MCO-2208: MCO-2125: Migrate mco registry units

[ptalgulk01]

Summary

Migrate 10 test cases from openshift-tests-private to machine-config-operator repo:

• 9 registry tests from mco_registry.go
• 1 units test from mco_units.go

This PR continues the migration effort started in #6021 and #5902.

Tests Migrated

Registry Tests (mco_registry.go - 9 tests)

• 43405: node drain is not needed for mirror config change in container registry
• 42682: change container registry config on ocp 4.6+
• 42680: change pull secret in the openshift-config namespace
• 52520: Configure unqualified-search-registries in Image.config resource
• 57595: Use empty pull-secret
• 61555: ImageDigestMirrorSet test
• 61558: ImageTagMirrorSet test
• 66046: Check image registry certificates
• 68736: machine config server supports bootstrap with IR certs

Units Test (mco_units.go - 1 test)

• 53960: No failed units in the bootstrap machine (AWS/Azure only)

Infrastructure Added

Bootstrap Package (from PR #6027)

• test/extended-priv/util/bootstrap/bootstrap.go - Core bootstrap SSH infrastructure
• test/extended-priv/util/bootstrap/aws.go - AWS instance discovery
• test/extended-priv/util/bootstrap/azure.go - Azure instance discovery
• test/extended-priv/util/ssh_client.go - SSH client utilities

Helper Functions & Methods Added

test/extended-priv/util/clusters.go

• GetClusterVersion() - Returns cluster version and build

test/extended-priv/util.go

• NewImageTagMirrorSet() - Create ImageTagMirrorSet resource
• skipTestIfExtensionsAreUsed() - Skip tests when extensions are present
• GetImageRegistryCertificates() - Retrieve image registry certificates
• GetManagedMergedTrustedImageRegistryCertificates() - Get merged trusted certificates
• GetDataFromConfigMap() - Extract data from ConfigMaps

test/extended-priv/mco.go

• skipTestIfClusterVersion() - Skip tests based on cluster version

test/extended-priv/machineconfig.go

• GetExtensions() - Get extensions configured in MachineConfig

Constants Added

test/extended-priv/const.go

• MCDCrioReloadedRegexp - Regex for detecting CRI-O reloads
• NodeDisruptionPolicyFiles - "files"
• NodeDisruptionPolicyUnits - "units"
• NodeDisruptionPolicySshkey - "sshkey"

Build Verification

make machine-config-tests-ext
./_output/linux/amd64/machine-config-tests-ext list | grep -E "PolarionID:(43405|42682|42680|52520|57595|61555|61558|66046|68736|53960)"

All 10 tests successfully built and appear in test listing.



<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Tests**
* Added extensive tests validating Machine Config Operator behaviors for registry changes, image mirror types, pull-secret handling, certificate bundles, node reboot/drain and cluster-version specific flows; added a bootstrap-unit health test.

* **Chores**
* Added bootstrap discovery for cloud platforms and SSH tooling for test access, cluster-version and ConfigMap certificate utilities, and new test templates for mirror resources.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@ptalgulk01: This pull request references MCO-2208 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Migrate 10 test cases from openshift-tests-private to machine-config-operator repo:

• 9 registry tests from mco_registry.go
• 1 units test from mco_units.go

This PR continues the migration effort started in #6021 and #5902.

Tests Migrated

Registry Tests (mco_registry.go - 9 tests)

• 43405: node drain is not needed for mirror config change in container registry
• 42682: change container registry config on ocp 4.6+
• 42680: change pull secret in the openshift-config namespace
• 52520: Configure unqualified-search-registries in Image.config resource
• 57595: Use empty pull-secret
• 61555: ImageDigestMirrorSet test
• 61558: ImageTagMirrorSet test
• 66046: Check image registry certificates
• 68736: machine config server supports bootstrap with IR certs

Units Test (mco_units.go - 1 test)

• 53960: No failed units in the bootstrap machine (AWS/Azure only)

Infrastructure Added

Bootstrap Package (from PR #6027)

• test/extended-priv/util/bootstrap/bootstrap.go - Core bootstrap SSH infrastructure
• test/extended-priv/util/bootstrap/aws.go - AWS instance discovery
• test/extended-priv/util/bootstrap/azure.go - Azure instance discovery
• test/extended-priv/util/ssh_client.go - SSH client utilities

