Skip to content

OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags#8013

Merged
openshift-merge-bot[bot] merged 4 commits into
openshift:mainfrom
DavidHurta:cvo-add-tls-config-flags
Jul 9, 2026
Merged

OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags#8013
openshift-merge-bot[bot] merged 4 commits into
openshift:mainfrom
DavidHurta:cvo-add-tls-config-flags

Conversation

@DavidHurta

@DavidHurta DavidHurta commented Mar 19, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

Add new flags to the hosted CVO to comply with the centralized TLS configuration in HyperShift. These flags are to override the CVO's internal TLS profile, which is used for its metrics server. The flags were added with openshift/cluster-version-operator#1338.

Which issue(s) this PR fixes:

Fixes #OTA-1764

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features

    • Enhanced hosted control plane deployment TLS configuration by honoring the specified minimum TLS version and TLS cipher suites.
    • Ensures the correct TLS CLI arguments are applied (including modern TLS profile behavior).
  • Tests

    • Added table-driven test coverage to verify TLS-related deployment arguments are added or omitted correctly for different TLS configuration combinations.

@openshift-ci-robot

Copy link
Copy Markdown

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 19, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 19, 2026

Copy link
Copy Markdown

@DavidHurta: This pull request references OTA-1764 which is a valid jira issue.

Details

In response to this:

What this PR does / why we need it:

Add new flags to the hosted CVO to comply with the centralized TLS configuration in HyperShift. These flags are to override the CVO's internal TLS profile, which is used for its metrics server. Flags to be added with openshift/cluster-version-operator#1338.

Which issue(s) this PR fixes:

Fixes #OTA-1764

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Mar 19, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 43bf94f9-2241-4461-a04c-04f22e3cea8c

📥 Commits

Reviewing files that changed from the base of the PR and between d3064db and b820f5a.

📒 Files selected for processing (1)
  • control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment_test.go

📝 Walkthrough

Walkthrough

adaptDeployment now reads the hosted control plane configuration into a local variable and appends TLS flags from the TLS security profile to the CVO container arguments. It adds --tls-min-version when a minimum version is set and --tls-cipher-suites when cipher suites are provided, joined with commas. The test file adds fake-client wiring and table-driven coverage for custom and modern TLS profiles.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the PR’s main change: adding TLS cipher suite and minimum version flags to the CVO.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The added tests use only static, descriptive t.Run names; no dynamic identifiers, timestamps, or runtime-generated values appear in test titles.
Test Structure And Quality ✅ Passed The new tests are isolated table-driven unit tests with fake-client setup, no cluster resources/Eventually calls, and each case targets one TLS scenario.
Topology-Aware Scheduling Compatibility ✅ Passed The change only appends TLS CLI flags in adaptDeployment and adds tests; it does not add replicas, affinity, node selectors, spread constraints, or topology assumptions.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only unit tests were added; no Ginkgo e2e specs, IPv4-only literals, or external network calls were introduced, and the quay.io image is used with a fake provider.
No-Weak-Crypto ✅ Passed The patch only adds TLS min-version/cipher-suite flag wiring and tests; no MD5/SHA1/DES/RC4/3DES/ECB or non-constant-time secret comparisons appear in the diff.
Container-Privileges ✅ Passed The commit only adds a TLS-related test; no privileged, hostPID/Network/IPC, SYS_ADMIN, root, or allowPrivilegeEscalation settings appear in the changed files.
No-Sensitive-Data-In-Logs ✅ Passed No new logging APIs or print statements were added; the change only appends TLS args and tests, with no sensitive data emitted to logs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/needs-area labels Mar 19, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 19, 2026

Copy link
Copy Markdown

@DavidHurta: This pull request references OTA-1764 which is a valid jira issue.

Details

In response to this:

What this PR does / why we need it:

Add new flags to the hosted CVO to comply with the centralized TLS configuration in HyperShift. These flags are to override the CVO's internal TLS profile, which is used for its metrics server. Flags to be added with openshift/cluster-version-operator#1338.

Which issue(s) this PR fixes:

Fixes #OTA-1764

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Mar 19, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels Mar 19, 2026
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 11, 2026
Add new flags to the hosted CVO to comply with the centralized
TLS configuration in HyperShift. These flags are to override the
CVO's internal TLS profile, which is used for its metrics server.
@DavidHurta DavidHurta force-pushed the cvo-add-tls-config-flags branch from 4571f71 to c91d2de Compare June 5, 2026 13:02
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2026
@DavidHurta

Copy link
Copy Markdown
Contributor Author

/test all

@codecov

codecov Bot commented Jun 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.47%. Comparing base (f13c62d) to head (b820f5a).
⚠️ Report is 327 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8013      +/-   ##
==========================================
+ Coverage   41.43%   42.47%   +1.04%     
==========================================
  Files         756      774      +18     
  Lines       93647    97648    +4001     
==========================================
+ Hits        38802    41479    +2677     
- Misses      52124    53275    +1151     
- Partials     2721     2894     +173     
Files with missing lines Coverage Δ
...ontrollers/hostedcontrolplane/v2/cvo/deployment.go 73.48% <100.00%> (+32.89%) ⬆️

... and 109 files with indirect coverage changes

Flag Coverage Δ
cmd-support 36.08% <ø> (+1.21%) ⬆️
cpo-hostedcontrolplane 45.71% <100.00%> (+2.21%) ⬆️
cpo-other 45.10% <ø> (+2.35%) ⬆️
hypershift-operator 50.70% <ø> (-0.87%) ⬇️
other 31.68% <ø> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@hongkailiu

Copy link
Copy Markdown
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 5, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@DavidHurta DavidHurta marked this pull request as ready for review June 8, 2026 22:40
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2026
@openshift-ci openshift-ci Bot requested review from cblecker and jparrill June 8, 2026 22:40

@cblecker cblecker left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good — correct, nil-safe, and consistent with how other v2 components handle TLS configuration. Left one suggestion about test coverage.

Comment on lines +112 to +117
if tlsMinVersion := config.MinTLSVersion(configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
}
if cipherSuites := config.CipherSuites(configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic looks correct — follows the same pattern as kube-scheduler, machine-approver, and other v2 components.

One thing I noticed: all 5 test fixtures exercise the same TLS code path (nil Configuration → Intermediate default), so they all produce identical --tls-min-version=VersionTLS12 + cipher suites output. Might be worth adding a fixture variant (or unit test in deployment_test.go) that sets a Modern TLS profile — that's the interesting edge case where CipherSuites() returns empty and --tls-cipher-suites should be omitted. The oauth_apiserver component has this kind of coverage as a reference.

Not blocking — the underlying config.MinTLSVersion() / config.CipherSuites() functions are well-tested in support/config/cipher_test.go, so the risk is low. Just would be nice to have coverage at the component level too.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point; thank you.

I have added unit tests to verify the functionality for more combinations than the fixture testing verifies in d3064db

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding the test cases! However, they all use TLSProfileCustomType with manually specified (or empty) cipher lists. That exercises the securityProfile.Custom.Ciphers branch in CipherSuites(), not the configv1.TLSProfiles[securityProfile.Type].Ciphers lookup path.

The Modern profile specifically is worth testing because its ciphers (TLS_AES_128_GCM_SHA256, etc.) are all TLS 1.3 ciphers that are commented out of openSSLToIANACiphersMap in cipher.go, so CipherSuites() returns empty through a different mechanism than Custom-with-empty-ciphers. A single test case with Type: configv1.TLSProfileModernType (no Custom field) expecting --tls-min-version=VersionTLS13 and no --tls-cipher-suites flag would cover that.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the feedback! I initially used custom profile test cases to directly control the Ciphers and minTLSVersion field values, making it straightforward to exercise flag presence/absence.

I've now added a modern profile test case that exercises the configv1.TLSProfiles[securityProfile.Type].Ciphers lookup path and verifies the TLS 1.3 cipher filtering behavior you described.

@jparrill jparrill left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dropped some comments. Thanks!

Additionally, the Codecov failure is expected — adaptDeployment gained new lines (the TLS flag logic) that aren't directly exercised by unit tests. The coverage actually comes from the fixture-based TestControlPlaneComponents snapshot tests, but Codecov can't always attribute YAML output validation back to the specific source lines inside closures that produced it. The behavior IS tested — it's a reporting gap, not a coverage gap.

Value: dataPlaneReleaseImage,
})

if tlsMinVersion := config.MinTLSVersion(configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: configuration.GetTLSSecurityProfile() is called twice — once for min version, once for cipher suites. It's a trivial accessor so no real performance concern, but extracting it to a variable would be cleaner:

tlsProfile := configuration.GetTLSSecurityProfile()
if tlsMinVersion := config.MinTLSVersion(tlsProfile); tlsMinVersion != "" {
    ...
}
if cipherSuites := config.CipherSuites(tlsProfile); len(cipherSuites) != 0 {
    ...
}

That said, machine_approver, kube_scheduler, and kcm all do the same double-call, so if you'd rather stay consistent with the existing pattern that's fine too. Your call.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for ensuring clean code!

