Add prow CI lane to enable mount namespace hiding e2e testing (opensh…

…ift#31715) Signed-off-by: Sharat Akhoury <[email protected]> Signed-off-by: Sharat Akhoury <[email protected]>
SchSeba · Sep 2, 2022 · dc2ea2a · dc2ea2a
1 parent 2f35a72
commit dc2ea2a
Show file tree

Hide file tree

Showing 10 changed files with 351 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ jenkins/controllers/.idea/*
 *.swp
 clusters/app.ci/.actual_diff
 *.pyc
+### macOS ###
+.DS_Store
diff --git a/ci-operator/config/openshift/release/openshift-release-master__ci-4.12.yaml b/ci-operator/config/openshift/release/openshift-release-master__ci-4.12.yaml
@@ -186,6 +186,15 @@ tests:
     env:
       FAIL_ON_CORE_DUMP: "true"
     workflow: openshift-e2e-gcp-ovn
+- as: e2e-gcp-mount-ns-hiding
+  interval: 24h
+  steps:
+    cluster_profile: gcp-openshift-gce-devel-ci-2
+    env:
+      FAIL_ON_CORE_DUMP: "true"
+      MOUNT_NS_HIDING_ENABLED: "true"
+      MOUNT_NS_HIDING_LOG: "2"
+    workflow: openshift-e2e-gcp-mount-ns-hiding
 - as: e2e-gcp-sdn-serial
   interval: 24h
   steps:

diff --git a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
@@ -9299,6 +9299,86 @@ periodics:
     org: openshift
     repo: release
   interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: gcp
+    ci-operator.openshift.io/cloud-cluster-profile: gcp-openshift-gce-devel-ci-2
+    ci-operator.openshift.io/variant: ci-4.12
+    ci.openshift.io/generator: prowgen
+    ci.openshift.io/no-builds: "true"
+    job-release: "4.12"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-release-master-ci-4.12-e2e-gcp-mount-ns-hiding
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/e2e-gcp-mount-ns-hiding-cluster-profile
+      - --target=e2e-gcp-mount-ns-hiding
+      - --variant=ci-4.12
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/e2e-gcp-mount-ns-hiding-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      projected:
+        sources:
+        - secret:
+            name: cluster-secrets-gcp-openshift-gce-devel-ci-2
+        - configMap:
+            name: cluster-profile-gcp-openshift-gce-devel-ci-2
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: release
+  interval: 24h
   labels:
     ci-operator.openshift.io/cloud: gcp
     ci-operator.openshift.io/cloud-cluster-profile: gcp-openshift-gce-devel-ci-2

