ci-operator-configresolver: Add upstream config resolver

[danilo-gemoli]

e2e tests use a real ci-operator-configresolver that is expected to find IS ocp/X.Y within the cluster the test is running on, but these streams exist on app.ci only.

As a consequence of that, we experience failures like this.
This PR overcomes the problem by adding a new parameter on ci-operator-configresolver:

--upstream-resolver-address=...

that e2es set to the production endpoint https://config.ci.openshift.org/.

The upstream resolver is used to retrieve information about the integrated streams.

Upstream Resolver Support for ci-operator-configresolver

This PR adds optional upstream resolution for OpenShift “integrated streams” to help e2e tests pass in isolated clusters that don’t contain the ocp/X.Y image streams (those exist on app.ci). It lets ci-operator-configresolver delegate integrated-stream lookups to a production upstream resolver when configured, while keeping existing behavior unchanged by default.

What changed

ci-operator-configresolver (cmd/ci-operator-configresolver/main.go)

• Introduced a new CLI flag: --upstream-resolver-address.
• Wired the server to use a new TTL-based streamCache/integrationStreamCache for /integratedStream.
• Cache entries resolve integrated streams either:
  • Locally (via configresolver.LocalIntegratedStream) when no upstream is configured, or
  • Upstream (via an upstream resolver client) when --upstream-resolver-address is set.
• Updated unit tests to cover both local resolution and upstream resolution/miss behavior (including expected error handling for upstream misses).

e2e framework + tests

• Extended test/e2e/framework/framework.go with ConfigResolverOptions.UpstreamResolverAddress, and passed it through to ci-operator-configresolver as --upstream-resolver-address.
• Updated e2e callers to set the upstream address using the OpenShift CI API endpoint for the config service (api.URLForService("config")), so integrated stream lookups can succeed even when the test cluster lacks those streams.
• Adjusted loop variable capture in the e2e tests by removing per-iteration shadowing (testCase := testCase).

Additional e2e adjustment

• Updated test/e2e/multi-stage/integration-releases.yaml’s verify-releases “latest” step for 4.18 to inspect /release-manifests/release-metadata instead of grepping cluster-version-operator version output.

Impact

• Existing CI and deployments that don’t set --upstream-resolver-address behave as before.
• e2e environments can opt in to upstream resolution to prevent integrated-stream lookup failures caused by missing ocp/X.Y streams in the test cluster.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 471d3f0e-2d06-4eb8-9a0d-f913c429f38b

📥 Commits

Reviewing files that changed from the base of the PR and between 7773952 and 85be9fb.

📒 Files selected for processing (6)

• cmd/ci-operator-configresolver/main.go
• cmd/ci-operator-configresolver/main_test.go
• test/e2e/framework/framework.go
• test/e2e/multi-stage/e2e_test.go
• test/e2e/multi-stage/integration-releases.yaml
• test/e2e/observer/e2e_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/release (manual)
• openshift/ci-docs (manual)
• openshift/release-controller (manual)
• openshift/ci-chat-bot (manual)

🚧 Files skipped from review as they are similar to previous changes (5)

• test/e2e/framework/framework.go
• test/e2e/multi-stage/e2e_test.go
• cmd/ci-operator-configresolver/main_test.go
• cmd/ci-operator-configresolver/main.go
• test/e2e/observer/e2e_test.go

---

📝 Walkthrough

Walkthrough

Adds optional upstream integrated-stream resolver support to configresolver by introducing a --upstream-resolver-address CLI flag. Replaces the previous memoryCache with a sync.Map-backed streamCache featuring TTL expiry and conditional delegation to either local LocalIntegratedStream or an upstream ResolverClient. Threads the new flag through the e2e test framework and updates two e2e test suites to wire the upstream resolver address.

Changes

Upstream integrated-stream resolver

Layer / File(s)	Summary
CLI flag and streamCache implementation cmd/ci-operator-configresolver/main.go	Options struct adds upstreamResolverAddress field; --upstream-resolver-address flag registered in gatherOptions; new streamCache type with TTL-based Get method; integrationStreamCache factory routes to local or upstream resolver; kubeClient variable used for cache; optional ResolverClient initialized from flag; /integratedStream route switched from old memoryCache to new cache.
Unit tests for streamCache and upstream resolver cmd/ci-operator-configresolver/main_test.go	Time and registryserver imports added; test data reorganized with upstreamStreams map; fakeResolverClient type implements upstream resolver interface; TestGetIntegratedStream parameterized with optional resolverClient, runs subtests in parallel, adds two new upstream-focused cases (ocp/4.22 hit returning 4.22.0-0.ci, ocp/6.22 miss returning 400).
E2E framework ConfigResolverOptions and flag wiring test/e2e/framework/framework.go	UpstreamResolverAddress string field added to ConfigResolverOptions struct; ConfigResolver function threads flag into configresolver server startup as --upstream-resolver-address.
E2E test suite integration test/e2e/multi-stage/e2e_test.go, test/e2e/observer/e2e_test.go, test/e2e/multi-stage/integration-releases.yaml	Both test suites import pkg/api and set UpstreamResolverAddress: api.URLForService("config"); both remove unnecessary testCase := testCase per-iteration rebinding; integration-releases.yaml updates 4.18 release validation to read /release-manifests/release-metadata and grep for version.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Coverage For New Features	⚠️ Warning	New caching logic with TTL expiration (streamCache.Get method, lines 160-164) lacks unit test coverage. Cache behavior verifying TTL enforcement and hit/miss scenarios is not tested.	Add unit tests for streamCache.Get() covering: cache hits within TTL, cache misses after expiration, and multiple lookups with time progression.
Test Structure And Quality	❓ Inconclusive	This PR contains standard Go tests and a custom test framework, not Ginkgo tests. The check instructions specifically state to review Ginkgo test code (Describe/It blocks, BeforeEach/AfterEach), wh...	The custom check is not applicable to this PR: no Ginkgo tests exist. The code uses standard Go testing (testing.T) and a custom e2e framework but lacks Ginkgo structures targeted by this check.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding upstream resolver support to ci-operator-configresolver via a new CLI flag.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	The new code sections follow Go error handling best practices: errors from integrationStreamResolver are properly wrapped with fmt.Errorf and %w; nil checks are performed on ResolverClient before u...
Stable And Deterministic Test Names	✅ Passed	All test names in modified files are stable and deterministic. They use only static string literals with no dynamic values like UUIDs, timestamps, or pod names. UUID is only used to modify test env...
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It(), Describe(), etc.) were added in this PR. Changes are to standard Go testing functions and framework configuration only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It(), Describe(), Context(), When()) are added in this PR. Changes only update existing standard Go tests to use the new upstream resolver address parameter.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no deployment manifests, operator code, or scheduling constraints. Changes are limited to adding an --upstream-resolver-address CLI flag to configresolver and updating e2e test fram...
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. All logging uses logrus (stderr-redirected via logrusutil.ComponentInit), no fmt.Print/Println/Printf calls to stdout, no explicit os.Stdout writes i...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It/Describe/Context/When) were added in this PR. Changes are only to test configuration and unit tests using standard Go testing package.
No-Weak-Crypto	✅ Passed	PR introduces upstream resolver address config and TTL-based caching with sync.Map. No weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom crypto implementations, or non-constant-time secret c...
Container-Privileges	✅ Passed	No container privilege escalation settings found; PR modifies Go source and test configuration files only, not K8s manifests with securityContext specifications.
No-Sensitive-Data-In-Logs	✅ Passed	The upstream resolver address parameter is logged via existing test framework and client code, but the expected value is a public production endpoint URL (https://config.ci.openshift.org/), not sen...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[danilo-gemoli]

/test e2e

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, droslean

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli,droslean]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 074066f and 2 for PR HEAD 7773952 in total

[danilo-gemoli]

/hold

[danilo-gemoli]

/retest-required

[danilo-gemoli]

/test e2e

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@danilo-gemoli: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	85be9fb	link	true	/test e2e
ci/prow/images	85be9fb	link	true	/test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.