USHIFT-6746: migrate 23 OTP router tests to Robot Framework

[agullon]

Warning

This PR adds 5 new scenarios under release dir, it must be on hold until dynamic scheduling is implemented

Summary

Migrates 23 end-to-end router tests from openshift-tests-private (Go/Ginkgo) into the MicroShift repo as Robot Framework tests. These tests validate MicroShift's ingress controller configuration pipeline — the path from config.yaml to the router deployment, HAProxy config, and actual route connectivity.

Two tests were intentionally skipped because they already have equivalent coverage:

• OCP-60149 (HTTP Ingress) — covered by networking-smoke.robot
• OCP-73621 (namespace ownership toggle) — covered by router-basic.robot

What's tested

File	Tests	Scenario	Est. Time
router-routes.robot	6 non-disruptive: route types (HTTP, edge, passthrough, reencrypt), ingress with destCA, namespace ownership default, LB service type, default listen IPs/ports	@router-routes	~15 min
router-config-infra.robot	4 disruptive: custom listen IPs/ports, enable/disable router, syslog destination, negative config validation	@router-config-infra	~32 min
router-config-tls.robot	4 disruptive: custom default cert, Old/Intermediate TLS, Modern/Custom TLS, mTLS Required/Optional	@router-config-tls	~31 min
router-config-policies.robot	4 disruptive: tuning options, mTLS subject filter, wildcard admission policy, httpLogFormat	@router-config-policies	~30 min
router-config-logging.robot	5 disruptive: cookie capture (prefix + exact + maxLength), header capture (request/response + maxLength), custom error pages	@router-config-logging	~32 min

New infrastructure

• test/resources/router.resource — ~50 shared keywords for workload deployment, route creation/admission, curl-from-pod (HTTP/HTTPS/cookie/mTLS variants), HAProxy config inspection, router log checking, and OpenSSL certificate generation
• test/assets/router/ — 8 fixture files: nginx deployments (plain + TLS), test client pod, HTTP/reencrypt ingress manifests, custom error pages, rsyslogd pod
• 15 release scenario scripts — 5 groups × 3 platforms (non-bootc, bootc el9, bootc el10), each targeting ~30 min execution
• test/bin/run-single-test.sh — helper to run individual tests or full suites against a remote MicroShift host

Other changes

• Renames router.robot → router-basic.robot for consistency
• Updates all existing router scenario scripts to reference router-basic.robot explicitly (prevents the new files from being picked up by presubmit scenarios)

Test plan

• make verify-rf passes (robocop check + format)
• shellcheck passes on all scenario scripts
• Run @router-routes scenario on CI
• Run @router-config-infra scenario on CI
• Run @router-config-tls scenario on CI
• Run @router-config-policies scenario on CI
• Run @router-config-logging scenario on CI
• Confirm existing @router presubmit still passes (only runs router-basic.robot)

🤖 Generated with Claude Code

[openshift-ci-robot]

@agullon: This pull request references USHIFT-6746 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Migrates 23 tests from openshift-tests-private/test/extended/router/microshift.go to Robot Framework in the MicroShift repo
• Adds 6 non-disruptive route tests covering HTTP, edge, passthrough, reencrypt routes via router-routes.robot
• Adds 17 disruptive config tests covering TLS profiles, mTLS, access logging, custom error pages, and wildcard routes via router-config.robot
• Adds shared test/resources/router.resource with reusable keywords for workload deployment, route creation, curl-from-pod, haproxy inspection, and OpenSSL cert generation
• Adds el98-src@router-extended.sh CI scenarios (presubmits + releases) for the new test files; updates existing router.sh scenarios to explicitly reference router.robot instead of the directory wildcard to avoid picking up the new (slower) tests
• Skips OCP-60149 (HTTP Ingress, already covered by networking-smoke.robot) and OCP-73621 (namespace ownership toggle, already covered by router.robot)

Test plan

• Run make verify-rf locally to confirm lint and format pass
• Trigger el98-src@router-extended presubmit to validate new tests
• Confirm existing el98-src@router presubmit still passes (only runs router.robot)
• Review test cases in router-routes.robot and router-config.robot for correctness

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds router E2E test assets/manifests, a Robot Framework shared resource library, two Robot suites (routes and router-config), and scenario/CI scripts to run them.

Changes

Router End-to-End Test Infrastructure

Layer / File(s)	Summary
Test assets and manifests test/assets/router/*	Kubernetes manifests, pod definitions, Ingress resources, and static HTTP error page assets used by the router tests (deployments, services, ingresses, test client and rsyslog pods, custom 404/503 pages).
Shared Robot resource library test/resources/router.resource	Robot Framework resource adding variables and ~40 keywords for deploying workloads, creating/validating routes, pod-based curl probing (HTTP/HTTPS/mTLS/cookies), router inspection (env, HAProxy config, logs), MicroShift drop-in orchestration, LB/service queries, OpenSSL cert generation (with SAN support), SSH host inspection, and operational helpers.
Route validation suite test/suites/router/router-routes.robot	Suite with tests verifying ingress-based reencrypt, edge/passthrough routes, HTTP vs reencrypt behavior, namespace ownership defaults, LoadBalancer service type, and LB IP/port/listening checks; includes helper keywords for setup/teardown and curl helpers.
Router configuration suite test/suites/router/router-config.robot	Disruptive tests exercising router drop-ins: listen addresses/ports, ingress status toggle, tuning options, TLS profiles, mTLS policies and allowedSubjectPatterns, wildcard admission, HTTP access logging (cookie/header capture, maxLength), custom error pages, structured HTTP logs, and syslog forwarding; includes many helper keywords and negative validation cases.
Scenario scripts & CI edits test/scenarios*/*@router*.sh	Presubmit/release/bootc script updates narrowing test targets to suites/router/router.robot, plus new router-extended scenario scripts that create VMs and run both router-routes.robot and router-config.robot.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• jerpeter1

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check requires Ginkgo test code review, but PR adds Robot Framework tests. Check instructions reference Ginkgo constructs ("It blocks") and patterns not applicable to Robot Framework.	Clarify check scope: is it intended for Ginkgo (Go) tests, Robot Framework tests, or both? This PR contains only Robot Framework code.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: migrating 23 OTP router tests to Robot Framework, which is the core objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check targets Ginkgo tests, but PR contains only Robot Framework tests (.robot/.resource files) with stable, descriptive test names containing no dynamic values.
Microshift Test Compatibility	✅ Passed	PR adds only Robot Framework tests, not Ginkgo e2e tests. The custom check targets Ginkgo (It(), Describe(), etc.), which are absent.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds Robot Framework tests only, not Ginkgo e2e tests. SNO compatibility check applies only to Ginkgo tests.
Topology-Aware Scheduling Compatibility	✅ Passed	All changes are test infrastructure only. No production code or operators modified. Test fixtures have no topology-incompatible scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR migrates router tests from Go to Robot Framework; contains only .robot, .resource, .yaml, .http, and .sh files. No Go OTE binaries subject to stdout contract validation.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New tests dynamically detect cluster IPs (IPv4 or IPv6), use hostname-based URLs with --resolve, pin all images by digest from internal registry, and require no external connectivity.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [agullon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/assets/router/web-server-signed-deploy.yaml`:
- Around line 50-58: The nginx container currently lacks an explicit
securityContext; update the container spec for the container named "nginx" to
add a securityContext that enforces non-root execution and reduces privileges
(e.g., set runAsNonRoot: true, runAsUser to a non-root UID such as 1000, set
allowPrivilegeEscalation: false, set readOnlyRootFilesystem: true, and drop
capabilities like ["ALL"]); place this securityContext block under the nginx
container entry so the pod explicitly hardens runtime privileges.

In `@test/resources/router.resource`:
- Around line 131-137: The JsonPath currently used in the "Router Pod Env Should
Have Value" keyword queries all router pods via
.items[*].spec.containers[*].env[...] which can return multiple values during
rollouts; change the Oc Get JsonPath call to scope to a single pod (e.g., use
.items[0].spec.containers[*].env[?(@.name=="${env_name}")].value) so only one
value is returned, keeping the rest of the keyword (Should Be Equal As Strings
and variables like ${ROUTER_NS} and ${env_name}) unchanged.

In `@test/suites/router/router-config.robot`:
- Around line 722-723: The assertion is checking the wrong truncated hostname
and the comment is wrong; change the test that uses Wait For Router Logs To
Contain from waiting for "route-unsec82003.ap" to the correctly truncated
16-character hostname "route-unsec82003" and update the preceding comment to
state that the full hostname should be truncated to "route-unsec82003" (16
chars) when maxLength: 16; locate the assertion by the call to Wait For Router
Logs To Contain and the nearby comment in the router-config.robot test and
replace both the expected string and the comment to reflect the correct
16-character truncation.

In `@test/suites/router/router-routes.robot`:
- Around line 171-179: Add admission assertions after each route creation: after
the Create OC Route calls for route-http, route-edge, and route-passth call the
Route Should Be Admitted keyword (same as for route-reen) so every created route
is verified before curl checks; also mirror this change in the other identical
route-creation block that creates route-http, route-edge and route-passth so all
created routes are gated on admission.
- Around line 117-120: The test currently assigns ${env} from Oc Get JsonPath
and then asserts it equals a single "true", which fails when multiple router
pods produce values like "true true"; update the assertion so it verifies every
returned env value for ROuTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK is "true" (e.g.,
split ${env} into items or iterate over the list and assert each item == "true",
or use a collection-level assertion) instead of comparing the aggregated string
with a single "true"; adjust the steps surrounding Oc Get JsonPath / ${env} and
replace the single-string check (Should Be Equal As Strings ${env} true) with a
per-item check so multi-pod results pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebedf450-e7d9-43c3-85aa-30293f17a3da

📥 Commits

Reviewing files that changed from the base of the PR and between ca5e605 and 42f5ec7.

