test/e2e: do not use ambiguous container image short names

ibihim · ibihim · commit 5b0eea82dfee · 2026-01-15T14:52:11.000+01:00
The e2e tests fail on OCP 4.22 because RHEL 9 enforces fully qualified
container image names ("short name mode"). The backend image
`nginxdemos/nginx-hello:plain-text` is rejected with ImageInspectError
since Podman cannot determine which registry to pull from.

Replace it with `registry.k8s.io/e2e-test-images/agnhost:2.53`, a fully
qualified image that is the standard e2e test image across OpenShift
repositories. The agnhost image requires running the `netexec` subcommand
to start its HTTP server.

Update test expectations from "URI: /" to "NOW:" to match agnhost's
response format.
diff --git a/test/e2e/proxy_test.go b/test/e2e/proxy_test.go
@@ -92,7 +92,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 			proxyArgs: []string{
 				"--upstream=http://localhost:8080",
 			},
-			pageResult: "URI: /",
+			pageResult: "NOW:",
 		},
 		{
 			name: "scope-full",
@@ -108,7 +108,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				"--upstream=http://localhost:8080",
 				`--openshift-sar={"namespace":"` + ns + `","resource":"services","verb":"list"}`,
 			},
-			pageResult: "URI: /",
+			pageResult: "NOW:",
 		},
 		{
 			name: "sar-fail",
@@ -124,7 +124,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				"--upstream=http://localhost:8080",
 				`--openshift-sar={"namespace":"` + ns + `","resource":"routes","resourceName":"proxy-route","verb":"get"}`,
 			},
-			pageResult: "URI: /",
+			pageResult: "NOW:",
 		},
 		{
 			name: "sar-name-fail",
@@ -140,7 +140,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				"--upstream=http://localhost:8080",
 				`--openshift-sar=[{"namespace":"` + ns + `","resource":"services","verb":"list"}, {"namespace":"` + ns + `","resource":"routes","verb":"list"}]`,
 			},
-			pageResult: "URI: /",
+			pageResult: "NOW:",
 		},
 		{
 			name: "sar-multi-fail",
@@ -157,7 +157,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				`--skip-auth-regex=^/foo`,
 			},
 			accessSubPath: "/foo",
-			pageResult:    "URI: /foo\n",
+			pageResult:    "NOW:",
 			bypass:        true,
 		},
 		{
@@ -167,7 +167,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				`--skip-auth-regex=^/foo`,
 			},
 			accessSubPath: "/bar",
-			pageResult:    "URI: /bar",
+			pageResult:    "NOW:",
 		},
 		{
 			name: "bypass-auth-foo",
@@ -176,7 +176,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				`--bypass-auth-for=^/foo`,
 			},
 			accessSubPath: "/foo",
-			pageResult:    "URI: /foo\n",
+			pageResult:    "NOW:",
 			bypass:        true,
 		},
 		{
@@ -186,7 +186,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				`--bypass-auth-except-for=^/foo`,
 			},
 			accessSubPath: "/foo",
-			pageResult:    "URI: /foo\n",
+			pageResult:    "NOW:",
 		},
 		{
 			name: "bypass-auth-except-bypassed",
@@ -195,7 +195,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 				`--bypass-auth-except-for=^/foo`,
 			},
 			accessSubPath: "/bar",
-			pageResult:    "URI: /bar",
+			pageResult:    "NOW:",
 			bypass:        true,
 		},
 	}
@@ -227,7 +227,7 @@ func TestOAuthProxyE2E(t *testing.T) {
 	openshiftTransport, err := rest.TransportFor(testConfig)
 	require.NoError(t, err)
 
-	backendImage := "nginxdemos/nginx-hello:plain-text"
+	backendImage := "registry.k8s.io/e2e-test-images/agnhost:2.53"
 
 	upstreamCA, upstreamCert, upstreamKey, err := createCAandCertSet("localhost")
 	require.NoError(t, err, "Error creating upstream TLS certificates")
@@ -306,6 +306,9 @@ func TestOAuthProxyE2E(t *testing.T) {
 
 			err = waitForPodRunningInNamespace(ctx, kubeClient, oauthProxyPod)
 			if err != nil {
+				// Log detailed pod debug info to help diagnose startup failures
+				debugInfo := getPodDebugInfo(ctx, kubeClient, oauthProxyPod.Name, ns)
+				t.Logf("Pod failed to reach Running state. Debug info:\n%s", debugInfo)
 				t.Fatalf("setup: error waiting for pod to run: %s", err)
 			}
 
diff --git a/test/e2e/util.go b/test/e2e/util.go
@@ -188,6 +188,81 @@ func podRunning(ctx context.Context, c kubernetes.Interface, podName, namespace
 	}
 }
 
+// getPodDebugInfo returns detailed debugging information about a pod's state,
+// including conditions, container statuses, and events. This is useful for
+// diagnosing why a pod failed to reach Running state.
+func getPodDebugInfo(ctx context.Context, c kubernetes.Interface, podName, namespace string) string {
+	var info strings.Builder
+
+	pod, err := c.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+	if err != nil {
+		return fmt.Sprintf("failed to get pod %s/%s: %v", namespace, podName, err)
+	}
+
+	// Pod phase and basic info
+	info.WriteString(fmt.Sprintf("Pod: %s/%s\n", namespace, podName))
+	info.WriteString(fmt.Sprintf("Phase: %s\n", pod.Status.Phase))
+	if pod.Status.Reason != "" {
+		info.WriteString(fmt.Sprintf("Reason: %s\n", pod.Status.Reason))
+	}
+	if pod.Status.Message != "" {
+		info.WriteString(fmt.Sprintf("Message: %s\n", pod.Status.Message))
+	}
+
+	// Pod conditions
+	info.WriteString("\nConditions:\n")
+	for _, cond := range pod.Status.Conditions {
+		info.WriteString(fmt.Sprintf("  - %s: %s", cond.Type, cond.Status))
+		if cond.Reason != "" {
+			info.WriteString(fmt.Sprintf(" (Reason: %s)", cond.Reason))
+		}
+		if cond.Message != "" {
+			info.WriteString(fmt.Sprintf(" - %s", cond.Message))
+		}
+		info.WriteString("\n")
+	}
+
+	// Container statuses
+	info.WriteString("\nContainer Statuses:\n")
+	allStatuses := append(pod.Status.InitContainerStatuses, pod.Status.ContainerStatuses...)
+	for _, cs := range allStatuses {
+		info.WriteString(fmt.Sprintf("  - %s: Ready=%v, RestartCount=%d\n",
+			cs.Name, cs.Ready, cs.RestartCount))
+		if cs.State.Waiting != nil {
+			info.WriteString(fmt.Sprintf("    State: Waiting - Reason: %s, Message: %s\n",
+				cs.State.Waiting.Reason, cs.State.Waiting.Message))
+		}
+		if cs.State.Running != nil {
+			info.WriteString(fmt.Sprintf("    State: Running since %s\n",
+				cs.State.Running.StartedAt.String()))
+		}
+		if cs.State.Terminated != nil {
+			info.WriteString(fmt.Sprintf("    State: Terminated - Reason: %s, ExitCode: %d, Message: %s\n",
+				cs.State.Terminated.Reason, cs.State.Terminated.ExitCode, cs.State.Terminated.Message))
+		}
+		if cs.LastTerminationState.Terminated != nil {
+			info.WriteString(fmt.Sprintf("    LastTermination: Reason: %s, ExitCode: %d, Message: %s\n",
+				cs.LastTerminationState.Terminated.Reason,
+				cs.LastTerminationState.Terminated.ExitCode,
+				cs.LastTerminationState.Terminated.Message))
+		}
+	}
+
+	// Pod events
+	events, err := c.CoreV1().Events(namespace).List(ctx, metav1.ListOptions{
+		FieldSelector: fmt.Sprintf("involvedObject.name=%s,involvedObject.kind=Pod", podName),
+	})
+	if err == nil && len(events.Items) > 0 {
+		info.WriteString("\nEvents:\n")
+		for _, e := range events.Items {
+			info.WriteString(fmt.Sprintf("  - %s %s: %s\n",
+				e.Type, e.Reason, e.Message))
+		}
+	}
+
+	return info.String()
+}
+
 func waitUntilRouteIsReady(t *testing.T, transport http.RoundTripper, url string) error {
 	client := newHTTPSClient(t, transport)
 	return wait.PollImmediate(time.Second, 30*time.Second, func() (bool, error) {
@@ -781,6 +856,7 @@ func newOAuthProxyPod(proxyImage, backendImage string, suffix string, extraProxy
 				{
 					Image: backendImage,
 					Name:  "hello-openshift",
+					Args:  []string{"netexec", "--http-port=8080"},
 					SecurityContext: &v1.SecurityContext{
 						AllowPrivilegeEscalation: pointer.Bool(false),
 						Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
