DNM: no-jira: fix egressfirewall test in aws dualstack jobs#31217

Open
tthvo wants to merge 1 commit into openshift:main from tthvo:OCPBUGS-82501

@tthvo
Member

@tthvo tthvo commented May 26, 2026

This is the duplicate of #31147. I opened this to quickly test out the fix after regenerating the bindata.

Note: I do not intend to merge this (duplicate).

/hold

Summary by CodeRabbit

  • Tests
    • Added IPv6 egress firewall denial rules to test configurations, extending firewall rule coverage across both IPv4 and IPv6 protocols.

@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) on May 26, 2026
@openshift-ci-robot

@tthvo: This pull request explicitly references no jira issue.

In response to this:

This is the duplicate of #31147. I opened this to quickly test out the fix after regenerating the bindata.

Note: I do not intend to merge this (duplicate).

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci Bot added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) on May 26, 2026
@openshift-ci Bot requested review from p0lyn0mial and sjenning on May 26, 2026 19:41
@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tthvo
Once this PR has been reviewed and has the lgtm label, please assign stbenjam for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented May 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8e89a65a-ef95-421b-98f1-820729c56b41

📥 Commits

Reviewing files that changed from the base of the PR and between bc9737b and 625bc1b.

📒 Files selected for processing (3)
  • test/extended/testdata/bindata.go
  • test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
  • test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml

Walkthrough

Test fixtures for EgressFirewall policies are extended to include IPv6 egress deny rules (::/0). Two YAML test files and their corresponding embedded bindata representations are updated to cover both IPv4 and IPv6 default-route blocking scenarios.

Changes

IPv6 Egress Firewall Test Coverage

| Layer / File(s) | Summary |
|---|---|
| Add IPv6 deny rules to YAML test fixtures: test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml, test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml | Two EgressFirewall test policies add new deny rules targeting the IPv6 default route (::/0) to expand test coverage beyond the existing IPv4 (0.0.0.0/0) rules. |
| Update embedded YAML bytes in bindata: test/extended/testdata/bindata.go | Embedded YAML byte fixtures are regenerated to reflect the IPv6 deny rule additions, keeping bindata synchronized with source YAML test fixtures. |

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Microshift Test Compatibility | ⚠️ Warning | Test "egressFirewall should have no impact outside its namespace" uses config.openshift.io API (Infrastructure) unavailable on MicroShift without protective skip or apigroup tag. | Add [apigroup:config.openshift.io] tag to the test name, wrap with InOVNKubernetesContext(), or add IsMicroShiftCluster() skip check to prevent execution on MicroShift. |
| Single Node Openshift (Sno) Test Compatibility | ⚠️ Warning | New Ginkgo tests in egress_firewall.go require multiple nodes via findAppropriateNodes(DIFFERENT_NODE) which skips on single-node. No SNO compatibility protection found. | Add [Skipped:SingleReplicaTopology] label to test names, or guard with exutil.IsSingleNode() check that calls g.Skip() on single-node clusters. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title includes 'DNM' (Do Not Merge) prefix and 'no-jira' marker, and the author explicitly states in the PR description this is a duplicate PR not intended to be merged and is on hold. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only testdata YAML files and bindata.go. No Ginkgo test definitions were changed. All existing test names are stable. |
| Test Structure And Quality | ✅ Passed | PR modifies only test data (YAML fixtures and bindata.go), not test code. The custom check applies to Ginkgo test code quality, which is not affected. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only test fixtures (YAML test data and auto-generated bindata.go). No deployment manifests, operator code, controllers, or scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only test data files (YAML fixtures and auto-generated bindata.go). No process-level code with stdout writes added, modified, or affected by these changes. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR; only test data fixtures and bindata.go are modified to add IPv6 CIDR rules, so the check does not apply. |

Comment @coderabbitai help to get the list of available commands and usage tips.
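
Why a `::/0` deny matters next to `0.0.0.0/0` on a dual-stack cluster, as an added Go example that is not code from this PR or from openshift/origin: an IPv4 catch-all prefix never matches an IPv6 destination. The `Rule` type, the sample policies and the evaluation semantics (rules checked in order, unmatched traffic allowed) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one spec.egress entry reduced to the two fields used here.
type Rule struct {
	Type string       // "Allow" or "Deny"
	To   netip.Prefix // to.cidrSelector
}

// Constructed sample policies, not the PR's fixtures.
var pfx = netip.MustParsePrefix
var ipv4Only = []Rule{{"Allow", pfx("8.8.8.8/32")}, {"Deny", pfx("0.0.0.0/0")}}
var dualStack = append(append([]Rule{}, ipv4Only...), Rule{"Deny", pfx("::/0")})

// Verdict returns the type of the first rule whose prefix contains dst.
// Assumption: rules are checked in order and unmatched traffic is allowed.
func Verdict(rules []Rule, dst netip.Addr) string {
	for _, r := range rules {
		if r.To.Contains(dst) { // an IPv4 prefix never contains an IPv6 address
			return r.Type
		}
	}
	return "Allow"
}

// MissingDefaultDeny lists the default routes that no Deny rule covers.
func MissingDefaultDeny(rules []Rule) (missing []string) {
	for _, all := range []string{"0.0.0.0/0", "::/0"} {
		found := false
		for _, r := range rules {
			found = found || (r.Type == "Deny" && r.To.Masked() == pfx(all))
		}
		if !found {
			missing = append(missing, all)
		}
	}
	return missing
}

func main() {
	dst := netip.MustParseAddr("2001:db8::1") // documentation-range IPv6 address
	fmt.Println(Verdict(ipv4Only, dst), MissingDefaultDeny(ipv4Only))
	fmt.Println(Verdict(dualStack, dst), MissingDefaultDeny(dualStack))
}
```
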

@tthvo
Member Author

tthvo commented May 26, 2026

/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview openshift/cluster-cloud-controller-manager-operator#466
/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview openshift/cluster-cloud-controller-manager-operator#466

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@tthvo: given command is invalid: at least one of the commands given is only supported on a one-command-per-comment basis, please separate out commands as multiple comments

@tthvo
Member Author

tthvo commented May 26, 2026

/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview openshift/cluster-cloud-controller-manager-operator#466

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/82f96140-593b-11f1-9177-54846f2a0e77-0

@tthvo
Member Author

tthvo commented May 26, 2026

/payload-job-with-prs periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview openshift/cluster-cloud-controller-manager-operator#466

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8afa2d70-593b-11f1-94c3-bb46dcb523ca-0

@tthvo
Member Author

tthvo commented May 26, 2026

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview
/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

@openshift-ci
Contributor

openshift-ci Bot commented May 26, 2026

@tthvo: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/c604c560-593b-11f1-928b-e7924d949510-0

@openshift-ci Bot added the ready-for-human-review label (Indicates a PR has been reviewed by automated tools and is ready for human review) on May 26, 2026
@openshift-merge-bot
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci
Contributor

openshift-ci Bot commented May 27, 2026

@tthvo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-gcp-csi | 625bc1b | link | true | /test e2e-gcp-csi |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tthvo
Member Author

tthvo commented May 27, 2026

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview
/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

@openshift-ci
Contributor

openshift-ci Bot commented May 27, 2026

@tthvo: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview
  • periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e8b129a0-59ea-11f1-89f9-60dd22fcd43d-0

Labels

  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • ready-for-human-review: Indicates a PR has been reviewed by automated tools and is ready for human review