Now done in b07e703

if tlsMinVersion := config.MinTLSVersion(configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
}
if cipherSuites := config.CipherSuites(configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: in oauth_apiserver/deployment.go:52, --tls-min-version is passed unconditionally (no != "" guard), because MinTLSVersion() never returns an empty string thanks to the Intermediate fallback. Here you use the conditional guard, which is what machine_approver and kube_scheduler do. Both are correct since the fallback to Intermediate always yields "VersionTLS12", but I wanted to confirm: is the intent to be more defensive so the CVO doesn't get an empty TLS flag if the profile somehow returns empty? If so, makes sense — it's safer than oauth_apiserver's approach.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, exactly, the intent is to be more defensive.

DavidHurta and others added 2 commits July 1, 2026 15:41
To keep lines concise and reuse the returned value from the function.
Test adaptDeployment with various combinations of set and unset
cipher suites and MinTLSVersion flags.

Co-authored-by: Claude Code <claude@anthropic.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@DavidHurta DavidHurta requested review from cblecker and jparrill July 1, 2026 23:44
Add test case that verifies Modern TLS profile behavior: sets TLS 1.3
as minimum version without adding cipher suites flag. This exercises
the configv1.TLSProfiles[securityProfile.Type].Ciphers lookup path and
confirms that Modern profile's TLS 1.3 ciphers (commented out in
openSSLToIANACiphersMap) result in no --tls-cipher-suites argument.

Co-authored-by: Claude Code <claude@anthropic.com>

@cblecker cblecker left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - the Modern profile test case exercises the configv1.TLSProfiles lookup path and TLS 1.3 cipher filtering as requested. Implementation follows established v2 component patterns cleanly.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 6, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cblecker, DavidHurta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@hypershift-jira-solve-ci

Copy link
Copy Markdown
Contributor

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2074178942054436864 | Cost: $4.324549199999999 | Failed step: hypershift-azure-run-e2e

View full analysis report


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@hongkailiu

Copy link
Copy Markdown
Member

/retest-required

@hypershift-jira-solve-ci

Copy link
Copy Markdown
Contributor

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2074278429762523136 | Cost: $4.428335249999999 | Failed step: hypershift-azure-run-e2e

View full analysis report


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@DavidHurta

Copy link
Copy Markdown
Contributor Author

/test ?

@DavidHurta

Copy link
Copy Markdown
Contributor Author

/test e2e-aws-metrics

1 similar comment
@DavidHurta

Copy link
Copy Markdown
Contributor Author

/test e2e-aws-metrics

@DavidHurta

Copy link
Copy Markdown
Contributor Author

/retest-required

@hypershift-jira-solve-ci

hypershift-jira-solve-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Now I have all the evidence I need. Let me compile the analysis. The key findings are:

  1. Test: TestKarpenterUpgradeControlPlane/Main — this is the only failing test (parent TestKarpenterUpgradeControlPlane fails because the child Main failed).
  2. Root cause: During a Karpenter-managed control plane upgrade, the replacement NodeClaim on-demand-bpb4f was launched by Karpenter (to replace the drifted on-demand-m89hm) but the AWS EC2 instance never registered with the cluster. The NodeClaim status shows Launched=True, Registered=False, Initialized=False with reason NodeNotFound(Node not registered with cluster). Additionally, 2 NodeClaims existed when only 1 was expected, meaning the old NodeClaim wasn't cleaned up before the new one was created.
  3. Not related to PR OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags #8013: The PR only adds TLS cipher suite flags to CVO deployment — completely different code path from Karpenter node lifecycle management.
  4. 587 of 589 tests passed — this is an isolated infrastructure/timing issue.

Test Failure Analysis Complete

Job Information

Test Failure Analysis

Error

TestKarpenterUpgradeControlPlane/Main: context deadline exceeded
  Failed to wait for NodeClaims to be ready in 5m0s
  - NodeClaim on-demand-bpb4f not ready: Launched=true, Registered=false, Initialized=false
  - expected 1 NodeClaims, got 2
  NodeClaim conditions:
    Initialized=Unknown: AwaitingReconciliation
    Registered=Unknown: NodeNotFound(Node not registered with cluster)
    Launched=True: Launched
    Ready=Unknown: ReconcilingDependents

Summary

The TestKarpenterUpgradeControlPlane test failed due to an infrastructure-level issue during Karpenter node replacement after a control plane upgrade — completely unrelated to PR #8013's CVO TLS configuration changes. During the upgrade, Karpenter correctly detected node drift and launched a replacement EC2 instance, but that instance never registered as a Kubernetes node within the 5-minute timeout. The test is an isolated flake: 587 of 589 tests passed, and the only failure is this single Karpenter upgrade test where the replacement AWS instance failed to join the cluster.

