Skip to content

NO-JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS#31372

Open
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:promauth
Open

NO-JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS#31372
machine424 wants to merge 1 commit into
openshift:mainfrom
machine424:promauth

Conversation

@machine424

@machine424 machine424 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

from ci/prow/e2e-aws-ovn-serial-1of2 (link).

openshift-cluster-csi-drivers
  All 10 targets returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

  scraping target https://10.128.0.51:9202/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.129.0.14:9202/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.51:9203/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.129.0.14:9203/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.51:9201/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.129.0.14:9204/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.51:9205/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.51:9204/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.129.0.14:9205/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.129.0.14:9201/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-cluster-node-tuning-operator
  Returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

  scraping target https://10.128.0.16:60000/metrics of pod openshift-cluster-node-tuning-operator/node-tuning-operator/cluster-node-tuning-operator-76b8cbfd7c-vqhr2 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-operator-lifecycle-manager
  All 3 targets returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

  scraping target https://10.128.0.8:8443/metrics of pod openshift-operator-lifecycle-manager/catalog-operator-metrics/catalog-operator-7d8c7cbc6b-c7ckh without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.18:8443/metrics of pod openshift-operator-lifecycle-manager/olm-operator-metrics/olm-operator-749bf4cbb6-qbfv5 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
  scraping target https://10.128.0.30:8443/metrics of pod openshift-operator-lifecycle-manager/package-server-manager-metrics/package-server-manager-7f766b7476-cwmwz without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-etcd
  All 3 targets rejected the connection with a TLS "certificate required" error.
  Caught by the new "certificate required" detection in the PR.

  scraping target https://10.0.60.167:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-60-167.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"
  scraping target https://10.0.20.95:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-20-95.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"
  scraping target https://10.0.7.49:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-7-49.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"

openshift-marketplace
  Target rejected the connection with a TLS "certificate required" error.
  Same mTLS rejection as etcd.

  scraping target https://10.128.0.14:8081/metrics of pod openshift-marketplace/marketplace-operator-metrics/marketplace-operator-7d8644974c-tcwgs without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"

Summary by CodeRabbit

  • Tests
    • Improved Prometheus auth-related test coverage and reliability for unauthenticated target access checks.
    • Unauthorized target validations now report both HTTP status and curl error details for clearer diagnosis.
    • Reduced flaky behavior in namespace skipping by using deterministic in-test skip lists and consistent membership checks.
    • Simplified network policy setup for target ports and added explicit handling for certificate-required (mTLS) responses for the etcd target.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Walkthrough

The Prometheus unauthenticated-target test now uses a curl helper that returns HTTP status and error text, replaces environment-driven namespace filtering with local slices, and updates target polling, success checks, and failure reporting.

Changes

Prometheus unauthorized-access test update

Layer / File(s) Summary
Curl helper output parsing
test/extended/util/prometheus/helpers.go
Replaces URLStatusCodeExecViaPod with CurlExecViaPod, which parses combined curl status and error text and returns both values plus the exec error.
Namespace and policy setup
test/extended/prometheus/prometheus.go
Removes the env-driven namespace selection and set-based skip logic, then simplifies network-policy creation to always install the needed policies.
Unauthenticated scrape polling
test/extended/prometheus/prometheus.go
Switches polling to helper.CurlExecViaPod, adds the etcd certificate-required success path, and updates failure messages and refresh handling to use the new curl error text.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The touched Ginkgo titles are static string literals; no runtime-derived names or interpolations were added.
Test Structure And Quality ✅ Passed The updated It block stays focused on unauthenticated scraping, uses deferred cleanup for created resources, and all cluster waits use PollUntilContextTimeout.
Microshift Test Compatibility ✅ Passed No new Ginkgo tests were added; this patch only refactors an existing serial spec/helper and adds no new MicroShift-unsupported API/resource use.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The PR only edits an existing auth-scrape test/helper; it adds no new Ginkgo specs and introduces no multi-node or HA assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed Only extended Prometheus test/helper code changed; no deployment manifests, operators, or controllers, and no new scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed No new stdout writes appear in main/init/TestMain/BeforeSuite/AfterSuite/RunSpecs setup; the only fmt.Printf is inside a regular helper called from a test body.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The changed Ginkgo test uses cluster-internal routes/services and curl; no hardcoded IPv4, IP-family assumptions, or public internet access were introduced.
No-Weak-Crypto ✅ Passed The diff only changes Prometheus test helpers; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were added.
Container-Privileges ✅ Passed Only Go test/helper files changed; no K8s manifests or container privilege fields were added or modified.
No-Sensitive-Data-In-Logs ✅ Passed The new logs only add curl error text and existing target URLs; no passwords, tokens, PII, or other secret-bearing values are logged.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main Prometheus test changes around a smaller skip list and mTLS handling.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2026
@openshift-ci openshift-ci Bot requested review from jan--f and rexagod July 9, 2026 10:30
}
networkPolicies := BuildNetworkPolicies(oc.Namespace(), ports)
for _, networkPolicy := range networkPolicies {
policies, err := oc.AdminKubeClient().NetworkingV1().NetworkPolicies(networkPolicy.Namespace).List(context.Background(), metav1.ListOptions{})

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the goal is to ensure auth is present even if NPs are bypassed.
deploying unneeded allow NP is not a problem.

@machine424

Copy link
Copy Markdown
Contributor Author

/pipeline required

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/prometheus/prometheus.go`:
- Line 100: The test is still using context.Background() in the NetworkPolicies
Create call, which bypasses Ginkgo cancellation; update the affected It block in
prometheus.go to accept func(ctx g.SpecContext) and thread ctx through both the
oc.AdminKubeClient().NetworkingV1().NetworkPolicies(...).Create call and the
wait.PollUntilContextTimeout usage so the test respects spec cancellation.

In `@test/extended/util/prometheus/helpers.go`:
- Around line 306-309: The RunHostCmd handling in the prometheus helper is
dropping curl’s output as soon as err is non-nil, so the caller never gets the
--write-out text needed for the mTLS fallback. Update the helper around
e2eoutput.RunHostCmd to preserve and return output even when the command exits
non-zero, and let the caller in prometheus.go handle the exec error/retry
decision after parsing the output, using the existing host command/curl flow as
the entry point.
- Line 305: The `RunHostCmd` call in `helpers.go` is still vulnerable because
`fmt.Sprintf` with `%q` does not fully shell-quote `url` before `/bin/sh -c`
executes it. Update the helper around `RunHostCmd` to avoid shell interpretation
by switching to argv-based execution if available, or otherwise properly
shell-quote the URL and insert `--` before it so command substitutions cannot be
evaluated.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0f29d88c-5d99-430d-9410-5853afa0b80c

📥 Commits

Reviewing files that changed from the base of the PR and between 965e8a0 and 4701ad1.

📒 Files selected for processing (2)
  • test/extended/prometheus/prometheus.go
  • test/extended/util/prometheus/helpers.go

Comment thread test/extended/prometheus/prometheus.go
Comment thread test/extended/util/prometheus/helpers.go
Comment thread test/extended/util/prometheus/helpers.go Outdated
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@machine424 machine424 changed the title chore(extended/prometheus): reduce targets-auth skip list and handle etcd mTLS chore(extended/prometheus): reduce targets-auth skip list and handle mTLS Jul 9, 2026
@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 9, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@jan--f jan--f left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

one optional nit, but feel free to ignore.

}

// Set $MONITORING_AUTH_TEST_NAMESPACE to focus on the targets from a single namespace
var namespaceUnderTest = os.Getenv("MONITORING_AUTH_TEST_NAMESPACE")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a short comment why this is no longer needed can be helpful to future readers.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can leave the comment here:
this is no longer needed and was making the logic hard to read.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jan--f, machine424

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@machine424

Copy link
Copy Markdown
Contributor Author

/retitle NO_JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS

@openshift-ci openshift-ci Bot changed the title chore(extended/prometheus): reduce targets-auth skip list and handle mTLS NO_JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS Jul 13, 2026
@machine424

Copy link
Copy Markdown
Contributor Author

/verified by existing tests

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 13, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@machine424: This PR has been marked as verified by existing tests.

Details

In response to this:

/verified by existing tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@machine424

Copy link
Copy Markdown
Contributor Author

/retitle NO-JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS

@machine424

Copy link
Copy Markdown
Contributor Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown

@machine424: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot changed the title NO_JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS NO-JIRA: chore(extended/prometheus): reduce targets-auth skip list and handle mTLS Jul 13, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 13, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@machine424: This pull request explicitly references no jira issue.

Details

In response to this:

from ci/prow/e2e-aws-ovn-serial-1of2 (link).

openshift-cluster-csi-drivers
 All 10 targets returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

 scraping target https://10.128.0.51:9202/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.129.0.14:9202/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.51:9203/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.129.0.14:9203/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.51:9201/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.129.0.14:9204/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.51:9205/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.51:9204/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-mnmn7 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.129.0.14:9205/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.129.0.14:9201/metrics of pod openshift-cluster-csi-drivers/aws-ebs-csi-driver-controller-metrics/aws-ebs-csi-driver-controller-5b46bcfbd5-j6v5g without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-cluster-node-tuning-operator
 Returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

 scraping target https://10.128.0.16:60000/metrics of pod openshift-cluster-node-tuning-operator/node-tuning-operator/cluster-node-tuning-operator-76b8cbfd7c-vqhr2 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-operator-lifecycle-manager
 All 3 targets returned HTTP 401 (Unauthorized). Auth is enforced, no skip needed.

 scraping target https://10.128.0.8:8443/metrics of pod openshift-operator-lifecycle-manager/catalog-operator-metrics/catalog-operator-7d8c7cbc6b-c7ckh without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.18:8443/metrics of pod openshift-operator-lifecycle-manager/olm-operator-metrics/olm-operator-749bf4cbb6-qbfv5 without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)
 scraping target https://10.128.0.30:8443/metrics of pod openshift-operator-lifecycle-manager/package-server-manager-metrics/package-server-manager-7f766b7476-cwmwz without auth returned 401, curlErrMsg: "", err: <nil> (skip=false)

openshift-etcd
 All 3 targets rejected the connection with a TLS "certificate required" error.
 Caught by the new "certificate required" detection in the PR.

 scraping target https://10.0.60.167:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-60-167.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"
 scraping target https://10.0.20.95:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-20-95.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"
 scraping target https://10.0.7.49:9979/metrics of pod openshift-etcd/etcd/etcd-ip-10-0-7-49.us-west-1.compute.internal without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"

openshift-marketplace
 Target rejected the connection with a TLS "certificate required" error.
 Same mTLS rejection as etcd.

 scraping target https://10.128.0.14:8081/metrics of pod openshift-marketplace/marketplace-operator-metrics/marketplace-operator-7d8644974c-tcwgs without auth returned 0, curlErrMsg: "OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0"

Summary by CodeRabbit

  • Tests
  • Improved Prometheus auth-related test coverage and reliability for unauthenticated target access checks.
  • Unauthorized target validations now report both HTTP status and curl error details for clearer diagnosis.
  • Reduced flaky behavior in namespace skipping by using deterministic in-test skip lists and consistent membership checks.
  • Simplified network policy setup for target ports and added explicit handling for certificate-required (mTLS) responses for the etcd target.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 0f64c49 and 2 for PR HEAD 7e3002e in total

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@machine424: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-fips 7e3002e link true /test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants