[cifmw_helpers] Fix CRC certificate renewal wait using kubeconfig

[Valkyrie00]

Problem

Since ~2026-06-03, all CRC-based molecule jobs (ci_local_storage, env_op_images, etc.) fail consistently during the prepare phase, stuck on TASK [cifmw_helpers : Login to the OpenShift when certificate is expired] for 15 minutes before timing out with 401 Unauthorized.

Root cause

The oc login -u kubeadmin command in crc_start.yml never included the p flag. In non-interactive CI the empty password always returns 401, regardless of cluster state.

Fix

• Replace oc login with oc get nodes --kubeconfig=... which uses the CRC kubeconfig file directly, avoiding the OAuth dependency and the need for credentials during certificate renewal.
• Increase retries from 90 to 150 (~25 min) to cover the observed cluster recovery time.

Refs:

• https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/build/4d4440cfa7f44ab59da90c14c51d8bd4
• https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/logs//4d4/rdoproject.org/4d4440cfa7f44ab59da90c14c51d8bd4/ci-framework-data/logs/molecule-execution.log

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[danpawlik]

The oc login command in crc_start.yml was missing the -p (password)
flag, causing every retry to fail with 401 Unauthorized regardless
of cluster health.

that's not true :)

The generated kubeconfig contains few ids, no password needed due not via password authorization is done :)

Probably with new Zuul CI, new Ansible module are installed so it can not find kubeconfig in proper localization.

[Valkyrie00]

The oc login command in crc_start.yml was missing the -p (password)
flag, causing every retry to fail with 401 Unauthorized regardless
of cluster health.

that's not true :)

The generated kubeconfig contains few ids, no password needed due not via password authorization is done :)

Probably with new Zuul CI, new Ansible module are installed so it can not find kubeconfig in proper localization.

  stdout: |-
    WARNING: Using insecure TLS client config. Setting this option is not supported!

    Console URL: https://api.crc.testing:6443/console
    Authentication required for https://api.crc.testing:6443 (openshift)
    Username: kubeadmin
    Password: Login failed (401 Unauthorized)
    Verify you have provided the correct credentials.
  stdout_lines: <omitted>

That's the error, that i found. If you have any suggestions, please feel free to share them.

[nemarjan]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nemarjan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nemarjan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bogdando]

LGTM

[nemarjan]

/lgtm
I tested my MR with this change and it has fixed the issue: https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/build/5c08905906cd453fb7613d8d7ccaf153