NO-JIRA: e2e: extracting fencing credentials rotaion into standalone test

[fracappa]

Summary by CodeRabbit

• Tests
  • Added a new end-to-end suite for fencing-credential updates in dual-replica edge topologies, rotating BMC/fencing credentials and validating fencing works with the new credentials.
  • Includes health checks to ensure fencing and cluster stability after rotation (with special handling for emulator-based environments) and restores the original credentials afterward.
  • Removed a redundant older recovery scenario that duplicated the fencing-credential update and post-update validation flow.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@fracappa: This pull request explicitly references no jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 22260ee7-da5a-4170-8409-6eb094d73095

📥 Commits

Reviewing files that changed from the base of the PR and between 134d234 and 261c116.

📒 Files selected for processing (2)

• test/extended/edge_topologies/tnf_fencing_credentials.go
• test/extended/edge_topologies/tnf_recovery.go

💤 Files with no reviewable changes (1)

• test/extended/edge_topologies/tnf_recovery.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/extended/edge_topologies/tnf_fencing_credentials.go

---

Walkthrough

Adds a new dual-replica fencing-credentials e2e test that rotates BMC credentials, refreshes fencing configuration, and checks Pacemaker and etcd health. It also removes the older recovery spec that covered the same credential-rotation flow.

Changes

Dual-replica fencing credential tests

Layer / File(s)	Summary
New fencing test flow test/extended/edge_topologies/tnf_fencing_credentials.go	Sets up the dual-replica test, reads and updates fencing credentials, restores them in cleanup, and validates Pacemaker and etcd health after the update.
Removed recovery-file copy test/extended/edge_topologies/tnf_recovery.go	Removes the earlier fencing-credential spec from the recovery file and drops the unused rand import.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• openshift/origin#31199: Adds the fencing-credential rotation and validation flow that this PR now relocates into a dedicated dual-replica test.

Suggested labels

verified

Suggested reviewers

• jaypoulz
• qJkee

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	New test logs fencing address/Redfish host and hypervisor IP, exposing internal hostnames/identifiers in CI logs.	Remove or redact address/host/IP/secret-name fields from logs; keep only node names and generic status. Avoid dumping update-fencing-credentials output unless sanitized.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	The new Fencing credentials test requires exactly two nodes and is scoped to openshift/two-node/DualReplica, with no SNO skip guard.	Add a [Skipped:SingleReplicaTopology] label or runtime SNO guard (e.g. exutil.IsSingleNode()/skipOnSingleNodeTopology) if the test should not run on SNO.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: extracting fencing credentials rotation into a standalone e2e test.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The added Ginkgo titles are static strings; no test title interpolates node names, timestamps, UUIDs, or other run-specific values.
Test Structure And Quality	✅ Passed	PASS: The new fence-credential It has one cohesive scenario, uses BeforeEach/DeferCleanup, explicit timeouts, and message-bearing assertions, matching nearby TNF tests.
Microshift Test Compatibility	✅ Passed	The new Ginkgo spec is tagged [apigroup:config.openshift.io], which MicroShift doesn’t serve, so it’s auto-skipped despite using etcd/Pacemaker APIs.
Topology-Aware Scheduling Compatibility	✅ Passed	Only DualReplica-gated e2e tests were added/removed; no manifests, controllers, affinities, replicas, or node selectors changed.
Ote Binary Stdout Contract	✅ Passed	PASS: The new suite has no process-level stdout writes; its logs go via framework.Logf/GinkgoWriter and fmt.Fprintf(g.GinkgoWriter), with no fmt.Print/log.SetOutput/klog stdout use.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new fencing-credentials test uses net.JoinHostPort and IPv6 brackets for Redfish, and I found no hardcoded IPv4 literals or public-internet dependencies.
No-Weak-Crypto	✅ Passed	No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or non-constant-time secret comparisons were found; the new password helper uses crypto/rand.
Container-Privileges	✅ Passed	The PR only changes Go E2E tests; the touched files contain no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation settings.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fracappa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/edge_topologies/OWNERS [fracappa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/edge_topologies/tnf_fencing_credentials.go`:
- Around line 140-157: Track whether the initial BMC password change in the
fencing credentials test actually succeeded, and only attempt to restore from
newPassword when that state is true. In the DeferCleanup block in
tnf_fencing_credentials.go, use a success flag tied to the earlier password
change and gate both the changeBMCPassword(originalPassword) restore call and
the scriptPassword fallback on that flag; if the initial change failed, skip the
restore path that would re-run update-fencing-credentials.sh with the wrong
password. Reference the cleanup logic around DeferCleanup, changeBMCPassword,
and update-fencing-credentials.sh so the BMC password and fencing credentials
stay in sync.
- Around line 44-49: The node selection in the `Test...` setup is unsafe because
it indexes `nodes.Items` without confirming there are exactly two entries at the
point of use. Update the local logic around `utils.GetNodes`, `rand.Intn`,
`peerNode`, and `targetNode` to assert the returned list has exactly two nodes
before any indexing, and fail fast if not; also avoid relying on a separate
earlier fetch for this invariant.
- Line 113: The temporary BMC password generation in the tnffencing credential
flow uses k8srand.String, which is not cryptographically secure for a real
credential. Update the password creation in the TNF fencing test helper to use a
crypto/rand-based helper (for example, a new secureRandomString function) and
handle any generation error before proceeding. Remove the k8srand import if it
is no longer needed, and keep the change localized around the newPassword
assignment and the related credential setup path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 385123d5-07f8-4f3c-9b0a-6ab7d9ee56f1

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8a9b0 and ec88ee0.

📒 Files selected for processing (2)

• test/extended/edge_topologies/tnf_fencing_credentials.go
• test/extended/edge_topologies/tnf_recovery.go

💤 Files with no reviewable changes (1)

• test/extended/edge_topologies/tnf_recovery.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-metal-ovn-two-node-arbiter
/test e2e-metal-ovn-two-node-fencing
/test e2e-metal-ovn-two-node-fencing-recovery

[coderabbitai]

♻️ Duplicate comments (1)

test/extended/edge_topologies/tnf_fencing_credentials.go (1)

151-193: 🗄️ Data Integrity & Integration | 🔴 Critical | 🏗️ Heavy lift

bmcPasswordChanged is declared but never set to true, so the BMC password is never restored.

bmcPasswordChanged is initialized to false at Line 151 and is never assigned true after the successful password change at Lines 192-193. Consequently the cleanup block always takes the else branch (Lines 161-163) and skips restoring the BMC password. After a successful rotation the BMC is left with the random test password (newPassword) permanently, while the fencing script at Line 173 rewrites credentials with scriptPassword = originalPassword (since the flag stays false) — leaving the BMC and the fencing secret out of sync. This is the exact failure mode the gating flag was meant to prevent.

🛠️ Proposed fix

 		g.By(fmt.Sprintf("Changing BMC password on %s", bmcNode.Name))
 		err = changeBMCPassword(originalPassword, newPassword)
 		o.Expect(err).ToNot(o.HaveOccurred(), "expected to change BMC password")
+		bmcPasswordChanged = true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/edge_topologies/tnf_fencing_credentials.go` around lines 151 -
193, The cleanup gate in the BMC password rotation flow is never flipped, so the
restore path is skipped. In tnf_fencing_credentials.go, update the logic around
changeBMCPassword and the DeferCleanup closure so bmcPasswordChanged is set to
true only after the password change succeeds, allowing the cleanup block to
restore the original password and keep the fencing credentials in sync. Use the
existing symbols bmcPasswordChanged, changeBMCPassword, and the DeferCleanup
restoration block to place the fix without relying on line numbers.

🧹 Nitpick comments (1)

test/extended/edge_topologies/tnf_fencing_credentials.go (1)

37-38: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

defer g.GinkgoRecover() in the Describe body is a no-op.

The Describe closure runs during tree construction, not during spec execution, so this deferred GinkgoRecover fires immediately after the container function returns and never guards a running spec. GinkgoRecover is only needed inside goroutines spawned by a spec. Safe to remove.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/edge_topologies/tnf_fencing_credentials.go` around lines 37 -
38, The deferred ginkgo recovery in the Describe container is ineffective
because the closure runs during tree construction, not spec execution. Remove
the defer ginkgo.GinkgoRecover() from the g.Describe block in the fencing
credentials test, since GinkgoRecover is only needed inside goroutines spawned
from actual specs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@test/extended/edge_topologies/tnf_fencing_credentials.go`:
- Around line 151-193: The cleanup gate in the BMC password rotation flow is
never flipped, so the restore path is skipped. In tnf_fencing_credentials.go,
update the logic around changeBMCPassword and the DeferCleanup closure so
bmcPasswordChanged is set to true only after the password change succeeds,
allowing the cleanup block to restore the original password and keep the fencing
credentials in sync. Use the existing symbols bmcPasswordChanged,
changeBMCPassword, and the DeferCleanup restoration block to place the fix
without relying on line numbers.

---

Nitpick comments:
In `@test/extended/edge_topologies/tnf_fencing_credentials.go`:
- Around line 37-38: The deferred ginkgo recovery in the Describe container is
ineffective because the closure runs during tree construction, not spec
execution. Remove the defer ginkgo.GinkgoRecover() from the g.Describe block in
the fencing credentials test, since GinkgoRecover is only needed inside
goroutines spawned from actual specs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 10fd6f7a-ddb7-4451-9c95-2beed53891a6

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8a9b0 and 134d234.

📒 Files selected for processing (2)

• test/extended/edge_topologies/tnf_fencing_credentials.go
• test/extended/edge_topologies/tnf_recovery.go

💤 Files with no reviewable changes (1)

• test/extended/edge_topologies/tnf_recovery.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-metal-ovn-two-node-arbiter
/test e2e-metal-ovn-two-node-fencing
/test e2e-metal-ovn-two-node-fencing-recovery

[fracappa]

@coderabbitai approve this PR

[fracappa]

/verified by @fracappa

[coderabbitai]

@fracappa approving this PR.

✅ Action performed

Comments resolved and changes approved.

[openshift-ci-robot]

@fracappa: This PR has been marked as verified by @fracappa.

Details

In response to this:

/verified by @fracappa

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dhensel-rh]

I think you need to add a line here

bmcPasswordChanged = true

The flag is never flipped. Consequences:

1. changeBMCPassword(originalPassword, newPassword) succeeds → BMC now expects newPassword
2. DeferCleanup runs → sees bmcPasswordChanged == false → skips changeBMCPassword(newPassword, originalPassword)
3. Runs the script with originalPassword → pacemaker and k8s secret reset to originalPassword
4. BMC expects newPassword, pacemaker sends originalPassword → fencing broken

[fracappa]

Absolutely, pushing the fix

[openshift-ci-robot]

@fracappa: This pull request explicitly references no jira issue.

Details

In response to this:

Summary by CodeRabbit

• Tests
• Added a new end-to-end suite for fencing-credential updates in dual-replica edge topologies, rotating BMC/fencing credentials and validating fencing works with the new credentials.
• Includes health checks to ensure fencing and cluster stability after rotation (with special handling for emulator-based environments) and restores the original credentials afterward.
• Removed a redundant older recovery scenario that duplicated the fencing-credential update and post-update validation flow.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-metal-ovn-two-node-arbiter
/test e2e-metal-ovn-two-node-fencing
/test e2e-metal-ovn-two-node-fencing-recovery