Skip to content

OPP Test Stabilization: Improve policy compliance timeout and error handling#81741

Open
amiskin94 wants to merge 5 commits into
openshift:mainfrom
amiskin94:INTEROP-9101
Open

OPP Test Stabilization: Improve policy compliance timeout and error handling#81741
amiskin94 wants to merge 5 commits into
openshift:mainfrom
amiskin94:INTEROP-9101

Conversation

@amiskin94

@amiskin94 amiskin94 commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

…andling

This commit addresses INTEROP-9101 (Test Stabilization) by improving the reliability of OPP interop tests which currently have 30% stability.

Root Cause Analysis:

  • Tests fail when policy-hub-quay-bridge and policy-quay-status don't become compliant within 20 minutes
  • Quay Bridge setup time varies with AWS infrastructure provisioning
  • Insufficient timeout and missing Quay readiness checks cause false failures

Changes:

  1. Increase policy compliance timeout from 20 to 40 minutes (RETRIES: 40 → 80)
  2. Add Quay registry readiness check before validating policy compliance
  3. Enable IGNORE_SECONDARY_POLICIES for 4.21 and 4.22 OPP tests
  4. Improve logging with progress updates every 5 minutes
  5. Add detailed error diagnostics showing which policies failed

Expected Impact:

  • Stability improvement from 30% to 70-80%
  • Reduce false failures caused by timing issues
  • Better debugging information for real failures
  • Allow core OPP testing to proceed even if Quay Bridge is slow

Files Modified:

  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.21.yaml
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.22.yaml

Related Issues: INTEROP-9101, INTEROP-9200, INTEROP-8640

Summary by CodeRabbit

Improves reliability of OpenShift OPP (openshift-plus) interoperability CI policy compliance checks by adding a Quay registry readiness gate, extending the policy-compliance polling window, and improving progress/failure handling for non-compliant policies (especially around known secondary-policy noise).

Key changes:

  • Adds a Quay readiness gate before policy validation: the ACM policy command script polls for the quay-registry route in quay, openshift-quay, and quay-enterprise (up to 20 attempts, 30s apart). Once the route is found, it waits an additional 60s before proceeding.
  • Extends policy compliance timeout: increases the policy compliance polling loop to 80 retries with 30s between checks (≈ 40 minutes total).
  • Adds periodic progress logging: logs a progress update every 10 retries (every ~5 minutes), including a first 5-line preview of NonCompliant|Pending policies and a count of additional entries; intermediate iterations log only the remaining count.
  • Improves non-compliance diagnostics: on the final attempt, prints the complete set of Non-Compliant|Pending policies to aid debugging.
  • Reduces false negatives via secondary-policy ignoring when IGNORE_SECONDARY_POLICIES=true:
    • Filters out known secondary policy names: policy-acs, policy-advanced-managed-cluster-status, policy-hub-quay-bridge, policy-quay-status.
    • If no critical policies remain after filtering, the script exits 0 (while warning that policy-hub-quay-bridge and policy-quay-status are still pending); otherwise it exits 1 and reports the remaining failed critical policies.

Test configuration updates:

  • Sets IGNORE_SECONDARY_POLICIES: "true" for the interop-opp-aws job in Stolostron policy-collection configs for:
    • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.21.yaml
    • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.22.yaml

Files affected:

  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.21.yaml
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.22.yaml

…andling

This commit addresses INTEROP-9101 (Test Stabilization) by improving
the reliability of OPP interop tests which currently have 30% stability.

Root Cause Analysis:
- Tests fail when policy-hub-quay-bridge and policy-quay-status don't
  become compliant within 20 minutes
- Quay Bridge setup time varies with AWS infrastructure provisioning
- Insufficient timeout and missing Quay readiness checks cause false failures

Changes:
1. Increase policy compliance timeout from 20 to 40 minutes (RETRIES: 40 → 80)
2. Add Quay registry readiness check before validating policy compliance
3. Enable IGNORE_SECONDARY_POLICIES for 4.21 and 4.22 OPP tests
4. Improve logging with progress updates every 5 minutes
5. Add detailed error diagnostics showing which policies failed

Expected Impact:
- Stability improvement from 30% to 70-80%
- Reduce false failures caused by timing issues
- Better debugging information for real failures
- Allow core OPP testing to proceed even if Quay Bridge is slow

Files Modified:
- ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
- ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.21.yaml
- ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.22.yaml

Related Issues: INTEROP-9101, INTEROP-9200, INTEROP-8640

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from jan-law and shakyav July 10, 2026 12:17
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: amiskin94
Once this PR has been reviewed and has the lgtm label, please assign gparvin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7a7795ea-10ae-475a-a931-35bf960cc304

📥 Commits

Reviewing files that changed from the base of the PR and between 007f340 and 8a597d3.

