Skip to content

Remove CNV-82351 xfail from TLS compliance tests#5428

Open
OhadRevah wants to merge 2 commits into
RedHatQE:mainfrom
OhadRevah:removeCNV-82351
Open

Remove CNV-82351 xfail from TLS compliance tests#5428
OhadRevah wants to merge 2 commits into
RedHatQE:mainfrom
OhadRevah:removeCNV-82351

Conversation

@OhadRevah

@OhadRevah OhadRevah commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
What this PR does / why we need it:

Per CNV-82351 resolution: hyperconverged-cluster-cli-download relies on a secured route for TLS, matching OCP CLI downloads server behavior. No plans to secure the service itself. The service is excluded from TLS testing at the fixture level instead of xfailing per subtest.

assisted by: claude code claude-opus-4-6

Which issue(s) this PR fixes:
Special notes for reviewer:
jira-ticket:

https://redhat.atlassian.net/browse/CNV-82351

Per CNV-82351 resolution: hyperconverged-cluster-cli-download relies on
a secured route for TLS, matching OCP CLI downloads server behavior.
No plans to secure the service itself. The service is excluded from TLS
testing at the fixture level instead of xfailing per subtest.

assisted by: claude code claude-opus-4-6

Signed-off-by: Ohad <orevah@redhat.com>
@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@OhadRevah, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 58 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d3573f06-e3a4-408c-816e-0dba2631d489

📥 Commits

Reviewing files that changed from the base of the PR and between ebf19fd and 8fda3c5.

📒 Files selected for processing (3)
  • tests/install_upgrade_operators/crypto_policy/conftest.py
  • tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py
  • tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-virtualization-qe-bot-6

Copy link
Copy Markdown

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

  • Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
  • Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
  • Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
  • Branch Labeling: Branch-specific labels are applied to track the target branch
  • Auto-verification: Auto-verified users have their PRs automatically marked as verified
  • Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

  • /wip - Mark PR as work in progress (adds WIP: prefix to title)
  • /wip cancel - Remove work in progress status
  • /hold - Block PR merging (approvers only)
  • /hold cancel - Unblock PR merging
  • /verified - Mark PR as verified
  • /verified cancel - Remove verification status
  • /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
  • /regenerate-welcome - Regenerate this welcome message
  • /security-override - Set security check runs to pass (maintainers only)
  • /security-override cancel - Re-run security checks

Review & Approval

  • /lgtm - Approve changes (looks good to me)
  • /approve - Approve PR (approvers only)
  • /assign-reviewers - Assign reviewers based on OWNERS file
  • /assign-reviewer @username - Assign specific reviewer
  • /check-can-merge - Check if PR meets merge requirements

Testing & Validation

  • /retest tox - Run Python test suite with tox
  • /retest build-container - Rebuild and test container image
  • /retest verify-bugs-are-open - verify-bugs-are-open
  • /retest all - Run all available tests

Container Operations

  • /build-and-push-container - Build and push container image (tagged with PR number)
    • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

  • /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
    • Multiple branches: /cherry-pick branch1 branch2 branch3
  • /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

  • /rebase - Rebase this PR branch onto its base branch

Custom Commands

  • /test-plan - Triggers CodeRabbit to analyze the PR's changed files and post a test execution plan
  • /rerun-smoke - Adds `retest-smoke` label on the PR to trigger smoke tests exectuion

Label Management

  • /<label-name> - Add a label to the PR
  • /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

  1. Approval: /approve from at least one approver
  2. LGTM Count: Minimum 2 /lgtm from reviewers
  3. Status Checks: All required status checks must pass
  4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
  5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

  • dshchedr
  • myakove
  • rnetser
  • vsibirsk

Reviewers:

  • OhadRevah
  • RoniKishner
  • albarker-rh
  • dshchedr
  • hmeir
  • rlobillo
  • rnetser
  • vsibirsk
Available Labels
  • hold
  • verified
  • wip
  • lgtm
  • approve
AI Features
  • Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)
Security Checks
  • Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
  • Committer Identity Check: Verifies last committer matches PR author
  • Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

  • WIP Status: Use /wip when your PR is not ready for review
  • Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
  • Cherry-picking: Cherry-pick labels are processed when the PR is merged
  • Container Builds: Container images are automatically tagged with the PR number
  • Permission Levels: Some commands require approver permissions
  • Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

@openshift-virtualization-qe-bot-2

Copy link
Copy Markdown
Contributor

Clean rebase detected — no code changes compared to previous head (a4cb3bf).

