CNTRLPLANE-2625:Add Auth network policy e2e cases by gangwgr · Pull Request #831 · openshift/cluster-authentication-operator

gangwgr · 2026-02-02T04:46:53Z

Auth network policy e2e cases

openshift-ci · 2026-02-02T04:46:57Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2026-02-02T04:47:01Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Adds two new Ginkgo-based end-to-end test suites that validate, reconcile, and enforce Kubernetes NetworkPolicy behavior for the authentication operator and OAuth API server; promotes github.com/onsi/gomega to a direct module dependency; and registers an additional non-serial test suite in the test runner.

Changes

Cohort / File(s)	Summary
E2E NetworkPolicy Validation `test/e2e/network_policy.go`	New Ginkgo test file validating authentication-operator NetworkPolicies and reconciliation: verifies default-deny policies, pod selectors, ingress/egress ports and sources, namespace-based rules, mutation/restoration flows, event logging, and pod readiness helpers.
E2E NetworkPolicy Enforcement `test/e2e/network_policy_enforcement.go`	New Ginkgo test file that provisions test namespaces and server/client pods (agnhost/netexec), builds NetworkPolicy objects (defaultDeny/allowIngress/allowEgress), runs connectivity assertions across ports and cross-namespace scenarios, and includes extensive pod lifecycle and policy-builder helpers.
Test Runner Suite Registration `cmd/cluster-authentication-operator-tests-ext/main.go`	Adds a second test-suite registration selecting non-serial tests (Parallelism 1) with specific tags, in addition to the existing serial suite.
Module Dependency `go.mod`	Promotes `github.com/onsi/gomega` to a direct dependency (moved from indirect to direct in the require block).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-02-02T04:47:07Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign liouk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@test/e2e/network_policy.go`:
- Around line 466-477: In deleteAndWaitForNetworkPolicy, capture the
NetworkPolicy's original UID via
kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(...) before deleting,
then perform the Delete and poll until either Get returns NotFound or the
returned object's UID differs from the original UID to ensure the
deletion/reconciliation was observed; also surface any error returned by Delete
instead of discarding it. Use the unique function name
deleteAndWaitForNetworkPolicy and references to
NetworkingV1().NetworkPolicies(...).Get/Delete when locating where to add the
UID capture and adjust the wait condition.
- Around line 82-100: The test can match pre-existing events because
waitForNetworkPolicyEvent filters only by reason/message; fix by capturing a
"notBefore" timestamp immediately before calling deleteAndWaitForNetworkPolicy
in testNetworkPolicyEvents and modify waitForNetworkPolicyEvent to accept a
metav1.Time (or time.Time) notBefore parameter and ignore events with
EventTime/LastTimestamp <= notBefore, then update both calls in
testNetworkPolicyEvents to pass that notBefore value; ensure the event
comparison uses the proper Kubernetes event timestamp fields (EventTime if set,
otherwise LastTimestamp) when filtering.

coderabbitai · 2026-02-03T11:44:04Z

test/e2e/network_policy.go

+func testNetworkPolicyEvents() {
+	kubeConfig := e2e.NewClientConfigForTest(g.GinkgoTB())
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	o.Expect(err).NotTo(o.HaveOccurred())
+	configClient, err := configclient.NewForConfig(kubeConfig)
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	g.By("Waiting for authentication clusteroperator to be stable")
+	err = e2e.WaitForClusterOperatorAvailableNotProgressingNotDegraded(g.GinkgoTB(), configClient.ConfigV1(), "authentication")
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	g.By("Deleting oauth-server NetworkPolicy and verifying event emission")
+	deleteAndWaitForNetworkPolicy(kubeClient, "openshift-authentication", "oauth-server-networkpolicy")
+	waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-authentication", "oauth-server-networkpolicy")
+
+	g.By("Deleting oauth-apiserver NetworkPolicy and verifying event emission")
+	deleteAndWaitForNetworkPolicy(kubeClient, "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy")
+	waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy")
+}


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd test/e2e && wc -l network_policy.go

Repository: openshift/cluster-authentication-operator

Length of output: 106

🏁 Script executed:

cd test/e2e && cat -n network_policy.go | head -150

Repository: openshift/cluster-authentication-operator

Length of output: 7674

🏁 Script executed:

# Search for waitForNetworkPolicyEvent function definition rg -n "func waitForNetworkPolicyEvent" test/e2e/

Repository: openshift/cluster-authentication-operator

Length of output: 241

🏁 Script executed:

# Search for how events are being listed/queried rg -n "ListOptions\|FieldSelector\|creationTimestamp" test/e2e/network_policy.go -A 5 -B 2

Repository: openshift/cluster-authentication-operator

Length of output: 67

🏁 Script executed:

cd test/e2e && sed -n '492,546p' network_policy.go

Repository: openshift/cluster-authentication-operator

Length of output: 1839

🏁 Script executed:

# Verify event.CreationTimestamp field exists in corev1.Event rg -A 5 "type Event struct" --type go

Repository: openshift/cluster-authentication-operator

Length of output: 4858

🏁 Script executed:

# Look at corev1.Event structure more carefully for CreationTimestamp field rg -A 30 "^type Event struct" vendor/k8s.io/api/core/v1/types.go | head -40

Repository: openshift/cluster-authentication-operator

Length of output: 1559

🏁 Script executed:

# Check if metav1.ObjectMeta has CreationTimestamp field rg -A 20 "^type ObjectMeta struct" vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go | head -25

Repository: openshift/cluster-authentication-operator

Length of output: 1207

🏁 Script executed:

# Search for CreationTimestamp field in ObjectMeta rg "CreationTimestamp" vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go -A 2 -B 2

Repository: openshift/cluster-authentication-operator

Length of output: 776

Guard against matching pre-existing events.

Listing all events without a "not-before" boundary can match older NetworkPolicyCreated events and yield false positives. The waitForNetworkPolicyEvent function at line 492 filters only by reason and message content, with no timestamp checking. Capture a timestamp before deletion and require events created after it.

Proposed fix

g.By("Deleting oauth-server NetworkPolicy and verifying event emission") -deleteAndWaitForNetworkPolicy(kubeClient, "openshift-authentication", "oauth-server-networkpolicy") -waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-authentication", "oauth-server-networkpolicy") +start := time.Now() +deleteAndWaitForNetworkPolicy(kubeClient, "openshift-authentication", "oauth-server-networkpolicy") +waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-authentication", "oauth-server-networkpolicy", start) g.By("Deleting oauth-apiserver NetworkPolicy and verifying event emission") -deleteAndWaitForNetworkPolicy(kubeClient, "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy") -waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy") +start = time.Now() +deleteAndWaitForNetworkPolicy(kubeClient, "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy") +waitForNetworkPolicyEvent(kubeClient, "openshift-authentication-operator", "NetworkPolicyCreated", "openshift-oauth-apiserver", "oauth-apiserver-networkpolicy", start)

-func waitForNetworkPolicyEvent(kubeClient kubernetes.Interface, eventNamespace, reason, policyNamespace, policyName string) { +func waitForNetworkPolicyEvent(kubeClient kubernetes.Interface, eventNamespace, reason, policyNamespace, policyName string, notBefore time.Time) { g.GinkgoHelper() g.GinkgoWriter.Printf("waiting for event %s in %s for networkpolicy %s/%s\n", reason, eventNamespace, policyNamespace, policyName) @@ -504,7 +504,8 @@ func waitForNetworkPolicyEvent(kubeClient kubernetes.Interface, eventNamespace, for _, event := range events.Items { if event.Reason != reason { continue } - if strings.Contains(event.Message, policyName) && strings.Contains(event.Message, policyNamespace) { + if strings.Contains(event.Message, policyName) && strings.Contains(event.Message, policyNamespace) && + event.CreationTimestamp.Time.After(notBefore) { return true, nil } }

🤖 Prompt for AI Agents

In `@test/e2e/network_policy.go` around lines 82 - 100, The test can match pre-existing events because waitForNetworkPolicyEvent filters only by reason/message; fix by capturing a "notBefore" timestamp immediately before calling deleteAndWaitForNetworkPolicy in testNetworkPolicyEvents and modify waitForNetworkPolicyEvent to accept a metav1.Time (or time.Time) notBefore parameter and ignore events with EventTime/LastTimestamp <= notBefore, then update both calls in testNetworkPolicyEvents to pass that notBefore value; ensure the event comparison uses the proper Kubernetes event timestamp fields (EventTime if set, otherwise LastTimestamp) when filtering.

