From 0c32f87f37d202a914802349c47e3c79b88c509e Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:32:27 +0200 Subject: [PATCH 01/11] USHIFT-6743: promote Start MicroShift Without Waiting keyword to shared resource Move `Start MicroShift Without Waiting For Systemd Readiness` from lifecycle.robot into microshift-process.resource so it can be reused by the new apiserver-readiness.robot test. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/resources/microshift-process.resource | 14 ++++++++++++++ test/suites/osconfig/lifecycle.robot | 13 ------------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/test/resources/microshift-process.resource b/test/resources/microshift-process.resource index d9134680ff..d9d7758be0 100644 --- a/test/resources/microshift-process.resource +++ b/test/resources/microshift-process.resource @@ -108,6 +108,20 @@ Disable MicroShift [Documentation] Disable the MicroShift service Systemctl disable microshift.service +Start MicroShift Without Waiting For Systemd Readiness + [Documentation] Starts MicroShift without waiting for daemon readiness + ... (which happens after all internal services/components declare ready + ... (close ready channel)), so it can be interrupted (restarted) mid startup. + + ${stdout} ${stderr} ${rc}= Execute Command + ... systemctl start microshift --no-block + ... sudo=True + ... return_stdout=True + ... return_stderr=True + ... return_rc=True + Log Many ${stdout} ${stderr} ${rc} + Should Be Equal As Integers ${rc} 0 + Cleanup MicroShift [Documentation] Cleanup MicroShift data [Arguments] ${cmd}="--all" ${opt}=${EMPTY} diff --git a/test/suites/osconfig/lifecycle.robot b/test/suites/osconfig/lifecycle.robot index 3b8a397190..8b8662d62f 100644 --- a/test/suites/osconfig/lifecycle.robot +++ b/test/suites/osconfig/lifecycle.robot 
@@ -68,16 +68,3 @@ Restarting MicroShift Should Be Successful On First Try ... return_stderr=True ... return_rc=True Should Be Equal As Integers 0 ${rc} - -Start MicroShift Without Waiting For Systemd Readiness - [Documentation] Starts MicroShift without waiting for daemon readiness - ... (which happens after all internal services/components declare ready - ... (close ready channel)), so it can be interrupted (restarted) mid startup. - - ${stdout} ${stderr} ${rc}= Execute Command - ... systemctl start microshift --no-block - ... sudo=True - ... return_stdout=True - ... return_stderr=True - ... return_rc=True - Should Be Equal As Integers 0 ${rc} From fd5734ce097a6c0f9e612197add382f890b4a220 Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:32:35 +0200 Subject: [PATCH 02/11] USHIFT-6743: add shared kustomize-test.resource for manifest test keywords Add reusable keywords for deploying/cleaning up kustomize test manifests (Deploy Test Manifests, Remove Manifest Directory, ConfigMap Should Not Exist). Used by kustomize-sources.robot and drop-in-config.robot. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/resources/kustomize-test.resource | 41 ++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 test/resources/kustomize-test.resource diff --git a/test/resources/kustomize-test.resource b/test/resources/kustomize-test.resource new file mode 100644 index 0000000000..ccacfeb740 --- /dev/null +++ b/test/resources/kustomize-test.resource 
@@ -0,0 +1,41 @@ +*** Settings *** +Documentation Keywords for deploying and cleaning up kustomize test manifests + +Resource microshift-host.resource +Resource kubeconfig.resource + + +*** Keywords *** +Deploy Test Manifests + [Documentation] Create a kustomization that deploys a configmap in the given namespace + [Arguments] ${manifest_dir} ${namespace} ${configmap_name}=test-configmap + Command Should Work mkdir -p ${manifest_dir} + ${kustomization}= Catenate SEPARATOR=\n + ... resources: + ... - configmap.yaml + ... namespace: ${namespace} + Upload String To File ${kustomization} ${manifest_dir}/kustomization.yaml + ${configmap}= Catenate SEPARATOR=\n + ... apiVersion: v1 + ... kind: ConfigMap + ... metadata: + ... \ \ name: ${configmap_name} + ... data: + ... \ \ path: ${manifest_dir} + Upload String To File ${configmap} ${manifest_dir}/configmap.yaml + +Remove Manifest Directory + [Documentation] Completely remove a manifest directory under /etc/microshift + [Arguments] ${manifest_dir} + Should Not Be Empty ${manifest_dir} + Should Start With ${manifest_dir} /etc/microshift/ + Command Should Work rm -rf ${manifest_dir} + +ConfigMap Should Not Exist + [Documentation] Verify the configmap was not created in the namespace + [Arguments] ${namespace} ${configmap_name}=test-configmap + ${stdout} ${rc}= Run With Kubeconfig + ... oc get configmap ${configmap_name} -n ${namespace} + ... allow_fail=True return_rc=True + Should Not Be Equal As Integers ${rc} 0 + Should Contain ${stdout} NotFound From ab5625bcf3964146ae2bbe765e9bce5ce793f223 Mon Sep 17 00:00:00 2001 
From: Alejandro Gullon Date: Wed, 6 May 2026 12:32:43 +0200 Subject: [PATCH 03/11] USHIFT-6743: add config search path test to show-config.robot Replaces Ginkgo test 62959: MicroShift must not read config from ~/.microshift/config.yaml. Verifies that only /etc/microshift/ config files are picked up by show-config --mode effective. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/suites/configuration/show-config.robot | 35 ++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/test/suites/configuration/show-config.robot b/test/suites/configuration/show-config.robot index 0fed4844c4..dcd07688cd 100644 --- a/test/suites/configuration/show-config.robot +++ b/test/suites/configuration/show-config.robot @@ -12,10 +12,17 @@ Suite Teardown Teardown *** Variables *** -${MEMLIMIT256} SEPARATOR=\n -... --- -... etcd: -... \ \ memoryLimitMB: 256 +${MEMLIMIT256} SEPARATOR=\n +... --- +... etcd: +... \ \ memoryLimitMB: 256 + +${MEMLIMIT180} SEPARATOR=\n +... --- +... etcd: +... \ \ memoryLimitMB: 180 + +${HOME_CONFIG_DIR} /root/.microshift *** Test Cases *** 
@@ -52,6 +59,26 @@ Mode Unknown ... sudo=True return_rc=True Should Not Be Equal As Integers 0 ${rc} +Home Directory Config File Is Ignored + [Documentation] MicroShift should not read config from ~/.microshift/config.yaml. + ... Only /etc/microshift/config.yaml (and config.d/ drop-ins) should be used. + [Setup] Run Keywords + ... Command Should Work mkdir -p ${HOME_CONFIG_DIR} + ... AND + ... Upload String To File ${MEMLIMIT180} ${HOME_CONFIG_DIR}/config.yaml + + ${config}= Show Config effective + Should Not Be Equal As Integers 180 ${config.etcd.memoryLimitMB} + + Drop In MicroShift Config ${MEMLIMIT180} 10-memlimit + ${config}= Show Config effective + Should Be Equal As Integers 180 ${config.etcd.memoryLimitMB} + + [Teardown] Run Keywords + ... Command Should Work rm -f ${HOME_CONFIG_DIR}/config.yaml + ... AND + ... Remove Drop In MicroShift Config 10-memlimit + *** Keywords *** Setup From 4dc04ed5ed9396b2ee6a5a219b59c22e69ec4d84 Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:01 +0200 Subject: [PATCH 04/11] USHIFT-6743: add case-insensitive log level tests Replaces Ginkgo test 63099: validates that MicroShift accepts log levels in any case variation (normal, Debug, TRACE, TraceAll). Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/suites/configuration/logging.robot | 53 +++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 test/suites/configuration/logging.robot diff --git a/test/suites/configuration/logging.robot b/test/suites/configuration/logging.robot new file mode 100644 index 0000000000..7a404d98a1 --- /dev/null +++ b/test/suites/configuration/logging.robot 
@@ -0,0 +1,53 @@ +*** Settings *** +Documentation Tests for case-insensitive log level parsing + +Resource ../../resources/common.resource +Resource ../../resources/microshift-config.resource +Resource ../../resources/microshift-process.resource +Library ../../resources/journalctl.py + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart slow + + +*** Test Cases *** +Case Insensitive Log Levels + [Documentation] MicroShift should accept log levels in any case variation. + [Template] MicroShift Should Accept Log Level + + normal + Debug + TRACE + TraceAll + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + +Teardown + [Documentation] Test suite teardown + Remove Drop In MicroShift Config 10-loglevel + Restart MicroShift + Logout MicroShift Host + Remove Kubeconfig + +MicroShift Should Accept Log Level + [Documentation] Set log level via drop-in config, restart, and verify + ... that MicroShift logs the configured level. + [Arguments] ${level} + + ${config}= Catenate SEPARATOR=\n + ... debugging: + ... \ \ logLevel: ${level} + Drop In MicroShift Config ${config} 10-loglevel + + ${cursor}= Get Journal Cursor + Restart MicroShift + + Pattern Should Appear In Log Output ${cursor} logLevel.*${level} From 6830ffd7905dee13326b7d7acad0ee40dc8fa6c2 Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:03 +0200 Subject: [PATCH 05/11] USHIFT-6743: add data directory isolation test Replaces Ginkgo test 62987: verifies MicroShift only uses /var/lib/microshift/ for data and does not populate the legacy ~/.microshift/data/ path. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/suites/configuration/data-dir.robot | 63 ++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 test/suites/configuration/data-dir.robot 
diff --git a/test/suites/configuration/data-dir.robot b/test/suites/configuration/data-dir.robot new file mode 100644 index 0000000000..f2dc92fff5 --- /dev/null +++ b/test/suites/configuration/data-dir.robot 
@@ -0,0 +1,63 @@ +*** Settings *** +Documentation Tests that MicroShift only uses /var/lib/microshift for data storage + +Resource ../../resources/common.resource +Resource ../../resources/microshift-host.resource +Resource ../../resources/microshift-process.resource + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart + + +*** Variables *** +${HOME_DATA_DIR} /root/.microshift/data +${GLOBAL_RESOURCES} /var/lib/microshift/resources + + +*** Test Cases *** +MicroShift Does Not Use Home Directory For Data + [Documentation] MicroShift should only use /var/lib/microshift/ for data. + ... The legacy search path ~/.microshift/data/ must not be populated. + Command Should Work mkdir -p ${HOME_DATA_DIR} + Command Should Work find ${HOME_DATA_DIR} -mindepth 1 -delete + + Command Should Work find ${GLOBAL_RESOURCES} -mindepth 1 -delete + Directory Should Be Empty ${GLOBAL_RESOURCES} + + Restart MicroShift + + Directory Should Be Empty ${HOME_DATA_DIR} + Wait Until Keyword Succeeds 40x 5s + ... Directory Should Not Be Empty ${GLOBAL_RESOURCES} + + [Teardown] Run Keywords + ... Command Should Work rm -rf /root/.microshift + ... AND + ... Restart MicroShift + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + +Teardown + [Documentation] Test suite teardown + Logout MicroShift Host + Remove Kubeconfig + +Directory Should Be Empty + [Documentation] Verify that a directory contains no files or subdirectories + [Arguments] ${path} + ${stdout}= Command Should Work find ${path} -mindepth 1 -maxdepth 1 | wc -l + Should Be Equal As Strings ${stdout.strip()} 0 Directory ${path} is not empty + +Directory Should Not Be Empty + [Documentation] Verify that a directory contains at least one file or subdirectory + [Arguments] ${path} + ${stdout}= Command Should Work find ${path} -mindepth 1 -maxdepth 1 | wc -l + Should Not Be Equal As Strings ${stdout.strip()} 0 Directory ${path} is empty 
From c7049d66c69bf8297f16d5f3b252bcce53bef79b Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:05 +0200 Subject: [PATCH 06/11] USHIFT-6743: add drop-in config merge and override tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces Ginkgo test 76468: verifies drop-in config directory semantics — higher-numbered files override arrays (kustomizePaths, subjectAltNames) while maps merge across config.yaml and drop-ins. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- .../suites/configuration/drop-in-config.robot | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 test/suites/configuration/drop-in-config.robot diff --git a/test/suites/configuration/drop-in-config.robot b/test/suites/configuration/drop-in-config.robot new file mode 100644 index 0000000000..b01bebcb31 --- /dev/null +++ b/test/suites/configuration/drop-in-config.robot 
@@ -0,0 +1,130 @@ +*** Settings *** +Documentation Tests for drop-in configuration directory merge and override semantics + +Resource ../../resources/common.resource +Resource ../../resources/kustomize-test.resource +Resource ../../resources/microshift-config.resource +Resource ../../resources/microshift-host.resource +Resource ../../resources/microshift-process.resource +Resource ../../resources/oc.resource +Library ../../resources/DataFormats.py + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart slow + + +*** Variables *** +${MANIFEST_DIR_A} /etc/microshift/manifests.d/dropin-test-a +${MANIFEST_DIR_B} /etc/microshift/manifests.d/dropin-test-b + +${KUSTOMIZE_A} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: +... \ \ \ \ - /etc/microshift/manifests.d/dropin-test-a + +${KUSTOMIZE_B} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: +... \ \ \ \ - /etc/microshift/manifests.d/dropin-test-b + +${SAN_10} SEPARATOR=\n +... apiServer: +... \ \ subjectAltNames: +... \ \ \ \ - test1.example.com + +${SAN_20} SEPARATOR=\n +... apiServer: +... \ \ subjectAltNames: +... \ \ \ \ - test2.example.com + +${ETCD_MEM} SEPARATOR=\n +... etcd: +... \ \ memoryLimitMB: 180 + +${DEBUG_LEVEL} SEPARATOR=\n +... debugging: +... \ \ logLevel: debug + + +*** Test Cases *** +Drop In Sets Kustomize Paths + [Documentation] A drop-in config file can set kustomizePaths and manifests are loaded from it. + Drop In MicroShift Config ${KUSTOMIZE_A} 10-kustomize + Deploy Test Manifests ${MANIFEST_DIR_A} dropin-ns-a + Restart MicroShift + Wait Until Keyword Succeeds 10x 10s + ... Oc Get configmap dropin-ns-a test-configmap + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Manifest Directory ${MANIFEST_DIR_A} + ... AND Oc Delete namespace dropin-ns-a --ignore-not-found + ... AND Restart MicroShift + +Higher Numbered Drop In Overrides Array + [Documentation] When two drop-ins set the same array field, the higher-numbered + ... 
file wins (arrays are replaced, not merged). + Drop In MicroShift Config ${KUSTOMIZE_A} 10-kustomize + Drop In MicroShift Config ${KUSTOMIZE_B} 20-kustomize + Deploy Test Manifests ${MANIFEST_DIR_A} dropin-ns-a2 + Deploy Test Manifests ${MANIFEST_DIR_B} dropin-ns-b + + Restart MicroShift + + Wait Until Keyword Succeeds 10x 10s + ... Oc Get configmap dropin-ns-b test-configmap + ConfigMap Should Not Exist dropin-ns-a2 + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Drop In MicroShift Config 20-kustomize + ... AND Remove Manifest Directory ${MANIFEST_DIR_A} + ... AND Remove Manifest Directory ${MANIFEST_DIR_B} + ... AND Oc Delete namespace dropin-ns-a2 --ignore-not-found + ... AND Oc Delete namespace dropin-ns-b --ignore-not-found + ... AND Restart MicroShift + +SAN Arrays Are Replaced Not Merged + [Documentation] SubjectAltNames is an array field. A higher-numbered drop-in + ... should replace the array, not merge with the lower-numbered one. + ... Verified via show-config without restarting to avoid breaking API access. + Drop In MicroShift Config ${SAN_10} 10-san + Drop In MicroShift Config ${SAN_20} 20-san + + ${config}= Show Config effective + Should Contain ${config.apiServer.subjectAltNames.__repr__()} test2.example.com + Should Not Contain ${config.apiServer.subjectAltNames.__repr__()} test1.example.com + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-san + ... AND Remove Drop In MicroShift Config 20-san + +Map Fields Merge Across Drop Ins + [Documentation] Map-type fields should merge across config.yaml and drop-ins. + ... Settings from different map keys should all be present. + ... Verified via show-config without restarting. 
+ Drop In MicroShift Config ${ETCD_MEM} 10-etcd + Drop In MicroShift Config ${DEBUG_LEVEL} 20-debug + + ${config}= Show Config effective + Should Be Equal As Integers 180 ${config.etcd.memoryLimitMB} + Should Be Equal As Strings debug ${config.debugging.logLevel} + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-etcd + ... AND Remove Drop In MicroShift Config 20-debug + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + +Teardown + [Documentation] Test suite teardown + Logout MicroShift Host + Remove Kubeconfig From dc99dde907829eaf29c1c1d770237ac236cadad6 Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:07 +0200 Subject: [PATCH 07/11] USHIFT-6743: add configurable kustomize paths and glob scanning tests Replaces Ginkgo tests 63217 and 63298: tests empty, single, multiple, null, non-existent, and glob-pattern kustomizePaths configurations. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- .../configuration/kustomize-sources.robot | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 test/suites/configuration/kustomize-sources.robot diff --git a/test/suites/configuration/kustomize-sources.robot b/test/suites/configuration/kustomize-sources.robot new file mode 100644 index 0000000000..7248a8b863 --- /dev/null +++ b/test/suites/configuration/kustomize-sources.robot 
@@ -0,0 +1,171 @@ +*** Settings *** +Documentation Tests for configurable kustomize manifest paths and glob pattern scanning + +Resource ../../resources/common.resource +Resource ../../resources/kustomize-test.resource +Resource ../../resources/microshift-config.resource +Resource ../../resources/microshift-host.resource +Resource ../../resources/microshift-process.resource +Resource ../../resources/oc.resource +Library ../../resources/DataFormats.py + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart slow + + +*** Variables *** +${CONFIGMAP_NAME} test-configmap +${MANIFEST_DIR_1} /etc/microshift/manifests.d/ksrc-test-1 +${MANIFEST_DIR_2} /etc/microshift/manifests.d/ksrc-test-2 +${GLOB_BASE} /etc/microshift/manifests.d/ksrc-glob +${GLOB_DIR_A} /etc/microshift/manifests.d/ksrc-glob/app-a +${GLOB_DIR_B} /etc/microshift/manifests.d/ksrc-glob/app-b + +${EMPTY_PATHS} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: [] + +${SINGLE_PATH} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: +... \ \ \ \ - /etc/microshift/manifests.d/ksrc-test-1 + +${MULTI_PATHS} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: +... \ \ \ \ - /etc/microshift/manifests.d/ksrc-test-1 +... \ \ \ \ - /etc/microshift/manifests.d/ksrc-test-2 + +${NULL_PATHS} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: + +${GLOB_PATHS} SEPARATOR=\n +... manifests: +... \ \ kustomizePaths: +... \ \ \ \ - /etc/microshift/manifests.d/ksrc-glob/*/ + + +*** Test Cases *** +Empty Kustomize Paths Disables Manifests + [Documentation] Setting kustomizePaths to an empty list disables all manifest loading. + Deploy Test Manifests ${MANIFEST_DIR_1} ksrc-empty-ns + Drop In MicroShift Config ${EMPTY_PATHS} 10-kustomize + + Restart MicroShift + + ConfigMap Should Not Exist ksrc-empty-ns + + [Teardown] Cleanup Kustomize Test ksrc-empty-ns ${MANIFEST_DIR_1} + +Single Kustomize Path + [Documentation] Setting a single kustomizePath should load manifests only from that path. 
+ Deploy Test Manifests ${MANIFEST_DIR_1} ksrc-single-ns + Drop In MicroShift Config ${SINGLE_PATH} 10-kustomize + + Restart MicroShift + + Wait Until Keyword Succeeds 20x 10s + ... Oc Get configmap ksrc-single-ns ${CONFIGMAP_NAME} + + [Teardown] Cleanup Kustomize Test ksrc-single-ns ${MANIFEST_DIR_1} + +Multiple Kustomize Paths + [Documentation] Multiple paths in kustomizePaths should all be loaded. + Deploy Test Manifests ${MANIFEST_DIR_1} ksrc-multi-ns-1 + Deploy Test Manifests ${MANIFEST_DIR_2} ksrc-multi-ns-2 + Drop In MicroShift Config ${MULTI_PATHS} 10-kustomize + + Restart MicroShift + + Wait Until Keyword Succeeds 20x 10s + ... Oc Get configmap ksrc-multi-ns-1 ${CONFIGMAP_NAME} + Wait Until Keyword Succeeds 20x 10s + ... Oc Get configmap ksrc-multi-ns-2 ${CONFIGMAP_NAME} + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Manifest Directory ${MANIFEST_DIR_1} + ... AND Remove Manifest Directory ${MANIFEST_DIR_2} + ... AND Oc Delete namespace ksrc-multi-ns-1 --ignore-not-found + ... AND Oc Delete namespace ksrc-multi-ns-2 --ignore-not-found + ... AND Restart MicroShift + +Path Without Kustomization File Is Ignored + [Documentation] A path that exists but has no kustomization.yaml should be silently ignored. + Command Should Work mkdir -p ${MANIFEST_DIR_1} + Drop In MicroShift Config ${SINGLE_PATH} 10-kustomize + + Restart MicroShift + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Manifest Directory ${MANIFEST_DIR_1} + ... AND Restart MicroShift + +Non Existent Path Is Ignored + [Documentation] A non-existent path in kustomizePaths should be silently ignored. + Drop In MicroShift Config ${SINGLE_PATH} 10-kustomize + + Restart MicroShift + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Restart MicroShift + +Unset Kustomize Paths Uses Defaults + [Documentation] Setting kustomizePaths to null should result in the default paths. 
+ Drop In MicroShift Config ${NULL_PATHS} 10-kustomize + + ${config}= Show Config effective + ${paths}= Evaluate str(${config.manifests.kustomizePaths}) + Should Contain ${paths} /etc/microshift/manifests + Should Contain ${paths} /etc/microshift/manifests.d/* + Should Contain ${paths} /usr/lib/microshift/manifests + Should Contain ${paths} /usr/lib/microshift/manifests.d/* + + [Teardown] Remove Drop In MicroShift Config 10-kustomize + +Glob Patterns In Kustomize Paths + [Documentation] Glob patterns in kustomizePaths should match subdirectories. + Deploy Test Manifests ${GLOB_DIR_A} ksrc-glob-ns-a + Deploy Test Manifests ${GLOB_DIR_B} ksrc-glob-ns-b + Drop In MicroShift Config ${GLOB_PATHS} 10-kustomize + + Restart MicroShift + + Wait Until Keyword Succeeds 20x 10s + ... Oc Get configmap ksrc-glob-ns-a ${CONFIGMAP_NAME} + Wait Until Keyword Succeeds 20x 10s + ... Oc Get configmap ksrc-glob-ns-b ${CONFIGMAP_NAME} + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Manifest Directory ${GLOB_BASE} + ... AND Oc Delete namespace ksrc-glob-ns-a --ignore-not-found + ... AND Oc Delete namespace ksrc-glob-ns-b --ignore-not-found + ... AND Restart MicroShift + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + +Teardown + [Documentation] Test suite teardown + Logout MicroShift Host + Remove Kubeconfig + +Cleanup Kustomize Test + [Documentation] Standard cleanup for a single-path kustomize test + [Arguments] ${namespace} ${manifest_dir} + Run Keywords + ... Remove Drop In MicroShift Config 10-kustomize + ... AND Remove Manifest Directory ${manifest_dir} + ... AND Oc Delete namespace ${namespace} --ignore-not-found + ... AND Restart MicroShift From 7165f3694ad556f543a91e08b09dad07a4351040 Mon Sep 17 00:00:00 2001 
From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:09 +0200 Subject: [PATCH 08/11] USHIFT-6743: add audit log profile and rotation tests Replaces Ginkgo tests 72334 and 72340: verifies all four audit profiles (None, Default, WriteRequestBodies, AllRequestBodies) by checking actual audit.log content, and tests log file rotation with maxFileSize and maxFiles constraints. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/suites/configuration/audit-log.robot | 243 ++++++++++++++++++++++ 1 file changed, 243 insertions(+) create mode 100644 test/suites/configuration/audit-log.robot diff --git a/test/suites/configuration/audit-log.robot b/test/suites/configuration/audit-log.robot new file mode 100644 index 0000000000..db0eb2bb66 --- /dev/null +++ b/test/suites/configuration/audit-log.robot 
@@ -0,0 +1,243 @@ +*** Settings *** +Documentation Tests for audit log profile configuration and log file rotation + +Resource ../../resources/common.resource +Resource ../../resources/microshift-config.resource +Resource ../../resources/microshift-host.resource +Resource ../../resources/microshift-process.resource +Resource ../../resources/oc.resource +Library ../../resources/DataFormats.py + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart slow + + +*** Variables *** +${AUDIT_LOG} /var/log/kube-apiserver/audit.log +${AUDIT_LOG_DIR} /var/log/kube-apiserver +${TEST_NS} audit-test-ns + +${PROFILE_NONE} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ profile: None + +${PROFILE_DEFAULT} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ profile: Default + +${PROFILE_WRITE} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ profile: WriteRequestBodies + +${PROFILE_ALL} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ profile: AllRequestBodies + +${PROFILE_INVALID} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ profile: Unknown + +${ROTATION_CONFIG} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ maxFileSize: 2 +... \ \ \ \ maxFiles: 2 +... \ \ \ \ profile: AllRequestBodies + +${ROTATION_INVALID} SEPARATOR=\n +... apiServer: +... \ \ auditLog: +... \ \ \ \ maxFileSize: invalid +... \ \ \ \ profile: Default + + +*** Test Cases *** +Invalid Audit Profile Prevents Startup + [Documentation] An unrecognized audit profile should prevent MicroShift from starting. + Drop In MicroShift Config ${PROFILE_INVALID} 10-audit + Stop MicroShift + Command Should Fail timeout 30 systemctl start microshift + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Invalid Audit Rotation Values Prevent Startup + [Documentation] Non-integer rotation parameters should prevent MicroShift from starting. 
+ Drop In MicroShift Config ${ROTATION_INVALID} 10-audit + Stop MicroShift + Command Should Fail timeout 30 systemctl start microshift + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Audit Profile None Produces No Logs + [Documentation] With profile None, no audit entries should be written. + Drop In MicroShift Config ${PROFILE_NONE} 10-audit + Restart MicroShift + + VAR ${cm_name}= audit-none-cm + Oc Create configmap ${cm_name} -n ${TEST_NS} + + ${count}= Grep Audit Log Count ${cm_name} + Should Be Equal As Integers ${count} 0 + + [Teardown] Run Keywords + ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found + ... AND Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Audit Profile Default Logs Metadata Only + [Documentation] Default profile should log metadata but not request/response bodies. + Drop In MicroShift Config ${PROFILE_DEFAULT} 10-audit + Restart MicroShift + + VAR ${cm_name}= audit-default-cm + Oc Create configmap ${cm_name} -n ${TEST_NS} + Oc Get configmap ${TEST_NS} ${cm_name} + + ${meta_count}= Grep Audit Log Count ${cm_name} + Should Be True ${meta_count} > 0 + + ${body_count}= Grep Audit Log Bodies Count ${cm_name} + Should Be Equal As Integers ${body_count} 0 + + [Teardown] Run Keywords + ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found + ... AND Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Audit Profile WriteRequestBodies Logs Write Operations + [Documentation] WriteRequestBodies should log request bodies for write operations + ... (create, update, patch, delete) but not for read operations. 
+ Drop In MicroShift Config ${PROFILE_WRITE} 10-audit + Restart MicroShift + + VAR ${cm_name}= audit-write-cm + Oc Create configmap ${cm_name} -n ${TEST_NS} + Oc Get configmap ${TEST_NS} ${cm_name} + + ${write_bodies}= Grep Audit Log Write Bodies ${cm_name} + Should Be True ${write_bodies} > 0 + + ${read_bodies}= Grep Audit Log Read Bodies ${cm_name} + Should Be Equal As Integers ${read_bodies} 0 + + [Teardown] Run Keywords + ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found + ... AND Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Audit Profile AllRequestBodies Logs All Operations + [Documentation] AllRequestBodies should log request bodies for all operations. + Drop In MicroShift Config ${PROFILE_ALL} 10-audit + Restart MicroShift + + VAR ${cm_name}= audit-all-cm + Oc Create configmap ${cm_name} -n ${TEST_NS} + Oc Get configmap ${TEST_NS} ${cm_name} + + ${write_bodies}= Grep Audit Log Write Bodies ${cm_name} + Should Be True ${write_bodies} > 0 + + ${read_bodies}= Grep Audit Log Read Bodies ${cm_name} + Should Be True ${read_bodies} > 0 + + [Teardown] Run Keywords + ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found + ... AND Remove Drop In MicroShift Config 10-audit + ... AND Restart MicroShift + +Audit Log Rotation Respects Max File Size And Count + [Documentation] With maxFileSize=2 (MB) and maxFiles=2, audit log rotation should + ... produce exactly 2 backup files of approximately 2MB each. + Drop In MicroShift Config ${ROTATION_CONFIG} 10-audit + Restart MicroShift + + Wait Until Keyword Succeeds 60x 5s + ... Audit Backup Files Should Match 2 + + [Teardown] Run Keywords + ... Remove Drop In MicroShift Config 10-audit + ... 
AND Restart MicroShift + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + Oc Delete namespace ${TEST_NS} --ignore-not-found + Oc Create namespace ${TEST_NS} + +Teardown + [Documentation] Test suite teardown + Oc Delete namespace ${TEST_NS} --ignore-not-found + Logout MicroShift Host + Remove Kubeconfig + +Grep Audit Log Count + [Documentation] Count audit log entries matching the resource name + [Arguments] ${resource_name} + ${stdout}= Command Should Work + ... grep -c '"${resource_name}"' ${AUDIT_LOG} || test $? -eq 1 + RETURN ${stdout.strip()} + +Grep Audit Log Bodies Count + [Documentation] Count audit entries with requestObject or responseObject for a resource + [Arguments] ${resource_name} + ${stdout}= Command Should Work + ... grep '"${resource_name}"' ${AUDIT_LOG} | grep -c '"requestObject"\\|"responseObject"' || test $? -eq 1 + RETURN ${stdout.strip()} + +Grep Audit Log Write Bodies + [Documentation] Count audit entries with requestObject for write verbs + [Arguments] ${resource_name} + ${stdout}= Command Should Work + ... grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(create|update|patch|delete)"' | grep -c '"requestObject"' || test $? -eq 1 + RETURN ${stdout.strip()} + +Grep Audit Log Read Bodies + [Documentation] Count audit entries with responseObject for read verbs + [Arguments] ${resource_name} + ${stdout}= Command Should Work + ... grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(get|list|watch)"' | grep -c '"responseObject"' || test $? -eq 1 + RETURN ${stdout.strip()} + +Audit Backup Files Should Match + [Documentation] Verify the expected number of audit backup files exist and each is at least 1MB. + ... Generates API traffic to fill audit logs while waiting. + [Arguments] ${expected_count} + Generate API Traffic + ${stdout}= Command Should Work + ... 
find ${AUDIT_LOG_DIR} -name 'audit-*.log' -type f | wc -l + Should Be Equal As Strings ${stdout.strip()} ${expected_count} + ${size_count}= Command Should Work + ... find ${AUDIT_LOG_DIR} -name 'audit-*.log' -type f -size +1M | wc -l + Should Be Equal As Strings ${size_count.strip()} ${expected_count} + ... Rotated audit files should each be at least 1MB + +Generate API Traffic + [Documentation] Generate API activity to produce audit log entries. + ... Fails if none of the API operations succeed. + VAR ${successes}= ${0} + FOR ${i} IN RANGE 20 + Run With Kubeconfig oc get pods -A allow_fail=True + ${stdout} ${rc}= Run With Kubeconfig + ... oc create configmap traffic-cm-${i} -n ${TEST_NS} --from-literal=data=padding${{" " * 4096}} + ... allow_fail=True return_rc=True + IF ${rc} == 0 + ${successes}= Evaluate ${successes} + 1 + END + Run With Kubeconfig oc delete configmap traffic-cm-${i} -n ${TEST_NS} --ignore-not-found allow_fail=True + END + Should Be True ${successes} > 0 No API traffic was generated — API server may be down From 464ac00305460c58cd758b409c176aae45bc3cf8 Mon Sep 17 00:00:00 2001 From: Alejandro Gullon Date: Wed, 6 May 2026 12:33:11 +0200 Subject: [PATCH 09/11] USHIFT-6743: add API server readiness rejection test Replaces Ginkgo test 55728: verifies the API server returns HTTP 429 when X-OpenShift-Internal-If-Not-Ready: reject header is sent during startup, preventing clients from using a partially initialized server. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- .../configuration/apiserver-readiness.robot | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 test/suites/configuration/apiserver-readiness.robot diff --git a/test/suites/configuration/apiserver-readiness.robot b/test/suites/configuration/apiserver-readiness.robot new file mode 100644 index 0000000000..18b996ab36 --- /dev/null +++ b/test/suites/configuration/apiserver-readiness.robot 
@@ -0,0 +1,62 @@ +*** Settings *** +Documentation Tests that the API server rejects requests during startup + +Resource ../../resources/common.resource +Resource ../../resources/microshift-host.resource +Resource ../../resources/microshift-process.resource + +Suite Setup Setup +Suite Teardown Teardown + +Test Tags restart + + +*** Variables *** +${READINESS_HEADER} X-OpenShift-Internal-If-Not-Ready: reject +${APIS_ENDPOINT} https://localhost:6443/apis + + +*** Test Cases *** +API Server Rejects Requests During Startup + [Documentation] When the X-OpenShift-Internal-If-Not-Ready: reject header is sent + ... and the API server is not yet ready, it should return HTTP 429. + ... This prevents internal clients from using a partially initialized server. + Stop MicroShift + Start MicroShift Without Waiting For Systemd Readiness + + ${found_429}= Poll For 429 During Startup + Should Be True ${found_429} API server did not return 429 during startup + + [Teardown] Restart MicroShift + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Check Required Env Variables + Login MicroShift Host + Setup Kubeconfig + +Teardown + [Documentation] Test suite teardown + Logout MicroShift Host + Remove Kubeconfig + +Poll For 429 During Startup + [Documentation] Poll the API server until we observe a 429 response or the server becomes ready. + ... Returns True if 429 was observed, False otherwise. + VAR ${found}= ${FALSE} + FOR ${i} IN RANGE 300 + ${stdout} ${stderr} ${rc}= Execute Command + ... curl -sk -o /dev/null -w "%{http_code}" -H "${READINESS_HEADER}" ${APIS_ENDPOINT} + ... sudo=True return_stdout=True return_stderr=True return_rc=True + IF "${stdout}" == "429" + VAR ${found}= ${TRUE} + BREAK + END + IF "${stdout}" == "200" or "${stdout}" == "401" or "${stdout}" == "403" + BREAK + END + Sleep 0.2s + END + RETURN ${found} From 155f5580b5517514cdedf49d601fb90ec94130e0 Mon Sep 17 00:00:00 2001 
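Review bot: In `Generate API Traffic` (test/suites/configuration/audit-log.robot, PATCH 08), the padding in `--from-literal=data=padding${{" " * 4096}}` is 4096 unquoted spaces at the end of the `oc create configmap` command line. If `Run With Kubeconfig` hands that string to a shell, word splitting drops the spaces and every configmap carries only `padding`, so the loop generates much less audit data than it appears to aim for and `Audit Backup Files Should Match` depends on other traffic to reach the `-size +1M` threshold. Quote the literal or pad with a non-whitespace character, for example `${{"x" * 4096}}`.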
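Review bot: `Poll For 429 During Startup` in apiserver-readiness.robot (PATCH 09) returns False on the first 200, 401 or 403 and never looks at `${rc}` or `${stderr}`, so three different outcomes collapse into one "API server did not return 429 during startup" failure: the not-ready window was shorter than one 0.2s poll plus the command round trip, curl never connected during all 300 iterations, or the readiness gate really regressed. Log the status seen on each iteration and fail with distinct messages for "ready before any 429" and "never reachable", so a CI failure shows which case occurred. The curl line in this patch also still has the unescaped `%{http_code}` that PATCH 10/11 corrects to `\%{http_code}`; folding that fix in here keeps the series bisectable.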
From: Alejandro Gullon Date: Wed, 6 May 2026 17:14:36 +0200 Subject: [PATCH 10/11] USHIFT-6743: fix CI failures and rebalance configuration scenarios Deploy Test Manifests now includes a namespace.yaml resource so the target namespace is created alongside the configmap. Escape %{http_code} in curl command as \%{http_code} to prevent Robot Framework from interpreting it as an environment variable. Move audit-log.robot from configuration1 to configuration2 scenario to avoid the 30-minute timeout. Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/resources/kustomize-test.resource | 9 +++++- ...uration.sh => el102-src@configuration1.sh} | 4 ++- .../presubmits/el102-src@configuration2.sh | 23 ++++++++++++++ ...> el102-lrel@dual-stack-configuration1.sh} | 3 +- .../el102-lrel@dual-stack-configuration2.sh | 30 +++++++++++++++++++ ...guration.sh => el98-src@configuration1.sh} | 4 ++- .../el9/presubmits/el98-src@configuration2.sh | 23 ++++++++++++++ ...=> el98-lrel@dual-stack-configuration1.sh} | 3 +- .../el98-lrel@dual-stack-configuration2.sh | 30 +++++++++++++++++++ ...uration.sh => cos10-src@configuration1.sh} | 4 ++- .../upstream/cos10-src@configuration2.sh | 23 ++++++++++++++ ...guration.sh => cos9-src@configuration1.sh} | 4 ++- .../upstream/cos9-src@configuration2.sh | 23 ++++++++++++++ ...guration.sh => el98-src@configuration1.sh} | 4 ++- .../presubmits/el98-src@configuration2.sh | 23 ++++++++++++++ ...=> el98-lrel@dual-stack-configuration1.sh} | 3 +- .../el98-lrel@dual-stack-configuration2.sh | 30 +++++++++++++++++++ .../configuration/apiserver-readiness.robot | 2 +- 18 files changed, 235 insertions(+), 10 deletions(-) rename test/scenarios-bootc/el10/presubmits/{el102-src@configuration.sh => el102-src@configuration1.sh} (68%) create mode 100644 test/scenarios-bootc/el10/presubmits/el102-src@configuration2.sh rename test/scenarios-bootc/el10/releases/{el102-lrel@dual-stack-configuration.sh => el102-lrel@dual-stack-configuration1.sh} (84%) 
create mode 100644 test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration2.sh rename test/scenarios-bootc/el9/presubmits/{el98-src@configuration.sh => el98-src@configuration1.sh} (68%) create mode 100644 test/scenarios-bootc/el9/presubmits/el98-src@configuration2.sh rename test/scenarios-bootc/el9/releases/{el98-lrel@dual-stack-configuration.sh => el98-lrel@dual-stack-configuration1.sh} (84%) create mode 100644 test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration2.sh rename test/scenarios-bootc/upstream/{cos10-src@configuration.sh => cos10-src@configuration1.sh} (68%) create mode 100644 test/scenarios-bootc/upstream/cos10-src@configuration2.sh rename test/scenarios-bootc/upstream/{cos9-src@configuration.sh => cos9-src@configuration1.sh} (68%) create mode 100644 test/scenarios-bootc/upstream/cos9-src@configuration2.sh rename test/scenarios/presubmits/{el98-src@configuration.sh => el98-src@configuration1.sh} (68%) create mode 100644 test/scenarios/presubmits/el98-src@configuration2.sh rename test/scenarios/releases/{el98-lrel@dual-stack-configuration.sh => el98-lrel@dual-stack-configuration1.sh} (84%) create mode 100644 test/scenarios/releases/el98-lrel@dual-stack-configuration2.sh diff --git a/test/resources/kustomize-test.resource b/test/resources/kustomize-test.resource index ccacfeb740..f4215e1ad2 100644 --- a/test/resources/kustomize-test.resource +++ b/test/resources/kustomize-test.resource 
@@ -7,14 +7,21 @@ Resource kubeconfig.resource *** Keywords *** Deploy Test Manifests - [Documentation] Create a kustomization that deploys a configmap in the given namespace + [Documentation] Create a kustomization that deploys a namespace and configmap [Arguments] ${manifest_dir} ${namespace} ${configmap_name}=test-configmap Command Should Work mkdir -p ${manifest_dir} ${kustomization}= Catenate SEPARATOR=\n ... resources: + ... - namespace.yaml ... - configmap.yaml ... namespace: ${namespace} Upload String To File ${kustomization} ${manifest_dir}/kustomization.yaml + ${ns_yaml}= Catenate SEPARATOR=\n + ... apiVersion: v1 + ... kind: Namespace + ... metadata: + ... \ \ name: ${namespace} + Upload String To File ${ns_yaml} ${manifest_dir}/namespace.yaml ${configmap}= Catenate SEPARATOR=\n ... apiVersion: v1 ... kind: ConfigMap diff --git a/test/scenarios-bootc/el10/presubmits/el102-src@configuration.sh b/test/scenarios-bootc/el10/presubmits/el102-src@configuration1.sh similarity index 68% rename from test/scenarios-bootc/el10/presubmits/el102-src@configuration.sh rename to test/scenarios-bootc/el10/presubmits/el102-src@configuration1.sh index 21638e158f..47ffa2d77d 100644 --- a/test/scenarios-bootc/el10/presubmits/el102-src@configuration.sh +++ b/test/scenarios-bootc/el10/presubmits/el102-src@configuration1.sh @@ -12,5 +12,7 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/configuration/ + run_tests host1 \ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/el10/presubmits/el102-src@configuration2.sh b/test/scenarios-bootc/el10/presubmits/el102-src@configuration2.sh new file mode 100644 index 0000000000..a4dfa7bef5 --- /dev/null +++ b/test/scenarios-bootc/el10/presubmits/el102-src@configuration2.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +scenario_create_vms() { + prepare_kickstart host1 kickstart-bootc.ks.template rhel102-bootc-source + launch_vm rhel102-bootc +} + +scenario_remove_vms() { + remove_vm host1 +} + +scenario_run_tests() { + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration.sh b/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration1.sh similarity index 84% rename from test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration.sh rename to test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration1.sh index bdbb343784..abf14b4f2e 100644 --- a/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration.sh +++ b/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration1.sh @@ -21,5 +21,6 @@ scenario_run_tests() { exit_if_image_not_found "${start_image}" run_tests host1 \ suites/ipv6/dualstack.robot \ - suites/configuration/ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration2.sh b/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration2.sh new file mode 100644 index 0000000000..97fd537a36 --- /dev/null +++ b/test/scenarios-bootc/el10/releases/el102-lrel@dual-stack-configuration2.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +start_image="rhel102-bootc-brew-lrel-optional" + +scenario_create_vms() { + exit_if_image_not_found "${start_image}" + + prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}" + launch_vm rhel102-bootc --network "${VM_DUAL_STACK_NETWORK}" --vm_vcpus 4 +} + +scenario_remove_vms() { + exit_if_image_not_found "${start_image}" + + remove_vm host1 +} + +scenario_run_tests() { + exit_if_image_not_found "${start_image}" + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios-bootc/el9/presubmits/el98-src@configuration.sh b/test/scenarios-bootc/el9/presubmits/el98-src@configuration1.sh similarity index 68% rename from test/scenarios-bootc/el9/presubmits/el98-src@configuration.sh rename to test/scenarios-bootc/el9/presubmits/el98-src@configuration1.sh index 936b522034..2060c15b23 100644 --- a/test/scenarios-bootc/el9/presubmits/el98-src@configuration.sh +++ b/test/scenarios-bootc/el9/presubmits/el98-src@configuration1.sh @@ -12,5 +12,7 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/configuration/ + run_tests host1 \ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/el9/presubmits/el98-src@configuration2.sh b/test/scenarios-bootc/el9/presubmits/el98-src@configuration2.sh new file mode 100644 index 0000000000..8e44c92a9e --- /dev/null +++ b/test/scenarios-bootc/el9/presubmits/el98-src@configuration2.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +scenario_create_vms() { + prepare_kickstart host1 kickstart-bootc.ks.template rhel98-bootc-source + launch_vm rhel98-bootc +} + +scenario_remove_vms() { + remove_vm host1 +} + +scenario_run_tests() { + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration.sh b/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration1.sh similarity index 84% rename from test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration.sh rename to test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration1.sh index d403a60671..950f974d27 100644 --- a/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration.sh +++ b/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration1.sh @@ -21,5 +21,6 @@ scenario_run_tests() { exit_if_image_not_found "${start_image}" run_tests host1 \ suites/ipv6/dualstack.robot \ - suites/configuration/ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration2.sh b/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration2.sh new file mode 100644 index 0000000000..56cc55776b --- /dev/null +++ b/test/scenarios-bootc/el9/releases/el98-lrel@dual-stack-configuration2.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +start_image="rhel98-bootc-brew-lrel-optional" + +scenario_create_vms() { + exit_if_image_not_found "${start_image}" + + prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}" + launch_vm rhel98-bootc --network "${VM_DUAL_STACK_NETWORK}" --vm_vcpus 4 +} + +scenario_remove_vms() { + exit_if_image_not_found "${start_image}" + + remove_vm host1 +} + +scenario_run_tests() { + exit_if_image_not_found "${start_image}" + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios-bootc/upstream/cos10-src@configuration.sh b/test/scenarios-bootc/upstream/cos10-src@configuration1.sh similarity index 68% rename from test/scenarios-bootc/upstream/cos10-src@configuration.sh rename to test/scenarios-bootc/upstream/cos10-src@configuration1.sh index bbe0b65d80..1daacaa3a4 100644 --- a/test/scenarios-bootc/upstream/cos10-src@configuration.sh +++ b/test/scenarios-bootc/upstream/cos10-src@configuration1.sh @@ -12,5 +12,7 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/configuration/ + run_tests host1 \ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/upstream/cos10-src@configuration2.sh b/test/scenarios-bootc/upstream/cos10-src@configuration2.sh new file mode 100644 index 0000000000..1395ae1590 --- /dev/null +++ b/test/scenarios-bootc/upstream/cos10-src@configuration2.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +scenario_create_vms() { + prepare_kickstart host1 kickstart-bootc.ks.template cos10-bootc-source + launch_vm centos10-bootc +} + +scenario_remove_vms() { + remove_vm host1 +} + +scenario_run_tests() { + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios-bootc/upstream/cos9-src@configuration.sh b/test/scenarios-bootc/upstream/cos9-src@configuration1.sh similarity index 68% rename from test/scenarios-bootc/upstream/cos9-src@configuration.sh rename to test/scenarios-bootc/upstream/cos9-src@configuration1.sh index 5ffd5efbe6..4203f3c071 100644 --- a/test/scenarios-bootc/upstream/cos9-src@configuration.sh +++ b/test/scenarios-bootc/upstream/cos9-src@configuration1.sh @@ -12,5 +12,7 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/configuration/ + run_tests host1 \ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios-bootc/upstream/cos9-src@configuration2.sh b/test/scenarios-bootc/upstream/cos9-src@configuration2.sh new file mode 100644 index 0000000000..56d0e3f6d3 --- /dev/null +++ b/test/scenarios-bootc/upstream/cos9-src@configuration2.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +scenario_create_vms() { + prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source + launch_vm centos9-bootc +} + +scenario_remove_vms() { + remove_vm host1 +} + +scenario_run_tests() { + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios/presubmits/el98-src@configuration.sh b/test/scenarios/presubmits/el98-src@configuration1.sh similarity index 68% rename from test/scenarios/presubmits/el98-src@configuration.sh rename to test/scenarios/presubmits/el98-src@configuration1.sh index eb223e3209..095981151e 100644 --- a/test/scenarios/presubmits/el98-src@configuration.sh +++ b/test/scenarios/presubmits/el98-src@configuration1.sh @@ -12,5 +12,7 @@ scenario_remove_vms() { } scenario_run_tests() { - run_tests host1 suites/configuration/ + run_tests host1 \ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios/presubmits/el98-src@configuration2.sh b/test/scenarios/presubmits/el98-src@configuration2.sh new file mode 100644 index 0000000000..8d1bf18f9e --- /dev/null +++ b/test/scenarios/presubmits/el98-src@configuration2.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +scenario_create_vms() { + prepare_kickstart host1 kickstart.ks.template rhel-9.8-microshift-source + launch_vm rhel-9.8 +} + +scenario_remove_vms() { + remove_vm host1 +} + +scenario_run_tests() { + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/scenarios/releases/el98-lrel@dual-stack-configuration.sh b/test/scenarios/releases/el98-lrel@dual-stack-configuration1.sh similarity index 84% rename from test/scenarios/releases/el98-lrel@dual-stack-configuration.sh rename to test/scenarios/releases/el98-lrel@dual-stack-configuration1.sh index 2a63e3d50d..32b19b49b9 100644 --- a/test/scenarios/releases/el98-lrel@dual-stack-configuration.sh +++ b/test/scenarios/releases/el98-lrel@dual-stack-configuration1.sh @@ -21,5 +21,6 @@ scenario_run_tests() { exit_if_commit_not_found "${start_image}" run_tests host1 \ suites/ipv6/dualstack.robot \ - suites/configuration/ + suites/configuration/configuration.robot \ + suites/configuration/kustomize-sources.robot } diff --git a/test/scenarios/releases/el98-lrel@dual-stack-configuration2.sh b/test/scenarios/releases/el98-lrel@dual-stack-configuration2.sh new file mode 100644 index 0000000000..1a84f2074f --- /dev/null +++ b/test/scenarios/releases/el98-lrel@dual-stack-configuration2.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Sourced from scenario.sh and uses functions defined there. + +start_image="rhel98-brew-lrel-optional" + +scenario_create_vms() { + exit_if_commit_not_found "${start_image}" + + prepare_kickstart host1 kickstart.ks.template "${start_image}" + launch_vm rhel-9.8 --network "${VM_DUAL_STACK_NETWORK}" --vm_vcpus 4 +} + +scenario_remove_vms() { + exit_if_commit_not_found "${start_image}" + + remove_vm host1 +} + +scenario_run_tests() { + exit_if_commit_not_found "${start_image}" + run_tests host1 \ + suites/configuration/tls-configuration.robot \ + suites/configuration/drop-in-config.robot \ + suites/configuration/show-config.robot \ + suites/configuration/logging.robot \ + suites/configuration/data-dir.robot \ + suites/configuration/apiserver-readiness.robot \ + suites/configuration/audit-log.robot +} diff --git a/test/suites/configuration/apiserver-readiness.robot b/test/suites/configuration/apiserver-readiness.robot index 18b996ab36..1e535cb71c 100644 --- a/test/suites/configuration/apiserver-readiness.robot +++ b/test/suites/configuration/apiserver-readiness.robot @@ -48,7 +48,7 @@ Poll For 429 During Startup VAR ${found}= ${FALSE} FOR ${i} IN RANGE 300 ${stdout} ${stderr} ${rc}= Execute Command - ... curl -sk -o /dev/null -w "%{http_code}" -H "${READINESS_HEADER}" ${APIS_ENDPOINT} + ... curl -sk -o /dev/null -w "\%{http_code}" -H "${READINESS_HEADER}" ${APIS_ENDPOINT} ... sudo=True return_stdout=True return_stderr=True return_rc=True IF "${stdout}" == "429" VAR ${found}= ${TRUE} From 95b1f2bfe42e761629d12ea1a4a767e83d35fb0c Mon Sep 17 00:00:00 2001 
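Review bot: The `scenario_run_tests` hunks in PATCH 10 replace the directory argument `suites/configuration/` with explicit file lists split across the configuration1 and configuration2 scripts, so a suite added under `suites/configuration/` later is not picked up by any of these scenarios unless someone also edits them, and nothing visible in the patch detects the omission. The same two lists are repeated in every scenario file touched here, which makes drift between platforms likely. Define the lists once in a shared place, or add a check that every `.robot` file under `suites/configuration/` appears in exactly one of the two scenarios.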
From: Alejandro Gullon Date: Fri, 8 May 2026 14:23:23 +0200 Subject: [PATCH 11/11] USHIFT-6743: add ClusterIP service, SCC admission, CRD validation, and audit log persistence tests Migrate 4 tests from openshift-tests-private: - 10969: ClusterIP service creation with explicit/auto IP, connectivity, error handling, and dry-run verification - 55394: SCC admission controller enforcement of runAsUser, fsGroup, supplementalGroups, and per-namespace UID range isolation - 55677: CRD schema validation and unknown field pruning - 55480: Audit log file existence with correct permissions and ownership Co-Authored-By: Claude Opus 4.6 pre-commit.check-secrets: ENABLED --- test/assets/crd-validation/cr-valid.yaml | 7 ++ test/assets/crd-validation/crd.yaml | 26 +++++++ test/assets/scc/pod-no-user.yaml | 20 ++++++ test/assets/scc/pod-run-as-user-2000.yaml | 21 ++++++ test/assets/scc/pod-security-context.yaml | 24 +++++++ test/suites/configuration/audit-log.robot | 40 ++++++++--- test/suites/configuration/show-config.robot | 2 +- test/suites/standard1/clusterip-service.robot | 72 +++++++++++++++++++ test/suites/standard1/crd-validation.robot | 38 ++++++++++ test/suites/standard1/scc-admission.robot | 60 ++++++++++++++++ 10 files changed, 298 insertions(+), 12 deletions(-) create mode 100644 test/assets/crd-validation/cr-valid.yaml create mode 100644 test/assets/crd-validation/crd.yaml create mode 100644 test/assets/scc/pod-no-user.yaml create mode 100644 test/assets/scc/pod-run-as-user-2000.yaml create mode 100644 test/assets/scc/pod-security-context.yaml create mode 100644 test/suites/standard1/clusterip-service.robot create mode 100644 test/suites/standard1/crd-validation.robot create mode 100644 test/suites/standard1/scc-admission.robot diff --git a/test/assets/crd-validation/cr-valid.yaml b/test/assets/crd-validation/cr-valid.yaml new file mode 100644 index 0000000000..0a12f0c28d --- /dev/null +++ b/test/assets/crd-validation/cr-valid.yaml 
@@ -0,0 +1,7 @@ +apiVersion: ms.qe.com/v1 +kind: CronTab +metadata: + name: test-crontab +spec: + cronSpec: "* * * * */5" + image: test-image diff --git a/test/assets/crd-validation/crd.yaml b/test/assets/crd-validation/crd.yaml new file mode 100644 index 0000000000..a6f17cdf40 --- /dev/null +++ b/test/assets/crd-validation/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: crontabs.ms.qe.com +spec: + group: ms.qe.com + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + cronSpec: + type: string + image: + type: string + scope: Namespaced + names: + plural: crontabs + singular: crontab + kind: CronTab diff --git a/test/assets/scc/pod-no-user.yaml b/test/assets/scc/pod-no-user.yaml new file mode 100644 index 0000000000..850a275b05 --- /dev/null +++ b/test/assets/scc/pod-no-user.yaml @@ -0,0 +1,20 @@ +kind: Pod +apiVersion: v1 +metadata: + name: scc-test-pod + labels: + app: scc-test +spec: + terminationGracePeriodSeconds: 0 + containers: + - name: test + image: quay.io/microshift/busybox:1.36 + command: ["/bin/sh", "-c", "sleep infinity"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/assets/scc/pod-run-as-user-2000.yaml b/test/assets/scc/pod-run-as-user-2000.yaml new file mode 100644 index 0000000000..8897234f06 --- /dev/null +++ b/test/assets/scc/pod-run-as-user-2000.yaml @@ -0,0 +1,21 @@ +kind: Pod +apiVersion: v1 +metadata: + name: scc-test-pod-2 + labels: + app: scc-test +spec: + terminationGracePeriodSeconds: 0 + securityContext: + runAsUser: 2000 + containers: + - name: test + image: quay.io/microshift/busybox:1.36 + command: ["/bin/sh", "-c", "sleep infinity"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault 
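Review bot: The fixtures under test/assets/crd-validation/ can only exercise the accepted path: the `openAPIV3Schema` in crd.yaml declares `cronSpec` and `image` as strings with no `required` list or value constraints, and the diffstat adds a single custom resource, cr-valid.yaml. The commit message describes this migration as covering "CRD schema validation and unknown field pruning", which needs negative cases. Add a fixture that must be rejected (wrong type, or a missing field once `required` is set) and one with an unknown `spec` field that must be absent when the object is read back.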
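Review bot: pod-run-as-user-2000.yaml omits the `runAsNonRoot: true` that pod-no-user.yaml sets in its container `securityContext`, so the two SCC fixtures differ in more than the UID under test. Keep `runAsNonRoot: true` in every SCC fixture so an admission result can be attributed to `runAsUser` alone. Both manifests also reference `quay.io/microshift/busybox:1.36` by tag; pinning the image by digest would keep the test image from changing underneath the suite.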
diff --git a/test/assets/scc/pod-security-context.yaml b/test/assets/scc/pod-security-context.yaml new file mode 100644 index 0000000000..5ae223f0ef --- /dev/null +++ b/test/assets/scc/pod-security-context.yaml @@ -0,0 +1,24 @@ +kind: Pod +apiVersion: v1 +metadata: + name: scc-test-pod-1 + labels: + app: scc-test +spec: + terminationGracePeriodSeconds: 0 + securityContext: + runAsUser: 1000 + fsGroup: 3000 + supplementalGroups: + - 2000 + containers: + - name: test + image: quay.io/microshift/busybox:1.36 + command: ["/bin/sh", "-c", "sleep infinity"] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault diff --git a/test/suites/configuration/audit-log.robot b/test/suites/configuration/audit-log.robot index db0eb2bb66..c1f70a77cd 100644 --- a/test/suites/configuration/audit-log.robot +++ b/test/suites/configuration/audit-log.robot @@ -67,7 +67,8 @@ Invalid Audit Profile Prevents Startup [Teardown] Run Keywords ... Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Restart MicroShift Invalid Audit Rotation Values Prevent Startup [Documentation] Non-integer rotation parameters should prevent MicroShift from starting. @@ -77,7 +78,8 @@ Invalid Audit Rotation Values Prevent Startup [Teardown] Run Keywords ... Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Restart MicroShift Audit Profile None Produces No Logs [Documentation] With profile None, no audit entries should be written. @@ -92,8 +94,10 @@ Audit Profile None Produces No Logs [Teardown] Run Keywords ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found - ... AND Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Remove Drop In MicroShift Config 10-audit + ... AND + ... Restart MicroShift Audit Profile Default Logs Metadata Only [Documentation] Default profile should log metadata but not request/response bodies. 
@@ -112,8 +116,10 @@ Audit Profile Default Logs Metadata Only [Teardown] Run Keywords ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found - ... AND Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Remove Drop In MicroShift Config 10-audit + ... AND + ... Restart MicroShift Audit Profile WriteRequestBodies Logs Write Operations [Documentation] WriteRequestBodies should log request bodies for write operations @@ -133,8 +139,10 @@ Audit Profile WriteRequestBodies Logs Write Operations [Teardown] Run Keywords ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found - ... AND Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Remove Drop In MicroShift Config 10-audit + ... AND + ... Restart MicroShift Audit Profile AllRequestBodies Logs All Operations [Documentation] AllRequestBodies should log request bodies for all operations. @@ -153,8 +161,17 @@ Audit Profile AllRequestBodies Logs All Operations [Teardown] Run Keywords ... Oc Delete configmap ${cm_name} -n ${TEST_NS} --ignore-not-found - ... AND Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Remove Drop In MicroShift Config 10-audit + ... AND + ... Restart MicroShift + +Audit Log File Exists With Correct Permissions + [Documentation] Verify the audit log file exists at the expected path with correct + ... file permissions and root:root ownership. + ${output}= Command Should Work ls -l ${AUDIT_LOG} + Should Match Regexp ${output} ^-rw + Should Match Regexp ${output} root\\s+root Audit Log Rotation Respects Max File Size And Count [Documentation] With maxFileSize=2 (MB) and maxFiles=2, audit log rotation should @@ -167,7 +184,8 @@ Audit Log Rotation Respects Max File Size And Count [Teardown] Run Keywords ... Remove Drop In MicroShift Config 10-audit - ... AND Restart MicroShift + ... AND + ... Restart MicroShift *** Keywords *** 
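Review bot: `Audit Log File Exists With Correct Permissions` only asserts `^-rw` and `root\\s+root` against `ls -l` output, which passes for mode 0666 as readily as for 0600, so a regression that makes the audit log readable or writable by group or others goes unnoticed. The documentation string promises "correct file permissions", so assert the exact mode and owner, for example by comparing the output of `stat -c '%a %U:%G' ${AUDIT_LOG}` with the intended value.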
diff --git a/test/suites/configuration/show-config.robot b/test/suites/configuration/show-config.robot index dcd07688cd..4852e4a345 100644 --- a/test/suites/configuration/show-config.robot +++ b/test/suites/configuration/show-config.robot @@ -75,7 +75,7 @@ Home Directory Config File Is Ignored Should Be Equal As Integers 180 ${config.etcd.memoryLimitMB} [Teardown] Run Keywords - ... Command Should Work rm -f ${HOME_CONFIG_DIR}/config.yaml + ... Command Should Work rm -rf ${HOME_CONFIG_DIR} ... AND ... Remove Drop In MicroShift Config 10-memlimit diff --git a/test/suites/standard1/clusterip-service.robot b/test/suites/standard1/clusterip-service.robot new file mode 100644 index 0000000000..945a4bcf01 --- /dev/null +++ b/test/suites/standard1/clusterip-service.robot 
@@ -0,0 +1,72 @@ +*** Settings *** +Documentation Tests for ClusterIP service creation and connectivity + +Resource ../../resources/common.resource +Resource ../../resources/microshift-network.resource +Resource ../../resources/oc.resource + +Suite Setup Setup Suite With Namespace +Suite Teardown Teardown Suite With Namespace + + +*** Test Cases *** +Create ClusterIP Service With Explicit IP + [Documentation] Create a ClusterIP service with an explicit cluster IP + ... and verify connectivity from within a pod. + [Setup] Create Hello MicroShift Pod + ${k8s_ip}= Oc Get JsonPath service default kubernetes .spec.clusterIP + ${explicit_ip}= Evaluate '.'.join("${k8s_ip}".strip().split('.')[:-1]) + '.200' + Oc Create service clusterip hello-microshift --tcp=8080:8080 --clusterip=${explicit_ip} -n ${NAMESPACE} + ${svc_ip}= Oc Get JsonPath service ${NAMESPACE} hello-microshift .spec.clusterIP + Should Be Equal ${svc_ip} ${explicit_ip} + Wait Until Keyword Succeeds 10x 5s + ... Verify ClusterIP Connectivity ${svc_ip} + + [Teardown] Cleanup Hello MicroShift Pod And Service + +Create ClusterIP Service Without Explicit IP + [Documentation] Create a ClusterIP service with an auto-assigned IP + ... and verify connectivity from within a pod. + [Setup] Create Hello MicroShift Pod + Oc Create service clusterip hello-microshift --tcp=8080:8080 -n ${NAMESPACE} + ${svc_ip}= Oc Get JsonPath service ${NAMESPACE} hello-microshift .spec.clusterIP + Should Not Be Empty ${svc_ip} + Wait Until Keyword Succeeds 10x 5s + ... Verify ClusterIP Connectivity ${svc_ip} + + [Teardown] Cleanup Hello MicroShift Pod And Service + +Create ClusterIP Service Without TCP Option Should Fail + [Documentation] Creating a ClusterIP service without the --tcp option should fail. + [Setup] Create Hello MicroShift Pod + ${stdout} ${rc}= Run With Kubeconfig + ... oc create service clusterip hello-microshift -n ${NAMESPACE} + ... 
allow_fail=${TRUE} return_rc=${TRUE} + Should Not Be Equal As Integers ${rc} 0 + + [Teardown] Oc Delete -f ${HELLO_USHIFT} -n ${NAMESPACE} --ignore-not-found + +Create ClusterIP Service Dry Run + [Documentation] Creating a service with --dry-run=client should not persist it. + [Setup] Create Hello MicroShift Pod + Oc Create service clusterip hello-microshift --tcp=8080:8080 --dry-run=client -n ${NAMESPACE} + ${stdout} ${rc}= Run With Kubeconfig + ... oc get service hello-microshift -n ${NAMESPACE} + ... allow_fail=${TRUE} return_rc=${TRUE} + Should Not Be Equal As Integers ${rc} 0 + + [Teardown] Oc Delete -f ${HELLO_USHIFT} -n ${NAMESPACE} --ignore-not-found + + +*** Keywords *** +Cleanup Hello MicroShift Pod And Service + [Documentation] Delete the hello-microshift service and pod, ignoring errors + Run With Kubeconfig oc delete service/hello-microshift -n ${NAMESPACE} --ignore-not-found + Oc Delete -f ${HELLO_USHIFT} -n ${NAMESPACE} --ignore-not-found + +Verify ClusterIP Connectivity + [Documentation] Verify connectivity to the ClusterIP service from within the pod + [Arguments] ${ip} + ${output}= Run With Kubeconfig + ... oc exec -n ${NAMESPACE} pod/hello-microshift -- wget -qO- http://${ip}:8080 --timeout=5 + Should Contain ${output} Hello MicroShift diff --git a/test/suites/standard1/crd-validation.robot b/test/suites/standard1/crd-validation.robot new file mode 100644 index 0000000000..959a6d2a79 --- /dev/null +++ b/test/suites/standard1/crd-validation.robot 
@@ -0,0 +1,38 @@ +*** Settings *** +Documentation Tests for CRD schema validation + +Resource ../../resources/common.resource +Resource ../../resources/oc.resource + +Suite Setup Setup +Suite Teardown Teardown + + +*** Variables *** +${CRD_FILE} ./assets/crd-validation/crd.yaml +${CR_VALID} ./assets/crd-validation/cr-valid.yaml + + +*** Test Cases *** +CRD Is Established And Custom Resource Can Be Created + [Documentation] Verify a CRD reaches Established condition and a valid + ... custom resource can be created and retrieved. + Wait Until Keyword Succeeds 5x 10s + ... Oc Apply -f ${CR_VALID} -n ${NAMESPACE} + ${cr}= Oc Get crontab ${NAMESPACE} test-crontab + Should Be Equal ${cr.spec.cronSpec} * * * * */5 + Should Be Equal ${cr.spec.image} test-image + + [Teardown] Oc Delete -f ${CR_VALID} -n ${NAMESPACE} --ignore-not-found + + +*** Keywords *** +Setup + [Documentation] Test suite setup + Setup Suite With Namespace + Oc Apply -f ${CRD_FILE} + +Teardown + [Documentation] Test suite teardown + Oc Delete -f ${CRD_FILE} --ignore-not-found + Teardown Suite With Namespace diff --git a/test/suites/standard1/scc-admission.robot b/test/suites/standard1/scc-admission.robot new file mode 100644 index 0000000000..fc4675b55d --- /dev/null +++ b/test/suites/standard1/scc-admission.robot 
@@ -0,0 +1,60 @@ +*** Settings *** +Documentation Tests for SCC admission controller enforcement + +Resource ../../resources/common.resource +Resource ../../resources/oc.resource + +Suite Setup Setup Suite With Namespace +Suite Teardown Teardown Suite With Namespace + + +*** Variables *** +${POD_SC_1000} ./assets/scc/pod-security-context.yaml +${POD_SC_2000} ./assets/scc/pod-run-as-user-2000.yaml +${POD_NO_USER} ./assets/scc/pod-no-user.yaml + + +*** Test Cases *** +Pod Runs With Specified UID And Groups + [Documentation] Verify a pod runs with the specified runAsUser, fsGroup, + ... and supplementalGroups from its security context. + Oc Create -f ${POD_SC_1000} -n ${NAMESPACE} + Named Pod Should Be Ready scc-test-pod-1 ${NAMESPACE} + ${id_output}= Run With Kubeconfig + ... oc exec -n ${NAMESPACE} pod/scc-test-pod-1 -- id + Should Match Regexp ${id_output} uid=1000 + Should Match Regexp ${id_output} groups=.*2000 + Should Match Regexp ${id_output} groups=.*3000 + + [Teardown] Oc Delete -f ${POD_SC_1000} -n ${NAMESPACE} --ignore-not-found + +Pod Runs With Different Specified UID + [Documentation] Verify a pod with runAsUser=2000 runs as that UID. + Oc Create -f ${POD_SC_2000} -n ${NAMESPACE} + Named Pod Should Be Ready scc-test-pod-2 ${NAMESPACE} + ${id_output}= Run With Kubeconfig + ... oc exec -n ${NAMESPACE} pod/scc-test-pod-2 -- id -u + Should Be Equal As Strings ${id_output.strip()} 2000 + + [Teardown] Oc Delete -f ${POD_SC_2000} -n ${NAMESPACE} --ignore-not-found + +Different Namespaces Get Different SCC Ranges + [Documentation] Pods in different namespaces without explicit runAsUser should + ... receive different allocated UID ranges from the SCC admission controller. + ${ns2}= Create Unique Namespace + Oc Create -f ${POD_NO_USER} -n ${NAMESPACE} + Oc Create -f ${POD_NO_USER} -n ${ns2} + Named Pod Should Be Ready scc-test-pod ${NAMESPACE} + Named Pod Should Be Ready scc-test-pod ${ns2} + ${id1}= Run With Kubeconfig + ... 
oc exec -n ${NAMESPACE} pod/scc-test-pod -- id -u + ${id2}= Run With Kubeconfig + ... oc exec -n ${ns2} pod/scc-test-pod -- id -u + Should Not Be Equal As Strings ${id1.strip()} ${id2.strip()} + + [Teardown] Run Keywords + ... Oc Delete -f ${POD_NO_USER} -n ${NAMESPACE} --ignore-not-found + ... AND + ... Oc Delete -f ${POD_NO_USER} -n ${ns2} --ignore-not-found + ... AND + ... Remove Namespace ${ns2}
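Review bot: In the ClusterIP service suite, `Create ClusterIP Service Without TCP Option Should Fail` and `Create ClusterIP Service Dry Run` assert only `Should Not Be Equal As Integers ${rc} 0`, so any `oc` failure (unusable kubeconfig, API server not reachable) makes them pass. Assert on `${stdout}` as well, which both tests already capture and never use, so the test checks the expected reason: a missing `--tcp` error in the first case, a not-found result for `oc get service hello-microshift` in the second. Separately, `${explicit_ip}` is built by replacing the last octet of the `kubernetes` service IP with `.200`, which assumes an IPv4 service network where that address is in range and not yet allocated; state that assumption in the `[Documentation]` or guard against it.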
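Review bot: The `Documentation` of crd-validation.robot says it tests CRD schema validation, but the only test case applies `${CR_VALID}`; nothing checks that the API server rejects a custom resource that violates the schema. Add a negative case that applies an invalid resource and expects a non-zero return code with a validation error, otherwise a CRD with no effective schema passes this suite. The test name also claims the CRD is Established, yet that is only implied by retrying `Oc Apply` with `Wait Until Keyword Succeeds 5x 10s`; an explicit wait on the Established condition in `Setup` (for example `oc wait --for=condition=Established` on the CRD) would check it directly and make the retry unnecessary.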
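Review bot: In scc-admission.robot, the patterns in `Pod Runs With Specified UID And Groups` are unanchored: `uid=1000` also matches `uid=10000`, and `groups=.*2000` matches a group such as `12000` or `20001`. Bound the numbers, for example `uid=1000\\b` and `groups=.*\\b2000\\b`, so the test fails when the pod is admitted with a different identity than the manifest requested. In `Different Namespaces Get Different SCC Ranges`, `${ns2}` is assigned in the test body but used in `[Teardown]`, so if `Create Unique Namespace` fails the teardown errors on an undefined variable and hides the original failure. That test also compares the two UIDs only for inequality; checking each UID against the range allocated to its namespace would verify the admission behaviour the documentation describes.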