Add openshift-e2e-aws-disconnected workflow

[mdbooth]

Add a new disconnected AWS workflow for component-level CI testing.
The workflow creates an isolated VPC with private subnets and VPC
endpoints, a bastion host providing mirror registry, egress proxy,
and SSH jump host, then installs OpenShift using mirrored images
and manual CCO credentials.

Also adds an optional e2e-aws-capi-disconnected-techpreview job
to cluster-capi-operator.

The required change to the AWS credentials format has an associated docs bug: https://redhat.atlassian.net/browse/OCPBUGS-84570

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Summary by CodeRabbit

• New Features

  • Added end-to-end disconnected AWS CAPI workflows to provision, install, test (TechPreview), gather artifacts, and deprovision isolated clusters.

• Tests

  • Introduced an optional presubmit E2E job to validate disconnected AWS CAPI scenarios with a dedicated workflow and retry/trigger capabilities.

• Chores

  • Added metadata and ownership entries for the new disconnected testing workflows and step registries.

[coderabbitai]

Walkthrough

Adds CI artifacts to run disconnected AWS E2E: a new optional test and presubmit, pre- and post-provision step-registry chains, an openshift-e2e aws disconnected workflow, metadata, and OWNERS entries.

Changes

Cohort / File(s)	Summary
Test config & presubmit ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml, ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml	Added optional e2e-aws-capi-disconnected-techpreview test and corresponding presubmit job; sets cluster profile, env vars (ENABLE_IDMS, FEATURE_SET), observer, test step (make e2e), pipeline-skip filters, BOSKOS/credential mounts, and targets openshift-e2e-aws-disconnected workflow.
IPI AWS pre-disconnected ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml, .../ipi-aws-pre-disconnected-chain.metadata.json, .../OWNERS	New pre-provision chain for disconnected VPC/bastion/mirroring/install flow; adds metadata and OWNERS (approvers).
IPI AWS post-disconnected ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml, .../ipi-aws-post-disconnected-chain.metadata.json, .../OWNERS	New post-deprovision chain to collect artifacts and run AWS deprovision steps (SGs, CFN stacks, IAM/users), plus metadata and OWNERS.
Openshift E2E aws disconnected workflow ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml, .../openshift-e2e-aws-disconnected-workflow.metadata.json, .../OWNERS	Added openshift-e2e-aws-disconnected workflow chaining the pre-disconnected chain, the shared e2e test reference, and post-disconnected chain; includes metadata and OWNERS.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as Test Runner
    participant Pre as Pre-Provision Chain
    participant Bastion as Bastion Host
    participant Mirror as Mirror Registry
    participant Cluster as AWS Cluster
    participant E2E as E2E Workflow
    participant Post as Post-Deprovision Chain

    Runner->>Pre: start ipi-aws-pre-disconnected
    Pre->>Cluster: provision VPC/subnets, IAM, bots
    Pre->>Bastion: provision bastion and mirror
    Pre->>Mirror: mirror payload to bastion
    Pre-->>Runner: cluster installed

    Runner->>E2E: run openshift-e2e-aws-disconnected
    E2E->>Bastion: use bastion for mirror/proxy/ssh
    E2E->>Cluster: execute tests
    E2E-->>Runner: tests complete

    Runner->>Post: start ipi-aws-post-disconnected
    Post->>Cluster: gather logs/console artifacts
    Post->>Mirror: collect mirror registry content
    Post->>Cluster: deprovision SGs/CFN/IAM
    Post-->>Runner: teardown complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a new disconnected AWS workflow. It is specific, directly related to the primary additions in the changeset, and accurately reflects the core purpose of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR modifies only CI/CD configuration files in OpenShift release repository's ci-operator/ directory, not Ginkgo test code.
Test Structure And Quality	✅ Passed	This pull request contains no Ginkgo test code, consisting only of CI/CD infrastructure configuration files, making the custom check not applicable.
Microshift Test Compatibility	✅ Passed	PR adds only CI configuration files (YAML workflows and job definitions) to orchestrate existing e2e tests on disconnected AWS environment. No new Ginkgo test code is added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only YAML configuration and metadata files for CI/CD orchestration, not Ginkgo e2e test code. Grep matches were false positives from documentation prose.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds CI/CD test workflow and job definitions, not deployment manifests or operator code. The files are test orchestration configurations that do not introduce any Kubernetes scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR contains only CI infrastructure configuration changes (YAML/JSON files) with no Go test source code modifications, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only CI infrastructure configuration files (YAML workflows, chains, presubmit jobs) and metadata files. No Ginkgo e2e test code (Go files) is being added.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mdbooth]

/pj-rehearse

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml`:
- Around line 27-30: Remove the -x (xtrace) flag before sourcing the proxy
config to prevent secrets from being printed: modify the script where it
currently sets "set -exuo pipefail" so that xtrace is disabled (e.g., use "set
-euo pipefail" or temporarily turn off xtrace) prior to the conditional that
sources "${SHARED_DIR}/proxy-conf.sh", then re-enable xtrace afterwards if
needed; update the lines referencing set -exuo pipefail and the source
"${SHARED_DIR}/proxy-conf.sh" accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cbfb056e-a337-401a-8a80-ae55f676bf2f

📥 Commits

Reviewing files that changed from the base of the PR and between e0c42c3 and cb3cc31.