diff --git a/ci-operator/step-registry/mount-ns-hiding/OWNERS b/ci-operator/step-registry/mount-ns-hiding/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sakhoury
+- lack
+- sdn-approvers
+reviewers:
+- sakhoury
+- lack
+- sdn-reviewers
diff --git a/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-commands.sh b/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-commands.sh
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+LOGLEVEL=0
+
+case $MOUNT_NS_HIDING_LOG in
+  "0")
+    LOGLEVEL=0
+    ;;
+  "1")
+    LOGLEVEL=1
+    ;;
+  "2")
+    LOGLEVEL=2
+    ;;
+  *)
+    LOGLEVEL=0
+    ;;
+esac
+
+function _log() {
+  local level=$1; shift
+  if [[ $level -le $LOGLEVEL ]]; then
+    echo "$(date +%F) $(date +%T) $(date +%Z): $*" >&2
+  fi
+}
+
+function log_err() {
+  _log 0 "$*"
+}
+
+function log_info() {
+  _log 1 "$*"
+}
+
+function log_debug() {
+  _log 2 "$*"
+}
+
+function create_mount_namespace_hiding_mc(){
+  # enabled can be either "true" or "false"
+  local enabled="$1"
+
+  local action="enable"
+  if [ "$enabled" = "false" ]; then
+    action="disable"
+  fi
+
+  local machineconfig=""
+
+  for role in master worker
+  do
+    log_info "[INFO] Rendering machineconfig to $action mount namespace hiding for $role node(s)"
+
+    str=$(cat << EOF
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: $role
+  name: 99-custom-enable-kubens-$role
+spec:
+  config:
+    ignition:
+      version: 2.2.0
+    systemd:
+      units:
+      - enabled: $enabled
+        name: kubens.service
+---
+EOF
+)
+    machineconfig+="${str}\n"
+  done
+
+  log_info "[INFO] Applying machineconfigs..."
+  echo -en "$machineconfig" | oc apply -f -
+
+  log_info "[INFO] Waiting for all machineconfigs to begin rolling out"
+  oc wait --for=condition=Updating mcp --all --timeout=5m
+
+  log_info "[INFO] Waiting for all machineconfigs to finish rolling out"
+  oc wait --for=condition=Updated mcp --all --timeout=30m
+  log_info "[INFO] Finished rolling out machineconfigs!"
+}
+
+function enable_mount_namespace_hiding(){
+  create_mount_namespace_hiding_mc "true"
+}
+
+function disable_mount_namespace_hiding(){
+  create_mount_namespace_hiding_mc "false"
+}
+
+
+log_debug "[DEBUG] Starting to run mount-ns-hiding-commands.sh script!"
+
+if [ -z "${MOUNT_NS_HIDING_ENABLED}" ]; then
+  log_error "[ERROR] MOUNT_NS_HIDING_ENABLED not defined!"
+  exit 1
+else
+  log_debug "[DEBUG] MOUNT_NS_HIDING_ENABLED = ${MOUNT_NS_HIDING_ENABLED}"
+fi
+
+# Determine whether the cluster has the mount namespace hiding feature enabled
+#  note: both master and worker nodes are checked!
+enabled="true"
+
+mc_list=$(oc get mc -o custom-columns='NAME:.metadata.name')
+log_debug "[DEBUG] mc_list ="
+log_debug "${mc_list}"
+
+if [ ! -z "${mc_list}" ]; then
+  for role in master worker
+  do
+    if [ "${enabled}" = "false" ]; then
+      break
+    fi
+
+    str="kubens-$role"
+
+    log_debug "[DEBUG] About to grep for $str"
+
+    if grep -q "$str" <<< "$mc_list"; then
+      mc_name=$(grep "$str" <<< "$mc_list")
+      log_debug "[DEBUG] mc_name = ${mc_name}"
+
+      if [ -z "${mc_name}" ]; then
+        # if no mnt-ns-hiding machineconfig found - set enabled to false
+        log_info "[INFO] No mount namespace hiding machineconfig found!"
+        enabled="false"
+      else
+        log_info "[INFO] Found the following machineconfig: ${mc_name}"
+        is_enabled=$(oc get mc ${mc_name} -o jsonpath="{..systemd.units[?(@.name=='kubens.service')].enabled}")
+        log_debug "[DEBUG] machineconfig: ${mc_name}, enabled=[${is_enabled}]"
+        if [ "${is_enabled}" != "true" ]; then
+          enabled="false"
+        fi
+      fi
+    else
+      log_info "[INFO] Unable to find $str in the machineconfigs retrieved!"
+      enabled="false"
+    fi
+  done
+else
+  log_info "[INFO] Unable to retrieve machineconfigs!"
+  enabled="false"
+fi
+
+log_debug "[DEBUG] mount namespace hiding feature has enabled=[${enabled}]"
+
+# Only enable mnt-ns-hiding feature if $MOUNT_NS_HIDING_ENABLED=true
+#  and the feature is currently disabled (i.e. $enabled=false)
+# Only disable mnt-ns-hiding feature if $MOUNT_NS_HIDING_ENABLED=false
+#  and the feature is currently enabled (i.e. $enabled=true)
+
+if [ "${MOUNT_NS_HIDING_ENABLED}" = "true" ] && [ "${enabled}" = "false" ]; then
+  log_info "[INFO] Enabling the mount ns hiding feature!"
+  enable_mount_namespace_hiding
+elif [ "${MOUNT_NS_HIDING_ENABLED}" = "false" ] && [ "${enabled}" = "true" ]; then
+  log_info "[INFO] Disabling the mount ns hiding feature!"
+  disable_mount_namespace_hiding
+else
+  log_info "[INFO] Neither enabling nor disabling the mount ns hiding feature!"
+fi
+
+
diff --git a/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-ref.metadata.json b/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "mount-ns-hiding/mount-ns-hiding-ref.yaml",
+	"owners": {
+		"approvers": [
+			"sakhoury",
+			"lack",
+			"sdn-approvers"
+		],
+		"reviewers": [
+			"sakhoury",
+			"lack",
+			"sdn-reviewers"
+		]
+	}
+}
diff --git a/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-ref.yaml b/ci-operator/step-registry/mount-ns-hiding/mount-ns-hiding-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+  as: mount-ns-hiding
+  from: tests
+  commands: mount-ns-hiding-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  env:
+    - name: MOUNT_NS_HIDING_ENABLED
+      default: "true"
+      documentation: |-
+        This parameter controls whether the mount namespace hiding feature is
+        enabled (true) or disabled (false).
+    - name: MOUNT_NS_HIDING_LOG
+      default: "1"
+      documentation: |-
+        This parameter controls the logging level: "0"=error, "1"=info (default), 
+        "2"=debug.
+  grace_period: 5m0s
+  documentation: |-
+    The step applies the machine configuration to enable (or disable) the mount
+    namespace hiding feature based on the parameter MOUNT_NS_HIDING_ENABLED.
diff --git a/ci-operator/step-registry/openshift/e2e/gcp/mount-ns-hiding/OWNERS b/ci-operator/step-registry/openshift/e2e/gcp/mount-ns-hiding/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sakhoury
+- lack
+- sdn-approvers
+reviewers:
+- sakhoury
+- lack
+- sdn-reviewers
diff --git a/...penshift/e2e/gcp/mount-ns-hiding/openshift-e2e-gcp-mount-ns-hiding-workflow.metadata.json b/...penshift/e2e/gcp/mount-ns-hiding/openshift-e2e-gcp-mount-ns-hiding-workflow.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "openshift/e2e/gcp/mount-ns-hiding/openshift-e2e-gcp-mount-ns-hiding-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"sakhoury",
+			"lack",
+			"sdn-approvers"
+		],
+		"reviewers": [
+			"sakhoury",
+			"lack",
+			"sdn-reviewers"
+		]
+	}
+}
diff --git a/...egistry/openshift/e2e/gcp/mount-ns-hiding/openshift-e2e-gcp-mount-ns-hiding-workflow.yaml b/...egistry/openshift/e2e/gcp/mount-ns-hiding/openshift-e2e-gcp-mount-ns-hiding-workflow.yaml
@@ -0,0 +1,21 @@
+workflow:
+    as: openshift-e2e-gcp-mount-ns-hiding
+    steps:
+      allow_best_effort_post_steps: true
+      pre:
+      - ref: ipi-install-hosted-loki
+      - chain: ipi-conf-gcp
+      - ref: ovn-conf
+      - chain: ipi-install
+      - ref: mount-ns-hiding
+      test:
+      - ref: openshift-e2e-test
+      post:
+      - chain: gather-network
+      - chain: gather-core-dump
+      - chain: ipi-deprovision
+    documentation: |-
+      The Openshift E2E mount namespace hiding workflow executes the common end-to-end test
+      suite with the OVNKubernetes network plugin. The mount namespace hiding feature is
+      controlled by MOUNT_NS_HIDING_ENABLED. In OCP 4.12, the feature defaults to being
+      disabled, thus this workflow explicitly enables it.