test: Update openshift tests to use locked images

Update the references to individual images in tests to use either upstream Kube images, or the new tools image. Fix tests that had assumptions about access to those images, including custom builds which lacked access to certs and pull credentials.
openshift · Nov 30, 2020 · 4cbb844 · 4cbb844
1 parent b7fd162
commit 4cbb844
Show file tree

Hide file tree

Showing 126 changed files with 791 additions and 658 deletions.
diff --git a/cmd/openshift-tests/images.go b/cmd/openshift-tests/images.go
@@ -169,7 +169,8 @@ func verifyImagesWithoutEnv() error {
 // pulledInvalidImages returns a function that checks whether the cluster pulled an image that is
 // outside the allowed list of images. The list is defined as a set of static test case images, the
 // local cluster registry, any repository referenced by the image streams in the cluster's 'openshift'
-// namespace, or the location that input images are cloned from.
+// namespace, or the location that input images are cloned from. Only namespaces prefixed with 'e2e-'
+// are checked.
 func pulledInvalidImages(fromRepository string) func(events monitor.EventIntervals) ([]*ginkgo.JUnitTestCase, bool) {
 	// static allowed images
 	allowedImages := sets.NewString("image/webserver:404")
@@ -179,13 +180,20 @@ func pulledInvalidImages(fromRepository string) func(events monitor.EventInterva
 		"gcr.io/authenticated-image-pulling/",
 		"invalid.com/",
 
-		// used by the CI infrastructure, eventually should be created as an image stream tag in
-		// openshift so that it is automatically excluded
-		"grafana/loki",
-		"grafana/promtail",
-		// this is used by an operator hub test and is not replaced today (in the future OLM should
-		// use image streams to reference these and we can exclude those that match)
-		"quay.io/helmoperators/cockroachdb",
+		// installed alongside OLM and managed externally
+		"registry.redhat.io/redhat/community-operator-index",
+		"registry.redhat.io/redhat/certified-operator-index",
+		"registry.redhat.io/redhat/redhat-marketplace-index",
+		"registry.redhat.io/redhat/redhat-operator-index",
+
+		// used by OLM tests
+		"registry.redhat.io/amq7/amq-streams-rhel7-operator",
+		"registry.redhat.io/amq7/amqstreams-rhel7-operator-metadata",
+
+		// used to test pull secrets against an authenticated registry
+		// TODO: will not work for a disconnected test environment and should be emulated by launching
+		//   an authenticated registry in a pod on cluster
+		"registry.redhat.io/rhscl/nodejs-10-rhel7:latest",
 	)
 	if len(fromRepository) > 0 {
 		allowedPrefixes.Insert(fromRepository)
@@ -207,9 +215,15 @@ func pulledInvalidImages(fromRepository string) func(events monitor.EventInterva
 
 		pulls := make(map[string]sets.String)
 		for _, event := range events {
+			// only messages that include a Pulled reason
 			if !strings.Contains(event.Message, " reason/Pulled ") {
 				continue
 			}
+			// only look at pull events from an e2e-* namespace
+			if !strings.Contains(event.Locator, " ns/e2e-") {
+				continue
+			}
+
 			parts := strings.Split(event.Message, " ")
 			if len(parts) == 0 {
 				continue

diff --git a/test/e2e/upgrade/alert/alert.go b/test/e2e/upgrade/alert/alert.go
@@ -75,7 +75,7 @@ func (t *UpgradeTest) Test(f *framework.Framework, done <-chan struct{}, upgrade
 	}
 	t.oc.SetupProject()
 	ns := t.oc.Namespace()
-	execPod := exutil.CreateUbiExecPodOrFail(t.oc.AdminKubeClient(), ns, "execpod", nil)
+	execPod := exutil.CreateExecPodOrFail(t.oc.AdminKubeClient(), ns, "execpod")
 	defer func() {
 		t.oc.AdminKubeClient().CoreV1().Pods(ns).Delete(ctx, execPod.Name, *metav1.NewDeleteOptions(1))
 	}()

diff --git a/test/e2e/upgrade/monitor.go b/test/e2e/upgrade/monitor.go
@@ -20,6 +20,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	configv1client "github.com/openshift/client-go/config/clientset/versioned"
 	"github.com/openshift/origin/test/extended/util/disruption"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 type versionMonitor struct {
@@ -336,7 +337,7 @@ func triggerReboot(kubeClient kubernetes.Interface, target string, attempt int,
 						RunAsUser:  &zero,
 						Privileged: &isTrue,
 					},
-					Image: "ubi8/ubi",
+					Image: image.ShellImage(),
 					Command: []string{
 						"/bin/bash",
 						"-c",

diff --git a/test/extended/apiserver/kubeconfigs.go b/test/extended/apiserver/kubeconfigs.go
@@ -32,7 +32,7 @@ var _ = g.Describe("[Conformance][sig-api-machinery][Feature:APIServer] local ku
 				g.By("Testing master node " + master.Name)
 				kubeconfigPath := "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/" + kubeconfig
 				framework.Logf("Verifying kubeconfig %q on master %s", master.Name)
-				out, err := oc.AsAdmin().Run("debug").Args("node/"+master.Name, "--image=registry.access.redhat.com/ubi8/ubi-minimal:latest", "--", "chroot", "/host", "/bin/bash", "-euxo", "pipefail", "-c", fmt.Sprintf(`oc --kubeconfig "%s" get namespace kube-system`, kubeconfigPath)).Output()
+				out, err := oc.AsAdmin().Run("debug").Args("node/"+master.Name, "--", "chroot", "/host", "/bin/bash", "-euxo", "pipefail", "-c", fmt.Sprintf(`oc --kubeconfig "%s" get namespace kube-system`, kubeconfigPath)).Output()
 				o.Expect(err).NotTo(o.HaveOccurred())
 				framework.Logf(out)
 			}

diff --git a/test/extended/builds/contextdir.go b/test/extended/builds/contextdir.go
@@ -10,6 +10,7 @@ import (
 
 	imageeco "github.com/openshift/origin/test/extended/image_ecosystem"
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -102,7 +103,7 @@ var _ = g.Describe("[sig-builds][Feature:Builds][Slow] builds with a context dir
 				repo, err := exutil.NewGitRepo("contextdir")
 				o.Expect(err).NotTo(o.HaveOccurred())
 				defer repo.Remove()
-				err = repo.AddAndCommit("2.3/Dockerfile", "FROM busybox")
+				err = repo.AddAndCommit("2.3/Dockerfile", fmt.Sprintf("FROM %s", image.ShellImage()))
 				o.Expect(err).NotTo(o.HaveOccurred())
 
 				exutil.WaitForOpenShiftNamespaceImageStreams(oc)

diff --git a/test/extended/builds/dockerfile.go b/test/extended/builds/dockerfile.go
@@ -13,19 +13,20 @@ import (
 	"github.com/openshift/library-go/pkg/image/imageutil"
 
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 var _ = g.Describe("[sig-builds][Feature:Builds][Slow] build can have Dockerfile input", func() {
 	defer g.GinkgoRecover()
 	var (
 		oc             = exutil.NewCLI("build-dockerfile-env")
 		dockerfileAdd  = exutil.FixturePath("testdata", "builds", "docker-add")
-		testDockerfile = `
-FROM library/busybox
+		testDockerfile = fmt.Sprintf(`
+FROM %s
 USER 1001
-`
+`, image.ShellImage())
 		testDockerfile2 = `
-FROM centos:7
+FROM image-registry.openshift-image-registry.svc:5000/openshift/ruby:2.5
 USER 1001
 `
 		testDockerfile3 = `
@@ -85,31 +86,31 @@ USER 1001
 				o.Expect(err).NotTo(o.HaveOccurred())
 
 				g.By("checking the buildconfig content")
-				bc, err := oc.BuildClient().BuildV1().BuildConfigs(oc.Namespace()).Get(context.Background(), "centos", metav1.GetOptions{})
+				bc, err := oc.BuildClient().BuildV1().BuildConfigs(oc.Namespace()).Get(context.Background(), "ruby", metav1.GetOptions{})
 				o.Expect(err).NotTo(o.HaveOccurred())
 				o.Expect(bc.Spec.Source.Git).To(o.BeNil())
 				o.Expect(*bc.Spec.Source.Dockerfile).To(o.Equal(testDockerfile2))
 				o.Expect(bc.Spec.Output.To).ToNot(o.BeNil())
-				o.Expect(bc.Spec.Output.To.Name).To(o.Equal("centos:latest"))
+				o.Expect(bc.Spec.Output.To.Name).To(o.Equal("ruby:latest"))
 
-				buildName := "centos-1"
+				buildName := "ruby-1"
 				g.By("expecting the Dockerfile build is in Complete phase")
 				err = exutil.WaitForABuild(oc.BuildClient().BuildV1().Builds(oc.Namespace()), buildName, nil, nil, nil)
 				//debug for failures
 				if err != nil {
-					exutil.DumpBuildLogs("centos", oc)
+					exutil.DumpBuildLogs("ruby", oc)
 				}
 				o.Expect(err).NotTo(o.HaveOccurred())
 
 				g.By("getting the built container image reference from ImageStream")
-				image, err := oc.ImageClient().ImageV1().ImageStreamTags(oc.Namespace()).Get(context.Background(), "centos:latest", metav1.GetOptions{})
+				image, err := oc.ImageClient().ImageV1().ImageStreamTags(oc.Namespace()).Get(context.Background(), "ruby:latest", metav1.GetOptions{})
 				o.Expect(err).NotTo(o.HaveOccurred())
 				err = imageutil.ImageWithMetadata(&image.Image)
 				o.Expect(err).NotTo(o.HaveOccurred())
 				o.Expect(image.Image.DockerImageMetadata.Object.(*docker10.DockerImage).Config.User).To(o.Equal("1001"))
 
 				g.By("checking for the imported tag")
-				_, err = oc.ImageClient().ImageV1().ImageStreamTags(oc.Namespace()).Get(context.Background(), "centos:7", metav1.GetOptions{})
+				_, err = oc.ImageClient().ImageV1().ImageStreamTags(oc.Namespace()).Get(context.Background(), "ruby:2.5", metav1.GetOptions{})
 				o.Expect(err).NotTo(o.HaveOccurred())
 			})
 

diff --git a/test/extended/builds/hooks.go b/test/extended/builds/hooks.go
@@ -2,6 +2,7 @@ package builds
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -10,6 +11,7 @@ import (
 	o "github.com/onsi/gomega"
 
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 var _ = g.Describe("[sig-builds][Feature:Builds][Slow] testing build configuration hooks", func() {
@@ -163,7 +165,7 @@ var _ = g.Describe("[sig-builds][Feature:Builds][Slow] testing build configurati
 				o.Expect(err).NotTo(o.HaveOccurred())
 				err = oc.Run("patch").Args("bc/mydockertest", "-p", `{"spec":{"output":{"to":{"kind":"ImageStreamTag","name":"mydockertest:latest"}}}}`).Execute()
 				o.Expect(err).NotTo(o.HaveOccurred())
-				err = oc.Run("patch").Args("bc/mydockertest", "-p", `{"spec":{"source":{"dockerfile":"FROM busybox:latest \n ENTRYPOINT /bin/sleep 600 \n"}}}`).Execute()
+				err = oc.Run("patch").Args("bc/mydockertest", "-p", fmt.Sprintf(`{"spec":{"source":{"dockerfile":"FROM %s \n ENTRYPOINT /bin/sleep 600 \n"}}}`, image.ShellImage())).Execute()
 				o.Expect(err).NotTo(o.HaveOccurred())
 
 				g.By("starting a build")

diff --git a/test/extended/builds/multistage.go b/test/extended/builds/multistage.go
@@ -14,108 +14,106 @@ import (
 	buildv1 "github.com/openshift/api/build/v1"
 	eximages "github.com/openshift/origin/test/extended/images"
 	exutil "github.com/openshift/origin/test/extended/util"
+	"github.com/openshift/origin/test/extended/util/image"
 )
 
 var _ = g.Describe("[sig-builds][Feature:Builds] Multi-stage image builds", func() {
 	defer g.GinkgoRecover()
 	var (
 		oc             = exutil.NewCLI("build-multistage")
-		testDockerfile = `
+		testDockerfile = fmt.Sprintf(`
 FROM scratch as test
 USER 1001
-FROM registry.redhat.io/rhel7
+FROM %[1]s as other
 COPY --from=test /usr/bin/curl /test/
-COPY --from=busybox:latest /bin/echo /test/
-COPY --from=busybox:latest /bin/ping /test/
-`
+COPY --from=%[2]s /bin/echo /test/
+COPY --from=%[2]s /bin/ping /test/
+`, image.LimitedShellImage(), image.ShellImage())
 	)
 
