[release-4.19] OCPBUGS-60168: CVO protects /metrics with authorization

[openshift-cherrypick-robot]

This is an automated cherry-pick of #1215

/assign wking

[wking]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue OCPBUGS-57585 has been cloned as Jira Issue OCPBUGS-60168. Will retitle bug to link to clone.
/retitle [release-4.19] OCPBUGS-60168: CVO protects /metrics with authorization

In response to this:

This is an automated cherry-pick of #1215

/assign wking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-60168, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected dependent Jira Issue OCPBUGS-57585 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead
• expected dependent Jira Issue OCPBUGS-57585 to target a version in 4.20.0, but it targets "4.20" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #1215

/assign wking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[wking]

/jira refresh

[openshift-ci-robot]

@wking: This pull request references Jira Issue OCPBUGS-60168, which is invalid:

• expected dependent Jira Issue OCPBUGS-57585 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hongkailiu]

/test e2e-hypershift

[openshift-ci]

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-operator-devpreview	ad8d505	link	false	/test e2e-agnostic-operator-devpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dis016]

Test from openshift/origin#30014 is PASSED.

dinesh@Dineshs-MacBook-Pro origin % export GCP_SHARED_CREDENTIALS_FILE=/tmp/gce.json 
dinesh@Dineshs-MacBook-Pro origin % export COMPONENT_NAMESPACE=openshift-cluster-version
dinesh@Dineshs-MacBook-Pro origin % export KUBECONFIG=/Users/dinesh/Downloads/kubeconfig
dinesh@Dineshs-MacBook-Pro origin % oc get clusterversion 
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0-2025-08-07-074034-test-ci-ln-tv7g4lk-latest   True        False         23m     Cluster version is 4.19.0-0-2025-08-07-074034-test-ci-ln-tv7g4lk-latest
dinesh@Dineshs-MacBook-Pro origin % make build 
go build -mod=vendor -trimpath -ldflags "-X github.com/openshift/origin/pkg/version.versionFromGit="v3.7.0-alpha.0-18454-gcd59271" -X github.com/openshift/origin/pkg/version.commitFromGit="cd59271535" -X github.com/openshift/origin/pkg/version.gitTreeState="clean" -X github.com/openshift/origin/pkg/version.buildDate="2025-08-07T08:51:45Z" " github.com/openshift/origin/cmd/openshift-tests

go build -mod=vendor -trimpath -ldflags "-X github.com/openshift/origin/pkg/version.versionFromGit="v3.7.0-alpha.0-18454-gcd59271" -X github.com/openshift/origin/pkg/version.commitFromGit="cd59271535" -X github.com/openshift/origin/pkg/version.gitTreeState="clean" -X github.com/openshift/origin/pkg/version.buildDate="2025-08-07T08:51:46Z" " github.com/openshift/origin/cmd/update-tls-artifacts
dinesh@Dineshs-MacBook-Pro origin % 
dinesh@Dineshs-MacBook-Pro origin % ./openshift-tests run-test "[sig-instrumentation][Late] Platform Prometheus targets [apigroup:image.openshift.io] should not be accessible without auth [Serial] [Suite:openshift/conformance/serial]"
  I0807 14:34:45.390612   18919 i18n.go:139] Couldn't find translations for en_IN, using default
  I0807 14:34:45.391027   18919 i18n.go:157] Setting language to default
openshift-tests v3.7.0-alpha.0-18454-gcd59271
  I0807 14:34:50.320468   18919 test_setup.go:94] Extended test version v3.7.0-alpha.0-18454-gcd59271
  I0807 14:34:50.320699   18919 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0807 14:34:50.642130 18919 framework.go:2317] microshift-version configmap not found
  I0807 14:34:50.642750   18919 binary.go:111] Loaded test configuration: &framework.TestContextType{KubeConfig:"/Users/dinesh/Downloads/kubeconfig", KubeContext:"", KubeAPIContentType:"application/vnd.kubernetes.protobuf", KubeletRootDir:"/var/lib/kubelet", KubeletConfigDropinDir:"", CertDir:"", Host:"https://api.ci-ln-tv7g4lk-72292.gcp-2.ci.openshift.org:6443", BearerToken:"qVu1jSHBJVIrRn0T", RepoRoot:"../../", ListImages:false, listTests:false, listLabels:false, ListConformanceTests:false, Provider:"gce", Tooling:"", timeouts:framework.TimeoutContext{Poll:2000000000, PodStart:300000000000, PodStartShort:120000000000, PodStartSlow:900000000000, PodDelete:300000000000, ClaimProvision:300000000000, DataSourceProvision:300000000000, ClaimProvisionShort:60000000000, ClaimBound:180000000000, PVReclaim:180000000000, PVBound:180000000000, PVCreate:180000000000, PVDelete:300000000000, PVDeleteSlow:1200000000000, SnapshotCreate:300000000000, SnapshotDelete:300000000000, SnapshotControllerMetrics:300000000000, SystemPodsStartup:600000000000, NodeSchedulable:1800000000000, SystemDaemonsetStartup:300000000000, NodeNotReady:180000000000}, CloudConfig:framework.CloudConfig{APIEndpoint:"", ProjectID:"openshift-gce-devel-ci-2", Zone:"us-central1-a", Zones:[]string{"us-central1-a"}, Region:"us-central1", MultiZone:false, MultiMaster:false, Cluster:"", MasterName:"", NodeInstanceGroup:"", NumNodes:0, ClusterIPRange:"", ClusterTag:"", Network:"", ConfigFile:"", NodeTag:"", MasterTag:"", Provider:(*framework.NullProvider)(0x111de0268)}, KubectlPath:"kubectl", OutputDir:"/tmp", ReportDir:"", ReportPrefix:"", ReportCompleteGinkgo:false, ReportCompleteJUnit:false, Prefix:"e2e", MinStartupPods:-1, EtcdUpgradeStorage:"", EtcdUpgradeVersion:"", GCEUpgradeScript:"", ContainerRuntimeEndpoint:"unix:///run/containerd/containerd.sock", ContainerRuntimeProcessName:"containerd", ContainerRuntimePidFile:"/run/containerd/containerd.pid", SystemdServices:"containerd*", DumpSystemdJournal:false, ImageServiceEndpoint:"", MasterOSDistro:"custom", NodeOSDistro:"custom", NodeOSArch:"amd64", VerifyServiceAccount:true, DeleteNamespace:true, DeleteNamespaceOnFailure:true, AllowedNotReadyNodes:-1, CleanStart:false, GatherKubeSystemResourceUsageData:"false", GatherLogsSizes:false, GatherMetricsAfterTest:"false", GatherSuiteMetricsAfterTest:false, MaxNodesToGather:0, IncludeClusterAutoscalerMetrics:false, OutputPrintType:"json", CreateTestingNS:(framework.CreateTestingNSFn)(0x109a35b20), DumpLogsOnFailure:true, DisableLogDump:false, LogexporterGCSPath:"", NodeTestContextType:framework.NodeTestContextType{NodeE2E:false, NodeName:"", NodeConformance:false, PrepullImages:false, ImageDescription:"", RuntimeConfig:map[string]string(nil), SystemSpecName:"", RestartKubelet:false, ExtraEnvs:map[string]string(nil), StandaloneMode:false, CriProxyEnabled:false}, ClusterDNSDomain:"cluster.local", NodeKiller:framework.NodeKillerConfig{Enabled:false, FailureRatio:0.01, Interval:60000000000, JitterFactor:60, SimulatedDowntime:600000000000, NodeKillerStopCtx:context.Context(nil), NodeKillerStop:(func())(nil)}, IPFamily:"ipv4", NonblockingTaints:"node-role.kubernetes.io/control-plane", ProgressReportURL:"", SriovdpConfigMapFile:"", SpecSummaryOutput:"", DockerConfigFile:"", E2EDockerConfigFile:"", KubeTestRepoList:"", SnapshotControllerPodName:"", SnapshotControllerHTTPPort:0, RequireDevices:false, EnabledVolumeDrivers:[]string(nil)}
  Running Suite:  - /Users/dinesh/Openshift_Project/origin
  ========================================================
  Random Seed: 1754557485 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-instrumentation][Late] Platform Prometheus targets [apigroup:image.openshift.io] should not be accessible without auth [Serial]
  github.com/openshift/origin/test/extended/prometheus/prometheus.go:86
    STEP: Creating a kubernetes client @ 08/07/25 14:34:50.659
...
...
host command failed: error running /usr/local/bin/kubectl --server=https://api.ci-ln-tv7g4lk-72292.gcp-2.ci.openshift.org:6443 --kubeconfig=/Users/dinesh/Downloads/kubeconfig --namespace=e2e-test-prometheus-h5rcj exec execpod-targets-authorization -- /bin/sh -x -c curl -k -s -o /dev/null -w '%{http_code}' "https://10.128.0.8:8443/metrics":
  Command stdout:

  stderr:
  error: read tcp 192.168.1.5:65530->34.36.57.224:6443: read: connection reset by peer

  error:
  exit status 1
   (skip=false)
  I0807 14:39:23.527490 18919 client.go:674] Deleted {user.openshift.io/v1, Resource=users  e2e-test-prometheus-h5rcj-user}, err: <nil>
  I0807 14:39:23.779962 18919 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-prometheus-h5rcj}, err: <nil>
  I0807 14:39:24.030255 18919 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~sWZTMzsGeQXyNEKDXmK06kypv-Up6YbHk2N4aYYOaP8}, err: <nil>
    STEP: Destroying namespace "e2e-test-prometheus-h5rcj" for this suite. @ 08/07/25 14:39:24.03
  • [250.284 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 250.285 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-instrumentation][Late] Platform Prometheus targets [apigroup:image.openshift.io] should not be accessible without auth [Serial] [Suite:openshift/conformance/serial]",
    "lifecycle": "blocking",
    "duration": 273640,
    "startTime": "2025-08-07 09:04:50.643338 UTC",
    "endTime": "2025-08-07 09:09:24.283942 UTC",
    "result": "passed",
    "output": "  STEP:
    ...
      }
]%                                                                                                                                                                                                          dinesh@Dineshs-MacBook-Pro origin %

[dis016]

Test from https://github.com/openshift/origin/blob/main/test/extended/prometheus/prometheus.go#L514 which is covering for
// Cluster version operator targets.Expect(labels{"job": "cluster-version-operator"}, "up", "^https://.*/metrics$")
also Passed

dinesh@Dineshs-MacBook-Pro origin % ./openshift-tests run-test "[sig-instrumentation] Prometheus [apigroup:image.openshift.io] when installed on the cluster should start and expose a secured proxy and unsecured metrics [apigroup:config.openshift.io] [Skipped:Disconnected] [Suite:openshift/conformance/parallel]"
  I0807 15:15:35.599050   22329 i18n.go:139] Couldn't find translations for en_IN, using default
  I0807 15:15:35.599290   22329 i18n.go:157] Setting language to default
openshift-tests v3.7.0-alpha.0-18454-gcd59271
  I0807 15:15:39.508054   22329 test_setup.go:94] Extended test version v3.7.0-alpha.0-18454-gcd59271
  I0807 15:15:39.508157   22329 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I0807 15:15:39.828271 22329 framework.go:2317] microshift-version configmap not found
  I0807 15:15:39.828367   22329 binary.go:111] Loaded test configuration: &framework.TestContextType{KubeConfig:"/Users/dinesh/Downloads/kubeconfig", KubeContext:"", KubeAPIContentType:"application/vnd.kubernetes.protobuf", KubeletRootDir:"/var/lib/kubelet", KubeletConfigDropinDir:"", CertDir:"", Host:"https://api.ci-ln-tv7g4lk-72292.gcp-2.ci.openshift.org:6443", BearerToken:"szi2Fep8Ysf0A_zw", RepoRoot:"../../", ListImages:false, listTests:false, listLabels:false, ListConformanceTests:false, Provider:"gce", Tooling:"", timeouts:framework.TimeoutContext{Poll:2000000000, PodStart:300000000000, PodStartShort:120000000000, PodStartSlow:900000000000, PodDelete:300000000000, ClaimProvision:300000000000, DataSourceProvision:300000000000, ClaimProvisionShort:60000000000, ClaimBound:180000000000, PVReclaim:180000000000, PVBound:180000000000, PVCreate:180000000000, PVDelete:300000000000, PVDeleteSlow:1200000000000, SnapshotCreate:300000000000, SnapshotDelete:300000000000, SnapshotControllerMetrics:300000000000, SystemPodsStartup:600000000000, NodeSchedulable:1800000000000, SystemDaemonsetStartup:300000000000, NodeNotReady:180000000000}, CloudConfig:framework.CloudConfig{APIEndpoint:"", ProjectID:"openshift-gce-devel-ci-2", Zone:"us-central1-a", Zones:[]string{"us-central1-a"}, Region:"us-central1", MultiZone:false, MultiMaster:false, Cluster:"", MasterName:"", NodeInstanceGroup:"", NumNodes:0, ClusterIPRange:"", ClusterTag:"", Network:"", ConfigFile:"", NodeTag:"", MasterTag:"", Provider:(*framework.NullProvider)(0x117827268)}, KubectlPath:"kubectl", OutputDir:"/tmp", ReportDir:"", ReportPrefix:"", ReportCompleteGinkgo:false, ReportCompleteJUnit:false, Prefix:"e2e", MinStartupPods:-1, EtcdUpgradeStorage:"", EtcdUpgradeVersion:"", GCEUpgradeScript:"", ContainerRuntimeEndpoint:"unix:///run/containerd/containerd.sock", ContainerRuntimeProcessName:"containerd", ContainerRuntimePidFile:"/run/containerd/containerd.pid", SystemdServices:"containerd*", DumpSystemdJournal:false, ImageServiceEndpoint:"", MasterOSDistro:"custom", NodeOSDistro:"custom", NodeOSArch:"amd64", VerifyServiceAccount:true, DeleteNamespace:true, DeleteNamespaceOnFailure:true, AllowedNotReadyNodes:-1, CleanStart:false, GatherKubeSystemResourceUsageData:"false", GatherLogsSizes:false, GatherMetricsAfterTest:"false", GatherSuiteMetricsAfterTest:false, MaxNodesToGather:0, IncludeClusterAutoscalerMetrics:false, OutputPrintType:"json", CreateTestingNS:(framework.CreateTestingNSFn)(0x10f47cb20), DumpLogsOnFailure:true, DisableLogDump:false, LogexporterGCSPath:"", NodeTestContextType:framework.NodeTestContextType{NodeE2E:false, NodeName:"", NodeConformance:false, PrepullImages:false, ImageDescription:"", RuntimeConfig:map[string]string(nil), SystemSpecName:"", RestartKubelet:false, ExtraEnvs:map[string]string(nil), StandaloneMode:false, CriProxyEnabled:false}, ClusterDNSDomain:"cluster.local", NodeKiller:framework.NodeKillerConfig{Enabled:false, FailureRatio:0.01, Interval:60000000000, JitterFactor:60, SimulatedDowntime:600000000000, NodeKillerStopCtx:context.Context(nil), NodeKillerStop:(func())(nil)}, IPFamily:"ipv4", NonblockingTaints:"node-role.kubernetes.io/control-plane", ProgressReportURL:"", SriovdpConfigMapFile:"", SpecSummaryOutput:"", DockerConfigFile:"", E2EDockerConfigFile:"", KubeTestRepoList:"", SnapshotControllerPodName:"", SnapshotControllerHTTPPort:0, RequireDevices:false, EnabledVolumeDrivers:[]string(nil)}
  Running Suite:  - /Users/dinesh/Openshift_Project/origin
  ========================================================
  Random Seed: 1754559935 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-instrumentation] Prometheus [apigroup:image.openshift.io] when installed on the cluster should start and expose a secured proxy and unsecured metrics [apigroup:config.openshift.io]
