Skip to content

test(ui): Export OpenShift creds to ui e2e test jobs#19701

Merged
dvail merged 1 commit intomasterfrom
dv/pass-openshift-creds-to-ui-e2e-test
Apr 3, 2026
Merged

test(ui): Export OpenShift creds to ui e2e test jobs#19701
dvail merged 1 commit intomasterfrom
dv/pass-openshift-creds-to-ui-e2e-test

Conversation

@dvail
Copy link
Copy Markdown
Contributor

@dvail dvail commented Mar 30, 2026

Description

Note - Heavy use of Claude Code for the exploration and solution

OpenShift console credentials (OPENSHIFT_CONSOLE_USERNAME, OPENSHIFT_CONSOLE_PASSWORD) are needed to run Cypress e2e tests against the OCP console plugin. These credentials are created by automation-flavors and stored in ${SHARED_DIR}/dotenv, but were not being exported to UI test jobs.

Historical Context

Initial attempt (reverted):

  • PR #16203 added oc login to authenticate with OCP clusters and export credentials
  • This broke ocp-qa-e2e-tests workload identity setup (ROX-30812)
  • Root cause: oc login modified the kubeconfig cluster name from simple form (rox-ci-18674432) to API endpoint form (api-rox-ci-23657728-ocp-ci-rox-systems:6443)
  • The workload identity script extracted cluster name from kubeconfig and expected the simple form
  • PR #16698 reverted the change to unblock CI

Solution

Key insight: UI tests don't need oc login at all!

The Cypress tests perform browser-based authentication using environment variables. The kubeconfig already has admin access from automation-flavors for deploying StackRox components.

Changes

  1. .openshift-ci/dispatch.sh - Added ocp*e2e-tests pattern to trigger cluster setup
  2. tests/e2e/lib.sh - Export credentials for ocp.*ui-e2e-tests$ jobs by sourcing dotenv
    • No oc login = no kubeconfig modification = workload identity tests unaffected
  3. UI test infrastructure - Already present from previous work

Why This Works

  • Zero impact on qa-e2e tests: No oc login means workload identity tests see the original cluster name
  • Clean credential flow: Variables exported directly from dotenv only for UI tests
  • Pattern isolation: Conditional logic targets only ocp.*ui-e2e-tests$ jobs

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Verify that the ocp-e2e test jobs that failed in the original change are successful: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/stackrox_stackrox/19701/pull-ci-stackrox-stackrox-master-ocp-4-21-qa-e2e-tests/2038959834006556672

Verify that ui e2e tests correctly pick up the credentials and run passing tests against the console plugin. This occurs in a PR up-stack, plugin e2e tests do not run in this PR. (ests are failing due to the plugin being disabled by default, but the authentication can be verified to be working correctly. Plugin enable state will be fixed in the follow up PR.) Tests are now working with both authentication, and against an enabled plugin, but are failing due to an issue with cert identities separate from this change. Enabling the tests and checking true e2e success will be handled in a PR up the stack. #18737
image

@dvail
Copy link
Copy Markdown
Contributor Author

dvail commented Mar 30, 2026

This change is part of the following stack:

Change managed by git-spice.

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Mar 30, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Consider guarding the source "${SHARED_DIR}/dotenv" call with a file existence check and a clear error message to avoid obscure failures if the dotenv file is missing or misnamed in CI.
  • The export OPENSHIFT_CONSOLE_*=... assignments are self-assignments; if the intent is simply to expose variables already defined by the dotenv file to child processes, a single set -a; source ...; set +a (or equivalent) would be simpler and less redundant.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider guarding the `source "${SHARED_DIR}/dotenv"` call with a file existence check and a clear error message to avoid obscure failures if the dotenv file is missing or misnamed in CI.
- The `export OPENSHIFT_CONSOLE_*=...` assignments are self-assignments; if the intent is simply to expose variables already defined by the dotenv file to child processes, a single `set -a; source ...; set +a` (or equivalent) would be simpler and less redundant.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 30, 2026

📝 Walkthrough

Walkthrough

Updated CI routing to include ocp*ui-e2e-tests so those jobs trigger the same cluster setup branch as other e2e tests; added a conditional in the cluster setup to source ${SHARED_DIR}/dotenv and export OpenShift console credentials for OCP UI e2e runs.

Changes

Cohort / File(s) Summary
CI Dispatch Routing
​.openshift-ci/dispatch.sh
Added ocp*ui-e2e-tests to the job-to-cluster-setup routing so setup_automation_flavor_e2e_cluster "$ci_job" runs for those jobs.
Cluster Setup Configuration
tests/e2e/lib.sh
Added a conditional within setup_automation_flavor_e2e_cluster() to source ${SHARED_DIR}/dotenv and export OPENSHIFT_CONSOLE_URL, OPENSHIFT_CONSOLE_USERNAME, and OPENSHIFT_CONSOLE_PASSWORD when ci_job matches ^ocp.*ui-e2e-tests$.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: exporting OpenShift credentials to UI e2e test jobs, which is the core objective of the PR.
Description check ✅ Passed The pull request provides a comprehensive description following the template structure with detailed historical context, solution rationale, and validation evidence.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dv/pass-openshift-creds-to-ui-e2e-test

Comment @coderabbitai help to get the list of available commands and usage tips.

Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/e2e/lib.sh`:
- Around line 1513-1518: The current export of
OPENSHIFT_CONSOLE_URL/USERNAME/PASSWORD will fail under set -u if any variable
is missing; after sourcing "${SHARED_DIR}/dotenv" in the ci_job ocp UI branch,
guard each export by either using a safe default expansion (e.g. export
OPENSHIFT_CONSOLE_URL="${OPENSHIFT_CONSOLE_URL:-}" ) or only exporting when set
(e.g. if [[ -n "${OPENSHIFT_CONSOLE_URL:-}" ]]; then export
OPENSHIFT_CONSOLE_URL; fi), and apply the same pattern for
OPENSHIFT_CONSOLE_USERNAME and OPENSHIFT_CONSOLE_PASSWORD so the script won't
abort when dotenv lacks those keys.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 83d14cb2-0d46-4fba-afa5-da9a5ac7e4e8

📥 Commits

Reviewing files that changed from the base of the PR and between 574b0ee and 95f5145.

📒 Files selected for processing (2)
  • .openshift-ci/dispatch.sh
  • tests/e2e/lib.sh

Comment thread tests/e2e/lib.sh
@dvail dvail force-pushed the dv/pass-openshift-creds-to-ui-e2e-test branch from 95f5145 to 668c00c Compare March 31, 2026 12:40
@dvail
Copy link
Copy Markdown
Contributor Author

dvail commented Mar 31, 2026

/test ocp-4-21-qa-e2e-tests

@dvail
Copy link
Copy Markdown
Contributor Author

dvail commented Mar 31, 2026

/test ocp-4-21-ui-e2e-tests

@rhacs-bot
Copy link
Copy Markdown
Contributor

Images are ready for the commit at 668c00c.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-493-g668c00c5c8.

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.65%. Comparing base (7072ab4) to head (668c00c).
⚠️ Report is 65 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #19701   +/-   ##
=======================================
  Coverage   49.65%   49.65%           
=======================================
  Files        2747     2747           
  Lines      207261   207261           
=======================================
+ Hits       102909   102910    +1     
+ Misses      96698    96697    -1     
  Partials     7654     7654           
Flag Coverage Δ
go-unit-tests 49.65% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@dvail dvail marked this pull request as ready for review March 31, 2026 18:16
@dvail dvail requested a review from davdhacs March 31, 2026 18:17
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In setup_automation_flavor_e2e_cluster, consider guarding source "${SHARED_DIR}/dotenv" with a file-existence check or clearer error message so failures from a missing or malformed dotenv file are easier to diagnose.
  • The export OPENSHIFT_CONSOLE_*="${OPENSHIFT_CONSOLE_*}" lines are redundant after sourcing dotenv; you can either rely on dotenv to export them or use set -a/export once to avoid repeating variable assignments.
  • The patterns ocp*ui-e2e-tests and the description’s ocp.*ui-e2e-tests$ differ; consider aligning the job name matching with an anchored or more explicit pattern so only the intended jobs trigger the OCP UI e2e setup.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `setup_automation_flavor_e2e_cluster`, consider guarding `source "${SHARED_DIR}/dotenv"` with a file-existence check or clearer error message so failures from a missing or malformed dotenv file are easier to diagnose.
- The `export OPENSHIFT_CONSOLE_*="${OPENSHIFT_CONSOLE_*}"` lines are redundant after sourcing dotenv; you can either rely on dotenv to export them or use `set -a`/`export` once to avoid repeating variable assignments.
- The patterns `ocp*ui-e2e-tests` and the description’s `ocp.*ui-e2e-tests$` differ; consider aligning the job name matching with an anchored or more explicit pattern so only the intended jobs trigger the OCP UI e2e setup.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Copy link
Copy Markdown
Contributor

@davdhacs davdhacs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! And +1 I think it is good for it to fail if any of those variables are not set. If they're not set from the dotenv file, then there is a problem with the cluster anyway and we want a failure.

@dvail
Copy link
Copy Markdown
Contributor Author

dvail commented Apr 3, 2026

/retest

@dvail dvail merged commit b61d01e into master Apr 3, 2026
194 of 216 checks passed
@dvail dvail deleted the dv/pass-openshift-creds-to-ui-e2e-test branch April 3, 2026 12:44
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

🚀 Build Images Ready

Images are ready for commit b61d01e. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-557-gb61d01eadd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants