OCPBUGS-85378: Fix OCP E2E test - Object count when exceed openshift.io/image-tags will ban to create new image references in the project #31155
Conversation
|
Pipeline controller notification For optional jobs, comment This repository is configured in: automatic mode |
|
@YamunadeviShanmugam: An error was encountered adding this pull request to the external tracker bugs for bug OCPBUGS-85378 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details. Full error message.
failed to add remote link: failed to add link: title - The length of the 'Link Text' field cannot exceed 255 characters.: request failed. Please analyze the request body for more details. Status code: 400:
Please contact an administrator to resolve this issue, then request a bug refresh with DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
YamunadeviShanmugam
changed the title
|
/jira refresh |
openshift-ci-robot
added
jira/valid-reference
|
@YamunadeviShanmugam: This pull request references Jira Issue OCPBUGS-85378, which is valid. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAn image-tag quota enforcement test is re-enabled and refactored to discover OpenShift ImageStream tags dynamically from the ChangesImage-Tag Quota Test Re-enablement & Dynamic Source Selection
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes 🚥 Pre-merge checks | ✅ 9 | ❌ 3❌ Failed checks (3 warnings)
✅ Passed checks (9 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/quota/resourcequota.go`:
- Around line 259-260: SearchLatestImage errors are currently ignored for
cliImage and toolsImage; capture and check the returned errors (e.g., cliImage,
err := exutil.SearchLatestImage(...); toolsImage, err2 := ...) and explicitly
fail the test or return an error if either lookup fails before proceeding to the
oc tag step. Update the code around the SearchLatestImage calls to validate err
and err2, and produce a clear failure message referencing the image name
(cli/tools) so oc tag is never invoked with an empty or invalid image reference.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: b4877f1a-ee6b-4e7e-be5e-7eaabb6df5f2
📒 Files selected for processing (2)
test/extended/quota/resourcequota.gotest/extended/util/search_latest_image.go
openshift-merge-bot
Bot
added
the
ready-for-human-review
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
test/extended/quota/resourcequota.go (1)
260-289:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winEnsure the test can handle missing ImageStreams
openshift/cli,openshift/tools, andopenshift/must-gatheron HyperShift and other constrained topologies.The test uses
--source=istagto reference ImageStreams from theopenshiftnamespace, which requiresopenshift/cli:latest,openshift/tools:latest, andopenshift/must-gather:latestto exist at test runtime. These are not part of the standard Samples Operator payload (unlike nodejs, perl, php, etc.) and may be unavailable on HyperShift hosted clusters or disconnected environments. If missing, the v1/v2 cases will fail with a non-forbidden error (not the expected success), and the v3 case may fail for the wrong reason, masking quota enforcement issues.Either preflight these streams and skip with a clear message if absent, or simplify the test to tag a single well-known stream multiple times (e.g.,
openshift/cli:latest→mystream:v1/v2/v3) to avoid depending on three independent payload streams.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/quota/resourcequota.go` around lines 260 - 289, The current test depends on three external ImageStreams (openshift/cli, openshift/tools, openshift/must-gather) and should either preflight-check their presence or be simplified to a single well-known stream; update the images setup/loop around oc.Run("tag") in resourcequota.go so it first verifies each source ImageStreamTag exists (e.g., call oc.Run("get").Args("imagestreamtag", "<namespace>/<name>:latest") or use exutil.WaitForAnImageStreamTag) and if any is missing call g.Skipf with a clear message, or alternatively replace the images slice with a single stable source (e.g., Image: "openshift/cli:latest") and reuse it for tags v1/v2/v3 to remove the dependency on multiple payload streams; ensure the tagging loop (oc.Run("tag").Args(...)) and the subsequent expectations remain unchanged aside from using the validated/consistent source.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tatus`:
- Around line 87-102: The PollUntilContextTimeout success check currently
returns true when len(imported.Spec.Tags) >= 2, which can mask missing tags;
update the condition inside the wait.PollUntilContextTimeout callback (the
closure that calls
oc.AdminImageClient().ImageV1().ImageStreams(testProject).Get(ctx, bulkISName,
metav1.GetOptions{})) to require all source tags are present — e.g. compare
len(imported.Spec.Tags) to the expected number of sourceTags (use
len(sourceTags) or an explicit 3) or validate the imported tag names match the
sourceTags set before returning true so the poll only succeeds when every tag
(alpha, beta, gamma) is imported.
---
Outside diff comments:
In `@test/extended/quota/resourcequota.go`:
- Around line 260-289: The current test depends on three external ImageStreams
(openshift/cli, openshift/tools, openshift/must-gather) and should either
preflight-check their presence or be simplified to a single well-known stream;
update the images setup/loop around oc.Run("tag") in resourcequota.go so it
first verifies each source ImageStreamTag exists (e.g., call
oc.Run("get").Args("imagestreamtag", "<namespace>/<name>:latest") or use
exutil.WaitForAnImageStreamTag) and if any is missing call g.Skipf with a clear
message, or alternatively replace the images slice with a single stable source
(e.g., Image: "openshift/cli:latest") and reuse it for tags v1/v2/v3 to remove
the dependency on multiple payload streams; ensure the tagging loop
(oc.Run("tag").Args(...)) and the subsequent expectations remain unchanged aside
from using the validated/consistent source.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: ea789bd5-3f7b-4ad2-830b-5c0e0ae70670
📒 Files selected for processing (2)
tatustest/extended/quota/resourcequota.go
|
Scheduling required tests: |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/extended/quota/resourcequota.go (1)
222-284: 💤 Low valueLGTM!
Optional: Add explanatory comment
Consider adding a brief comment before line 277 explaining why the wait is necessary:
+ // Ensure the ImageStream status reflects both tags before attempting v3, + // so the LimitRange admission controller sees the current tag count (2/2). g.By("waiting until mystream records both tags so limit enforcement sees tag count before v3")This helps future maintainers understand the synchronization requirement.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/quota/resourcequota.go` around lines 222 - 284, Add a short explanatory comment above the call to waitForImageStreamStatusTagsPopulated in the test (the waitForImageStreamStatusTagsPopulated invocation inside the "when exceed openshift.io/image-tags..." It block) stating that the wait ensures the ImageStream's status has observed and recorded the two tags before attempting the third tag so the quota enforcement logic sees the correct tag count; place it immediately before the waitForImageStreamStatusTagsPopulated(...) call near the end of the test to clarify the required synchronization for future maintainers.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/extended/quota/resourcequota.go`:
- Around line 222-284: Add a short explanatory comment above the call to
waitForImageStreamStatusTagsPopulated in the test (the
waitForImageStreamStatusTagsPopulated invocation inside the "when exceed
openshift.io/image-tags..." It block) stating that the wait ensures the
ImageStream's status has observed and recorded the two tags before attempting
the third tag so the quota enforcement logic sees the correct tag count; place
it immediately before the waitForImageStreamStatusTagsPopulated(...) call near
the end of the test to clarify the required synchronization for future
maintainers.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8ea7fd25-385f-40ad-9dd8-ebd9f8e10f3a
📒 Files selected for processing (1)
test/extended/quota/resourcequota.go
|
Scheduling required tests: |
|
Risk analysis has seen new tests most likely introduced by this PR. New tests seen in this PR at sha: b96e4f7
|
openshift-ci
Bot
added
the
approved
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
|
/retest |
|
Scheduling required tests: |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mgencur, sosiouxme, YamunadeviShanmugam The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required |
|
/retest |
4 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
@YamunadeviShanmugam: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Risk analysis has seen new tests most likely introduced by this PR. New Test Risks for sha: 96733ba
New tests seen in this PR at sha: 96733ba
|
4 participants
Problem
The Resource Quota test flakiness was caused by a hardcoded dependency on external image registry (quay.io), which forced the cluster’s ImageStream import controller to attempt network connections that are blocked. This resulted in timeouts as the test execution hung while waiting for image metadata that could never be retrieved.