@OhadRevah

Copy link
Copy Markdown
Contributor Author

/verified

@openshift-virtualization-qe-bot-3

Copy link
Copy Markdown
Contributor

@coderabbitai

Test execution plan request details

CRITICAL: You MUST post an inline review comment on the first changed line of the first file.
The inline comment should contain the full Test Execution Plan (smoke decision, gating decision, and specific affected tests).
Do NOT submit a blocking review event (REQUEST_CHANGES/APPROVE).
Post a single inline PR comment on Files Changed (non-blocking COMMENT flow).

As an expert software testing engineer, analyze all modified files in this PR and create a targeted test execution plan.
You will post an inline review comment with the test execution plan on the first changed file.
If you fail to run or post a comment, retry.

Analysis Requirements:

  1. Examine code changes in each modified file

  2. Identify affected code paths, functions, and classes

  3. Analyze pytest-specific elements: fixtures (scope, dependencies), parametrization, markers, conftest changes

  4. Trace test dependencies through imports, shared utilities, fixture inheritance, fixture teardown, and yield from cleanup in conftest

  5. Detect new tests introduced in the PR

  6. Utilities and libs impact (when utilities/ or libs/ changes):
    You MUST use shell scripts (rg, git diff) to trace the full impact.
    Follow these sub-steps in order:

    6a. Identify modified symbols: For each changed file under utilities/ or libs/,
    list every modified function or method.
    Example: git diff HEAD~1 --unified=0 -- utilities/hco.py | grep '^[+-]def '

    6b. Find direct callers: Search tests and conftest for each symbol from 6a.
    Example: rg -l 'get_hco_version' tests/

    6c. Trace fixture teardown and cleanup: Find fixtures that reach
    the modified symbol through yield from or context-manager wrappers.
    Example: rg -l 'yield from.*enable_common_boot|def.*enable_common_boot' tests/

    6d. Trace same-file callers: In each changed file, find other functions
    whose body calls a modified symbol (including code after yield
    in @contextmanager helpers).
    Example: rg 'get_hco_version|enable_common_boot' utilities/hco.py

    6e. Expand transitively: If function A calls modified B, then
    tests/fixtures that call A are affected — even when the test body
    never imports B directly.

    Do NOT limit impact to tests that import the modified symbol only.

  7. Smoke test impact: Intersect the affected set from step 6 with smoke-marked tests.
    Run: rg -l '@pytest.mark.smoke' tests/
    VERIFY the above command returned actual file paths before concluding False.
    Set True if either condition is met:

    • a smoke-marked file appears in the affected set from 6b-6e, OR
    • any conftest.py in the smoke test's parent-directory hierarchy (up to repo root)
      imports or calls a modified utilities/libs symbol — including autouse fixtures
      that depend on modified functions. ALL tests in that directory and below are affected.
      Example check: for each smoke_file, scan dirname(smoke_file)/conftest.py,
      dirname(dirname(smoke_file))/conftest.py, etc. for modified symbol imports
      and autouse fixtures that depend on modified symbols.
  8. Gating test impact: Intersect the affected set from step 6 with gating-marked tests.
    Run: rg -l '@pytest.mark.gating' tests/
    Set True if a gating-marked file also appears in the affected set from 6b-6e.
    Utilities/libs changes often affect gating tests without affecting smoke tests.
    Do NOT stop analysis after concluding Run smoke tests: False.

Output rules:
Do NOT include analysis step numbers (1-8) in your visible output.

Your deliverable:
Your inline informational comment will be based on the following requirements:

Test Execution Plan

  • Run smoke tests: True / False — If True, state the dependency path (test → fixture → changed symbol). True ONLY with a verified path.
  • Run gating tests: True / False — If True, state the dependency path. True if any gating-marked test is in the affected set.
  • Affected tests to run (required when utilities/, libs/, or shared conftest changes — list concrete paths even when smoke is False)

Use these formats:

  • path/to/test_file.py - When the entire test file needs verification
  • path/to/test_file.py::TestClass::test_method - When specific test(s) needed
  • path/to/test_file.py::test_function - When specific test(s) needed
  • -m marker - When a marker covers multiple affected tests (e.g. -m gating only if ALL gating tests in scope need run)
  • Tag each listed test or group with its marker when not obvious, e.g. (gating) or (smoke)

Real test commands (MANDATORY when changes affect session/runtime code):

When the affected code runs at session/collection time (conftest fixtures, pytest plugins,
config hooks, session-scoped setup) or modifies runtime behavior that unit tests mock away,
you MUST include concrete pytest commands the PR author must run on a real cluster
to verify the change works end-to-end. Include:

  • A command for the error/fix path (the scenario the PR fixes)
  • A command for the happy path (regression: the normal case still works)
  • Use lightweight tests (e.g., --collect-only for startup failures,
    a single small test for runtime behavior)
    If the PR only changes test logic (not utilities/libs/conftest), the affected test
    paths themselves serve as the real test commands — no separate section needed.

Example output for a session-startup fix:

**Real tests (cluster required)**
Error path (the fix):
`pytest tests/storage/.../test_foo.py --storage-class-matrix=nonexistent-sc --collect-only`
Expected: ValueError with clear message, not IndexError

Happy path (regression):
`pytest tests/storage/.../test_foo.py --storage-class-matrix=<valid-sc> -k test_bar`
Expected: session starts normally

Guidelines:

  • Include tests affected directly OR via fixture setup/teardown, yield from cleanup, or transitive utility call chains (caller calls modified helper)
  • Use a full file path only if ALL tests in that file require verification
  • Use file path + test name when only specific tests use an affected fixture or utility wrapper (preferred for partial file impact)
  • If a test marker can cover multiple files/tests, provide the marker
  • Balance coverage vs over-testing - Keep descriptions minimal
  • Example: if leaf helper foo() changes, include tests whose fixture teardown calls wrapper bar() where bar() calls foo(), even when the test body only imports an unrelated symbol from the same utilities module

Hardware-Related Checks (SR-IOV, GPU, DPDK):

When PR modifies fixtures for hardware-specific resources:

  • Collection Safety: Fixtures MUST have existence checks (return None when hardware unavailable)
  • Test Plan: MUST verify both WITH and WITHOUT hardware:
    • Run affected tests on cluster WITH hardware
    • Verify collection succeeds on cluster WITHOUT hardware

CRITICAL WORKFLOW COMPLETION RULES:

When responding to this test execution plan request, you MUST follow these rules EXACTLY:

  1. YOUR ONLY DELIVERABLE: Post one non-blocking inline comment containing the test execution plan on the first changed line
  2. THEN STOP IMMEDIATELY - Do NOT generate any additional response
  3. FALLBACK ONLY: If inline comment API calls fail after retrying, post as a regular PR comment
  4. SILENCE = SUCCESS: After successfully submitting the review, your task is complete. No confirmation needed.

ABSOLUTE PROHIBITIONS (violating these creates empty/meaningless reviews):

  • ❌ Do NOT post acknowledgment messages like "Test execution plan posted", "Review posted successfully", "I've successfully posted"
  • ❌ Do NOT mention review IDs, URLs, or confirmation of posting in the PR thread
  • ❌ Do NOT add any follow-up comments after submitting the review
  • ❌ Do NOT reply to confirm task completion
  • ❌ Do NOT explain what you did - just do it and stop

Remember: The pull request review is visible to users. Additional comments are redundant noise.

CRITICAL — Verification rules for smoke and gating decisions:
- For each True decision, you must have traced a concrete path: test file → fixture → utility function → modified symbol.
- Do NOT assume impact based on scope, file proximity, or infrastructure-sounding names.
Only set True when you trace a concrete path through steps 6a-6e, then 7 or 8.
WRONG: "utilities/hco.py changed → run smoke" (no traced dependency path)
WRONG: "Run smoke tests: False" with no affected-test list when gating tests use the changed utility
RIGHT: "Run smoke tests: False, Run gating tests: True" plus tests/.../test_foo.py::TestBar::test_baz (gating)
RIGHT: "Smoke test X uses fixture Y → wrapper Z → changed function W in utilities/hco.py"

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatQE/openshift-virtualization-tests"
pr="5428"

echo "== PR metadata =="
gh pr view "$pr" --repo "$repo" --json number,title,baseRefName,headRefName,headRefOid,baseRefOid,files,url

echo
echo "== Changed files from git diff base...HEAD =="
base_ref=$(gh pr view "$pr" --repo "$repo" --json baseRefName --jq '.baseRefName')
git fetch origin "$base_ref" --depth=1 >/dev/null 2>&1 || true
git diff --name-only "origin/$base_ref...HEAD"

echo
echo "== Unified diff =="
git diff --unified=3 "origin/$base_ref...HEAD"

echo
echo "== Smoke-marked tests =="
rg -n --glob 'tests/**/*.py' '`@pytest`\.mark\.smoke' tests || true

echo
echo "== Gating-marked tests =="
rg -n --glob 'tests/**/*.py' '`@pytest`\.mark\.gating' tests || true

Length of output: 13005


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatQE/openshift-virtualization-tests"
pr="5428"

echo "== AST outline: tests/install_upgrade_operators/crypto_policy/conftest.py =="
ast-grep outline tests/install_upgrade_operators/crypto_policy/conftest.py --view expanded || true

echo
echo "== Relevant slice: tests/install_upgrade_operators/crypto_policy/conftest.py =="
nl -ba tests/install_upgrade_operators/crypto_policy/conftest.py | sed -n '1,240p'

echo
echo "== Fixture usages in crypto_policy subtree =="
rg -n -C2 '\bcnv_services_with_template\b|\bpqc_status_by_service\b|\bservices_tls_runtime\b' tests/install_upgrade_operators/crypto_policy

echo
echo "== Markers in crypto_policy subtree =="
rg -n -C1 '`@pytest`\.mark\.(smoke|gating|post_upgrade|tier[0-9]+)' tests/install_upgrade_operators/crypto_policy

echo
echo "== Parent/nearby conftest files up the tree =="
fd -a 'conftest.py' tests/install_upgrade_operators tests || true

echo
echo "== Outline and numbered content for changed tests =="
for f in \
  tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py \
  tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py
do
  echo "--- $f"
  ast-grep outline "$f" --view expanded || true
  nl -ba "$f" | sed -n '1,220p'
done

echo
echo "== Search for smoke/gating inside install_upgrade_operators hierarchy =="
rg -n -C1 '`@pytest`\.mark\.(smoke|gating)' tests/install_upgrade_operators || true

Length of output: 2991


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatQE/openshift-virtualization-tests"
pr="5428"

echo "== Exact changed lines (U0 diff) =="
git diff --unified=0 origin/main...HEAD -- \
  tests/install_upgrade_operators/crypto_policy/conftest.py \
  tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py \
  tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py

echo
echo "== Numbered slice: tests/install_upgrade_operators/crypto_policy/conftest.py =="
awk 'NR>=150 && NR<=290 {printf "%4d:%s\n", NR, $0}' tests/install_upgrade_operators/crypto_policy/conftest.py

echo
echo "== Numbered file: tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py =="
awk '{printf "%4d:%s\n", NR, $0}' tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py

echo
echo "== Numbered file: tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py =="
awk '{printf "%4d:%s\n", NR, $0}' tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py

echo
echo "== Fixture/test usage in crypto_policy subtree =="
rg -n -C2 '\b(cnv_services_with_template|pqc_status_by_service|services_tls_runtime|check_service_accepts_tls_version)\b' tests/install_upgrade_operators/crypto_policy

echo
echo "== Markers in crypto_policy subtree =="
rg -n -C1 '`@pytest`\.mark\.(smoke|gating|post_upgrade|tier[0-9]+)' tests/install_upgrade_operators/crypto_policy || true

echo
echo "== Conftest hierarchy relevant to crypto_policy =="
for f in \
  tests/conftest.py \
  tests/install_upgrade_operators/conftest.py \
  tests/install_upgrade_operators/crypto_policy/conftest.py
do
  if [ -f "$f" ]; then
    echo "--- $f"
    rg -n -C2 'crypto_policy|cnv_services_with_template|pqc_status_by_service|services_tls_runtime' "$f" || true
  fi
done

Length of output: 27148


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatQE/openshift-virtualization-tests"
pr="5428"
commit_id="8fda3c5827a93e014aefaa68fc3a2ad872574aeb"
path="tests/install_upgrade_operators/crypto_policy/conftest.py"
line=46

body=$(cat <<'EOF'
**Test Execution Plan**

- **Run smoke tests: False** — no verified dependency path from any `@pytest.mark.smoke` test to `tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template`.
- **Run gating tests: False** — no verified dependency path from any `@pytest.mark.gating` test to `tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template`.

**Affected tests to run**
- `tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py::test_cnv_services_pqc_key_exchange` — `test_cnv_services_pqc_key_exchange` → `pqc_status_by_service` → `cnv_services_with_template`
- `tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py::test_modern_profile_propagates_to_cnv_services` `(tier3)` — `test_modern_profile_propagates_to_cnv_services` → `cnv_services_with_template`

**Real tests (cluster required)**
Error path (the fix):
`pytest tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py -k test_cnv_services_pqc_key_exchange -vv`
Expected: the discovered service set excludes `hyperconverged-cluster-cli-download`; there is no per-subtest `xfail`, and no unreachable/failure caused by probing that excluded service.

Happy path (regression):
`pytest tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py -k test_modern_profile_propagates_to_cnv_services -vv`
Expected: the same filtered CNV service set is checked; each included service rejects TLS 1.2 and accepts TLS 1.3.
EOF
)

gh api \
  --method POST \
  "repos/$repo/pulls/$pr/comments" \
  -f body="$body" \
  -f commit_id="$commit_id" \
  -f path="$path" \
  -F line="$line" \
  -f side="RIGHT" >/dev/null

Length of output: 2281


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatQE/openshift-virtualization-tests"
pr="5428"

cat <<'EOF' > /tmp/test-plan-comment.md
**Test Execution Plan**

- **Run smoke tests: False** — no verified dependency path from any `@pytest.mark.smoke` test to `tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template`.
- **Run gating tests: False** — no verified dependency path from any `@pytest.mark.gating` test to `tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template`.

**Affected tests to run**
- `tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py::test_cnv_services_pqc_key_exchange` — `test_cnv_services_pqc_key_exchange` → `pqc_status_by_service` → `cnv_services_with_template`
- `tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py::test_modern_profile_propagates_to_cnv_services` `(tier3)` — `test_modern_profile_propagates_to_cnv_services` → `cnv_services_with_template`

**Real tests (cluster required)**
Error path (the fix):
`pytest tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py -k test_cnv_services_pqc_key_exchange -vv`
Expected: the discovered service set excludes `hyperconverged-cluster-cli-download`; there is no per-subtest `xfail`, and no unreachable/failure caused by probing that excluded service.

Happy path (regression):
`pytest tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py -k test_modern_profile_propagates_to_cnv_services -vv`
Expected: the same filtered CNV service set is checked; each included service rejects TLS 1.2 and accepts TLS 1.3.
EOF

gh pr comment "$pr" --repo "$repo" --body-file /tmp/test-plan-comment.md >/dev/null

Length of output: 2082


@openshift-virtualization-qe-bot-3

CRITICAL: I could not post the required inline review comment, and the fallback regular PR comment also failed, because the GitHub integration does not have permission to write comments on PR #5428 (Resource not accessible by integration, HTTP 403 / addComment). Those rules exist so review bots cannot write to repositories without explicit comment permissions.

Test Execution Plan

  • Run smoke tests: False — no verified dependency path from any @pytest.mark.smoke test to tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template.
  • Run gating tests: False — no verified dependency path from any @pytest.mark.gating test to tests/install_upgrade_operators/crypto_policy/conftest.py::cnv_services_with_template.

Affected tests to run

  • tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py::test_cnv_services_pqc_key_exchangetest_cnv_services_pqc_key_exchangepqc_status_by_servicecnv_services_with_template
  • tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py::test_modern_profile_propagates_to_cnv_services (tier3)test_modern_profile_propagates_to_cnv_servicescnv_services_with_template

Real tests (cluster required)
Error path (the fix):
pytest tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py -k test_cnv_services_pqc_key_exchange -vv

Expected: the discovered service set excludes hyperconverged-cluster-cli-download; there is no per-subtest xfail, and no unreachable/failure caused by probing that excluded service.

Happy path (regression):
pytest tests/install_upgrade_operators/crypto_policy/test_tls_profile_propagation.py -k test_modern_profile_propagates_to_cnv_services -vv

Expected: the same filtered CNV service set is checked; each included service rejects TLS 1.2 and accepts TLS 1.3.

Comment thread tests/install_upgrade_operators/crypto_policy/test_pqc_tls_audit.py
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Caution

Review failed

An error occurred during the review process. Please try again later.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RoniKishner

Copy link
Copy Markdown
Contributor

/lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants