SigstoreImageVerification:update waitForMCP different config name

QiWang19 · QiWang19 · commit f6ced3ed3f0c · 2025-08-13T22:02:14.000-04:00
Signed-off-by: Qi Wang &lt;qiwan@redhat.com&gt;
diff --git a/test/extended/imagepolicy/imagepolicy.go b/test/extended/imagepolicy/imagepolicy.go
@@ -9,6 +9,8 @@ import (
 	g "github.com/onsi/ginkgo/v2"
 	o "github.com/onsi/gomega"
 	configv1 "github.com/openshift/api/config/v1"
+	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
+	machineconfigclient "github.com/openshift/client-go/machineconfiguration/clientset/versioned"
 	machineconfighelper "github.com/openshift/origin/test/extended/machine_config"
 	exutil "github.com/openshift/origin/test/extended/util"
 	kapiv1 "k8s.io/api/core/v1"
@@ -76,8 +78,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		createClusterImagePolicy(oc, testClusterImagePolicies[invalidPublicKeyClusterImagePolicyName])
 		g.DeferCleanup(deleteClusterImagePolicy, oc, invalidPublicKeyClusterImagePolicyName)
 
-		waitForPoolComplete(oc)
-
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
@@ -95,8 +95,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		createClusterImagePolicy(oc, testClusterImagePolicies[invalidPublicKeyClusterImagePolicyName])
 		g.DeferCleanup(deleteClusterImagePolicy, oc, invalidPublicKeyClusterImagePolicyName)
 
-		waitForPoolComplete(oc)
-
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
@@ -109,8 +107,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		createClusterImagePolicy(oc, testClusterImagePolicies[publiKeyRekorClusterImagePolicyName])
 		g.DeferCleanup(deleteClusterImagePolicy, oc, publiKeyRekorClusterImagePolicyName)
 
-		waitForPoolComplete(oc)
-
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
@@ -122,12 +118,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	g.It("Should fail imagepolicy signature validation in different namespaces root of trust does not match the identity in the signature", func() {
 		createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], imgpolicyClif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, imgpolicyClif.Namespace.Name)
-		waitForPoolComplete(oc)
-
-		createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], clif.Namespace.Name)
-		g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, clif.Namespace.Name)
-
-		waitForPoolComplete(oc)
 
 		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -136,32 +126,14 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		err = waitForTestPodContainerToFailSignatureValidation(tctx, imgpolicyClif, pod)
 		o.Expect(err).NotTo(o.HaveOccurred())
 
-		pod, err = launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
-		o.Expect(err).NotTo(o.HaveOccurred())
-		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
-
-		err = waitForTestPodContainerToFailSignatureValidation(tctx, clif, pod)
-		o.Expect(err).NotTo(o.HaveOccurred())
 	})
 
 	g.It("Should pass imagepolicy signature validation with signed image in namespaces", func() {
-		createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], clif.Namespace.Name)
-		g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, clif.Namespace.Name)
-		waitForPoolComplete(oc)
 
 		createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], imgpolicyClif.Namespace.Name)
 		g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, imgpolicyClif.Namespace.Name)
 
-		waitForPoolComplete(oc)
-
-		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
-		o.Expect(err).NotTo(o.HaveOccurred())
-		g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)
-
-		err = e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
-		o.Expect(err).NotTo(o.HaveOccurred())
-
-		pod, err = launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
+		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
 		g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)
 
@@ -170,13 +142,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	})
 })
 
-func waitForPoolComplete(oc *exutil.CLI) {
-	time.Sleep(10 * time.Second)
-	machineconfighelper.WaitForConfigAndPoolComplete(oc, workerPool, registriesWorkerPoolMachineConfig)
-	machineconfighelper.WaitForConfigAndPoolComplete(oc, masterPool, registriesMasterPoolMachineConfig)
-}
-
 func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
+	e2e.Logf("Updating image config with allowed registries")
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
 	err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		imageConfig, err := oc.AdminConfigClient().ConfigV1().Images().Get(
 			context.Background(), "cluster", metav1.GetOptions{},
@@ -191,13 +161,15 @@ func updateImageConfig(oc *exutil.CLI, allowedRegistries []string) {
 		return err
 	})
 	o.Expect(err).NotTo(o.HaveOccurred(), "error updating image config")
-	time.Sleep(10 * time.Second)
-	machineconfighelper.WaitForConfigAndPoolComplete(oc, workerPool, registriesWorkerPoolMachineConfig)
-	machineconfighelper.WaitForConfigAndPoolComplete(oc, masterPool, registriesMasterPoolMachineConfig)
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
 }
 
 func cleanupImageConfig(oc *exutil.CLI) error {
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
+	err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
 		imageConfig, err := oc.AdminConfigClient().ConfigV1().Images().Get(
 			context.Background(), "cluster", metav1.GetOptions{},
 		)
@@ -208,9 +180,12 @@ func cleanupImageConfig(oc *exutil.CLI) error {
 		_, err = oc.AdminConfigClient().ConfigV1().Images().Update(
 			context.Background(), imageConfig, metav1.UpdateOptions{},
 		)
-		waitForPoolComplete(oc)
 		return err
 	})
+	o.Expect(err).NotTo(o.HaveOccurred(), "error cleaning up image config")
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
+	return nil
 }
 
 func launchTestPod(ctx context.Context, f *e2e.Framework, podName, image string) (*kapiv1.Pod, error) {
@@ -248,28 +223,53 @@ func waitForTestPodContainerToFailSignatureValidation(ctx context.Context, f *e2
 }
 
 func createClusterImagePolicy(oc *exutil.CLI, policy configv1.ClusterImagePolicy) {
+	e2e.Logf("Creating cluster image policy %s", policy.Name)
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
 	_, err := oc.AdminConfigClient().ConfigV1().ClusterImagePolicies().Create(context.TODO(), &policy, metav1.CreateOptions{})
 	o.Expect(err).NotTo(o.HaveOccurred())
+
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
 }
 
 func deleteClusterImagePolicy(oc *exutil.CLI, policyName string) error {
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
 	if err := oc.AdminConfigClient().ConfigV1().ClusterImagePolicies().Delete(context.TODO(), policyName, metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) {
 		return fmt.Errorf("failed to delete cluster image policy %s: %v", policyName, err)
 	}
-	waitForPoolComplete(oc)
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
 	return nil
 }
 
 func createImagePolicy(oc *exutil.CLI, policy configv1.ImagePolicy, namespace string) {
+	// Capture initial rendered config names for both pools before creating the policy
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
+	e2e.Logf("Creating image policy %s in namespace %s", policy.Name, namespace)
 	_, err := oc.AdminConfigClient().ConfigV1().ImagePolicies(namespace).Create(context.TODO(), &policy, metav1.CreateOptions{})
 	o.Expect(err).NotTo(o.HaveOccurred())
+
+	// Wait until each pool's Spec.Configuration.Name changes from the initial value
+	// and the pool reports Updated=true
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
 }
 
 func deleteImagePolicy(oc *exutil.CLI, policyName string, namespace string) error {
+	initialWorkerSpec := getMCPCurrentSpecConfigName(oc, workerPool)
+	initialMasterSpec := getMCPCurrentSpecConfigName(oc, masterPool)
+
 	if err := oc.AdminConfigClient().ConfigV1().ImagePolicies(namespace).Delete(context.TODO(), policyName, metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) {
 		return fmt.Errorf("failed to delete image policy %s in namespace %s: %v", policyName, namespace, err)
 	}
-	waitForPoolComplete(oc)
+	waitForMCPConfigSpecChangeAndUpdated(oc, workerPool, initialWorkerSpec)
+	waitForMCPConfigSpecChangeAndUpdated(oc, masterPool, initialMasterSpec)
 	return nil
 }
 
@@ -380,3 +380,30 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
 	}
 	return testImagePolicies
 }
+
+// getMCPCurrentSpecConfigName returns the current Spec.Configuration.Name for the given MCP
+func getMCPCurrentSpecConfigName(oc *exutil.CLI, pool string) string {
+	clientSet, err := machineconfigclient.NewForConfig(oc.KubeFramework().ClientConfig())
+	o.Expect(err).NotTo(o.HaveOccurred())
+	mcp, err := clientSet.MachineconfigurationV1().MachineConfigPools().Get(context.TODO(), pool, metav1.GetOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	return mcp.Spec.Configuration.Name
+}
+
+// waitForMCPConfigSpecChangeAndUpdated waits until Spec.Configuration.Name changes from the provided initial value
+// and the MCP reports Updated=true
+func waitForMCPConfigSpecChangeAndUpdated(oc *exutil.CLI, pool string, initialSpecName string) {
+	e2e.Logf("Waiting for pool %s to complete", pool)
+	clientSet, err := machineconfigclient.NewForConfig(oc.KubeFramework().ClientConfig())
+	o.Expect(err).NotTo(o.HaveOccurred())
+	o.Eventually(func() bool {
+		mcp, err := clientSet.MachineconfigurationV1().MachineConfigPools().Get(context.TODO(), pool, metav1.GetOptions{})
+		if err != nil {
+			return false
+		}
+		if mcp.Status.Configuration.Name == initialSpecName {
+			return false
+		}
+		return machineconfighelper.IsMachineConfigPoolConditionTrue(mcp.Status.Conditions, mcfgv1.MachineConfigPoolUpdated)
+	}, 20*time.Minute, 10*time.Second).Should(o.BeTrue())
+}
