USHIFT-6745: Port OTP etcd test cases to Robot Framework #6415

Open
agullon wants to merge 1 commit into openshift:main from agullon:USHIFT-6745

@agullon agullon commented Mar 27, 2026

Summary

  • Port MicroShiftOnly OTP etcd test cases to Robot Framework (USHIFT-6690)
  • Add 3 new tests to standard1/etcd.robot: etcd defragmentation (OCP-71790), transient scope verification (OCP-62738), and lifecycle tracking (OCP-60945)
  • Add manual etcd cert rotation test to standard2/validate-certificate-rotation.robot (OCP-75224)
  • Improve Restore System Date robustness for shared suite execution

OTP coverage mapping

| OTP Test | ID | Action |
|---|---|---|
| Etcd as transient systemd unit | OCP-62738 | Added to etcd.robot |
| Etcd start/stop with MicroShift | OCP-60945 | Added to etcd.robot |
| Etcd db defragment manually | OCP-71790 | Added to etcd.robot |
| Manual rotation of etcd signer certs | OCP-75224 | Added to validate-certificate-rotation.robot |
| Etcd quota size configurable | OCP-62547 | Already covered by existing etcd.robot |
| Tuning heartbeat/election timeout | OCP-66829 | N/A (OCP-operator only) |
| Selectable etcd database size | OCP-73511 | N/A (OCP-operator only) |
| Auto rotation of etcd signer certs | OCP-75259 | N/A (10yr cert, impractical) |

USHIFT-6745

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Mar 27, 2026

openshift-ci-robot commented Mar 27, 2026

@agullon: This pull request references USHIFT-6745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Test plan

  • All 7 tests pass in local dry-run against a MicroShift host (2 runs)
  • CI: tests are picked up automatically by standard1/standard2 scenario jobs
  • Verify make verify-rf passes (robocop/robotidy lint)


@openshift-ci openshift-ci bot requested review from ggiguash and pmtk March 27, 2026 08:36

coderabbitai bot commented Mar 27, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Suite test/suites/standard1/etcd.robot adds etcdctl install/check logic, TLS/endpoint suite variables, DB-size querying, scope lifecycle checks, and three etcd-related tests; memory-limit tests were retagged and given teardowns. Suite test/suites/standard2/validate-certificate-rotation.robot adds a manual etcd-signer rotation test, a cert-fingerprint keyword, and a chronyd conditional in Restore System Date.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Etcd Management & Tests: test/suites/standard1/etcd.robot | Added suite variables (${ETCD_CA_CERT}, ${ETCD_CLIENT_CERT}, ${ETCD_CLIENT_KEY}, ${ETCD_ENDPOINT}, ${ETCDCTL_CMD}), suite setup Install Etcdctl If Missing; new keywords Install Etcdctl If Missing, Get Etcd Database Size, Etcd Scope Is Inactive, Wait Until Etcd Scope Is Inactive; updated Expect MemoryHigh to use ${ETCD_SYSTEMD_UNIT}; retagged memory-limit tests and added teardowns; added tests: Etcd Database Defragment Manually, Etcd Runs As Transient Systemd Scope Unit, Etcd Scope Follows MicroShift Lifecycle. |
| Certificate Rotation Tests: test/suites/standard2/validate-certificate-rotation.robot | Added test Manual Rotation Of Etcd Signer Certs (captures CA SHA256, removes /var/lib/microshift/certs/etcd-signer/*, restarts MicroShift, verifies regenerated cert files and fingerprint changed); added exported keyword Get Cert Fingerprint (uses openssl); updated Restore System Date to skip restarting chronyd if already active; minor doc/var fixes. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


openshift-ci bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon


openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Mar 27, 2026

openshift-ci-robot commented Mar 27, 2026

@agullon: This pull request references USHIFT-6745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.


agullon commented Mar 27, 2026

/jira refresh


openshift-ci-robot commented Mar 27, 2026

@agullon: This pull request references USHIFT-6745 which is a valid jira issue.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
test/suites/standard1/etcd.robot (1)

148-152: Shell quoting in JSON parsing could break on edge cases.

Using echo '${output}' is fragile if the JSON ever contains literal single quotes. Consider using a heredoc or piping directly.

♻️ Suggested fix using printf
 Get Etcd Database Size
     [Documentation]    Return the current etcd database size in bytes
     ${output}=    Command Should Work    ${ETCDCTL_CMD} endpoint status --write-out\=json
-    ${size}=    Command Should Work    echo '${output}' | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['Status']['dbSize'])"
+    ${size}=    Command Should Work    printf '%s' '${output}' | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['Status']['dbSize'])"
     RETURN    ${size}
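
Review bot: On the `+` line, `printf '%s' '${output}'` still has Robot Framework substitute `${output}` into a single-quoted shell string, so a literal single quote in the JSON ends that string exactly as it did with `echo`; swapping the command only changes how backslashes and a leading `-` are handled. To remove the quoting problem, do not pass the JSON through a shell argument at all, for example pipe `${ETCDCTL_CMD} endpoint status --write-out\=json` straight into the `python3 -c` parser inside one `Command Should Work` call.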

Alternatively, combine into a single command to avoid intermediate shell expansion entirely.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/suites/standard1/etcd.robot` around lines 148 - 152, The step "Get Etcd
Database Size" is fragile because it uses echo '${output}' which can break if
the JSON contains single quotes; change the pipeline to avoid shell
interpolation: take the ${output} captured by Command Should Work and pipe it
directly into the Python JSON parser (or use printf/ heredoc) so you don't rely
on echo with quoted content—update the lines that set ${output} and ${size} (the
Command Should Work invocations) to feed the JSON safely into python3 (or a
single combined command) instead of using echo '${output}'.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b9d3caef-6347-4631-b2a2-f0fec3604252

📥 Commits

Reviewing files that changed from the base of the PR and between 544426e and f67f8af.

📒 Files selected for processing (1)
  • test/suites/standard1/etcd.robot


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
test/suites/standard1/etcd.robot (1)

134-146: Consider adding checksum verification for downloaded etcdctl binary.

Downloading from GitHub releases without verifying a checksum is acceptable for test environments but reduces supply-chain assurance. If this is intentional for simplicity, a brief comment explaining the tradeoff would help future maintainers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/suites/standard1/etcd.robot` around lines 134 - 146, The test "Install
Etcdctl If Missing" currently downloads and extracts etcdctl via the curl|tar
pipeline (the Command Should Work that uses
https://github.com/etcd-io/etcd/releases/download/v${etcd_ver}/etcd-v${etcd_ver}-linux-${arch_suffix}.tar.gz)
without verifying integrity; add checksum verification by also downloading the
corresponding release checksum (or GPG signature) for v${etcd_ver}, validating
the tarball before extracting, and fail the test if verification fails;
alternatively, if you intentionally omit verification for simplicity, add a
short comment above the download (near the ${etcd_ver} and ${arch_suffix} logic)
documenting the tradeoff and rationale.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 9a6eccc1-5b6f-48db-b7ba-4e8659c12fb9

📥 Commits

Reviewing files that changed from the base of the PR and between f67f8af and 7a101f7.

📒 Files selected for processing (2)
  • test/suites/standard1/etcd.robot
  • test/suites/standard2/validate-certificate-rotation.robot


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
test/suites/standard1/etcd.robot (1)

148-152: Consider heredoc for robustness against special characters.

The echo '${output}' pattern breaks if JSON ever contains single quotes. While unlikely with etcdctl output, a heredoc is more robust.

Alternative using heredoc
 Get Etcd Database Size
     [Documentation]    Return the current etcd database size in bytes
     ${output}=    Command Should Work    ${ETCDCTL_CMD} endpoint status --write-out\=json
     ${size}=    Command Should Work
-    ...    echo '${output}' | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['Status']['dbSize'])"
+    ...    python3 -c "import json; print(json.loads('''${output}''')[0]['Status']['dbSize'])"
     RETURN    ${size}
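
Review bot: The `+` line puts `${output}` inside the double-quoted `python3 -c "..."` argument, and the JSON it carries always contains double quotes, so the first `"` in the output closes the shell string and the Python source is mangled; it is also not a heredoc despite the heading, and a `'''` or backslash in the data would change the Python literal. Keep the parser reading from `sys.stdin` as on the `-` line and feed it from a quoted here-document or directly from the etcdctl pipeline.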
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/suites/standard1/etcd.robot` around lines 148 - 152, The current step
"Get Etcd Database Size" pipes echo '${output}' into python3 which will break if
the JSON contains single quotes; instead, pass the ${output} variable into
python3 via a heredoc to avoid shell quoting issues: update the second Command
Should Work call that runs python3 -c "import sys,json; print(...)" so it
consumes stdin from a quoted here-document containing ${output} (e.g. <<'EOF'
... EOF), preserving the python one-liner and extracting ['Status']['dbSize']
from the JSON.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bf7893cb-788b-4156-bd4a-7d8c23a11a5f

📥 Commits

Reviewing files that changed from the base of the PR and between 7a101f7 and f1846af.

📒 Files selected for processing (2)
  • test/suites/standard1/etcd.robot
  • test/suites/standard2/validate-certificate-rotation.robot

agullon force-pushed the USHIFT-6745 branch 2 times, most recently from 695ac1d to a0a6d3f, March 27, 2026 11:14

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/suites/standard1/etcd.robot`:
- Around line 135-148: The test keyword "Install Etcdctl If Missing" currently
downloads and executes an unverified etcdctl from GitHub at runtime (using
curl/tar and microshift-etcd to detect version) which breaks in disconnected CI
and skips artifact verification; change the test to stop performing the direct
curl/tar fetch and instead use a pre-staged etcdctl from test fixtures (replace
the runtime download logic that references ${ETCDCTL_BIN}, ${etcd_ver},
microshift-etcd and the curl/tar bash command) or, if dynamic fetch is
absolutely required, add a checksum verification step against a known-good hash
before making ${ETCDCTL_BIN} executable and running it; ensure the keyword
resolves ${ETCDCTL_BIN} to the fixture path and remove sudo curl/tar usage so no
outbound fetch occurs during test execution.
- Around line 121-128: The test "Etcd Scope Is Inactive" currently uses "Should
Not Be Equal As Strings ${stdout.strip()} active" which also allows undesired
states like "failed"; update the assertion to explicitly allow only the expected
states by replacing that line with an explicit membership check such as using
"Should Be One Of    ${stdout.strip()}    inactive    unknown" (or equivalent
Robot keyword) so the output from Execute Command (systemctl is-active
${ETCD_SYSTEMD_UNIT}) is restricted to only "inactive" or "unknown".

In `@test/suites/standard2/validate-certificate-rotation.robot`:
- Around line 45-46: The current test uses the keyword "Certificate Should Be
Valid For Current Time" which only asserts notBefore <= now; update the test to
also assert that now < notAfter (i.e., certificate not expired) after "Verify
Remote File Exists With Sudo ${cert_file}". Either extend or replace the keyword
call with one that checks both notBefore and notAfter, or add a new assertion
(e.g., "Certificate Not Expired" or "Certificate Should Be Valid NowAndLater")
that parses ${cert_file} and verifies now < notAfter; reference the existing
keyword name "Certificate Should Be Valid For Current Time" when implementing
the combined check so the helper is updated consistently.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 93980c3c-3299-4d00-8339-23bea32dd562

📥 Commits

Reviewing files that changed from the base of the PR and between f1846af and 695ac1d.

📒 Files selected for processing (2)
  • test/suites/standard1/etcd.robot
  • test/suites/standard2/validate-certificate-rotation.robot
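
The checksum step that both review comments on Install Etcdctl If Missing ask for, sketched as an added example; it is not code from the PR or from MicroShift. The tarball name `etcd-vX.Y.Z-linux-amd64.tar.gz`, the `SHA256SUMS` layout and all function names are assumptions, and the tarball is built locally so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a release tarball against a SHA256SUMS entry before
# extracting anything from it. File names and layout below are constructed.

# verify_tarball TARBALL SUMS_FILE
# Succeeds only if SUMS_FILE holds exactly one entry for the tarball's base
# name and the tarball's SHA-256 digest equals it.
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # Accept both "<hex>  name" (text mode) and "<hex> *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    # A missing or duplicated entry is a failure, not something to guess at.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_verified TARBALL SUMS_FILE MEMBER DEST
# Extracts MEMBER and installs it at DEST only after verification passes.
# The tarball is a file on disk, never a curl stream piped into tar.
install_verified() {
    verify_tarball "$1" "$2" || {
        echo "checksum verification failed: $1" >&2
        return 1
    }
    tmp=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$tmp" "$3" && install -m 0755 "$tmp/$3" "$4"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_fixture DIR
# Builds a constructed stand-in for a release: a tarball holding a dummy
# etcdctl script, plus a SHA256SUMS file describing it.
make_fixture() {
    dir=$1
    rel=etcd-vX.Y.Z-linux-amd64   # placeholder version, not a real release
    mkdir -p "$dir/$rel" "$dir/bin"
    printf '#!/bin/sh\necho constructed etcdctl stand-in\n' > "$dir/$rel/etcdctl"
    tar -czf "$dir/$rel.tar.gz" -C "$dir" "$rel"
    (cd "$dir" && sha256sum "$rel.tar.gz" > SHA256SUMS)
}

demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work"
    t="$work/etcd-vX.Y.Z-linux-amd64.tar.gz"
    m="etcd-vX.Y.Z-linux-amd64/etcdctl"
    install_verified "$t" "$work/SHA256SUMS" "$m" "$work/bin/etcdctl" \
        && echo "intact tarball: installed"
    printf 'x' >> "$t"   # simulate modification after the sums were published
    install_verified "$t" "$work/SHA256SUMS" "$m" "$work/bin/etcdctl2" \
        || echo "modified tarball: rejected, nothing installed"
    rm -rf "$work"
}
demo
```

In a real suite the expected digest should be pinned in the repository or the sums file's signature checked, since a sums file fetched from the same place as the tarball only detects corruption.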

agullon force-pushed the USHIFT-6745 branch 2 times, most recently from d38e98d to c275232, March 27, 2026 12:11

Port MicroShiftOnly OTP etcd test cases to Robot Framework as part
of USHIFT-6690. Add the following tests to existing suite files:

etcd.robot (standard1):
- Etcd Database Defragment Manually (OCP-71790): run etcdctl defrag
  and verify db size does not grow
- Etcd Runs As Transient Systemd Scope Unit (OCP-62738): verify
  microshift-etcd.scope is running, transient, and has correct
  systemd wiring (BindsTo/Before microshift.service)
- Etcd Scope Follows MicroShift Lifecycle (OCP-60945): verify etcd
  scope stops/starts with MicroShift

validate-certificate-rotation.robot (standard2):
- Manual Rotation Of Etcd Signer Certs (OCP-75224): delete etcd
  signer certs, restart MicroShift, verify all 4 certs are
  regenerated with valid dates and different fingerprints

Also improves Restore System Date to skip when chronyd is already
active, preventing timeout when the etcd cert test runs without the
clock change test.

USHIFT-6745

pre-commit.check-secrets: ENABLED

agullon commented Mar 27, 2026

/test e2e-aws-tests-release
/test e2e-aws-tests-release-arm
/test e2e-aws-tests-bootc-release-el9
/test e2e-aws-tests-bootc-release-el10
/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10


agullon commented Mar 27, 2026

/retest


openshift-ci bot commented Mar 27, 2026

@agullon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-tests-bootc-release-arm-el9 | 8eccdcb | link | true | /test e2e-aws-tests-bootc-release-arm-el9 |
| ci/prow/e2e-aws-tests-release | 8eccdcb | link | true | /test e2e-aws-tests-release |
| ci/prow/e2e-aws-tests-bootc-release-el10 | 8eccdcb | link | true | /test e2e-aws-tests-bootc-release-el10 |
| ci/prow/e2e-aws-tests-release-arm | 8eccdcb | link | true | /test e2e-aws-tests-release-arm |
| ci/prow/e2e-aws-tests-bootc-release-el9 | 8eccdcb | link | true | /test e2e-aws-tests-bootc-release-el9 |
| ci/prow/e2e-aws-tests-bootc-release-arm-el10 | 8eccdcb | link | true | /test e2e-aws-tests-bootc-release-arm-el10 |