📒 Files selected for processing (22)

• robocop.toml
• test/assets/router/error-page-404.http
• test/assets/router/error-page-503.http
• test/assets/router/microshift-ingress-destca.yaml
• test/assets/router/microshift-ingress-http.yaml
• test/assets/router/rsyslogd-pod.yaml
• test/assets/router/test-client-pod.yaml
• test/assets/router/web-server-deploy.yaml
• test/assets/router/web-server-signed-deploy.yaml
• test/resources/router.resource
• test/scenarios-bootc/el10/presubmits/el102-src@router-extended.sh
• test/scenarios-bootc/el10/presubmits/el102-src@router.sh
• test/scenarios-bootc/el10/releases/el102-lrel@osconfig-router.sh
• test/scenarios-bootc/el9/presubmits/el98-src@router-extended.sh
• test/scenarios-bootc/el9/presubmits/el98-src@router.sh
• test/scenarios-bootc/el9/releases/el98-lrel@osconfig-router.sh
• test/scenarios/presubmits/el98-src@router-extended.sh
• test/scenarios/presubmits/el98-src@router.sh
• test/scenarios/releases/el98-lrel@router-extended.sh
• test/scenarios/releases/el98-lrel@router.sh
• test/suites/router/router-config.robot
• test/suites/router/router-routes.robot

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/scenarios-bootc/el9/releases/el98-lrel`@router-extended.sh:
- Around line 15-16: The test script incorrectly calls exit_if_image_not_found
in teardown/test phases which can silently skip cleanup or tests; remove the
exit_if_image_not_found invocations from scenario_remove_vms and
scenario_run_tests and leave the guard only in scenario_create_vms so image
availability only blocks VM creation; locate and delete the
exit_if_image_not_found "${start_image}" calls in the scenario_remove_vms and
scenario_run_tests blocks (also check the duplicate occurrences noted around the
other invocation) and ensure no other teardown/test functions call
exit_if_image_not_found.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ee327aa5-6071-49cd-bfcc-37af5609b3c0

📥 Commits

Reviewing files that changed from the base of the PR and between 42f5ec7 and ba69fa0.

📒 Files selected for processing (2)

• test/scenarios-bootc/el10/releases/el102-lrel@router-extended.sh
• test/scenarios-bootc/el9/releases/el98-lrel@router-extended.sh

✅ Files skipped from review due to trivial changes (1)

• test/scenarios-bootc/el10/releases/el102-lrel@router-extended.sh

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/resources/router.resource`:
- Around line 102-105: The helper currently forces a HEAD request by passing -I
to curl in the oc exec call (the line using "oc exec ... -- curl ${url} -sI
--resolve ${resolve} --connect-timeout 10 ${flags}"), which strips the body;
remove the hardcoded -I so the command becomes "-s --resolve ${resolve}
--connect-timeout 10 ${flags}" (or otherwise omit -I) and rely on the existing
${flags} argument to opt into HEAD when callers need it; update the Robot
keyword that wraps Run With Kubeconfig to use the modified curl invocation so
downstream checks (e.g. custom 503 error-page assertions) can see response
bodies.
- Around line 338-348: The wrapper keyword "Generate Client Cert File In Dir" is
incorrectly prepending "/CN=" before the ${cn} when calling "Generate CSR And
Key", causing double "/CN=/CN=..." for callers that already provide a full
subject; modify the call to Generate CSR And Key to pass ${cn} unchanged (remove
the hardcoded "/CN=" prefix) so the subject provided by callers is forwarded
verbatim.

In `@test/suites/router/router-config.robot`:
- Around line 702-710: The test "Verify Custom LB Ports And IP" currently uses
"Get LB IPs" + "Should Contain", which allows extra IPs; change it to assert
exclusivity by checking the list length and membership: after calling ${lb_ips}=
Get LB IPs add "Length Should Be    ${lb_ips}    1" and then keep or add "Should
Contain    ${lb_ips}    ${host_ip}" (or replace both with creating @{expected}
with ${host_ip} and use "Lists Should Be Equal    ${lb_ips}    ${expected}").
This ensures the router-default LB exposes exactly the single custom ${host_ip}.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 924210dd-c568-4210-9330-ea0caa00cd47

📥 Commits

Reviewing files that changed from the base of the PR and between ba69fa0 and d8a7c7f.

📒 Files selected for processing (3)

• test/resources/router.resource
• test/suites/router/router-config.robot
• test/suites/router/router-routes.robot

[agullon]

/label tide/merge-method-squash

[agullon]

Addressed CodeRabbit inline suggestions:

• Route admission checks (comment on router-routes.robot): Added Route Should Be Admitted for route-http, route-edge, and route-passth in Create And Admit Four Route Types — fixed in 4954eb6.
• LB IP exclusivity (comment on router-config.robot:710): Changed Should Contain to Should Be Equal As Strings in Verify Custom LB Ports And IP — fixed in 4954eb6.

[agullon]

/retest

[agullon]

/hold until dynamic scheduling is implemented because this PR adds 5 new scenarios targetting latest release version

[openshift-ci]

@agullon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-release	7f6e4a7	link	true	/test e2e-aws-tests-release

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.