Solution
Decoupled the test from the external network by replacing the references with internal OpenShift payload images discovered dynamically via exutil.SearchLatestImage. As these payload images are already stored in the cluster’s internal registry, their metadata resolves instantaneously, allowing the test to bypass the network hang while still proving that the ResourceQuota admission controller correctly blocks new objects once a namespace reaches its defined limit.
Testing
Before Fix
Will run 1 of 1 specs
[sig-api-machinery][Feature:ResourceQuota] Object count when exceed openshift.io/image-tags will ban to create new image references in the project [Skipped:Disconnected]
I0511 16:13:27.420842 2872106 client.go:432] Waiting for RoleBinding "system:deployers" to be provisioned...
I0511 16:13:29.137287 2872106 client.go:469] Project "e2e-test-object-count-rq-nxzlg" has been fully provisioned.
STEP: create the image-tags and checking the usage @ 05/11/26 16:13:29.138
STEP: trying to tag a container image with v1 @ 05/11/26 16:13:29.627
Tag mystream:v1 set to quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83.
STEP: waiting for an is importer to import a tag v1 into a stream mystream @ 05/11/26 16:13:30.881
STEP: trying to tag a container image with v2 @ 05/11/26 16:13:31.377
Tag mystream:v2 set to quay.io/openshifttest/base-alpine@sha256:3126e4eed4a3ebd8bf972b2453fa838200988ee07c01b2251e3ea47e4b1f245c.
STEP: waiting for an is importer to import a tag v2 into a stream mystream @ 05/11/26 16:13:32.708
STEP: trying to tag a container image with v3 @ 05/11/26 16:13:33.206
I0511 16:13:34.469253 2872106 client.go:1094] Error running oc --namespace=e2e-test-object-count-rq-nxzlg --kubeconfig=/tmp/configfile4211718485 tag openshift/hello-openshift --source=docker mystream:v3 -n e2e-test-object-count-rq-nxzlg:
StdOut>
The ImageStream "mystream" is invalid: []: Internal error: ImageStream.image.openshift.io "mystream" is forbidden: requested usage of openshift.io/image-tags exceeds the maximum limit per openshift.io/ImageStream (3 > 2)
StdErr>
After Fix
TestName: ./openshift-tests run-test "[sig-api-machinery][Feature:ResourceQuota] Object count when exceed openshift.io/image-tags will ban to create new image references in the project [Suite:openshift/conformance/parallel]"
STEP: create the image-tags and checking the usage @ 05/11/26 18:14:14.172
STEP: trying to tag a container image with v1 @ 05/11/26 18:14:15.306
Tag mystream:v1 set to registry.ci.openshift.org/ocp/4.22-2026-05-09-090642@sha256:76e1baa07b1a1193777c56ef46bb9e3d5de21e199fd4a2036f92d90195d0dbe5.
STEP: waiting for an is importer to import a tag v1 into a stream mystream @ 05/11/26 18:14:17.042
STEP: trying to tag a container image with v2 @ 05/11/26 18:14:17.596
Tag mystream:v2 set to registry.ci.openshift.org/ocp/4.22-2026-05-09-090642@sha256:c1f899cd087fe8ba7eda607c544e965bfaa01a5f5c3204167fdcd67145620455.
STEP: waiting for an is importer to import a tag v2 into a stream mystream @ 05/11/26 18:14:19.524
STEP: trying to tag a container image with v3 @ 05/11/26 18:14:20.291
I0511 18:14:21.794883 2874972 client.go:1094] Error running oc --namespace=e2e-test-object-count-rq-7p598 --kubeconfig=/tmp/configfile1139119268 tag openshift/hello-openshift --source=docker mystream:v3 -n e2e-test-object-count-rq-7p598:
StdOut>
The ImageStream "mystream" is invalid: []: Internal error: ImageStream.image.openshift.io "mystream" is forbidden: requested usage of openshift.io/image-tags exceeds the maximum limit per openshift.io/ImageStream (3 > 2)
Summary by CodeRabbit