OCPNODE-3983: Add e2e tests for KubeletEnsureSecretPulledImages feature gate

[Chandan9112]

Summary

• Automates all test scenarios from OCPNODE-3982 for the Ensure Secret Pull Images feature
• Covers multi-tenancy isolation, credential rotation, ImagePullPolicy, credential verification policy, and registry availability scenarios
• Uses OpenShift internal image registry and dynamic SA pull secrets

Test Cases

1. Multi-tenancy isolation – private/public image access across namespaces
2. Credential rotation – secret hash mismatch and secret coordinates mismatch
3. ImagePullPolicy – IfNotPresent, Never, Always behavior
4. Credential verification policy – NeverVerify, AlwaysVerify
5. Registry availability – cached pull-records vs new credentials when registry is down

Prerequisites

• Requires KubeletEnsureSecretPulledImages feature gate to be enabled
• Cluster must have TechPreviewNoUpgrade or CustomNoUpgrade FeatureSet
• Tests are annotated with [OCPFeatureGate:KubeletEnsureSecretPulledImages] and will be skipped automatically on clusters without the feature gate enabled

Testing Result

Tested on latest 4.22 OCP cluster

➜ oc version
Client Version: 4.21.0
Kustomize Version: v5.7.1
Server Version: 4.22.0-0.nightly-2026-04-27-194825
Kubernetes Version: v1.35.3

➜ oc get featuregate cluster -o jsonpath='{.spec}'
{"customNoUpgrade":{"enabled":["KubeletEnsureSecretPulledImages"]},"featureSet":"CustomNoUpgrade"}%                                                  

Case 1: 

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 1: Multi-tenancy isolation for private and public images"

    STEP: Verifying tenant-a can pull private image with valid secret @ 04/30/26 12:40:38.661
    STEP: Verifying tenant-b cannot pull private image without secret @ 04/30/26 12:40:41.722
    STEP: Verifying tenant-a can pull public image without secret @ 04/30/26 12:40:44.726
    STEP: Verifying tenant-b can pull same public image without secret @ 04/30/26 12:40:47.935
  • [20.647 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 20.648 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 2:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 2: Credential rotation"

 STEP: Pulling private image with secret-v1 to establish pull record on the node @ 04/30/26 12:41:17.321
    STEP: Verifying pod succeeds when secret hash matches but secret coordinates differ @ 04/30/26 12:41:20.445
    STEP: Verifying pod succeeds when secret coordinates match but secret hash differs @ 04/30/26 12:41:24.155
  I0430 12:41:24.902518 58252 kubelet_secret_pulled_images.go:359] Extracted SA credentials, user=<token>
  • [18.801 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 18.801 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 3:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 3: ImagePullPolicy scenarios"

    STEP: Verifying IfNotPresent ImagePullPolicy with valid secret pulls and caches the image @ 04/30/26 12:41:51.136
    STEP: Verifying Never ImagePullPolicy with valid secret uses cached image @ 04/30/26 12:41:54.211
    STEP: Verifying Always ImagePullPolicy with valid secret re-pulls the image @ 04/30/26 12:41:57.338
  • [16.850 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 16.851 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 4:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 4: Credential verification policy [Slow]"

STEP: Pre-caching private image on the node with a valid secret @ 04/30/26 13:24:28.309
STEP: Applying NeverVerify policy and waiting for MCO rollout @ 04/30/26 13:24:31.349
  I0430 13:24:43.248742 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
  I0430 13:24:43.630075 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
  I0430 13:33:33.642781 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=1/3
  I0430 13:33:43.632152 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=2/3
  I0430 13:39:24.613653 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying NeverVerify policy allows pod without secret to use cached image @ 04/30/26 13:39:24.616
STEP: Switching to AlwaysVerify policy and waiting for MCO rollout @ 04/30/26 13:39:27.673
 I0430 13:45:19.473074 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
  I0430 14:00:57.687670 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying AlwaysVerify policy allows pod with valid secret @ 04/30/26 14:00:57.687
STEP: Verifying AlwaysVerify policy blocks pod without valid secret @ 04/30/26 14:05:19.669
  kubeletconfig.machineconfiguration.openshift.io "cred-verify-policy" deleted
  I0430 14:05:24.264526 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
  I0430 14:05:24.572942 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
  • [1226.487 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 1226.489 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 5:

/openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 5: Registry availability"

STEP: Caching private image then making the registry unavailable @ 04/30/26 12:42:21.2
  deployment.apps/image-registry scaled
  Waiting for deployment "image-registry" rollout to finish: 0 of 2 updated replicas are available...
  Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
  Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
  Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
  deployment "image-registry" successfully rolled out
STEP: Verifying cached pull-record works when registry is down @ 04/30/26 12:43:14.358
STEP: Verifying new credentials fail when registry is down @ 04/30/26 12:43:17.371
  deployment.apps/image-registry scaled
  • [68.573 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 68.574 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

References

• OCPNODE-3982
• OCPNODE-3983

Summary by CodeRabbit

• Tests
  • Added a comprehensive disruptive node test suite validating kubelet image-pull credential verification and image-pull behaviors across multi-tenant isolation, secret rotation, ImagePullPolicy modes (IfNotPresent/Never/Always), verification-policy transitions coordinated with node updates, and cached vs fresh pulls when the registry is unavailable.
• Documentation
  • Added a test suite entry to the node tests README describing scope, scenarios, and feature requirements.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

Adds a new serial Ginkgo ordered disruptive long-running node test that validates kubelet image-pull credential verification and cached pull-record behavior across five scenarios: multi-tenant isolation, secret rotation, ImagePullPolicy modes, KubeletConfig verification policy transitions (with MCP rollout), and registry availability effects. Includes helpers and README entry.

Changes

Kubelet Secret Pulled Images Test Suite

Layer / File(s)	Summary
Test Suite Bootstrap / Fixtures test/extended/node/kubelet_secret_pulled_images.go	Adds new Ginkgo ordered disruptive-longrunning suite with BeforeAll selecting worker node, creating source namespace and imagestream tag, waiting for readiness, extracting internal-registry dockercfg for service account, and AfterAll cleanup.
Case 1 — Multi‑tenant Isolation test/extended/node/kubelet_secret_pulled_images.go	Creates two tenant namespaces, grants system:image-puller, provisions pull secret for tenant A, asserts tenant A can pull private image while tenant B fails; both can pull public tools image without secrets.
Case 2 — Secret Rotation / Pull‑record test/extended/node/kubelet_secret_pulled_images.go	Seeds cached pull-record, rotates secret name with same credentials and asserts success, then rotates content using a different service account (same coordinates) and asserts success.
Case 3 — ImagePullPolicy Interactions test/extended/node/kubelet_secret_pulled_images.go	Exercises IfNotPresent, Never, and Always policies with valid pull secret to validate cache vs forced re-pull behavior and credential verification.
Case 4 — KubeletConfig Credential Verification test/extended/node/kubelet_secret_pulled_images.go	Applies KubeletConfig changes (NeverVerify → AlwaysVerify) with MCP rollout waits; verifies pods without secrets can use cached images under NeverVerify, are rejected under AlwaysVerify, and pods with valid secret succeed.
Case 5 — Registry Availability Effects test/extended/node/kubelet_secret_pulled_images.go	Seeds cached pull-records, scales image-registry deployment to zero, verifies cached pulls still succeed while creating new credentials/pulls fail due to registry unavailability.
Helpers / Utilities test/extended/node/kubelet_secret_pulled_images.go	Adds helpers for namespace lifecycle, RBAC grant to system:image-puller, building dockerconfig secrets, extracting service-account dockercfg from internal-registry annotations, pod creation/waiting and pull-failure assertions, applying/deleting KubeletConfig, and MCP update waits.
Test Indexing / Docs test/extended/node/README.md	Adds kubelet_secret_pulled_images.go to openshift/disruptive-longrunning test list with descriptive entry and required feature set note.

sequenceDiagram
  participant Test as Test Harness
  participant APIServer as Kubernetes API
  participant Kubelet as Node Kubelet
  participant Registry as Internal Registry
  participant MCP as MachineConfigPool

  Test->>APIServer: create namespaces, imagestream tag, extract secret
  Test->>APIServer: create pods referencing secrets / imagePullPolicy
  APIServer->>Kubelet: schedule Pod spec
  Kubelet->>Registry: attempt image pull (use secret or cached pull-record)
  Registry-->>Kubelet: respond (success / unauthorized / unavailable)
  alt KubeletConfig change
    Test->>APIServer: apply KubeletConfig (NeverVerify / AlwaysVerify)
    APIServer->>MCP: rollout config
    MCP-->>Kubelet: kubelet restarts with new policy
  end
  Kubelet-->>APIServer: report Pod status (Running / ErrImagePull / ImagePullBackOff)
  Test->>APIServer: scale registry (to zero) and validate cached vs new pulls

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 27.27% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	All 23 assertions lack error messages, violating requirement #4. Codebase convention includes messages but test has none.	Add error messages to all Expect() assertions following codebase pattern: o.Expect(err).NotTo(o.HaveOccurred(), "failed to create namespace"). Verify Case 4 AlwaysVerify test properly blocks default SA's auto-injected dockercfg.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	Test requires dedicated worker nodes and silently skips on SNO. Not protected by [Skipped:SingleReplicaTopology], IsSingleNode() check, or skipOnSingleNodeTopology() call.	Add [Skipped:SingleReplicaTopology] to test Describe line (line 33) OR add skipOnSingleNodeTopology(oc) call in BeforeAll after feature-set check (line 58).

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding end-to-end tests for the KubeletEnsureSecretPulledImages feature gate, which aligns perfectly with the changeset's primary purpose.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test titles are stable and deterministic. No dynamic content found in test names (no generated suffixes, timestamps, UUIDs, node/namespace names, or IP addresses).
Microshift Test Compatibility	✅ Passed	Test uses KubeletConfig, MachineConfigPool, and other OpenShift APIs unavailable on MicroShift, but is protected by exutil.IsMicroShiftCluster() check with g.Skip() at lines 49-54 in BeforeAll.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds test code only. Custom check applies to deployment manifests, operators, controllers—not tests. Code skips gracefully when workers unavailable, uses no prohibited scheduling patterns.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations. Test file uses standard Ginkgo patterns with no main(), init(), or package-level stdout writes. All logging is framework-controlled within test blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Test contains no IPv4 assumptions or external connectivity requirements. All images pulled from cluster-internal registry using DNS discovery. Fully compatible with IPv6-only and disconnected CI jobs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

test/extended/node/kubelet_secret_pulled_images.go (1)

409-425: ⚡ Quick win

Consider folding the MCP transition polling into the shared helper.

This local helper duplicates MCP condition polling that already exists in test/extended/node/node_utils.go:521-570. Extending the shared wait path to support “must observe Updating=True before waiting for ready” would keep rollout semantics in one place and avoid the two implementations drifting on degraded/updated handling.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/node/kubelet_secret_pulled_images.go` around lines 409 - 425,
The function credVerifyWaitForMCPUpdating duplicates MCP polling; remove it and
extend the existing shared helper waitForMCP (in node_utils.go) to accept an
option/flag (e.g., requireObserveUpdating bool or a policy enum) that first
polls for condition Type "Updating" == True and only then proceeds with the
existing wait-for-ready semantics; update callers (including where
credVerifyWaitForMCPUpdating was used) to call waitForMCP with the new option so
all MCP transition logic remains centralized and avoids duplicated/ drifting
implementations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/node/kubelet_secret_pulled_images.go`:
- Around line 27-30: Replace the Docker Hub mutable image references with
pinned, internally-hosted images: change the constant credVerifyPublicImage from
"docker.io/library/nginx:alpine" to a registry-controlled, immutable image
(preferably using a digest) served by the cluster image-registry (use
internalRegistryPrefix as the prefix and point to a specific repo@sha256:...
digest); update the seed import lines referenced around 71-74 likewise to pull
from the internal registry and pin by digest (do not use :latest or other
mutable tags) so all pulls come from the environment-controlled registry and are
immutable.
- Around line 251-257: Before scaling the image-registry down, query and store
its current replica count (e.g., via
oc.AsAdmin().WithoutNamespace().Run("get").Args("deployment/image-registry",
"-n", "openshift-image-registry", "-o", "jsonpath={.spec.replicas}") or
equivalent) and then use that stored value in the g.DeferCleanup closure instead
of the hard-coded "--replicas=2"; in the cleanup closure call
oc.AsAdmin().WithoutNamespace().Run("scale").Args("deployment/image-registry",
"-n", "openshift-image-registry", fmt.Sprintf("--replicas=%d",
originalReplicas)) and then wait for completion with
oc.AsAdmin().WithoutNamespace().Run("rollout").Args("status",
"deployment/image-registry", "-n", "openshift-image-registry",
"--timeout=2m").Execute() to ensure the registry is restored to its exact prior
size and the test waits for rollout.

---

Nitpick comments:
In `@test/extended/node/kubelet_secret_pulled_images.go`:
- Around line 409-425: The function credVerifyWaitForMCPUpdating duplicates MCP
polling; remove it and extend the existing shared helper waitForMCP (in
node_utils.go) to accept an option/flag (e.g., requireObserveUpdating bool or a
policy enum) that first polls for condition Type "Updating" == True and only
then proceeds with the existing wait-for-ready semantics; update callers
(including where credVerifyWaitForMCPUpdating was used) to call waitForMCP with
the new option so all MCP transition logic remains centralized and avoids
duplicated/ drifting implementations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6c10e20a-d25e-473b-9257-be65b6405b54

📥 Commits

Reviewing files that changed from the base of the PR and between 231811f and f75db07.

📒 Files selected for processing (1)

• test/extended/node/kubelet_secret_pulled_images.go

[openshift-ci-robot]

@Chandan9112: This pull request references OCPNODE-3983 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Automates all test scenarios from OCPNODE-3982 for the Ensure Secret Pull Images feature
• Covers multi-tenancy isolation, credential rotation, ImagePullPolicy, credential verification policy, and registry availability scenarios
• Uses OpenShift internal image registry and dynamic SA pull secrets

Test Cases

1. Multi-tenancy isolation – private/public image access across namespaces
2. Credential rotation – secret hash mismatch and secret coordinates mismatch
3. ImagePullPolicy – IfNotPresent, Never, Always behavior
4. Credential verification policy – NeverVerify, AlwaysVerify
5. Registry availability – cached pull-records vs new credentials when registry is down

Prerequisites

• Requires KubeletEnsureSecretPulledImages feature gate to be enabled
• Cluster must have TechPreviewNoUpgrade or CustomNoUpgrade FeatureSet
• Tests are annotated with [OCPFeatureGate:KubeletEnsureSecretPulledImages] and will be skipped automatically on clusters without the feature gate enabled

Testing Result

Tested on latest 4.22 OCP cluster

➜ oc version
Client Version: 4.21.0
Kustomize Version: v5.7.1
Server Version: 4.22.0-0.nightly-2026-04-27-194825
Kubernetes Version: v1.35.3

➜ oc get featuregate cluster -o jsonpath='{.spec}'
{"customNoUpgrade":{"enabled":["KubeletEnsureSecretPulledImages"]},"featureSet":"CustomNoUpgrade"}%                                                  

Case 1: 

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 1: Multi-tenancy isolation for private and public images"

   STEP: Verifying tenant-a can pull private image with valid secret @ 04/30/26 12:40:38.661
   STEP: Verifying tenant-b cannot pull private image without secret @ 04/30/26 12:40:41.722
   STEP: Verifying tenant-a can pull public image without secret @ 04/30/26 12:40:44.726
   STEP: Verifying tenant-b can pull same public image without secret @ 04/30/26 12:40:47.935
 • [20.647 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 20.648 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 2:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 2: Credential rotation"

STEP: Pulling private image with secret-v1 to establish pull record on the node @ 04/30/26 12:41:17.321
   STEP: Verifying pod succeeds when secret hash matches but secret coordinates differ @ 04/30/26 12:41:20.445
   STEP: Verifying pod succeeds when secret coordinates match but secret hash differs @ 04/30/26 12:41:24.155
 I0430 12:41:24.902518 58252 kubelet_secret_pulled_images.go:359] Extracted SA credentials, user=<token>
 • [18.801 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 18.801 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 3:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 3: ImagePullPolicy scenarios"

   STEP: Verifying IfNotPresent ImagePullPolicy with valid secret pulls and caches the image @ 04/30/26 12:41:51.136
   STEP: Verifying Never ImagePullPolicy with valid secret uses cached image @ 04/30/26 12:41:54.211
   STEP: Verifying Always ImagePullPolicy with valid secret re-pulls the image @ 04/30/26 12:41:57.338
 • [16.850 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 16.851 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 4:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 4: Credential verification policy [Slow]"

STEP: Pre-caching private image on the node with a valid secret @ 04/30/26 13:24:28.309
STEP: Applying NeverVerify policy and waiting for MCO rollout @ 04/30/26 13:24:31.349
 I0430 13:24:43.248742 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
 I0430 13:24:43.630075 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
 I0430 13:33:33.642781 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=1/3
 I0430 13:33:43.632152 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=2/3
 I0430 13:39:24.613653 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying NeverVerify policy allows pod without secret to use cached image @ 04/30/26 13:39:24.616
STEP: Switching to AlwaysVerify policy and waiting for MCO rollout @ 04/30/26 13:39:27.673
I0430 13:45:19.473074 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
 I0430 14:00:57.687670 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying AlwaysVerify policy allows pod with valid secret @ 04/30/26 14:00:57.687
STEP: Verifying AlwaysVerify policy blocks pod without valid secret @ 04/30/26 14:05:19.669
 kubeletconfig.machineconfiguration.openshift.io "cred-verify-policy" deleted
 I0430 14:05:24.264526 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
 I0430 14:05:24.572942 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
 • [1226.487 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 1226.489 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 5:

/openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 5: Registry availability"

STEP: Caching private image then making the registry unavailable @ 04/30/26 12:42:21.2
 deployment.apps/image-registry scaled
 Waiting for deployment "image-registry" rollout to finish: 0 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 deployment "image-registry" successfully rolled out
STEP: Verifying cached pull-record works when registry is down @ 04/30/26 12:43:14.358
STEP: Verifying new credentials fail when registry is down @ 04/30/26 12:43:17.371
 deployment.apps/image-registry scaled
 • [68.573 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 68.574 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

References

• OCPNODE-3982
• OCPNODE-3983

Summary by CodeRabbit

Release Notes

• Tests
• Added comprehensive test suite validating kubelet credential verification and image pull behavior across multiple scenarios including private/public image access patterns, secret rotation handling, image pull policy variations, KubeletConfig-driven credential policy transitions coordinated with node pool updates, and cached versus fresh credential scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Chandan9112: This pull request references OCPNODE-3983 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

Summary

• Automates all test scenarios from OCPNODE-3982 for the Ensure Secret Pull Images feature
• Covers multi-tenancy isolation, credential rotation, ImagePullPolicy, credential verification policy, and registry availability scenarios
• Uses OpenShift internal image registry and dynamic SA pull secrets

Test Cases

1. Multi-tenancy isolation – private/public image access across namespaces
2. Credential rotation – secret hash mismatch and secret coordinates mismatch
3. ImagePullPolicy – IfNotPresent, Never, Always behavior
4. Credential verification policy – NeverVerify, AlwaysVerify
5. Registry availability – cached pull-records vs new credentials when registry is down

Prerequisites

• Requires KubeletEnsureSecretPulledImages feature gate to be enabled
• Cluster must have TechPreviewNoUpgrade or CustomNoUpgrade FeatureSet
• Tests are annotated with [OCPFeatureGate:KubeletEnsureSecretPulledImages] and will be skipped automatically on clusters without the feature gate enabled

Testing Result

Tested on latest 4.22 OCP cluster

➜ oc version
Client Version: 4.21.0
Kustomize Version: v5.7.1
Server Version: 4.22.0-0.nightly-2026-04-27-194825
Kubernetes Version: v1.35.3

➜ oc get featuregate cluster -o jsonpath='{.spec}'
{"customNoUpgrade":{"enabled":["KubeletEnsureSecretPulledImages"]},"featureSet":"CustomNoUpgrade"}%                                                  

Case 1: 

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 1: Multi-tenancy isolation for private and public images"

   STEP: Verifying tenant-a can pull private image with valid secret @ 04/30/26 12:40:38.661
   STEP: Verifying tenant-b cannot pull private image without secret @ 04/30/26 12:40:41.722
   STEP: Verifying tenant-a can pull public image without secret @ 04/30/26 12:40:44.726
   STEP: Verifying tenant-b can pull same public image without secret @ 04/30/26 12:40:47.935
 • [20.647 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 20.648 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 2:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 2: Credential rotation"

STEP: Pulling private image with secret-v1 to establish pull record on the node @ 04/30/26 12:41:17.321
   STEP: Verifying pod succeeds when secret hash matches but secret coordinates differ @ 04/30/26 12:41:20.445
   STEP: Verifying pod succeeds when secret coordinates match but secret hash differs @ 04/30/26 12:41:24.155
 I0430 12:41:24.902518 58252 kubelet_secret_pulled_images.go:359] Extracted SA credentials, user=<token>
 • [18.801 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 18.801 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 3:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 3: ImagePullPolicy scenarios"

   STEP: Verifying IfNotPresent ImagePullPolicy with valid secret pulls and caches the image @ 04/30/26 12:41:51.136
   STEP: Verifying Never ImagePullPolicy with valid secret uses cached image @ 04/30/26 12:41:54.211
   STEP: Verifying Always ImagePullPolicy with valid secret re-pulls the image @ 04/30/26 12:41:57.338
 • [16.850 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 16.851 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 4:

./openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 4: Credential verification policy [Slow]"

STEP: Pre-caching private image on the node with a valid secret @ 04/30/26 13:24:28.309
STEP: Applying NeverVerify policy and waiting for MCO rollout @ 04/30/26 13:24:31.349
 I0430 13:24:43.248742 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
 I0430 13:24:43.630075 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
 I0430 13:33:33.642781 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=1/3
 I0430 13:33:43.632152 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=2/3
 I0430 13:39:24.613653 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying NeverVerify policy allows pod without secret to use cached image @ 04/30/26 13:39:24.616
STEP: Switching to AlwaysVerify policy and waiting for MCO rollout @ 04/30/26 13:39:27.673
I0430 13:45:19.473074 64108 node_utils.go:564] MachineConfigPool worker not ready yet: updating=true, ready=false, machines=0/3
 I0430 14:00:57.687670 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
STEP: Verifying AlwaysVerify policy allows pod with valid secret @ 04/30/26 14:00:57.687
STEP: Verifying AlwaysVerify policy blocks pod without valid secret @ 04/30/26 14:05:19.669
 kubeletconfig.machineconfiguration.openshift.io "cred-verify-policy" deleted
 I0430 14:05:24.264526 64108 node_utils.go:522] Waiting for MCP worker to be ready (timeout: 30m0s)...
 I0430 14:05:24.572942 64108 node_utils.go:561] MachineConfigPool worker is ready: 3/3 machines ready
 • [1226.487 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 1226.489 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

Case 5:

/openshift-tests run-test "[sig-node][Suite:openshift/disruptive-longrunning][Disruptive][OCPFeatureGate:KubeletEnsureSecretPulledImages][Serial] Case 5: Registry availability"

STEP: Caching private image then making the registry unavailable @ 04/30/26 12:42:21.2
 deployment.apps/image-registry scaled
 Waiting for deployment "image-registry" rollout to finish: 0 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 Waiting for deployment "image-registry" rollout to finish: 1 of 2 updated replicas are available...
 deployment "image-registry" successfully rolled out
STEP: Verifying cached pull-record works when registry is down @ 04/30/26 12:43:14.358
STEP: Verifying new credentials fail when registry is down @ 04/30/26 12:43:17.371
 deployment.apps/image-registry scaled
 • [68.573 seconds]
 ------------------------------

 Ran 1 of 1 Specs in 68.574 seconds
 SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped

References

• OCPNODE-3982
• OCPNODE-3983

Summary by CodeRabbit

• Tests
• Added a comprehensive disruptive node test suite that validates kubelet credential verification and image-pull behavior across scenarios: multi-tenant isolation for private/public images, secret rotation effects, ImagePullPolicy modes (IfNotPresent/Never/Always), KubeletConfig-driven verification transitions coordinated with node pool updates, and cached versus fresh pull behavior when the registry is unavailable.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ngopalak-redhat]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning

[openshift-ci]

@ngopalak-redhat: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/3cb375d0-44a6-11f1-837c-4e7f0d7ef13a-0

[ngopalak-redhat]

@Chandan9112 Can you add the link to the job that actually runs this test case?

[Chandan9112]

@Chandan9112 Can you add the link to the job that actually runs this test case?

CI job: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-origin-31102-nightly-4.22-e2e-aws-disruptive-longrunning/2049868133291790336

The tests are skipped in this job because the cluster doesn't have the KubeletEnsureSecretPulledImages feature gate enabled (requires TechPreviewNoUpgrade or CustomNoUpgrade FeatureSet).

[Chandan9112]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview

[openshift-ci]

@Chandan9112: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/39bdf220-484c-11f1-96b2-66597a73dafb-0

[Chandan9112]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview

[openshift-ci]

@Chandan9112: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview-1of2
• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning-techpreview-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0a664830-4868-11f1-9015-6470e27966d2-0

[cpmeadors]

@Chandan9112 this should go into main first and then get backported to release-4.22. Can you change the target branch?