Helper Functions & Methods Added

test/extended-priv/util/clusters.go

• GetClusterVersion() - Returns cluster version and build

test/extended-priv/util.go

• NewImageTagMirrorSet() - Create ImageTagMirrorSet resource
• skipTestIfExtensionsAreUsed() - Skip tests when extensions are present
• GetImageRegistryCertificates() - Retrieve image registry certificates
• GetManagedMergedTrustedImageRegistryCertificates() - Get merged trusted certificates
• GetDataFromConfigMap() - Extract data from ConfigMaps

test/extended-priv/mco.go

• skipTestIfClusterVersion() - Skip tests based on cluster version

test/extended-priv/machineconfig.go

• GetExtensions() - Get extensions configured in MachineConfig

Constants Added

test/extended-priv/const.go

• MCDCrioReloadedRegexp - Regex for detecting CRI-O reloads
• NodeDisruptionPolicyFiles - "files"
• NodeDisruptionPolicyUnits - "units"
• NodeDisruptionPolicySshkey - "sshkey"

Build Verification

make machine-config-tests-ext
./_output/linux/amd64/machine-config-tests-ext list | grep -E "PolarionID:(43405|42682|42680|52520|57595|61555|61558|66046|68736|53960)"

All 10 tests successfully built and appear in test listing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d68fede6-f617-4531-bb0e-13932fd6dde1

📥 Commits

Reviewing files that changed from the base of the PR and between e8a4eca and 64d737a.

📒 Files selected for processing (8)

• test/extended-priv/machineconfig.go
• test/extended-priv/mco.go
• test/extended-priv/mco_registry.go
• test/extended-priv/testdata/files/add-image-tag-mirror-set.yaml
• test/extended-priv/testdata/files/repository-mirror.yaml
• test/extended-priv/util/bootstrap/azure.go
• test/extended-priv/util/clusters.go
• test/extended-priv/util/ssh_client.go

---

Walkthrough

Adds bootstrap discovery and SSH utilities, cluster-version and extension-aware test helpers, new constants and regexes, a thread-safe SSH client, AWS/Azure bootstrap providers, a comprehensive MCO registry Ginkgo test suite, and supporting testdata/templates.

Changes

MCO Registry and Bootstrap Test Infrastructure

Layer / File(s)	Summary
Constants and small test helpers test/extended-priv/const.go, test/extended-priv/machineconfig.go, test/extended-priv/mco.go, test/extended-priv/util.go, test/extended-priv/util/clusters.go	New exported constants (node disruption policies, crio reload regexp); MachineConfig.GetExtensions(); cluster-version skip helper and extension/check helpers; NewImageTagMirrorSet; GetClusterVersion() and ConfigMap .data helpers.
Bootstrap providers and orchestration test/extended-priv/util/bootstrap/bootstrap.go, test/extended-priv/util/bootstrap/aws.go, test/extended-priv/util/bootstrap/azure.go	New bootstrap package with BSInfoProvider interface, Bootstrap/Ips types, GetBootstrap() orchestration, AWS provider implementation, and Azure provider stub.
SSH client and helpers test/extended-priv/util/ssh_client.go	Adds SshClient with synchronized output buffering, private-key loading, RunOutput, and GetSSHPrivateKey helper.
MCO registry configuration test suite test/extended-priv/mco_registry.go	New extensive Ginkgo suite covering ImageContentSourcePolicy, MachineConfig/cluster image.config changes, ImageDigest/ImageTag mirror sets, pull-secret behaviors, registry certificate bundle checks, and related helpers.
Bootstrap systemd units test test/extended-priv/mco_units.go	Adds a Ginkgo test that locates the bootstrap instance and SSHes to assert zero failed systemd units.
Testdata templates test/extended-priv/testdata/files/add-image-tag-mirror-set.yaml, test/extended-priv/testdata/files/repository-mirror.yaml	New templates for ImageTagMirrorSet and ImageContentSourcePolicy used by tests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm, approved, verified

