Merge pull request #1267 from rikatz/rkatz/deflake-customendpoints

openshift-merge-bot[bot] · web-flow · commit 2371120eedb2 · 2025-08-26T13:43:11.000Z
OCPBUGS-53432: deflake TestIngressControllerCustomEndpoints by proper waiting for CCM to be ready
diff --git a/test/e2e/operator_test.go b/test/e2e/operator_test.go
@@ -125,6 +125,7 @@ var (
 	operandNamespace  = operatorcontroller.DefaultOperandNamespace
 	defaultName       = types.NamespacedName{Namespace: operatorNamespace, Name: manifests.DefaultIngressControllerName}
 	clusterConfigName = types.NamespacedName{Namespace: operatorNamespace, Name: manifests.ClusterIngressConfigName}
+	ccmDeploymentName = types.NamespacedName{Namespace: "openshift-cloud-controller-manager", Name: "aws-cloud-controller-manager"}
 
 	// Platforms that need a DNS "warmup" period for internal (inside the test cluster) DNS resolution.
 	// The warmup period is a period of delay before the first query is executed to avoid negative caching.
@@ -142,6 +143,13 @@ const (
 	// cluster (which may be on different platforms) and any negative caching along the way. As of writing this, AWS
 	// typically resolves within ~1 minute (see OCPBUGS-14966), while IBMCloud takes ~7 minutes (see OCPBUGS-48780).
 	dnsResolutionTimeout = 10 * time.Minute
+
+	// ccmConfigAnnotation is an annotation that exists on CloudControllerManager
+	// and contains a hash of the current infrastructure configuration.
+	// It is used to signal to CCM deployment a configuration change that needs
+	// a rollout update, and can be used by tests to also detect changes on CCM
+	// deployment
+	ccmConfigAnnotation = "operator.openshift.io/config-hash"
 )
 
 func init() {
@@ -2600,71 +2608,81 @@ func TestIngressControllerCustomEndpoints(t *testing.T) {
 	if platform == nil {
 		t.Fatalf("platform status is missing for infrastructure %s", infraConfig.Name)
 	}
-	switch platform.Type {
-	case configv1.AWSPlatformType:
-		switch {
-		case platform.AWS == nil:
-			t.Fatalf("aws platform status is missing for infrastructure %s", infraConfig.Name)
-		case len(platform.AWS.ServiceEndpoints) != 0:
-			t.Skipf("custom endpoints detected for infrastructure %s, skipping TestIngressControllerCustomEndpoints",
-				infraConfig.Name)
-		case len(platform.AWS.Region) == 0:
-			t.Fatalf("region is missing from aws platform status for infrastructure %s", infraConfig.Name)
-		case platform.AWS.Region == endpoints.CnNorth1RegionID || platform.AWS.Region == endpoints.CnNorthwest1RegionID:
-			t.Skipf("region %s or %s detected for infrastructure %s, skipping TestIngressControllerCustomEndpoints",
-				endpoints.CnNorth1RegionID, endpoints.CnNorthwest1RegionID, infraConfig.Name)
-		}
-		route53Endpoint := configv1.AWSServiceEndpoint{
-			Name: "route53",
-			// AWS Route 53 is a non-regionalized service, so the endpoint URL
-			// does not include a region.
-			URL: "https://route53.amazonaws.com",
-		}
-		taggingEndpoint := configv1.AWSServiceEndpoint{
-			Name: "tagging",
-			// us-east-1 region is required to get hosted zone resources
-			// since route 53 is a non-regionalized service.
-			URL: "https://tagging.us-east-1.amazonaws.com",
-		}
-		elbEndpoint := configv1.AWSServiceEndpoint{
-			Name: "elasticloadbalancing",
-			URL:  fmt.Sprintf("https://elasticloadbalancing.%s.amazonaws.com", platform.AWS.Region),
-		}
-		if err := updateInfrastructureConfigSpecWithRetryOnConflict(t, types.NamespacedName{Name: "cluster"}, timeout, func(spec *configv1.InfrastructureSpec) {
-			spec.PlatformSpec.AWS = &configv1.AWSPlatformSpec{
-				ServiceEndpoints: []configv1.AWSServiceEndpoint{
-					route53Endpoint,
-					taggingEndpoint,
-					elbEndpoint,
-				},
-			}
-		}); err != nil {
-			t.Fatalf("failed to update infrastructure config: %v\n", err)
+
+	if platform.Type != configv1.AWSPlatformType {
+		t.Skipf("skipping TestIngressControllerCustomEndpoints test due to platform type: %s", platform.Type)
+	}
+
+	switch {
+	case platform.AWS == nil:
+		t.Fatalf("aws platform status is missing for infrastructure %s", infraConfig.Name)
+	case len(platform.AWS.ServiceEndpoints) != 0:
+		t.Skipf("custom endpoints detected for infrastructure %s, skipping TestIngressControllerCustomEndpoints",
+			infraConfig.Name)
+	case len(platform.AWS.Region) == 0:
+		t.Fatalf("region is missing from aws platform status for infrastructure %s", infraConfig.Name)
+	case platform.AWS.Region == endpoints.CnNorth1RegionID || platform.AWS.Region == endpoints.CnNorthwest1RegionID:
+		t.Skipf("region %s or %s detected for infrastructure %s, skipping TestIngressControllerCustomEndpoints",
+			endpoints.CnNorth1RegionID, endpoints.CnNorthwest1RegionID, infraConfig.Name)
+	}
+
+	route53Endpoint := configv1.AWSServiceEndpoint{
+		Name: "route53",
+		// AWS Route 53 is a non-regionalized service, so the endpoint URL
+		// does not include a region.
+		URL: "https://route53.amazonaws.com",
+	}
+	taggingEndpoint := configv1.AWSServiceEndpoint{
+		Name: "tagging",
+		// us-east-1 region is required to get hosted zone resources
+		// since route 53 is a non-regionalized service.
+		URL: "https://tagging.us-east-1.amazonaws.com",
+	}
+	elbEndpoint := configv1.AWSServiceEndpoint{
+		Name: "elasticloadbalancing",
+		URL:  fmt.Sprintf("https://elasticloadbalancing.%s.amazonaws.com", platform.AWS.Region),
+	}
+
+	// On a non-managed environment, retrieve the current Cloud Controller Manager
+	// configuration hash, so later we can verify if the new configuration was applied
+	// as part of the infrastructure.config update
+	var oldConfigHash string
+	if infraConfig.Status.ControlPlaneTopology != configv1.ExternalTopologyMode {
+		oldCCMDeployment := waitForCCMAvailableAndUpdated(t, 5*time.Minute, "")
+		oldConfigHash = retrieveCCMConfigurationHash(oldCCMDeployment)
+		if oldConfigHash == "" {
+			t.Fatalf("CCM does not have a config hash, this should never happen: %v", oldCCMDeployment)
+		}
+	}
+
+	// Wait for infrastructure status to update with custom endpoints.
+	if err := updateAndVerifyInfrastructureConfigWithRetry(t, types.NamespacedName{Name: "cluster"}, timeout, func(spec *configv1.InfrastructureSpec) {
+		spec.PlatformSpec.AWS = &configv1.AWSPlatformSpec{
+			ServiceEndpoints: []configv1.AWSServiceEndpoint{
+				route53Endpoint,
+				taggingEndpoint,
+				elbEndpoint,
+			},
 		}
-		defer func() {
-			// Remove the custom endpoints from the infrastructure config.
-			if err := updateInfrastructureConfigSpecWithRetryOnConflict(t, types.NamespacedName{Name: "cluster"}, timeout, func(spec *configv1.InfrastructureSpec) {
-				spec.PlatformSpec.AWS = nil
-			}); err != nil {
-				t.Fatalf("failed to update infrastructure config: %v", err)
-			}
-		}()
-		// Wait for infrastructure status to update with custom endpoints.
-		if err := wait.PollImmediate(1*time.Second, 15*time.Second, func() (bool, error) {
-			if err := kclient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, &infraConfig); err != nil {
-				t.Logf("failed to get infrastructure config: %v\n", err)
-				return false, err
-			}
-			if len(infraConfig.Status.PlatformStatus.AWS.ServiceEndpoints) == 0 {
-				return false, nil
-			}
-			return true, nil
+	}); err != nil {
+		t.Fatalf("failed to update infrastructure config: %v", err)
+	}
+	defer func() {
+		// Remove the custom endpoints from the infrastructure config.
+		if err := updateAndVerifyInfrastructureConfigWithRetry(t, types.NamespacedName{Name: "cluster"}, timeout, func(spec *configv1.InfrastructureSpec) {
+			spec.PlatformSpec.AWS = nil
 		}); err != nil {
-			t.Fatalf("failed to observe status update for infrastructure config %s", infraConfig.Name)
+			t.Fatalf("failed to update infrastructure config: %v", err)
 		}
-	default:
-		t.Skipf("skipping TestIngressControllerCustomEndpoints test due to platform type: %s", platform.Type)
+	}()
+
+	if infraConfig.Status.ControlPlaneTopology != configv1.ExternalTopologyMode {
+		// Wait for CCM to be ready with the new configuration, so we can guarantee that
+		// the LoadBalancer will be created correctly. This assertion is not possible
+		// on managed control planes (eg.: hypershift or rosa)
+		_ = waitForCCMAvailableAndUpdated(t, 5*time.Minute, oldConfigHash)
 	}
+
 	// The default ingresscontroller should surface the expected status conditions.
 	if err := waitForIngressControllerCondition(t, kclient, 30*time.Second, defaultName, availableConditionsForIngressControllerWithLoadBalancer...); err != nil {
 		t.Fatalf("did not get expected ingress controller conditions: %v", err)
@@ -2677,7 +2695,10 @@ func TestIngressControllerCustomEndpoints(t *testing.T) {
 	}
 	defer assertIngressControllerDeleted(t, kclient, ic)
 	// Ensure the ingress controller is reporting expected status conditions.
-	if err := waitForIngressControllerCondition(t, kclient, 5*time.Minute, name, availableConditionsForIngressControllerWithLoadBalancer...); err != nil {
+	// The readiness of the resource depends on the load of the environment, and because changing InfrastructureConfig
+	// causes the Cloud controller manager to rollout, at least 3 minutes are required for leader
+	// election of CCM to happen + the required time to properly schedule the Pods once they are killed/restarted
+	if err := waitForIngressControllerCondition(t, kclient, 7*time.Minute, name, availableConditionsForIngressControllerWithLoadBalancer...); err != nil {
 		t.Errorf("failed to observe expected conditions: %v", err)
 	}
 }
diff --git a/test/e2e/util_test.go b/test/e2e/util_test.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -622,31 +623,111 @@ func updateIngressConfigSpecWithRetryOnConflict(t *testing.T, name types.Namespa
 	})
 }
 
-// updateInfrastructureConfigSpecWithRetryOnConflict gets a fresh copy
+// updateAndVerifyInfrastructureConfigWithRetry gets a fresh copy
 // of the named infrastructure object, calls updateSpecFn() where
 // callers can modify fields of the spec, and then updates the infrastructure
 // config object. If there is a conflict error on update then the
 // complete operation of get, mutate, and update is retried until
 // timeout is reached.
-func updateInfrastructureConfigSpecWithRetryOnConflict(t *testing.T, name types.NamespacedName, timeout time.Duration, mutateSpecFn func(*configv1.InfrastructureSpec)) error {
+// After updating, it will check if the desired spec.Endpoints where applied to
+// the infrastructure config
+func updateAndVerifyInfrastructureConfigWithRetry(t *testing.T, name types.NamespacedName, timeout time.Duration, mutateSpecFn func(*configv1.InfrastructureSpec)) error {
 	infraConfig := configv1.Infrastructure{}
-	return wait.PollImmediate(1*time.Second, timeout, func() (bool, error) {
-		if err := kclient.Get(context.TODO(), name, &infraConfig); err != nil {
+	// First we apply the configuration
+	err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, timeout, false, func(ctx context.Context) (done bool, err error) {
+		if err := kclient.Get(ctx, name, &infraConfig); err != nil {
 			t.Logf("error getting infrastructure config %v: %v, retrying...", name, err)
 			return false, nil
 		}
 		mutateSpecFn(&infraConfig.Spec)
 		if err := kclient.Update(context.TODO(), &infraConfig); err != nil {
-			if errors.IsConflict(err) {
-				t.Logf("conflict when updating infrastructure config %v: %v, retrying...", name, err)
+			t.Logf("error updating infrastructure config %v: %v, retrying...", name, err)
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		return err
+	}
+	// Then we get the applied configuration, and check if the serviceendpoints match
+	return wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, timeout, false, func(ctx context.Context) (done bool, err error) {
+		if err := kclient.Get(ctx, name, &infraConfig); err != nil {
+			t.Logf("error getting infrastructure config %v: %v, retrying...", name, err)
+			return false, nil
+		}
+
+		// Early return if we don't have any specific service endpoint
+		if infraConfig.Spec.PlatformSpec.AWS == nil || len(infraConfig.Spec.PlatformSpec.AWS.ServiceEndpoints) == 0 {
+			return true, nil
+		}
+		// In case we have a desired ServiceEndpoints, we need to check once it has been reflected correctly
+		if infraConfig.Status.PlatformStatus == nil ||
+			infraConfig.Status.PlatformStatus.AWS == nil ||
+			len(infraConfig.Status.PlatformStatus.AWS.ServiceEndpoints) != len(infraConfig.Spec.PlatformSpec.AWS.ServiceEndpoints) {
+			t.Logf("infrastructure config status does not contain endpoints yet %v: %v, retrying...", name, infraConfig.Status)
+			return false, nil
+		}
+
+		for _, endpoint := range infraConfig.Spec.PlatformSpec.AWS.ServiceEndpoints {
+			if !slices.ContainsFunc(infraConfig.Status.PlatformStatus.AWS.ServiceEndpoints, func(e configv1.AWSServiceEndpoint) bool {
+				return e.Name == endpoint.Name && e.URL == endpoint.URL
+			}) {
+				t.Logf("infrastructure config status does not contain the desired endpoints, retrying %v: %v, retrying...", name, endpoint)
 				return false, nil
 			}
-			return false, err
 		}
 		return true, nil
 	})
 }
 
+// waitForCCMAvailableAndUpdated waits for Cloud Controller Manager Deployment
+// to be reported as ready.
+// If oldConfigurationHash is not empty it will additionally verify that the configuration hash
+// is different between the deployments
+func waitForCCMAvailableAndUpdated(t *testing.T, timeout time.Duration, oldConfigurationHash string) appsv1.Deployment {
+	// The pooler below will never return an error, and instead it will log and try until it fails.
+	// This avoids errors that are network errors to cause a failure on the test, and instead retries until it
+	// is successful
+	ccmDeployment := appsv1.Deployment{}
+	if err := wait.PollUntilContextTimeout(context.TODO(), 5*time.Second, timeout, false, func(ctx context.Context) (done bool, err error) {
+		if err := kclient.Get(context.TODO(), ccmDeploymentName, &ccmDeployment); err != nil {
+			t.Logf("error getting CCM deployment: %v", err)
+			return false, nil
+		}
+
+		if oldConfigurationHash != "" {
+			currentConfigHash := retrieveCCMConfigurationHash(ccmDeployment)
+			if oldConfigurationHash == currentConfigHash {
+				t.Log("new config hash not yet applied to CCM deployment")
+				return false, nil
+			}
+		}
+
+		if ccmDeployment.Generation != ccmDeployment.Status.ObservedGeneration ||
+			ccmDeployment.Status.Replicas != ccmDeployment.Status.ReadyReplicas ||
+			ccmDeployment.Status.Replicas != ccmDeployment.Status.UpdatedReplicas ||
+			ccmDeployment.Status.UnavailableReplicas != 0 {
+			t.Log("CCM replicas are not ready, will retry")
+			return false, nil
+		}
+
+		return true, nil
+
+	}); err != nil {
+		t.Fatalf("failed to observe status update for infrastructure config %s", infraConfig.Name)
+	}
+
+	return ccmDeployment
+}
+
+// retrieveCCMConfigurationHash fetches the config-hash used on CCM deployment
+// and present on the annotation operator.openshift.io/config-hash
+// this information can be used to signal that a required infrastructure change
+// was successfully applied on CCM and forces CCM to do a rollout update.
+func retrieveCCMConfigurationHash(ccmDeployment appsv1.Deployment) string {
+	return ccmDeployment.Spec.Template.Annotations[ccmConfigAnnotation]
+}
+
 // updateInfrastructureStatus updates the Infrastructure status by applying
 // the given update function to the current Infrastructure object.
 // If there is a conflict error on update then the complete operation
