Skip to content

OCPBUGS-97597: use unique usernames in parallel OAuth tests#31363

Open
xueqzhan wants to merge 2 commits into
openshift:mainfrom
xueqzhan:oauth-testuser
Open

OCPBUGS-97597: use unique usernames in parallel OAuth tests#31363
xueqzhan wants to merge 2 commits into
openshift:mainfrom
xueqzhan:oauth-testuser

Conversation

@xueqzhan

@xueqzhan xueqzhan commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Tests
    • Improved OAuth end-to-end coverage by using per-test/per-namespace identities instead of a fixed username.
    • Updated OAuth flow helpers to authenticate with the dynamically generated identity and verify the returned user matches it.
    • Strengthened test cleanup by explicitly removing the dynamically created Kubernetes user and identity resources for the run.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 2, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@xueqzhan: This pull request references Jira Issue OCPBUGS-97597, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xueqzhan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2026
@openshift-ci openshift-ci Bot requested review from ShazaAldawamneh and ibihim July 2, 2026 19:01
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 41a7604c-1bdf-4ce5-a2b1-c19fa78343ce

📥 Commits

Reviewing files that changed from the base of the PR and between f71f7e9 and 43305cb.

📒 Files selected for processing (2)
  • test/extended/oauth/expiration.go
  • test/extended/oauth/htpasswd.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/extended/oauth/htpasswd.go
  • test/extended/oauth/expiration.go

Walkthrough

This PR updates OAuth extended tests to use dynamically generated usernames instead of a hardcoded test user. The OAuth server helper now accepts a username, and the affected tests pass that username through setup, token/code flows, verification, and cleanup.

Changes

OAuth test username parameterization

Layer / File(s) Summary
Server setup and htpasswd username
test/extended/oauth/helpers.go, test/extended/oauth/server_headers.go
deployOAuthServer accepts a username and uses it in the htpasswd secret; the server headers test passes a namespace-derived username into that setup call.
Expiration test username flow
test/extended/oauth/expiration.go
Generates a per-test username, passes it into server deployment and both flow helpers, updates the token/code assertions to expect that username, and deletes the matching User and Identity resources during teardown.
Htpasswd test username cleanup
test/extended/oauth/htpasswd.go
Uses a namespace-scoped username throughout deployment, token lookup, assertion, and deferred cleanup.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: OAuth tests now use per-test unique usernames to support parallel execution.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Changed Ginkgo titles are static strings; dynamic namespace/user values appear only in setup and assertions, not in test names.
Test Structure And Quality ✅ Passed The changed tests keep one behavior per It, add BeforeEach/AfterEach cleanup for dynamic user/identity resources, and introduce no new unbounded waits.
Microshift Test Compatibility ✅ Passed All affected Ginkgo cases carry unsupported apigroup tags (user.openshift.io/oauth.openshift.io/config.openshift.io), so MicroShift auto-skips them.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Changed OAuth e2e tests only exercise OAuth/user APIs and single-client login flows; no node-count, scheduling, failover, or topology assumptions found.
Topology-Aware Scheduling Compatibility ✅ Passed PASS — changes are limited to OAuth e2e tests/helpers; no manifests, controllers, or topology-sensitive scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed No stdout writes appear in process-level code; only allowed test-block logging and an init() that installs the scheme.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new IPv4 literals, IPv4-only parsing, or public internet dependencies were introduced; URLs stay cluster-internal and localhost is only a redirect URI.
No-Weak-Crypto ✅ Passed No weak crypto was introduced; changes only parameterize usernames and reuse the existing htpasswd bcrypt hash and SHA-256 token-name helper.
Container-Privileges ✅ Passed The PR only changes OAuth test Go code; no touched file is a manifest, and no changed file contains privileged/hostNetwork/hostPID/allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed Patch adds only cleanup/error logs with synthetic usernames; no passwords, tokens, or API keys are logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/oauth/expiration.go`:
- Around line 39-43: The AfterEach cleanup in the expiration test ignores Delete
errors, so failures can leave stale User/Identity objects behind. Update the
cleanup in the oauth expiration test’s AfterEach block to handle and surface
errors from oc.AdminUserClient().UserV1().Users().Delete and
Identities().Delete, while still running oauthServerCleanup(), so test cleanup
never silently discards failures.

In `@test/extended/oauth/htpasswd.go`:
- Around line 45-47: The deferred cleanup in htpasswd.go is discarding errors
from the User and Identity Delete calls, which can leave resources behind during
parallel runs. Update the cleanup logic in the affected deferred block to handle
and surface the Delete return values instead of ignoring them, following the
same pattern used in expiration.go, so both
oc.AdminUserClient().UserV1().Users().Delete and
oc.AdminUserClient().UserV1().Identities().Delete are checked and any failures
are reported.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0bac446b-5343-4171-bf83-d3799874d367

📥 Commits

Reviewing files that changed from the base of the PR and between f2c72ee and f71f7e9.

📒 Files selected for processing (4)
  • test/extended/oauth/expiration.go
  • test/extended/oauth/helpers.go
  • test/extended/oauth/htpasswd.go
  • test/extended/oauth/server_headers.go

Comment thread test/extended/oauth/expiration.go
Comment thread test/extended/oauth/htpasswd.go Outdated
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 2, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@xueqzhan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-fips 43305cb link true /test e2e-aws-ovn-fips
ci/prow/e2e-aws-csi 43305cb link true /test e2e-aws-csi

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants