TRT-2723: Revert "NO-JIRA: add preflight command"

[redhat-chai-bot]

This reverts #920 which was identified as contributing to OVN-Kubernetes upgrade failures that are persistently rejecting 5.0 nightly payloads.

Context

Payload testing at https://pr-payload-tests.ci.openshift.org/runs/ci/revert-kaso-cao-sno-azure confirmed that #920 (along with cluster-kube-apiserver-operator#2201, the equivalent change for KASO) is related to the OVN upgrade failures blocking 5.0 nightlies. The failures manifest as:

• aggregated-aws-ovn-single-node-upgrade: ovnkube-node pod deletion during DaemonSet rolling update causes SNO node to go NotReady (~10s CNI gap)
• aggregated-azure-ovn-upgrade: ovnkube-node DaemonSet rollover removes CNI config, all nodes briefly go NotReady

These failures have been persistent for 4+ consecutive nightly payloads since Jun 18.

A fix-forward is being considered but its timeline is uncertain, so reverting to unblock nightlies.

Tracked by TRT-2723.

Summary by CodeRabbit

• Chores
  • Updated the operator's KMS health check mechanism to use the health command instead of the preflight command.

[openshift-ci-robot]

@redhat-chai-bot: This pull request explicitly references no jira issue.

Details

In response to this:

This reverts #920 which was identified as contributing to OVN-Kubernetes upgrade failures that are persistently rejecting 5.0 nightly payloads.

Context

Payload testing at https://pr-payload-tests.ci.openshift.org/runs/ci/revert-kaso-cao-sno-azure confirmed that #920 (along with cluster-kube-apiserver-operator#2201, the equivalent change for KASO) is related to the OVN upgrade failures blocking 5.0 nightlies. The failures manifest as:

• aggregated-aws-ovn-single-node-upgrade: ovnkube-node pod deletion during DaemonSet rolling update causes SNO node to go NotReady (~10s CNI gap)
• aggregated-azure-ovn-upgrade: ovnkube-node DaemonSet rollover removes CNI config, all nodes briefly go NotReady

These failures have been persistent for 4+ consecutive nightly payloads since Jun 18.

A fix-forward is being considered but its timeline is uncertain, so reverting to unblock nightlies.

Tracked by TRT-2723.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

In cmd/authentication-operator/main.go, the operator command registration is changed from kmspreflight.NewCommand to kmshealth.NewCommand. The health command is wired with a temporary stub callback returning (nil, nil). Imports are adjusted to remove the preflight package and add v1helpers.

Changes

KMS health command wiring

Layer / File(s)	Summary
Replace preflight with health command cmd/authentication-operator/main.go	Removes kmspreflight.NewCommand(context.Background()) and registers kmshealth.NewCommand(...) with a stub callback returning (nil, nil); imports updated to drop preflight and add v1helpers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

• openshift/cluster-authentication-operator#918: Directly related — both PRs modify cmd/authentication-operator/main.go to wire the KMS health command with a v1helpers-typed stub callback, replacing the preflight command registration.

Suggested reviewers

• ibihim
• ingvagabund

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	Multiple new Ginkgo e2e tests use APIs unavailable on MicroShift: tokentimeout.go and templates.go use config.openshift.io OAuth API; certs.go uses ClusterOperator; custom_route.go uses config.open...	Add [apigroup:config.openshift.io] tags to tests using config.openshift.io APIs, or use [Skipped:MicroShift] labels, or guard with exutil.IsMicroShiftCluster() checks per custom check instructions.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 16 Ginkgo test definitions in the PR use stable, deterministic names with no dynamic content (pods, timestamps, UUIDs, nodes, namespaces, IPs).
Test Structure And Quality	✅ Passed	This PR only modifies cmd/authentication-operator/main.go (revert of preflight command), containing no Ginkgo test code. The custom check for test structure and quality is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR reverts PR #920 (not adding new code). The custom check applies to "new Ginkgo e2e tests being added"; no new tests are being introduced in this revert.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR reverts PR #920 by replacing kmspreflight command registration with kmshealth. It removes code and does not introduce any topology-aware scheduling constraints; operator already properly ta...
Ote Binary Stdout Contract	✅ Passed	The reverted main.go has no stdout writes in process-level code: no fmt.Print, klog, or Ginkgo suite configuration that could emit JSON-corrupting output. All imports are safe and IOStreams properl...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are only to cmd/authentication-operator/main.go, modifying operator command registration. The custom check only applies to PRs that add new...
No-Weak-Crypto	✅ Passed	No weak crypto patterns detected. The revert removes kmspreflight command and keeps kmshealth with a nil stub callback. Only safe crypto libraries (SHA256/512, x509, TLS, RSA, ECDSA) are used in co...
Container-Privileges	✅ Passed	PR restores privileged: true settings with documented justifications (audit logging, trust bundle operations). Revert is necessary to fix OVN upgrade failures blocking production releases.
No-Sensitive-Data-In-Logs	✅ Passed	The PR contains no logging statements that expose sensitive data. The modified main.go file has no logging calls (log, print, fmt) and the callback function receives config but returns nil without...
Title check	✅ Passed	The title clearly and specifically describes the main change: reverting a preflight command addition. It directly matches the changeset's removal of the preflight command registration.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@redhat-chai-bot: This pull request references TRT-2723 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This reverts #920 which was identified as contributing to OVN-Kubernetes upgrade failures that are persistently rejecting 5.0 nightly payloads.

Context

Payload testing at https://pr-payload-tests.ci.openshift.org/runs/ci/revert-kaso-cao-sno-azure confirmed that #920 (along with cluster-kube-apiserver-operator#2201, the equivalent change for KASO) is related to the OVN upgrade failures blocking 5.0 nightlies. The failures manifest as:

• aggregated-aws-ovn-single-node-upgrade: ovnkube-node pod deletion during DaemonSet rolling update causes SNO node to go NotReady (~10s CNI gap)
• aggregated-azure-ovn-upgrade: ovnkube-node DaemonSet rollover removes CNI config, all nodes briefly go NotReady

These failures have been persistent for 4+ consecutive nightly payloads since Jun 18.

A fix-forward is being considered but its timeline is uncertain, so reverting to unblock nightlies.

Tracked by TRT-2723.

Summary by CodeRabbit

• Chores
• Updated the operator's KMS health check mechanism to use the health command instead of the preflight command.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[not-stbenjam]

/lgtm
/label approved

[openshift-ci]

@not-stbenjam: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm
/label approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@not-stbenjam: The label(s) approved cannot be applied or removed, because you are not in one of the allowed teams and are not an allowed user. Must be a member of one of these teams: openshift-release-oversight, openshift-staff-engineers, openshift-sustaining-engineers

Details

In response to this:

/lgtm
/label approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[stbenjam]

/lgtm
/label approved
/hold

[openshift-ci]

@redhat-chai-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	a8bcdbf	link	true	/test e2e-operator
ci/prow/e2e-agnostic-upgrade	a8bcdbf	link	true	/test e2e-agnostic-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[smg247]

/payload-aggregate periodic-ci-openshift-release-main-ci-5.0-e2e-aws-upgrade-ovn-single-node 10
/payload-aggregate periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-upgrade 10

[openshift-ci]

@smg247: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-ci-5.0-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1e13fc80-6bf2-11f1-8a6e-68ea1bc1f8f5-0