  github.com/openshift/origin/test/extended/prometheus/prometheus.go:603
    STEP: Creating a kubernetes client @ 08/07/25 15:15:39.846
  I0807 15:15:39.847930   22329 discovery.go:214] Invalidating discovery information
  I0807 15:15:43.022939 22329 client.go:286] configPath is now "/var/folders/gw/q6gbymqn2xn3t21cr090k05h0000gn/T/configfile2404893521"
  I0807 15:15:43.022992 22329 client.go:361] The user is now "e2e-test-prometheus-t9pb7-user"
  I0807 15:15:43.023005 22329 client.go:363] Creating project "e2e-test-prometheus-t9pb7"
  I0807 15:15:43.768963 22329 client.go:371] Waiting on permissions in project "e2e-test-prometheus-t9pb7" ...
  I0807 15:15:45.714022 22329 client.go:400] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs
  I0807 15:15:46.543673 22329 client.go:415] Waiting for ServiceAccount "default" to be provisioned...
  I0807 15:15:47.220189 22329 client.go:415] Waiting for ServiceAccount "builder" to be provisioned...
  I0807 15:15:47.836268 22329 client.go:415] Waiting for ServiceAccount "deployer" to be provisioned...
  I0807 15:15:48.453963 22329 client.go:425] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I0807 15:15:48.960238 22329 client.go:425] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I0807 15:15:49.462929 22329 client.go:425] Waiting for RoleBinding "system:deployers" to be provisioned...
  I0807 15:15:50.577980 22329 client.go:458] Project "e2e-test-prometheus-t9pb7" has been fully provisioned.
  I0807 15:15:52.487555 22329 resource.go:361] Creating new exec pod
    STEP: checking the prometheus metrics path @ 08/07/25 15:15:55.278
  I0807 15:15:55.279379 22329 client.go:1010] Running 'oc --namespace=e2e-test-prometheus-t9pb7 --kubeconfig=/Users/dinesh/Downloads/kubeconfig exec execpod -- curl -s -k -H Authorization: Bearer <redacted> https://prometheus-k8s.openshift-monitoring.svc:9091/metrics'
    STEP: verifying the Thanos querier service requires authentication @ 08/07/25 15:16:01.346
  I0807 15:16:01.347200 22329 builder.go:121] Running '/usr/local/bin/kubectl --server=https://api.ci-ln-tv7g4lk-72292.gcp-2.ci.openshift.org:6443 --kubeconfig=/Users/dinesh/Downloads/kubeconfig --namespace=e2e-test-prometheus-t9pb7 exec execpod -- /bin/sh -x -c curl -k -s -o /dev/null -w '%{http_code}' "https://thanos-querier.openshift-monitoring.svc:9091"'
  I0807 15:16:04.031691 22329 builder.go:146] stderr: "+ curl -k -s -o /dev/null -w '%{http_code}' https://thanos-querier.openshift-monitoring.svc:9091\n"
  I0807 15:16:04.032134 22329 builder.go:147] stdout: "401"
    STEP: verifying a service account token is able to authenticate @ 08/07/25 15:16:04.032
    STEP: verifying a service account token is able to access the Prometheus API @ 08/07/25 15:16:05.328
    STEP: verifying all expected jobs have a working target @ 08/07/25 15:16:07.924
    STEP: verifying all targets are exposing metrics over secure channel @ 08/07/25 15:16:08.182
  I0807 15:16:12.011449 22329 client.go:674] Deleted {user.openshift.io/v1, Resource=users  e2e-test-prometheus-t9pb7-user}, err: <nil>
  I0807 15:16:12.267654 22329 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-prometheus-t9pb7}, err: <nil>
  I0807 15:16:12.524307 22329 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~uhCMxkpARa50YH_HHem7jQCAGUxr8FW9SDjXiOOY4Fo}, err: <nil>
    STEP: Destroying namespace "e2e-test-prometheus-t9pb7" for this suite. @ 08/07/25 15:16:12.524
  • [32.953 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 32.954 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-instrumentation] Prometheus [apigroup:image.openshift.io] when installed on the cluster should start and expose a secured proxy and unsecured metrics [apigroup:config.openshift.io] [Skipped:Disconnected] [Suite:openshift/conformance/parallel]",
    "lifecycle": "blocking",
    "duration": 32954,
    "startTime": "2025-08-07 09:45:39.829012 UTC",
    "endTime": "2025-08-07 09:46:12.783112 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 08/07/25 15:15:39.846\nI0807 15:15:43.022939 22329 client.go:286] configPath is now \"/var/folders/gw/q6gbymqn2xn3t21cr090k05h0000gn/T/configfile2404893521\"\nI0807 15:15:43.022992 22329 client.go:361] The user is now \"e2e-test-prometheus-t9pb7-user\"\nI0807 15:15:43.023005 22329 client.go:363] Creating project \"e2e-test-prometheus-t9pb7\"\nI0807 15:15:43.768963 22329 client.go:371] Waiting on permissions in project \"e2e-test-prometheus-t9pb7\" ...\nI0807 15:15:45.714022 22329 client.go:400] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs\nI0807 15:15:46.543673 22329 client.go:415] Waiting for ServiceAccount \"default\" to be provisioned...\nI0807 15:15:47.220189 22329 client.go:415] Waiting for ServiceAccount \"builder\" to be provisioned...\nI0807 15:15:47.836268 22329 client.go:415] Waiting for ServiceAccount \"deployer\" to be provisioned...\nI0807 15:15:48.453963 22329 client.go:425] Waiting for RoleBinding \"system:image-pullers\" to be provisioned...\nI0807 15:15:48.960238 22329 client.go:425] Waiting for RoleBinding \"system:image-builders\" to be provisioned...\nI0807 15:15:49.462929 22329 client.go:425] Waiting for RoleBinding \"system:deployers\" to be provisioned...\nI0807 15:15:50.577980 22329 client.go:458] Project \"e2e-test-prometheus-t9pb7\" has been fully provisioned.\nI0807 15:15:52.487555 22329 resource.go:361] Creating new exec pod\n  STEP: checking the prometheus metrics path @ 08/07/25 15:15:55.278\nI0807 15:15:55.279379 22329 client.go:1010] Running 'oc --namespace=e2e-test-prometheus-t9pb7 --kubeconfig=/Users/dinesh/Downloads/kubeconfig exec execpod -- curl -s -k -H Authorization: Bearer \u003credacted\u003e https://prometheus-k8s.openshift-monitoring.svc:9091/metrics'\n  STEP: verifying the Thanos querier service requires authentication @ 08/07/25 15:16:01.346\nI0807 15:16:01.347200 22329 builder.go:121] Running '/usr/local/bin/kubectl --server=https://api.ci-ln-tv7g4lk-72292.gcp-2.ci.openshift.org:6443 --kubeconfig=/Users/dinesh/Downloads/kubeconfig --namespace=e2e-test-prometheus-t9pb7 exec execpod -- /bin/sh -x -c curl -k -s -o /dev/null -w '%{http_code}' \"https://thanos-querier.openshift-monitoring.svc:9091\"'\nI0807 15:16:04.031691 22329 builder.go:146] stderr: \"+ curl -k -s -o /dev/null -w '%{http_code}' https://thanos-querier.openshift-monitoring.svc:9091\\n\"\nI0807 15:16:04.032134 22329 builder.go:147] stdout: \"401\"\n  STEP: verifying a service account token is able to authenticate @ 08/07/25 15:16:04.032\n  STEP: verifying a service account token is able to access the Prometheus API @ 08/07/25 15:16:05.328\n  STEP: verifying all expected jobs have a working target @ 08/07/25 15:16:07.924\n  STEP: verifying all targets are exposing metrics over secure channel @ 08/07/25 15:16:08.182\nI0807 15:16:12.011449 22329 client.go:674] Deleted {user.openshift.io/v1, Resource=users  e2e-test-prometheus-t9pb7-user}, err: \u003cnil\u003e\nI0807 15:16:12.267654 22329 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-prometheus-t9pb7}, err: \u003cnil\u003e\nI0807 15:16:12.524307 22329 client.go:674] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~uhCMxkpARa50YH_HHem7jQCAGUxr8FW9SDjXiOOY4Fo}, err: \u003cnil\u003e\n  STEP: Destroying namespace \"e2e-test-prometheus-t9pb7\" for this suite. @ 08/07/25 15:16:12.524\n"
  }
]%                                                                                                                                                                                                          dinesh@Dineshs-MacBook-Pro origin % 

[dis016]

/label qe-approved

[openshift-ci-robot]

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-60168, which is invalid:

• expected dependent Jira Issue OCPBUGS-57585 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

This is an automated cherry-pick of #1215

/assign wking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dis016]

/jira refresh

[openshift-ci-robot]

@dis016: This pull request references Jira Issue OCPBUGS-60168, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.z) matches configured target version for branch (4.19.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-57585 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-57585 targets the "4.20.0" version, which is one of the valid target versions: 4.20.0
• bug has dependents

Requesting review from QA contact:
/cc @jiajliu

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue OCPBUGS-60168: All pull requests linked via external trackers have merged:

• openshift/cluster-version-operator#1222

Jira Issue OCPBUGS-60168 has been moved to the MODIFIED state.

In response to this:

This is an automated cherry-pick of #1215

/assign wking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hongkailiu]

/cherry-pick release-4.18

[openshift-cherrypick-robot]

@hongkailiu: new pull request created: #1223

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: cluster-version-operator
This PR has been included in build cluster-version-operator-container-v4.19.0-202508070607.p0.gf165654.assembly.stream.el9.
All builds following this will include this PR.