📒 Files selected for processing (11)

• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml
• ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml
• ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml
• ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS
• ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json
• ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml
• ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS
• ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json
• ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml

[mdbooth]

Despite reporting failure the pj-rehearse seems to have been a success. The failure is an actual bug in capi-operator: it needs to import the additional trust bundle in order to trust the mirror registry.

The environment came up. I verified manually (by logging in to it during the run) that it was disconnected. It seems to have successfully collected artifacts.

[mdbooth]

I have opened #77955 to separately address the timeout observed during cluster create. The timeout doesn't ultimately cause the cluster provisioning to fail, it just wastes resources. It is a latent issue.

[mdbooth]

/pj-rehearse

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[damdo]

Not an expert in step registry but it looks reasonable to me.
Thanks

/lgtm

[damdo]

/assign @dgoodwin @stbenjam @neisw

[xueqzhan]

/approve

[mdbooth]

/hold while I iterate on this in #78315. The approach is validated, but I've encountered a couple of things which we'll need to fix in the workflow anyway.

[mdbooth]

Getting a successful run of pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview also required fixes in CAPI operator which haven't merged, yet. However, I was able to successfully test it using #78315: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/78315/rehearse-78315-pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview/2048790289379758080

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 2a832a8 and 2 for PR HEAD ffa2511 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD d47ab7e and 1 for PR HEAD ffa2511 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 6fe696f and 0 for PR HEAD ffa2511 in total

[openshift-merge-bot]

/hold

Revision ffa2511 was retested 3 times: holding

[mdbooth]

/test generated-config

[mdbooth]

/hold cancel

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD d52b059 and 2 for PR HEAD ffa2511 in total

[mdbooth]

No changes, just rebased on to a commit after the fixes to generated-config.

[damdo]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo, mdbooth, xueqzhan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-capi-operator/OWNERS [damdo,mdbooth]
• ci-operator/jobs/openshift/cluster-capi-operator/OWNERS [damdo,mdbooth]
• ci-operator/step-registry/aws/OWNERS [xueqzhan]
• ci-operator/step-registry/ipi/OWNERS [xueqzhan]
• ci-operator/step-registry/openshift/OWNERS [xueqzhan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mdbooth: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Presubmit changed
periodic-ci-openshift-openshift-tests-private-release-4.22-multi-stable-aws-ipi-disc-priv-arm-mixarch-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-disc-priv-workers-rhcos-rhel8-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-quay-quay-tests-master-omr-ocp421-unreleased-quay-omr-tests-omr-ocp421-disconnected-unreleased	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-multi-stable-aws-ipi-disc-priv-arm-mixarch-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.13-amd64-nightly-aws-ipi-disc-priv-workers-rhcos-rhel8-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-4.15-upgrade-from-stable-4.14-aws-ipi-disc-priv-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-release-main-nightly-4.21-e2e-aws-ovn-ha-cert-rotation-suspend-30d	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-eusc-ipi-disc-priv-tp-arm-f7	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-aws-ipi-disc-priv-workers-rhcos-rhel8-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.13-amd64-nightly-aws-usgov-ipi-disc-priv-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-nightly-aws-ipi-disc-priv-sdn-rhcos-rhel8-f60	N/A	periodic	Registry content changed
periodic-ci-quay-quay-tests-master-omr-ocp417-quay-omr-tests-omr-ocp417-disconnected	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-multi-stable-aws-ipi-disc-priv-arm-mixarch-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-stable-aws-ipi-disc-priv-localzone-fips-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-arm64-nightly-aws-ipi-disc-priv-tp-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-verification-tests-main-installer-rehearse-4.18-installer-rehearse-aws	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-5.0-multi-nightly-aws-eusc-ipi-disc-priv-tp-amd-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.13-amd64-nightly-aws-ipi-disc-priv-sdn-rhcos-rhel8-f60-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-ipi-disc-priv-f28-longrun-ota	N/A	periodic	Registry content changed

A total of 253 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mdbooth]

No need to re-run pj-rehearse as this is just a rebase.

/pj-rehearse ack

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mdbooth]

/test generated-config

[openshift-ci]

@mdbooth: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/cluster-capi-operator/main/e2e-aws-capi-disconnected-techpreview	ffa2511	link	unknown	/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.12-amd64-nightly-4.12-upgrade-from-stable-4.11-aws-ipi-disc-priv-f60	ffa2511	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.12-amd64-nightly-4.12-upgrade-from-stable-4.11-aws-ipi-disc-priv-f60

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Prucek]

/retest-required