Revert "OCPBUGS-86774: Pin azure-cli to 2.72.0 in e2e Dockerfile"

[bryan-cox]

Reverts #8638

Summary by CodeRabbit

• Chores
  • Updated Azure CLI configuration in test environment setup to use the latest available version.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@bryan-cox: This pull request references Jira Issue OCPBUGS-86774, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Reverts #8638

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/test e2e-aws
/test e2e-aks

[coderabbitai]

Walkthrough

This PR removes the version pin from the Azure CLI package in the E2E test Docker image, allowing the system package manager to install the latest available version of azure-cli instead of the specific 2.72.0 release.

Changes

E2E Docker Image Updates

Layer / File(s)	Summary
Azure CLI Package Version Pin Removal Dockerfile.e2e	The dnf install command changed from azure-cli-2.72.0 to the unversioned azure-cli package, allowing automatic installation of the latest available version during image builds.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/hypershift#8638: Prior PR that modified Dockerfile.e2e's Azure CLI installation, pinning it to azure-cli-2.72.0, which this PR reverses.

Suggested labels

area/ci-tooling, area/platform/azure, verified

Suggested reviewers

• muraee
• Nirshal

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: reverting a previous commit that pinned azure-cli to version 2.72.0 in the e2e Dockerfile, which matches the actual changeset of removing the version pin.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR does not introduce Ginkgo test names with dynamic information. All examined test names are static and descriptive strings (e.g., "should have control plane healthy before backup").
Test Structure And Quality	✅ Passed	PR only modifies Dockerfile.e2e (azure-cli version removal); no Ginkgo test code changes. Check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR—it only reverts a Dockerfile.e2e change to unpin azure-cli. The custom check is not applicable since it targets new e2e tests specifically.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies Dockerfile.e2e to revert azure-cli version pinning; no new Ginkgo e2e tests are added, so the SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only Dockerfile.e2e (a test build artifact), not deployment manifests, operator code, or controllers. The custom check is not applicable to test/build Dockerfiles.
Ote Binary Stdout Contract	✅ Passed	PR only modifies Dockerfile.e2e (removing azure-cli version pin); no changes to OTE binary source code, test binaries, or process-level Go code to evaluate against the stdout JSON contract check.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests; only Dockerfile.e2e modification. Custom check for IPv6/disconnected network compatibility only applies to new tests, not infrastructure changes.
No-Weak-Crypto	✅ Passed	PR only modifies Dockerfile.e2e azure-cli versioning. No weak crypto algorithms, custom crypto, or non-constant-time secret comparisons found.
Container-Privileges	✅ Passed	PR only modifies Dockerfile.e2e (a build artifact), not Kubernetes manifests. Container privilege checks apply to K8s Pod/deployment specs, not Dockerfiles.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only changes azure-cli version pinning (2.72.0 → unpinned) in Dockerfile.e2e. No passwords, tokens, API keys, PII, or logging flags are present in the Dockerfile.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@bryan-cox: This pull request references Jira Issue OCPBUGS-86774, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Reverts #8638

Summary by CodeRabbit

• Chores
• Updated Azure CLI configuration in test environment setup to use the latest available version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.26%. Comparing base (eb04f61) to head (bf3ba1b).
⚠️ Report is 47 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8652   +/-   ##
=======================================
  Coverage   41.26%   41.26%           
=======================================
  Files         755      755           
  Lines       93443    93443           
=======================================
  Hits        38563    38563           
  Misses      52148    52148           
  Partials     2732     2732           

Flag	Coverage Δ
cmd-support	34.86% <ø> (ø)
cpo-hostedcontrolplane	43.49% <ø> (ø)
cpo-other	42.79% <ø> (ø)
hypershift-operator	51.00% <ø> (ø)
other	31.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

Dockerfile.e2e (1)

1-34: Container security guidelines: Multiple pre-existing violations in E2E Dockerfile.

While not part of this change, this Dockerfile has several deviations from the container security guidelines that should be addressed in a future PR:

• No USER directive: Container runs as root (guideline: "USER non-root; never run as root")
• No HEALTHCHECK: No health check defined for the container
• COPY entire context (line 6): Copies all files instead of specific ones in builder stage
• Build tools in final image: Contains Go compiler (line 12) - acknowledged as necessary for tests but still a deviation

While these may be acceptable for an E2E test image, consider whether security hardening is needed even for test environments, especially if the image has access to cloud credentials during testing.

As per coding guidelines: "USER non-root; never run as root", "HEALTHCHECK defined", "COPY specific files, not entire context", "Multi-stage builds; no build tools in final image".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.e2e` around lines 1 - 34, The Dockerfile currently copies the
entire build context (COPY . .), runs as root (no USER directive), lacks a
HEALTHCHECK, and leaves build tooling in the final image (the builder stage runs
RUN make ... and the final stage still uses a golang base and installs packages
via RUN rpm/.../dnf). Update the builder stage to COPY only required sources and
artifacts instead of COPY . ., keep compilation in the builder (identify the RUN
make e2e hypershift ... step and the created binaries like
/hypershift/bin/test-e2e and /hypershift/bin/hypershift), ensure the final image
does not contain unnecessary build tools (move all build-time dependencies to
the builder stage or use a slimmer runtime base if possible), add a non-root
user and switch to it with a USER directive after creating/setting permissions
for /hypershift, and add an appropriate HEALTHCHECK that exercises
/hypershift/bin/test-e2e or another lightweight runtime check; adjust the
azure-cli installation step (RUN rpm ... dnf install -y azure-cli) to preserve
least privilege and only run as root for installation before switching to the
non-root USER.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.e2e`:
- Line 33: The Dockerfile.e2e currently installs azure-cli without pinning and
removed the i686 exclusion, and also lacks container hardening (no USER, no
HEALTHCHECK) and uses COPY . . in the builder and reuses the builder as the
final image; update the dnf install line to pin azure-cli to the known-good
version (azure-cli-2.72.0) and restore the exclusion flag (--exclude='*.i686')
to avoid E4S/EUS python3.12 and i686 resolution failures, add a non-root USER
declaration and a HEALTHCHECK per our guidelines, and change the builder stage
to use explicit COPY of only needed artifacts (avoid COPY . .) and ensure the
final stage does not reuse the builder image but instead copies artifacts from
the builder stage into a minimal runtime image.

---

Nitpick comments:
In `@Dockerfile.e2e`:
- Around line 1-34: The Dockerfile currently copies the entire build context
(COPY . .), runs as root (no USER directive), lacks a HEALTHCHECK, and leaves
build tooling in the final image (the builder stage runs RUN make ... and the
final stage still uses a golang base and installs packages via RUN rpm/.../dnf).
Update the builder stage to COPY only required sources and artifacts instead of
COPY . ., keep compilation in the builder (identify the RUN make e2e hypershift
... step and the created binaries like /hypershift/bin/test-e2e and
/hypershift/bin/hypershift), ensure the final image does not contain unnecessary
build tools (move all build-time dependencies to the builder stage or use a
slimmer runtime base if possible), add a non-root user and switch to it with a
USER directive after creating/setting permissions for /hypershift, and add an
appropriate HEALTHCHECK that exercises /hypershift/bin/test-e2e or another
lightweight runtime check; adjust the azure-cli installation step (RUN rpm ...
dnf install -y azure-cli) to preserve least privilege and only run as root for
installation before switching to the non-root USER.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 246f7454-87c3-49f8-972d-d5c967b09bf5

📥 Commits

Reviewing files that changed from the base of the PR and between eb04f61 and bf3ba1b.

📒 Files selected for processing (1)

• Dockerfile.e2e

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check available azure-cli versions in the Microsoft repository
dnf list --showduplicates azure-cli 2>/dev/null | grep azure-cli | tail -10

Repository: openshift/hypershift

Length of output: 46

---

🏁 Script executed:

#!/bin/bash
# Search for context about why 2.72.0 was originally pinned
gh pr view 8638 --json title,body,comments

Repository: openshift/hypershift

Length of output: 43580

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show Dockerfile.e2e around the cited line 33
if [ -f Dockerfile.e2e ]; then
  nl -ba Dockerfile.e2e | sed -n '20,50p'
else
  echo "Missing Dockerfile.e2e at repo root"
fi

# Also capture any azure-cli dnf install lines in the Dockerfile.e2e
if [ -f Dockerfile.e2e ]; then
  rg -n "dnf .*install .*azure-cli" Dockerfile.e2e || true
  rg -n "azure-cli" Dockerfile.e2e || true
fi

Repository: openshift/hypershift

Length of output: 107

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la

# Locate and display Dockerfile.e2e (with line numbers) around line 33
if [ -f Dockerfile.e2e ]; then
  echo "== Dockerfile.e2e exists at ./Dockerfile.e2e =="
  awk 'NR>=20 && NR<=50 {printf "%d:%s\n", NR, $0}' Dockerfile.e2e
else
  echo "== Dockerfile.e2e not found at repo root; searching by name =="
  fd -t f -i "Dockerfile.e2e" .
  exit 0
fi

echo "== azure-cli install lines =="
rg -n "dnf .*install .*azure-cli|azure-cli-[0-9]|azure-cli" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 6394

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== dockerfile.e2e azure-cli installs and i686 excludes =="
rg -n "dnf .*install .*azure-cli|azure-cli-|azure-cli|--exclude='\\*\\.i686'|i686" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 159

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Top of Dockerfile.e2e =="
awk 'NR>=1 && NR<=80 {printf "%d:%s\n", NR, $0}' Dockerfile.e2e

echo
echo "== USER / HEALTHCHECK =="
rg -n "^(USER|HEALTHCHECK)\b" Dockerfile.e2e || true

echo
echo "== COPY patterns (quick scan) =="
rg -n "\bCOPY\b" Dockerfile.e2e || true

echo
echo "== dnf/yum install usage =="
rg -n "\b(dnf|yum)\s+(install|update)" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 3246

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== azure-cli dnf exclude i686 =="
rg -n "exclude=.*i686|i686" Dockerfile.e2e || true

echo
echo "== USER / HEALTHCHECK directives =="
rg -n "^(USER|HEALTHCHECK)\b" Dockerfile.e2e || true

Repository: openshift/hypershift

Length of output: 134

---

Pin azure-cli (and restore the i686 exclusion) in Dockerfile.e2e to avoid reintroducing known e2e image build failures.

Removing the pin at dnf install -y azure-cli reintroduces the same class of issue fixed by PR #8638:

• E4S/EUS incompatibility: PR #8638 pinned azure-cli-2.72.0 because azure-cli >= 2.73.0 requires python3.12, which isn’t available in the E4S/EUS repos; unpinned installs can select a newer (uninstallable) version.
• dnf resolution failures from i686 metadata: PR #8638 added --exclude='*.i686' to avoid unsatisfied i686 dependencies; this Dockerfile.e2e no longer excludes i686.

Additionally, this Dockerfile.e2e currently violates the provided container hardening guidelines: no USER, no HEALTHCHECK, and builder uses COPY . . (and the final stage reuses the builder image).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.e2e` at line 33, The Dockerfile.e2e currently installs azure-cli
without pinning and removed the i686 exclusion, and also lacks container
hardening (no USER, no HEALTHCHECK) and uses COPY . . in the builder and reuses
the builder as the final image; update the dnf install line to pin azure-cli to
the known-good version (azure-cli-2.72.0) and restore the exclusion flag
(--exclude='*.i686') to avoid E4S/EUS python3.12 and i686 resolution failures,
add a non-root USER declaration and a HEALTHCHECK per our guidelines, and change
the builder stage to use explicit COPY of only needed artifacts (avoid COPY . .)
and ensure the final stage does not reuse the builder image but instead copies
artifacts from the builder stage into a minimal runtime image.

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-06-03T10:47:02Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-06-03T01:30:47Z
• View Job
• View Job History

[bryan-cox]

/area ci-tooling

[bryan-cox]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2061893954906886144 | Cost: $2.8202486 | Failed step: hypershift-azure-run-e2e

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[bryan-cox]

/retest

[bryan-cox]

/test e2e-aws

[bryan-cox]

/test e2e-aws

[hypershift-jira-solve-ci]

Now I have all the evidence needed. The failure is clear — this is a CI infrastructure scheduling issue, not a test/code failure. Let me produce the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
• Build ID: 2062108207471398912
• Target: e2e-aws
• PR: Revert "OCPBUGS-86774: Pin azure-cli to 2.72.0 in e2e Dockerfile" #8652 (Revert "OCPBUGS-86774: Pin azure-cli to 2.72.0 in e2e Dockerfile")
• Start Time: 2026-06-03T09:44:43Z
• Duration: ~1h 0m 22s
• Failure Reason: executing_graph:step_failed:importing_release:pod_pending

Test Failure Analysis

Error

step [release:n2minor] failed: failed to get CLI image: unable to find the 'cli' image in the provided release image: pod pending for more than 1h0m0s: pod has not been scheduled in 1h0m0.001023791s

step [release:initial] failed: failed to get CLI image: unable to find the 'cli' image in the provided release image: pod pending for more than 1h0m0s: pod has not been scheduled in 1h0m0.000737422s

Summary

This is a CI infrastructure failure, not a code or test failure. The job failed during the release image import phase — before any test code was executed — because two pods (release-images-n2minor-cli and release-images-initial-cli) could not be scheduled on the CI cluster (build01) for over 1 hour and timed out. All builds (src, hypershift-operator, hypershift-tests, hypershift, hypershift-cli) completed successfully. The failure is entirely unrelated to PR #8652's changes.

Root Cause

The CI cluster build01.ci.openshift.org had insufficient schedulable nodes to place the release image extraction pods. The Kubernetes scheduler events show that across 63–107 nodes in the cluster, every node was excluded due to a combination of:

1. Taints excluding the pods (~85% of nodes): The vast majority of nodes carry role-specific taints (ci-tests-worker, ci-builds-worker, ci-builds-tmpfs-worker, ci-prowjobs-worker, infra, master) that the release image pods do not tolerate. These account for ~90 of ~107 nodes.

2. Node affinity/selector mismatch (14–15 nodes): A consistent set of 14–15 nodes did not match the pod's node affinity or nodeSelector requirements. These are likely nodes with a different architecture or label configuration.

3. Pod anti-affinity rules (2 nodes): 2 nodes were excluded by pod anti-affinity rules, meaning the pods were competing with existing pods for placement on the few eligible nodes.

4. Transient node issues (fluctuating): Throughout the 1-hour wait, 1–10 nodes were continuously transitioning through not-ready and unschedulable states, further reducing the already-zero pool of eligible nodes.

The net result: 0 eligible nodes at every scheduling attempt over the entire hour. The pods release-images-n2minor-cli and release-images-initial-cli were created at ~09:45:01Z and timed out at 10:45:01Z. This is a resource pressure / capacity issue on the CI build cluster — not a product bug or test regression.

The PR's code changes (reverting the azure-cli pin in the e2e Dockerfile) are completely uninvolved; the job never reached the point of executing any test step.

Recommendations

1. Retest the PR — This failure is transient CI infrastructure. Simply re-trigger the e2e-aws job with /retest or /test e2e-aws. The scheduling pressure is likely resolved by now.

2. No code changes needed — The PR's changes (Dockerfile e2e azure-cli revert) are not exercised or relevant to this failure. The job failed during release image import, well before any test execution.

3. If the failure recurs — File an issue against the CI infrastructure team (e.g., in openshift/release or the TRT team) noting that build01 has insufficient capacity for release image extraction pods on nodes matching the required affinity/selector. The scheduling events consistently show 0 eligible nodes across 63–107 total nodes.

Evidence

Evidence	Detail
Failed Steps	[release:n2minor] and [release:initial] — both during release image import, not test execution
Error Type	pod_pending — Kubernetes scheduling failure, not a test/code error
Pod Names	release-images-n2minor-cli (170 events), release-images-initial-cli (169 events)
Cluster	build01.ci.openshift.org (namespace ci-op-iqs5bbdb)
Pending Duration	Exactly 1h 0m 0s for both pods (hit the hard timeout)
Scheduler Events	0/63 to 0/107 nodes available throughout — taints, affinity mismatches, anti-affinity, and not-ready nodes exhausted all options
Node Breakdown	~69–76 ci-tests-worker (tainted), ~14–15 affinity mismatch, ~5–7 ci-prowjobs-worker (tainted), ~3–20 ci-builds-worker (tainted), 3 infra (tainted), 3 master (tainted), 1 ci-builds-tmpfs-worker (tainted), 2 anti-affinity, 1–10 not-ready/unschedulable
Builds Succeeded	src (2m15s), hypershift-tests (9m9s), hypershift-operator (4m40s), hypershift-cli (1m35s), hypershift (3m57s) — all completed before the scheduling timeout
Job State Reason	executing_graph:step_failed:importing_release:pod_pending
PR Relevance	None — the Dockerfile change was never built or tested; failure occurred during CI infrastructure setup

---

[devguyio]

/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[bryan-cox]

/verified by e2e

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by e2e.

Details

In response to this:

/verified by e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@bryan-cox: Jira Issue Verification Checks: Jira Issue OCPBUGS-86774
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-86774 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Reverts #8638

Summary by CodeRabbit

• Chores
• Updated Azure CLI configuration in test environment setup to use the latest available version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.