Add EgressIP test role for shiftstack-qa

  Port EgressIP testing from Jenkins/infrared to shiftstack-qa.

  - Creates egressip_tests role that runs openshift-tests-private suite
  - Dynamically detects OCP version (4.12-4.22) and network backend
    (OpenShiftSDN/OVNKubernetes/Kuryr)
  - Filters tests using per-version, per-backend allowlist
  - Integrated into osp_verification.yaml for OSP candidate release
    validation

  Allowlist ported from rhos-infrared egressip-whitelist.yaml covering:
  - 4.12-4.14: OpenShiftSDN, OVNKubernetes, Kuryr support
  - 4.15+: OVNKubernetes only (SDN deprecated)

Change-Id: I222491ea7ed254e12ea5935564c1ce026d9bc105
Signed-off-by: Daniel Lawton <dlawton@redhat.com>

Author: dlaw4608

collection/stages/roles/egressip_tests/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+# defaults file for egressip_tests
+egressip_test_name: "openshift-tests-private"
+egressip_test_dir: "{{ artifacts_dir }}/{{ egressip_test_name }}"
+egressip_test_executable: "{{ egressip_test_dir }}/bin/extended-platform-tests"
+egressip_test_results_dir: "{{ artifacts_dir }}/egressip_tests"
+egressip_allowlist_file: "{{ role_path }}/files/egressip-allowlist.yaml"
+egressip_tests_go_version: "{{ tests.default_go_version_target }}"

collection/stages/roles/egressip_tests/files/egressip-allowlist.yaml

@@ -0,0 +1,149 @@
+---
+all_allow_list: &all_allow_list
+  {}
+
+sdn_list: &sdn_tests
+  <<: *all_allow_list
+  ".*Author:jechen-High-46555-Medium-46962-[Automatic EgressIP] Random egressIP is used on a pod that is not on a node hosting an egressIP, and random outages with egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46556-[Automatic EgressIP] A pod that is on a node hosting egressIP, it will always use the egressIP of the node . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46557-[Manual EgressIP] Random egressIP is used on a pod that is not on a node hosting an egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46558-[Manual EgressIP] A pod that is on a node hosting egressIP, it will always use the egressIP of the node . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47462-EgressNetworkPolicy should work well with egressIP [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-Medium-47461-Should not be able to access the node via the egressIP [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46559-[Automatic EgressIP] If some egress node is unavailable, pods continue use other available egressIPs after a short delay. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46561-[Manual EgressIP] If some egress node is unavailable, pods continue use other available egressIPs after a short delay. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46701-High-47470-Pods will lose external access if same egressIP is assigned to different netnamespace, error should be logged on master node. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46705-The egressIP should still work fine after the node or network service restarted. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46960- EgressIP can failover if the node is NotReady. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47455-The egressIP could be assigned to project automatically once it is defined in hostsubnet egressCIDR. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47464-The egressIP will be unavailable if it is set to multiple hostsubnets. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47468-High-47469-Pod access external through egressIP if egress node hosts the egressIP that assigned to netns, or it lose access to external if no node hosts the egressIP that assigned to netns. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47054-The egressIP can be HA if netnamespace has single egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47456-High-47457-Can change egressIP of project when there are multiple egressIP, can access outside with nodeIP after egressIP is removed. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47458-High-47459-EgressIP works when reusing the egressIP that was held by a deleted project, EgressIP works well after removed egressIP is added back. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47463-Pod will not be affected by the egressIP set on other netnamespace. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+
+ovnk_list: &ovnk_tests
+  <<: *all_allow_list
+  ".*Author:huirwang.*47019.*EgressIP works well with networkpolicy and egressFirewall.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47018.*47017.*Multiple projects use same EgressIP.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47028.*After remove EgressIP node tag.*failover.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47030.*EgressIP object can not have multiple egress IP assignments on the same node.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47031.*After reboot egress node EgressIP still work.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47032.*47034.*Traffic is load balanced between egress nodes.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47164.*47025.*update egressip object.*pods removed matched labels.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47272.*Pods will not be affected by the egressIP set on other netnamespace.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*55632.*egress node shouldn't generate broadcast ARP for service IPs.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47029.*47024.*egress IP can only be assigned to one node only.*Warning event.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47163.*47026.*Deleting EgressIP object and recreating it works.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47021.*lr-policy-list and snat should be updated correctly after remove pods.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*55030.*After reboot egress node.*lr-policy-list and snat should keep correct.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*53069.*EgressIP should work for recreated same name pod.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+
+##########
+# This feature is supported since OpenShift 4.12
+
+# OpenShift 4.12
+"4.12":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.13
+"4.13":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.14
+"4.14":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.15
+"4.15":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.16
+"4.16":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.17
+"4.17":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.18
+"4.18":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.19
+"4.19":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.20
+"4.20":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.21
+"4.21":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.22
+"4.22":
+  "OVNKubernetes":
+    <<: *ovnk_tests

collection/stages/roles/egressip_tests/meta/main.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - shiftstack.tools

collection/stages/roles/egressip_tests/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+# tasks file for egressip_tests
+- name: Prepare EgressIP test
+  ansible.builtin.include_role:
+    name: tools_openshift_tests
+    tasks_from: prepare_openshift_tests.yml
+  vars:
+    repo_name: "{{ egressip_test_name }}"
+    results_dir: "{{ egressip_test_results_dir }}"
+    go_version_target: "{{ egressip_tests_go_version }}"
+    reset_result_dir: "{{ egressip_reset_result_dir | default(True) }}"
+
+- name: Run egressip tests
+  ansible.builtin.include_tasks: run_egressip_tests.yml
+
+- name: Post EgressIP test
+  ansible.builtin.include_role:
+    name: tools_openshift_tests
+    tasks_from: post_openshift_tests.yml
+  vars:
+    testsuite_name: "egressip_tests"
+    key_for_filtering_results: "egressip"
+    test_name: "{{ egressip_test_name }}"
+    results_dir: "{{ egressip_test_results_dir }}"
+
+- name: Remove the source directory after tests complete
+  ansible.builtin.file:
+    path: "{{ egressip_test_dir }}"
+    state: absent

collection/stages/roles/egressip_tests/tasks/run_egressip_tests.yml

@@ -0,0 +1,97 @@
+---
+- name: Load the full allowlist file
+  ansible.builtin.set_fact:
+    egressip_full_allowlist: "{{ lookup('file', egressip_allowlist_file) | from_yaml }}"
+
+- name: Detect network backend
+  ansible.builtin.shell: |
+    oc get network.config cluster -o jsonpath='{.status.networkType}'
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+  register: network_backend_result
+  changed_when: false
+
+- name: Set network backend fact
+  ansible.builtin.set_fact:
+    network_backend: "{{ network_backend_result.stdout }}"
+
+- name: Extract allowlist for current version and network backend
+  ansible.builtin.set_fact:
+    egressip_version_allowlist: "{{ egressip_full_allowlist[discovered_openshift_release][network_backend] | default({}) }}"
+
+- name: Fail if no allowlist found for this version/backend combination
+  ansible.builtin.fail:
+    msg: "No allowlist found for OCP {{ discovered_openshift_release }} with {{ network_backend }}"
+  when: egressip_version_allowlist | length == 0
+
+- name: Write filtered allowlist to temporary file
+  ansible.builtin.copy:
+    content: "{{ egressip_version_allowlist | to_nice_yaml }}"
+    dest: "{{ egressip_test_results_dir }}/allowlist.yaml"
+    mode: '0644'
+
+- name: Set artifact paths
+  ansible.builtin.set_fact:
+    all_tests_path: "{{ egressip_test_results_dir }}/egressip_tests.txt"
+    allowlist_path: "{{ egressip_test_results_dir }}/allowlist.txt"
+    tests_to_run_path: "{{ egressip_test_results_dir }}/list_of_tests_to_run.txt"
+
+- name: Build extended-platform-tests executable
+  ansible.builtin.shell: |
+    source {{ home_dir }}/.bashrc
+    make WHAT=cmd/openshift-tests
+  args:
+    chdir: "{{ egressip_test_dir }}"
+  changed_when: true
+
+- name: Get full list of tests
+  ansible.builtin.shell: >
+    {{ egressip_test_executable }} run all --dry-run > {{ all_tests_path }}
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+    OS_CLOUD: "{{ user_cloud }}"
+  changed_when: true
+
+- name: Convert the allowlist YAML to TXT
+  ansible.builtin.include_role:
+    name: tools_openshift_tests
+    tasks_from: convert_yaml_tests_file_to_txt.yml
+  vars:
+    input_tests_list: "{{ egressip_test_results_dir }}/allowlist.yaml"
+    output_tests_list: "{{ allowlist_path }}"
+    yaml_format_based_on_ocp_version: true
+
+- name: Prepare the tests list to run
+  shiftstack.tools.filter_tests_list:
+    input_tests_file: "{{ all_tests_path }}"
+    allowlist_file: "{{ allowlist_path }}"
+    blocklist_file: ""
+    output_file: "{{ tests_to_run_path }}"
+
+- name: Run the egressip tests
+  block:
+    - name: Run egressIP tests
+      ansible.builtin.shell: >
+        {{ egressip_test_executable }} run
+        -f {{ tests_to_run_path }}
+        --output-file {{ egressip_test_results_dir }}/{{ egressip_test_name }}.log
+        --junit-dir={{ egressip_test_results_dir }} > /dev/null
+      environment:
+        KUBECONFIG: "{{ kubeconfig }}"
+        OS_CLOUD: "{{ user_cloud }}"
+      changed_when: true
+
+  rescue:
+    - name: Mark the egressip tests as UNSTABLE
+      ansible.builtin.include_role:
+        name: tools_stage_results
+        tasks_from: mark_stage_unstable.yml
+      vars:
+        unstable_msg: >-
+          The EgressIP test suite failed.
+
+    - name: Run must-gather
+      ansible.builtin.include_role:
+        name: tools_must-gather
+      vars:
+        must_gather_suffix: "egressip-tests"

jobs_definitions/osp_verification.yaml

@@ -21,6 +21,7 @@ stages:
   - verification
   - openstack_test
   - lb_tests
+  - egressip_tests
 
 ocp_deployment_topology:
   network_type: OVNKubernetes

playbooks/ocp_testing.yaml

@@ -103,3 +103,7 @@
 - name: Run Openshift Manila CSI Tests on OpenShift
   ansible.builtin.import_playbook: plays/manila_csi.yaml
   when: "'manila_csi_tests' in stages"
+
+- name: Run EgressIP tests on OpenShift
+  ansible.builtin.import_playbook: plays/egressip_tests.yaml
+  when: "'egressip_tests' in stages"

playbooks/plays/egressip_tests.yaml

@@ -0,0 +1,17 @@
+---
+- name: Run EgressIP tests on OpenShift
+  hosts: installer
+  gather_facts: no
+  vars_files:
+    - "../../configs/global.yml"
+  tasks:
+    - name: Main block
+      block:
+        - name: Run EgressIP tests on OpenShift
+          ansible.builtin.include_role:
+            name: shiftstack.stages.egressip_tests
+      always:
+        - name: Synchronize artifacts from the Ansible Managed Node to Ansible Controller
+          ansible.builtin.include_role:
+            name: shiftstack.tools.tools_ansible_inventory
+            tasks_from: sync_artifacts.yml