Suggested reviewers

• pablintino

🚥 Pre-merge checks | ✅ 7 | ❌ 5

❌ Failed checks (4 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Missing assertion messages in 11+ cases. Test 52520 has 116 lines violating single responsibility. Tests avoid BeforeEach/AfterEach patterns used elsewhere in codebase.	Add assertion messages to all Expect() calls. Split multi-concern tests into focused cases. Replace inline defer cleanup with BeforeEach/AfterEach blocks.
Microshift Test Compatibility	⚠️ Warning	mco_registry.go tests use config.openshift.io and operator.openshift.io APIs unavailable on MicroShift without [apigroup:...] tags or exutil.IsMicroShiftCluster() guards.	Add [apigroup:config.openshift.io] or [apigroup:operator.openshift.io] tags to test names, or guard with exutil.IsMicroShiftCluster() checks.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	9 new tests in mco_registry.go lack SNO protection: they assume multiple worker/master nodes and test drain/reboot behavior incompatible with SNO.	Add SkipOnSingleNodeTopology(oc) at test start or use [Skipped:SingleReplicaTopology] label. SkipOnSingleNodeTopology() is available in util/clusters.go.
Title check	❓ Inconclusive	The title references JIRA issues MCO-2208 and MCO-2125 but provides minimal description of the actual changeset. While 'Migrate mco registry units' hints at migration work, the title does not clearly summarize the main change from a developer's perspective.	Clarify the title to better describe the primary change. Consider: 'Migrate MCO registry and units tests to machine-config-operator' or similar to make the scope and purpose more immediately clear.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test titles are static string literals without dynamic content, pod/node names, timestamps, IPs, UUIDs, or generated identifiers. Test names are stable and deterministic.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds only test code and test utilities under test/extended-priv/. It contains no deployment manifests, operator code, or controllers, making the topology-aware scheduling check inapplicable.
Ote Binary Stdout Contract	✅ Passed	All logging uses logger package configured to write to ginkgo.GinkgoWriter. Test suites use Ginkgo v2's g.Describe(). No top-level stdout writes, main(), TestMain() or init() functions.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Tests avoid IPv4 hardcoding, use net.JoinHostPort for IPv6-safe connections, and don't require external internet connectivity beyond cluster-internal operations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ptalgulk01
Once this PR has been reviewed and has the lgtm label, please assign djoshy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (1)

test/extended-priv/mco_registry.go (1)

185-185: ⚡ Quick win

Avoid the bash -c shell wrapper for the file copy.

secretFile/newSecretFile are generated locally, so this is not exploitable today, but invoking bash -c "cp …" with string concatenation is a footgun if either path ever contains a space or shell metacharacter, and it tripped the static analyzer (coderabbit.command-injection.go-exec-command). Invoke cp directly (or use io.Copy over os.Open/os.Create).

♻️ Proposed refactor

-		_, copyErr := exec.Command("bash", "-c", "cp "+secretFile+" "+newSecretFile).Output()
+		_, copyErr := exec.Command("cp", secretFile, newSecretFile).Output()

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended-priv/mco_registry.go` at line 185, Replace the unsafe
shell-invocation exec.Command call that builds a "bash -c" string with a direct
file-copy implementation: either call exec.Command("cp", secretFile,
newSecretFile) to invoke cp without a shell or, preferably, open secretFile and
newSecretFile with os.Open/os.Create and copy contents using io.Copy; update the
site where exec.Command("bash", "-c", "cp "+secretFile+" "+newSecretFile) is
used to reference secretFile and newSecretFile directly to avoid shell
interpolation and satisfy the static analyzer.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended-priv/mco_registry.go`:
- Around line 66-67: The assertion message uses a malformed format verb ("%") so
the node name from node.GetName() will not be printed and fmt will error; update
the format string in the o.Expect(...).To(o.BeFalse(...)) call to use a proper
verb (e.g. "%s") or otherwise build the message with the node name, referencing
the existing call sites node.IsCordoned(), o.Expect, o.BeFalse(), and
node.GetName() so the node name is interpolated correctly into the error
message.
- Around line 545-547: The failure message for the assertion using nodeEvents
and HaveEventsSequence("Drain") is inverted; update the message passed to
o.Expect(...).To(HaveEventsSequence("Drain"), ...) to reflect that we expected a
Drain event but none occurred (e.g. "Error, expected a Drain event to be
triggered but it wasn't") so the log correctly describes the failing condition
for the positive assertion in the nodeEvents/HaveEventsSequence call.
- Around line 627-636: The assertion messages for the checks using
GetManagedMergedTrustedImageRegistryCertificates reference "%s" but don't supply
certFile, causing missing-format tokens; update the
o.Eventually(...).Should(...) and the final o.Expect(...).To(...) calls to
include the certFile in their failure messages (e.g., pass certFile as the
format arg or pre-format the message with fmt.Sprintf), ensure the message still
names merged-trusted-image-registry-ca and the certFile/ certValue variables are
used to construct the assertion text, and keep using
GetManagedMergedTrustedImageRegistryCertificates(oc.AsAdmin()) with the separate
explicit call that checks err as shown.
- Around line 324-334: The master assertions incorrectly reference the worker
and omit format args: in the HaveEventsSequence assertion replace
firstUpdatedWorker.GetName() with firstUpdatedMaster.GetName(), and for the two
o.Expect(...BeTemporally(...)) failure messages add the missing node name
arguments—pass firstUpdatedWorker.GetName() to the worker uptime assertion and
firstUpdatedMaster.GetName() to the master uptime assertion so the "%s"
placeholders are satisfied; look for symbols firstUpdatedMaster.GetEvents,
HaveEventsSequence, firstUpdatedWorker.GetUptime, and
firstUpdatedMaster.GetUptime to locate the lines to edit.

In `@test/extended-priv/mco.go`:
- Around line 86-95: The helper skipTestIfClusterVersion currently calls
o.Expect(err).NotTo(...), which reports failures at this helper; change it to
use o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred()) so failures point to the
caller; keep the rest of the logic (calls to exutil.GetClusterVersion,
CompareVersions and g.Skip with clusterVersion, operator, constraintVersion)
unchanged.

In `@test/extended-priv/util/bootstrap/azure.go`:
- Around line 19-22: The code discards the error returned by
oc.WithoutNamespace().AsAdmin().Run("get").Args(...).Output(), which can leave
infraName empty and produce a misleading bootstrapName and InstanceNotFound
name; change the call that assigns infraName to capture the error (e.g.,
infraName, err := ...Output()), check err and if non-nil log it with context via
logger.Errorf or return a more accurate error, and only construct bootstrapName
and return &InstanceNotFound{bootstrapName} when you have a reliable infraName
(or fall back to a clear placeholder like "<unknown-infra>"); update references
to infraName, bootstrapName, and the InstanceNotFound return accordingly.

In `@test/extended-priv/util/clusters.go`:
- Around line 23-32: GetClusterVersion currently splits clusterBuild into
splitValues and directly indexes [0] and [1], which can panic if the version is
malformed; add bounds checking after strings.Split to verify len(splitValues) >=
2 and return a descriptive error (including clusterBuild) if not, otherwise
construct clusterVersion from splitValues[0] + "." + splitValues[1] and return
as before; ensure you still return the original err (or nil) on success.

In `@test/extended-priv/util/ssh_client.go`:
- Around line 60-86: The SSH dial address in SshClient.RunOutput is built with
fmt.Sprintf("%v:%v", sshClient.Host, sshClient.Port) which breaks for IPv6;
change the address construction to use net.JoinHostPort(sshClient.Host,
strconv.Itoa(sshClient.Port)) (importing net and strconv) and pass that result
to ssh.Dial so IPv4 and IPv6 hosts are handled correctly.

---

Nitpick comments:
In `@test/extended-priv/mco_registry.go`:
- Line 185: Replace the unsafe shell-invocation exec.Command call that builds a
"bash -c" string with a direct file-copy implementation: either call
exec.Command("cp", secretFile, newSecretFile) to invoke cp without a shell or,
preferably, open secretFile and newSecretFile with os.Open/os.Create and copy
contents using io.Copy; update the site where exec.Command("bash", "-c", "cp
"+secretFile+" "+newSecretFile) is used to reference secretFile and
newSecretFile directly to avoid shell interpolation and satisfy the static
analyzer.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a7674f12-1469-4c50-9a47-96179fd4fc59

📥 Commits

Reviewing files that changed from the base of the PR and between 9bd4e4f and 853ccf5.

📒 Files selected for processing (11)

• test/extended-priv/const.go
• test/extended-priv/machineconfig.go
• test/extended-priv/mco.go
• test/extended-priv/mco_registry.go
• test/extended-priv/mco_units.go
• test/extended-priv/util.go
• test/extended-priv/util/bootstrap/aws.go
• test/extended-priv/util/bootstrap/azure.go
• test/extended-priv/util/bootstrap/bootstrap.go
• test/extended-priv/util/clusters.go
• test/extended-priv/util/ssh_client.go

[ptalgulk01]

• https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-machine-config-operator-release-4.23-periodics-e2e-aws-mco-fips-proxy-longduration/2058169397926694912
• https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-machine-config-operator-release-4.23-periodics-e2e-vsphere-mco-tp-longduration/2058169424560525312

[openshift-ci]

@ptalgulk01: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	64d737a	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ptalgulk01]

• AWS:
  https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-machine-config-operator-release-4.23-periodics-e2e-aws-mco-fips-proxy-longduration/2058959166944317440
• vSphere:
  https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-machine-config-operator-release-4.23-periodics-e2e-vsphere-mco-tp-longduration/2058959234162233344