Merge pull request #30484 from rioliu-rh/fix-debugnode-guest-kubeconfig

openshift-merge-bot[bot] · web-flow · commit 8aaf884e0893 · 2025-11-15T09:41:12.000Z
NO-JIRA: Fix compat_otp.DebugNode() to support guest kubeconfig for HyperShift
diff --git a/test/extended/util/compat_otp/client.go b/test/extended/util/compat_otp/client.go
@@ -38,12 +38,22 @@ func NewCLIForKubeOpenShift(basename string) *exutil.CLI {
 	return exutil.NewCLI(basename)
 }
 
+// determineExecCLI returns the appropriate CLI object based on guest kubeconfig availability.
+// If guest kubeconfig is set, returns CLI with guest config; otherwise returns CLI with admin config.
+// This ensures operations target the correct cluster (management vs. guest) automatically.
+func determineExecCLI(oc *exutil.CLI) *exutil.CLI {
+	if oc.GetGuestKubeconf() != "" {
+		return oc.AsGuestKubeconf()
+	}
+	return oc.AsAdmin()
+}
+
 // IsNamespacePrivileged checks if a namespace has privileged SCC
 func IsNamespacePrivileged(oc *exutil.CLI, namespace string) (bool, error) {
 	// Check for the Kubernetes Pod Security Admission 'enforce: privileged' label.
 	// This is the direct confirmation that the namespace's admission controller
 	// will allow an unrestricted pod (like the one created by 'oc debug node').
-	stdout, err := oc.AsAdmin().Run("get").Args("ns", namespace, "-o", `jsonpath={.metadata.labels.pod-security\.kubernetes\.io/enforce}`).Output()
+	stdout, err := determineExecCLI(oc).Run("get").Args("ns", namespace, "-o", `jsonpath={.metadata.labels.pod-security\.kubernetes\.io/enforce}`).Output()
 
 	if err != nil {
 		return false, err
@@ -59,7 +69,7 @@ func IsNamespacePrivileged(oc *exutil.CLI, namespace string) (bool, error) {
 
 // SetNamespacePrivileged sets a namespace to use privileged SCC
 func SetNamespacePrivileged(oc *exutil.CLI, namespace string) error {
-	err := oc.AsAdmin().Run("label").Args("ns", namespace, "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/audit=privileged", "pod-security.kubernetes.io/warn=privileged", "security.openshift.io/scc.podSecurityLabelSync=false", "--overwrite").Execute()
+	err := determineExecCLI(oc).Run("label").Args("ns", namespace, "pod-security.kubernetes.io/enforce=privileged", "pod-security.kubernetes.io/audit=privileged", "pod-security.kubernetes.io/warn=privileged", "security.openshift.io/scc.podSecurityLabelSync=false", "--overwrite").Execute()
 	if err != nil {
 		return fmt.Errorf("failed to set namespace %s privileged: %v", namespace, err)
 	}
@@ -68,7 +78,7 @@ func SetNamespacePrivileged(oc *exutil.CLI, namespace string) error {
 
 // RecoverNamespaceRestricted recovers a namespace to restricted mode
 func RecoverNamespaceRestricted(oc *exutil.CLI, namespace string) error {
-	err := oc.AsAdmin().Run("label").Args("ns", namespace, "pod-security.kubernetes.io/enforce-", "pod-security.kubernetes.io/audit-", "pod-security.kubernetes.io/warn-", "security.openshift.io/scc.podSecurityLabelSync-").Execute()
+	err := determineExecCLI(oc).Run("label").Args("ns", namespace, "pod-security.kubernetes.io/enforce-", "pod-security.kubernetes.io/audit-", "pod-security.kubernetes.io/warn-", "security.openshift.io/scc.podSecurityLabelSync-").Execute()
 	if err != nil {
 		return fmt.Errorf("failed to recover namespace %s to restricted: %v", namespace, err)
 	}
diff --git a/test/extended/util/compat_otp/nodes.go b/test/extended/util/compat_otp/nodes.go
@@ -174,7 +174,7 @@ func debugNode(oc *exutil.CLI, nodeName string, cmdOptions []string, needChroot
 		cargs = append(cargs, "--")
 	}
 	cargs = append(cargs, cmd...)
-	return oc.AsAdmin().WithoutNamespace().Run("debug").Args(cargs...).Outputs()
+	return determineExecCLI(oc).WithoutNamespace().Run("debug").Args(cargs...).Outputs()
 }
 
 // DeleteLabelFromNode delete the custom label from the node
@@ -390,15 +390,15 @@ func GetNodeArchByName(oc *exutil.CLI, nodeName string) string {
 
 // GetNodeListByLabel gets the node list by label
 func GetNodeListByLabel(oc *exutil.CLI, labelKey string) []string {
-	output, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("node", "-l", labelKey, "-o=jsonpath={.items[*].metadata.name}").Output()
+	output, err := determineExecCLI(oc).WithoutNamespace().Run("get").Args("node", "-l", labelKey, "-o=jsonpath={.items[*].metadata.name}").Output()
 	o.Expect(err).NotTo(o.HaveOccurred(), "Fail to get node with label %v, got error: %v\n", labelKey, err)
 	nodeNameList := strings.Fields(output)
 	return nodeNameList
 }
 
 // IsDefaultNodeSelectorEnabled judges whether the test cluster enabled the defaultNodeSelector
 func IsDefaultNodeSelectorEnabled(oc *exutil.CLI) bool {
-	defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
+	defaultNodeSelector, getNodeSelectorErr := determineExecCLI(oc).WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
 	if getNodeSelectorErr != nil && strings.Contains(defaultNodeSelector, `the server doesn't have a resource type`) {
 		e2e.Logf("WARNING: The scheduler API is not supported on the test cluster")
 		return false
diff --git a/test/extended/util/compat_otp/resource_op.go b/test/extended/util/compat_otp/resource_op.go
@@ -56,7 +56,7 @@ func AddAnnotationsToSpecificResource(oc *exutil.CLI, resourceKindAndName, resou
 	cargs = append(cargs, resourceKindAndName)
 	cargs = append(cargs, annotations...)
 	cargs = append(cargs, "--overwrite")
-	return oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()
+	return determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()
 }
 
 // RemoveAnnotationFromSpecificResource removes the specified annotation from the resource
@@ -67,7 +67,7 @@ func RemoveAnnotationFromSpecificResource(oc *exutil.CLI, resourceKindAndName, r
 	}
 	cargs = append(cargs, resourceKindAndName)
 	cargs = append(cargs, annotationName+"-")
-	return oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()
+	return determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()
 }
 
 // GetAnnotationsFromSpecificResource gets the annotations from the specific resource
@@ -77,7 +77,7 @@ func GetAnnotationsFromSpecificResource(oc *exutil.CLI, resourceKindAndName, res
 		cargs = append(cargs, "-n", resourceNamespace)
 	}
 	cargs = append(cargs, resourceKindAndName, "--list")
-	annotationsStr, getAnnotationsErr := oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()
+	annotationsStr, getAnnotationsErr := determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()
 	if getAnnotationsErr != nil {
 		e2e.Logf(`Failed to get annotations from /%s in namespace %s: "%v"`, resourceKindAndName, resourceNamespace, getAnnotationsErr)
 	}

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ func AddAnnotationsToSpecificResource(oc *exutil.CLI, resourceKindAndName, resou`
`56`	`56`	`cargs = append(cargs, resourceKindAndName)`
`57`	`57`	`cargs = append(cargs, annotations...)`
`58`	`58`	`cargs = append(cargs, "--overwrite")`
`59`		`- return oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()`
	`59`	`+ return determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`// RemoveAnnotationFromSpecificResource removes the specified annotation from the resource`
`@@ -67,7 +67,7 @@ func RemoveAnnotationFromSpecificResource(oc *exutil.CLI, resourceKindAndName, r`
`67`	`67`	`}`
`68`	`68`	`cargs = append(cargs, resourceKindAndName)`
`69`	`69`	`cargs = append(cargs, annotationName+"-")`
`70`		`- return oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()`
	`70`	`+ return determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`// GetAnnotationsFromSpecificResource gets the annotations from the specific resource`
`@@ -77,7 +77,7 @@ func GetAnnotationsFromSpecificResource(oc *exutil.CLI, resourceKindAndName, res`
`77`	`77`	`cargs = append(cargs, "-n", resourceNamespace)`
`78`	`78`	`}`
`79`	`79`	`cargs = append(cargs, resourceKindAndName, "--list")`
`80`		`- annotationsStr, getAnnotationsErr := oc.AsAdmin().WithoutNamespace().Run("annotate").Args(cargs...).Output()`
	`80`	`+ annotationsStr, getAnnotationsErr := determineExecCLI(oc).WithoutNamespace().Run("annotate").Args(cargs...).Output()`
`81`	`81`	`if getAnnotationsErr != nil {`
`82`	`82`	e2e.Logf(`Failed to get annotations from /%s in namespace %s: "%v"`, resourceKindAndName, resourceNamespace, getAnnotationsErr)
`83`	`83`	`}`