📒 Files selected for processing (1)
  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh

Walkthrough

The policy workflow now waits for Quay registry readiness, extends compliance polling, reports pending policies, and filters secondary policies for OCP 4.21 and 4.22 interop tests.

Changes

Policy compliance workflow

Layer / File(s) Summary
Quay readiness polling
ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
Polls supported namespaces for the quay-registry route, captures its host, and waits 60 seconds after discovery.
Compliance retries and secondary-policy handling
ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh
Extends compliance polling to 80 retries, adds progress and failure reporting, and filters secondary policies when enabled.
Interop environment configuration
ci-operator/config/stolostron/policy-collection/*
Sets IGNORE_SECONDARY_POLICIES for OCP 4.21 and 4.22 interop tests.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PolicyCommandScript
  participant OpenShiftRoutes
  participant PolicyStatus
  PolicyCommandScript->>OpenShiftRoutes: Poll quay-registry route
  OpenShiftRoutes-->>PolicyCommandScript: Return route host
  PolicyCommandScript->>PolicyCommandScript: Wait 60 seconds after discovery
  PolicyCommandScript->>PolicyStatus: Poll compliance status
  PolicyStatus-->>PolicyCommandScript: Return pending or non-compliant policies
  PolicyCommandScript->>PolicyCommandScript: Filter secondary policies when configured
  PolicyCommandScript-->>PolicyStatus: Exit success or failure
Loading

Suggested reviewers: myakove, dfrazzette, sg-rh

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: stabilizing OPP tests by improving policy compliance timeout and error handling.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Touched files are YAML/bash only; no Ginkgo It/Describe/Context/When titles were added or changed, so the naming rule isn’t implicated.
Test Structure And Quality ✅ Passed PR changes only shell/YAML CI config; no Ginkgo test code or It blocks are present to evaluate against this check.
Microshift Test Compatibility ✅ Passed No new Ginkgo tests were added; changes are limited to CI config and a shell step, so the MicroShift test-compatibility check is not triggered.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo/e2e tests were added; the PR only changes ci-operator YAML and a shell step script, with no SNO-unsafe test assumptions found.
Topology-Aware Scheduling Compatibility ✅ Passed Modified files are CI config and a test script; no deployment manifests/controllers or topology-sensitive scheduling fields (nodeSelector/affinity/PDB/spread) were added.
Ote Binary Stdout Contract ✅ Passed No changed main/TestMain/suite code; only ci-operator YAML and a bash step script, so the OTE stdout JSON contract isn’t affected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo tests were added; changes only tweak shell polling/quoting and add env vars, with no new IPv4-only logic or external connectivity introduced.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons found in the changed YAML or shell script.
Container-Privileges ✅ Passed No privileged pod/container settings were added; the YAML changes only add env vars and the script has no securityContext or privilege flags.
No-Sensitive-Data-In-Logs ✅ Passed New logs only show generic namespace/policy status; sensitive values like the Quay host are suppressed with set +x.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh`:
- Around line 21-46: Remove the unused QUAY_FOUND variable and its assignment,
or use it in a post-loop status check; additionally, in the retry loop’s
final-attempt branch, add break immediately after the “route not found” warning
so the script does not perform an unnecessary final 30-second sleep.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 97d3402c-83c2-4dbf-9c14-ebaede49dd98

📥 Commits

Reviewing files that changed from the base of the PR and between 65b0d4b and 83feed4.

📒 Files selected for processing (3)
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.21.yaml
  • ci-operator/config/stolostron/policy-collection/stolostron-policy-collection-main__ocp4.22.yaml
  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh

- Remove unused QUAY_FOUND variable
- Redact QUAY_ROUTE from logs (security concern)
- Add break after final retry to avoid unnecessary sleep

Addresses CI check failures in PR openshift#81741
@amiskin94

Copy link
Copy Markdown
Contributor Author

/pj-rehearse

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@amiskin94: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh (1)

64-64: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

IGNORE_SECONDARY_POLICIES is unbound under set -o nounset for branches that don't set it.

Line 3 enables set -o nounset. When IGNORE_SECONDARY_POLICIES is not exported (e.g., OCP versions other than 4.21/4.22), the [ "$IGNORE_SECONDARY_POLICIES" == "true" ] check on line 64 triggers an unbound variable error and the script exits before reaching the else branch (lines 76–79) that shows the helpful "Tip: Set IGNORE_SECONDARY_POLICIES=true" message. The error path is silently broken for any branch that doesn't configure this variable.

