Add OCP 4.22 to prow#81081
Walkthrough: This PR updates sandboxed-containers-operator CI wiring, adds a new Trustee install step and docs, and changes several release, mirroring, scheduling, and Prow configuration files.

Changes:
- Sandboxed containers Trustee CI flow
- Release, mirroring, and scheduling updates
- Prow policy and repo config updates
@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml`:
- Line 48: Update the KATA_RPM_VERSION value used by the 4.20 candidate config
so it points to the rhaos4.20 artifact tag instead of rhaos4.19. Locate the
KATA_RPM_VERSION setting in the downstream candidate YAML for the
sandboxed-containers operator and change the version string to the OCP
4.20-compatible RPM tag so get-kata-rpm resolves correctly for 4.20 builds.
In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml`:
- Line 48: The KATA_RPM_VERSION value is using the wrong OCP stream suffix for
the 4.21 downstream candidate config. Update the KATA_RPM_VERSION entries in
openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml to a
4.21-compatible build tag ending in rhaos4.21.el9, and make sure any replicated
occurrences of this version string are changed consistently.
Other changes:
- MUST_GATHER_ON_FAILURE_ONLY: "false" # so prow always runs kata must-gather
- INSTALL_KATA_RPM: true
- KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 # 4.19 -> 4.21
- KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 # 4.22

https://redhat.atlassian.net/browse/KATA-5459

Rehearsal success in openshift#80932

Signed-off-by: Tom Buskey <tbuskey@redhat.com>

Add note to README.md about restrict_network_access
/lgtm

New changes are detected. LGTM label has been removed.

@tbuskey, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:

/pj-rehearse list

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@tbuskey, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:

/pj-rehearse list

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@tbuskey, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-peerpods

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

/pj-rehearse list

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@tbuskey, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:
…AC repos (openshift#81073)

* OSAC-1770: require jira/valid-reference label for merge across all OSAC repos
  OSAC-1800: add Prow/Tide configuration for osac-workspace

  Add jira/valid-reference to the required Tide labels for all 9 existing OSAC repos, and add full Prow/Tide configuration for osac-workspace (which was previously missing). PRs must now have a valid Jira ticket (e.g. OSAC-1234: title) or explicitly say NO-ISSUE in the title to be mergeable.

  Assisted-by: Claude Code <noreply@anthropic.com>
  Signed-off-by: Eran Cohen <eranco@redhat.com>

* OSAC-1770: determinize prow config for label ordering

  Run `make prow-config` to sort labels alphabetically as required by the prow-config CI check.

  Assisted-by: Claude Code <noreply@anthropic.com>
  Signed-off-by: Eran Cohen <eranco@redhat.com>

---------

Signed-off-by: Eran Cohen <eranco@redhat.com>
…nshift#81026)

Add run_if_changed path filtering to the 8 module package PR image-mirror jobs so they only trigger when their respective package directory is modified, instead of running on every PR.

Mapping:
- odh-mod-arch-model-registry-pr-image-mirror: ^packages/model-registry/
- odh-mod-arch-gen-ai-pr-image-mirror: ^packages/gen-ai/
- odh-mod-arch-maas-pr-image-mirror: ^packages/maas/
- odh-mod-arch-mlflow-pr-image-mirror: ^packages/mlflow/
- odh-mod-arch-eval-hub-pr-image-mirror: ^packages/eval-hub/
- odh-mod-arch-automl-pr-image-mirror: ^packages/automl/
- odh-mod-arch-autorag-pr-image-mirror: ^packages/autorag/
- odh-mod-arch-agent-ops-pr-image-mirror: ^packages/agent-ops/

The main odh-dashboard-pr-image-mirror and all postsubmit jobs remain always_run: true.
…1084)

add prow plugin and tide configuration for the new ai-gateway-operator repository under opendatahub-io org.

- configure standard prow plugins (approve, lgtm, assign, trigger, etc.)
- configure external plugins (cherrypick, needs-rebase, jira-lifecycle, etc.)
- configure triggers with trusted_apps (openshift-merge-bot)
- set tide merge method to squash with standard label requirements
- restrict tide to main branch via includedBranches
- also add includedBranches to ai-gateway-payload-processing for consistency
- no ci-operator jobs at this stage, only prow wiring

Signed-off-by: Chaitanya Kulkarni <chkulkar@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
…penshift#80864)

* CNF-25270: Export LCA git coordinates to image-based remote scripts

  - Wire Prow PR metadata into ib-orchestrate-vm remote scripts so lifecycle-agent presubmits checkout the correct source during LCA deploy.

  Assisted-by: Cursor/auto
  AI-attribution: AIA,Primarily AI-generated,Human-initiated,Reviewed,Cursor/auto,v1.0
  For more information on AI attribution statements, see: https://aiattribution.github.io/

* CNF-25270: Update ibu scripts to use the correct branch for rehearsals

  - Previously, it was always checking out `main` branch for LCA, even for non-main rehearsals
  - Where possible, try to preferentially use the matching release version for rehearsals
…se branches (openshift#80970)

The upgrade test on release-4.{19,20,21,22} installs the HO from hypershift-operator-init before upgrading to the PR-built version. With tag:latest this pulls the HO from main, causing a downgrade instead of an upgrade.

Pin the tag to the release version and add a promotion target so each release branch publishes its HO image with a version-specific tag to the hypershift namespace.

Signed-off-by: Ahmed Abdalla <aabdelre@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Returning TPNU job to weekly as verified job for feature promotion has satisfied job runs. Keeping this as long-term with slack monitoring.
The two sanity jobs (cs-sanity-staging and cs-sanity-jira-staging) were missing cron fields, making them always_run presubmits. These jobs pull an external ocmci container and run ocmtest with zero dependency on rosa-e2e repo code, so running them on every PR is wasteful and blocks unrelated changes. Add cron schedules to make them periodics like the other 13 FVT jobs in this variant.
Signed-off-by: Steve Kuznetsov <stekuznetsov@microsoft.com>
…penshift#80601)

* Add Trustee operator installation step for Confidential Containers

  Add automated Trustee operator installation for sandboxed-containers-operator CoCo (Confidential Containers) tests using OLM and helm charts.

  Key Features:
  - OLM-based operator installation with comprehensive wait stages
  - Helm chart integration with pre-built container image
  - Works with restrict_network_access: true for rehearsals
  - KBS connectivity verification and resource validation
  - tools-with-helm custom image with oc, kubectl, helm, jq, skopeo, git

  Step Registry:
  - Created install-trustee-operator step in sandboxed-containers-operator
  - Added to sandboxed-containers-operator-pre chain before OSC installation
  - Runs for all *-ipi-coco test jobs when TRUSTEE_INSTALL="true"

  CI Configuration:
  - Added trustee-charts image (packages helm charts from confidential-devhub/charts)
  - Added tools-with-helm image based on cli with helm and required tools
  - Added cli to base_images for tools-with-helm dependency
  - Enabled Trustee installation for azure-ipi-coco, aro-ipi-coco, aws-ipi-coco
  - Set restrict_network_access: true for candidate421 aws-ipi-coco

  Technical Implementation:
  - FROM this-is-ignored with from: cli pattern for custom image builds
  - Wait stages: CatalogSource → Subscription → InstallPlan → CSV → Deployment → Pods
  - Generous 10-minute timeouts to avoid cluster rebuild waste
  - Discovers KBS endpoint and persists TRUSTEE_URL for CoCo tests
  - Generates INITDATA artifacts and patches osc-config ConfigMap
  - Verifies connectivity with kbs-client pod testing resource retrieval

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fix Trustee catalog configuration and remove unused env vars

  - Remove TRUSTEE_CATALOG_SOURCE_NAME (helm chart hardcodes catalog name)
  - Fix dev.enabled bug: explicitly control based on custom image presence
  - Remove invalid helm '--set catalogSource.name' parameter
  - Add tools-with-helm image to all downstream-release config
  - Document catalog source configuration and image tag strategies

  Implementation is tag-agnostic for future flexibility switching to :latest.

  Signed-off-by: Tom Buskey <tbuskey@redhat.com>

---------

Signed-off-by: Tom Buskey <tbuskey@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
…penshift#81098) Whitelist MutatingWebhookConfiguration, RuntimeClass, and PriorityClass so ci-scheduling-webhook manifests can sync on core-ci via Argo CD.
@tbuskey, Interacting with pj-rehearse. Comment: Once you are satisfied with the results of the rehearsals, comment:

@tbuskey: all tests passed! Full PR test history. Your PR dashboard.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml`:
- Around line 21-26: The helper image definition is still using moving targets,
so update the dockerfile_literal blocks to use immutable references instead of
registry.access.redhat.com/ubi9/ubi-minimal:latest and the
confidential-devhub/charts main branch. Pin the base image in the helper image
setup and replace the git clone revision in the chart fetch step with a fixed
commit, tag, or release reference in all duplicated variant blocks (for example,
the downstream candidate and any copied 4.17/4.18/4.19/default definitions).
Keep the change consistent across the shared helper image configuration so the
same inputs are used everywhere.
In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml`:
- Around line 21-26: The image build in the dockerfile_literal block is cloning
confidential-devhub/charts from main, which makes the CI input non-reproducible.
Update the git clone step to use a reviewed tag or specific commit instead of
the moving branch, so future rebuilds always use the same charts revision. Keep
the change within the dockerfile_literal content used by this downstream-release
config.
In
`@ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh`:
- Around line 103-118: The lifecycle-agent branch selection in the seed-create
script is defaulting release jobs to main, which can check out the wrong branch.
Update the LCA_GIT_BRANCH derivation in
openshift-image-based-upgrade-seed-create-commands.sh so it reads the
lifecycle-agent base ref from JOB_SPEC refs.extra_refs[].base_ref (or equivalent
refs.base_ref data) before falling back, and only use main as the last resort;
keep the existing lifecycle-agent-release-* and lifecycle-agent-main-* handling
in the same branch-selection block.
In
`@ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh`:
- Around line 169-185: The git-clone fallback currently returns the repo root
path in charts_dir, but the render helpers expect the nested charts directory
inside the cloned repo. Update the fallback in the trustee charts fetch flow to
point to the cloned repo’s charts/ subdirectory before echoing the path, so the
later chart lookups for trustee-operator and trustee-operands resolve correctly.
Apply the same path adjustment anywhere this fallback result is consumed, using
the existing charts_dir handling and TRUSTEE_CHARTS_REPO/REF flow.
- Around line 334-377: The all-CatalogSources readiness loop in the trustee
install script is too broad and blocks on unrelated marketplace health. Update
the waiting logic in the sandboxed-containers-operator install-trustee flow to
check only the CatalogSources this install actually depends on, using the
existing readiness polling structure and the CatalogSource lookup/logging code.
Keep the wait, progress, and failure reporting behavior, but scope the `oc get
catalogsource` query and readiness count to the required sources instead of
every catalog in openshift-marketplace.
In
`@ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml`:
- Around line 59-60: Update the step documentation text in the
sandboxed-containers-operator install-trustee-operator reference so it no longer
claims Helm is unnecessary; the current wording conflicts with the install logic
that checks for helm and constructs Helm args. Rephrase the note to say the step
avoids runtime chart fetches by using pre-rendered manifests and sed-based
substitution, while still relying on helm for installation, and keep the message
aligned with the install step’s behavior.
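A scoped CatalogSource readiness check of the kind the review comment on the install-trustee-operator script asks for, as an added example (not code from the openshift/release PR or the step itself): it consumes the same `name=state` lines the step builds from `oc get catalogsource`, but the `oc` call is replaced by a constructed sample and a pluggable fetch function, and all function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the openshift/release PR or the install-trustee-operator step.
# Waits only for the CatalogSources an install depends on, and keeps an oc/API failure
# distinct from "no catalogs yet" instead of masking it with `2>/dev/null || echo ""`.

# Constructed sample of the step's jsonpath output ("<name>=<lastObservedState>" per line);
# names and states are made up for the demo.
SAMPLE_CATALOG_STATES='certified-operators=READY
community-operators=TRANSIENT_FAILURE
redhat-marketplace=READY
redhat-operators=READY
trustee-catalog='

# required_catalogs_ready "<name=state lines>" <required-name>...
# Returns 0 only when every required CatalogSource reports READY. Offenders are
# logged to stderr so progress output stays off stdout (the step returns values there).
required_catalogs_ready() {
    local states="$1"
    shift
    local rc=0 name found state n s
    for name in "$@"; do
        found=0
        state=""
        while IFS='=' read -r n s; do
            if [ "$n" = "$name" ]; then
                found=1
                state="$s"
                break
            fi
        done <<EOF
$states
EOF
        if [ "$found" -eq 0 ]; then
            echo ">>> CatalogSource ${name}: not found in openshift-marketplace" >&2
            rc=1
        elif [ "$state" != "READY" ]; then
            echo ">>> CatalogSource ${name}: ${state:-<no state reported yet>}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# wait_for_required_catalogs <fetch-fn> <attempts> <sleep-seconds> <required-name>...
# <fetch-fn> prints the name=state lines; in the real step it would wrap the oc call.
# A non-zero exit from the fetch is reported as a listing failure, not treated as an
# empty catalog list, so a broken API connection does not silently burn the whole timeout.
wait_for_required_catalogs() {
    local fetch="$1" attempts="$2" delay="$3"
    shift 3
    local i=1 states
    while [ "$i" -le "$attempts" ]; do
        if ! states=$("$fetch"); then
            echo ">>> WARNING: listing CatalogSources failed (attempt ${i}/${attempts})" >&2
        elif required_catalogs_ready "$states" "$@"; then
            echo ">>> Required CatalogSources READY after ${i} attempt(s)" >&2
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo ">>> ERROR: required CatalogSources not READY after ${attempts} attempts" >&2
    return 1
}

# Demo on the constructed sample: redhat-operators and certified-operators are READY,
# so this succeeds even though community-operators is in TRANSIENT_FAILURE.
sample_fetch() { printf '%s\n' "$SAMPLE_CATALOG_STATES"; }
wait_for_required_catalogs sample_fetch 1 0 redhat-operators certified-operators
```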
| - dockerfile_literal: | | ||
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| RUN microdnf install -y git tar gzip && microdnf clean all | ||
| RUN git clone --depth 1 --branch main \ | ||
| https://github.com/confidential-devhub/charts /charts && \ | ||
| rm -rf /charts/.git |
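Review bot: the `rm -rf /charts/.git` on the last line discards the only record of which confidential-devhub/charts commit the image contains, while `--branch main` and `ubi-minimal:latest` on the lines above mean that content changes on every rebuild. Before deleting `.git`, capture the revision, e.g. `RUN git -C /charts rev-parse HEAD > /charts/CHARTS_COMMIT`, so a failing candidate job can be traced to a chart revision; pinning `--branch` to a tag or commit and the base image to a digest removes the drift entirely.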
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Pin the helper image inputs to immutable versions.
ubi-minimal:latest and cloning confidential-devhub/charts from main make these candidate jobs non-reproducible, so an upstream change can silently alter or break the 4.17/4.18/4.19/default variants without any corresponding change here. Please pin the base image and charts revision to immutable values in all copied blocks.
| - dockerfile_literal: | | ||
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| RUN microdnf install -y git tar gzip && microdnf clean all | ||
| RUN git clone --depth 1 --branch main \ | ||
| https://github.com/confidential-devhub/charts /charts && \ | ||
| rm -rf /charts/.git |
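Review bot: this `dockerfile_literal` is byte-identical to the one in the downstream-candidate config, and ci-operator config files have no include mechanism, so whatever revision gets pinned in `git clone --depth 1 --branch main` must be updated in lockstep in both files. Recording the resolved commit in the image (before the `rm -rf /charts/.git`) at least makes the two trustee-charts images comparable when a release job and a candidate job disagree.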
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Pin the Trustee charts revision.
Line 24 pulls confidential-devhub/charts from main, so any future rebuild can silently pick up unrelated upstream chart changes and start failing without a matching PR here. Please switch this image build to a reviewed tag or commit so the CI input stays reproducible.
| if [[ "${REPO_OWNER}/${REPO_NAME}" == "openshift-kni/lifecycle-agent" ]]; then | ||
| CI_LCA_GIT_REF="${PULL_PULL_SHA:-}" | ||
| CI_LCA_GIT_PULL="${PULL_NUMBER:-}" | ||
| LCA_GIT_BRANCH="${PULL_BASE_REF:-${LCA_GIT_BRANCH:-}}" | ||
| elif [[ "${JOB_NAME}" == rehearse-* ]] && [[ "${JOB_NAME}" == *lifecycle-agent* ]]; then | ||
| LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r '[.extra_refs[]? | select(.org == "openshift-kni" and .repo == "lifecycle-agent") | .base_ref][0] // empty')" | ||
| if [[ -z "${LCA_GIT_BRANCH}" ]]; then | ||
| if [[ "${JOB_NAME}" =~ lifecycle-agent-release-([0-9]+\.[0-9]+) ]]; then | ||
| LCA_GIT_BRANCH="release-${BASH_REMATCH[1]}" | ||
| elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then | ||
| LCA_GIT_BRANCH="main" | ||
| else | ||
| LCA_GIT_BRANCH="main" | ||
| fi | ||
| fi | ||
| fi |
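Review bot: the `elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]` branch and the trailing `else` both set `LCA_GIT_BRANCH="main"`, so the `elif` is dead code and can be dropped. The larger gap is that the `JOB_SPEC`/`jq` lookup only runs for `rehearse-*` job names: a non-rehearsal lifecycle-agent periodic has no `PULL_BASE_REF` and no `rehearse-` prefix, so it enters neither branch and keeps whatever `LCA_GIT_BRANCH` held before. Move the `jq` lookup out of the rehearsal condition so `extra_refs[].base_ref` is consulted for every job, then fall back to the `lifecycle-agent-release-([0-9]+\.[0-9]+)` match, and only last to `main`.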
🎯 Functional Correctness | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== step consumers =="
rg -n -C2 'openshift-image-based-upgrade-(seed-create|target)' ci-operator/config
echo
echo "== branch sources already used in related scripts =="
rg -n -C2 'PULL_BASE_REF|refs\.base_ref|JOB_SPEC' ci-operator/step-registry/openshift/image-based/upgrade
echo
echo "== lifecycle-agent jobs in CI config =="
rg -n -C2 'openshift-kni.*lifecycle-agent|lifecycle-agent.*release-[0-9]+\.[0-9]+' ci-operator/config
Repository: openshift/release
Length of output: 36238
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== relevant script context =="
sed -n '90,140p' ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh
echo
echo "== matching logic in target step =="
sed -n '30,60p' ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh
echo
echo "== where LCA_GIT_BRANCH is set in repo configs =="
rg -n 'LCA_GIT_BRANCH|CI_LCA_GIT_REF|CI_LCA_GIT_PULL|PULL_BASE_REF|base_ref' ci-operator/config/openshift-kni/lifecycle-agent
echo
echo "== references to JOB_SPEC.refs.base_ref in the repo =="
rg -n 'JOB_SPEC.*refs\.base_ref|refs\.base_ref' ci-operator/step-registry ci-operator/config
Repository: openshift/release
Length of output: 3706
Don't default lifecycle-agent release jobs to main.
LCA_GIT_BRANCH is only seeded from PULL_BASE_REF here, and release periodic jobs under ci-operator/config/openshift-kni/lifecycle-agent/* won't have that value, so the export at line 133 falls back to main and checks out the wrong branch. Use JOB_SPEC/refs.base_ref before the final fallback.
| # Option 2: Fallback to git clone (requires restrict_network_access: false) | ||
| echo ">>> Fetching trustee charts from GitHub: ${TRUSTEE_CHARTS_REPO} (ref: ${TRUSTEE_CHARTS_REF})" >&2 | ||
|
|
||
| if ! command -v git &> /dev/null; then | ||
| echo ">>> ERROR: git command not found" >&2 | ||
| return 1 | ||
| fi | ||
|
|
||
| git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}" | ||
|
|
||
| if [[ ! -d "${charts_dir}" ]]; then | ||
| echo ">>> ERROR: Failed to clone charts repository" >&2 | ||
| return 1 | ||
| fi | ||
|
|
||
| echo ">>> Charts cloned from GitHub" >&2 | ||
| echo "${charts_dir}" |
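Review bot: the `git clone` exit status is never checked directly; the `[[ ! -d "${charts_dir}" ]]` test that follows only detects a missing directory, so if `${charts_dir}` already exists (for example left over from the extract attempt this fallback follows) a failed clone goes unnoticed and the function still echoes the path to its caller. Write it as `if ! git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}"; then ...; return 1; fi`, and since the comment on the first line notes this path needs `restrict_network_access: false`, say so in the error message, as a network-restricted rehearsal landing here will otherwise fail with an opaque clone error.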
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Return the nested charts/ directory from the git-clone fallback.
The fallback clones the repo root and returns ${charts_dir}, but both render helpers expect ${charts_dir}/trustee-operator and ${charts_dir}/trustee-operands. With the documented repo layout (charts/<chart>), any run that misses IMAGE_TRUSTEE_CHARTS or falls back after a failed extract will fail later with “chart not found”.
Proposed fix
git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}"
if [[ ! -d "${charts_dir}" ]]; then
echo ">>> ERROR: Failed to clone charts repository" >&2
return 1
fi
+ local repo_charts_dir="${charts_dir}/charts"
+ if [[ ! -d "${repo_charts_dir}/trustee-operator" ]] || [[ ! -d "${repo_charts_dir}/trustee-operands" ]]; then
+ echo ">>> ERROR: Expected charts under ${repo_charts_dir}" >&2
+ return 1
+ fi
+
echo ">>> Charts cloned from GitHub" >&2
- echo "${charts_dir}"
+ echo "${repo_charts_dir}"
}Also applies to: 221-223, 271-272
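Review bot: The proposed fix still detects a failed clone only through `[[ ! -d "${charts_dir}" ]]`; git normally removes the target on failure, but a pre-existing or partially populated `${charts_dir}` passes that test with nothing usable inside. Test the command's status directly, e.g. `if ! git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}"; then echo ">>> ERROR: Failed to clone charts repository" >&2; return 1; fi`, and keep the new `repo_charts_dir` layout checks after it.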
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh`
around lines 169 - 185, The git-clone fallback currently returns the repo root
path in charts_dir, but the render helpers expect the nested charts directory
inside the cloned repo. Update the fallback in the trustee charts fetch flow to
point to the cloned repo’s charts/ subdirectory before echoing the path, so the
later chart lookups for trustee-operator and trustee-operands resolve correctly.
Apply the same path adjustment anywhere this fallback result is consumed, using
the existing charts_dir handling and TRUSTEE_CHARTS_REPO/REF flow.
| # Stage 0: Wait for ALL CatalogSources to be READY (600s / 10 minutes) | ||
| # This prevents Subscription failures due to missing/unavailable catalogs | ||
| echo ">>> Waiting for all CatalogSources to be READY..." | ||
| local all_catalogs_ready=false | ||
| for i in {1..120}; do | ||
| # Get all catalogs and their states | ||
| local catalog_states | ||
| catalog_states=$(oc get catalogsource -n openshift-marketplace -o jsonpath='{range .items[*]}{.metadata.name}={.status.connectionState.lastObservedState}{"\n"}{end}' 2>/dev/null || echo "") | ||
|
|
||
| if [[ -z "${catalog_states}" ]]; then | ||
| echo ">>> WARNING: Unable to get catalog states (attempt ${i}/120)" | ||
| [[ ${i} -lt 120 ]] && sleep 5 | ||
| continue | ||
| fi | ||
|
|
||
| # Count total vs ready catalogs | ||
| local total_catalogs | ||
| total_catalogs=$(echo "${catalog_states}" | wc -l) | ||
| local ready_catalogs | ||
| ready_catalogs=$(echo "${catalog_states}" | grep -c "=READY" || echo "0") | ||
|
|
||
| if [[ ${ready_catalogs} -eq ${total_catalogs} && ${ready_catalogs} -gt 0 ]]; then | ||
| echo ">>> All CatalogSources are READY (${ready_catalogs}/${total_catalogs})" | ||
| all_catalogs_ready=true | ||
| break | ||
| fi | ||
|
|
||
| # Show progress every 6 iterations (30 seconds) | ||
| if [[ $((i % 6)) -eq 0 ]]; then | ||
| echo ">>> CatalogSources ready: ${ready_catalogs}/${total_catalogs} (checking ${i}/120, $((i*5))s elapsed)..." | ||
| echo "${catalog_states}" | grep -v "=READY" | head -5 || true | ||
| fi | ||
|
|
||
| [[ ${i} -lt 120 ]] && sleep 5 | ||
| done | ||
|
|
||
| if [[ "${all_catalogs_ready}" != "true" ]]; then | ||
| echo ">>> ERROR: Not all CatalogSources are READY after 600s" | ||
| echo ">>> Current CatalogSource states:" | ||
| oc get catalogsource -n openshift-marketplace -o custom-columns=NAME:.metadata.name,STATE:.status.connectionState.lastObservedState || true | ||
| echo ">>> CatalogSource pods:" | ||
| oc get pods -n openshift-marketplace || true | ||
| return 1 | ||
| fi |
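Review bot: `ready_catalogs=$(echo "${catalog_states}" | grep -c "=READY" || echo "0")` produces two lines when no catalog is READY: `grep -c` already prints `0` and exits 1, so `|| echo "0"` appends a second `0` and the later `-eq` comparison gets a malformed operand instead of a clean "0 ready" iteration. Use `grep -c "=READY" || true` there. Also worth a comment: a catalog whose `lastObservedState` is still empty prints as `name=` and counts toward `total_catalogs` but never `ready_catalogs`, which is what makes a freshly created CatalogSource hold the loop.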
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Wait only on the CatalogSources this install actually needs.
Failing the step until every CatalogSource in openshift-marketplace is READY makes Trustee installation depend on unrelated marketplace health. A single degraded third-party catalog will deadlock this step even when redhat-operators and the Trustee catalog are fine.
Suggested direction
- # Stage 0: Wait for ALL CatalogSources to be READY (600s / 10 minutes)
- # This prevents Subscription failures due to missing/unavailable catalogs
- echo ">>> Waiting for all CatalogSources to be READY..."
+ # Stage 0: Wait only for the CatalogSources this install depends on.
+ echo ">>> Waiting for required CatalogSources to be READY..."
+ local required_catalogs=("redhat-operators")
+ [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]] && required_catalogs+=("trustee-operator-dev-catalog")
+
+ for catalog in "${required_catalogs[@]}"; do
+ if ! wait_until "CatalogSource ${catalog} READY" 600 5 \
+ "[[ \"\$(oc get catalogsource -n openshift-marketplace '${catalog}' -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null)\" == \"READY\" ]]"; then
+ oc get catalogsource -n openshift-marketplace "${catalog}" -o yaml || true
+ return 1
+ fi
+ done📝 Committable suggestion
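Review bot: The suggested loop interpolates `${catalog}` into a command string that `wait_until` evaluates later (single quotes inside a double-quoted string), so it is only safe while `required_catalogs` stays a fixed list built in the script; a name taken from a free-form environment variable should not be placed into that string. The helper signature assumed here (`wait_until <description> <timeout> <interval> <command>`) also has to exist in the script, and the literal names `redhat-operators` and `trustee-operator-dev-catalog` should come from the same variables the Subscription and CatalogSource manifests use, rather than being repeated as strings.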
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh`
around lines 334 - 377, The all-CatalogSources readiness loop in the trustee
install script is too broad and blocks on unrelated marketplace health. Update
the waiting logic in the sandboxed-containers-operator install-trustee flow to
check only the CatalogSources this install actually depends on, using the
existing readiness polling structure and the CatalogSource lookup/logging code.
Keep the wait, progress, and failure reporting behavior, but scope the `oc get
catalogsource` query and readiness count to the required sources instead of
every catalog in openshift-marketplace.
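To make the scoped readiness check from the comment above concrete, here is an added example (not code from the PR or the step registry) that evaluates the `name=STATE` lines the install script's jsonpath query prints, restricted to a caller-supplied list of required catalogs. The sample output, the catalog names and states, and the helper names are constructed for this example; it needs no cluster.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: evaluate CatalogSource readiness from the
# "name=STATE" lines that the install script's jsonpath query prints, but scoped
# to a caller-supplied list of required catalogs instead of every catalog.

# Constructed sample of the `oc get catalogsource ... -o jsonpath=...` output;
# the names and states here are illustrative, not captured from a cluster.
SAMPLE_CATALOG_STATES='certified-operators=TRANSIENT_FAILURE
community-operators=READY
redhat-operators=READY
trustee-operator-dev-catalog=READY'

# Look up one catalog's state by exact name (empty string if the catalog is absent).
catalog_state() {
  printf '%s\n' "$1" | awk -F= -v n="$2" '$1 == n { print $2; exit }'
}

# Print "<ready>/<required>" for the named catalogs. Exact-line matching with
# grep -Fxq avoids a substring hit on a longer catalog name and the
# `grep -c ... || echo 0` pitfall, which prints "0" twice when nothing matches.
count_ready() {
  local states="$1"; shift
  local ready=0 required=0 name
  for name in "$@"; do
    required=$((required + 1))
    if printf '%s\n' "${states}" | grep -Fxq "${name}=READY"; then
      ready=$((ready + 1))
    fi
  done
  printf '%s/%s\n' "${ready}" "${required}"
}

# List the required catalogs that are not READY, one "name=STATE" per line,
# so a progress or failure message shows only what actually blocks the install.
not_ready() {
  local states="$1"; shift
  local name state
  for name in "$@"; do
    state="$(catalog_state "${states}" "${name}")"
    [ "${state}" = "READY" ] || printf '%s=%s\n' "${name}" "${state}"
  done
}

# Succeed only when every required catalog is READY (and at least one was named).
all_required_ready() {
  local states="$1"; shift
  local result
  result="$(count_ready "${states}" "$@")"
  [ "${result%/*}" -gt 0 ] && [ "${result%/*}" -eq "${result#*/}" ]
}
```

In the step, `all_required_ready` would replace the `ready_catalogs -eq total_catalogs` test inside the existing polling loop, and `not_ready` would feed the progress and failure messages.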
| NO NETWORK ACCESS REQUIRED: This step uses pre-rendered manifests with runtime variable | ||
| substitution via sed, eliminating the need for helm or git. Works with restrict_network_access: true. |
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Correct the Helm requirement in the step docs.
These lines say the step eliminates the need for Helm, but the script explicitly exits when helm is missing and builds Helm arguments during install. Please reword this to say the step avoids runtime chart fetches, not that Helm is unnecessary.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml`
around lines 59 - 60, Update the step documentation text in the
sandboxed-containers-operator install-trustee-operator reference so it no longer
claims Helm is unnecessary; the current wording conflicts with the install logic
that checks for helm and constructs Helm args. Rephrase the note to say the step
avoids runtime chart fetches by using pre-rendered manifests and sed-based
substitution, while still relying on helm for installation, and keep the message
aligned with the install step’s behavior.
PR needs rebase.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Moved to #81141 |
Other changes:
KATA-5459
Previous PR rehearsal success
Summary by CodeRabbit
- Expanded `ci-operator/config/openshift/sandboxed-containers-operator` downstream Prow configuration to add OCP 4.22 and adjust kata e2e job runtime behavior:
  - In `openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml` and `...__downstream-candidate420.yaml`, kata must-gather on failures only is now disabled (`MUST_GATHER_ON_FAILURE_ONLY: "false"`) and kata RPM installation is enabled (`INSTALL_KATA_RPM: "true"`) with `KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9` (while `MUST_GATHER_IMAGE` is unchanged).
  - In `...__downstream-candidate422.yaml`, the same must-gather behavior is applied (`MUST_GATHER_ON_FAILURE_ONLY: "false"`, `INSTALL_KATA_RPM: "true"`) with `KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9` (keeping `MUST_GATHER_IMAGE` unchanged).
  - For `*-coco` variants, the job environment is updated to install Trustee (`TRUSTEE_INSTALL: "true"`) and pin the Trustee catalog source image (`TRUSTEE_CATALOG_SOURCE_IMAGE`).
- Also updated `ci-operator/step-registry/sandboxed-containers-operator/README.md` with guidance for Konflux prowjobs' `restrict_network_access` behavior (including how it should be handled around `/pj-rehearse`).