Migrate test cases to Project API testing KubeAPI server functionality

[YamunadeviShanmugam]

Summary

Migrates project API test cases to the OpenShift Tests Extension (OTE) framework, following OTE integration guidelines and origin test standards.

Tests Added

1. Invalid Node Selector Validation

• Test: [OTP] should reject project creation when an invalid node selector is given
• Validates: Project creation properly rejects invalid node selector formats (colons, commas, brackets, trailing commas)

2. Node Selector Display

• Test: [OTP] should allow a user to get the node selector from a project
• Validates: oc describe project correctly displays node selectors for projects with and without selectors

3. Project Request Template Configuration

• Test: [OTP] should apply a customized project request template with ResourceQuota and LimitRange
• Validates:
  • Custom project request templates automatically apply resources to new projects
  • Template configuration propagates through openshift-apiserver observed config
  • Existing projects are not retroactively affected

4. Cascading Project Deletion

• Test: [OTP] should delete all resources when the project is deleted
• Validates:
  • Deleting a project cascades and removes all resources (deployments, pods, services, configmaps, secrets)
  • Recreating a project with the same name starts with a clean slate

yshanmug@yshanmug-thinkpadp1gen7:~/Documents/dev/forks/origin$ ./openshift-tests run-test "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]"
I0617 19:08:37.867524  878542 factory.go:195] Registered Plugin "containerd"
  I0617 19:08:38.086240  878542 binary.go:80] Found 8876 test specs
  I0617 19:08:38.087920  878542 binary.go:97] 1207 test specs remain, after filtering out k8s
openshift-tests v4.1.0-11252-g26ba874
  I0617 19:08:42.789696  878542 test_setup.go:125] Extended test version v4.1.0-11252-g26ba874
  I0617 19:08:42.789722  878542 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0617 19:08:42.790094 878542 framework.go:2330] [precondition-check] checking if cluster is MicroShift
  I0617 19:08:43.083193 878542 framework.go:2353] IsMicroShiftCluster: microshift-version configmap not found, not MicroShift

  ===========================================================
  Random Seed: 1781703517 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Lifecycle:informing]
  github.com/openshift/origin/test/extended/project/project.go:585
    STEP: Creating a kubernetes client @ 06/17/26 19:08:43.091
  I0617 19:08:43.091681  878542 discovery.go:214] Invalidating discovery information
  I0617 19:08:44.241094 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env:qa:
  StdOut>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env:qa": must be a valid label selector
  StdErr>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env:qa": must be a valid label selector

  I0617 19:08:45.238019 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,qa:
  StdOut>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env,qa": must be a valid label selector
  StdErr>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env,qa": must be a valid label selector

  I0617 19:08:46.389870 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env [qa]:
  StdOut>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env [qa]": must be a valid label selector
  StdErr>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env [qa]": must be a valid label selector

  I0617 19:08:47.603112 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,:
  StdOut>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env,": must be a valid label selector
  StdErr>
  The Project "project-invalid-node-selector" is invalid: nodeSelector: Invalid value: "env,": must be a valid label selector