Root Cause

The TestKarpenterUpgradeControlPlane test exercises a full Karpenter-managed hosted cluster upgrade. The test flow completed these steps successfully:

  1. Created a hosted cluster with Karpenter NodePool and workloads
  2. Waited for initial node ip-10-0-128-22.ec2.internal (RHCOS 9.8.20260702-0) to become ready (11m9s)
  3. Triggered control plane upgrade to a new release image
  4. Detected NodeClaim on-demand-m89hm as drifted (3s)
  5. Waited for hosted cluster rollout (19m33s)
  6. Waited for 1 new replacement node to become ready (8m0s)
  7. Verified pods rescheduled on new node (0s)

Then the failure occurred at step 8 — validating NodeClaims are ready. The replacement NodeClaim on-demand-bpb4f was in state Launched=True but Registered=False. This means Karpenter successfully created a new EC2 instance via the AWS API, but the instance never completed its boot/ignition process to register as a Kubernetes node. The console log for the instance (i-0c9d5eee0769f2639) was empty, confirming the instance likely didn't fully boot or failed early in the ignition phase.

Additionally, 2 NodeClaims existed when only 1 was expected, indicating the old drifted NodeClaim (on-demand-m89hm) wasn't fully cleaned up while the new one (on-demand-bpb4f) was created — a race condition in Karpenter's drift replacement logic.

This is unrelated to PR #8013. The PR adds --tls-min-version and --tls-cipher-suites CLI flags to the CVO deployment configuration — 7 files changed, all under control-plane-operator/controllers/hostedcontrolplane/v2/cvo/. The Karpenter test failure involves AWS EC2 instance provisioning, node registration, and Karpenter's drift reconciliation — completely different subsystems with no shared code paths.

Recommendations
  1. Retry the job — This is a transient infrastructure issue (AWS EC2 instance failed to boot/register). The test passed the initial node provisioning just fine (11m9s), and the replacement node's failure to register with an empty console log points to an AWS-side issue rather than a code defect.

  2. No code changes needed for PR OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags #8013 — The PR's TLS cipher suite changes to the CVO deployment are entirely orthogonal to Karpenter node lifecycle management.

  3. If the test continues to flake, investigate:

    • Whether the Karpenter drift replacement race (2 NodeClaims when 1 expected) is a known issue
    • Whether the 5-minute timeout for NodeClaim readiness is sufficient given the multi-step boot/ignition/registration process
    • AWS EC2 instance launch success rates in the CI region (us-east-1)
Evidence
Evidence Detail
Failed test TestKarpenterUpgradeControlPlane/Main (2646.65s runtime)
Pass rate 587/589 tests passed (99.7%), 35 skipped
Failing step e2e-aws-metrics-hypershift-aws-run-e2e-nested (test phase)
NodeClaim stuck on-demand-bpb4f: Launched=True, Registered=False, Initialized=False
NodeClaim count Expected 1, got 2 (old on-demand-m89hm + new on-demand-bpb4f)
Node registration NodeNotFound(Node not registered with cluster) — EC2 instance launched but never joined
Console log Instance i-0c9d5eee0769f2639 — empty (0 bytes), indicating instance didn't boot successfully
Pre-upgrade node ip-10-0-128-22.ec2.internal, RHCOS 9.8.20260702-0 (Plow) — worked correctly
Cluster rollout Succeeded in 19m33s — control plane upgrade itself was fine
PR #8013 scope Only modifies CVO deployment args (--tls-min-version, --tls-cipher-suites) in 7 files under control-plane-operator/.../v2/cvo/
PR relevance Not related — no overlap with Karpenter node provisioning, drift detection, or AWS EC2 lifecycle

@DavidHurta

Copy link
Copy Markdown
Contributor Author

/verified by CI

Unit tests ensure that flags are applied if applicable.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 9, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@DavidHurta: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Unit tests ensure that flags are applied if applicable.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@DavidHurta

Copy link
Copy Markdown
Contributor Author

/retest-required

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@DavidHurta: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-metrics b820f5a link false /test e2e-aws-metrics

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 433a404 into openshift:main Jul 9, 2026
41 of 42 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants