterOperatorList(oc *exutil.CLI) *ClusterOperatorList {
+	return &ClusterOperatorList{*NewResourceList(oc, "co")}
+}

test/extended-priv/const.go

@@ -95,4 +95,16 @@ const (
 	NodeDisruptionPolicyActionRestart      = "Restart"
 	NodeDisruptionPolicyActionDrain        = "Drain"
 	NodeDisruptionPolicyActionDaemonReload = "DaemonReload"
+	// BootImageSkewEnforcement feature constants
+
+	// RHCOSVersionMode is used to signify that the cluster boot image is described via RHCOS version
+	RHCOSVersionMode = "RHCOSVersion"
+	// OCPVersionMode is used to signify that the cluster boot image is described via OCP version
+	OCPVersionMode = "OCPVersion"
+	// SkewEnforcementManualMode indicates boot image updates require manual intervention
+	SkewEnforcementManualMode = "Manual"
+	// SkewEnforcementAutomaticMode indicates boot image updates are applied automatically
+	SkewEnforcementAutomaticMode = "Automatic"
+	// SkewEnforcementNoneMode indicates boot image skew enforcement is disabled
+	SkewEnforcementNoneMode = "None"
 )

test/extended-priv/gomega_matchers.go

@@ -171,3 +171,8 @@ func (matcher *AvailableMatcher) NegatedFailureMessage(actual interface{}) (mess
 func BeAvailable() types.GomegaMatcher {
 	return &DegradedMatcher{&conditionMatcher{conditionType: "Available", field: "status", expected: "True"}}
 }
+
+// BeUpgradeable returns the gomega matcher to check if a resource is upgradeable or not.
+func BeUpgradeable() types.GomegaMatcher {
+	return &conditionMatcher{conditionType: "Upgradeable", field: "status", expected: "True"}
+}

test/extended-priv/machineconfiguration.go

@@ -1,8 +1,10 @@
 package extended
 
 import (
+	"fmt"
 	"strings"
 
+	o "github.com/onsi/gomega"
 	exutil "github.com/openshift/machine-config-operator/test/extended-priv/util"
 	logger "github.com/openshift/machine-config-operator/test/extended-priv/util/logext"
 )
@@ -83,18 +85,18 @@ func (mc MachineConfiguration) GetAllManagedBootImagesResources() ([]string, err
 	return strings.Fields(result), nil
 }
 
-// SetManualSkew configures bootImageSkewEnforcement to Manual mode with the specified mode type and version.
+// SetManualSkew configures bootImageSkewEnforcement to Manual mode with the specified mode type and version./
 // mode should be "RHCOSVersion" or "OCPVersion", version is the corresponding version string.
 func (mc MachineConfiguration) SetManualSkew(mode, version string) error {
 	logger.Infof("Setting .spec.bootImageSkewEnforcement to Manual mode (%s: %s) on %s", mode, version, mc)
 	var versionField string
 	switch mode {
-	case "RHCOSVersion":
+	case RHCOSVersionMode:
 		versionField = `"rhcosVersion":"` + version + `"`
-	case "OCPVersion":
+	case OCPVersionMode:
 		versionField = `"ocpVersion":"` + version + `"`
 	default:
-		versionField = `"rhcosVersion":"` + version + `"`
+		return fmt.Errorf("unsupported manual skew mode: %s", mode)
 	}
 	return mc.Patch("merge", `{"spec":{"bootImageSkewEnforcement":{"mode":"Manual","manual":{"mode":"`+mode+`",`+versionField+`}}}}`)
 }
@@ -118,3 +120,31 @@ func (mc MachineConfiguration) RemoveSkew() error {
 	}
 	return mc.Patch("json", `[{ "op": "remove", "path": "/spec/bootImageSkewEnforcement"}]`)
 }
+
+// GetBootImageSkewEnforcementStatusMode returns the .status.bootImageSkewEnforcementStatus.mode field
+func (mc MachineConfiguration) GetBootImageSkewEnforcementStatusMode() (string, error) {
+	return mc.Get(`{.status.bootImageSkewEnforcementStatus.mode}`)
+}
+
+// WaitForBootImageSkewEnforcementStatusMode waits for the bootImageSkewEnforcementStatus.mode to reach the expected value
+func (mc MachineConfiguration) WaitForBootImageSkewEnforcementStatusMode(expectedMode string) {
+	o.Eventually(mc.GetBootImageSkewEnforcementStatusMode, "2m", "10s").Should(o.Equal(expectedMode))
+}
+
+// WaitForBootImageControllerComplete waits for the boot image controller to finish processing
+// (BootImageUpdateProgressing=False)
+func (mc MachineConfiguration) WaitForBootImageControllerComplete() {
+	o.Eventually(mc.IsConditionStatusTrue, "2m", "2s").WithArguments("BootImageUpdateProgressing").
+		Should(o.BeFalse(), "Expected %s BootImageUpdateProgressing to be False.\n%s", mc, mc.PrettyString())
+}
+
+// WaitForBootImageControllerDegradedState waits for the boot image controller to be in the expected degraded state
+func (mc MachineConfiguration) WaitForBootImageControllerDegradedState(degraded bool) {
+	if degraded {
+		o.Eventually(mc.IsConditionStatusTrue, "2m", "2s").WithArguments("BootImageUpdateDegraded").
+			Should(o.BeTrue(), "Expected %s BootImageUpdateDegraded to be True.\n%s", mc, mc.PrettyString())
+	} else {
+		o.Eventually(mc.IsConditionStatusTrue, "2m", "2s").WithArguments("BootImageUpdateDegraded").
+			Should(o.BeFalse(), "Expected %s BootImageUpdateDegraded to be False.\n%s", mc, mc.PrettyString())
+	}
+}

test/extended-priv/mco_bootimages.go

@@ -54,7 +54,7 @@ var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/longdurati
 		var (
 			duplicatedMachinesetName = fmt.Sprintf("cloned-tc-%s", GetCurrentTestPolarionIDNumber())
 			firstMachineSet          = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-			fakeImageName            = GetValidUpdateBootImageValue(oc.AsAdmin())
+			fakeImageName            = getBackdatedBootImage(oc.AsAdmin())
 		)
 
 		exutil.By("Duplicate machineset for testing")
@@ -112,7 +112,7 @@ var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/longdurati
 	g.It("[PolarionID:74240][OTP] ManagedBootImages. Restore All MachineSet images", g.Label("Platform:aws", "Platform:gcp", "Platform:vsphere", "Platform:azure"), func() {
 		var (
 			machineSet                 = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-			fakeImageName              = GetValidUpdateBootImageValue(oc.AsAdmin())
+			fakeImageName              = getBackdatedBootImage(oc.AsAdmin())
 			clonedMSName               = "cloned-tc-74240"
 			clonedWrongBootImageMSName = "cloned-tc-74240-wrong-boot-image"
 			clonedOwnedMSName          = "cloned-tc-74240-owned"
@@ -219,7 +219,7 @@ var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/longdurati
 	g.It("[PolarionID:74239][OTP] ManagedBootImages. Restore Partial MachineSet images", g.Label("Platform:aws", "Platform:gcp", "Platform:vsphere", "Platform:azure"), func() {
 		var (
 			machineSet             = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-			fakeImageName          = GetValidUpdateBootImageValue(oc.AsAdmin())
+			fakeImageName          = getBackdatedBootImage(oc.AsAdmin())
 			clonedMSLabelName      = "cloned-tc-74239-label"
 			clonedMSNoLabelName    = "cloned-tc-74239-no-label"
 			clonedMSLabelOwnedName = "cloned-tc-74239-label-owned"
@@ -316,7 +316,7 @@ var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/longdurati
 		var (
 			machineConfiguration        = GetMachineConfiguration(oc.AsAdmin())
 			machineSet                  = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-			fakeImageName               = GetValidUpdateBootImageValue(oc.AsAdmin())
+			fakeImageName               = getBackdatedBootImage(oc.AsAdmin())
 			clonedMSName                = "cloned-tc-74751-copy"
 			labelName                   = "test"
 			labelValue                  = "update"
@@ -508,7 +508,7 @@ var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/longdurati
 
 			machineConfiguration = GetMachineConfiguration(oc.AsAdmin())
 			machineSet           = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-			fakeImageName        = GetValidUpdateBootImageValue(oc.AsAdmin())
+			fakeImageName        = getBackdatedBootImage(oc.AsAdmin())
 			labelName            = "test"
 			labelValue           = "update"
 
@@ -788,13 +788,27 @@ func getCoreOsBootImageFromConfigMapOrFail(platform, region string, arch archite
 	return image
 }
 
+// GetRHCOSVersionFromConfigMap retrieves the RHCOS release version from the coreos-bootimages ConfigMap
+func GetRHCOSVersionFromConfigMap(oc *exutil.CLI) string {
+	coreosBootimagesCM := NewConfigMap(oc.AsAdmin(), MachineConfigNamespace, "coreos-bootimages")
+	streamJSON, err := coreosBootimagesCM.GetDataValue("stream")
+	o.Expect(err).NotTo(o.HaveOccurred(), "Error getting stream data from coreos-bootimages configmap")
+
+	parsedStream := gjson.Parse(streamJSON)
+	// Get the release version from  aws artifacts
+	rhcosVersion := parsedStream.Get("architectures.x86_64.artifacts.aws.release").String()
+	o.Expect(rhcosVersion).NotTo(o.BeEmpty(), "RHCOS version not found in coreos-bootimages configmap")
+
+	return rhcosVersion
+}
+
 // testUserDataUpdateFailure function that executes the common parts of the update spec v3 negative test cases
 func testUserDataUpdateFailure(oc *exutil.CLI, clonedMSName, clonedSecretName, expectedFailedMessageRegexp string, userDataModifyFunc func(userData string) (string, error)) {
 
 	var (
 		machineConfiguration     = GetMachineConfiguration(oc.AsAdmin())
 		machineSet               = NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
-		fakeImageName            = GetValidUpdateBootImageValue(oc.AsAdmin())
+		fakeImageName            = getBackdatedBootImage(oc.AsAdmin())
 		labelName                = "test"
 		labelValue               = "update"
 		secondLabelValue         = "update2"
@@ -887,9 +901,9 @@ func checkManagedBootImagesStatus(mc *MachineConfiguration, mode string) {
 		Should(o.Equal(mode), "Error: The %s mode does not match even after patched", mode)
 }
 
-// GetValidUpdateBootImageValue returns a valid boot image value for testing based on platform
+// getBackdatedBootImage returns a valid boot image value for testing based on platform
 // MCO will only update images previously published in the installer. This function returns one of those valid images
-func GetValidUpdateBootImageValue(oc *exutil.CLI) string {
+func getBackdatedBootImage(oc *exutil.CLI) string {
 	var (
 		platform = exutil.CheckPlatform(oc)
 	)

test/extended-priv/mco_bootimages_skew.go

@@ -0,0 +1,188 @@
+package extended
+
+import (
+	"context"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+	constants "github.com/openshift/machine-config-operator/pkg/controller/common"
+	exutil "github.com/openshift/machine-config-operator/test/extended-priv/util"
+	logger "github.com/openshift/machine-config-operator/test/extended-priv/util/logext"
+)
+
+const (
+	// Test RHCOS & OCP versions for skew enforcement tests
+	rhcosVersionExceedsSkew = "48.84.202208021106-0"
+	ocpVersionExceedsSkew   = "4.12.0"
+)
+
+var _ = g.Describe("[sig-mco][Suite:openshift/machine-config-operator/disruptive][Serial][Disruptive][OCPFeatureGate:BootImageSkewEnforcement]", func() {
+	defer g.GinkgoRecover()
+
+	var (
+		oc                   = exutil.NewCLI("mco-bootimage", exutil.KubeConfigPath()).AsAdmin()
+		machineConfiguration *MachineConfiguration
+		originalSpec         string
+		mcoCO                *ClusterOperator
+	)
+
+	g.BeforeEach(func() {
+		// Skip on single-node topologies
+		exutil.SkipOnSingleNodeTopology(oc)
+		machineConfiguration = GetMachineConfiguration(oc)
+		// Save initial state to restore after each test
+		originalSpec = machineConfiguration.GetSpecOrFail()
+		mcoCO = NewClusterOperator(oc, "machine-config")
+	})
+
+	g.AfterEach(func() {
+		exutil.By("Restoring MachineConfiguration to original state")
+		o.Expect(machineConfiguration.SetSpec(originalSpec)).To(o.Succeed())
+	})
+
+	g.It("Verify Manual mode with RHCOSVersion and Upgradeable (Happy case) [apigroup:machineconfiguration.openshift.io]", func() {
+		// Get the current RHCOS version from the coreos-bootimages configmap (guaranteed to be within skew)
+		rhcosVersionWithinSkew := GetRHCOSVersionFromConfigMap(oc)
+		logger.Infof("Using RHCOS version from configmap: %s", rhcosVersionWithinSkew)
+
+		// Set manual mode with a boot image version that is within skew limits
+		o.Expect(machineConfiguration.SetManualSkew(RHCOSVersionMode, rhcosVersionWithinSkew)).To(o.Succeed())
+
+		// Wait for the controller to reflect Manual mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementManualMode)
+
+		// Check machine-config CO upgradeable status, should be set to true
+		o.Eventually(mcoCO, "1m", "10s").Should(BeUpgradeable(), "co/machine-config should be upgradeable when manual skew version is within limits")
+	})
+
+	g.It("Verify Manual mode with RHCOSVersion and Upgradeable (Sad case) [apigroup:machineconfiguration.openshift.io]", func() {
+		// Set manual mode with a boot image version that is NOT within skew limits
+		o.Expect(machineConfiguration.SetManualSkew(RHCOSVersionMode, rhcosVersionExceedsSkew)).To(o.Succeed())
+
+		// Wait for the controller to reflect Manual mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementManualMode)
+
+		// Check machine-config CO upgradeable status, should be set to false
+		o.Eventually(mcoCO, "1m", "10s").ShouldNot(BeUpgradeable(), "co/machine-config should not be upgradeable when manual skew version exceeds limits")
+	})
+
+	g.It("Verify Manual mode with OCPVersion and Upgradeable (Happy case) [apigroup:machineconfiguration.openshift.io]", func() {
+		// Set manual mode with a boot image version that is within skew limits
+		o.Expect(machineConfiguration.SetManualSkew(OCPVersionMode, constants.OCPVersionBootImageSkewLimit)).To(o.Succeed())
+
+		// Wait for the controller to reflect Manual mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementManualMode)
+
+		// Check machine-config CO upgradeable status, should be set to true
+		o.Eventually(mcoCO, "1m", "10s").Should(BeUpgradeable(), "co/machine-config should be upgradeable when manual skew version is within limits")
+	})
+
+	g.It("Verify Manual mode with OCPVersion and Upgradeable (Sad case) [apigroup:machineconfiguration.openshift.io]", func() {
+		// Set manual mode with a boot image version that is NOT within skew limits
+		o.Expect(machineConfiguration.SetManualSkew(OCPVersionMode, ocpVersionExceedsSkew)).To(o.Succeed())
+
+		// Wait for the controller to reflect Manual mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementManualMode)
+
+		// Check machine-config CO upgradeable status, should be set to false
+		o.Eventually(mcoCO, "1m", "10s").ShouldNot(BeUpgradeable(), "co/machine-config should not be upgradeable when manual skew version exceeds limits")
+	})
+
+	g.It("Verify Automatic mode and Upgradeable (Happy Case) [apigroup:machineconfiguration.openshift.io]", func() {
+		// only applicable on GCP, AWS clusters
+		skipTestIfSupportedPlatformNotMatched(oc, GCPPlatform, AWSPlatform)
+
+		// No opinion on skew enforcement for these platforms will result in Automatic mode
+		o.Expect(machineConfiguration.RemoveSkew()).To(o.Succeed())
+
+		// Wait for the controller to reflect Automatic mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementAutomaticMode)
+
+		// Pick a random machineset to test
+		machineSetUnderTest := NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
+		logger.Infof("MachineSet under test: %s", machineSetUnderTest.name)
+
+		// Save and restore full spec to ensure cleanup regardless of what we modify
+		originalMachineSetSpec := machineSetUnderTest.GetSpecOrFail()
+		defer func() {
+			o.Expect(machineSetUnderTest.SetSpec(originalMachineSetSpec)).To(o.Succeed())
+		}()
+
+		// Patch the boot image to an older version to trigger an update loop
+		backdatedBootImage := getBackdatedBootImage(oc)
+		o.Expect(machineSetUnderTest.SetCoreOsBootImage(backdatedBootImage)).To(o.Succeed())
+		logger.Infof("Set backdated boot image '%s' in MachineSet %s to trigger update loop", backdatedBootImage, machineSetUnderTest.name)
+
+		// Verify that the boot image controller has finished processing
+		machineConfiguration.WaitForBootImageControllerComplete()
+
+		// Verify that the boot image controller is not degraded
+		machineConfiguration.WaitForBootImageControllerDegradedState(false)
+
+		// Check machine-config CO upgradeable status, should be set to True
+		o.Eventually(mcoCO, "1m", "10s").Should(BeUpgradeable(), "co/machine-config should be upgradeable with restored machineset")
+	})
+
+	g.It("Verify Automatic mode and Upgradeable (Sad Case) [apigroup:machineconfiguration.openshift.io]", func(_ context.Context) {
+		// only applicable on GCP, AWS clusters
+		skipTestIfSupportedPlatformNotMatched(oc, GCPPlatform, AWSPlatform)
+
+		// No opinion on skew enforcement for these platforms will result in Automatic mode
+		o.Expect(machineConfiguration.RemoveSkew()).To(o.Succeed())
+
+		// Wait for the controller to reflect Automatic mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementAutomaticMode)
+
+		// Pick a random machineset to test
+		machineSetUnderTest := NewMachineSetList(oc.AsAdmin(), MachineAPINamespace).GetAllOrFail()[0]
+		logger.Infof("MachineSet under test: %s", machineSetUnderTest.name)
+
+		// Save and restore full spec to ensure cleanup regardless of what we modify
+		originalMachineSetSpec := machineSetUnderTest.GetSpecOrFail()
+		defer func() {
+			o.Expect(machineSetUnderTest.SetSpec(originalMachineSetSpec)).To(o.Succeed())
+		}()
+
+		// Set a non-existent user data secret in the machineset's providerSpec; this will cause a boot image controller degrade
+		nonExistentSecret := "non-existent-user-data"
+		o.Expect(machineSetUnderTest.SetUserDataSecret(nonExistentSecret)).To(o.Succeed())
+		logger.Infof("Set non-existent user data secret '%s' in MachineSet %s", nonExistentSecret, machineSetUnderTest.name)
+
+		// Patch the boot image to an older version to trigger an update loop
+		backdatedBootImage := getBackdatedBootImage(oc)
+		o.Expect(machineSetUnderTest.SetCoreOsBootImage(backdatedBootImage)).To(o.Succeed())
+		logger.Infof("Set backdated boot image '%s' in MachineSet %s to trigger update loop", backdatedBootImage, machineSetUnderTest.name)
+
+		// Verify that the boot image controller has finished processing
+		machineConfiguration.WaitForBootImageControllerComplete()
+
+		// Verify that the boot image controller is degraded
+		machineConfiguration.WaitForBootImageControllerDegradedState(true)
+
+		// Check machine-config CO upgradeable status, should be set to false due to the degrade
+		o.Eventually(mcoCO, "1m", "10s").ShouldNot(BeUpgradeable(), "co/machine-config should not be upgradeable with broken machineset and update loop")
+
+		// Restore machineset to original spec
+		o.Expect(machineSetUnderTest.SetSpec(originalMachineSetSpec)).To(o.Succeed())
+
+		// Verify that the boot image controller has finished processing
+		machineConfiguration.WaitForBootImageControllerComplete()
+
+		// Verify that the boot image controller is not degraded
+		machineConfiguration.WaitForBootImageControllerDegradedState(false)
+
+		// Check machine-config CO upgradeable status, should be set back to true
+		o.Eventually(mcoCO, "1m", "10s").Should(BeUpgradeable(), "co/machine-config should be upgradeable with restored machineset")
+	})
+
+	g.It("Verify None mode [apigroup:machineconfiguration.openshift.io]", func() {
+		// Set None mode, effectively disabling skew enforcement
+		o.Expect(machineConfiguration.SetNoneSkew()).To(o.Succeed())
+
+		// Wait for the controller to reflect None mode in skew enforcement status
+		machineConfiguration.WaitForBootImageSkewEnforcementStatusMode(SkewEnforcementNoneMode)
+
+		// Check machine-config CO upgradeable status, should be set to true
+		o.Eventually(mcoCO, "1m", "10s").Should(BeUpgradeable(), "co/machine-config should be upgradeable when skew enforcement is disabled (None mode)")
+	})
+})