OCPQE-31342: Update aggregated-cert post check

[xiuwang]

Resolved:

1. After this bug OCPBUGS-53261 fix, the duplicated dns in cert will cause error, add annotation to skip the conflict check for this "azure-aks-hypershift-full-cert-guest-f14" profile
2. Combine kubeconfig with the generated cert to resolve hosted cluster's kubeconfig x509 error

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[xiuwang]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xiuwang
Once this PR has been reviewed and has the lgtm label, please assign heliubj18 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@xiuwang: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[xiuwang]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

[openshift-ci-robot]

@xiuwang: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[xiuwang]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

[openshift-ci-robot]

@xiuwang: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@xiuwang: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[xiuwang]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

[openshift-ci-robot]

@xiuwang: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[xiuwang]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

[openshift-ci-robot]

@xiuwang: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

@xiuwang: This pull request references OCPQE-31342 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Resolved:

1. After this bug OCPBUGS-53261 fix, the duplicated dns in cert will cause error, add annotation to skip the conflict check for this "azure-aks-hypershift-full-cert-guest-f14" profile
2. Combine kubeconfig with the generated cert to resolve hosted cluster's kubeconfig x509 error

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[lunarwhite]

Thanks for your patch fix!

[lunarwhite]

Apologies I have minor knowledge in Hypershift, I have following concerns IMHO:

• Certificates issued by the Let's Encrypt are publicly trusted, so clients should already trust them without adding them to kubeconfig. If something is broken without this combination step, perhaps we should fix it elsewhere rather than relying on this workaround?
• The certs stored in .data.tls.crt include the server certificate, which should not be included in the combined CA bundle used for TLS verification.

There is another existing TODO (might be relevant / out-of-scope):

release/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh

Lines 186 to 188 in 343cf10

	# Update KUBECONFIG to allow secure communication between kubelets and the external KAS endpoint
	# TODO: remove this workaround once https://issues.redhat.com/browse/OCPBUGS-41853 is resolved
	remove_kubelet_kubeconfig_cluster_ca

Just checked OCPBUGS-41853 now is resolved. Not sure whether removing the old outdated workaround would help simplify what this PR is trying to fix?

[xiuwang]

OCPBUGS-41853 fixed as a document update, OCPSTRAT-1516 add a new approach to add external dns with cert , qe prow ci added in https://github.com/openshift/release/pull/64900/files.
Maybe I can configure to deprecated azure-aks-hypershift-full-cert-guest-f14 jobs

[openshift-ci]

@xiuwang: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	60535b1	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	60535b1	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14	60535b1	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-azure-aks-hypershift-full-cert-guest-f14

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.