  • [4.520 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 4.520 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]",
    "lifecycle": "informing",
    "duration": 4520,
    "startTime": "2026-06-17 13:38:43.083469 UTC",
    "endTime": "2026-06-17 13:38:47.604050 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 06/17/26 19:08:43.091\nI0617 19:08:44.241094 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env:qa:\nStdOut\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env:qa\": must be a valid label selector\nStdErr\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env:qa\": must be a valid label selector\n\nI0617 19:08:45.238019 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,qa:\nStdOut\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,qa\": must be a valid label selector\nStdErr\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,qa\": must be a valid label selector\n\nI0617 19:08:46.389870 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env [qa]:\nStdOut\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env [qa]\": must be a valid label selector\nStdErr\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env [qa]\": must be a valid label selector\n\nI0617 19:08:47.603112 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,:\nStdOut\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,\": must be a valid label selector\nStdErr\u003e\nThe Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,\": must be a valid label selector\n\n",
    "error": "    STEP: Creating a kubernetes client @ 06/17/26 19:08:43.091\n  I0617 19:08:43.091681  878542 discovery.go:214] Invalidating discovery information\n  I0617 19:08:44.241094 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env:qa:\n  StdOut\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env:qa\": must be a valid label selector\n  StdErr\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env:qa\": must be a valid label selector\n\n  I0617 19:08:45.238019 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,qa:\n  StdOut\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,qa\": must be a valid label selector\n  StdErr\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,qa\": must be a valid label selector\n\n  I0617 19:08:46.389870 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env [qa]:\n  StdOut\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env [qa]\": must be a valid label selector\n  StdErr\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env [qa]\": must be a valid label selector\n\n  I0617 19:08:47.603112 878542 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig adm new-project project-invalid-node-selector --node-selector=env,:\n  StdOut\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,\": must be a valid label selector\n  StdErr\u003e\n  The Project \"project-invalid-node-selector\" is invalid: nodeSelector: Invalid value: \"env,\": must be a valid label selector\n\n"
  }
yshanmug@yshanmug-thinkpadp1gen7:~/Documents/dev/forks/origin$ ./openshift-tests run-test "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]"
I0617 19:09:10.728787  878684 factory.go:195] Registered Plugin "containerd"
  I0617 19:09:10.958656  878684 binary.go:80] Found 8876 test specs
  I0617 19:09:10.960418  878684 binary.go:97] 1207 test specs remain, after filtering out k8s
openshift-tests v4.1.0-11252-g26ba874
  I0617 19:09:15.248588  878684 test_setup.go:125] Extended test version v4.1.0-11252-g26ba874
  I0617 19:09:15.248617  878684 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0617 19:09:15.248984 878684 framework.go:2330] [precondition-check] checking if cluster is MicroShift
  I0617 19:09:15.476066 878684 framework.go:2353] IsMicroShiftCluster: microshift-version configmap not found, not MicroShift
  Running Suite:  - /home/yshanmug/Documents/dev/forks/origin
  ===========================================================
  Random Seed: 1781703550 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Lifecycle:informing]
  github.com/openshift/origin/test/extended/project/project.go:606
    STEP: Creating a kubernetes client @ 06/17/26 19:09:15.483
  I0617 19:09:15.484458  878684 discovery.go:214] Invalidating discovery information
  I0617 19:09:23.388626 878684 client.go:293] configPath is now "/tmp/configfile3797219449"
  I0617 19:09:23.388666 878684 client.go:368] The user is now "e2e-test-project-api-hfcj2-user"
  I0617 19:09:23.388669 878684 client.go:370] Creating project "e2e-test-project-api-hfcj2"
  I0617 19:09:23.715462 878684 client.go:378] Waiting on permissions in project "e2e-test-project-api-hfcj2" ...
  I0617 19:09:24.759904 878684 client.go:407] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs
  I0617 19:09:25.066614 878684 client.go:422] Waiting for ServiceAccount "default" to be provisioned...
  I0617 19:09:25.715281 878684 client.go:422] Waiting for ServiceAccount "builder" to be provisioned...
  I0617 19:09:26.332322 878684 client.go:422] Waiting for ServiceAccount "deployer" to be provisioned...
  I0617 19:09:26.900416 878684 client.go:432] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I0617 19:09:27.140397 878684 client.go:432] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I0617 19:09:27.381079 878684 client.go:432] Waiting for RoleBinding "system:deployers" to be provisioned...
  I0617 19:09:29.456747 878684 client.go:469] Project "e2e-test-project-api-hfcj2" has been fully provisioned.
  Created project project-get-node-selector-without-selector-nfxxk
  Created project project-get-node-selector-with-selector-nfxxk
  project.project.openshift.io "project-get-node-selector-with-selector-nfxxk" deleted
  project.project.openshift.io "project-get-node-selector-without-selector-nfxxk" deleted
  I0617 19:09:51.588902 878684 client.go:689] Deleted {user.openshift.io/v1, Resource=users  e2e-test-project-api-hfcj2-user}, err: <nil>
  I0617 19:09:51.820851 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-project-api-hfcj2}, err: <nil>
  I0617 19:09:52.054120 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~MzkekpW6crRiSlcbAci6o6sMkv3nLKvUAD-4dsgETD4}, err: <nil>
    STEP: Destroying namespace "e2e-test-project-api-hfcj2" for this suite. @ 06/17/26 19:09:52.054
  • [36.810 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 36.810 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]",
    "lifecycle": "informing",
    "duration": 36810,
    "startTime": "2026-06-17 13:39:15.476328 UTC",
    "endTime": "2026-06-17 13:39:52.286892 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 06/17/26 19:09:15.483\nI0617 19:09:23.388626 878684 client.go:293] configPath is now \"/tmp/configfile3797219449\"\nI0617 19:09:23.388666 878684 client.go:368] The user is now \"e2e-test-project-api-hfcj2-user\"\nI0617 19:09:23.388669 878684 client.go:370] Creating project \"e2e-test-project-api-hfcj2\"\nI0617 19:09:23.715462 878684 client.go:378] Waiting on permissions in project \"e2e-test-project-api-hfcj2\" ...\nI0617 19:09:24.759904 878684 client.go:407] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs\nI0617 19:09:25.066614 878684 client.go:422] Waiting for ServiceAccount \"default\" to be provisioned...\nI0617 19:09:25.715281 878684 client.go:422] Waiting for ServiceAccount \"builder\" to be provisioned...\nI0617 19:09:26.332322 878684 client.go:422] Waiting for ServiceAccount \"deployer\" to be provisioned...\nI0617 19:09:26.900416 878684 client.go:432] Waiting for RoleBinding \"system:image-pullers\" to be provisioned...\nI0617 19:09:27.140397 878684 client.go:432] Waiting for RoleBinding \"system:image-builders\" to be provisioned...\nI0617 19:09:27.381079 878684 client.go:432] Waiting for RoleBinding \"system:deployers\" to be provisioned...\nI0617 19:09:29.456747 878684 client.go:469] Project \"e2e-test-project-api-hfcj2\" has been fully provisioned.\nCreated project project-get-node-selector-without-selector-nfxxk\nCreated project project-get-node-selector-with-selector-nfxxk\nproject.project.openshift.io \"project-get-node-selector-with-selector-nfxxk\" deleted\nproject.project.openshift.io \"project-get-node-selector-without-selector-nfxxk\" deleted\nI0617 19:09:51.588902 878684 client.go:689] Deleted {user.openshift.io/v1, Resource=users  e2e-test-project-api-hfcj2-user}, err: \u003cnil\u003e\nI0617 19:09:51.820851 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-project-api-hfcj2}, err: \u003cnil\u003e\nI0617 19:09:52.054120 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~MzkekpW6crRiSlcbAci6o6sMkv3nLKvUAD-4dsgETD4}, err: \u003cnil\u003e\n  STEP: Destroying namespace \"e2e-test-project-api-hfcj2\" for this suite. @ 06/17/26 19:09:52.054\n",
    "error": "    STEP: Creating a kubernetes client @ 06/17/26 19:09:15.483\n  I0617 19:09:15.484458  878684 discovery.go:214] Invalidating discovery information\n  I0617 19:09:23.388626 878684 client.go:293] configPath is now \"/tmp/configfile3797219449\"\n  I0617 19:09:23.388666 878684 client.go:368] The user is now \"e2e-test-project-api-hfcj2-user\"\n  I0617 19:09:23.388669 878684 client.go:370] Creating project \"e2e-test-project-api-hfcj2\"\n  I0617 19:09:23.715462 878684 client.go:378] Waiting on permissions in project \"e2e-test-project-api-hfcj2\" ...\n  I0617 19:09:24.759904 878684 client.go:407] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs\n  I0617 19:09:25.066614 878684 client.go:422] Waiting for ServiceAccount \"default\" to be provisioned...\n  I0617 19:09:25.715281 878684 client.go:422] Waiting for ServiceAccount \"builder\" to be provisioned...\n  I0617 19:09:26.332322 878684 client.go:422] Waiting for ServiceAccount \"deployer\" to be provisioned...\n  I0617 19:09:26.900416 878684 client.go:432] Waiting for RoleBinding \"system:image-pullers\" to be provisioned...\n  I0617 19:09:27.140397 878684 client.go:432] Waiting for RoleBinding \"system:image-builders\" to be provisioned...\n  I0617 19:09:27.381079 878684 client.go:432] Waiting for RoleBinding \"system:deployers\" to be provisioned...\n  I0617 19:09:29.456747 878684 client.go:469] Project \"e2e-test-project-api-hfcj2\" has been fully provisioned.\n  Created project project-get-node-selector-without-selector-nfxxk\n  Created project project-get-node-selector-with-selector-nfxxk\n  project.project.openshift.io \"project-get-node-selector-with-selector-nfxxk\" deleted\n  project.project.openshift.io \"project-get-node-selector-without-selector-nfxxk\" deleted\n  I0617 19:09:51.588902 878684 client.go:689] Deleted {user.openshift.io/v1, Resource=users  e2e-test-project-api-hfcj2-user}, err: \u003cnil\u003e\n  I0617 19:09:51.820851 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-project-api-hfcj2}, err: \u003cnil\u003e\n  I0617 19:09:52.054120 878684 client.go:689] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~MzkekpW6crRiSlcbAci6o6sMkv3nLKvUAD-4dsgETD4}, err: \u003cnil\u003e\n    STEP: Destroying namespace \"e2e-test-project-api-hfcj2\" for this suite. @ 06/17/26 19:09:52.054\n"
  }
]yshanmug@yshanmug-thinkpadp1gen7:~/Documents/dev/forks/origin$./openshift-tests run-test "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]"
I0617 19:10:34.070573  878885 factory.go:195] Registered Plugin "containerd"
  I0617 19:10:34.297270  878885 binary.go:80] Found 8876 test specs
  I0617 19:10:34.299020  878885 binary.go:97] 1207 test specs remain, after filtering out k8s
openshift-tests v4.1.0-11252-g26ba874
  I0617 19:10:38.599173  878885 test_setup.go:125] Extended test version v4.1.0-11252-g26ba874
  I0617 19:10:38.599204  878885 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0617 19:10:38.599582 878885 framework.go:2330] [precondition-check] checking if cluster is MicroShift
  I0617 19:10:38.838969 878885 framework.go:2353] IsMicroShiftCluster: microshift-version configmap not found, not MicroShift
  
  Running Suite:  - /home/yshanmug/Documents/dev/forks/origin
  ===========================================================
  Random Seed: 1781703634 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Lifecycle:informing]
  github.com/openshift/origin/test/extended/project/project.go:798
    STEP: Creating a kubernetes client @ 06/17/26 19:10:38.848
  I0617 19:10:38.849246  878885 discovery.go:214] Invalidating discovery information
  Now using project "project-cascading-delete" on server "https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443".

  You can add applications to this project with the 'new-app' command. For example, try:

      oc new-app rails-postgresql-example

  to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

      kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname
  --> Found container image 4200f43 (2 seconds old) from quay.io for "quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83"

      * An image stream tag will be created as "hello-openshift:latest" that will track this image

  --> Creating resources ...
      imagestream.image.openshift.io "hello-openshift" created
      deployment.apps "hello-openshift" created
      service "hello-openshift" created
  --> Success
      Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
       'oc expose service/hello-openshift' 
      Run 'oc status' to view your app.
  configmap/project-cascading-delete-cm created
  secret/project-cascading-delete-secret created
  project.project.openshift.io "project-cascading-delete" deleted
  I0617 19:11:41.524712 878885 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig get project project-cascading-delete:
  StdOut>
  Error from server (NotFound): namespaces "project-cascading-delete" not found
  StdErr>
  Error from server (NotFound): namespaces "project-cascading-delete" not found

  Already on project "project-cascading-delete" on server "https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443".

  You can add applications to this project with the 'new-app' command. For example, try:

      oc new-app rails-postgresql-example

  to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

      kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname
  project.project.openshift.io "project-cascading-delete" deleted

  • [78.403 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 78.403 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]",
    "lifecycle": "informing",
    "duration": 78402,
    "startTime": "2026-06-17 13:40:38.839279 UTC",
    "endTime": "2026-06-17 13:41:57.242176 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 06/17/26 19:10:38.848\nNow using project \"project-cascading-delete\" on server \"https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443\".\n\nYou can add applications to this project with the 'new-app' command. For example, try:\n\n    oc new-app rails-postgresql-example\n\nto build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:\n\n    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname\n--\u003e Found container image 4200f43 (2 seconds old) from quay.io for \"quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83\"\n\n    * An image stream tag will be created as \"hello-openshift:latest\" that will track this image\n\n--\u003e Creating resources ...\n    imagestream.image.openshift.io \"hello-openshift\" created\n    deployment.apps \"hello-openshift\" created\n    service \"hello-openshift\" created\n--\u003e Success\n    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:\n     'oc expose service/hello-openshift' \n    Run 'oc status' to view your app.\nconfigmap/project-cascading-delete-cm created\nsecret/project-cascading-delete-secret created\nproject.project.openshift.io \"project-cascading-delete\" deleted\nI0617 19:11:41.524712 878885 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig get project project-cascading-delete:\nStdOut\u003e\nError from server (NotFound): namespaces \"project-cascading-delete\" not found\nStdErr\u003e\nError from server (NotFound): namespaces \"project-cascading-delete\" not found\n\nAlready on project \"project-cascading-delete\" on server \"https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443\".\n\nYou can add applications to this project with the 'new-app' command. For example, try:\n\n    oc new-app rails-postgresql-example\n\nto build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:\n\n    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname\nproject.project.openshift.io \"project-cascading-delete\" deleted\n\n",
    "error": "    STEP: Creating a kubernetes client @ 06/17/26 19:10:38.848\n  I0617 19:10:38.849246  878885 discovery.go:214] Invalidating discovery information\n  Now using project \"project-cascading-delete\" on server \"https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443\".\n\n  You can add applications to this project with the 'new-app' command. For example, try:\n\n      oc new-app rails-postgresql-example\n\n  to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:\n\n      kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname\n  --\u003e Found container image 4200f43 (2 seconds old) from quay.io for \"quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83\"\n\n      * An image stream tag will be created as \"hello-openshift:latest\" that will track this image\n\n  --\u003e Creating resources ...\n      imagestream.image.openshift.io \"hello-openshift\" created\n      deployment.apps \"hello-openshift\" created\n      service \"hello-openshift\" created\n  --\u003e Success\n      Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:\n       'oc expose service/hello-openshift' \n      Run 'oc status' to view your app.\n  configmap/project-cascading-delete-cm created\n  secret/project-cascading-delete-secret created\n  project.project.openshift.io \"project-cascading-delete\" deleted\n  I0617 19:11:41.524712 878885 client.go:1094] Error running oc --kubeconfig=/home/yshanmug/Documents/del/kubeconfig get project project-cascading-delete:\n  StdOut\u003e\n  Error from server (NotFound): namespaces \"project-cascading-delete\" not found\n  StdErr\u003e\n  Error from server (NotFound): namespaces \"project-cascading-delete\" not found\n\n  Already on project \"project-cascading-delete\" on server \"https://api.ci-ln-6btzg6t-76ef8.aws-4.ci.openshift.org:6443\".\n\n  You can add applications to this project with the 'new-app' command. For example, try:\n\n      oc new-app rails-postgresql-example\n\n  to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:\n\n      kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname\n  project.project.openshift.io \"project-cascading-delete\" deleted\n\n"
  }
]
./openshift-tests run-test "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][Slow][OTP] should apply a customized project request template with ResourceQuota and LimitRange [apigroup:project.openshift.io][apigroup:config.openshift.io][apigroup:template.openshift.io]"
I0617 19:19:24.008381  880713 factory.go:195] Registered Plugin "containerd"
  I0617 19:19:24.240033  880713 binary.go:80] Found 8876 test specs
  I0617 19:19:24.241929  880713 binary.go:97] 1207 test specs remain, after filtering out k8s
openshift-tests v4.1.0-11252-g26ba874
  I0617 19:19:30.436643  880713 test_setup.go:125] Extended test version v4.1.0-11252-g26ba874
  I0617 19:19:30.436672  880713 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0617 19:19:30.437213 880713 framework.go:2330] [precondition-check] checking if cluster is MicroShift
  I0617 19:19:30.765096 880713 framework.go:2353] IsMicroShiftCluster: microshift-version configmap not found, not MicroShift
  Running Suite:  - /home/yshanmug/Documents/dev/forks/origin
  ===========================================================
  Random Seed: 1781704164 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][Slow][OTP] should apply a customized project request template with ResourceQuota and LimitRange [apigroup:project.openshift.io][apigroup:config.openshift.io][apigroup:template.openshift.io] [Lifecycle:informing]
  github.com/openshift/origin/test/extended/project/project.go:645
    STEP: Creating a kubernetes client @ 06/17/26 19:19:30.775
  I0617 19:19:30.775858  880713 discovery.go:214] Invalidating discovery information
  template.template.openshift.io/project-request-template-request created
  project.project.openshift.io "project-request-template-before" deleted
  I0617 19:26:47.207016 880713 project.go:885] cleanup: deleted project "project-request-template-before"
  project.project.openshift.io "project-request-template-after" deleted
  I0617 19:26:55.288162 880713 project.go:885] cleanup: deleted project "project-request-template-after"
  template.template.openshift.io "project-request-template-request" deleted from openshift-config namespace
  I0617 19:26:56.517763 880713 project.go:893] cleanup: deleted template "project-request-template-request" from openshift-config
  • [777.626 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 777.626 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][Slow][OTP] should apply a customized project request template with ResourceQuota and LimitRange [apigroup:project.openshift.io][apigroup:config.openshift.io][apigroup:template.openshift.io]",
    "lifecycle": "informing",
    "duration": 777626,
    "startTime": "2026-06-17 13:49:30.765351 UTC",
    "endTime": "2026-06-17 14:02:28.391814 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 06/17/26 19:19:30.775\ntemplate.template.openshift.io/project-request-template-request created\nproject.project.openshift.io \"project-request-template-before\" deleted\nI0617 19:26:47.207016 880713 project.go:885] cleanup: deleted project \"project-request-template-before\"\nproject.project.openshift.io \"project-request-template-after\" deleted\nI0617 19:26:55.288162 880713 project.go:885] cleanup: deleted project \"project-request-template-after\"\ntemplate.template.openshift.io \"project-request-template-request\" deleted from openshift-config namespace\nI0617 19:26:56.517763 880713 project.go:893] cleanup: deleted template \"project-request-template-request\" from openshift-config\n",
    "error": "    STEP: Creating a kubernetes client @ 06/17/26 19:19:30.775\n  I0617 19:19:30.775858  880713 discovery.go:214] Invalidating discovery information\n  template.template.openshift.io/project-request-template-request created\n  project.project.openshift.io \"project-request-template-before\" deleted\n  I0617 19:26:47.207016 880713 project.go:885] cleanup: deleted project \"project-request-template-before\"\n  project.project.openshift.io \"project-request-template-after\" deleted\n  I0617 19:26:55.288162 880713 project.go:885] cleanup: deleted project \"project-request-template-after\"\n  template.template.openshift.io \"project-request-template-request\" deleted from openshift-config namespace\n  I0617 19:26:56.517763 880713 project.go:893] cleanup: deleted template \"project-request-template-request\" from openshift-config\n"
  }

Summary by CodeRabbit

Summary

• Tests
  • Expanded end-to-end coverage for project creation, including rejection of multiple invalid node-selector formats.
  • Verified user-visible node selector output in project descriptions (<none> when unset, configured values when set).
  • Added slow/serialized checks to ensure custom project request templates propagate and apply ResourceQuota/LimitRange only to projects created after readiness.
  • Added serialized checks that deleting a project fully removes resources and recreating it starts clean.
  • Added an embedded YAML fixture for project request limits/quotas and improved test OAuth token cleanup.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds four new serialized Ginkgo e2e tests covering invalid node selector rejection, node selector display via oc describe project, project request template propagation with ResourceQuota/LimitRange injection and openshift-apiserver operator stability polling, and cascading project deletion. Introduces a parameterized YAML fixture, updates GetScopedClientForUser to accept context and defer token cleanup, and updates existing test call sites.

Changes

Project API E2E Tests

Layer / File(s)	Summary
YAML fixture and bindata embedding test/extended/testdata/project/project-request-limits-quota.yaml, test/extended/testdata/bindata.go	Adds a parameterized template YAML defining a LimitRange and ResourceQuota keyed on ${PROJECT_NAME}, and registers it in bindata.go with embedded byte slice, helper functions, map entry, and bintree node.
GetScopedClientForUser context and token cleanup test/extended/project/project.go	Expands import blocks to add JSON, regex, string, time, and Kubernetes client/utility packages. Updates GetScopedClientForUser signature to accept context.Context as first parameter and changes OAuth token cleanup to use deferred direct delete instead of resource registration. Updates two existing call sites to pass the test context as the new first argument.
Project API test suite: node selector, template propagation, and cascading deletion test/extended/project/project.go	Implements the [sig-api-machinery] [Jira:apiserver-auth] Project API Ginkgo suite with tests for invalid node-selector rejection via adm new-project, node-selector visibility via oc describe project, project request template propagation with LimitRange/ResourceQuota injection and openshift-apiserver operator stability polling, and cascading project deletion verification. Includes cleanup function and helpers openshiftAPIServerObservedProjectRequestTemplate and waitForOpenShiftAPIServerOperatorStableWithPolling.

Sequence Diagram(s)

sequenceDiagram
  participant Test
  participant ProjectAPI as Project<br/>API
  participant ConfigAPI as Cluster<br/>Config
  participant APIServerOp as OpenShift<br/>APIServer Operator
  participant ClusterOp as Cluster<br/>Operator

  rect rgba(200, 220, 255, 0.5)
    Note over Test,ConfigAPI: Template Propagation Test
    Test->>ConfigAPI: PATCH project.config.openshift.io/cluster<br/>set projectRequestTemplate
    Test->>APIServerOp: extract observed projectRequestTemplate
    Test->>ClusterOp: poll conditions: Available,<br/>NotProgressing, NotDegraded
    Test->>ProjectAPI: create project post-update
    ProjectAPI-->>Test: namespace contains injected<br/>LimitRange and ResourceQuota
  end

  rect rgba(200, 255, 200, 0.5)
    Note over Test,ProjectAPI: Cascading Deletion Test
    Test->>ProjectAPI: create project with pods,<br/>configmaps, secrets
    Test->>ProjectAPI: DELETE project namespace
    Test->>ProjectAPI: poll namespace deletion,<br/>verify resources removed
    Test->>ProjectAPI: recreate project name
    ProjectAPI-->>Test: verify namespace empty,<br/>no leftover resources
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references migrating test cases to Project API testing but the summary shows primarily new test additions covering Project API validation, node selectors, templates, and deletion semantics.	Revise title to accurately reflect the main change: focus on adding comprehensive Project API test coverage for node selectors, templates, and cascading deletion, or clarify what 'migrate' means in context.
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Many assertions lack meaningful failure messages. 46+ Expect().NotTo(HaveOccurred()) calls have no message parameters, violating requirement 4.	Add failure messages to all assertions: Expect(err).NotTo(HaveOccurred(), "operation context/name") to aid diagnosis when tests fail.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All four test names are stable and deterministic with no dynamic information (random IDs, timestamps, node names, namespaces, IPs) in titles; dynamic values are correctly confined to test bodies.
Microshift Test Compatibility	✅ Passed	All four new e2e tests have [apigroup:...] tags for OpenShift APIs unavailable on MicroShift (project.openshift.io, config.openshift.io, template.openshift.io, apps.openshift.io), so MicroShift CI...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	All four new tests are SNO-compatible. They don't assume multiple nodes, use node affinity, require topology-specific scheduling, or depend on multi-node cluster features. The cascading deletion te...
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies test code and test fixtures (LimitRange/ResourceQuota YAML) in test/ directory. No deployment manifests, operator code, or workload scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR passes OTE Binary Stdout Contract: no init/main/BeforeSuite functions, zero fmt.Print/os.Stdout calls, all logging via framework.Logf, proper var _ = g.Describe pattern, tests use ote.Informing(...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The four new Ginkgo tests (Invalid Node Selector, Node Selector Display, Project Request Template, Cascading Deletion) contain no IPv4 assumptions, hardcoded IPv4 addresses, or external connectivit...
No-Weak-Crypto	✅ Passed	PR adds project API tests using SHA256 (strong algorithm) for token hashing. No weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom implementations, or insecure comparisons introduced.
Container-Privileges	✅ Passed	No privileged container settings found in PR changes. The new YAML fixture contains only LimitRange and ResourceQuota resources with no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, o...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging found. OAuth token cleanup explicitly avoids logging token hash (line 1023 comment), and all logging statements only log non-sensitive metadata (project/template names, er...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/extended/project/project.go (2)

764-784: 💤 Low value

Refactor: Use the helper function to avoid duplication.

This polling logic duplicates the waitForOpenShiftAPIServerOperatorStableWithPolling helper function defined later in this file (lines 967-991). Consider reusing the helper.

♻️ Suggested refactor

-		err = wait.PollUntilContextCancel(ctx, 30*time.Second, true, func(ctx context.Context) (bool, error) {
-			co, err := oc.AdminConfigClient().ConfigV1().ClusterOperators().Get(ctx, "openshift-apiserver", metav1.GetOptions{})
-			if err != nil {
-				return false, nil
-			}
-			var available, progressing, degraded bool
-			for _, c := range co.Status.Conditions {
-				if c.Type == configv1.OperatorAvailable {
-					available = c.Status == configv1.ConditionTrue
-				} else if c.Type == configv1.OperatorProgressing {
-					progressing = c.Status == configv1.ConditionTrue
-				} else if c.Type == configv1.OperatorDegraded {
-					degraded = c.Status == configv1.ConditionTrue
-				}
-			}
-			if degraded {
-				return false, fmt.Errorf("openshift-apiserver operator is degraded")
-			}
-			return available && !progressing, nil
-		})
+		err = waitForOpenShiftAPIServerOperatorStableWithPolling(ctx, oc)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/project/project.go` around lines 764 - 784, The polling logic
for checking the OpenShift API server operator status is duplicated inline in
the code block starting at line 764. Remove the inline
wait.PollUntilContextCancel block that checks cluster operator conditions
(available, progressing, degraded) and replace it with a call to the existing
helper function waitForOpenShiftAPIServerOperatorStableWithPolling which is
defined later in the file and contains the same polling logic. This will
eliminate the code duplication and improve maintainability.