coderabbitai · 2026-02-03T11:44:04Z

test/e2e/network_policy.go

+func deleteAndWaitForNetworkPolicy(kubeClient kubernetes.Interface, namespace, name string) {
+	g.GinkgoHelper()
+
+	g.GinkgoWriter.Printf("deleting networkpolicy %s/%s\n", namespace, name)
+	_ = kubeClient.NetworkingV1().NetworkPolicies(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
+	err := wait.PollImmediate(2*time.Second, 10*time.Minute, func() (bool, error) {
+		_, err := kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+		return err == nil, nil
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	g.GinkgoWriter.Printf("networkpolicy %s/%s restored\n", namespace, name)
+}


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's verify the file exists and check the code at lines 466-477 wc -l test/e2e/network_policy.go

Repository: openshift/cluster-authentication-operator

Length of output: 115

🏁 Script executed:

# Read the specific lines to confirm they match the snippet sed -n '466,477p' test/e2e/network_policy.go

Repository: openshift/cluster-authentication-operator

Length of output: 719

🏁 Script executed:

# Look for similar delete/wait patterns in the codebase to see how they handle reconciliation rg -A 8 "wait\.PollImmediate.*Delete" test/ --type go

Repository: openshift/cluster-authentication-operator

Length of output: 67

🏁 Script executed:

# Search for other instances of this function or similar patterns checking UIDs rg "\.UID" test/e2e/ --type go -B 2 -A 2

Repository: openshift/cluster-authentication-operator

Length of output: 1023

Wait for actual deletion by tracking UID changes.

The poll exits when Get succeeds, but the resource may not have been deleted yet. If the original policy still exists or is immediately recreated, Get succeeds without confirming reconciliation occurred. Store the original UID before deletion and wait for it to change to ensure the delete was actually observed.

Proposed fix

g.GinkgoWriter.Printf("deleting networkpolicy %s/%s\n", namespace, name) -_ = kubeClient.NetworkingV1().NetworkPolicies(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{}) -err := wait.PollImmediate(2*time.Second, 10*time.Minute, func() (bool, error) { - _, err := kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) - return err == nil, nil -}) +original, err := kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) +o.Expect(err).NotTo(o.HaveOccurred()) +originalUID := original.UID + +_ = kubeClient.NetworkingV1().NetworkPolicies(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{}) +err = wait.PollImmediate(2*time.Second, 10*time.Minute, func() (bool, error) { + policy, err := kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return policy.UID != originalUID, nil +})

🤖 Prompt for AI Agents

In `@test/e2e/network_policy.go` around lines 466 - 477, In deleteAndWaitForNetworkPolicy, capture the NetworkPolicy's original UID via kubeClient.NetworkingV1().NetworkPolicies(namespace).Get(...) before deleting, then perform the Delete and poll until either Get returns NotFound or the returned object's UID differs from the original UID to ensure the deletion/reconciliation was observed; also surface any error returned by Delete instead of discarding it. Use the unique function name deleteAndWaitForNetworkPolicy and references to NetworkingV1().NetworkPolicies(...).Get/Delete when locating where to add the UID capture and adjust the wait condition.

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/e2e/network_policy_enforcement.go`:
- Around line 294-299: The code reads
completed.Status.ContainerStatuses[0].State.Terminated.ExitCode without checking
for a nil Terminated and can panic; update the pod-completion check (the block
that inspects completed.Status.ContainerStatuses in the function that calls
waitForPodCompletion) to verify completed.Status.ContainerStatuses is non-empty
and that completed.Status.ContainerStatuses[0].State.Terminated != nil before
accessing ExitCode, and if Terminated is nil return a descriptive error (e.g.,
"no terminated state recorded for pod <name>") or retry/handle as appropriate so
you never dereference a nil Terminated.

🧹 Nitpick comments (1)

test/e2e/network_policy_enforcement.go (1)

302-328: Consider consolidating wait helpers.

waitForPodReady and waitForPodCompletion are similar to helpers in network_policy.go. Consider extracting these to test/library/waits.go to reduce duplication across test files.

coderabbitai · 2026-02-03T11:48:01Z

test/e2e/network_policy_enforcement.go

+	if len(completed.Status.ContainerStatuses) == 0 {
+		return false, fmt.Errorf("no container status recorded for pod %s", name)
+	}
+	exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode
+	g.GinkgoWriter.Printf("client pod %s/%s exitCode=%d\n", namespace, name, exitCode)
+	return exitCode == 0, nil


⚠️ Potential issue | 🟡 Minor

Guard against nil Terminated state.

After waitForPodCompletion, the container's State.Terminated field might still be nil in edge cases (e.g., race with kubelet status reporting). Accessing Terminated.ExitCode without a nil check will panic.

Proposed fix

if len(completed.Status.ContainerStatuses) == 0 { return false, fmt.Errorf("no container status recorded for pod %s", name) } + if completed.Status.ContainerStatuses[0].State.Terminated == nil { + return false, fmt.Errorf("container state not terminated for pod %s", name) + } exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

if len(completed.Status.ContainerStatuses) == 0 {

return false, fmt.Errorf("no container status recorded for pod %s", name)

}

exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode

g.GinkgoWriter.Printf("client pod %s/%s exitCode=%d\n", namespace, name, exitCode)

return exitCode == 0, nil

if len(completed.Status.ContainerStatuses) == 0 {

return false, fmt.Errorf("no container status recorded for pod %s", name)

}

if completed.Status.ContainerStatuses[0].State.Terminated == nil {

return false, fmt.Errorf("container state not terminated for pod %s", name)

}

exitCode := completed.Status.ContainerStatuses[0].State.Terminated.ExitCode

g.GinkgoWriter.Printf("client pod %s/%s exitCode=%d\n", namespace, name, exitCode)

return exitCode == 0, nil

🤖 Prompt for AI Agents

In `@test/e2e/network_policy_enforcement.go` around lines 294 - 299, The code reads completed.Status.ContainerStatuses[0].State.Terminated.ExitCode without checking for a nil Terminated and can panic; update the pod-completion check (the block that inspects completed.Status.ContainerStatuses in the function that calls waitForPodCompletion) to verify completed.Status.ContainerStatuses is non-empty and that completed.Status.ContainerStatuses[0].State.Terminated != nil before accessing ExitCode, and if Terminated is nil return a descriptive error (e.g., "no terminated state recorded for pod <name>") or retry/handle as appropriate so you never dereference a nil Terminated.

gangwgr · 2026-02-05T12:38:49Z

/payload 4.22 nightly informing
/payload 4.22 nightly blocking

openshift-ci · 2026-02-05T12:38:54Z

@gangwgr: trigger 68 job(s) of type informing for the nightly release of OCP 4.22

periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-compact-fips
periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-ha-dualstack-conformance
periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance
periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance
periodic-ci-openshift-release-master-nightly-4.22-console-aws
periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-aws
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-csi
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-cgroupsv2
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-fips
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node-csi
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node-serial
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node-techpreview
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-single-node-techpreview-serial
periodic-ci-openshift-release-master-nightly-4.22-upgrade-from-stable-4.21-e2e-aws-upgrade-ovn-single-node
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn-upgrade-out-of-change
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-upi
periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-azure
periodic-ci-openshift-release-master-nightly-4.22-e2e-azure-csi
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn-serial
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn-techpreview
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn-techpreview-serial
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn-upgrade-out-of-change
periodic-ci-openshift-release-master-cnv-nightly-4.22-deploy-azure-kubevirt-ovn
periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-4.22-periodics-e2e-gcp
periodic-ci-openshift-release-master-ci-4.22-e2e-gcp-ovn
periodic-ci-openshift-release-master-nightly-4.22-e2e-gcp-ovn-csi
periodic-ci-openshift-release-master-nightly-4.22-e2e-gcp-ovn-rt
periodic-ci-openshift-release-master-nightly-4.22-e2e-gcp-ovn-serial
periodic-ci-openshift-release-master-ci-4.22-e2e-gcp-ovn-techpreview
periodic-ci-openshift-release-master-ci-4.22-e2e-gcp-ovn-techpreview-serial
periodic-ci-openshift-release-master-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade
periodic-ci-openshift-release-master-ci-4.22-e2e-gcp-ovn-upgrade
periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-kubevirt-ovn
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack-techpreview
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6-techpreview
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-serial-ipv4
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-1of2
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-serial-virtualmedia-2of2
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-techpreview
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-upgrade
periodic-ci-openshift-release-master-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-ovn-upgrade
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
periodic-ci-openshift-release-master-nightly-4.22-upgrade-from-stable-4.21-e2e-metal-ipi-upgrade-ovn-ipv6
periodic-ci-openshift-release-master-nightly-4.22-metal-ovn-single-node-recert-cluster-rename
periodic-ci-openshift-osde2e-main-nightly-4.22-osd-aws
periodic-ci-openshift-release-master-nightly-4.22-e2e-osd-ccs-gcp
periodic-ci-openshift-osde2e-main-nightly-4.22-osd-gcp
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-proxy
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ovn-single-node-live-iso
periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-payload-control-plane-6nodes
periodic-ci-openshift-release-master-nightly-4.22-e2e-telco5g
periodic-ci-openshift-release-master-ci-4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-csi
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-serial
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-techpreview
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-techpreview-serial
periodic-ci-openshift-release-master-ci-4.22-e2e-vsphere-ovn-upgrade
periodic-ci-openshift-release-master-ci-4.22-upgrade-from-stable-4.21-e2e-vsphere-ovn-upgrade
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-upi
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-ovn-upi-serial
periodic-ci-openshift-release-master-nightly-4.22-e2e-vsphere-static-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9fabeea0-028f-11f1-821b-315b0366a22d-0

trigger 14 job(s) of type blocking for the nightly release of OCP 4.22

periodic-ci-openshift-release-master-ci-4.22-e2e-aws-upgrade-ovn-single-node
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-upgrade-fips
periodic-ci-openshift-release-master-ci-4.22-e2e-azure-ovn-upgrade
periodic-ci-openshift-release-master-ci-4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-rt-upgrade
periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-1of2
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-2of2
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn-techpreview
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn-techpreview-serial-1of3
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn-techpreview-serial-2of3
periodic-ci-openshift-release-master-ci-4.22-e2e-aws-ovn-techpreview-serial-3of3
periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-upgrade-fips-no-nat-instance
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv4
periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9fabeea0-028f-11f1-821b-315b0366a22d-1

gangwgr · 2026-02-05T12:54:55Z

/retitle CNTRLPLANE-2610: Add Auth network policy e2e cases

openshift-ci-robot · 2026-02-05T12:55:10Z

@gangwgr: This pull request references CNTRLPLANE-2610 which is a valid jira issue.

Details

In response to this:

Auth network policy e2e cases

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

gangwgr · 2026-02-05T12:56:06Z

/retitle CNTRLPLANE-2625:Add Auth network policy e2e cases

openshift-ci-robot · 2026-02-05T12:56:38Z

@gangwgr: This pull request references CNTRLPLANE-2625 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Auth network policy e2e cases

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

gangwgr · 2026-02-05T13:13:06Z

/testwith openshift/cluster-authentication-operator/main/e2e-operator #825

openshift-ci · 2026-02-05T13:13:12Z

@gangwgr, testwith: could not generate prow job. ERROR:

could not determine ci op config from metadata: got unexpected http 404 status code from configresolver: failed to get config: could not find any config for branch main on repo openshift/cluster-authentication-operator

gangwgr · 2026-02-05T13:15:37Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-external-oidc-conformance-serial #825

gangwgr · 2026-02-05T15:27:51Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-serial-ote #825

gangwgr · 2026-02-05T16:07:41Z

/hold
wait for ci to passed

gangwgr · 2026-02-06T07:15:28Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-parallel-ote #825

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/e2e/network_policy.go`:
- Around line 194-204: The hasPort function treats a nil
NetworkPolicyPort.Protocol as a wildcard; change it to treat nil as TCP-only by
checking p.Protocol explicitly: if p.Protocol == nil then only return true when
the requested protocol equals corev1.ProtocolTCP, otherwise when p.Protocol !=
nil compare *p.Protocol == protocol; keep the existing port IntValue check and
the function name hasPort to locate the change.

test/e2e/network_policy.go

gangwgr · 2026-03-04T09:46:42Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-parallel-ote #825

gangwgr · 2026-03-04T15:32:33Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-serial-ote #825

gangwgr · 2026-03-05T07:32:17Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-serial-ote #825

gangwgr · 2026-03-05T11:48:01Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-serial-ote #825

openshift-ci · 2026-03-05T11:48:36Z

@gangwgr, testwith: could not generate prow job. ERROR:

could not determine cluster for job pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-serial-ote: error performing request: failed to make request to dispatcher: Post "http://prowjob-dispatcher.ci.svc.cluster.local:8080": POST http://prowjob-dispatcher.ci.svc.cluster.local:8080 giving up after 6 attempt(s): Post "http://prowjob-dispatcher.ci.svc.cluster.local:8080": dial tcp 172.30.116.220:8080: connect: connection refused

gangwgr · 2026-03-05T11:53:25Z

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-serial-ote #825

gangwgr · 2026-03-05T15:27:40Z