[Chandan9112]

@Chandan9112 this should go into main first and then get backported to release-4.22. Can you change the target branch?

Sure @cpmeadors ., I have changed the target branch to main.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

test/extended/node/kubelet_secret_pulled_images.go (1)

258-266: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Cleanup rollout --timeout=2m is likely too short for image-registry to come back up.

Scaling deployment/image-registry from 0 back to originalReplicas typically takes longer than 2m on real CI clusters (pod scheduling on workers, image pull, leader election, readiness). If the rollout doesn't finish before the deferred cleanup returns, the next test (or post-suite teardown) can race against an unhealthy registry. Bump the timeout (10m matches what was suggested previously) and treat the rollout result as best-effort but observable.

♻️ Proposed change

 	g.DeferCleanup(func() {
 		_ = oc.AsAdmin().WithoutNamespace().Run("scale").Args(
 			"deployment/image-registry", "-n", "openshift-image-registry",
 			fmt.Sprintf("--replicas=%d", originalReplicas),
 		).Execute()
 		_ = oc.AsAdmin().WithoutNamespace().Run("rollout").Args(
-			"status", "deployment/image-registry", "-n", "openshift-image-registry", "--timeout=2m",
+			"status", "deployment/image-registry", "-n", "openshift-image-registry", "--timeout=10m",
 		).Execute()
 	})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/kubelet_secret_pulled_images.go` around lines 258 - 266,
The deferred cleanup waits only 2 minutes for the image-registry rollout which
is too short; update the rollout invocation in the g.DeferCleanup block (the
oc.AsAdmin().WithoutNamespace().Run("rollout").Args("status",
"deployment/image-registry", "-n", "openshift-image-registry",
"--timeout=2m").Execute() call) to use a longer timeout (e.g. "--timeout=10m")
and treat the result as best-effort (don’t cause cleanup to fail if the rollout
times out—capture/ignore the error or log it instead) so the registry has
sufficient time to return to originalReplicas.

🧹 Nitpick comments (2)

test/extended/node/kubelet_secret_pulled_images.go (2)

281-310: 💤 Low value

Map iteration over credentialprovider.DockerConfig is non-deterministic.

for _, auth := range cfg returns the first entry encountered, but Go map iteration order is randomized. For an SA dockercfg there is normally one auth entry so this is fine in practice; if a future kubelet/OpenShift change adds a second registry endpoint to the secret, this helper would silently pick a non-deterministic credential. Consider keying by internalRegistryPrefix (or a host suffix match) instead of taking the first map entry.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/kubelet_secret_pulled_images.go` around lines 281 - 310,
The helper credVerifyExtractSAPullSecret iterates a
credentialprovider.DockerConfig map (cfg) and picks the first auth entry, which
is non-deterministic; change the logic to look up the auth by key that matches
internalRegistryPrefix (or by suffix match on the host) instead of taking the
first map entry, then pass that matched auth.Username/auth.Password into
credVerifyBuildDockerConfigJSON and return that result; ensure the function
still returns an error via the o.Eventually Succeed path if no matching entry is
found.

---

386-396: 💤 Low value

Confirm WaitForPodCondition will satisfy on transient ErrImagePull -> ImagePullBackOff.

credVerifyExpectImagePullError polls only ContainerStatuses[*].State.Waiting.Reason. On a freshly-created pod that has not yet been scheduled / had containers created, ContainerStatuses may be empty for a window, and on registry-down paths kubelet may transition through ErrImagePull → ImagePullBackOff quickly. The 3-minute timeout should be enough in practice, but you may also want to inspect InitContainerStatuses and treat CrashLoopBackOff-style stalls as failure to surface test issues quickly. Worth a sanity pass against CI logs to make sure this doesn't flake when the registry is fully down (Case 5).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/kubelet_secret_pulled_images.go` around lines 386 - 396,
The current WaitForPodCondition predicate in credVerifyExpectImagePullError only
inspects ContainerStatuses and can miss transient transitions or initial empty
statuses; update the predicate used by e2epod.WaitForPodCondition to also
iterate p.Status.InitContainerStatuses, treat Waiting reasons "ErrImagePull" and
"ImagePullBackOff" as the match you want, and additionally treat
"CrashLoopBackOff" (from either ContainerStatuses or InitContainerStatuses) as a
failure/early-surface condition so the test doesn't hang waiting silently;
ensure the predicate handles empty status arrays by continuing to poll rather
than assuming success.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/node/kubelet_secret_pulled_images.go`:
- Around line 230-238: The pod `pod-alwaysverify-nosecret` is inheriting the
default SA's dockercfg so AlwaysVerify isn't actually being tested; fix by
creating a dedicated ServiceAccount with imagePullSecrets: [] (no dockercfg) and
use that SA for the test pod: create e.g. SA "no-pull-sa" in the test namespace
(ensure it has empty imagePullSecrets and optionally
automountServiceAccountToken: false), then modify the call that creates the pod
(credVerifyPod invocation for "pod-alwaysverify-nosecret") to set
serviceAccountName to "no-pull-sa" (either extend credVerifyPod to accept a
serviceAccountName parameter or construct the pod spec inline) and keep the
credVerifyExpectImagePullError call targeting that pod so AlwaysVerify rejection
is exercised properly.

---

Duplicate comments:
In `@test/extended/node/kubelet_secret_pulled_images.go`:
- Around line 258-266: The deferred cleanup waits only 2 minutes for the
image-registry rollout which is too short; update the rollout invocation in the
g.DeferCleanup block (the
oc.AsAdmin().WithoutNamespace().Run("rollout").Args("status",
"deployment/image-registry", "-n", "openshift-image-registry",
"--timeout=2m").Execute() call) to use a longer timeout (e.g. "--timeout=10m")
and treat the result as best-effort (don’t cause cleanup to fail if the rollout
times out—capture/ignore the error or log it instead) so the registry has
sufficient time to return to originalReplicas.

---

Nitpick comments:
In `@test/extended/node/kubelet_secret_pulled_images.go`:
- Around line 281-310: The helper credVerifyExtractSAPullSecret iterates a
credentialprovider.DockerConfig map (cfg) and picks the first auth entry, which
is non-deterministic; change the logic to look up the auth by key that matches
internalRegistryPrefix (or by suffix match on the host) instead of taking the
first map entry, then pass that matched auth.Username/auth.Password into
credVerifyBuildDockerConfigJSON and return that result; ensure the function
still returns an error via the o.Eventually Succeed path if no matching entry is
found.
- Around line 386-396: The current WaitForPodCondition predicate in
credVerifyExpectImagePullError only inspects ContainerStatuses and can miss
transient transitions or initial empty statuses; update the predicate used by
e2epod.WaitForPodCondition to also iterate p.Status.InitContainerStatuses, treat
Waiting reasons "ErrImagePull" and "ImagePullBackOff" as the match you want, and
additionally treat "CrashLoopBackOff" (from either ContainerStatuses or
InitContainerStatuses) as a failure/early-surface condition so the test doesn't
hang waiting silently; ensure the predicate handles empty status arrays by
continuing to poll rather than assuming success.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9045bc92-642a-449d-9c0a-52b945afadad

📥 Commits

Reviewing files that changed from the base of the PR and between 179ba2d and 8400dc7.

📒 Files selected for processing (2)

• test/extended/node/README.md
• test/extended/node/kubelet_secret_pulled_images.go

✅ Files skipped from review due to trivial changes (1)

• test/extended/node/README.md

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@Chandan9112: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-deps	d5a3719	link	true	/test verify-deps
ci/prow/verify-image-manifest-lists	d5a3719	link	true	/test verify-image-manifest-lists
ci/prow/unit	d5a3719	link	true	/test unit
ci/prow/lint	d5a3719	link	true	/test lint
ci/prow/images	d5a3719	link	true	/test images
ci/prow/verify	d5a3719	link	true	/test verify
ci/prow/go-verify-deps	d5a3719	link	true	/test go-verify-deps

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Chandan9112]

/verified by CI

[openshift-ci-robot]

@Chandan9112: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Chandan9112]

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview

[openshift-ci]

@Chandan9112: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a7d1a480-49f7-11f1-807e-fc6872531416-0

[Chandan9112]

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview

[openshift-ci]

@Chandan9112: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-1of2
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning-techpreview-2of2

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b3940ff0-4a20-11f1-9614-0149f060bdbf-0

[cpmeadors]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Chandan9112, cpmeadors, ngopalak-redhat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/node/OWNERS [cpmeadors]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Chandan9112]

/retest