---

884-895: ⚡ Quick win

Consider detecting permanent pod failures to fail fast.

The pod readiness check only detects transitional states (ContainerCreating, Init, Pending). If the image pull fails permanently (e.g., ImagePullBackOff, ErrImagePull) or the container crashes (CrashLoopBackOff), the test will wait the full 3 minutes before timing out.

♻️ Suggested improvement

 		err = wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 3*time.Minute, false, func(ctx context.Context) (bool, error) {
 			podOutput, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("pods", "-n", projectName, "--no-headers").Output()
 			if err != nil {
 				return false, nil
 			}
+			// Fail fast on permanent errors
+			if matched, _ := regexp.MatchString(`(ImagePullBackOff|ErrImagePull|CrashLoopBackOff|Error)`, podOutput); matched {
+				return false, fmt.Errorf("pod entered failure state: %s", podOutput)
+			}
 			if matched, _ := regexp.MatchString(`(ContainerCreating|Init|Pending)`, podOutput); matched {
 				return false, nil
 			}
 			return strings.TrimSpace(podOutput) != "", nil
 		})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/project/project.go` around lines 884 - 895, The pod readiness
check in the wait.PollUntilContextTimeout function with the regexp.MatchString
call only detects transitional states (ContainerCreating, Init, Pending) but
does not check for permanent failure states like ImagePullBackOff, ErrImagePull,
or CrashLoopBackOff. Add an additional regexp.MatchString check within the same
polling condition to detect these failure states, and return false immediately
when such a state is found so the wait fails fast instead of continuing for the
full 3-minute timeout duration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/project/project.go`:
- Around line 909-916: The deletion verification in the poll function currently
treats any error from the oc get project command as successful deletion by
returning true when getErr is not nil. This masks transient errors like network
or authentication problems. Instead of immediately returning true when getErr is
not nil, check if the error message specifically contains "not found" text using
regexp.MatchString (similar to how it's already checking the output), and only
return true if it matches that specific pattern. For other errors, either return
false to continue polling or propagate the actual error to distinguish deletion
from transient failures.

---

Nitpick comments:
In `@test/extended/project/project.go`:
- Around line 764-784: The polling logic for checking the OpenShift API server
operator status is duplicated inline in the code block starting at line 764.
Remove the inline wait.PollUntilContextCancel block that checks cluster operator
conditions (available, progressing, degraded) and replace it with a call to the
existing helper function waitForOpenShiftAPIServerOperatorStableWithPolling
which is defined later in the file and contains the same polling logic. This
will eliminate the code duplication and improve maintainability.
- Around line 884-895: The pod readiness check in the
wait.PollUntilContextTimeout function with the regexp.MatchString call only
detects transitional states (ContainerCreating, Init, Pending) but does not
check for permanent failure states like ImagePullBackOff, ErrImagePull, or
CrashLoopBackOff. Add an additional regexp.MatchString check within the same
polling condition to detect these failure states, and return false immediately
when such a state is found so the wait fails fast instead of continuing for the
full 3-minute timeout duration.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 560f4189-9491-4d9a-a6c7-4fde004881de

📥 Commits

Reviewing files that changed from the base of the PR and between ae4a0d4 and 26ba874.

📒 Files selected for processing (3)

• test/extended/project/project.go
• test/extended/testdata/bindata.go
• test/extended/testdata/project/project-request-limits-quota.yaml

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/project/project.go`:
- Around line 742-746: The function
openshiftAPIServerObservedProjectRequestTemplate uses context.Background()
internally, which prevents the surrounding poll timeout from cancelling stuck
API reads. Modify the openshiftAPIServerObservedProjectRequestTemplate function
signature to accept a context.Context parameter, replace the
context.Background() call with this passed context, and then update all call
sites (including the one at lines 742-746 and the additional occurrences at
lines 914-916 and 930-931) to pass the poll or cleanup context through to the
helper function.
- Line 663: The cleanup operation in the defer statement for
cleanupProjectRequestTemplateTest needs to restore the cluster config before
deleting the template to prevent leaving the cluster in a broken state, and all
error returns from cleanup operations must be checked and handled rather than
ignored. Modify the cleanupProjectRequestTemplateTest function to first restore
the cluster configuration (using the restoreProjectSpec parameter) before
deleting the referenced template, and ensure that any errors returned from
restore operations or template deletion are properly checked and handled
according to Go error handling guidelines. Apply the same fix to all similar
cleanup defer statements mentioned in the extended comment range (lines
891-925).
- Around line 619-624: The deferred Execute() calls for project cleanup (the
delete project commands for firstProject and secondProject, and similar calls at
lines 805 and 872) are not checking for errors, which violates Go error handling
guidelines. Wrap each deferred project deletion in a pattern similar to the
new-project creation shown in the diff: capture the error from Execute() and
validate it with o.Expect(err).NotTo(o.HaveOccurred()) to ensure cleanup
failures are not silently ignored. Apply this error checking wrapper
consistently to all deferred project deletion calls throughout the file.
- Around line 380-385: The error returned from GetScopedClientForUser() for
twoThreeBobConfig is being ignored before the config is used to create
twoThreeBobClient with NewForConfigOrDie(). Add an error check immediately after
the GetScopedClientForUser() call (similar to how adjacent scoped client calls
handle errors) to verify err is nil before proceeding to construct
twoThreeBobClient. If an error occurs, handle it appropriately by returning or
logging the error rather than allowing a potentially invalid config to be passed
to NewForConfigOrDie().
- Around line 875-877: Replace the oc status command call and substring matching
in the assertion with direct resource queries. Instead of running oc status and
checking for the substring "no services, deployment", query each resource type
deterministically by using separate oc get commands for configmaps, secrets,
pods, services, and deployments with the projectName filter, then verify that
each resource query returns no results. This approach is more reliable than
parsing the human-readable prose output of oc status.
- Around line 995-1002: The defer block in the GetScopedClientForUser function
deletes the OAuthAccessToken prematurely before callers can use it with the
returned scopedConfig for watches and list operations. Remove the entire defer
block that calls Delete on sha256TokenStr so the token persists after the
function returns and is available for callers to use. Additionally, if token
cleanup is needed, it should be handled by calling code at an appropriate time,
not immediately deferred here.
- Around line 821-831: The polling logic inside the PollUntilContextTimeout call
with the regexp.MatchString check is insufficient because it only filters out
early lifecycle states (ContainerCreating, Init, Pending) but does not verify
that pods are actually in a Running or Ready state. This allows the poll to
succeed even when pods are in failure states like CrashLoopBackOff, Error, or
Completed. Replace the negative matching logic (checking if pods are NOT in
certain states) with positive matching logic that explicitly checks the pod
output contains the "Running" state, ensuring the poll only succeeds when pods
are actually healthy and running.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 552040f8-5613-45f8-8f7c-f5a447a15b1f

📥 Commits

Reviewing files that changed from the base of the PR and between e642a80 and bc9b7f9.

📒 Files selected for processing (3)

• test/extended/project/project.go
• test/extended/testdata/bindata.go
• test/extended/testdata/project/project-request-limits-quota.yaml

✅ Files skipped from review due to trivial changes (2)

• test/extended/testdata/project/project-request-limits-quota.yaml
• test/extended/testdata/bindata.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: bc9b7f9

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: bc9b7f9

• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-trt]

Job Failure Risk Analysis for sha: b912f72

Job Name

Failure Risk

pull-ci-openshift-origin-main-e2e-vsphere-ovn

Low [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation a user defined primary network created using ClusterUserDefinedNetwork creates a networkStatus Annotation with UDN interface L3 primary UDN [Suite:openshift/conformance/parallel] This test has passed 55.90% of 3329 runs on release 5.0 [Overall] in the last week. --- [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation UserDefinedNetwork CRD Controller for primary UDN without required namespace label should not be able to update the namespace and remove the UDN label [Suite:openshift/conformance/parallel] This test has passed 55.90% of 3329 runs on release 5.0 [Overall] in the last week. --- [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation when primary network exist, ClusterUserDefinedNetwork status should report not-ready [Suite:openshift/conformance/parallel] This test has passed 55.90% of 3329 runs on release 5.0 [Overall] in the last week. --- [Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation UserDefinedNetwork CRD Controller for primary UDN without required namespace label should be able to create pod and it will attach to the cluster default network [Suite:openshift/conformance/parallel] This test has passed 55.90% of 3329 runs on release 5.0 [Overall] in the last week. --- Showing 4 of 10 test results

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: b912f72

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: b912f72

• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 5, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" [Total: 1, Pass: 1, Fail: 0, Flake: 0]

[gangwgr]

/lgtm

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/lgtm

[gangwgr]

/hold

[YamunadeviShanmugam]

/retest

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/unhold

[YamunadeviShanmugam]

/retest

[openshift-ci]

@YamunadeviShanmugam: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kaleemsiddiqu]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr, kaleemsiddiqu, YamunadeviShanmugam
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: a932f0a

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-serial-2of2	Medium - "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: a932f0a

• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should allow a user to get the node selector from a project [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [OTP] should reject project creation when an invalid node selector is given [apigroup:project.openshift.io] [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]
• "[sig-api-machinery] [Jira:apiserver-auth] Project API [Serial][OTP] should delete all resources when the project is deleted [apigroup:project.openshift.io][apigroup:apps.openshift.io] [Suite:openshift/conformance/serial]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]

[YamunadeviShanmugam]

/verified by CI

[openshift-ci-robot]

@YamunadeviShanmugam: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.