Feature
Resolution: Unresolved
Major
Product / Portfolio Work
100% To Do, 0% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
This feature completes the remaining ARO HCP e2e test coverage work from OCPSTRAT-2159 by implementing network policy isolation, Cilium CNI testing, certificate rotation validation, and CI configuration cleanup. This ensures comprehensive test coverage for ARO Hosted Control Planes environments.
Goals (aka. expected user outcomes)
- Implement NetworkPolicy resources for ARO-HCP hosted control plane isolation with e2e verification
- Add e2e test coverage for Cilium Network Policies on ARO HCP guest clusters
- Create e2e tests for certificate rotation in ARO HCP components
- Clean up legacy CI environment variables from AKS e2e workflows
Primary users:
- ARO HCP development and support teams
- QA and CI/CD pipeline maintainers
- Release engineering teams
Requirements (aka. Acceptance Criteria):
- NetworkPolicies are created for ARO-HCP hosted control plane namespaces
- E2e tests validate that control plane components have proper labels for KAS access
- E2e tests validate that unauthorized components (e.g., CVO) cannot access management cluster KAS
- Cilium Network Policies are tested and validated on ARO HCP guest clusters
- Certificate rotation e2e tests pass on supported OpenShift versions
- Legacy CI environment variables (AUTH_THROUGH_CERTS, AKS_USER_HYPERSHIFT_MI, HYPERSHIFT_AZURE_CP_MI) are cleaned up
- All tests are integrated into ARO HCP CI suite without flakes
Deployment considerations
| Scenario | Needs |
|---|---|
| Self-managed, managed, or both | Managed (ARO-specific) |
| Classic (standalone cluster) | N/A |
| Hosted control planes | Required |
| Multi node, Compact (three node), or Single node (SNO), or all | Multi-node only |
| Connected / Restricted Network | Connected only |
| Architectures | x86_64 and arm64 |
| Operator compatibility | Ensure compatibility with hypershift and Cilium operators |
| Backport needed | N/A |
| UI need | N/A |
| Other | Ensure test results feed into release dashboards and status reporting |
Use Cases (Optional):
Main Scenario 1 - Network Policy Isolation:
- ARO HCP hosted control plane is created
- NetworkPolicies are automatically applied to the control plane namespace
- E2e tests verify that authorized components can access the management cluster KAS
- E2e tests verify that unauthorized components are blocked
Main Scenario 2 - Cilium Network Policies:
- ARO HCP guest cluster is deployed with Cilium CNI
- E2e tests verify Cilium Network Policies functionality (ingress/egress rules, pod-to-pod communication)
- Tests validate network policies are properly enforced
Main Scenario 3 - Certificate Rotation:
- ARO HCP components with certificates are identified
- Certificate rotation is triggered
- E2e tests verify cluster remains healthy after rotation
Out of Scope
- New e2e test framework development
- Non-AKS platform testing
- Changes to certificate rotation implementation (testing only)
Background
This feature consolidates the remaining work from the original OCPSTRAT-2159 initiative. While significant progress was made in standardizing e2e-aks testing, these specific items remain incomplete:
- Network policy isolation for ARO-HCP control planes was not implemented
- Cilium CNI testing is still in code review
- Certificate rotation e2e testing was not started
- CI environment cleanup is pending
Customer Considerations
ARO HCP customers depend on robust security isolation between hosted control planes. Network policy enforcement and certificate rotation are critical for maintaining security posture. This work ensures these features are properly tested before reaching production.
Documentation Considerations
N/A - Internal testing improvements only.
Interoperability Considerations
- This feature directly impacts ARO and Hypershift teams
- Cilium CNI integration requires compatibility testing
- CI changes require coordination with QE team
- split from: OCPSTRAT-2159 Standardization and Integration of e2e-aks Testing Processes (Closed)