-	g.Context("", func() {
-
-		g.AfterEach(func() {
-			if g.CurrentGinkgoTestDescription().Failed {
-				exutil.DumpPodStates(oc)
-				exutil.DumpConfigMapStates(oc)
-				exutil.DumpPodLogsStartingWith("", oc)
-			}
-		})
+	g.AfterEach(func() {
+		if g.CurrentGinkgoTestDescription().Failed {
+			exutil.DumpPodStates(oc)
+			exutil.DumpConfigMapStates(oc)
+			exutil.DumpPodLogsStartingWith("", oc)
+		}
+	})
 
-		g.It("should succeed", func() {
-			g.By("creating a build directly")
-			registryURL, err := eximages.GetDockerRegistryURL(oc)
-			o.Expect(err).NotTo(o.HaveOccurred())
+	g.It("should succeed", func() {
+		g.By("creating a build directly")
+		registryURL, err := eximages.GetDockerRegistryURL(oc)
+		o.Expect(err).NotTo(o.HaveOccurred())
 
-			build, err := oc.BuildClient().BuildV1().Builds(oc.Namespace()).Create(context.Background(), &buildv1.Build{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "multi-stage",
-				},
-				Spec: buildv1.BuildSpec{
-					CommonSpec: buildv1.CommonSpec{
-						Source: buildv1.BuildSource{
-							Dockerfile: &testDockerfile,
-							Images: []buildv1.ImageSource{
-								{From: corev1.ObjectReference{Kind: "DockerImage", Name: "centos:7"}, As: []string{"scratch"}},
-							},
-						},
-						Strategy: buildv1.BuildStrategy{
-							DockerStrategy: &buildv1.DockerBuildStrategy{},
+		build, err := oc.BuildClient().BuildV1().Builds(oc.Namespace()).Create(context.Background(), &buildv1.Build{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "multi-stage",
+			},
+			Spec: buildv1.BuildSpec{
+				CommonSpec: buildv1.CommonSpec{
+					Source: buildv1.BuildSource{
+						Dockerfile: &testDockerfile,
+						Images: []buildv1.ImageSource{
+							{From: corev1.ObjectReference{Kind: "DockerImage", Name: image.ShellImage()}, As: []string{"scratch"}},
 						},
-						Output: buildv1.BuildOutput{
-							To: &corev1.ObjectReference{
-								Kind: "DockerImage",
-								Name: fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
-							},
+					},
+					Strategy: buildv1.BuildStrategy{
+						DockerStrategy: &buildv1.DockerBuildStrategy{},
+					},
+					Output: buildv1.BuildOutput{
+						To: &corev1.ObjectReference{
+							Kind: "DockerImage",
+							Name: fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
 						},
 					},
 				},
-			}, metav1.CreateOptions{})
-			o.Expect(err).NotTo(o.HaveOccurred())
-			result := exutil.NewBuildResult(oc, build)
-			err = exutil.WaitForBuildResult(oc.AdminBuildClient().BuildV1().Builds(oc.Namespace()), result)
-			o.Expect(err).NotTo(o.HaveOccurred())
+			},
+		}, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		result := exutil.NewBuildResult(oc, build)
+		err = exutil.WaitForBuildResult(oc.AdminBuildClient().BuildV1().Builds(oc.Namespace()), result)
+		o.Expect(err).NotTo(o.HaveOccurred())
 
-			pod, err := oc.KubeClient().CoreV1().Pods(oc.Namespace()).Get(context.Background(), build.Name+"-build", metav1.GetOptions{})
-			o.Expect(err).NotTo(o.HaveOccurred())
-			o.Expect(result.BuildSuccess).To(o.BeTrue(), "Build did not succeed: %#v", result)
+		pod, err := oc.KubeClient().CoreV1().Pods(oc.Namespace()).Get(context.Background(), build.Name+"-build", metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(result.BuildSuccess).To(o.BeTrue(), "Build did not succeed: %#v", result)
 
-			s, err := result.Logs()
-			o.Expect(err).NotTo(o.HaveOccurred())
-			o.Expect(s).ToNot(o.ContainSubstring("--> FROM scratch"))
-			o.Expect(s).ToNot(o.ContainSubstring("FROM busybox"))
-			o.Expect(s).To(o.ContainSubstring("STEP 1: FROM centos:7 AS test"))
-			o.Expect(s).To(o.ContainSubstring("COPY --from"))
-			o.Expect(s).To(o.ContainSubstring(fmt.Sprintf("\"OPENSHIFT_BUILD_NAMESPACE\"=\"%s\"", oc.Namespace())))
-			e2e.Logf("Build logs:\n%s", result)
+		s, err := result.Logs()
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(s).ToNot(o.ContainSubstring("--> FROM scratch"))
+		o.Expect(s).ToNot(o.ContainSubstring("FROM busybox"))
+		o.Expect(s).To(o.ContainSubstring(fmt.Sprintf("STEP 1: FROM %s AS test", image.ShellImage())))
+		o.Expect(s).To(o.ContainSubstring("COPY --from"))
+		o.Expect(s).To(o.ContainSubstring(fmt.Sprintf("\"OPENSHIFT_BUILD_NAMESPACE\"=\"%s\"", oc.Namespace())))
+		e2e.Logf("Build logs:\n%s", result)
 
-			c := oc.KubeFramework().PodClient()
-			pod = c.Create(&corev1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test",
-				},
-				Spec: corev1.PodSpec{
-					RestartPolicy: corev1.RestartPolicyNever,
-					Containers: []corev1.Container{
-						{
-							Name:    "run",
-							Image:   fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
-							Command: []string{"/test/curl", "-k", "https://kubernetes.default.svc"},
-						},
-						{
-							Name:    "check",
-							Image:   fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
-							Command: []string{"ls", "/test/"},
-						},
+		c := oc.KubeFramework().PodClient()
+		pod = c.Create(&corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test",
+			},
+			Spec: corev1.PodSpec{
+				RestartPolicy: corev1.RestartPolicyNever,
+				Containers: []corev1.Container{
+					{
+						Name:    "run",
+						Image:   fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
+						Command: []string{"/test/curl", "-k", "https://kubernetes.default.svc"},
+					},
+					{
+						Name:    "check",
+						Image:   fmt.Sprintf("%s/%s/multi-stage:v1", registryURL, oc.Namespace()),
+						Command: []string{"ls", "/test/"},
 					},
 				},
-			})
-			c.WaitForSuccess(pod.Name, e2e.PodStartTimeout)
-			data, err := oc.Run("logs").Args("-f", "test", "-c", "run").Output()
-			o.Expect(err).NotTo(o.HaveOccurred())
-			m, err := oc.Run("logs").Args("-f", "test", "-c", "check").Output()
-			o.Expect(err).NotTo(o.HaveOccurred())
-			o.Expect(m).To(o.ContainSubstring("echo"))
-			o.Expect(m).To(o.ContainSubstring("ping"))
-			e2e.Logf("Pod logs:\n%s\n%s", string(data), string(m))
+			},
 		})
+		c.WaitForSuccess(pod.Name, e2e.PodStartTimeout)
+		data, err := oc.Run("logs").Args("-f", "test", "-c", "run").Output()
+		o.Expect(err).NotTo(o.HaveOccurred())
+		m, err := oc.Run("logs").Args("-f", "test", "-c", "check").Output()
+		o.Expect(err).NotTo(o.HaveOccurred())
+		o.Expect(m).To(o.ContainSubstring("echo"))
+		o.Expect(m).To(o.ContainSubstring("ping"))
+		e2e.Logf("Pod logs:\n%s\n%s", string(data), string(m))
 	})
 })