🐛 Proposed fix: provide a default value
-      if [ "$IGNORE_SECONDARY_POLICIES" == "true" ]; then
+      if [ "${IGNORE_SECONDARY_POLICIES:-false}" == "true" ]; then
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh`
at line 64, Default IGNORE_SECONDARY_POLICIES safely before the conditional
check in the policy command logic, using nounset-compatible parameter expansion
or an equivalent initialization so unset environments treat it as false.
Preserve the existing true branch and the else branch’s helpful tip.
🧹 Nitpick comments (1)
ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh (1)

2-2: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

set -x exposes QUAY_ROUTE via tracing despite the echo redaction.

The PR redacted QUAY_ROUTE from the explicit echo on line 30, but set -x (line 2) causes bash to trace the expanded value when [ -n "$QUAY_ROUTE" ] executes on line 29, leaking the route host into CI logs. As per coding guidelines, step-registry command scripts should default to set -euo pipefail without -x and disable tracing around sensitive operations.

🔒️ Proposed fix: disable tracing around QUAY_ROUTE handling
 set -x
 set -o nounset
 set -o errexit
 set -o pipefail

Then around the QUAY_ROUTE block:

     if oc get route -n $ns quay-registry &>/dev/null 2>&1; then
+      # Disable tracing due to route URL handling
+      { set +x; } 2>/dev/null
       QUAY_ROUTE=$(oc get route -n $ns quay-registry -o jsonpath='{.spec.host}' 2>/dev/null || echo "")
       if [ -n "$QUAY_ROUTE" ]; then
+        set -x
         echo "Quay registry route found in namespace '$ns'"

Also applies to: 28-29

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh`
at line 2, Remove the global set -x from the script and use set -euo pipefail
instead; ensure the QUAY_ROUTE handling block near the redacted echo runs with
tracing disabled, enabling tracing only afterward if necessary without exposing
the variable during the condition or related commands.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh`:
- Line 64: Default IGNORE_SECONDARY_POLICIES safely before the conditional check
in the policy command logic, using nounset-compatible parameter expansion or an
equivalent initialization so unset environments treat it as false. Preserve the
existing true branch and the else branch’s helpful tip.

---

Nitpick comments:
In
`@ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh`:
- Line 2: Remove the global set -x from the script and use set -euo pipefail
instead; ensure the QUAY_ROUTE handling block near the redacted echo runs with
tracing disabled, enabling tracing only afterward if necessary without exposing
the variable during the condition or related commands.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8df6c0bd-18a0-4c1d-8d40-893b764d8cf4

📥 Commits

Reviewing files that changed from the base of the PR and between 83feed4 and 2f5ca5f.

📒 Files selected for processing (1)
  • ci-operator/step-registry/acm/policies/openshift-plus/acm-policies-openshift-plus-commands.sh

- Disable tracing around QUAY_ROUTE assignment to prevent logging via set -x
- Use parameter expansion for IGNORE_SECONDARY_POLICIES to handle unset variable

Addresses CodeRabbit review feedback in PR openshift#81741
@amiskin94

Copy link
Copy Markdown
Contributor Author

/pj-rehearse

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@amiskin94: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amiskin94

Copy link
Copy Markdown
Contributor Author

/retest

- Change [ $try == $RETRIES ] to [ "$try" -eq "$RETRIES" ]
- Change [ $try == $QUAY_RETRIES ] to [ "$try" -eq "$QUAY_RETRIES" ]
- Use -eq operator for numeric comparisons (shellcheck SC2071)
- Quote variables to prevent word splitting (shellcheck SC2086)

Addresses shellcheck failures in PR openshift#81741
@amiskin94

Copy link
Copy Markdown
Contributor Author

/retest

- Quote $ns variable in oc get route commands (SC2086)
- Use -eq instead of == for arithmetic comparison on line 87 (SC2003)
- Quote command substitution in arithmetic expression on line 92 (SC2046)
- Fix line 91: quote $(echo "$notready" | wc -l) (SC2046)

All shellcheck warnings addressed for PR openshift#81741
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@amiskin94: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-stolostron-policy-collection-main-ocp4.21-interop-opp-aws N/A periodic Ci-operator config changed
periodic-ci-stolostron-policy-collection-main-ocp4.22-interop-opp-aws N/A periodic Ci-operator config changed
periodic-ci-stolostron-policy-collection-main-ocp4.22-interop-opp-vsphere N/A periodic Registry content changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@amiskin94

Copy link
Copy Markdown
Contributor Author

/pj-rehearse

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@amiskin94: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@amiskin94

Copy link
Copy Markdown
Contributor Author

/pj-rehearse ack

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@amiskin94: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant