Skip to content

OCPQE-30680: Fix OPM test cases failure: Ensure container policy.json exists #1144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPQE-30680: Fix OPM test cases failure: Ensure container policy.json exists #1144

wants to merge 1 commit into from
+91 −1

Conversation

@Xia-Zhao-rh
Copy link
Contributor

@Xia-Zhao-rh Xia-Zhao-rh commented Nov 11, 2025

This PR fixes 10 OPM test cases that were failing with the error:
no policy.json file found at any of the following: "/tmp/home/.config/containers/policy.json", "/etc/containers/policy.json"

Problem

OPM commands that interact with container images require a containers policy.json file. When this file doesn't exist, OPM operations fail. The following test cases were affected:

  • PolarionID:43171 - opm render blob from bundle db based index
  • PolarionID:45402 - opm render should automatically pull images
  • PolarionID:48438 - opm render should support olm.constraint
  • PolarionID:70013 - opm support deprecated channel
  • PolarionID:54168 - opm support '--use-http' global flag
  • PolarionID:43409 - opm can list catalog contents
  • PolarionID:53869 - opm supports creating catalog using basic veneer
  • PolarionID:53917 - opm can visualize the update graph
  • PolarionID:60573 - opm exclude bundles with olm.deprecated property
  • PolarionID:73218 - opm alpha render-graph indicate deprecated graph content

Solution

  1. Added EnsureContainerPolicy() function in test/qe/util/opmcli/opm_client.go:
    - Checks if ${HOME}/.config/containers/policy.json exists
    - Creates the file with insecureAcceptAnything policy if it doesn't exist
    - Thread-safe implementation using sync.Mutex to support parallel test execution
    - Uses a policyCreated flag to avoid redundant file operations
  2. Updated failing test cases in test/qe/specs/olmv0_opm.go:
    - Added opmcli.EnsureContainerPolicy() call at the beginning of each affected test case
    - Ensures policy file exists before executing OPM commands

Changes

Files modified:

  • tests-extension/test/qe/util/opmcli/opm_client.go - Added EnsureContainerPolicy() function (+60 lines)
  • tests-extension/test/qe/specs/olmv0_opm.go - Added policy check in 10 test cases (+32 lines, -1 line)

Key features:

  • ✅ Thread-safe: Uses mutex to prevent race conditions in parallel test execution
  • ✅ Efficient: Only creates the file once, subsequent calls return immediately
  • ✅ Non-intrusive: Only affects failing test cases, not all OPM tests
  • ✅ Proper error handling: Returns errors that can be checked by test cases

Testing:

xzha@xzha1-mac tests-extension % ./bin/olmv0-tests-ext run-test "[sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[OTP][Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content"
  I1111 13:02:40.015517 86325 test_context.go:566] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
  Running Suite:  - /Users/xzha/go/src/github.com/openshift/operator-framework-olm/tests-extension
  ================================================================================================
  Random Seed: 1762837360 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[OTP][Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content [NonHyperShiftHOST, opm, original-name:[sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content]
  /Users/xzha/go/src/github.com/openshift/operator-framework-olm/tests-extension/test/qe/specs/olmv0_opm.go:749
    STEP: Creating a kubernetes client @ 11/11/25 13:02:40.017
  I1111 13:02:40.023596 86325 client.go:349] do not know if it is external oidc cluster or not, and try to check it again
  I1111 13:02:40.023914 86325 client.go:755] showInfo is true
  I1111 13:02:40.023926 86325 client.go:757] Running 'oc --kubeconfig=/Users/xzha/kubeconfig get authentication/cluster -o=jsonpath={.spec.type}'
  I1111 13:02:41.597072 86325 clusters.go:568] Found authentication type used: 
  I1111 13:02:44.341352 86325 client.go:200] configPath is now "/var/folders/n7/0fxbs6x52_g7323k0gzgw3g80000gn/T/configfile1689414696"
  I1111 13:02:44.341412 86325 client.go:363] The user is now "e2e-test-opm-3917221d-6szn9-user"
  I1111 13:02:44.341424 86325 client.go:366] Creating project "e2e-test-opm-3917221d-6szn9"
  I1111 13:02:44.666071 86325 client.go:375] Waiting on permissions in project "e2e-test-opm-3917221d-6szn9" ...
  I1111 13:02:45.698085 86325 client.go:436] Waiting for ServiceAccount "default" to be provisioned...
  I1111 13:02:46.059998 86325 client.go:436] Waiting for ServiceAccount "builder" to be provisioned...
  I1111 13:02:46.421667 86325 client.go:436] Waiting for ServiceAccount "deployer" to be provisioned...
  I1111 13:02:46.864194 86325 client.go:446] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I1111 13:02:47.429708 86325 client.go:446] Waiting for RoleBinding "system:deployers" to be provisioned...
  I1111 13:02:47.989478 86325 client.go:446] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I1111 13:02:48.550703 86325 client.go:477] Project "e2e-test-opm-3917221d-6szn9" has been fully provisioned.
  I1111 13:02:53.552374 86325 client.go:731] Running 'oc --kubeconfig=/Users/xzha/kubeconfig explain template.apiVersion'
  I1111 13:02:55.082563 86325 opm_bin.go:33] Setting up opm binary...
  I1111 13:02:55.083495 86325 opm_bin.go:38] opm command is found in PATH
  I1111 13:02:55.083777 86325 opm_client.go:285] Created containers policy.json at: /Users/xzha/.config/containers/policy.json
    STEP: step: opm alpha render-graph index-image with deprecated label @ 11/11/25 13:02:55.083
  I1111 13:03:15.904266 86325 client.go:524] Deleted {user.openshift.io/v1, Resource=users  e2e-test-opm-3917221d-6szn9-user}, err: <nil>
  I1111 13:03:16.162179 86325 client.go:524] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-opm-3917221d-6szn9}, err: <nil>
  I1111 13:03:16.424089 86325 client.go:524] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~kIjJSgSMn88qSHDVSct4Zv6IWee67g3r3oSJ-tQxDZw}, err: <nil>
    STEP: Destroying namespace "e2e-test-opm-3917221d-6szn9" for this suite. @ 11/11/25 13:03:16.424
  • [36.669 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 36.670 seconds

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 11, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 11, 2025
edited by openshift-ci bot
Loading

@Xia-Zhao-rh: This pull request references OCPQE-30680 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.21.0" version, but no target version was set.

In response to this:

This PR fixes 10 OPM test cases that were failing with the error:
no policy.json file found at any of the following: "/tmp/home/.config/containers/policy.json", "/etc/containers/policy.json"

Problem

OPM commands that interact with container images require a containers policy.json file. When this file doesn't exist, OPM operations fail. The following test cases were affected:

  • PolarionID:43171 - opm render blob from bundle db based index
  • PolarionID:45402 - opm render should automatically pull images
  • PolarionID:48438 - opm render should support olm.constraint
  • PolarionID:70013 - opm support deprecated channel
  • PolarionID:54168 - opm support '--use-http' global flag
  • PolarionID:43409 - opm can list catalog contents
  • PolarionID:53869 - opm supports creating catalog using basic veneer
  • PolarionID:53917 - opm can visualize the update graph
  • PolarionID:60573 - opm exclude bundles with olm.deprecated property
  • PolarionID:73218 - opm alpha render-graph indicate deprecated graph content

Solution

  1. Added EnsureContainerPolicy() function in test/qe/util/opmcli/opm_client.go:
  • Checks if ${HOME}/.config/containers/policy.json exists
  • Creates the file with insecureAcceptAnything policy if it doesn't exist
  • Thread-safe implementation using sync.Mutex to support parallel test execution
  • Uses a policyCreated flag to avoid redundant file operations
  1. Updated failing test cases in test/qe/specs/olmv0_opm.go:
  • Added opmcli.EnsureContainerPolicy() call at the beginning of each affected test case
  • Ensures policy file exists before executing OPM commands

Changes

Files modified:

  • tests-extension/test/qe/util/opmcli/opm_client.go - Added EnsureContainerPolicy() function (+60 lines)
  • tests-extension/test/qe/specs/olmv0_opm.go - Added policy check in 10 test cases (+32 lines, -1 line)

Key features:

  • ✅ Thread-safe: Uses mutex to prevent race conditions in parallel test execution
  • ✅ Efficient: Only creates the file once, subsequent calls return immediately
  • ✅ Non-intrusive: Only affects failing test cases, not all OPM tests
  • ✅ Proper error handling: Returns errors that can be checked by test cases

Testing:

xzha@xzha1-mac tests-extension % ./bin/olmv0-tests-ext run-test "[sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[OTP][Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content"
 I1111 13:02:40.015517 86325 test_context.go:566] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
 Running Suite:  - /Users/xzha/go/src/github.com/openshift/operator-framework-olm/tests-extension
 ================================================================================================
 Random Seed: 1762837360 - will randomize all specs

