@Xia-Zhao-rh
Contributor

Add security validation tests for OLM and Marketplace operator metrics endpoints

This PR adds two test cases to validate that operator metrics endpoints are
properly secured with authentication mechanisms.

Test Cases

OCP-85743: OLM operator metrics endpoints authentication

Validates that OLM core operator metrics endpoints require Bearer token authentication:

  • Tests 3 operators: catalog-operator, olm-operator, package-server-manager
  • Verifies unauthorized access returns "Unauthorized" error
  • Verifies authorized access with prometheus-k8s token successfully retrieves metrics
  • Namespace: openshift-operator-lifecycle-manager

OCP-85745: Marketplace operator metrics endpoint mTLS authentication

Validates that marketplace-operator-metrics endpoint requires client certificate (mTLS):

  • Verifies unauthorized access fails with "certificate required" error
  • Verifies authorized access with client certificate from prometheus pod succeeds
  • Uses https-metrics port (8081) specifically
  • Namespace: openshift-marketplace
  • Skips if marketplace capability is not available

xzha@xzha1-mac tests-extension % ~/run-tests-ote.sh v0 "85743|85745"
Generating test list from case IDs...
Found 2 test(s) matching the case IDs

================================================
OLM Version: v0
Test Binary: /Users/xzha/go/src/github.com/openshift/operator-framework-olm/tests-extension/bin/olmv0-tests-ext
Test Source: Case List (85743|85745)
Total tests to run: 2
Log file: result.log
================================================

================================================
[1/2] Running test:
[sig-operator][Jira:OLM] OLMv0 should PolarionID:85743-[OTP]metrics endpoints should be properly secured
================================================

✓ Test PASSED (67s)

================================================
[2/2] Running test:
[sig-operator][Jira:OLM] OLMv0 should PolarionID:85745-[OTP]marketplace-operator-metrics endpoint should require client certificate
================================================

✓ Test PASSED (43s)
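
The two checks that OCP-85745 describes (a scrape without a client certificate is refused, a scrape with one succeeds), as an added Go example that is not the PR's test code. A local httptest server stands in for marketplace-operator-metrics; the function name scrape, the self-signed certificate and the metric line are constructed for illustration, and TLS 1.3 is pinned because that is the version in which Go's server signals a missing certificate with the certificate_required alert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// scrape requests /metrics from a stand-in mTLS server, with or without a client certificate.
func scrape(withCert bool) (int, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	leaf, err := x509.ParseCertificate(der) // also fails if creation above failed
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the server accepts only this sample certificate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "sample_metric 1\n") // constructed metric line
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // trusts the test server's own certificate
	if withCert {
		cfg := client.Transport.(*http.Transport).TLSClientConfig
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	}
	resp, err := client.Get(srv.URL + "/metrics")
	if err != nil {
		return 0, err // no certificate: the server aborts the TLS session
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	fmt.Println(scrape(false)) // 0 and a TLS error
	fmt.Println(scrape(true))  // 200 and <nil>
}
```

Asserting on the rejection as well as on the success is what catches a listener that serves metrics without enforcing client authentication.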

@openshift-ci openshift-ci bot requested review from thetechnick and tmshort January 16, 2026 08:29
@Xia-Zhao-rh
Contributor Author

/payload-job periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-azure-ovn-extended-f2

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-azure-ovn-extended-f2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d26e3420-f2b7-11f0-93e6-8ebe5756a111-0

@Xia-Zhao-rh
Contributor Author

/payload-job periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-gcp-ovn-ipi-disconnected-extended-f1

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-gcp-ovn-ipi-disconnected-extended-f1

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/24716c50-f2b9-11f0-83de-3cabcbe93a9b-0

@Xia-Zhao-rh
Contributor Author

/payload-job periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-gcp-ovn-ipi-disconnected-extended-f1

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-operator-framework-olm-release-4.22-periodics-e2e-gcp-ovn-ipi-disconnected-extended-f1

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f6438970-f2e1-11f0-9e9d-576b0e6ba991-0

@Xia-Zhao-rh
Contributor Author

/verified by @Xia-Zhao-rh

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jan 16, 2026
@openshift-ci-robot

@Xia-Zhao-rh: This PR has been marked as verified by @Xia-Zhao-rh.

Details

In response to this:

/verified by @Xia-Zhao-rh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kuiwang02
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 19, 2026
@jianzhangbjz
Member

/approve

@openshift-ci
Contributor

openshift-ci bot commented Jan 19, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jianzhangbjz, Xia-Zhao-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 19, 2026
@Xia-Zhao-rh Xia-Zhao-rh changed the title automate ocp-85743 and ocp-85745 OCPBUGS-59768 OCPBUGS-59763: automate ocp-85743 and ocp-85745 Jan 19, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jan 19, 2026
@openshift-ci-robot

@Xia-Zhao-rh: This pull request references Jira Issue OCPBUGS-59768, which is invalid:

  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-59763, which is invalid:

  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 19, 2026
@Xia-Zhao-rh Xia-Zhao-rh changed the title OCPBUGS-59768 OCPBUGS-59763: automate ocp-85743 and ocp-85745 automate ocp-85743 and ocp-85745 Jan 19, 2026
@openshift-ci-robot openshift-ci-robot removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 19, 2026
@openshift-ci-robot

@Xia-Zhao-rh: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.


@Xia-Zhao-rh Xia-Zhao-rh changed the title automate ocp-85743 and ocp-85745 NO-ISSUE: automate ocp-85743 and ocp-85745 Jan 19, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 19, 2026
@openshift-ci-robot

@Xia-Zhao-rh: This pull request explicitly references no jira issue.


@openshift-ci
Contributor

openshift-ci bot commented Jan 19, 2026

@Xia-Zhao-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 8cfcfeb into openshift:main Jan 19, 2026
14 checks passed