diff --git a/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml b/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml index 76c5b289766bf..47299654d255c 100644 --- a/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml +++ b/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml @@ -70,6 +70,7 @@ tests: IMAGE_REPO: odh-dashboard workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-model-registry-pr-image-mirror + run_if_changed: ^packages/model-registry/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-model-registry-image @@ -86,6 +87,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-gen-ai-pr-image-mirror + run_if_changed: ^packages/gen-ai/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-gen-ai-image @@ -102,6 +104,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-maas-pr-image-mirror + run_if_changed: ^packages/maas/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-maas-image @@ -118,6 +121,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-mlflow-pr-image-mirror + run_if_changed: ^packages/mlflow/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-mlflow-image @@ -134,6 +138,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-eval-hub-pr-image-mirror + run_if_changed: ^packages/eval-hub/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-eval-hub-image @@ -150,6 +155,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-automl-pr-image-mirror + run_if_changed: ^packages/automl/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-automl-image 
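Review bot: `run_if_changed: ^packages/model-registry/` on `odh-mod-arch-model-registry-pr-image-mirror` triggers the mirror only when a file under that one package directory changes. If the `odh-mod-arch-model-registry-image` build also takes inputs from outside it, a PR touching only those inputs would no longer produce a mirrored PR image. Such inputs might be a shared Dockerfile, a root lockfile or a common package; the build definition is not visible here, so this is a question rather than a confirmed gap. If that applies, widen the pattern, e.g. `run_if_changed: ^(packages/model-registry/|<SHARED_BUILD_INPUT_PATHS>)`. The same holds for the gen-ai, maas, mlflow, eval-hub, automl, autorag and agent-ops jobs in the following hunks.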
@@ -166,6 +172,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-autorag-pr-image-mirror + run_if_changed: ^packages/autorag/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-autorag-image @@ -182,6 +189,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-agent-ops-pr-image-mirror + run_if_changed: ^packages/agent-ops/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-agent-ops-image diff --git a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml index 86eaaa3a298d6..73ad11a01f799 100644 --- a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml +++ b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml @@ -233,6 +233,7 @@ tests: - as: ocm-fvt-periodic-cs-sanity-staging-main capabilities: - nested-podman + cron: 0 0 31 2 * nested_podman: true steps: allow_best_effort_post_steps: true @@ -248,6 +249,7 @@ tests: - as: ocm-fvt-periodic-cs-sanity-jira-staging-main capabilities: - nested-podman + cron: 0 0 31 2 * nested_podman: true steps: allow_best_effort_post_steps: true diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml index 20a1e1a589e46..5d3e68d095ece 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.19" hypershift-tests: name: hypershift-tests namespace: hypershift 
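Review bot: `cron: 0 0 31 2 *` on `ocm-fvt-periodic-cs-sanity-staging-main` names 31 February, a date that never occurs, so the job will never fire on schedule. The next hunk does the same for `ocm-fvt-periodic-cs-sanity-jira-staging-main`. Nothing in the config says this is deliberate, so a reader can easily assume the staging sanity checks are still running. Record the intent next to the field, for example `# 31 Feb never occurs: schedule disabled on purpose, job is triggered manually`. If the config normaliser strips comments, put the explanation in the commit message and say how the job is expected to be triggered.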
diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml index b6fb60c4ad1f2..de915a67ca9f5 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.20" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml index 0457de796b8c9..348fd0474448b 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.21" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml index 7cfabea6c86ba..6e699710bb606 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.22" hypershift-tests: name: hypershift-tests namespace: hypershift 
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml index 1eb8b1329453d..d20fd476b594f 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.19" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -30,6 +30,12 @@ promotion: to: - name: "4.19" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.19" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml index 0351f84047300..5131feeee0144 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.20" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -35,6 +35,12 @@ promotion: to: - name: "4.20" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.20" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml index 5ae3c15c68d63..496b17ac956eb 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml 
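Review bot: The new `promotion.to` entry in `openshift-hypershift-release-4.19.yaml` publishes `hypershift-operator` to `hypershift` with `tag: "4.19"`. The first hunk of the same file makes `hypershift-operator-init` consume that tag, which creates an ordering dependency. The tag exists only after a promotion job has completed, so if `hypershift/hypershift-operator:4.19` is not seeded beforehand, the first jobs that import this base image cannot resolve it; this needs confirming before merge. The 4.20, 4.21 and 4.22 configs have the same shape. The `openshift-priv` variants switch to the same tags, but no promotion stanza for them is visible in this diff, so they appear to depend on the public repo's promotion. Moving off `latest` is the right direction; please say in the commit message how the per-release tags are bootstrapped.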
@@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.21" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -38,6 +38,12 @@ promotion: - hypershift-tests name: "4.21" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.21" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml index d321cf02c2e7b..b71c3d68bcaba 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.22" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -33,6 +33,12 @@ promotion: - hypershift-operator name: "4.22" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.22" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml index 14e75ee1c14b8..d7c40f45c9bb4 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml @@ -187,7 +187,7 @@ tests: - chain: hypershift-conformance workflow: hypershift-aws-conformance - as: e2e-aws-ovn-conformance-techpreview - interval: 6h + cron: '@weekly' reporter_config: channel: '#forum-ocp-splat-alerts-aws' job_states_to_report: 
diff --git a/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml b/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml index 716bd11ae5b5a..75ad3116faa35 100644 --- a/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml +++ b/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml @@ -6,7 +6,7 @@ base_images: go_builder: name: builder namespace: ocp - tag: rhel-9-golang-1.24-openshift-4.23 + tag: rhel-9-golang-1.26-openshift-4.23 loki: name: loki namespace: logging @@ -23,7 +23,7 @@ build_root: image_stream_tag: name: builder namespace: ocp - tag: rhel-9-golang-1.24-openshift-4.23 + tag: rhel-9-golang-1.26-openshift-4.23 use_build_cache: true images: items: @@ -33,7 +33,7 @@ images: inputs: go_builder: as: - - golang:1.24.4 + - golang:1.26.3 to: loki-operator - dockerfile_literal: | FROM registry.redhat.io/ubi9/go-toolset:latest diff --git a/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml b/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml new file mode 100644 index 0000000000000..96717db0886d9 --- /dev/null +++ b/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml 
@@ -0,0 +1,51 @@ +base_images: + base: + name: "4.21" + namespace: ocp + tag: base-rhel9 +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.26-openshift-4.23 +images: + items: + - additional_architectures: + - arm64 + dockerfile_path: Dockerfile.ocp + from: base + to: loki + - additional_architectures: + - arm64 + dockerfile_path: Dockerfile.promtail.ocp + from: base + to: promtail +promotion: + to: + - namespace: logging + tag: v3.6.12 +releases: + latest: + release: + channel: stable + version: "4.21" +resources: + '*': + requests: + cpu: 100m + memory: 200Mi +tests: +- as: test + steps: + test: + - as: unit + commands: GOFLAGS="" make test + from: src + resources: + requests: + cpu: 100m + memory: 200Mi +zz_generated_metadata: + branch: upstream-v3.6.12 + org: openshift + repo: loki diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 7573a7135610d..9c8acde398dd5 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -127,6 +157,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -204,6 +236,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -278,6 +312,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws 
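Review bot: Both new `dockerfile_literal` builds fetch content that is neither pinned nor verified. `trustee-charts` clones `--branch main` of `https://github.com/confidential-devhub/charts`, so the charts can differ between runs and any push to that branch reaches the test cluster unreviewed. `tools-with-helm` pipes `curl -sL …helm-v3.14.0-linux-amd64.tar.gz` straight into `tar` and installs the binary as root with no checksum, and without `-f` an HTTP error body is passed to `tar` as well. Pin the clone to a reviewed commit and verify the Helm archive against a digest recorded in the config, as sketched below with placeholders, and confirm v3.14.0 is still the release you want. `ubi-minimal:latest` is also a floating tag. The same block is repeated in the downstream-candidate417, 418, 419, 420 and 421 configs.

```yaml
  - dockerfile_literal: |
      # … unchanged: FROM ubi-minimal, microdnf install …
      # Pin the chart source to a reviewed commit rather than the moving main branch.
      RUN git clone https://github.com/confidential-devhub/charts /charts && \
          git -C /charts checkout <REVIEWED_COMMIT_SHA> && \
          rm -rf /charts/.git
    to: trustee-charts
  - dockerfile_literal: |
      # … unchanged: FROM, USER root, dnf install …
      # Download to a file, verify the digest, and only then unpack.
      RUN curl -fsSLo /tmp/helm.tar.gz https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz && \
          echo "<EXPECTED_SHA256>  /tmp/helm.tar.gz" | sha256sum -c - && \
          tar -xzf /tmp/helm.tar.gz -C /tmp && \
          mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
          rm -rf /tmp/helm.tar.gz /tmp/linux-amd64 && \
          chmod +x /usr/local/bin/helm && \
          helm version
      # … unchanged: USER 1000 …
```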
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index eed240831f6ec..1011ef29ef777 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.17" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci @@ -7,6 +11,32 @@ base_images: name: "4.17" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure 
@@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index af5f346bee912..eec734a110464 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.18" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.18" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws 
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 6ebb5e7e369df..c3ebfdd1e8438 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci @@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: 
@@ -44,10 +74,10 @@ tests: CUSTOM_AZURE_REGION: eastus ENABLE_MUST_GATHER: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA @@ -80,10 +110,10 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& @@ -118,16 +148,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure 
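Review bot: `MUST_GATHER_ON_FAILURE_ONLY: "false"` makes every run collect a must-gather, including passing ones, and the collector is the floating `osc-must-gather-rhel9:latest` image. This looks like a debugging setting that rode along with the Kata RPM change. It increases how much cluster state ends up in job artifacts, so check who can read those artifacts before keeping it. If it is intentional, say so in the commit message; otherwise restore `MUST_GATHER_ON_FAILURE_ONLY: "true"`. The flag is flipped in every job hunk of this file and again in the downstream-candidate420 config.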
@@ -156,11 +188,11 @@ tests: ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& @@ -195,17 +227,19 @@ tests: ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -233,10 +267,10 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
@@ -270,16 +304,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index 7c4604c457c01..71c130a4f2d3d 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.20" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.20" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -44,10 +74,10 @@ tests: CUSTOM_AZURE_REGION: eastus ENABLE_MUST_GATHER: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA @@ -80,10 +110,10 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
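Review bot: `KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9` in the downstream-candidate420 config selects an `rhaos4.19` build, while this file's base images are `name: "4.20"`. The candidate421 config previously used `3.25.0-2.rhaos4.21.el9`, which suggests the suffix is meant to follow the OCP release, so this may be a copy from the candidate419 file. If a 4.20 build exists, use it. If the 4.19 build is installed on 4.20 on purpose, note that next to the value, because the job would otherwise report results for a package that does not match the release under test. The same value appears in the remaining job hunks of this file.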
@@ -118,16 +148,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -156,11 +188,11 @@ tests: ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
@@ -195,17 +227,19 @@ tests: ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -233,10 +267,10 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
@@ -270,16 +304,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: "false" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index b86e51f6c2ca5..cc5f2e938e602 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.21" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.21" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -80,8 +110,8 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro 
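Review bot: The `tools-with-helm` image pipes `curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz` straight into `tar xz`, so the binary that lands in `/usr/local/bin/helm` is never compared with a known checksum. Without `-f`, an HTTP error body is also handed to tar instead of failing the download itself. In the same hunk the `trustee-charts` image clones `--branch main` of `confidential-devhub/charts` on top of `ubi-minimal:latest`, so the chart content follows whatever that branch holds at build time; a tag or commit would make the image reproducible. The identical `images` stanza is added to the `downstream-release` config later in this diff. A checksum-verified download could look like the lines below, with the published SHA-256 of the release archive in place of the placeholder.

```yaml
  - dockerfile_literal: |
      # … unchanged: FROM this-is-ignored, USER root, dnf install …
      # Fail on HTTP errors and verify the archive before unpacking it.
      RUN curl -fsSL -o /tmp/helm.tar.gz https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz && \
          echo "<HELM_TARBALL_SHA256_PLACEHOLDER>  /tmp/helm.tar.gz" | sha256sum -c - && \
          tar xzf /tmp/helm.tar.gz -C /tmp && \
          mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
          rm -rf /tmp/linux-amd64 /tmp/helm.tar.gz && \
          chmod +x /usr/local/bin/helm && \
          helm version
      # … unchanged: USER 1000 …
```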
@@ -260,7 +294,7 @@ tests: report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} <{{.Status.URL}}|View logs>' - restrict_network_access: false + restrict_network_access: true steps: cluster_profile: aws-sandboxed-containers-operator env: @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml new file mode 100644 index 0000000000000..1c999bf34b9f2 --- /dev/null +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml 
@@ -0,0 +1,291 @@ +base_images: + tests-private: + name: tests-private + namespace: ci + tag: "4.22" + upi-installer: + name: "4.22" + namespace: ocp + tag: upi-installer +prowgen: + disable_sparse_checkout: true +releases: + latest: + release: + architecture: amd64 + channel: fast + version: "4.22" +resources: + '*': + requests: + cpu: 100m + memory: 200Mi +tests: +- as: azure-ipi-kata + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: azure-qe + env: + BASE_DOMAIN: qe.azure.devcluster.openshift.com + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + CUSTOM_AZURE_REGION: eastus + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + workflow: sandboxed-containers-operator-e2e-azure + timeout: 24h0m0s +- as: azure-ipi-peerpods + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: azure-qe + env: + BASE_DOMAIN: 
qe.azure.devcluster.openshift.com + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + CUSTOM_AZURE_REGION: eastus + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: peer-pods + workflow: sandboxed-containers-operator-e2e-azure + timeout: 24h0m0s +- as: azure-ipi-coco + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: azure-qe + env: + BASE_DOMAIN: qe.azure.devcluster.openshift.com + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + CUSTOM_AZURE_REGION: eastus + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: coco + workflow: 
sandboxed-containers-operator-e2e-azure + timeout: 24h0m0s +- as: aro-ipi-peerpods + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: azure-qe + env: + ARO_CLUSTER_VERSION: "4.17" + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + HYPERSHIFT_AZURE_LOCATION: eastus + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + LOCATION: eastus + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: peer-pods + workflow: sandboxed-containers-operator-e2e-aro + timeout: 24h0m0s +- as: aro-ipi-coco + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: azure-qe + env: + ARO_CLUSTER_VERSION: "4.17" + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + 
HYPERSHIFT_AZURE_LOCATION: eastus + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + LOCATION: eastus + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: coco + workflow: sandboxed-containers-operator-e2e-aro + timeout: 24h0m0s +- as: aws-ipi-peerpods + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: aws-sandboxed-containers-operator + env: + AWS_REGION_OVERRIDE: us-east-2 + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:1.12.1-1781886111 + CATALOG_SOURCE_NAME: brew-catalog + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: peer-pods + workflow: sandboxed-containers-operator-e2e-aws + timeout: 24h0m0s +- as: aws-ipi-coco + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - 
error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + restrict_network_access: false + steps: + cluster_profile: aws-sandboxed-containers-operator + env: + AWS_REGION_OVERRIDE: us-east-2 + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" + KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "false" + RUNTIMECLASS: kata-remote + SLEEP_DURATION: 0h + TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: coco + workflow: sandboxed-containers-operator-e2e-aws + timeout: 24h0m0s +zz_generated_metadata: + branch: devel + org: openshift + repo: sandboxed-containers-operator + variant: downstream-candidate422 diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml index 9d9314954ed64..9cdf7de6aafad 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
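Review bot: Six of the seven jobs in this new file take `CATALOG_SOURCE_IMAGE` from the floating `osc-test-fbc:latest` tag, while `aws-ipi-peerpods` pins `osc-test-fbc:1.12.1-1781886111`. The operator build under test therefore differs between jobs and between runs, and the job config does not record which build a given run used. I would use one pinned value across the file, e.g. `CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:1.12.1-1781886111`, or a digest. Every job also sets `restrict_network_access: false`, whereas the 4.21 config in this commit flips one job to `true`; if the `intranet` capability is the reason, a comment such as `# intranet capability requires unrestricted network access` would record that. `ARO_CLUSTER_VERSION: "4.17"` in the two aro jobs looks carried over from an older variant and is worth confirming for a 4.22 config.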
@@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: diff --git a/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml b/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml index 7cfe473832a39..eba8f259df602 100644 --- a/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml +++ b/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml @@ -246,7 +246,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-dashboard-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -270,6 +270,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-agent-ops-pr-image-mirror rerun_command: /test odh-mod-arch-agent-ops-pr-image-mirror + run_if_changed: ^packages/agent-ops/ spec: containers: - args: 
@@ -336,7 +337,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-agent-ops-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -360,6 +361,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-automl-pr-image-mirror rerun_command: /test odh-mod-arch-automl-pr-image-mirror + run_if_changed: ^packages/automl/ spec: containers: - args: @@ -426,7 +428,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-automl-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -450,6 +452,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-autorag-pr-image-mirror rerun_command: /test odh-mod-arch-autorag-pr-image-mirror + run_if_changed: ^packages/autorag/ spec: containers: - args: @@ -516,7 +519,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-autorag-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -540,6 +543,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-eval-hub-pr-image-mirror rerun_command: /test odh-mod-arch-eval-hub-pr-image-mirror + run_if_changed: ^packages/eval-hub/ spec: containers: - args: @@ -606,7 +610,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-eval-hub-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- 
@@ -630,6 +634,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-gen-ai-pr-image-mirror rerun_command: /test odh-mod-arch-gen-ai-pr-image-mirror + run_if_changed: ^packages/gen-ai/ spec: containers: - args: @@ -696,7 +701,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-gen-ai-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -720,6 +725,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-maas-pr-image-mirror rerun_command: /test odh-mod-arch-maas-pr-image-mirror + run_if_changed: ^packages/maas/ spec: containers: - args: @@ -786,7 +792,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-maas-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -810,6 +816,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-mlflow-pr-image-mirror rerun_command: /test odh-mod-arch-mlflow-pr-image-mirror + run_if_changed: ^packages/mlflow/ spec: containers: - args: @@ -876,7 +883,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-mlflow-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -900,6 +907,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-model-registry-pr-image-mirror rerun_command: /test odh-mod-arch-model-registry-pr-image-mirror + run_if_changed: ^packages/model-registry/ spec: containers: - args: 
diff --git a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml index 8b1a3df2e0409..b272fa04433b2 100644 --- a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml +++ b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml 
@@ -2921,6 +2921,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build02 + cron: 0 0 31 2 * + decorate: true + decoration_config: + skip_cloning: true + timeout: 5h0m0s + extra_refs: + - base_ref: main + org: openshift-online + repo: rosa-e2e + labels: + capability/nested-podman: nested-podman + ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=ocm-fvt-periodic-cs-sanity-jira-staging-main + - --variant=ocm-fvt-rosa-hcp-staging + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: 
ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build02 + cron: 0 0 31 2 * + decorate: true + decoration_config: + skip_cloning: true + timeout: 5h0m0s + extra_refs: + - base_ref: main + org: openshift-online + repo: rosa-e2e + labels: + capability/nested-podman: nested-podman + ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=ocm-fvt-periodic-cs-sanity-staging-main + - --variant=ocm-fvt-rosa-hcp-staging + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + 
readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 30 7 * * * diff --git a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml index a8da82fbdbc64..256f942409bf8 100644 --- a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml +++ b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml 
@@ -294,176 +294,6 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )lint,?($|\s.*) - - agent: kubernetes - always_run: true - branches: - - ^main$ - - ^main- - cluster: build03 - context: ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - decorate: true - decoration_config: - skip_cloning: true - timeout: 5h0m0s - labels: - capability/nested-podman: nested-podman - ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging - ci.openshift.io/generator: prowgen - job-release: "4.22" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - rerun_command: /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=ocm-fvt-periodic-cs-sanity-jira-staging-main - - --variant=ocm-fvt-rosa-hcp-staging - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - 
serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main,?($|\s.*) - - agent: kubernetes - always_run: true - branches: - - ^main$ - - ^main- - cluster: build03 - context: ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - decorate: true - decoration_config: - skip_cloning: true - timeout: 5h0m0s - labels: - capability/nested-podman: nested-podman - ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging - ci.openshift.io/generator: prowgen - job-release: "4.22" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - rerun_command: /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=ocm-fvt-periodic-cs-sanity-staging-main - - --variant=ocm-fvt-rosa-hcp-staging - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - 
name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main,?($|\s.*) - agent: kubernetes always_run: true branches: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml index 1c33025bcc9bc..b062066f8fab2 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml index 722891c683b45..0424134a4f64a 100644 
--- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml @@ -1217,6 +1217,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml index ccfb684db9985..0dee7ec2e673b 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml index 1f507c2ae7d2a..428d06f1f3fb7 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml @@ -1387,6 +1387,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest 
diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml index 87cff80e741ba..1abd5eca5b35f 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml index e07967369d800..5fde228d52b63 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml @@ -1644,6 +1644,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml index 963e610267b2e..fcb02147d5f6b 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml 
@@ -25,6 +25,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml index e296beb0af652..b55adb6b046a1 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml @@ -2103,6 +2103,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml index 5546fc5385196..75866ec19be6e 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml @@ -1006,6 +1006,7 @@ periodics: secretName: result-aggregator - agent: kubernetes cluster: build07 + cron: '@weekly' decorate: true decoration_config: skip_cloning: true @@ -1013,7 +1014,6 @@ periodics: - base_ref: release-5.0 org: openshift repo: hypershift - interval: 6h labels: ci-operator.openshift.io/cloud: hypershift-aws ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws diff --git a/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml new file mode 100644 index 0000000000000..75a2270c64df9 --- /dev/null 
+++ b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml @@ -0,0 +1,65 @@ +postsubmits: + openshift/loki: + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + cluster: build06 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + capability/arm64: arm64 + ci-operator.openshift.io/is-promotion: "true" + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-loki-upstream-v3.6.12-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson + - --promote + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/push-secret + name: push-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: push-secret + secret: + secretName: registry-push-credentials-ci-central + - name: result-aggregator + secret: + secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml new file mode 100644 index 0000000000000..796aa4104903b 
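Review bot: The container in the new loki promotion job runs `quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest` with `imagePullPolicy: Always`, a mutable tag, while mounting `registry-push-credentials-ci-central` at `/etc/push-secret` and passing `--promote`. Whatever that tag resolves to when the pod starts therefore runs with registry push access, so control over the tag is part of the trust boundary for every image this job promotes. A digest reference of the form `image: quay-proxy.ci.openshift.org/openshift/ci@sha256:<digest>` (placeholder) would tie each run to a known build of the tool. The job carries `ci.openshift.io/generator: prowgen`, so this would be a change to the generator's template rather than to this file. The same image line appears in the new loki presubmits and the sandboxed-containers periodics.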
--- /dev/null +++ b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml 
@@ -0,0 +1,142 @@ +presubmits: + openshift/loki: + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + - ^upstream-v3\.6\.12- + cluster: build05 + context: ci/prow/images + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + capability/arm64: arm64 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-loki-upstream-v3.6.12-images + rerun_command: /test images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + - ^upstream-v3\.6\.12- + cluster: build01 + context: ci/prow/test + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-loki-upstream-v3.6.12-test + rerun_command: /test test + spec: 
+ containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=test + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )test,?($|\s.*) diff --git a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml index ea278d814439b..da4bc21152346 100644 
--- a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml +++ b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml 
@@ -3947,6 +3947,664 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aro-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: 
manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aro-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + 
- name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-sandboxed-containers-operator + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State 
"success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + 
capability/intranet: intranet + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-sandboxed-containers-operator + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + 
name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-kata + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - 
--lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-kata + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: 
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + 
secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 0 31 2 1 diff --git a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml index b92caf2f925e7..c4667663b6b66 100644 --- a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml +++ b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml 
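Review bot: `cron: 0 0 31 2 1` on each of the seven `downstream-candidate422` periodics added here restricts both day-of-month and day-of-week, and under the usual cron rule those two fields are ORed when neither is `*`, so the expression would match every Monday in February rather than never. If the intent is a job that only runs when triggered by hand, `cron: 0 0 31 2 *` keeps the impossible date as the only day condition; this is worth confirming against the scheduler's cron parser, since the unchanged neighbouring job at the end of the hunk uses the same value. An unplanned run matters here because each job passes `--lease-server-credentials-file` and is labelled with the `azure-qe` or `aws-sandboxed-containers-operator` cluster profile, with a `24h0m0s` timeout. The entries carry `ci.openshift.io/generator: prowgen`, so the schedule would be changed in the ci-operator config this file is generated from.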
@@ -117,6 +117,405 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )ci-bundle-openshift-sandboxed-containers-operator-bundle,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-images + rerun_command: /test downstream-candidate-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate417-images + decorate: true + decoration_config: + skip_cloning: true + labels: + 
ci-operator.openshift.io/variant: downstream-candidate417 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-images + rerun_command: /test downstream-candidate417-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate417 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate417-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate418-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate418 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-images + rerun_command: /test downstream-candidate418-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - 
--image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate418 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate418-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate419-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate419 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-images + rerun_command: /test downstream-candidate419-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate419 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: 
/secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate419-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate420-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate420 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-images + rerun_command: /test downstream-candidate420-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate420 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + 
secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate420-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate421-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate421 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-images + rerun_command: /test downstream-candidate421-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate421 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate421-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: 
ci/prow/downstream-release-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-release + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-release-images + rerun_command: /test downstream-release-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-release + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-release-images,?($|\s.*) - agent: kubernetes always_run: true branches: diff --git a/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml b/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml index e028533c09bdd..c4802dd86f748 100644 --- a/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml +++ b/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml 
@@ -27,5 +27,5 @@ ref: - name: COMPRESS_TIMING_METADATA default: "true" documentation: Whether to compress timing metadata files with gzip. - best_effort: true + best_effort: false timeout: 5m diff --git a/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh b/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh index 7095c0d409d7a..1bd89569bc504 100644 --- a/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh +++ b/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh 
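Review bot: Flipping `best_effort` to `false` makes this gather step blocking, and with the unchanged `timeout: 5m` on the next line a slow or failed collection would presumably now fail the job instead of being ignored. Nothing in the hunk records why the gather has to be mandatory; I would state the reason next to the field, for example `# best_effort: false so that missing observability artifacts fail the run (confirm intent)`. The ref definition starts outside the hunk, so the step's own documentation text is not visible here.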
@@ -93,6 +93,30 @@ if [[ ! -z "${RECERT_IMAGE_OVERRIDE}" ]]; then RECERT_IMAGE=$RECERT_IMAGE_OVERRIDE fi +# Export lifecycle-agent git coordinates for ib-orchestrate-vm. +# - lifecycle-agent presubmit: pin to the PR commit (CI_LCA_GIT_REF/PULL). +# - openshift/release rehearsal of lifecycle-agent jobs: branch checkout only +# (main or release-4.x); CI_LCA_GIT_* stay empty. +# - Other jobs: leave CI_LCA_GIT_* empty; ib-orchestrate-vm uses defaults. +CI_LCA_GIT_REF="" +CI_LCA_GIT_PULL="" +if [[ "${REPO_OWNER}/${REPO_NAME}" == "openshift-kni/lifecycle-agent" ]]; then + CI_LCA_GIT_REF="${PULL_PULL_SHA:-}" + CI_LCA_GIT_PULL="${PULL_NUMBER:-}" + LCA_GIT_BRANCH="${PULL_BASE_REF:-${LCA_GIT_BRANCH:-}}" +elif [[ "${JOB_NAME}" == rehearse-* ]] && [[ "${JOB_NAME}" == *lifecycle-agent* ]]; then + LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r '[.extra_refs[]? | select(.org == "openshift-kni" and .repo == "lifecycle-agent") | .base_ref][0] // empty')" + if [[ -z "${LCA_GIT_BRANCH}" ]]; then + if [[ "${JOB_NAME}" =~ lifecycle-agent-release-([0-9]+\.[0-9]+) ]]; then + LCA_GIT_BRANCH="release-${BASH_REMATCH[1]}" + elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then + LCA_GIT_BRANCH="main" + else + LCA_GIT_BRANCH="main" + fi + fi +fi + echo "Creating seed script..." cat < ${SHARED_DIR}/create_seed.sh #!/bin/bash @@ -103,6 +127,10 @@ export BACKUP_SECRET=\$(<${BACKUP_SECRET_FILE}) export SEED_VM_NAME="${SEED_VM_NAME}" export SEED_VERSION="${SEED_VERSION}" export LCA_OPERATOR_BUNDLE_IMAGE="${OO_BUNDLE}" +export CI_LCA_GIT_REF="${CI_LCA_GIT_REF}" +export CI_LCA_GIT_PULL="${CI_LCA_GIT_PULL}" +export LCA_GIT_REPO="https://github.com/openshift-kni/lifecycle-agent" +export LCA_GIT_BRANCH="${LCA_GIT_BRANCH:-main}" export SEED_RELEASE_IMAGE="${RELEASE_IMAGE}" export RECERT_IMAGE="${RECERT_IMAGE}" export SEED_FLOATING_TAG="${SEED_FLOATING_TAG}" 
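Review bot: `REPO_OWNER`, `REPO_NAME`, `JOB_NAME` and `JOB_SPEC` are expanded without a default in the added conditions, while `PULL_PULL_SHA`, `PULL_NUMBER` and `PULL_BASE_REF` in the same block all use `:-`. If the script runs with nounset (its header is outside the hunk), a job without refs would abort at the first test; `if [[ "${REPO_OWNER:-}/${REPO_NAME:-}" == "openshift-kni/lifecycle-agent" ]]; then` avoids that. The last `elif` and the `else` both assign `main`, so the `elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]` arm can be dropped. The same block is added to openshift-image-based-upgrade-target-commands.sh in its `@@ -28,6 +28,30 @@` hunk.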
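Review bot: The four added `export` lines are expanded when the heredoc is written, so `LCA_GIT_BRANCH` (taken from `PULL_BASE_REF` or from `.base_ref` in `JOB_SPEC`), `CI_LCA_GIT_REF` and `CI_LCA_GIT_PULL` land verbatim inside double quotes in the generated create_seed.sh. A value containing a double quote, `$(` or a backtick would be interpreted when that script runs, so I would check the shape before the heredoc, e.g. `[[ "${LCA_GIT_BRANCH:-main}" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "unexpected LCA_GIT_BRANCH" >&2; exit 1; }`, and likewise require `^[0-9a-f]{40}$` for a non-empty `CI_LCA_GIT_REF` and `^[0-9]+$` for a non-empty `CI_LCA_GIT_PULL`. The heredoc begins in the previous hunk's context and ends outside this one. The `@@ -40,6 +64,10 @@` hunk of openshift-image-based-upgrade-target-commands.sh adds the same four lines to upgrade_from_seed.sh.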
diff --git a/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh b/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh index c626373dcd469..40aa2b1402b9d 100644 --- a/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh +++ b/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh @@ -28,6 +28,30 @@ target_kubeconfig=${remote_workdir}/ib-orchestrate-vm/bip-orchestrate-vm/workdir echo "${TARGET_VM_NAME}" > "${SHARED_DIR}/target_vm_name" +# Export lifecycle-agent git coordinates for ib-orchestrate-vm. +# - lifecycle-agent presubmit: pin to the PR commit (CI_LCA_GIT_REF/PULL). +# - openshift/release rehearsal of lifecycle-agent jobs: branch checkout only +# (main or release-4.x); CI_LCA_GIT_* stay empty. +# - Other jobs: leave CI_LCA_GIT_* empty; ib-orchestrate-vm uses defaults. +CI_LCA_GIT_REF="" +CI_LCA_GIT_PULL="" +if [[ "${REPO_OWNER}/${REPO_NAME}" == "openshift-kni/lifecycle-agent" ]]; then + CI_LCA_GIT_REF="${PULL_PULL_SHA:-}" + CI_LCA_GIT_PULL="${PULL_NUMBER:-}" + LCA_GIT_BRANCH="${PULL_BASE_REF:-${LCA_GIT_BRANCH:-}}" +elif [[ "${JOB_NAME}" == rehearse-* ]] && [[ "${JOB_NAME}" == *lifecycle-agent* ]]; then + LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r '[.extra_refs[]? | select(.org == "openshift-kni" and .repo == "lifecycle-agent") | .base_ref][0] // empty')" + if [[ -z "${LCA_GIT_BRANCH}" ]]; then + if [[ "${JOB_NAME}" =~ lifecycle-agent-release-([0-9]+\.[0-9]+) ]]; then + LCA_GIT_BRANCH="release-${BASH_REMATCH[1]}" + elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then + LCA_GIT_BRANCH="main" + else + LCA_GIT_BRANCH="main" + fi + fi +fi + echo "Creating upgrade script..." cat < ${SHARED_DIR}/upgrade_from_seed.sh #!/bin/bash 
@@ -40,6 +64,10 @@ export TARGET_VERSION="${TARGET_VERSION}" export TARGET_LCA_REF="${TARGET_LCA_REF}" export RELEASE_IMAGE="${TARGET_IMAGE}" export LCA_OPERATOR_BUNDLE_IMAGE="${OO_BUNDLE}" +export CI_LCA_GIT_REF="${CI_LCA_GIT_REF}" +export CI_LCA_GIT_PULL="${CI_LCA_GIT_PULL}" +export LCA_GIT_REPO="https://github.com/openshift-kni/lifecycle-agent" +export LCA_GIT_BRANCH="${LCA_GIT_BRANCH:-main}" export SEED_VERSION="${SEED_VERSION}" export IP_STACK="${IP_STACK}" export UPGRADE_TIMEOUT="60m" diff --git a/ci-operator/step-registry/sandboxed-containers-operator/README.md b/ci-operator/step-registry/sandboxed-containers-operator/README.md index 7cff08b86bd2c..6393083c2cab4 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/README.md +++ b/ci-operator/step-registry/sandboxed-containers-operator/README.md @@ -1,5 +1,7 @@ This directory contain the steps, chains and workflows implemented specifically for the Openshift Sandboxed Containers (OSC) jobs. +*Note the prowjobs need **restrict_network_access: false** for konflux. If doing a /pj-rehearse, it needs to be **true**. If the PR is merged, it should be reverted to **false*** + ## Steps Here is the list of steps and their explanation. 
@@ -31,6 +33,182 @@ The [sandboxed-containers-operator-env-cm](./env-cm/) step creates the osc-confi Currently not all parameters are enabled. In particular, only GA release type is supported, meaning it doesn't install development builds of OSC. +### sandboxed-containers-operator-install-trustee-operator + +The [sandboxed-containers-operator-install-trustee-operator](./install-trustee-operator/) step installs the Trustee operator for Confidential Containers (CoCo) workloads. This step is only needed for CoCo tests. + +## Catalog Source Configuration + +Both OSC and Trustee operators can be installed from different catalog sources depending on whether you're testing pre-release builds or using production catalogs. + +### OSC Catalog Source + +Controlled by environment variables in job configurations: + +- **`CATALOG_SOURCE_NAME`** - Name of the CatalogSource to use + - Default: `"redhat-operators"` (production catalog) + - For testing: `"brew-catalog"` or custom names + +- **`CATALOG_SOURCE_IMAGE`** - Custom FBC (File-Based Catalog) image + - Default: `""` (empty, uses existing catalog specified by `CATALOG_SOURCE_NAME`) + - For testing: `"quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest"` + +**Behavior:** +- If `CATALOG_SOURCE_IMAGE` is empty: uses existing catalog specified by `CATALOG_SOURCE_NAME` +- If `CATALOG_SOURCE_IMAGE` is set: creates a new CatalogSource with that image + +### Trustee Catalog Source + +Controlled by the Trustee helm chart and `TRUSTEE_CATALOG_SOURCE_IMAGE` environment variable: + +- **`TRUSTEE_CATALOG_SOURCE_IMAGE`** - Custom FBC image for Trustee operator + - Default: `""` (empty) + - For testing: `"quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656"` + +**Behavior:** +- If `TRUSTEE_CATALOG_SOURCE_IMAGE` is **empty**: + - Helm chart sets `dev.enabled=false` + - Uses existing `redhat-operators` CatalogSource (production) + - No new CatalogSource is created + +- If `TRUSTEE_CATALOG_SOURCE_IMAGE` 
is **set**: + - Helm chart sets `dev.enabled=true` + - Creates new CatalogSource named `trustee-operator-dev-catalog` (hardcoded in helm chart) + - Uses the specified custom image + - **Note:** CatalogSource name cannot be overridden - it's always `trustee-operator-dev-catalog` + +**Example job configuration for CoCo testing:** + +```yaml +tests: +- as: azure-ipi-coco + steps: + env: + # OSC operator catalog + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + + # Trustee operator catalog (CatalogSource name is hardcoded to trustee-operator-dev-catalog) + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" + + # Test configuration + WORKLOAD_TO_TEST: coco + ENABLEPEERPODS: "true" + RUNTIMECLASS: kata-remote +``` + +**Why the different approaches?** +- OSC workflow was designed with flexibility to use any catalog name +- Trustee uses upstream helm charts from [confidential-devhub/charts](https://github.com/confidential-devhub/charts) which hardcode the dev CatalogSource name +- This keeps Trustee CI aligned with upstream tooling + +### Image Tag Resolution: `:latest` vs Specific Build Tags + +Catalog images can be referenced using different tag strategies with distinct tradeoffs: + +#### Using `:latest` Tags + +```yaml +CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest +``` + +**How it resolves:** +1. At job execution time, container runtime queries Quay.io registry +2. Registry returns the current image digest that `:latest` points to +3. That specific digest is pulled and used for the job +4. 
Different jobs can get different images if builds happen between runs + +**Managed by:** Konflux/RHTAP automatically updates `:latest` after each successful build + +**Advantages:** +- ✅ Automatically tests newest builds without config changes +- ✅ Good for continuous validation of rolling builds +- ✅ No manual maintenance needed + +**Disadvantages:** +- ❌ Non-reproducible (different runs may use different builds) +- ❌ Hard to bisect regressions ("which build broke this?") +- ❌ Can break unexpectedly if bad build gets tagged + +#### Using Specific Build Tags + +```yaml +TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 +``` + +**Tag format:** `-` +- Version: `1.1.0` (semantic version from project) +- Build ID: `1776506656` (Konflux pipeline run identifier) + +**How it resolves:** +- Tag is **immutable** - always points to the same image digest +- Never changes after creation +- Reproducible across all job runs + +**Advantages:** +- ✅ Reproducible test results +- ✅ Easy to bisect issues (pin to specific builds) +- ✅ Stable - won't break from new builds +- ✅ Direct traceability to Konflux pipeline runs + +**Disadvantages:** +- ❌ Requires manual config updates to test new builds +- ❌ Can become stale if not maintained + +#### How Konflux Creates Multiple Tags + +When a catalog build completes in Konflux, multiple tags point to the same image: + +```bash +# All these reference the same image digest: +quay.io/.../osc-test-fbc:latest # Moves to newest build +quay.io/.../osc-test-fbc:1.2.0-1776506656 # Immutable build-specific tag +quay.io/.../osc-test-fbc:1.2.0 # Moves within version series +quay.io/.../osc-test-fbc:sha256-abc123... 
# Direct digest reference +``` + +#### Finding Specific Build Tags + +To find the current build tag that `:latest` points to: + +```bash +# Option 1: Query Quay.io API +curl -s https://quay.io/api/v1/repository/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc/tag/ | \ + jq -r '.tags[] | select(.name | startswith("1.1.0")) | .name' | sort -V | tail -5 + +# Option 2: Pull and inspect +podman pull quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:latest +podman inspect quay.io/.../trustee-test-fbc:latest | jq '.[0].RepoTags[]' + +# Option 3: Check Konflux pipeline runs +# Navigate to Konflux UI → Application → Component → Pipeline Runs +# Find successful run ID and use format: - +``` + +#### Strategy Comparison + +| Aspect | `:latest` | `1.1.0-1776506656` (Specific build) | +|--------|----------------|------------------------------| +| **Resolution** | Dynamic (query registry each time) | Static (immutable) | +| **Reproducibility** | ❌ Different builds over time | ✅ Always same build | +| **Maintenance** | Automatic | Manual updates | +| **Traceability** | Hard (logs needed) | Easy (build ID in tag) | +| **Use Case** | Daily/nightly rolling tests | Stable/release validation | + +#### When to Use Each Strategy + +**Use `:latest` when:** +- Running frequent jobs (daily/nightly) that should pick up new builds automatically +- Testing the latest code is more important than reproducibility +- You have good monitoring/alerting for failures + +**Use specific build tags when:** +- You need reproducible results for debugging +- Testing specific release candidates or milestones +- You want to correlate failures to specific builds +- Running less frequently (weekly/release gates) + ## Chains Here is the list of chains. 
@@ -209,7 +387,7 @@ for ``Running step launch-cucushift-installer-wait.`` line in there. Once it shows there the cluster is ready and waiting for you for the specified amount of time. -Getting access to your testing cluster is slightly harder as first +Getting access to your testing cluster is slightly harder as first you need to get to the ``main build OCP``. To do so: 1. open the ``job started...`` link by clusterbot diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS new file mode 100644 index 0000000000000..5c31fe0ceccfc --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS @@ -0,0 +1,10 @@ +reviewers: + - ldoktor + - tbuskey + - vvoronko + - wainersm +approvers: + - ldoktor + - tbuskey + - vvoronko + - wainersm diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh new file mode 100755 index 0000000000000..8d746e938205f --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh 
@@ -0,0 +1,1027 @@ +#!/usr/bin/env bash +# +# Install Trustee Operator for Confidential Containers (CoCo) +# +# This script installs and configures the Trustee operator and operands using +# helm charts from https://github.com/confidential-devhub/charts +# +# NETWORK ACCESS: +# Preferred: Use TRUSTEE_CHARTS_IMAGE (pre-built image dependency) +# Works with restrict_network_access: true for rehearsals +# Fallback: Fetches from GitHub (requires restrict_network_access: false) +# +# Environment Variables: +# TRUSTEE_INSTALL - "true" to install, "false" to skip (default: false) +# TRUSTEE_NAMESPACE - Namespace for operator (default: trustee-operator-system) +# TRUSTEE_CATALOG_SOURCE_IMAGE - Custom catalog image (optional) +# NOTE: CatalogSource name is hardcoded to "trustee-operator-dev-catalog" +# in the helm chart and cannot be overridden +# IMAGE_TRUSTEE_CHARTS - Pre-built charts image (set by ci-operator, recommended) +# TRUSTEE_CHARTS_REPO - Charts repo URL (default: https://github.com/confidential-devhub/charts) +# TRUSTEE_CHARTS_REF - Charts git ref (default: main) +# KBS_CLIENT_TAG - kbs-client version override (optional) +# +# Outputs to SHARED_DIR: +# TRUSTEE_URL - KBS service URL for CoCo workloads +# TRUSTEE_HOST - KBS hostname +# TRUSTEE_PORT - KBS port +# INITDATA - Base64-encoded gzipped initdata.toml +# initdata.toml - Plain text initdata configuration +# + +set -euo pipefail + +#======================================== +# Configuration +#======================================== + +export SHARED_DIR=${SHARED_DIR:-/tmp} +export KUBECONFIG=${KUBECONFIG:-${SHARED_DIR}/kubeconfig} + +TRUSTEE_INSTALL=${TRUSTEE_INSTALL:-false} +TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE:-trustee-operator-system} +TRUSTEE_CATALOG_SOURCE_IMAGE=${TRUSTEE_CATALOG_SOURCE_IMAGE:-} +TRUSTEE_CHARTS_REPO=${TRUSTEE_CHARTS_REPO:-https://github.com/confidential-devhub/charts} +TRUSTEE_CHARTS_REF=${TRUSTEE_CHARTS_REF:-main} + +# Early exit if installation disabled +if [[ "${TRUSTEE_INSTALL}" != 
"true" ]]; then + echo ">>> Skipping trustee operator installation (TRUSTEE_INSTALL=${TRUSTEE_INSTALL})" + exit 0 +fi + +# Check helm is available +if ! command -v helm &> /dev/null; then + echo ">>> ERROR: helm is not available in the step image." >&2 + echo ">>> Install helm in the image used by this step to keep restrict_network_access support." >&2 + exit 1 +fi + +# Show configuration +echo ">>> Trustee charts: ${TRUSTEE_CHARTS_REPO} (ref: ${TRUSTEE_CHARTS_REF})" +if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + echo ">>> Trustee catalog source: trustee-operator-dev-catalog (image: ${TRUSTEE_CATALOG_SOURCE_IMAGE})" +else + echo ">>> Trustee catalog source: redhat-operators (using existing catalog)" +fi + +#======================================== +# Cleanup Handler +#======================================== + +SCRATCH=$(mktemp -d) +cd "${SCRATCH}" + +function exit_handler() { + local exitcode=$? + set +e + rm -rf "${SCRATCH}" + + if [[ ${exitcode} -ne 0 ]]; then + echo ">>> ERROR: Trustee operator installation failed" + echo ">>> Namespace status:" + oc get all -n "${TRUSTEE_NAMESPACE}" || true + echo ">>> Operator logs:" + oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true + fi +} +trap 'exit_handler' EXIT + +#======================================== +# Helper Functions +#======================================== + +# Retry command up to 10 times with 30s delay between attempts +function retry() { + "$@" && return 0 + for (( i = 0; i < 9; i++ )); do + sleep 30 + "$@" && return 0 + done + return 1 +} + +# Generic wait loop with condition checking +# Usage: wait_until +# Returns: 0 on success, 1 on timeout +# Example: wait_until "pod to be ready" 300 5 'oc get pod mypod -o jsonpath="{.status.phase}" | grep -q Running' +function wait_until() { + local description="$1" + local timeout_seconds="$2" + local check_interval="$3" + local condition_command="$4" + + local max_iterations=$((timeout_seconds / check_interval)) + 
local progress_interval=$((60 / check_interval)) # Show progress every 60 seconds + [[ ${progress_interval} -lt 1 ]] && progress_interval=1 + + echo ">>> Waiting for ${description} (timeout: ${timeout_seconds}s, interval: ${check_interval}s)..." >&2 + + for (( i = 1; i <= max_iterations; i++ )); do + if eval "${condition_command}" 2>/dev/null; then + echo ">>> ${description} - SUCCESS (after $((i * check_interval))s)" >&2 + return 0 + fi + + # Show progress at regular intervals + if [[ $((i % progress_interval)) -eq 0 ]]; then + echo ">>> Still waiting for ${description} (${i}/${max_iterations}, $((i * check_interval))s elapsed)..." >&2 + fi + + [[ ${i} -lt ${max_iterations} ]] && sleep "${check_interval}" + done + + echo ">>> ERROR: ${description} - TIMEOUT after ${timeout_seconds}s" >&2 + return 1 +} + +# Fetch trustee helm charts (from pre-built image or GitHub) +function fetch_trustee_charts() { + local charts_dir="${SCRATCH}/charts" + + # Option 1: Extract from pre-built container image (preferred, works with restrict_network_access: true) + # ci-operator provides built images via IMAGE_FORMAT and IMAGE_TRUSTEE_CHARTS env vars + if [[ -n "${IMAGE_TRUSTEE_CHARTS:-}" ]]; then + local charts_image="${IMAGE_TRUSTEE_CHARTS}" + echo ">>> Extracting trustee charts from pre-built image" >&2 + echo ">>> Image: ${charts_image}" >&2 + + # Extract charts from the image + mkdir -p "${charts_dir}" + local extract_output + if extract_output=$(oc image extract "${charts_image}" --path /charts/:${charts_dir}/ 2>&1); then + echo ">>> Charts extracted from image (no network access needed)" >&2 + echo ">>> Extracted files:" >&2 + ls -lR "${charts_dir}" | head -50 >&2 + # The git repo structure is: charts/trustee-operator/, so image has /charts/charts/ + # Return the nested charts directory + echo "${charts_dir}/charts" + return 0 + else + echo ">>> ERROR: Failed to extract charts from image" >&2 + echo "$extract_output" >&2 + echo ">>> Falling back to git clone" >&2 + fi + else + 
echo ">>> IMAGE_TRUSTEE_CHARTS not set, using git clone fallback" >&2 + fi + + # Option 2: Fallback to git clone (requires restrict_network_access: false) + echo ">>> Fetching trustee charts from GitHub: ${TRUSTEE_CHARTS_REPO} (ref: ${TRUSTEE_CHARTS_REF})" >&2 + + if ! command -v git &> /dev/null; then + echo ">>> ERROR: git command not found" >&2 + return 1 + fi + + git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}" + + if [[ ! -d "${charts_dir}" ]]; then + echo ">>> ERROR: Failed to clone charts repository" >&2 + return 1 + fi + + echo ">>> Charts cloned from GitHub" >&2 + echo "${charts_dir}" +} + +# Get cluster domain from ingress config, console route, or console URL +function get_cluster_domain() { + local cluster_domain="" + + # Try ingress config, console route, then console URL + cluster_domain=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}' 2>/dev/null || true) + + if [[ -z "${cluster_domain}" ]]; then + cluster_domain=$(oc get route -n openshift-console console -o jsonpath='{.spec.host}' 2>/dev/null | sed 's/^console-openshift-console\.//' || true) + fi + + if [[ -z "${cluster_domain}" ]]; then + local console_url + console_url=$(oc whoami --show-console 2>/dev/null || true) + if [[ -n "${console_url}" ]]; then + cluster_domain=$(echo "${console_url}" | sed 's|https://console-openshift-console\.||' | sed 's|/.*||') + fi + fi + + if [[ -z "${cluster_domain}" ]]; then + echo ">>> ERROR: Failed to derive cluster domain" >&2 + return 1 + fi + + echo ">>> Cluster domain: ${cluster_domain}" >&2 + echo "${cluster_domain}" +} + +#======================================== +# Helm Chart Functions +#======================================== + +# Render trustee operator chart using helm template +function render_trustee_operator_chart() { + local charts_dir="$1" + local operator_chart="${charts_dir}/trustee-operator" + + if [[ ! 
-d "${operator_chart}" ]]; then + echo ">>> ERROR: Operator chart not found at ${operator_chart}" >&2 + return 1 + fi + + echo ">>> Rendering trustee-operator chart from: ${operator_chart}" >&2 + echo ">>> Chart files:" >&2 + ls -la "${operator_chart}" >&2 + + # Build helm command with --set parameters + local helm_args=( + "trustee-operator" + "${operator_chart}" + "--set" "namespaceOverride=${TRUSTEE_NAMESPACE}" + ) + + # Add catalog source configuration if custom image provided + if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + helm_args+=( + "--set" "dev.enabled=true" + "--set" "dev.image=${TRUSTEE_CATALOG_SOURCE_IMAGE}" + ) + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, dev.enabled=true, dev.image=${TRUSTEE_CATALOG_SOURCE_IMAGE}" >&2 + echo ">>> Note: CatalogSource name is hardcoded to 'trustee-operator-dev-catalog' in helm chart" >&2 + else + helm_args+=( + "--set" "dev.enabled=false" + ) + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, dev.enabled=false" >&2 + echo ">>> Note: Using existing 'redhat-operators' CatalogSource" >&2 + fi + + # Render the chart and capture output for debugging + local helm_output + if ! helm_output=$(helm template "${helm_args[@]}" 2>&1); then + echo ">>> ERROR: helm template failed" >&2 + echo "$helm_output" >&2 + return 1 + fi + + echo "$helm_output" +} + +# Render trustee operands chart using helm template +function render_trustee_operands_chart() { + local charts_dir="$1" + local operands_chart="${charts_dir}/trustee-operands" + + if [[ ! -d "${operands_chart}" ]]; then + echo ">>> ERROR: Operands chart not found at ${operands_chart}" >&2 + return 1 + fi + + echo ">>> Rendering trustee-operands chart from: ${operands_chart}" >&2 + echo ">>> Chart files:" >&2 + ls -la "${operands_chart}" >&2 + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, clusterDomain=${CLUSTER_DOMAIN}" >&2 + + # Render the chart and capture output for debugging + local helm_output + if ! 
helm_output=$(helm template trustee-operands "${operands_chart}" \ + --set "namespaceOverride=${TRUSTEE_NAMESPACE}" \ + --set "clusterDomain=${CLUSTER_DOMAIN}" 2>&1); then + echo ">>> ERROR: helm template failed" >&2 + echo "$helm_output" >&2 + return 1 + fi + + echo "$helm_output" +} + +#======================================== +# Installation Functions +#======================================== + +# Install trustee operator via OLM using helm-rendered manifests +function install_trustee_operator() { + local charts_dir="$1" + + echo ">>> Installing Trustee operator" + + # Render operator chart + local operator_yaml="${SCRATCH}/operator-manifests.yaml" + if ! render_trustee_operator_chart "${charts_dir}" > "${operator_yaml}"; then + echo ">>> ERROR: Failed to render operator chart" + return 1 + fi + + echo ">>> Rendered operator YAML:" + cat "${operator_yaml}" + echo ">>> Total YAML lines: $(wc -l < "${operator_yaml}")" + + # Apply operator chart + local apply_output + if ! apply_output=$(oc apply -f "${operator_yaml}" 2>&1); then + echo ">>> ERROR: Failed to apply operator manifests" + echo "$apply_output" + echo ">>> Full operator YAML:" + cat "${operator_yaml}" + return 1 + fi + + echo ">>> Apply output:" + echo "$apply_output" +} + +# Wait for operator installation through all OLM stages +# Stages: All CatalogSources READY → Subscription → InstallPlan → CSV → Deployment +function wait_for_operator() { + # Stage 0: Wait for ALL CatalogSources to be READY (600s / 10 minutes) + # This prevents Subscription failures due to missing/unavailable catalogs + echo ">>> Waiting for all CatalogSources to be READY..." 
+ local all_catalogs_ready=false + for i in {1..120}; do + # Get all catalogs and their states + local catalog_states + catalog_states=$(oc get catalogsource -n openshift-marketplace -o jsonpath='{range .items[*]}{.metadata.name}={.status.connectionState.lastObservedState}{"\n"}{end}' 2>/dev/null || echo "") + + if [[ -z "${catalog_states}" ]]; then + echo ">>> WARNING: Unable to get catalog states (attempt ${i}/120)" + [[ ${i} -lt 120 ]] && sleep 5 + continue + fi + + # Count total vs ready catalogs + local total_catalogs + total_catalogs=$(echo "${catalog_states}" | wc -l) + local ready_catalogs + ready_catalogs=$(echo "${catalog_states}" | grep -c "=READY" || echo "0") + + if [[ ${ready_catalogs} -eq ${total_catalogs} && ${ready_catalogs} -gt 0 ]]; then + echo ">>> All CatalogSources are READY (${ready_catalogs}/${total_catalogs})" + all_catalogs_ready=true + break + fi + + # Show progress every 6 iterations (30 seconds) + if [[ $((i % 6)) -eq 0 ]]; then + echo ">>> CatalogSources ready: ${ready_catalogs}/${total_catalogs} (checking ${i}/120, $((i*5))s elapsed)..." 
+ echo "${catalog_states}" | grep -v "=READY" | head -5 || true + fi + + [[ ${i} -lt 120 ]] && sleep 5 + done + + if [[ "${all_catalogs_ready}" != "true" ]]; then + echo ">>> ERROR: Not all CatalogSources are READY after 600s" + echo ">>> Current CatalogSource states:" + oc get catalogsource -n openshift-marketplace -o custom-columns=NAME:.metadata.name,STATE:.status.connectionState.lastObservedState || true + echo ">>> CatalogSource pods:" + oc get pods -n openshift-marketplace || true + return 1 + fi + + # Stage 1: Wait for Trustee CatalogSource to be READY (60s) + # Skip if using existing catalog (no TRUSTEE_CATALOG_SOURCE_IMAGE provided) + if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + # Helm chart hardcodes the CatalogSource name to trustee-operator-dev-catalog + # Auto-discover in case the helm chart changes this in the future + local actual_catalog_name + actual_catalog_name=$(oc get catalogsource -n openshift-marketplace -l olm.catalogSource!=redhat-operators -o name 2>/dev/null | grep -i trustee | head -1 | cut -d/ -f2 || echo "") + + if [[ -z "$actual_catalog_name" ]]; then + # Fallback: use the hardcoded name from the helm chart + actual_catalog_name="trustee-operator-dev-catalog" + fi + + if ! 
wait_until "Trustee CatalogSource ${actual_catalog_name} READY" 60 5 \ + "[[ \"\$(oc get catalogsource -n openshift-marketplace '${actual_catalog_name}' -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null)\" == \"READY\" ]]"; then + echo ">>> All CatalogSources in openshift-marketplace:" >&2 + oc get catalogsource -n openshift-marketplace || true + echo ">>> Details of ${actual_catalog_name}:" >&2 + oc get catalogsource -n openshift-marketplace "${actual_catalog_name}" -o yaml || true + oc get pods -n openshift-marketplace -l olm.catalogSource="${actual_catalog_name}" || true + oc describe pods -n openshift-marketplace -l olm.catalogSource="${actual_catalog_name}" | tail -50 || true + return 1 + fi + else + echo ">>> Using existing CatalogSource redhat-operators" + fi + + # Stage 2: Wait for Subscription to reference an InstallPlan (300s) + local installplan_ref="" + if ! wait_until "Subscription to reference InstallPlan" 300 5 \ + "installplan_ref=\$(oc get subscription -n '${TRUSTEE_NAMESPACE}' trustee-operator -o jsonpath='{.status.installplan.name}' 2>/dev/null); [[ -n \"\${installplan_ref}\" ]]"; then + echo ">>> ERROR: Subscription has no InstallPlan reference" >&2 + oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o yaml || true + return 1 + fi + + # Capture the installplan ref for next stage + installplan_ref=$(oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o jsonpath='{.status.installplan.name}' 2>/dev/null || echo "") + echo ">>> Subscription references InstallPlan: ${installplan_ref}" >&2 + + # Stage 3: Wait for InstallPlan to be Complete (300s) + if ! 
wait_until "InstallPlan ${installplan_ref} Complete" 300 5 \ + "[[ \"\$(oc get installplan -n '${TRUSTEE_NAMESPACE}' '${installplan_ref}' -o jsonpath='{.status.phase}' 2>/dev/null)\" == \"Complete\" ]]"; then + echo ">>> ERROR: InstallPlan not Complete" >&2 + oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o yaml || true + return 1 + fi + + # Stage 4: Wait for CSV to be Succeeded (600s / 10 minutes) + if ! wait_until "CSV Succeeded" 600 5 \ + "[[ \"\$(oc get csv -n '${TRUSTEE_NAMESPACE}' -o jsonpath='{.items[0].status.phase}' 2>/dev/null)\" == \"Succeeded\" ]]"; then + echo ">>> ERROR: CSV not Succeeded" >&2 + oc get csv -n "${TRUSTEE_NAMESPACE}" -o yaml || true + return 1 + fi + + # Export CSV name for kbs-client version mapping + local csv_name + csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + export TRUSTEE_CSV_NAME="${csv_name}" + echo ">>> CSV ${csv_name} is Succeeded" >&2 + + # Stage 5: Wait for Deployment to be Available (600s / 10 minutes) + if ! wait_until "operator deployment Available" 600 5 \ + "oc get deployment -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type==\"Available\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: Operator deployment not Available" >&2 + oc get deployment -n "${TRUSTEE_NAMESPACE}" || true + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + return 1 + fi + + # Stage 6: Wait for pods to be Ready (600s / 10 minutes for readiness probes) + if ! 
wait_until "operator pods Ready (1/1)" 600 5 \ + "ready_count=\$(oc get pods -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager -o jsonpath='{.items[*].status.containerStatuses[0].ready}' 2>/dev/null | tr ' ' '\\\n' | grep -c 'true' || echo '0'); total_count=\$(oc get pods -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager --no-headers 2>/dev/null | wc -l); [[ \${ready_count} -gt 0 ]] && [[ \${ready_count} -eq \${total_count} ]]"; then + echo ">>> ERROR: Operator pods not Ready" >&2 + echo ">>> Pods:" >&2 + oc get pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + echo ">>> Pod details:" >&2 + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager | tail -100 || true + echo ">>> Pod logs:" >&2 + oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true + return 1 + fi + + # Show final pod status + oc get pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + echo ">>> Operator installation complete" >&2 +} + +# Install Trustee operands using helm-rendered manifests +function install_trustee_operands() { + local charts_dir="$1" + + echo ">>> Installing Trustee operands (cluster domain: ${CLUSTER_DOMAIN})" + + # Render operands chart + local operands_yaml="${SCRATCH}/operands-manifests.yaml" + if ! render_trustee_operands_chart "${charts_dir}" > "${operands_yaml}"; then + echo ">>> ERROR: Failed to render operands chart" + return 1 + fi + + echo ">>> Rendered operands YAML (first 30 lines):" + head -30 "${operands_yaml}" + echo ">>> Total YAML lines: $(wc -l < "${operands_yaml}")" + + # Apply operands chart + local apply_output + if ! 
apply_output=$(oc apply -f "${operands_yaml}" 2>&1); then + echo ">>> ERROR: Failed to apply operands manifests" + echo "$apply_output" + echo ">>> Full operands YAML:" + cat "${operands_yaml}" + return 1 + fi + + echo ">>> Apply output:" + echo "$apply_output" +} + +# Wait for operand deployments to become available +function wait_for_operands() { + sleep 10 + + local operand_deployments + operand_deployments=$(oc get deployment -n "${TRUSTEE_NAMESPACE}" -o name 2>/dev/null | grep -v controller-manager || true) + + if [[ -n "${operand_deployments}" ]]; then + for deployment in ${operand_deployments}; do + if ! wait_until "${deployment} Available" 150 15 \ + "oc get '${deployment}' -n '${TRUSTEE_NAMESPACE}' -o jsonpath='{.status.conditions[?(@.type==\"Available\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: ${deployment} not ready after timeout" >&2 + oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + oc describe "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + exit 1 + fi + done + fi +} + +#======================================== +# Configuration Functions +#======================================== + +# Get TLS certificate for cluster ingress (tries multiple sources) +function get_tls_certificate() { + local cert_data="" + + # Try router-ca, ingress-operator secrets, openssl, then any ingress secret + if oc get secret -n openshift-ingress-operator router-ca &>/dev/null; then + cert_data=$(oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + + if [[ -z "${cert_data}" ]]; then + local cert_secret + cert_secret=$(oc get secret -n openshift-ingress-operator -o name 2>/dev/null | grep -E 'router-certs|ingress-operator' | head -1) + if [[ -n "${cert_secret}" ]]; then + cert_data=$(oc get "${cert_secret}" -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + if [[ -z "${cert_data}" ]] && [[ -n 
"${TRUSTEE_HOST}" ]]; then + cert_data=$(echo | timeout 5 openssl s_client -connect "${TRUSTEE_HOST}:443" -servername "${TRUSTEE_HOST}" 2>/dev/null | openssl x509 2>/dev/null || echo "") + fi + + if [[ -z "${cert_data}" ]]; then + local cert_info + cert_info=$(oc get secret -A -o json 2>/dev/null | jq -r '.items[] | select(.metadata.name | contains("ingress")) | select(.data."tls.crt" != null) | "\(.metadata.namespace)/\(.metadata.name)"' | head -1 || echo "") + if [[ -n "${cert_info}" ]]; then + local ns name + ns=$(echo "${cert_info}" | cut -d/ -f1) + name=$(echo "${cert_info}" | cut -d/ -f2) + cert_data=$(oc get secret "${name}" -n "${ns}" -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + [[ -z "${cert_data}" ]] && echo ">>> WARN: No TLS certificate found" >&2 + + echo "${cert_data}" +} + +# Get Trustee KBS service URL and save to SHARED_DIR +function get_trustee_url() { + local kbs_service="kbs-service" + local trustee_url="" + local trustee_host="" + local trustee_port="" + + trustee_port=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.ports[0].port}' 2>/dev/null || echo "8080") + + # Try OpenShift route, LoadBalancer, then ClusterIP + if oc get route -n "${TRUSTEE_NAMESPACE}" &>/dev/null; then + trustee_host=$(oc get route "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.host}' 2>/dev/null || echo "") + if [[ -n "${trustee_host}" ]]; then + trustee_url="http://${trustee_host}" + echo ">>> Trustee URL: ${trustee_url} (HTTP for test environment)" + fi + fi + + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + [[ -z "${trustee_ip}" ]] && trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "") + if [[ -n "${trustee_ip}" ]]; then + 
trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + fi + fi + + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "") + if [[ -n "${trustee_ip}" ]]; then + echo ">>> WARN: Trustee using ClusterIP only (not externally accessible)" + trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + else + echo ">>> ERROR: Cannot find Trustee KBS service in namespace ${TRUSTEE_NAMESPACE}" + return 1 + fi + fi + + echo "${trustee_url}" > "${SHARED_DIR}/TRUSTEE_URL" + echo "${trustee_host}" > "${SHARED_DIR}/TRUSTEE_HOST" + echo "${trustee_port}" > "${SHARED_DIR}/TRUSTEE_PORT" + + export TRUSTEE_URL="${trustee_url}" + export TRUSTEE_HOST="${trustee_host}" + export TRUSTEE_PORT="${trustee_port}" +} + +# Create INITDATA for confidential containers (includes aa.toml, cdh.toml, policy.rego) +function create_initdata() { + local tls_cert + tls_cert=$(get_tls_certificate) + + local policy_data + policy_data=$(oc get secret containers-policy -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.signed}' 2>/dev/null | base64 -d || echo "") + + if [[ -z "${policy_data}" ]]; then + echo ">>> WARN: containers-policy secret not found, using default reject policy" + policy_data='{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "ghcr.io/confidential-containers/test-container-image-rs": [ + { + "type": "sigstoreSigned", + "keyPath": "kbs:///default/cosign-keys/key-0" + } + ] + } + } +}' + fi + + local policy_json + if command -v jq &> /dev/null; then + policy_json=$(echo "${policy_data}" | jq -c '.') + else + policy_json=$(echo "${policy_data}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin), separators=(",", ":")))' 2>/dev/null || echo "${policy_data}") + fi + + local initdata_file="${SCRATCH}/initdata.toml" + + cat > "${initdata_file}" < "${SHARED_DIR}/INITDATA" + 
cp "${initdata_file}" "${SHARED_DIR}/initdata.toml" + + export INITDATA="${encoded_initdata}" +} + +# Update osc-config ConfigMap with Trustee URL and INITDATA +function update_env_configmap() { + if ! oc get configmap osc-config -n default &>/dev/null; then + echo ">>> WARN: osc-config ConfigMap not found normal if env-cm step hasn't run yet)" + exit 1 + fi + + oc patch configmap osc-config -n default --type=json -p="[ + {\"op\": \"replace\", \"path\": \"/data/trusteeUrl\", \"value\": \"${TRUSTEE_URL}\"}, + {\"op\": \"replace\", \"path\": \"/data/INITDATA\", \"value\": \"${INITDATA}\"} + ]" +} + +#======================================== +# Verification Functions +#======================================== + +# Generate kbs-client test pod manifest +function get_kbs_client_manifest() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Pod +metadata: + name: KBS_CLIENT_POD_PLACEHOLDER + namespace: KBS_CLIENT_NAMESPACE_PLACEHOLDER +spec: + containers: + - name: kbs-client + image: KBS_CLIENT_IMAGE_PLACEHOLDER + command: ["sleep", "infinity"] + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + restartPolicy: Never +MANIFEST_EOF +} + +# Map trustee operator version to compatible kbs-client version +function map_trustee_to_kbs_client_version() { + local trustee_version="$1" + case "${trustee_version}" in + 1.1.*|1.1) echo "v0.17.0" ;; + 1.11.*|1.11) echo "v0.19.0" ;; + *) echo "" ;; # No mapping exists + esac +} + +# Determine kbs-client image tag (from KBS_CLIENT_TAG, trustee CSV, or auto-discover) +function get_kbs_client_tag() { + # 1. Use explicit override if provided + if [[ -n "${KBS_CLIENT_TAG:-}" ]]; then + echo ">>> kbs-client tag (from KBS_CLIENT_TAG): ${KBS_CLIENT_TAG}" >&2 + echo "${KBS_CLIENT_TAG}" + return 0 + fi + + # 2. 
Try to map from trustee operator CSV version + if [[ -n "${TRUSTEE_CSV_NAME:-}" ]]; then + # Extract version from CSV name (e.g., "trustee-operator.v1.10.0" -> "1.10.0") + local trustee_version + trustee_version=$(echo "${TRUSTEE_CSV_NAME}" | sed 's/^trustee-operator\.v//') + + if [[ -n "${trustee_version}" ]]; then + # Try major.minor mapping first (e.g., "1.10.0" -> "1.10") + local trustee_minor="${trustee_version%.*}" + local mapped_tag + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_minor}") + + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + + # Try full version mapping if minor didn't match + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_version}") + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + fi + fi + + # 3. Auto-discover latest semver tag from registry + local latest_tag="" + latest_tag=$(skopeo list-tags docker://quay.io/confidential-containers/kbs-client 2>/dev/null | \ + jq -r '.Tags[]' | \ + grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | \ + sort -V | \ + tail -1 || echo "") + + if [[ -n "${latest_tag}" ]]; then + echo ">>> kbs-client tag (auto-discovered latest semver): ${latest_tag}" >&2 + echo "${latest_tag}" + return 0 + fi + + # 4. 
Fallback to known-good version + echo ">>> WARN: Could not determine kbs-client tag, using fallback: v0.17.0" >&2 + echo "v0.17.0" +} + +# Verify Trustee KBS connectivity using kbs-client test pod +function verify_trustee_connectivity() { + local kbs_client_pod="kbs-client-test" + local kbs_client_namespace="${TRUSTEE_NAMESPACE}" + local kbs_client_tag + kbs_client_tag=$(get_kbs_client_tag) + local kbs_client_image="quay.io/confidential-containers/kbs-client:${kbs_client_tag}" + + echo ">>> Creating kbs-client test pod (image: ${kbs_client_image})" + get_kbs_client_manifest | \ + sed "s@KBS_CLIENT_POD_PLACEHOLDER@${kbs_client_pod}@g" | \ + sed "s@KBS_CLIENT_NAMESPACE_PLACEHOLDER@${kbs_client_namespace}@g" | \ + sed "s@KBS_CLIENT_IMAGE_PLACEHOLDER@${kbs_client_image}@g" | \ + oc apply -f - + + # Wait for pod to become ready + if ! wait_until "kbs-client pod Ready" 150 15 \ + "oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: kbs-client pod not ready" >&2 + oc describe pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + oc logs pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true + return 1 + fi + + # Get expected resource value from KbsConfig + local expected_value="" + local configmap_name + configmap_name=$(oc get kbsconfig -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].spec.kbsConfigMapName}' 2>/dev/null || echo "") + + if [[ -n "${configmap_name}" ]]; then + expected_value=$(oc get configmap "${configmap_name}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.kbsres1}' 2>/dev/null || echo "") + fi + + if [[ -z "${expected_value}" ]]; then + echo ">>> WARN: Could not determine expected resource value from KbsConfig ConfigMap" >&2 + # Fallback: check the KbsConfig resource data directly + expected_value=$(oc get kbsconfig -n "${TRUSTEE_NAMESPACE}" 
-o jsonpath='{.items[0].spec.resourceData.default.kbsres1.key1}' 2>/dev/null || echo "key1") + fi + + # Test KBS connectivity using RCA protocol + # The kbs-client performs Remote Attestation Protocol (RCA): + # 1. GET resource → 401 (no token) + # 2. POST /auth + POST /attest (get attestation token) + # 3. GET resource → 200 (with token) + local kbs_test_failed=false + echo ">>> Testing KBS connectivity: ${TRUSTEE_URL}/default/kbsres1/key1" + echo ">>> Expected resource value: ${expected_value}" + + if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ + kbs-client --url "${TRUSTEE_URL}" get-resource --path default/kbsres1/key1 \ + > /tmp/kbs-resource.txt 2> /tmp/kbs-stderr.txt; then + + # Success - verify the retrieved value + echo ">>> Successfully retrieved default/kbsres1/key1" + local resource_value + resource_value=$(cat /tmp/kbs-resource.txt 2>/dev/null || echo "") + echo ">>> Retrieved resource value: ${resource_value}" + + # Validate the retrieved value matches what was configured + if [[ -n "${expected_value}" ]] && [[ "${resource_value}" != "${expected_value}" ]]; then + echo ">>> ERROR: Resource value mismatch!" 
+ echo ">>> Expected: ${expected_value}" + echo ">>> Retrieved: ${resource_value}" + kbs_test_failed=true + else + echo ">>> ✓ Resource value matches expected value" + kbs_test_failed=false + fi + else + # Failure - show diagnostics + echo ">>> ERROR: Failed to retrieve resource from Trustee KBS at ${TRUSTEE_URL}" + + # Show stderr (has the actual error) + if [[ -s /tmp/kbs-stderr.txt ]]; then + echo ">>> Error output:" + cat /tmp/kbs-stderr.txt + fi + + # Show stdout (might have partial data) + if [[ -s /tmp/kbs-resource.txt ]]; then + echo ">>> Partial output:" + cat /tmp/kbs-resource.txt + fi + + # Check for specific error patterns in both stdout and stderr + local all_output + all_output="$(cat /tmp/kbs-resource.txt /tmp/kbs-stderr.txt 2>/dev/null || true)" + + if echo "${all_output}" | grep -q "404\|not found\|NotFound"; then + echo ">>> ERROR: Resource not found (404) - KbsConfig may not have published secrets correctly" + fi + if echo "${all_output}" | grep -q "Connection refused\|Connection timed out\|timed out"; then + echo ">>> ERROR: Cannot connect to KBS service" + fi + if echo "${all_output}" | grep -q "certificate verify failed\|SSL\|TLS"; then + echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS (current: ${TRUSTEE_URL})" + fi + + kbs_test_failed=true + fi + + # Capture KBS logs for debugging (shows RCA protocol flow) + local kbs_pod + kbs_pod=$(oc get pod -n "${TRUSTEE_NAMESPACE}" -l app=kbs -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + + if [[ -n "${kbs_pod}" ]]; then + local log_file="${ARTIFACT_DIR:-${SHARED_DIR}}/kbs-attestation-logs.txt" + # Strip ANSI color codes from logs for cleaner output + oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m 2>&1 | sed 's/\x1b\[[0-9;]*m//g' > "${log_file}" || true + + if [[ -n "${ARTIFACT_DIR}" && "${ARTIFACT_DIR}" != "${SHARED_DIR}" ]]; then + cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true + fi + + # Show attestation patterns (RCA 
protocol flow) + echo ">>> Attestation patterns (RCA protocol):" + if grep -q "POST.*attest" "${log_file}" 2>/dev/null; then + echo "✓ Attestation (POST /auth, POST /attest):" + grep -E "POST.*/auth|POST.*attest" "${log_file}" | tail -4 + else + echo "⚠ No attestation POST requests" + fi + + if grep -q "GET.*resource" "${log_file}" 2>/dev/null; then + echo "✓ Resource access (GET → 401 → attest → GET → 200):" + grep "GET.*resource" "${log_file}" | tail -5 + else + echo "⚠ No resource GET requests" + fi + else + echo ">>> WARN: Could not find KBS pod" + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + fi + + oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true + + if [[ "${kbs_test_failed}" == "true" ]]; then + echo ">>> ERROR: kbs-client connectivity test failed" + return 1 + fi + + return 0 +} + +#======================================== +# Main Execution +#======================================== + +echo ">>> Starting Trustee operator installation" + +# Fetch helm charts from GitHub +CHARTS_DIR=$(fetch_trustee_charts) +export CHARTS_DIR + +# Get cluster domain +CLUSTER_DOMAIN=$(get_cluster_domain) +export CLUSTER_DOMAIN + +# Install operator and operands +install_trustee_operator "${CHARTS_DIR}" +wait_for_operator +install_trustee_operands "${CHARTS_DIR}" +wait_for_operands + +# Configure and verify +get_trustee_url +create_initdata +update_env_configmap +verify_trustee_connectivity + +echo ">>> Trustee operator installation complete" +echo ">>> KBS URL: ${TRUSTEE_URL}" +echo ">>> INITDATA saved to: ${SHARED_DIR}/INITDATA" diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json new file mode 100644 index 0000000000000..3bf63215782f7 --- /dev/null 
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json
@@ -0,0 +1,17 @@
+{
+ "path": "sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml",
+ "owners": {
+ "approvers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ],
+ "reviewers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml
new file mode 100644
index 0000000000000..0b21ff5bcf200
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml
@@ -0,0 +1,60 @@ +ref: + as: sandboxed-containers-operator-install-trustee-operator + from: tools-with-helm + grace_period: 10m + commands: sandboxed-containers-operator-install-trustee-operator-commands.sh + dependencies: + - name: trustee-charts + env: IMAGE_TRUSTEE_CHARTS + resources: + requests: + cpu: 1000m + memory: 2000Mi + env: + - name: TRUSTEE_INSTALL + default: "false" + documentation: |- + Whether to install the trustee operator. Set to "true" to enable installation. + - name: TRUSTEE_NAMESPACE + default: "trustee-operator-system" + documentation: |- + The namespace where the trustee operator will be installed + - name: TRUSTEE_CATALOG_SOURCE_IMAGE + default: "" + documentation: |- + The container image for a custom trustee operator CatalogSource. + If empty (default), uses existing "redhat-operators" catalog. + If set, helm chart creates a new CatalogSource named "trustee-operator-dev-catalog" with this image. + Note: The CatalogSource name is hardcoded in the helm chart and cannot be overridden. + Example: "quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656" + - name: TRUSTEE_CHARTS_REPO + default: "https://github.com/confidential-devhub/charts" + documentation: |- + The git repository URL for trustee Helm charts. Used as a fallback when + IMAGE_TRUSTEE_CHARTS is not set. + - name: TRUSTEE_CHARTS_REF + default: "main" + documentation: |- + The git ref (branch/tag/commit) to use from the confidential-devhub/charts repository + - name: KBS_CLIENT_TAG + default: "" + documentation: |- + The kbs-client image tag to use for connectivity testing. If empty, automatically + discovers the latest v.X.Y.Z tag using skopeo. Override to pin a specific version + (e.g., "v0.19.0"). Fallback is v0.19.0 if skopeo lookup fails. + documentation: |- + A step that installs the trustee operator and operands on the cluster using pre-rendered + manifests embedded in the script. 
First installs the trustee-operator, waits for it to be + ready, then installs the trustee-operands with the derived cluster domain. After installation, + retrieves the Trustee KBS service URL and saves it to ${SHARED_DIR}/TRUSTEE_URL, + ${SHARED_DIR}/TRUSTEE_HOST, and ${SHARED_DIR}/TRUSTEE_PORT for use by subsequent test steps. + Also creates INITDATA for confidential containers including TLS certificate and image security + policy, saving both the encoded INITDATA and plain text initdata.toml to ${SHARED_DIR}. + When TRUSTEE_INSTALL=true, updates the osc-config ConfigMap with the generated TRUSTEE_URL + and INITDATA values, overriding any empty values set in the job configuration. Finally, + verifies Trustee connectivity by creating a kbs-client pod, testing resource fetching, and + capturing KBS pod logs showing attestation attempts to ${ARTIFACT_DIR}/kbs-attestation-logs.txt + for inclusion in CI job artifacts. + + NO NETWORK ACCESS REQUIRED: This step uses pre-rendered manifests with runtime variable + substitution via sed, eliminating the need for helm or git. Works with restrict_network_access: true. diff --git a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml index a46aca64e11a5..3cb7b9fc097a3 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml +++ b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml 
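Review bot: The last paragraph of the step `documentation` states that no network access is required and that helm and git are not needed, yet the same ref sets `from: tools-with-helm`, gives `TRUSTEE_CHARTS_REPO` a GitHub URL as its default, and documents `KBS_CLIENT_TAG` as looking up the newest tag with skopeo; one of the two descriptions is stale and should be removed so that a job owner enabling `restrict_network_access` knows what to expect. The defaults also follow mutable references: `TRUSTEE_CHARTS_REF` is `main` and an empty `KBS_CLIENT_TAG` resolves to whatever tag is newest at run time, so the manifests applied to the cluster and the client image used for the attestation check can change without any change to this file. I would pin both, for example `default: "<CHARTS_COMMIT_SHA>"` for `TRUSTEE_CHARTS_REF` and `default: "v0.19.0"` for `KBS_CLIENT_TAG`, the version the text already names as the fallback. The example tag is also written `v.X.Y.Z` where `vX.Y.Z` seems to be meant.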
@@ -4,6 +4,7 @@ chain:
 - ref: sandboxed-containers-operator-get-kata-rpm
 - ref: sandboxed-containers-operator-peerpods-param-cm
 - ref: sandboxed-containers-operator-env-cm
+ - ref: sandboxed-containers-operator-install-trustee-operator
 - ref: sandboxed-containers-operator-record-metadata
 documentation: |-
 The sandboxed containers operator pre-testing chain
\ No newline at end of file
diff --git a/clusters/gitops/apps/appproject-core-ci.yaml b/clusters/gitops/apps/appproject-core-ci.yaml
index 8022908005d5d..f44c7efc5621a 100644
--- a/clusters/gitops/apps/appproject-core-ci.yaml
+++ b/clusters/gitops/apps/appproject-core-ci.yaml
@@ -18,6 +18,12 @@ spec:
 kind: ClusterRoleBinding
 - group: apiextensions.k8s.io
 kind: CustomResourceDefinition
+ - group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ - group: node.k8s.io
+ kind: RuntimeClass
+ - group: scheduling.k8s.io
+ kind: PriorityClass
 - group: pipelines.openshift.io
 kind: GitopsService
 - group: operator.openshift.io
diff --git a/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay b/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay
index 6fcfa2bf83068..70b2be99ff6bf 100644
--- a/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay
+++ b/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay
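Review bot: Adding `MutatingWebhookConfiguration` to the cluster-scoped kinds this project may manage in appproject-core-ci.yaml is a far broader grant than the `RuntimeClass` and `PriorityClass` entries next to it, because an application synced through the project could then register a webhook that rewrites objects admitted anywhere in the cluster. The list key and the rest of the spec are outside the hunk, so I am assuming this is the project's cluster resource allow list. Nothing in the hunk records which application needs the three kinds; a comment above the new entries such as `# needed by <APPLICATION_NAME>, which ships its own admission webhook` would make the grant reviewable later. It is also worth confirming that the project's source repositories and destinations are limited to the ones meant to deliver that webhook.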
@@ -3,5 +3,7 @@ quay.io/openshift/ci:logging_promtail_v3.4.3 quay.io/openshift-logging/promtail:
 quay.io/openshift/ci:logging_loki_v3.5.7 quay.io/openshift-logging/loki:v3.5.7
 quay.io/openshift/ci:logging_promtail_v3.5.7 quay.io/openshift-logging/promtail:v3.5.7
 quay.io/openshift/ci:logging_loki_v3.6.5 quay.io/openshift-logging/loki:v3.6.5
-quay.io/openshift/ci:logging_promtail_v3.6.5 quay.io/openshift-logging/promtail:v3.6.5 quay.io/openshift-logging/promtail:latest
+quay.io/openshift/ci:logging_promtail_v3.6.5 quay.io/openshift-logging/promtail:v3.6.5
+quay.io/openshift/ci:logging_loki_v3.6.12 quay.io/openshift-logging/loki:v3.6.12
+quay.io/openshift/ci:logging_promtail_v3.6.12 quay.io/openshift-logging/promtail:v3.6.12 quay.io/openshift-logging/promtail:latest
 quay.io/openshift/ci:logging_loki_v3.7.2 quay.io/openshift-logging/loki:v3.7.2 quay.io/openshift-logging/loki:latest
diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml
new file mode 100644
index 0000000000000..2a5d6cf392a3f
--- /dev/null
+++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml
@@ -0,0 +1,81 @@
+approve:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ require_self_approval: false
+external_plugins:
+ opendatahub-io/ai-gateway-operator:
+ - endpoint: http://refresh
+ events:
+ - issue_comment
+ name: refresh
+ - endpoint: http://cherrypick
+ events:
+ - issue_comment
+ - pull_request
+ name: cherrypick
+ - endpoint: http://needs-rebase
+ events:
+ - issue_comment
+ - pull_request
+ name: needs-rebase
+ - endpoint: http://backport-verifier
+ events:
+ - issue_comment
+ - pull_request
+ name: backport-verifier
+ - endpoint: http://payload-testing-prow-plugin
+ events:
+ - issue_comment
+ name: payload-testing-prow-plugin
+ - endpoint: http://jira-lifecycle-plugin
+ events:
+ - issue_comment
+ - pull_request
+ - pull_request_review
+ name: jira-lifecycle-plugin
+ - endpoint: http://pipeline-controller
+ events:
+ - pull_request
+ - issue_comment
+ name: pipeline-controller
+ - endpoint: http://multi-pr-prow-plugin
+ events:
+ - issue_comment
+ name: multi-pr-prow-plugin
+lgtm:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ review_acts_as_lgtm: true
+plugins:
+ opendatahub-io/ai-gateway-operator:
+ plugins:
+ - assign
+ - blunderbuss
+ - cat
+ - dog
+ - heart
+ - golint
+ - goose
+ - help
+ - hold
+ - jira
+ - label
+ - lgtm
+ - lifecycle
+ - override
+ - pony
+ - retitle
+ - shrug
+ - sigmention
+ - skip
+ - trigger
+ - verify-owners
+ - owners-label
+ - wip
+ - yuks
+ - approve
+triggers:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ trusted_apps:
+ - openshift-merge-bot
diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml
new file mode 100644
index 0000000000000..21ee2a795d1cf
--- /dev/null
+++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml
@@ -0,0 +1,18 @@
+tide:
+ merge_method:
+ opendatahub-io/ai-gateway-operator: squash
+ queries:
+ - includedBranches:
+ - main
+ labels:
+ - approved
+ - lgtm
+ missingLabels:
+ - backports/unvalidated-commits
+ - do-not-merge/hold
+ - do-not-merge/invalid-owners-file
+ - do-not-merge/work-in-progress
+ - jira/invalid-bug
+ - needs-rebase
+ repos:
+ - opendatahub-io/ai-gateway-operator
diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml
index f98512edc720a..7eeec9187fe6e 100644
--- a/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml
+++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml
@@ -2,7 +2,9 @@ tide:
 merge_method:
 opendatahub-io/ai-gateway-payload-processing: squash
 queries:
- - labels:
+ - includedBranches:
+ - main
+ labels:
 - approved
 - lgtm
 missingLabels:
diff --git a/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml b/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml
index 19abe5cf16441..cc336eb06ddc2 100644
--- a/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml b/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml
index 1a88be12f882a..4c89a86a3a2cb 100644
--- a/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml b/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml
index 17be205c5d3ba..514cfebfd504f 100644
--- a/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml b/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml
index abaf3fd4a9731..75c8192e84c76 100644
--- a/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml
index 0668638edc647..1acd1a3a9ee77 100644
--- a/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml
index 82ada4d400dfb..dd9de2cac352f 100644
--- a/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml
index 5b005d9b8cdd3..c0327c14bd8e0 100644
--- a/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml
index 63d2b7023d9ab..f4a666ee6c85a 100644
--- a/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml
index 08b235595c199..9a823f0f24626 100644
--- a/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml
+++ b/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml
@@ -2,6 +2,7 @@ tide:
 queries:
 - labels:
 - approved
+ - jira/valid-reference
 - lgtm
 missingLabels:
 - backports/unvalidated-commits
diff --git a/core-services/prow/02_config/osac-project/osac-workspace/OWNERS b/core-services/prow/02_config/osac-project/osac-workspace/OWNERS
new file mode 100644
index 0000000000000..db968e2befc93
--- /dev/null
+++ b/core-services/prow/02_config/osac-project/osac-workspace/OWNERS
@@ -0,0 +1,29 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/osac-project/osac-workspace root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+filters:
+ '[^.]':
+ approvers:
+ - adriengentil
+ - akshaynadkarni
+ - eliorerz
+ - eranco74
+ - jhernand
+ - larsks
+ - omer-vishlitzky
+ - rgolangh
+ - trewest
+ reviewers:
+ - adriengentil
+ - akshaynadkarni
+ - eliorerz
+ - eranco74
+ - jhernand
+ - larsks
+ - omer-vishlitzky
+ - rgolangh
+ - trewest
+options: {}
diff --git a/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml b/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml
new file mode 100644
index 0000000000000..bd4b94752ff6e
--- /dev/null
+++ b/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml
@@ -0,0 +1,82 @@
+approve:
+- repos:
+ - osac-project/osac-workspace
+ require_self_approval: false
+external_plugins:
+ osac-project/osac-workspace:
+ - endpoint: http://refresh
+ events:
+ - issue_comment
+ name: refresh
+ - endpoint: http://cherrypick
+ events:
+ - issue_comment
+ - pull_request
+ name: cherrypick
+ - endpoint: http://needs-rebase
+ events:
+ - issue_comment
+ - pull_request
+ name: needs-rebase
+ - endpoint: http://backport-verifier
+ events:
+ - issue_comment
+ - pull_request
+ name: backport-verifier
+ - endpoint: http://payload-testing-prow-plugin
+ events:
+ - issue_comment
+ name: payload-testing-prow-plugin
+ - endpoint: http://jira-lifecycle-plugin
+ events:
+ - issue_comment
+ - pull_request
+ - pull_request_review
+ name: jira-lifecycle-plugin
+ - endpoint: http://pipeline-controller
+ events:
+ - pull_request
+ - issue_comment
+ name: pipeline-controller
+ - endpoint: http://multi-pr-prow-plugin
+ events:
+ - issue_comment
+ name: multi-pr-prow-plugin
+lgtm:
+- repos:
+ - osac-project/osac-workspace
+ review_acts_as_lgtm: true
+plugins:
+ osac-project/osac-workspace:
+ plugins:
+ - assign
+ - blunderbuss
+ - cat
+ - dog
+ - heart
+ - golint
+ - goose
+ - help
+ - hold
+ - jira
+ - label
+ - lgtm
+ - lifecycle
+ - override
+ - pony
+ - retitle
+ - shrug
+ - sigmention
+ - skip
+ - trigger
+ - verify-owners
+ - owners-label
+ - wip
+ - yuks
+ - approve
+triggers:
+- repos:
+ - osac-project/osac-workspace
+ trusted_apps:
+ - openshift-merge-bot
+ - dependabot
diff --git a/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml
new file mode 100644
index 0000000000000..6e6f3832f9c5a
--- /dev/null
+++ b/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml
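Review bot: The `trusted_apps` list that closes the osac-workspace `_pluginconfig.yaml` adds `dependabot` next to `openshift-merge-bot`, which the otherwise identical ai-gateway-operator plugin config earlier in this diff does not. As I understand the trigger plugin, pull requests opened by a trusted app have their presubmits started without an org member's `/ok-to-test`, so dependency bumps proposed by the bot would pull and execute new third-party code in CI before anyone has reviewed them. If that is intended, a comment above the entry such as `# dependabot PRs start presubmits unreviewed; presubmits for this repo must not mount credentials` would record the assumption; if not, keep `- openshift-merge-bot` as the only entry.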
@@ -0,0 +1,15 @@
+tide:
+ queries:
+ - labels:
+ - approved
+ - jira/valid-reference
+ - lgtm
+ missingLabels:
+ - backports/unvalidated-commits
+ - do-not-merge/hold
+ - do-not-merge/invalid-owners-file
+ - do-not-merge/work-in-progress
+ - jira/invalid-bug
+ - needs-rebase
+ repos:
+ - osac-project/osac-workspace