 Will run 1 of 1 specs
 ------------------------------
 [sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[OTP][Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content [NonHyperShiftHOST, opm, original-name:[sig-operator][Jira:OLM] OLMv0 opm should PolarionID:73218-[Skipped:Disconnected] opm alpha render-graph indicate deprecated graph content]
 /Users/xzha/go/src/github.com/openshift/operator-framework-olm/tests-extension/test/qe/specs/olmv0_opm.go:749
   STEP: Creating a kubernetes client @ 11/11/25 13:02:40.017
 I1111 13:02:40.023596 86325 client.go:349] do not know if it is external oidc cluster or not, and try to check it again
 I1111 13:02:40.023914 86325 client.go:755] showInfo is true
 I1111 13:02:40.023926 86325 client.go:757] Running 'oc --kubeconfig=/Users/xzha/kubeconfig get authentication/cluster -o=jsonpath={.spec.type}'
 I1111 13:02:41.597072 86325 clusters.go:568] Found authentication type used: 
 I1111 13:02:44.341352 86325 client.go:200] configPath is now "/var/folders/n7/0fxbs6x52_g7323k0gzgw3g80000gn/T/configfile1689414696"
 I1111 13:02:44.341412 86325 client.go:363] The user is now "e2e-test-opm-3917221d-6szn9-user"
 I1111 13:02:44.341424 86325 client.go:366] Creating project "e2e-test-opm-3917221d-6szn9"
 I1111 13:02:44.666071 86325 client.go:375] Waiting on permissions in project "e2e-test-opm-3917221d-6szn9" ...
 I1111 13:02:45.698085 86325 client.go:436] Waiting for ServiceAccount "default" to be provisioned...
 I1111 13:02:46.059998 86325 client.go:436] Waiting for ServiceAccount "builder" to be provisioned...
 I1111 13:02:46.421667 86325 client.go:436] Waiting for ServiceAccount "deployer" to be provisioned...
 I1111 13:02:46.864194 86325 client.go:446] Waiting for RoleBinding "system:image-builders" to be provisioned...
 I1111 13:02:47.429708 86325 client.go:446] Waiting for RoleBinding "system:deployers" to be provisioned...
 I1111 13:02:47.989478 86325 client.go:446] Waiting for RoleBinding "system:image-pullers" to be provisioned...
 I1111 13:02:48.550703 86325 client.go:477] Project "e2e-test-opm-3917221d-6szn9" has been fully provisioned.
 I1111 13:02:53.552374 86325 client.go:731] Running 'oc --kubeconfig=/Users/xzha/kubeconfig explain template.apiVersion'
 I1111 13:02:55.082563 86325 opm_bin.go:33] Setting up opm binary...
 I1111 13:02:55.083495 86325 opm_bin.go:38] opm command is found in PATH
 I1111 13:02:55.083777 86325 opm_client.go:285] Created containers policy.json at: /Users/xzha/.config/containers/policy.json
   STEP: step: opm alpha render-graph index-image with deprecated label @ 11/11/25 13:02:55.083
 I1111 13:03:15.904266 86325 client.go:524] Deleted {user.openshift.io/v1, Resource=users  e2e-test-opm-3917221d-6szn9-user}, err: <nil>
 I1111 13:03:16.162179 86325 client.go:524] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-opm-3917221d-6szn9}, err: <nil>
 I1111 13:03:16.424089 86325 client.go:524] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~kIjJSgSMn88qSHDVSct4Zv6IWee67g3r3oSJ-tQxDZw}, err: <nil>
   STEP: Destroying namespace "e2e-test-opm-3917221d-6szn9" for this suite. @ 11/11/25 13:03:16.424
 • [36.669 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 36.670 seconds

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Xia-Zhao-rh
Copy link
Contributor Author

Xia-Zhao-rh commented Nov 11, 2025

/payload-aggregate periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview 5

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 11, 2025

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5564dc70-beca-11f0-86b9-461c6b9d558e-0

@jianzhangbjz
Copy link
Contributor

jianzhangbjz commented Nov 12, 2025

/approve
/lgtm
/verified by @Xia-Zhao-rh

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 12, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 12, 2025

@jianzhangbjz: This PR has been marked as verified by @Xia-Zhao-rh.

In response to this:

/approve
/lgtm
/verified by @Xia-Zhao-rh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jianzhangbjz
Copy link
Contributor

jianzhangbjz commented Nov 12, 2025

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 12, 2025
@jianzhangbjz
Copy link
Contributor

jianzhangbjz commented Nov 12, 2025

/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 12, 2025

@jianzhangbjz: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/32f538f0-bf61-11f0-8adb-ee56d8bb1e44-0

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 12, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jianzhangbjz, Xia-Zhao-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 12, 2025
@Xia-Zhao-rh
Copy link
Contributor Author

Xia-Zhao-rh commented Nov 12, 2025

/payload-aggregate periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview 5

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 12, 2025

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5cb03610-bfa0-11f0-8026-f9d2eb924f2d-0

@Xia-Zhao-rh
Copy link
Contributor Author

Xia-Zhao-rh commented Nov 14, 2025

/payload-aggregate periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview 5

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 14, 2025

@Xia-Zhao-rh: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.21-e2e-gcp-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/05531960-c14d-11f0-8d02-a60a4dd39113-0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camilamacedo86 camilamacedo86 Awaiting requested review from camilamacedo86

@rashmigottipati rashmigottipati Awaiting requested review from rashmigottipati

Assignees

@jianzhangbjz jianzhangbjz

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Xia-Zhao-rh @openshift-ci-robot @jianzhangbjz