shiftstack · dlaw4608 · May 25, 2026
diff --git a/collection/stages/roles/egressip_tests/defaults/main.yml b/collection/stages/roles/egressip_tests/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# defaults file for egressip_tests
+egressip_test_name: "openshift-tests-private"
+egressip_test_dir: "{{ artifacts_dir }}/{{ egressip_test_name }}"
+egressip_test_executable: "{{ egressip_test_dir }}/bin/extended-platform-tests"
+egressip_test_results_dir: "{{ artifacts_dir }}/egressip_tests"
+egressip_allowlist_file: "{{ role_path }}/files/egressip-allowlist.yaml"
+egressip_tests_go_version: "{{ tests.default_go_version_target }}"
diff --git a/collection/stages/roles/egressip_tests/files/egressip-allowlist.yaml b/collection/stages/roles/egressip_tests/files/egressip-allowlist.yaml
@@ -0,0 +1,149 @@
+---
+all_allow_list: &all_allow_list
+  {}
+
+sdn_list: &sdn_tests
+  <<: *all_allow_list
+  ".*Author:jechen-High-46555-Medium-46962-[Automatic EgressIP] Random egressIP is used on a pod that is not on a node hosting an egressIP, and random outages with egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46556-[Automatic EgressIP] A pod that is on a node hosting egressIP, it will always use the egressIP of the node . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46557-[Manual EgressIP] Random egressIP is used on a pod that is not on a node hosting an egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46558-[Manual EgressIP] A pod that is on a node hosting egressIP, it will always use the egressIP of the node . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47462-EgressNetworkPolicy should work well with egressIP [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-Medium-47461-Should not be able to access the node via the egressIP [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46559-[Automatic EgressIP] If some egress node is unavailable, pods continue use other available egressIPs after a short delay. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46561-[Manual EgressIP] If some egress node is unavailable, pods continue use other available egressIPs after a short delay. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46701-High-47470-Pods will lose external access if same egressIP is assigned to different netnamespace, error should be logged on master node. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46705-The egressIP should still work fine after the node or network service restarted. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-46960- EgressIP can failover if the node is NotReady. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47455-The egressIP could be assigned to project automatically once it is defined in hostsubnet egressCIDR. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47464-The egressIP will be unavailable if it is set to multiple hostsubnets. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47468-High-47469-Pod access external through egressIP if egress node hosts the egressIP that assigned to netns, or it lose access to external if no node hosts the egressIP that assigned to netns. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47054-The egressIP can be HA if netnamespace has single egressIP . [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47456-High-47457-Can change egressIP of project when there are multiple egressIP, can access outside with nodeIP after egressIP is removed. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47458-High-47459-EgressIP works when reusing the egressIP that was held by a deleted project, EgressIP works well after removed egressIP is added back. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+  ".*Author:jechen-High-47463-Pod will not be affected by the egressIP set on other netnamespace. [.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1007"
+
+ovnk_list: &ovnk_tests
+  <<: *all_allow_list
+  ".*Author:huirwang.*47019.*EgressIP works well with networkpolicy and egressFirewall.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47018.*47017.*Multiple projects use same EgressIP.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47028.*After remove EgressIP node tag.*failover.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47030.*EgressIP object can not have multiple egress IP assignments on the same node.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47031.*After reboot egress node EgressIP still work.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47032.*47034.*Traffic is load balanced between egress nodes.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47164.*47025.*update egressip object.*pods removed matched labels.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47272.*Pods will not be affected by the egressIP set on other netnamespace.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*55632.*egress node shouldn't generate broadcast ARP for service IPs.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47029.*47024.*egress IP can only be assigned to one node only.*Warning event.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47163.*47026.*Deleting EgressIP object and recreating it works.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*47021.*lr-policy-list and snat should be updated correctly after remove pods.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*55030.*After reboot egress node.*lr-policy-list and snat should keep correct.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+  ".*Author:huirwang.*53069.*EgressIP should work for recreated same name pod.*":
+    description: "https://issues.redhat.com/browse/KURYRQE-1016"
+
+##########
+# This feature is supported since OpenShift 4.12
+
+# OpenShift 4.12
+"4.12":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.13
+"4.13":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.14
+"4.14":
+  "OpenShiftSDN":
+    <<: *sdn_tests
+
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+  "Kuryr":
+    <<: *all_allow_list
+
+# OpenShift 4.15
+"4.15":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.16
+"4.16":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.17
+"4.17":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.18
+"4.18":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.19
+"4.19":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.20
+"4.20":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.21
+"4.21":
+  "OVNKubernetes":
+    <<: *ovnk_tests
+
+# OpenShift 4.22
+"4.22":
+  "OVNKubernetes":
+    <<: *ovnk_tests
diff --git a/collection/stages/roles/egressip_tests/meta/main.yml b/collection/stages/roles/egressip_tests/meta/main.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - shiftstack.tools
diff --git a/collection/stages/roles/egressip_tests/tasks/main.yml b/collection/stages/roles/egressip_tests/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# tasks file for egressip_tests
+- name: Prepare EgressIP test
+  ansible.builtin.include_tasks: prepare_private_tests.yml
+  vars:
+    results_dir: "{{ egressip_test_results_dir }}"
+    go_version_target: "{{ egressip_tests_go_version }}"
+
+- name: Run egressip tests
+  ansible.builtin.include_tasks: run_egressip_tests.yml
+
+- name: Post EgressIP test
+  ansible.builtin.include_role:
+    name: tools_openshift_tests
+    tasks_from: post_openshift_tests.yml
+  vars:
+    testsuite_name: "egressip_tests"
+    key_for_filtering_results: "egressip"
+    test_name: "{{ egressip_test_name }}"
+    results_dir: "{{ egressip_test_results_dir }}"
+
+- name: Remove the source directory after tests complete
+  ansible.builtin.file:
+    path: "{{ egressip_test_dir }}"
+    state: absent
diff --git a/collection/stages/roles/egressip_tests/tasks/prepare_private_tests.yml b/collection/stages/roles/egressip_tests/tasks/prepare_private_tests.yml
@@ -0,0 +1,33 @@
+---
+- name: Create results directory
+  ansible.builtin.file:
+    path: "{{ results_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Write SSH deploy key temporarily
+  ansible.builtin.copy:
+    content: "{{ openshift_tests_private_ssh_key }}"
+    dest: "{{ ansible_env.HOME }}/.ssh/openshift_tests_private_deploy_key"
+    mode: '0600'
+  no_log: true
+
+- name: Clone openshift-tests-private via SSH
+  ansible.builtin.git:
+    repo: "git@github.com:openshift/openshift-tests-private.git"
+    version: "release-{{ discovered_openshift_release }}"
+    dest: "{{ egressip_test_dir }}"
+    key_file: "{{ ansible_env.HOME }}/.ssh/openshift_tests_private_deploy_key"
+    accept_hostkey: yes
+
+- name: Remove SSH deploy key
+  ansible.builtin.file:
+    path: "{{ ansible_env.HOME }}/.ssh/openshift_tests_private_deploy_key"
+    state: absent
+
+- name: Setup Go version
+  ansible.builtin.include_role:
+    name: shiftstack.tools.tools_openshift_tests
+    tasks_from: setup_go_version.yml
+  vars:
+    go_version_target: "{{ go_version_target }}"
diff --git a/collection/stages/roles/egressip_tests/tasks/run_egressip_tests.yml b/collection/stages/roles/egressip_tests/tasks/run_egressip_tests.yml
@@ -0,0 +1,97 @@
+---
+- name: Load the full allowlist file
+  ansible.builtin.set_fact:
+    egressip_full_allowlist: "{{ lookup('file', egressip_allowlist_file) | from_yaml }}"
+
+- name: Detect network backend
+  ansible.builtin.shell: |
+    oc get network.config cluster -o jsonpath='{.status.networkType}'
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+  register: network_backend_result
+  changed_when: false
+
+- name: Set network backend fact
+  ansible.builtin.set_fact:
+    network_backend: "{{ network_backend_result.stdout }}"
+
+- name: Extract allowlist for current version and network backend
+  ansible.builtin.set_fact:
+    egressip_version_allowlist: "{{ egressip_full_allowlist[discovered_openshift_release][network_backend] | default({}) }}"
+
+- name: Fail if no allowlist found for this version/backend combination
+  ansible.builtin.fail:
+    msg: "No allowlist found for OCP {{ discovered_openshift_release }} with {{ network_backend }}"
+  when: egressip_version_allowlist | length == 0
+
+- name: Write filtered allowlist to temporary file
+  ansible.builtin.copy:
+    content: "{{ egressip_version_allowlist | to_nice_yaml }}"
+    dest: "{{ egressip_test_results_dir }}/allowlist.yaml"
+    mode: '0644'
+
+- name: Set artifact paths
+  ansible.builtin.set_fact:
+    all_tests_path: "{{ egressip_test_results_dir }}/egressip_tests.txt"
+    allowlist_path: "{{ egressip_test_results_dir }}/allowlist.txt"
+    tests_to_run_path: "{{ egressip_test_results_dir }}/list_of_tests_to_run.txt"
+
+- name: Build extended-platform-tests executable
+  ansible.builtin.shell: |
+    source {{ home_dir }}/.bashrc
+    make build
+  args:
+    chdir: "{{ egressip_test_dir }}"
+  changed_when: true
+
+- name: Get full list of tests
+  ansible.builtin.shell: >
+    {{ egressip_test_executable }} run all --dry-run > {{ all_tests_path }}
+  environment:
+    KUBECONFIG: "{{ kubeconfig }}"
+    OS_CLOUD: "{{ user_cloud }}"
+  changed_when: true
+
+- name: Convert the allowlist YAML to TXT
+  ansible.builtin.include_role:
+    name: tools_openshift_tests
+    tasks_from: convert_yaml_tests_file_to_txt.yml
+  vars:
+    input_tests_list: "{{ egressip_test_results_dir }}/allowlist.yaml"
+    output_tests_list: "{{ allowlist_path }}"
+    yaml_format_based_on_ocp_version: true
+
+- name: Prepare the tests list to run
+  shiftstack.tools.filter_tests_list:
+    input_tests_file: "{{ all_tests_path }}"
+    allowlist_file: "{{ allowlist_path }}"
+    blocklist_file: ""
+    output_file: "{{ tests_to_run_path }}"
+
+- name: Run the egressip tests
+  block:
+    - name: Run egressIP tests
+      ansible.builtin.shell: >
+        {{ egressip_test_executable }} run
+        -f {{ tests_to_run_path }}
+        --output-file {{ egressip_test_results_dir }}/{{ egressip_test_name }}.log
+        --junit-dir={{ egressip_test_results_dir }} > /dev/null
+      environment:
+        KUBECONFIG: "{{ kubeconfig }}"
+        OS_CLOUD: "{{ user_cloud }}"
+      changed_when: true
+
+  rescue:
+    - name: Mark the egressip tests as UNSTABLE
+      ansible.builtin.include_role:
+        name: tools_stage_results
+        tasks_from: mark_stage_unstable.yml
+      vars:
+        unstable_msg: >-
+          The EgressIP test suite failed.
+
+    - name: Run must-gather
+      ansible.builtin.include_role:
+        name: tools_must-gather
+      vars:
+        must_gather_suffix: "egressip-tests"