From da80c46ed55a0f3cb18262c594bb41d60721006d Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 25 Jun 2026 11:08:52 -0400 Subject: [PATCH 01/14] Add OCP 4.22 to prow Other changes: - MUST_GATHER_ON_FAILURE_ONLY: "false" # so prow always runs kata must-gather - INSTALL_KATA_RPM: true - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 # 4.19 -> 4.21 - KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 # 4.22 https://redhat.atlassian.net/browse/KATA-5459 Rehearsal success in https://github.com/openshift/release/pull/80932 Signed-off-by: Tom Buskey Add note to README.md about restrict_network_access --- ...erator-devel__downstream-candidate419.yaml | 42 +- ...erator-devel__downstream-candidate420.yaml | 42 +- ...erator-devel__downstream-candidate421.yaml | 34 +- ...erator-devel__downstream-candidate422.yaml | 291 ++++++++ ...d-containers-operator-devel-periodics.yaml | 658 ++++++++++++++++++ .../sandboxed-containers-operator/README.md | 4 +- 6 files changed, 1011 insertions(+), 60 deletions(-) create mode 100644 ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 6ebb5e7e369df..42076da37f434 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml
@@ -44,10 +44,10 @@ tests:
 CUSTOM_AZURE_REGION: eastus
 ENABLE_MUST_GATHER: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&
 TEST_RELEASE_TYPE: Pre-GA
@@ -80,10 +80,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -118,10 +118,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -156,11 +156,11 @@ tests:
 ENABLEPEERPODS: "true"
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
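Review bot: Flipping `MUST_GATHER_ON_FAILURE_ONLY` to `"false"` makes the must-gather step run on every job, yet `MUST_GATHER_IMAGE` on the context line between the two changes still resolves the floating `osc-must-gather-rhel9:latest` tag, so what an always-on gather collects (and whether the pull succeeds) can change between two runs of the same pinned `KATA_RPM_VERSION` with nothing changing in this repo. Pinning the image by digest, or at least to a versioned tag, would keep the extra artifacts reproducible and reviewable. The same pairing appears in every other hunk of this file, in all hunks of the candidate420 and candidate421 configs, and in each test of the new candidate422 config, where the `osc-test-fbc:latest` catalog image has the same property. If tracking latest is deliberate for these Pre-GA jobs, a line in the README note this commit adds would save the next reviewer the question.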
@@ -195,11 +195,11 @@ tests:
 ENABLEPEERPODS: "true"
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -233,10 +233,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -270,10 +270,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml
index 7c4604c457c01..f08313bb41ff2 100644
--- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml
+++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml
@@ -44,10 +44,10 @@ tests:
 CUSTOM_AZURE_REGION: eastus
 ENABLE_MUST_GATHER: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&
 TEST_RELEASE_TYPE: Pre-GA
@@ -80,10 +80,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -118,10 +118,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -156,11 +156,11 @@ tests:
 ENABLEPEERPODS: "true"
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -195,11 +195,11 @@ tests:
 ENABLEPEERPODS: "true"
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -233,10 +233,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -270,10 +270,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml
index b86e51f6c2ca5..bfdd37b512e75 100644
--- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml
+++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml
@@ -45,9 +45,9 @@ tests:
 ENABLE_MUST_GATHER: "true"
 INITDATA: ""
 INSTALL_KATA_RPM: "true"
- KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&
 TEST_RELEASE_TYPE: Pre-GA
@@ -81,9 +81,9 @@ tests:
 ENABLEPEERPODS: "true"
 INITDATA: ""
 INSTALL_KATA_RPM: "true"
- KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -118,10 +118,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -157,10 +157,10 @@ tests:
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
 INSTALL_KATA_RPM: "true"
- KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -195,11 +195,11 @@ tests:
 ENABLEPEERPODS: "true"
 HYPERSHIFT_AZURE_LOCATION: eastus
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 LOCATION: eastus
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -234,9 +234,9 @@ tests:
 ENABLEPEERPODS: "true"
 INITDATA: ""
 INSTALL_KATA_RPM: "true"
- KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
@@ -270,10 +270,10 @@ tests:
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"
 INITDATA: ""
- INSTALL_KATA_RPM: "false"
- KATA_RPM_VERSION: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9
 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
- MUST_GATHER_ON_FAILURE_ONLY: "true"
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
 RUNTIMECLASS: kata-remote
 SLEEP_DURATION: 0h
 TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
new file mode 100644
index 0000000000000..2aa6d17ac457c
--- /dev/null
+++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
@@ -0,0 +1,291 @@
+base_images:
+ tests-private:
+ name: tests-private
+ namespace: ci
+ tag: "4.22"
+ upi-installer:
+ name: "4.22"
+ namespace: ocp
+ tag: upi-installer
+prowgen:
+ disable_sparse_checkout: true
+releases:
+ latest:
+ release:
+ architecture: amd64
+ channel: fast
+ version: "4.22"
+resources:
+ '*':
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: azure-ipi-kata
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: azure-qe
+ env:
+ BASE_DOMAIN: qe.azure.devcluster.openshift.com
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ CUSTOM_AZURE_REGION: eastus
+ ENABLE_MUST_GATHER: "true"
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ workflow: sandboxed-containers-operator-e2e-azure
+ timeout: 24h0m0s
+- as: azure-ipi-peerpods
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: azure-qe
+ env:
+ BASE_DOMAIN: qe.azure.devcluster.openshift.com
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ CUSTOM_AZURE_REGION: eastus
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: peer-pods
+ workflow: sandboxed-containers-operator-e2e-azure
+ timeout: 24h0m0s
+- as: azure-ipi-coco
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: azure-qe
+ env:
+ BASE_DOMAIN: qe.azure.devcluster.openshift.com
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ CUSTOM_AZURE_REGION: eastus
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: coco
+ workflow: sandboxed-containers-operator-e2e-azure
+ timeout: 24h0m0s
+- as: aro-ipi-peerpods
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: azure-qe
+ env:
+ ARO_CLUSTER_VERSION: "4.17"
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ HYPERSHIFT_AZURE_LOCATION: eastus
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ LOCATION: eastus
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: peer-pods
+ workflow: sandboxed-containers-operator-e2e-aro
+ timeout: 24h0m0s
+- as: aro-ipi-coco
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: azure-qe
+ env:
+ ARO_CLUSTER_VERSION: "4.17"
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ HYPERSHIFT_AZURE_LOCATION: eastus
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ LOCATION: eastus
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: coco
+ workflow: sandboxed-containers-operator-e2e-aro
+ timeout: 24h0m0s
+- as: aws-ipi-peerpods
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: aws-sandboxed-containers-operator
+ env:
+ AWS_REGION_OVERRIDE: us-east-2
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: peer-pods
+ workflow: sandboxed-containers-operator-e2e-aws
+ timeout: 24h0m0s
+- as: aws-ipi-coco
+ capabilities:
+ - intranet
+ cron: 0 0 31 2 1
+ reporter_config:
+ channel: '#kata-ocp-ci-reports'
+ job_states_to_report:
+ - success
+ - failure
+ - error
+ report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}}
+ {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}}
+ <{{.Status.URL}}|View logs>'
+ restrict_network_access: false
+ steps:
+ cluster_profile: aws-sandboxed-containers-operator
+ env:
+ AWS_REGION_OVERRIDE: us-east-2
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_NAME: brew-catalog
+ ENABLE_MUST_GATHER: "true"
+ ENABLEPEERPODS: "true"
+ INITDATA: ""
+ INSTALL_KATA_RPM: "true"
+ KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9
+ MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest
+ MUST_GATHER_ON_FAILURE_ONLY: "false"
+ RUNTIMECLASS: kata-remote
+ SLEEP_DURATION: 0h
+ TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133&
+ TEST_RELEASE_TYPE: Pre-GA
+ TEST_SCENARIOS: sig-kata.*Kata Author
+ TEST_TIMEOUT: "90"
+ TRUSTEE_URL: ""
+ WORKLOAD_TO_TEST: coco
+ workflow: sandboxed-containers-operator-e2e-aws
+ timeout: 24h0m0s
+zz_generated_metadata:
+ branch: devel
+ org: openshift
+ repo: sandboxed-containers-operator
+ variant: downstream-candidate422
diff --git a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml
index ea278d814439b..da4bc21152346 100644
--- a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml
+++ b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml
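Review bot: In the new config, `aro-ipi-peerpods` and `aro-ipi-coco` set `ARO_CLUSTER_VERSION: "4.17"` while `releases.latest.version` is `"4.22"` and every test pins `KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9`; if that variable selects the ARO cluster release, these two jobs would install a kata RPM built for 4.22 on a 4.17 cluster, which looks like a value carried over from an older variant rather than a deliberate mismatch. Either bump it in step with the release or record in the README why the ARO jobs stay behind. Separately, `cron: 0 0 31 2 1` on all seven tests reads as a never-fires schedule, but under Vixie-style cron semantics (which Prow's parser follows, as far as I know) a schedule with both day-of-month and day-of-week restricted fires when either field matches, so these jobs would run on every Monday in February; `0 0 31 2 *` is the unambiguous form if never is the intent, and the same expression is copied into the generated periodics. Finally, `restrict_network_access: false` on every test is the setting the commit message says is documented in README.md (outside this chunk); since this config is rewritten by the repo's determinize tooling and, as far as I know, cannot carry comments, that README note should name which step needs unrestricted egress so the setting is not copied blindly into the next variant.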
@@ -3947,6 +3947,664 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aro-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: 
manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aro-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + 
- name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-sandboxed-containers-operator + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State 
"success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + 
capability/intranet: intranet + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-sandboxed-containers-operator + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-coco + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-coco + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + 
name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-kata + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - 
--lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-kata + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate422 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: 
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-peerpods + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=azure-ipi-peerpods + - --variant=downstream-candidate422 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + 
secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 0 31 2 1 diff --git a/ci-operator/step-registry/sandboxed-containers-operator/README.md b/ci-operator/step-registry/sandboxed-containers-operator/README.md index 7cff08b86bd2c..c83640ea588bd 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/README.md +++ b/ci-operator/step-registry/sandboxed-containers-operator/README.md @@ -1,5 +1,7 @@ This directory contain the steps, chains and workflows implemented specifically for the Openshift Sandboxed Containers (OSC) jobs. +*Note the prowjobs need **restrict_network_access: false** for konflux. If doing a /pj-rehearse, it needs to be **true**. If the PR is merged, it should be reverted to **false*** + ## Steps Here is the list of steps and their explanation. @@ -209,7 +211,7 @@ for ``Running step launch-cucushift-installer-wait.`` line in there. Once it shows there the cluster is ready and waiting for you for the specified amount of time. -Getting access to your testing cluster is slightly harder as first +Getting access to your testing cluster is slightly harder as first you need to get to the ``main build OCP``. To do so: 1. open the ``job started...`` link by clusterbot From da9e737573c3cd20c850db94896a5737f3f89d19 Mon Sep 17 00:00:00 2001 From: Eran Cohen Date: Thu, 25 Jun 2026 18:16:22 +0300 Subject: [PATCH 02/14] OSAC-1770: require jira/valid-reference label for merge across all OSAC repos (#81073) * OSAC-1770: require jira/valid-reference label for merge across all OSAC repos OSAC-1800: add Prow/Tide configuration for osac-workspace Add jira/valid-reference to the required Tide labels for all 9 existing OSAC repos, and add full Prow/Tide configuration for osac-workspace (which was previously missing). PRs must now have a valid Jira ticket (e.g. OSAC-1234: title) or explicitly say NO-ISSUE in the title to be mergeable. Assisted-by: Claude Code 
Signed-off-by: Eran Cohen * OSAC-1770: determinize prow config for label ordering Run `make prow-config` to sort labels alphabetically as required by the prow-config CI check. Assisted-by: Claude Code Signed-off-by: Eran Cohen --------- Signed-off-by: Eran Cohen --- .../_prowconfig.yaml | 1 + .../osac-project/docs/_prowconfig.yaml | 1 + .../enhancement-proposals/_prowconfig.yaml | 1 + .../fulfillment-service/_prowconfig.yaml | 1 + .../osac-project/osac-aap/_prowconfig.yaml | 1 + .../osac-installer/_prowconfig.yaml | 1 + .../osac-operator/_prowconfig.yaml | 1 + .../osac-test-infra/_prowconfig.yaml | 1 + .../osac-project/osac-ui/_prowconfig.yaml | 1 + .../osac-project/osac-workspace/OWNERS | 29 +++++++ .../osac-workspace/_pluginconfig.yaml | 82 +++++++++++++++++++ .../osac-workspace/_prowconfig.yaml | 15 ++++ 12 files changed, 135 insertions(+) create mode 100644 core-services/prow/02_config/osac-project/osac-workspace/OWNERS create mode 100644 core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml create mode 100644 core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml diff --git a/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml b/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml index 19abe5cf16441..cc336eb06ddc2 100644 --- a/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/bare-metal-fulfillment-operator/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml b/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml index 1a88be12f882a..4c89a86a3a2cb 100644 --- a/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml 
+++ b/core-services/prow/02_config/osac-project/docs/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml b/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml index 17be205c5d3ba..514cfebfd504f 100644 --- a/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/enhancement-proposals/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml b/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml index abaf3fd4a9731..75c8192e84c76 100644 --- a/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/fulfillment-service/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml index 0668638edc647..1acd1a3a9ee77 100644 --- a/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/osac-aap/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml index 82ada4d400dfb..dd9de2cac352f 100644 --- a/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml 
+++ b/core-services/prow/02_config/osac-project/osac-installer/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml index 5b005d9b8cdd3..c0327c14bd8e0 100644 --- a/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/osac-operator/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml index 63d2b7023d9ab..f4a666ee6c85a 100644 --- a/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/osac-test-infra/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml index 08b235595c199..9a823f0f24626 100644 --- a/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml +++ b/core-services/prow/02_config/osac-project/osac-ui/_prowconfig.yaml @@ -2,6 +2,7 @@ tide: queries: - labels: - approved + - jira/valid-reference - lgtm missingLabels: - backports/unvalidated-commits diff --git a/core-services/prow/02_config/osac-project/osac-workspace/OWNERS b/core-services/prow/02_config/osac-project/osac-workspace/OWNERS new file mode 100644 index 0000000000000..db968e2befc93 --- /dev/null +++ b/core-services/prow/02_config/osac-project/osac-workspace/OWNERS 
@@ -0,0 +1,29 @@ +# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools. +# Fetched from https://github.com/osac-project/osac-workspace root OWNERS +# If the repo had OWNERS_ALIASES then the aliases were expanded +# Logins who are not members of 'openshift' organization were filtered out +# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md + +filters: + '[^.]': + approvers: + - adriengentil + - akshaynadkarni + - eliorerz + - eranco74 + - jhernand + - larsks + - omer-vishlitzky + - rgolangh + - trewest + reviewers: + - adriengentil + - akshaynadkarni + - eliorerz + - eranco74 + - jhernand + - larsks + - omer-vishlitzky + - rgolangh + - trewest +options: {} diff --git a/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml b/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml new file mode 100644 index 0000000000000..bd4b94752ff6e --- /dev/null +++ b/core-services/prow/02_config/osac-project/osac-workspace/_pluginconfig.yaml 
@@ -0,0 +1,82 @@
+approve:
+- repos:
+ - osac-project/osac-workspace
+ require_self_approval: false
+external_plugins:
+ osac-project/osac-workspace:
+ - endpoint: http://refresh
+ events:
+ - issue_comment
+ name: refresh
+ - endpoint: http://cherrypick
+ events:
+ - issue_comment
+ - pull_request
+ name: cherrypick
+ - endpoint: http://needs-rebase
+ events:
+ - issue_comment
+ - pull_request
+ name: needs-rebase
+ - endpoint: http://backport-verifier
+ events:
+ - issue_comment
+ - pull_request
+ name: backport-verifier
+ - endpoint: http://payload-testing-prow-plugin
+ events:
+ - issue_comment
+ name: payload-testing-prow-plugin
+ - endpoint: http://jira-lifecycle-plugin
+ events:
+ - issue_comment
+ - pull_request
+ - pull_request_review
+ name: jira-lifecycle-plugin
+ - endpoint: http://pipeline-controller
+ events:
+ - pull_request
+ - issue_comment
+ name: pipeline-controller
+ - endpoint: http://multi-pr-prow-plugin
+ events:
+ - issue_comment
+ name: multi-pr-prow-plugin
+lgtm:
+- repos:
+ - osac-project/osac-workspace
+ review_acts_as_lgtm: true
+plugins:
+ osac-project/osac-workspace:
+ plugins:
+ - assign
+ - blunderbuss
+ - cat
+ - dog
+ - heart
+ - golint
+ - goose
+ - help
+ - hold
+ - jira
+ - label
+ - lgtm
+ - lifecycle
+ - override
+ - pony
+ - retitle
+ - shrug
+ - sigmention
+ - skip
+ - trigger
+ - verify-owners
+ - owners-label
+ - wip
+ - yuks
+ - approve
+triggers:
+- repos:
+ - osac-project/osac-workspace
+ trusted_apps:
+ - openshift-merge-bot
+ - dependabot
diff --git a/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml b/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml
new file mode 100644
index 0000000000000..6e6f3832f9c5a
--- /dev/null
+++ b/core-services/prow/02_config/osac-project/osac-workspace/_prowconfig.yaml
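Review bot: `trusted_apps` under `triggers` lists `dependabot` as well as `openshift-merge-bot`, so presubmits on Dependabot PRs start without a member's `/ok-to-test`, whereas the ai-gateway-operator `_pluginconfig.yaml` in patch 04 of this series trusts only `openshift-merge-bot`; whether the other nine OSAC repos trust dependabot is not visible in this diff. If that is intended for osac-workspace, a comment above the entry such as `# dependabot PRs run presubmits without /ok-to-test` would record the decision; if not, drop the line. As a point of style, the `plugins` list is unsorted (`owners-label` follows `verify-owners`, `approve` comes last), presumably copied from a sibling config, which makes diffs between the OSAC plugin configs noisier than they need to be.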
@@ -0,0 +1,15 @@ +tide: + queries: + - labels: + - approved + - jira/valid-reference + - lgtm + missingLabels: + - backports/unvalidated-commits + - do-not-merge/hold + - do-not-merge/invalid-owners-file + - do-not-merge/work-in-progress + - jira/invalid-bug + - needs-rebase + repos: + - osac-project/osac-workspace From f818314ce9630e9befa5ef35c9f5ffc619f068f4 Mon Sep 17 00:00:00 2001 From: Lucas Ferrnandez Aragon Date: Thu, 25 Jun 2026 17:51:50 +0200 Subject: [PATCH 03/14] odh-dashboard: add run_if_changed to module PR image-mirror jobs (#81026) Add run_if_changed path filtering to the 8 module package PR image-mirror jobs so they only trigger when their respective package directory is modified, instead of running on every PR. Mapping: - odh-mod-arch-model-registry-pr-image-mirror: ^packages/model-registry/ - odh-mod-arch-gen-ai-pr-image-mirror: ^packages/gen-ai/ - odh-mod-arch-maas-pr-image-mirror: ^packages/maas/ - odh-mod-arch-mlflow-pr-image-mirror: ^packages/mlflow/ - odh-mod-arch-eval-hub-pr-image-mirror: ^packages/eval-hub/ - odh-mod-arch-automl-pr-image-mirror: ^packages/automl/ - odh-mod-arch-autorag-pr-image-mirror: ^packages/autorag/ - odh-mod-arch-agent-ops-pr-image-mirror: ^packages/agent-ops/ The main odh-dashboard-pr-image-mirror and all postsubmit jobs remain always_run: true. --- .../opendatahub-io-odh-dashboard-main.yaml | 8 +++++++ ...ahub-io-odh-dashboard-main-presubmits.yaml | 24 ++++++++++++------- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml b/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml index 76c5b289766bf..47299654d255c 100644 --- a/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml +++ b/ci-operator/config/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main.yaml 
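Review bot: Requiring `jira/valid-reference` in the Tide query only has an effect if something applies that label, which here is the `jira-lifecycle-plugin` external plugin registered in this repo's `_pluginconfig.yaml` hunk above; a comment above `labels:` such as `# jira/valid-reference is set by jira-lifecycle-plugin; PRs need a Jira key or NO-ISSUE in the title` would make that coupling visible to the next maintainer. The query also sets no `includedBranches` and the file sets no `merge_method`, so PRs against every branch are eligible and Tide's default merge method applies; that matches the other nine OSAC `_prowconfig.yaml` hunks in this commit, whose context begins at `queries:` on line 2, so it looks deliberate, but it differs from the ai-gateway-operator config in patch 04, which pins both.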
@@ -70,6 +70,7 @@ tests: IMAGE_REPO: odh-dashboard workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-model-registry-pr-image-mirror + run_if_changed: ^packages/model-registry/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-model-registry-image @@ -86,6 +87,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-gen-ai-pr-image-mirror + run_if_changed: ^packages/gen-ai/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-gen-ai-image @@ -102,6 +104,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-maas-pr-image-mirror + run_if_changed: ^packages/maas/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-maas-image @@ -118,6 +121,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-mlflow-pr-image-mirror + run_if_changed: ^packages/mlflow/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-mlflow-image @@ -134,6 +138,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-eval-hub-pr-image-mirror + run_if_changed: ^packages/eval-hub/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-eval-hub-image @@ -150,6 +155,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-automl-pr-image-mirror + run_if_changed: ^packages/automl/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-automl-image @@ -166,6 +172,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-autorag-pr-image-mirror + run_if_changed: ^packages/autorag/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-autorag-image @@ -182,6 +189,7 @@ tests: RELEASE_VERSION: main workflow: opendatahub-io-ci-image-mirror - as: odh-mod-arch-agent-ops-pr-image-mirror + run_if_changed: ^packages/agent-ops/ steps: dependencies: SOURCE_IMAGE_REF: odh-mod-arch-agent-ops-image 
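Review bot: `run_if_changed: ^packages/model-registry/` makes the mirror job skip PRs that only touch inputs the image shares with the rest of the repository, so a change to a root-level lockfile, a shared package or a Dockerfile that the module image copies in would no longer refresh the mirrored image; the other seven hunks in this file (`gen-ai`, `maas`, `mlflow`, `eval-hub`, `automl`, `autorag`, `agent-ops`) carry the same exposure, and the `always_run: false` flips in the generated presubmits file below follow from it. If such shared inputs exist, widen the pattern with an alternation, for example `run_if_changed: ^(packages/model-registry/|package\.json|Dockerfile)` (constructed example — the real shared paths are not visible in this diff and need checking against the repository's build context). If the packages are fully self-contained, a comment above the first `run_if_changed` stating that assumption would keep the next reader from re-raising it.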
diff --git a/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml b/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml index 7cfe473832a39..eba8f259df602 100644 --- a/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml +++ b/ci-operator/jobs/opendatahub-io/odh-dashboard/opendatahub-io-odh-dashboard-main-presubmits.yaml @@ -246,7 +246,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-dashboard-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -270,6 +270,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-agent-ops-pr-image-mirror rerun_command: /test odh-mod-arch-agent-ops-pr-image-mirror + run_if_changed: ^packages/agent-ops/ spec: containers: - args: @@ -336,7 +337,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-agent-ops-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -360,6 +361,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-automl-pr-image-mirror rerun_command: /test odh-mod-arch-automl-pr-image-mirror + run_if_changed: ^packages/automl/ spec: containers: - args: @@ -426,7 +428,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-automl-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -450,6 +452,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-autorag-pr-image-mirror rerun_command: /test odh-mod-arch-autorag-pr-image-mirror + run_if_changed: ^packages/autorag/ spec: containers: - args: 
@@ -516,7 +519,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-autorag-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -540,6 +543,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-eval-hub-pr-image-mirror rerun_command: /test odh-mod-arch-eval-hub-pr-image-mirror + run_if_changed: ^packages/eval-hub/ spec: containers: - args: @@ -606,7 +610,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-eval-hub-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -630,6 +634,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-gen-ai-pr-image-mirror rerun_command: /test odh-mod-arch-gen-ai-pr-image-mirror + run_if_changed: ^packages/gen-ai/ spec: containers: - args: @@ -696,7 +701,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-gen-ai-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -720,6 +725,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-maas-pr-image-mirror rerun_command: /test odh-mod-arch-maas-pr-image-mirror + run_if_changed: ^packages/maas/ spec: containers: - args: @@ -786,7 +792,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-maas-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- 
@@ -810,6 +816,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-mlflow-pr-image-mirror rerun_command: /test odh-mod-arch-mlflow-pr-image-mirror + run_if_changed: ^packages/mlflow/ spec: containers: - args: @@ -876,7 +883,7 @@ presubmits: secretName: result-aggregator trigger: (?m)^/test( | .* )odh-mod-arch-mlflow-pr-image-mirror,?($|\s.*) - agent: kubernetes - always_run: true + always_run: false branches: - ^main$ - ^main- @@ -900,6 +907,7 @@ presubmits: pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-opendatahub-io-odh-dashboard-main-odh-mod-arch-model-registry-pr-image-mirror rerun_command: /test odh-mod-arch-model-registry-pr-image-mirror + run_if_changed: ^packages/model-registry/ spec: containers: - args: From 8188678f210798bb03a11bf287b95aba0676f9e9 Mon Sep 17 00:00:00 2001 From: Chaitanya Kulkarni Date: Thu, 25 Jun 2026 09:15:56 -0700 Subject: [PATCH 04/14] feat: onboard opendatahub-io/ai-gateway-operator to prow (#81084) add prow plugin and tide configuration for the new ai-gateway-operator repository under opendatahub-io org. - configure standard prow plugins (approve, lgtm, assign, trigger, etc.) - configure external plugins (cherrypick, needs-rebase, jira-lifecycle, etc.) - configure triggers with trusted_apps (openshift-merge-bot) - set tide merge method to squash with standard label requirements - restrict tide to main branch via includedBranches - also add includedBranches to ai-gateway-payload-processing for consistency - no ci-operator jobs at this stage, only prow wiring 
Signed-off-by: Chaitanya Kulkarni Co-authored-by: Cursor --- .../ai-gateway-operator/_pluginconfig.yaml | 81 +++++++++++++++++++ .../ai-gateway-operator/_prowconfig.yaml | 18 +++++ .../_prowconfig.yaml | 4 +- 3 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml create mode 100644 core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml new file mode 100644 index 0000000000000..2a5d6cf392a3f --- /dev/null +++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_pluginconfig.yaml 
@@ -0,0 +1,81 @@
+approve:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ require_self_approval: false
+external_plugins:
+ opendatahub-io/ai-gateway-operator:
+ - endpoint: http://refresh
+ events:
+ - issue_comment
+ name: refresh
+ - endpoint: http://cherrypick
+ events:
+ - issue_comment
+ - pull_request
+ name: cherrypick
+ - endpoint: http://needs-rebase
+ events:
+ - issue_comment
+ - pull_request
+ name: needs-rebase
+ - endpoint: http://backport-verifier
+ events:
+ - issue_comment
+ - pull_request
+ name: backport-verifier
+ - endpoint: http://payload-testing-prow-plugin
+ events:
+ - issue_comment
+ name: payload-testing-prow-plugin
+ - endpoint: http://jira-lifecycle-plugin
+ events:
+ - issue_comment
+ - pull_request
+ - pull_request_review
+ name: jira-lifecycle-plugin
+ - endpoint: http://pipeline-controller
+ events:
+ - pull_request
+ - issue_comment
+ name: pipeline-controller
+ - endpoint: http://multi-pr-prow-plugin
+ events:
+ - issue_comment
+ name: multi-pr-prow-plugin
+lgtm:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ review_acts_as_lgtm: true
+plugins:
+ opendatahub-io/ai-gateway-operator:
+ plugins:
+ - assign
+ - blunderbuss
+ - cat
+ - dog
+ - heart
+ - golint
+ - goose
+ - help
+ - hold
+ - jira
+ - label
+ - lgtm
+ - lifecycle
+ - override
+ - pony
+ - retitle
+ - shrug
+ - sigmention
+ - skip
+ - trigger
+ - verify-owners
+ - owners-label
+ - wip
+ - yuks
+ - approve
+triggers:
+- repos:
+ - opendatahub-io/ai-gateway-operator
+ trusted_apps:
+ - openshift-merge-bot
diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml
new file mode 100644
index 0000000000000..21ee2a795d1cf
--- /dev/null
+++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-operator/_prowconfig.yaml
@@ -0,0 +1,18 @@ +tide: + merge_method: + opendatahub-io/ai-gateway-operator: squash + queries: + - includedBranches: + - main + labels: + - approved + - lgtm + missingLabels: + - backports/unvalidated-commits + - do-not-merge/hold + - do-not-merge/invalid-owners-file + - do-not-merge/work-in-progress + - jira/invalid-bug + - needs-rebase + repos: + - opendatahub-io/ai-gateway-operator diff --git a/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml b/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml index f98512edc720a..7eeec9187fe6e 100644 --- a/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml +++ b/core-services/prow/02_config/opendatahub-io/ai-gateway-payload-processing/_prowconfig.yaml @@ -2,7 +2,9 @@ tide: merge_method: opendatahub-io/ai-gateway-payload-processing: squash queries: - - labels: + - includedBranches: + - main + labels: - approved - lgtm missingLabels: From f240fff57fad419ba75e3151c464279f2d35be1b Mon Sep 17 00:00:00 2001 
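Review bot: Adding `includedBranches: [main]` to the existing ai-gateway-payload-processing query (second hunk on this line) changes behaviour for a repo where Tide is already live: a PR targeting any other branch stops being merged by Tide even with `approved` and `lgtm`, because no remaining query covers it. The commit presents this as a consistency change, so it is worth confirming there are no open PRs or release branches that relied on the unrestricted query before this lands. A comment above `includedBranches:` such as `# Tide only merges to main; other branches need their own query` would make the restriction obvious in both files. The new ai-gateway-operator query in the first hunk has the same scope, which is unproblematic for a freshly onboarded repo.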
From: Steven Skeard Date: Thu, 25 Jun 2026 12:47:55 -0400 Subject: [PATCH 05/14] CNF-25270: Export LCA git coordinates to image-based remote scripts (#80864) * CNF-25270: Export LCA git coordinates to image-based remote scripts - Wire Prow PR metadata into ib-orchestrate-vm remote scripts so lifecycle-agent presubmits checkout the correct source during LCA deploy. Assisted-by: Cursor/auto AI-attribution: AIA,Primarily AI-generated,Human-initiated,Reviewed,Cursor/auto,v1.0 For more information on AI attribution statements, see: https://aiattribution.github.io/ * CNF-25270: Update ibu scripts to use the correct branch for rehearsals - Previously, it was always checking out `main` branch for LCA, even for non-main rehearsals - Where possible, try to preferentially use the matching release version for rehearsals --- ...mage-based-upgrade-seed-create-commands.sh | 28 +++++++++++++++++++ ...ift-image-based-upgrade-target-commands.sh | 28 +++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh b/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh index 7095c0d409d7a..1bd89569bc504 100644 --- a/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh +++ b/ci-operator/step-registry/openshift/image-based/upgrade/seed/create/openshift-image-based-upgrade-seed-create-commands.sh 
@@ -93,6 +93,30 @@ if [[ ! -z "${RECERT_IMAGE_OVERRIDE}" ]]; then RECERT_IMAGE=$RECERT_IMAGE_OVERRIDE fi +# Export lifecycle-agent git coordinates for ib-orchestrate-vm. +# - lifecycle-agent presubmit: pin to the PR commit (CI_LCA_GIT_REF/PULL). +# - openshift/release rehearsal of lifecycle-agent jobs: branch checkout only +# (main or release-4.x); CI_LCA_GIT_* stay empty. +# - Other jobs: leave CI_LCA_GIT_* empty; ib-orchestrate-vm uses defaults. +CI_LCA_GIT_REF="" +CI_LCA_GIT_PULL="" +if [[ "${REPO_OWNER}/${REPO_NAME}" == "openshift-kni/lifecycle-agent" ]]; then + CI_LCA_GIT_REF="${PULL_PULL_SHA:-}" + CI_LCA_GIT_PULL="${PULL_NUMBER:-}" + LCA_GIT_BRANCH="${PULL_BASE_REF:-${LCA_GIT_BRANCH:-}}" +elif [[ "${JOB_NAME}" == rehearse-* ]] && [[ "${JOB_NAME}" == *lifecycle-agent* ]]; then + LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r '[.extra_refs[]? | select(.org == "openshift-kni" and .repo == "lifecycle-agent") | .base_ref][0] // empty')" + if [[ -z "${LCA_GIT_BRANCH}" ]]; then + if [[ "${JOB_NAME}" =~ lifecycle-agent-release-([0-9]+\.[0-9]+) ]]; then + LCA_GIT_BRANCH="release-${BASH_REMATCH[1]}" + elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then + LCA_GIT_BRANCH="main" + else + LCA_GIT_BRANCH="main" + fi + fi +fi + echo "Creating seed script..." cat < ${SHARED_DIR}/create_seed.sh #!/bin/bash @@ -103,6 +127,10 @@ export BACKUP_SECRET=\$(<${BACKUP_SECRET_FILE}) export SEED_VM_NAME="${SEED_VM_NAME}" export SEED_VERSION="${SEED_VERSION}" export LCA_OPERATOR_BUNDLE_IMAGE="${OO_BUNDLE}" +export CI_LCA_GIT_REF="${CI_LCA_GIT_REF}" +export CI_LCA_GIT_PULL="${CI_LCA_GIT_PULL}" +export LCA_GIT_REPO="https://github.com/openshift-kni/lifecycle-agent" +export LCA_GIT_BRANCH="${LCA_GIT_BRANCH:-main}" export SEED_RELEASE_IMAGE="${RELEASE_IMAGE}" export RECERT_IMAGE="${RECERT_IMAGE}" export SEED_FLOATING_TAG="${SEED_FLOATING_TAG}" 
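Review bot: The rehearsal fallback ends in `elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then LCA_GIT_BRANCH="main" else LCA_GIT_BRANCH="main" fi`, where both arms assign the same value, so the `elif` is dead and can be collapsed to a plain `else LCA_GIT_BRANCH="main"` (or dropped entirely, since the heredoc below already defaults with `${LCA_GIT_BRANCH:-main}`). The `LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r …)"` assignment has no guard for `jq` being missing or `JOB_SPEC` being unset; if the script runs under `set -e` (its header is outside the hunk) a failing `jq` aborts the job instead of reaching the name-based fallback, so a `2>/dev/null || true` on the pipeline or a `command -v jq` check would make the fallback actually reachable. This whole block is duplicated verbatim in `openshift-image-based-upgrade-target-commands.sh` (the next file's `@@ -28,6 +28,30 @@` hunk); sourcing one shared snippet, or at least a comment in each copy pointing at the other, would keep the two from drifting. The `CI_LCA_GIT_*`/`LCA_GIT_BRANCH` values are interpolated into the generated `create_seed.sh` inside double quotes, which is fine for SHAs and branch names but deserves a comment that the values are assumed to contain no shell metacharacters.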
diff --git a/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh b/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh index c626373dcd469..40aa2b1402b9d 100644 --- a/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh +++ b/ci-operator/step-registry/openshift/image-based/upgrade/target/openshift-image-based-upgrade-target-commands.sh @@ -28,6 +28,30 @@ target_kubeconfig=${remote_workdir}/ib-orchestrate-vm/bip-orchestrate-vm/workdir echo "${TARGET_VM_NAME}" > "${SHARED_DIR}/target_vm_name" +# Export lifecycle-agent git coordinates for ib-orchestrate-vm. +# - lifecycle-agent presubmit: pin to the PR commit (CI_LCA_GIT_REF/PULL). +# - openshift/release rehearsal of lifecycle-agent jobs: branch checkout only +# (main or release-4.x); CI_LCA_GIT_* stay empty. +# - Other jobs: leave CI_LCA_GIT_* empty; ib-orchestrate-vm uses defaults. +CI_LCA_GIT_REF="" +CI_LCA_GIT_PULL="" +if [[ "${REPO_OWNER}/${REPO_NAME}" == "openshift-kni/lifecycle-agent" ]]; then + CI_LCA_GIT_REF="${PULL_PULL_SHA:-}" + CI_LCA_GIT_PULL="${PULL_NUMBER:-}" + LCA_GIT_BRANCH="${PULL_BASE_REF:-${LCA_GIT_BRANCH:-}}" +elif [[ "${JOB_NAME}" == rehearse-* ]] && [[ "${JOB_NAME}" == *lifecycle-agent* ]]; then + LCA_GIT_BRANCH="$(echo "${JOB_SPEC}" | jq -r '[.extra_refs[]? | select(.org == "openshift-kni" and .repo == "lifecycle-agent") | .base_ref][0] // empty')" + if [[ -z "${LCA_GIT_BRANCH}" ]]; then + if [[ "${JOB_NAME}" =~ lifecycle-agent-release-([0-9]+\.[0-9]+) ]]; then + LCA_GIT_BRANCH="release-${BASH_REMATCH[1]}" + elif [[ "${JOB_NAME}" == *lifecycle-agent-main-* ]]; then + LCA_GIT_BRANCH="main" + else + LCA_GIT_BRANCH="main" + fi + fi +fi + echo "Creating upgrade script..." cat < ${SHARED_DIR}/upgrade_from_seed.sh #!/bin/bash 
@@ -40,6 +64,10 @@ export TARGET_VERSION="${TARGET_VERSION}" export TARGET_LCA_REF="${TARGET_LCA_REF}" export RELEASE_IMAGE="${TARGET_IMAGE}" export LCA_OPERATOR_BUNDLE_IMAGE="${OO_BUNDLE}" +export CI_LCA_GIT_REF="${CI_LCA_GIT_REF}" +export CI_LCA_GIT_PULL="${CI_LCA_GIT_PULL}" +export LCA_GIT_REPO="https://github.com/openshift-kni/lifecycle-agent" +export LCA_GIT_BRANCH="${LCA_GIT_BRANCH:-main}" export SEED_VERSION="${SEED_VERSION}" export IP_STACK="${IP_STACK}" export UPGRADE_TIMEOUT="60m" From 2a5ec61a5c45fda08bb2d91f081f0a6f0dc15197 Mon Sep 17 00:00:00 2001 From: Ahmed Abdalla Abdelrehim Date: Thu, 25 Jun 2026 19:02:01 +0200 Subject: [PATCH 06/14] hypershift: fix upgrade test to use version-tagged HO image for release branches (#80970) The upgrade test on release-4.{19,20,21,22} installs the HO from hypershift-operator-init before upgrading to the PR-built version. With tag:latest this pulls the HO from main, causing a downgrade instead of an upgrade. Pin the tag to the release version and add a promotion target so each release branch publishes its HO image with a version-specific tag to the hypershift namespace. 
Signed-off-by: Ahmed Abdalla Co-authored-by: Claude Opus 4.6 (1M context) --- .../openshift-priv-hypershift-release-4.19.yaml | 2 +- .../openshift-priv-hypershift-release-4.20.yaml | 2 +- .../openshift-priv-hypershift-release-4.21.yaml | 2 +- .../openshift-priv-hypershift-release-4.22.yaml | 2 +- .../hypershift/openshift-hypershift-release-4.19.yaml | 8 +++++++- .../hypershift/openshift-hypershift-release-4.20.yaml | 8 +++++++- .../hypershift/openshift-hypershift-release-4.21.yaml | 8 +++++++- .../hypershift/openshift-hypershift-release-4.22.yaml | 8 +++++++- .../openshift-hypershift-release-4.19-postsubmits.yaml | 1 + .../openshift-hypershift-release-4.19-presubmits.yaml | 1 + .../openshift-hypershift-release-4.20-postsubmits.yaml | 1 + .../openshift-hypershift-release-4.20-presubmits.yaml | 1 + .../openshift-hypershift-release-4.21-postsubmits.yaml | 1 + .../openshift-hypershift-release-4.21-presubmits.yaml | 1 + .../openshift-hypershift-release-4.22-postsubmits.yaml | 1 + .../openshift-hypershift-release-4.22-presubmits.yaml | 1 + 16 files changed, 40 insertions(+), 8 deletions(-) diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml index 20a1e1a589e46..5d3e68d095ece 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.19.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.19" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml index b6fb60c4ad1f2..de915a67ca9f5 100644 
--- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.20.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.20" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml index 0457de796b8c9..348fd0474448b 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.21.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.21" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml index 7cfabea6c86ba..6e699710bb606 100644 --- a/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml +++ b/ci-operator/config/openshift-priv/hypershift/openshift-priv-hypershift-release-4.22.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.22" hypershift-tests: name: hypershift-tests namespace: hypershift diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml index 1eb8b1329453d..d20fd476b594f 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml 
+++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.19" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -30,6 +30,12 @@ promotion: to: - name: "4.19" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.19" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml index 0351f84047300..5131feeee0144 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.20" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -35,6 +35,12 @@ promotion: to: - name: "4.20" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.20" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml index 5ae3c15c68d63..496b17ac956eb 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.21" hypershift-tests: name: hypershift-tests namespace: hypershift 
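Review bot: `hypershift-operator-init` now imports `hypershift/hypershift-operator:4.19`, a tag that only comes into existence once a postsubmit on release-4.19 runs with the promotion target added in the second hunk, so until that first promotion every job in this config (and the `openshift-priv` mirror changed in the hunks above, which has no promotion of its own) will presumably fail at image import with the tag missing. Seed the tag before merging, or land the promotion first and flip the base image in a follow-up; the same ordering concern applies to the 4.20, 4.21 and 4.22 hunks that follow. The new promotion entry's `excluded_images: ['*']` plus `additional_images` combination promotes only the one named image, which is not obvious at a glance; a comment such as `# publish the HO under a per-release tag so hypershift-operator-init on this branch imports its own version rather than main's` would spare the next reader a trip to the commit message.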
@@ -38,6 +38,12 @@ promotion: - hypershift-tests name: "4.21" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.21" releases: initial: candidate: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml index d321cf02c2e7b..b71c3d68bcaba 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22.yaml @@ -14,7 +14,7 @@ base_images: hypershift-operator-init: name: hypershift-operator namespace: hypershift - tag: latest + tag: "4.22" hypershift-tests: name: hypershift-tests namespace: hypershift @@ -33,6 +33,12 @@ promotion: - hypershift-operator name: "4.22" namespace: ocp + - additional_images: + hypershift-operator: hypershift-operator + excluded_images: + - '*' + namespace: hypershift + tag: "4.22" releases: initial: candidate: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml index 1c33025bcc9bc..b062066f8fab2 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml index 722891c683b45..0424134a4f64a 100644 
--- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-presubmits.yaml @@ -1217,6 +1217,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml index ccfb684db9985..0dee7ec2e673b 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml index 1f507c2ae7d2a..428d06f1f3fb7 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.20-presubmits.yaml @@ -1387,6 +1387,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest 
diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml index 87cff80e741ba..1abd5eca5b35f 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-postsubmits.yaml @@ -24,6 +24,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml index e07967369d800..5fde228d52b63 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.21-presubmits.yaml @@ -1644,6 +1644,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml index 963e610267b2e..fcb02147d5f6b 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-postsubmits.yaml 
@@ -25,6 +25,7 @@ postsubmits: - --promote - --report-credentials-file=/etc/report/credentials - --target=[images] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml index e296beb0af652..b55adb6b046a1 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-presubmits.yaml @@ -2103,6 +2103,7 @@ presubmits: - --report-credentials-file=/etc/report/credentials - --target=[images] - --target=[release:latest] + - --target=hypershift-operator command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest From d84e5884c31fe032e2b1720037359fdf9345edc3 Mon Sep 17 00:00:00 2001 From: Marco Braga Date: Thu, 25 Jun 2026 14:22:56 -0300 Subject: [PATCH 07/14] SPLAT-2588: hcp/aws returning TPNU job to weekly (#81080) Returning TPNU job to weekly as verified job for feature promotion has satisfied job runs. Keeping this as long-term with slack monitoring. --- .../hypershift/openshift-hypershift-release-5.0__periodics.yaml | 2 +- .../hypershift/openshift-hypershift-release-5.0-periodics.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml index 14e75ee1c14b8..d7c40f45c9bb4 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml 
@@ -187,7 +187,7 @@ tests: - chain: hypershift-conformance workflow: hypershift-aws-conformance - as: e2e-aws-ovn-conformance-techpreview - interval: 6h + cron: '@weekly' reporter_config: channel: '#forum-ocp-splat-alerts-aws' job_states_to_report: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml index 5546fc5385196..75866ec19be6e 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml @@ -1006,6 +1006,7 @@ periodics: secretName: result-aggregator - agent: kubernetes cluster: build07 + cron: '@weekly' decorate: true decoration_config: skip_cloning: true @@ -1013,7 +1014,6 @@ periodics: - base_ref: release-5.0 org: openshift repo: hypershift - interval: 6h labels: ci-operator.openshift.io/cloud: hypershift-aws ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws From 950d6e4a3b0deed0b59cc913417e86f231eb0e19 Mon Sep 17 00:00:00 2001 From: Dustin Row Date: Thu, 25 Jun 2026 10:38:59 -0700 Subject: [PATCH 08/14] Move OCM FVT sanity jobs from presubmit to periodic (#81091) The two sanity jobs (cs-sanity-staging and cs-sanity-jira-staging) were missing cron fields, making them always_run presubmits. These jobs pull an external ocmci container and run ocmtest with zero dependency on rosa-e2e repo code, so running them on every PR is wasteful and blocks unrelated changes. Add cron schedules to make them periodics like the other 13 FVT jobs in this variant. --- ...sa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml | 2 + ...nshift-online-rosa-e2e-main-periodics.yaml | 166 +++++++++++++++++ ...shift-online-rosa-e2e-main-presubmits.yaml | 170 ------------------ 3 files changed, 168 insertions(+), 170 deletions(-) 
diff --git a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml index 86eaaa3a298d6..73ad11a01f799 100644 --- a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml +++ b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-staging.yaml @@ -233,6 +233,7 @@ tests: - as: ocm-fvt-periodic-cs-sanity-staging-main capabilities: - nested-podman + cron: 0 0 31 2 * nested_podman: true steps: allow_best_effort_post_steps: true @@ -248,6 +249,7 @@ tests: - as: ocm-fvt-periodic-cs-sanity-jira-staging-main capabilities: - nested-podman + cron: 0 0 31 2 * nested_podman: true steps: allow_best_effort_post_steps: true diff --git a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml index 8b1a3df2e0409..b272fa04433b2 100644 --- a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml +++ b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml 
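Review bot: `cron: 0 0 31 2 *` on both `ocm-fvt-periodic-cs-sanity-staging-main` and `ocm-fvt-periodic-cs-sanity-jira-staging-main` can never fire, because February has no 31st, so the two jobs go from running on every PR to never running unless triggered by hand; the commit message's "periodics like the other 13 FVT jobs" suggests a schedule, while the neighbouring periodic visible at the end of the generated hunk below runs on `cron: 30 7 * * *`. If never-scheduled is the intent, record it next to each value, e.g. `cron: 0 0 31 2 *  # never fires on purpose; trigger manually`, otherwise give them a real schedule. The generated periodics hunk (`@@ -2921,6 +2921,172 @@`) carries the same value twice and inherits whichever fix is chosen.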
@@ -2921,6 +2921,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build02 + cron: 0 0 31 2 * + decorate: true + decoration_config: + skip_cloning: true + timeout: 5h0m0s + extra_refs: + - base_ref: main + org: openshift-online + repo: rosa-e2e + labels: + capability/nested-podman: nested-podman + ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=ocm-fvt-periodic-cs-sanity-jira-staging-main + - --variant=ocm-fvt-rosa-hcp-staging + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: 
ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build02 + cron: 0 0 31 2 * + decorate: true + decoration_config: + skip_cloning: true + timeout: 5h0m0s + extra_refs: + - base_ref: main + org: openshift-online + repo: rosa-e2e + labels: + capability/nested-podman: nested-podman + ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=ocm-fvt-periodic-cs-sanity-staging-main + - --variant=ocm-fvt-rosa-hcp-staging + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + 
readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 30 7 * * * diff --git a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml index a8da82fbdbc64..256f942409bf8 100644 --- a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml +++ b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml 
@@ -294,176 +294,6 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )lint,?($|\s.*) - - agent: kubernetes - always_run: true - branches: - - ^main$ - - ^main- - cluster: build03 - context: ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - decorate: true - decoration_config: - skip_cloning: true - timeout: 5h0m0s - labels: - capability/nested-podman: nested-podman - ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging - ci.openshift.io/generator: prowgen - job-release: "4.22" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - rerun_command: /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=ocm-fvt-periodic-cs-sanity-jira-staging-main - - --variant=ocm-fvt-rosa-hcp-staging - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - 
serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-jira-staging-main,?($|\s.*) - - agent: kubernetes - always_run: true - branches: - - ^main$ - - ^main- - cluster: build03 - context: ci/prow/ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - decorate: true - decoration_config: - skip_cloning: true - timeout: 5h0m0s - labels: - capability/nested-podman: nested-podman - ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-staging - ci.openshift.io/generator: prowgen - job-release: "4.22" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - rerun_command: /test ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=ocm-fvt-periodic-cs-sanity-staging-main - - --variant=ocm-fvt-rosa-hcp-staging - command: - - ci-operator - env: - - name: HTTP_SERVER_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - 
name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - trigger: (?m)^/test( | .* )ocm-fvt-rosa-hcp-staging-ocm-fvt-periodic-cs-sanity-staging-main,?($|\s.*) - agent: kubernetes always_run: true branches: From 0db4bb471d6ca12853504b28944d83987720bfcd Mon Sep 17 00:00:00 2001 From: Robert Jacob Date: Thu, 25 Jun 2026 19:52:00 +0200 Subject: [PATCH 09/14] openshift-logging: Update Loki Operator 6.4 to Go 1.26 (#81093) --- .../config/openshift/loki/openshift-loki-release-6.4.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml b/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml index 716bd11ae5b5a..75ad3116faa35 100644 --- a/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml +++ b/ci-operator/config/openshift/loki/openshift-loki-release-6.4.yaml @@ -6,7 +6,7 @@ base_images: go_builder: name: builder namespace: ocp - tag: rhel-9-golang-1.24-openshift-4.23 + tag: rhel-9-golang-1.26-openshift-4.23 loki: name: loki namespace: logging 
@@ -23,7 +23,7 @@ build_root:
image_stream_tag:
name: builder
namespace: ocp
- tag: rhel-9-golang-1.24-openshift-4.23
+ tag: rhel-9-golang-1.26-openshift-4.23
use_build_cache: true
images:
items:
@@ -33,7 +33,7 @@ images:
inputs:
go_builder:
as:
- - golang:1.24.4
+ - golang:1.26.3
to: loki-operator
- dockerfile_literal: |
FROM registry.redhat.io/ubi9/go-toolset:latest
From 5063865effc09fa14e0fd022085776f5ef17211d Mon Sep 17 00:00:00 2001
From: Steve Kuznetsov
Date: Thu, 25 Jun 2026 11:52:09 -0600
Subject: [PATCH 10/14] ci-operator: aro-hcp: fail on observability gather (#81096)
Signed-off-by: Steve Kuznetsov
---
.../gather/observability/aro-hcp-gather-observability-ref.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml b/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml
index e028533c09bdd..c4802dd86f748 100644
--- a/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml
+++ b/ci-operator/step-registry/aro-hcp/gather/observability/aro-hcp-gather-observability-ref.yaml
@@ -27,5 +27,5 @@ ref:
- name: COMPRESS_TIMING_METADATA
default: "true"
documentation: Whether to compress timing metadata files with gzip.
- best_effort: true
+ best_effort: false
timeout: 5m
From dc7c44db70a0042030a7086a4cd5a492f4954c64 Mon Sep 17 00:00:00 2001
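Review bot: Flipping `best_effort` to `false` in the `@@ -27,5 +27,5 @@` hunk means a failure or a hit of the unchanged `timeout: 5m` in this gather step now fails the whole job, including runs whose tests passed, and nothing in the ref records that this is deliberate. The step's own top-level `documentation:` block sits outside this hunk and presumably still reads like an optional collector; it should state that gather failures are fatal and that the 5m budget is part of the contract, so that a red job caused by the gather is recognised as by design rather than as flakiness. If the timeout was sized for a best-effort step, it is worth re-checking now that exceeding it is an error.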
From: Robert Jacob
Date: Thu, 25 Jun 2026 20:07:48 +0200
Subject: [PATCH 11/14] openshift-logging: Add configuration for Loki 3.6.12 (#81086)
---
.../loki/openshift-loki-upstream-v3.6.12.yaml | 51 +++++++
...ift-loki-upstream-v3.6.12-postsubmits.yaml | 65 ++++++++
...hift-loki-upstream-v3.6.12-presubmits.yaml | 142 ++++++++++++++++++
.../mapping_logging_loki_quay | 4 +-
4 files changed, 261 insertions(+), 1 deletion(-)
create mode 100644 ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml
create mode 100644 ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml
create mode 100644 ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml
diff --git a/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml b/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml
new file mode 100644
index 0000000000000..96717db0886d9
--- /dev/null
+++ b/ci-operator/config/openshift/loki/openshift-loki-upstream-v3.6.12.yaml
@@ -0,0 +1,51 @@
+base_images:
+ base:
+ name: "4.21"
+ namespace: ocp
+ tag: base-rhel9
+build_root:
+ image_stream_tag:
+ name: builder
+ namespace: ocp
+ tag: rhel-9-golang-1.26-openshift-4.23
+images:
+ items:
+ - additional_architectures:
+ - arm64
+ dockerfile_path: Dockerfile.ocp
+ from: base
+ to: loki
+ - additional_architectures:
+ - arm64
+ dockerfile_path: Dockerfile.promtail.ocp
+ from: base
+ to: promtail
+promotion:
+ to:
+ - namespace: logging
+ tag: v3.6.12
+releases:
+ latest:
+ release:
+ channel: stable
+ version: "4.21"
+resources:
+ '*':
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: test
+ steps:
+ test:
+ - as: unit
+ commands: GOFLAGS="" make test
+ from: src
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+zz_generated_metadata:
+ branch: upstream-v3.6.12
+ org: openshift
+ repo: loki
diff --git a/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml
new file mode 100644
index 0000000000000..75a2270c64df9
--- /dev/null
+++ b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-postsubmits.yaml
@@ -0,0 +1,65 @@ +postsubmits: + openshift/loki: + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + cluster: build06 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + capability/arm64: arm64 + ci-operator.openshift.io/is-promotion: "true" + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-loki-upstream-v3.6.12-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson + - --promote + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/push-secret + name: push-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: push-secret + secret: + secretName: registry-push-credentials-ci-central + - name: result-aggregator + secret: + secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml new file mode 100644 index 0000000000000..796aa4104903b --- /dev/null 
+++ b/ci-operator/jobs/openshift/loki/openshift-loki-upstream-v3.6.12-presubmits.yaml 
@@ -0,0 +1,142 @@ +presubmits: + openshift/loki: + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + - ^upstream-v3\.6\.12- + cluster: build05 + context: ci/prow/images + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + capability/arm64: arm64 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-loki-upstream-v3.6.12-images + rerun_command: /test images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^upstream-v3\.6\.12$ + - ^upstream-v3\.6\.12- + cluster: build01 + context: ci/prow/test + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfile.ocp + - Dockerfile.promtail.ocp + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-loki-upstream-v3.6.12-test + rerun_command: /test test + spec: 
+ containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=test + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )test,?($|\s.*) diff --git a/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay b/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay index 6fcfa2bf83068..70b2be99ff6bf 100644 --- a/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay +++ b/core-services/image-mirroring/openshift-logging/mapping_logging_loki_quay 
@@ -3,5 +3,7 @@ quay.io/openshift/ci:logging_promtail_v3.4.3 quay.io/openshift-logging/promtail:
quay.io/openshift/ci:logging_loki_v3.5.7 quay.io/openshift-logging/loki:v3.5.7
quay.io/openshift/ci:logging_promtail_v3.5.7 quay.io/openshift-logging/promtail:v3.5.7
quay.io/openshift/ci:logging_loki_v3.6.5 quay.io/openshift-logging/loki:v3.6.5
-quay.io/openshift/ci:logging_promtail_v3.6.5 quay.io/openshift-logging/promtail:v3.6.5 quay.io/openshift-logging/promtail:latest
+quay.io/openshift/ci:logging_promtail_v3.6.5 quay.io/openshift-logging/promtail:v3.6.5
+quay.io/openshift/ci:logging_loki_v3.6.12 quay.io/openshift-logging/loki:v3.6.12
+quay.io/openshift/ci:logging_promtail_v3.6.12 quay.io/openshift-logging/promtail:v3.6.12 quay.io/openshift-logging/promtail:latest
quay.io/openshift/ci:logging_loki_v3.7.2 quay.io/openshift-logging/loki:v3.7.2 quay.io/openshift-logging/loki:latest
From f891ec48b035a9efb6f906cf9649707675a9ab02 Mon Sep 17 00:00:00 2001
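Review bot: After this hunk `quay.io/openshift-logging/promtail:latest` follows v3.6.12 while the unchanged last line keeps `quay.io/openshift-logging/loki:latest` on v3.7.2, so the two floating tags of the same mirror set now track different release lines. If that is intended (for example because no promtail image is built from the 3.7 branch), it should be recorded in the commit message, since anyone pulling both `latest` tags together will get a mismatched pair without any hint in this file; if it is not intended, `promtail:latest` should stay on whichever line `loki:latest` tracks. Moving `latest` here also silently changes what every consumer of `promtail:latest` receives, which is worth a note in the PR for the logging team.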
From: Tom Buskey Date: Thu, 25 Jun 2026 14:23:09 -0400 Subject: [PATCH 12/14] Add Trustee operator installation step for Confidential Containers (#80601) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add Trustee operator installation step for Confidential Containers Add automated Trustee operator installation for sandboxed-containers-operator CoCo (Confidential Containers) tests using OLM and helm charts. Key Features: - OLM-based operator installation with comprehensive wait stages - Helm chart integration with pre-built container image - Works with restrict_network_access: true for rehearsals - KBS connectivity verification and resource validation - tools-with-helm custom image with oc, kubectl, helm, jq, skopeo, git Step Registry: - Created install-trustee-operator step in sandboxed-containers-operator - Added to sandboxed-containers-operator-pre chain before OSC installation - Runs for all *-ipi-coco test jobs when TRUSTEE_INSTALL="true" CI Configuration: - Added trustee-charts image (packages helm charts from confidential-devhub/charts) - Added tools-with-helm image based on cli with helm and required tools - Added cli to base_images for tools-with-helm dependency - Enabled Trustee installation for azure-ipi-coco, aro-ipi-coco, aws-ipi-coco - Set restrict_network_access: true for candidate421 aws-ipi-coco Technical Implementation: - FROM this-is-ignored with from: cli pattern for custom image builds - Wait stages: CatalogSource → Subscription → InstallPlan → CSV → Deployment → Pods - Generous 10-minute timeouts to avoid cluster rebuild waste - Discovers KBS endpoint and persists TRUSTEE_URL for CoCo tests - Generates INITDATA artifacts and patches osc-config ConfigMap - Verifies connectivity with kbs-client pod testing resource retrieval Co-Authored-By: Claude Sonnet 4.5 * Fix Trustee catalog configuration and remove unused env vars - Remove TRUSTEE_CATALOG_SOURCE_NAME (helm chart hardcodes catalog name) - Fix 
dev.enabled bug: explicitly control based on custom image presence - Remove invalid helm '--set catalogSource.name' parameter - Add tools-with-helm image to all downstream-release config - Document catalog source configuration and image tag strategies Implementation is tag-agnostic for future flexibility switching to :latest. Signed-off-by: Tom Buskey --------- Signed-off-by: Tom Buskey Co-authored-by: Claude Sonnet 4.5 --- ...-operator-devel__downstream-candidate.yaml | 36 + ...erator-devel__downstream-candidate417.yaml | 36 + ...erator-devel__downstream-candidate418.yaml | 36 + ...erator-devel__downstream-candidate419.yaml | 36 + ...erator-devel__downstream-candidate420.yaml | 36 + ...erator-devel__downstream-candidate421.yaml | 74 +- ...rs-operator-devel__downstream-release.yaml | 30 + ...-containers-operator-devel-presubmits.yaml | 399 +++++++ .../sandboxed-containers-operator/README.md | 176 +++ .../install-trustee-operator/OWNERS | 10 + ...rator-install-trustee-operator-commands.sh | 1027 +++++++++++++++++ ...install-trustee-operator-ref.metadata.json | 17 + ...operator-install-trustee-operator-ref.yaml | 60 + ...ndboxed-containers-operator-pre-chain.yaml | 1 + 14 files changed, 1955 insertions(+), 19 deletions(-) create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS create mode 100755 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml 
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 7573a7135610d..9c8acde398dd5 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci @@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -127,6 +157,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure 
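Review bot: The new `images:` hunk (`@@ -7,6 +11,32 @@`) builds CI tooling from unpinned, unverified inputs: `git clone --depth 1 --branch main https://github.com/confidential-devhub/charts` picks up whatever is on `main` at build time, and `curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz` unpacks the download straight from the network with no checksum and no `-f`, so an HTTP error page or a tampered tarball is only caught, if at all, by the trailing `helm version`. The same literal is repeated verbatim in the candidate417, candidate418, candidate419, candidate420, candidate421 and downstream-release config hunks, so a fix has to land in all seven. Pin the chart checkout to a tag or commit and verify the helm tarball against a hash recorded in the Dockerfile (coreutils `sha256sum` should be available in the `cli` base; confirm), and consider pinning `ubi9/ubi-minimal:latest` by digest for the same reason. The rewritten `RUN` lines below use labelled placeholders for the chart revision and the expected hash.
```yaml
  - dockerfile_literal: |
      # … unchanged: FROM ubi-minimal, microdnf install …
      RUN git clone --depth 1 --branch <PINNED_CHART_TAG> \
          https://github.com/confidential-devhub/charts /charts && \
          rm -rf /charts/.git
    to: trustee-charts
  - dockerfile_literal: |
      # … unchanged: FROM this-is-ignored, USER root, dnf install …
      RUN curl -sSfL -o /tmp/helm.tgz https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz && \
          echo "<SHA256_OF_helm-v3.14.0-linux-amd64.tar.gz>  /tmp/helm.tgz" | sha256sum -c - && \
          tar -xzf /tmp/helm.tgz -C /tmp && \
          mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
          rm -rf /tmp/helm.tgz /tmp/linux-amd64 && \
          chmod +x /usr/local/bin/helm && \
          helm version
      # … unchanged: USER 1000 …
    from: cli
    to: tools-with-helm
```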
@@ -204,6 +236,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -278,6 +312,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index eed240831f6ec..1011ef29ef777 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.17" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.17" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws 
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index af5f346bee912..eec734a110464 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.18" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci @@ -7,6 +11,32 @@ base_images: name: "4.18" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure 
@@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 42076da37f434..c3ebfdd1e8438 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws 
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index f08313bb41ff2..71c130a4f2d3d 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.20" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci @@ -7,6 +11,32 @@ base_images: name: "4.20" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -128,6 +158,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure 
@@ -206,6 +238,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -280,6 +314,8 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index bfdd37b512e75..cc5f2e938e602 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.21" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.21" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: @@ -45,9 +75,9 @@ tests: ENABLE_MUST_GATHER: "true" INITDATA: "" INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA @@ -80,10 +110,10 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
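Review bot: The `@@ -45,9 +75,9 @@` and `@@ -80,10 +110,10 @@` hunks in candidate421 change `KATA_RPM_VERSION` from `3.31.0-1.rhaos4.19.el9` to `3.25.0-2.rhaos4.21.el9`, flip `MUST_GATHER_ON_FAILURE_ONLY` back to `"true"` and set `INSTALL_KATA_RPM: "false"` with an empty `KATA_RPM_VERSION` for the peer-pods job, none of which the commit message mentions; these are exactly the values PATCH 01 of this series set, so this looks like a branch rebased on an older tree reverting that patch. The same reversions recur in the later candidate421 hunks (`-118`, `-157`, `-195`, `-234`, `-270`). If the Trustee work does not depend on them, these hunks should be reduced to the `TRUSTEE_*` additions and the `restrict_network_access` change; if the `rhaos4.21` RPM and failure-only must-gather are the intended state for 4.21, the commit message should say so explicitly so the two patches in this series stop contradicting each other.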
@@ -118,16 +148,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure @@ -157,10 +189,10 @@ tests: HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& 
@@ -195,17 +227,19 @@ tests: ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus INITDATA: "" - INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro @@ -234,9 +268,9 @@ tests: ENABLEPEERPODS: "true" INITDATA: "" INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& @@ -260,7 +294,7 @@ tests: report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} <{{.Status.URL}}|View logs>' - restrict_network_access: false + restrict_network_access: true steps: cluster_profile: aws-sandboxed-containers-operator env: 
@@ -270,16 +304,18 @@ tests: ENABLE_MUST_GATHER: "true" ENABLEPEERPODS: "true" INITDATA: "" - INSTALL_KATA_RPM: "true" - KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "false" + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive&;~C00133& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml index 9d9314954ed64..9cdf7de6aafad 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-release.yaml @@ -1,4 +1,8 @@ base_images: + cli: + name: "4.19" + namespace: ocp + tag: cli tests-private: name: tests-private namespace: ci 
@@ -7,6 +11,32 @@ base_images: name: "4.19" namespace: ocp tag: upi-installer +build_root: + image_stream_tag: + name: builder + namespace: ocp + tag: rhel-9-golang-1.25-openshift-4.21 +images: + items: + - dockerfile_literal: | + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + RUN microdnf install -y git tar gzip && microdnf clean all + RUN git clone --depth 1 --branch main \ + https://github.com/confidential-devhub/charts /charts && \ + rm -rf /charts/.git + to: trustee-charts + - dockerfile_literal: | + FROM this-is-ignored + USER root + RUN dnf install -y tar gzip jq skopeo git && dnf clean all + RUN curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz && \ + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + chmod +x /usr/local/bin/helm && \ + helm version + USER 1000 + from: cli + to: tools-with-helm prowgen: disable_sparse_checkout: true releases: diff --git a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml index b92caf2f925e7..c4667663b6b66 100644 --- a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml +++ b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-presubmits.yaml 
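Review bot: The `tools-with-helm` dockerfile_literal downloads the helm tarball with `curl -sL https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz | tar xz` and installs it without any integrity check, so the binary that renders every Trustee manifest in CI is whatever the download endpoint served that day; helm publishes a `.sha256sum` next to each release tarball, and verifying it with coreutils `sha256sum -c` before extracting costs one line (adding `-f` also stops an HTTP error page from being fed to tar). The `trustee-charts` image has the same reproducibility gap: `git clone --depth 1 --branch main` bakes in whatever the upstream default branch holds at build time, so pin it, e.g. `RUN git clone --depth 1 --branch "<pinned tag placeholder>" https://github.com/confidential-devhub/charts /charts && rm -rf /charts/.git`, and record the commit in a comment. The `ubi-minimal:latest` base in the same image is a floating tag as well, though a lesser concern. The `images:` list ends in this hunk and `releases:` continues past it.

```yaml
  - dockerfile_literal: |
      # … unchanged: FROM this-is-ignored, USER root, dnf install …
      RUN curl -fsSL -o /tmp/helm.tgz https://get.helm.sh/helm-v3.14.0-linux-amd64.tar.gz && \
          echo "<sha256 placeholder from helm-v3.14.0-linux-amd64.tar.gz.sha256sum>  /tmp/helm.tgz" | sha256sum -c - && \
          tar -xzf /tmp/helm.tgz -C /tmp && \
          mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
          rm -rf /tmp/linux-amd64 /tmp/helm.tgz && \
          helm version
      # … unchanged: USER 1000 …
```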
@@ -117,6 +117,405 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )ci-bundle-openshift-sandboxed-containers-operator-bundle,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-images + rerun_command: /test downstream-candidate-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate417-images + decorate: true + decoration_config: + skip_cloning: true + labels: + 
ci-operator.openshift.io/variant: downstream-candidate417 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-images + rerun_command: /test downstream-candidate417-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate417 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate417-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate418-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate418 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-images + rerun_command: /test downstream-candidate418-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - 
--image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate418 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate418-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate419-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate419 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-images + rerun_command: /test downstream-candidate419-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate419 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: 
/secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate419-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate420-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate420 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-images + rerun_command: /test downstream-candidate420-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate420 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + 
secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate420-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: ci/prow/downstream-candidate421-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-candidate421 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-images + rerun_command: /test downstream-candidate421-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-candidate421 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-candidate421-images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^devel$ + - ^devel- + cluster: build13 + context: 
ci/prow/downstream-release-images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/variant: downstream-release + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-sandboxed-containers-operator-devel-downstream-release-images + rerun_command: /test downstream-release-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + - --variant=downstream-release + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )downstream-release-images,?($|\s.*) - agent: kubernetes always_run: true branches: diff --git a/ci-operator/step-registry/sandboxed-containers-operator/README.md b/ci-operator/step-registry/sandboxed-containers-operator/README.md index c83640ea588bd..6393083c2cab4 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/README.md +++ b/ci-operator/step-registry/sandboxed-containers-operator/README.md 
@@ -33,6 +33,182 @@ The [sandboxed-containers-operator-env-cm](./env-cm/) step creates the osc-confi Currently not all parameters are enabled. In particular, only GA release type is supported, meaning it doesn't install development builds of OSC. +### sandboxed-containers-operator-install-trustee-operator + +The [sandboxed-containers-operator-install-trustee-operator](./install-trustee-operator/) step installs the Trustee operator for Confidential Containers (CoCo) workloads. This step is only needed for CoCo tests. + +## Catalog Source Configuration + +Both OSC and Trustee operators can be installed from different catalog sources depending on whether you're testing pre-release builds or using production catalogs. + +### OSC Catalog Source + +Controlled by environment variables in job configurations: + +- **`CATALOG_SOURCE_NAME`** - Name of the CatalogSource to use + - Default: `"redhat-operators"` (production catalog) + - For testing: `"brew-catalog"` or custom names + +- **`CATALOG_SOURCE_IMAGE`** - Custom FBC (File-Based Catalog) image + - Default: `""` (empty, uses existing catalog specified by `CATALOG_SOURCE_NAME`) + - For testing: `"quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest"` + +**Behavior:** +- If `CATALOG_SOURCE_IMAGE` is empty: uses existing catalog specified by `CATALOG_SOURCE_NAME` +- If `CATALOG_SOURCE_IMAGE` is set: creates a new CatalogSource with that image + +### Trustee Catalog Source + +Controlled by the Trustee helm chart and `TRUSTEE_CATALOG_SOURCE_IMAGE` environment variable: + +- **`TRUSTEE_CATALOG_SOURCE_IMAGE`** - Custom FBC image for Trustee operator + - Default: `""` (empty) + - For testing: `"quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656"` + +**Behavior:** +- If `TRUSTEE_CATALOG_SOURCE_IMAGE` is **empty**: + - Helm chart sets `dev.enabled=false` + - Uses existing `redhat-operators` CatalogSource (production) + - No new CatalogSource is created + +- If `TRUSTEE_CATALOG_SOURCE_IMAGE` 
is **set**: + - Helm chart sets `dev.enabled=true` + - Creates new CatalogSource named `trustee-operator-dev-catalog` (hardcoded in helm chart) + - Uses the specified custom image + - **Note:** CatalogSource name cannot be overridden - it's always `trustee-operator-dev-catalog` + +**Example job configuration for CoCo testing:** + +```yaml +tests: +- as: azure-ipi-coco + steps: + env: + # OSC operator catalog + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + + # Trustee operator catalog (CatalogSource name is hardcoded to trustee-operator-dev-catalog) + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_INSTALL: "true" + + # Test configuration + WORKLOAD_TO_TEST: coco + ENABLEPEERPODS: "true" + RUNTIMECLASS: kata-remote +``` + +**Why the different approaches?** +- OSC workflow was designed with flexibility to use any catalog name +- Trustee uses upstream helm charts from [confidential-devhub/charts](https://github.com/confidential-devhub/charts) which hardcode the dev CatalogSource name +- This keeps Trustee CI aligned with upstream tooling + +### Image Tag Resolution: `:latest` vs Specific Build Tags + +Catalog images can be referenced using different tag strategies with distinct tradeoffs: + +#### Using `:latest` Tags + +```yaml +CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest +``` + +**How it resolves:** +1. At job execution time, container runtime queries Quay.io registry +2. Registry returns the current image digest that `:latest` points to +3. That specific digest is pulled and used for the job +4. 
Different jobs can get different images if builds happen between runs + +**Managed by:** Konflux/RHTAP automatically updates `:latest` after each successful build + +**Advantages:** +- ✅ Automatically tests newest builds without config changes +- ✅ Good for continuous validation of rolling builds +- ✅ No manual maintenance needed + +**Disadvantages:** +- ❌ Non-reproducible (different runs may use different builds) +- ❌ Hard to bisect regressions ("which build broke this?") +- ❌ Can break unexpectedly if bad build gets tagged + +#### Using Specific Build Tags + +```yaml +TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 +``` + +**Tag format:** `-` +- Version: `1.1.0` (semantic version from project) +- Build ID: `1776506656` (Konflux pipeline run identifier) + +**How it resolves:** +- Tag is **immutable** - always points to the same image digest +- Never changes after creation +- Reproducible across all job runs + +**Advantages:** +- ✅ Reproducible test results +- ✅ Easy to bisect issues (pin to specific builds) +- ✅ Stable - won't break from new builds +- ✅ Direct traceability to Konflux pipeline runs + +**Disadvantages:** +- ❌ Requires manual config updates to test new builds +- ❌ Can become stale if not maintained + +#### How Konflux Creates Multiple Tags + +When a catalog build completes in Konflux, multiple tags point to the same image: + +```bash +# All these reference the same image digest: +quay.io/.../osc-test-fbc:latest # Moves to newest build +quay.io/.../osc-test-fbc:1.2.0-1776506656 # Immutable build-specific tag +quay.io/.../osc-test-fbc:1.2.0 # Moves within version series +quay.io/.../osc-test-fbc:sha256-abc123... 
# Direct digest reference +``` + +#### Finding Specific Build Tags + +To find the current build tag that `:latest` points to: + +```bash +# Option 1: Query Quay.io API +curl -s https://quay.io/api/v1/repository/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc/tag/ | \ + jq -r '.tags[] | select(.name | startswith("1.1.0")) | .name' | sort -V | tail -5 + +# Option 2: Pull and inspect +podman pull quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:latest +podman inspect quay.io/.../trustee-test-fbc:latest | jq '.[0].RepoTags[]' + +# Option 3: Check Konflux pipeline runs +# Navigate to Konflux UI → Application → Component → Pipeline Runs +# Find successful run ID and use format: - +``` + +#### Strategy Comparison + +| Aspect | `:latest` | `1.1.0-1776506656` (Specific build) | +|--------|----------------|------------------------------| +| **Resolution** | Dynamic (query registry each time) | Static (immutable) | +| **Reproducibility** | ❌ Different builds over time | ✅ Always same build | +| **Maintenance** | Automatic | Manual updates | +| **Traceability** | Hard (logs needed) | Easy (build ID in tag) | +| **Use Case** | Daily/nightly rolling tests | Stable/release validation | + +#### When to Use Each Strategy + +**Use `:latest` when:** +- Running frequent jobs (daily/nightly) that should pick up new builds automatically +- Testing the latest code is more important than reproducibility +- You have good monitoring/alerting for failures + +**Use specific build tags when:** +- You need reproducible results for debugging +- Testing specific release candidates or milestones +- You want to correlate failures to specific builds +- Running less frequently (weekly/release gates) + ## Chains Here is the list of chains. diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS new file mode 100644 index 0000000000000..5c31fe0ceccfc 
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS
@@ -0,0 +1,10 @@
+reviewers:
+ - ldoktor
+ - tbuskey
+ - vvoronko
+ - wainersm
+approvers:
+ - ldoktor
+ - tbuskey
+ - vvoronko
+ - wainersm
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh
new file mode 100755
index 0000000000000..8d746e938205f
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh
@@ -0,0 +1,1027 @@ +#!/usr/bin/env bash +# +# Install Trustee Operator for Confidential Containers (CoCo) +# +# This script installs and configures the Trustee operator and operands using +# helm charts from https://github.com/confidential-devhub/charts +# +# NETWORK ACCESS: +# Preferred: Use TRUSTEE_CHARTS_IMAGE (pre-built image dependency) +# Works with restrict_network_access: true for rehearsals +# Fallback: Fetches from GitHub (requires restrict_network_access: false) +# +# Environment Variables: +# TRUSTEE_INSTALL - "true" to install, "false" to skip (default: false) +# TRUSTEE_NAMESPACE - Namespace for operator (default: trustee-operator-system) +# TRUSTEE_CATALOG_SOURCE_IMAGE - Custom catalog image (optional) +# NOTE: CatalogSource name is hardcoded to "trustee-operator-dev-catalog" +# in the helm chart and cannot be overridden +# IMAGE_TRUSTEE_CHARTS - Pre-built charts image (set by ci-operator, recommended) +# TRUSTEE_CHARTS_REPO - Charts repo URL (default: https://github.com/confidential-devhub/charts) +# TRUSTEE_CHARTS_REF - Charts git ref (default: main) +# KBS_CLIENT_TAG - kbs-client version override (optional) +# +# Outputs to SHARED_DIR: +# TRUSTEE_URL - KBS service URL for CoCo workloads +# TRUSTEE_HOST - KBS hostname +# TRUSTEE_PORT - KBS port +# INITDATA - Base64-encoded gzipped initdata.toml +# initdata.toml - Plain text initdata configuration +# + +set -euo pipefail + +#======================================== +# Configuration +#======================================== + +export SHARED_DIR=${SHARED_DIR:-/tmp} +export KUBECONFIG=${KUBECONFIG:-${SHARED_DIR}/kubeconfig} + +TRUSTEE_INSTALL=${TRUSTEE_INSTALL:-false} +TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE:-trustee-operator-system} +TRUSTEE_CATALOG_SOURCE_IMAGE=${TRUSTEE_CATALOG_SOURCE_IMAGE:-} +TRUSTEE_CHARTS_REPO=${TRUSTEE_CHARTS_REPO:-https://github.com/confidential-devhub/charts} +TRUSTEE_CHARTS_REF=${TRUSTEE_CHARTS_REF:-main} + +# Early exit if installation disabled +if [[ "${TRUSTEE_INSTALL}" != 
"true" ]]; then + echo ">>> Skipping trustee operator installation (TRUSTEE_INSTALL=${TRUSTEE_INSTALL})" + exit 0 +fi + +# Check helm is available +if ! command -v helm &> /dev/null; then + echo ">>> ERROR: helm is not available in the step image." >&2 + echo ">>> Install helm in the image used by this step to keep restrict_network_access support." >&2 + exit 1 +fi + +# Show configuration +echo ">>> Trustee charts: ${TRUSTEE_CHARTS_REPO} (ref: ${TRUSTEE_CHARTS_REF})" +if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + echo ">>> Trustee catalog source: trustee-operator-dev-catalog (image: ${TRUSTEE_CATALOG_SOURCE_IMAGE})" +else + echo ">>> Trustee catalog source: redhat-operators (using existing catalog)" +fi + +#======================================== +# Cleanup Handler +#======================================== + +SCRATCH=$(mktemp -d) +cd "${SCRATCH}" + +function exit_handler() { + local exitcode=$? + set +e + rm -rf "${SCRATCH}" + + if [[ ${exitcode} -ne 0 ]]; then + echo ">>> ERROR: Trustee operator installation failed" + echo ">>> Namespace status:" + oc get all -n "${TRUSTEE_NAMESPACE}" || true + echo ">>> Operator logs:" + oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true + fi +} +trap 'exit_handler' EXIT + +#======================================== +# Helper Functions +#======================================== + +# Retry command up to 10 times with 30s delay between attempts +function retry() { + "$@" && return 0 + for (( i = 0; i < 9; i++ )); do + sleep 30 + "$@" && return 0 + done + return 1 +} + +# Generic wait loop with condition checking +# Usage: wait_until +# Returns: 0 on success, 1 on timeout +# Example: wait_until "pod to be ready" 300 5 'oc get pod mypod -o jsonpath="{.status.phase}" | grep -q Running' +function wait_until() { + local description="$1" + local timeout_seconds="$2" + local check_interval="$3" + local condition_command="$4" + + local max_iterations=$((timeout_seconds / check_interval)) + 
local progress_interval=$((60 / check_interval)) # Show progress every 60 seconds + [[ ${progress_interval} -lt 1 ]] && progress_interval=1 + + echo ">>> Waiting for ${description} (timeout: ${timeout_seconds}s, interval: ${check_interval}s)..." >&2 + + for (( i = 1; i <= max_iterations; i++ )); do + if eval "${condition_command}" 2>/dev/null; then + echo ">>> ${description} - SUCCESS (after $((i * check_interval))s)" >&2 + return 0 + fi + + # Show progress at regular intervals + if [[ $((i % progress_interval)) -eq 0 ]]; then + echo ">>> Still waiting for ${description} (${i}/${max_iterations}, $((i * check_interval))s elapsed)..." >&2 + fi + + [[ ${i} -lt ${max_iterations} ]] && sleep "${check_interval}" + done + + echo ">>> ERROR: ${description} - TIMEOUT after ${timeout_seconds}s" >&2 + return 1 +} + +# Fetch trustee helm charts (from pre-built image or GitHub) +function fetch_trustee_charts() { + local charts_dir="${SCRATCH}/charts" + + # Option 1: Extract from pre-built container image (preferred, works with restrict_network_access: true) + # ci-operator provides built images via IMAGE_FORMAT and IMAGE_TRUSTEE_CHARTS env vars + if [[ -n "${IMAGE_TRUSTEE_CHARTS:-}" ]]; then + local charts_image="${IMAGE_TRUSTEE_CHARTS}" + echo ">>> Extracting trustee charts from pre-built image" >&2 + echo ">>> Image: ${charts_image}" >&2 + + # Extract charts from the image + mkdir -p "${charts_dir}" + local extract_output + if extract_output=$(oc image extract "${charts_image}" --path /charts/:${charts_dir}/ 2>&1); then + echo ">>> Charts extracted from image (no network access needed)" >&2 + echo ">>> Extracted files:" >&2 + ls -lR "${charts_dir}" | head -50 >&2 + # The git repo structure is: charts/trustee-operator/, so image has /charts/charts/ + # Return the nested charts directory + echo "${charts_dir}/charts" + return 0 + else + echo ">>> ERROR: Failed to extract charts from image" >&2 + echo "$extract_output" >&2 + echo ">>> Falling back to git clone" >&2 + fi + else + 
echo ">>> IMAGE_TRUSTEE_CHARTS not set, using git clone fallback" >&2 + fi + + # Option 2: Fallback to git clone (requires restrict_network_access: false) + echo ">>> Fetching trustee charts from GitHub: ${TRUSTEE_CHARTS_REPO} (ref: ${TRUSTEE_CHARTS_REF})" >&2 + + if ! command -v git &> /dev/null; then + echo ">>> ERROR: git command not found" >&2 + return 1 + fi + + git clone --depth 1 --branch "${TRUSTEE_CHARTS_REF}" "${TRUSTEE_CHARTS_REPO}" "${charts_dir}" + + if [[ ! -d "${charts_dir}" ]]; then + echo ">>> ERROR: Failed to clone charts repository" >&2 + return 1 + fi + + echo ">>> Charts cloned from GitHub" >&2 + echo "${charts_dir}" +} + +# Get cluster domain from ingress config, console route, or console URL +function get_cluster_domain() { + local cluster_domain="" + + # Try ingress config, console route, then console URL + cluster_domain=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}' 2>/dev/null || true) + + if [[ -z "${cluster_domain}" ]]; then + cluster_domain=$(oc get route -n openshift-console console -o jsonpath='{.spec.host}' 2>/dev/null | sed 's/^console-openshift-console\.//' || true) + fi + + if [[ -z "${cluster_domain}" ]]; then + local console_url + console_url=$(oc whoami --show-console 2>/dev/null || true) + if [[ -n "${console_url}" ]]; then + cluster_domain=$(echo "${console_url}" | sed 's|https://console-openshift-console\.||' | sed 's|/.*||') + fi + fi + + if [[ -z "${cluster_domain}" ]]; then + echo ">>> ERROR: Failed to derive cluster domain" >&2 + return 1 + fi + + echo ">>> Cluster domain: ${cluster_domain}" >&2 + echo "${cluster_domain}" +} + +#======================================== +# Helm Chart Functions +#======================================== + +# Render trustee operator chart using helm template +function render_trustee_operator_chart() { + local charts_dir="$1" + local operator_chart="${charts_dir}/trustee-operator" + + if [[ ! 
-d "${operator_chart}" ]]; then + echo ">>> ERROR: Operator chart not found at ${operator_chart}" >&2 + return 1 + fi + + echo ">>> Rendering trustee-operator chart from: ${operator_chart}" >&2 + echo ">>> Chart files:" >&2 + ls -la "${operator_chart}" >&2 + + # Build helm command with --set parameters + local helm_args=( + "trustee-operator" + "${operator_chart}" + "--set" "namespaceOverride=${TRUSTEE_NAMESPACE}" + ) + + # Add catalog source configuration if custom image provided + if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + helm_args+=( + "--set" "dev.enabled=true" + "--set" "dev.image=${TRUSTEE_CATALOG_SOURCE_IMAGE}" + ) + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, dev.enabled=true, dev.image=${TRUSTEE_CATALOG_SOURCE_IMAGE}" >&2 + echo ">>> Note: CatalogSource name is hardcoded to 'trustee-operator-dev-catalog' in helm chart" >&2 + else + helm_args+=( + "--set" "dev.enabled=false" + ) + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, dev.enabled=false" >&2 + echo ">>> Note: Using existing 'redhat-operators' CatalogSource" >&2 + fi + + # Render the chart and capture output for debugging + local helm_output + if ! helm_output=$(helm template "${helm_args[@]}" 2>&1); then + echo ">>> ERROR: helm template failed" >&2 + echo "$helm_output" >&2 + return 1 + fi + + echo "$helm_output" +} + +# Render trustee operands chart using helm template +function render_trustee_operands_chart() { + local charts_dir="$1" + local operands_chart="${charts_dir}/trustee-operands" + + if [[ ! -d "${operands_chart}" ]]; then + echo ">>> ERROR: Operands chart not found at ${operands_chart}" >&2 + return 1 + fi + + echo ">>> Rendering trustee-operands chart from: ${operands_chart}" >&2 + echo ">>> Chart files:" >&2 + ls -la "${operands_chart}" >&2 + echo ">>> Helm parameters: namespaceOverride=${TRUSTEE_NAMESPACE}, clusterDomain=${CLUSTER_DOMAIN}" >&2 + + # Render the chart and capture output for debugging + local helm_output + if ! 
helm_output=$(helm template trustee-operands "${operands_chart}" \ + --set "namespaceOverride=${TRUSTEE_NAMESPACE}" \ + --set "clusterDomain=${CLUSTER_DOMAIN}" 2>&1); then + echo ">>> ERROR: helm template failed" >&2 + echo "$helm_output" >&2 + return 1 + fi + + echo "$helm_output" +} + +#======================================== +# Installation Functions +#======================================== + +# Install trustee operator via OLM using helm-rendered manifests +function install_trustee_operator() { + local charts_dir="$1" + + echo ">>> Installing Trustee operator" + + # Render operator chart + local operator_yaml="${SCRATCH}/operator-manifests.yaml" + if ! render_trustee_operator_chart "${charts_dir}" > "${operator_yaml}"; then + echo ">>> ERROR: Failed to render operator chart" + return 1 + fi + + echo ">>> Rendered operator YAML:" + cat "${operator_yaml}" + echo ">>> Total YAML lines: $(wc -l < "${operator_yaml}")" + + # Apply operator chart + local apply_output + if ! apply_output=$(oc apply -f "${operator_yaml}" 2>&1); then + echo ">>> ERROR: Failed to apply operator manifests" + echo "$apply_output" + echo ">>> Full operator YAML:" + cat "${operator_yaml}" + return 1 + fi + + echo ">>> Apply output:" + echo "$apply_output" +} + +# Wait for operator installation through all OLM stages +# Stages: All CatalogSources READY → Subscription → InstallPlan → CSV → Deployment +function wait_for_operator() { + # Stage 0: Wait for ALL CatalogSources to be READY (600s / 10 minutes) + # This prevents Subscription failures due to missing/unavailable catalogs + echo ">>> Waiting for all CatalogSources to be READY..." 
+ local all_catalogs_ready=false + for i in {1..120}; do + # Get all catalogs and their states + local catalog_states + catalog_states=$(oc get catalogsource -n openshift-marketplace -o jsonpath='{range .items[*]}{.metadata.name}={.status.connectionState.lastObservedState}{"\n"}{end}' 2>/dev/null || echo "") + + if [[ -z "${catalog_states}" ]]; then + echo ">>> WARNING: Unable to get catalog states (attempt ${i}/120)" + [[ ${i} -lt 120 ]] && sleep 5 + continue + fi + + # Count total vs ready catalogs + local total_catalogs + total_catalogs=$(echo "${catalog_states}" | wc -l) + local ready_catalogs + ready_catalogs=$(echo "${catalog_states}" | grep -c "=READY" || echo "0") + + if [[ ${ready_catalogs} -eq ${total_catalogs} && ${ready_catalogs} -gt 0 ]]; then + echo ">>> All CatalogSources are READY (${ready_catalogs}/${total_catalogs})" + all_catalogs_ready=true + break + fi + + # Show progress every 6 iterations (30 seconds) + if [[ $((i % 6)) -eq 0 ]]; then + echo ">>> CatalogSources ready: ${ready_catalogs}/${total_catalogs} (checking ${i}/120, $((i*5))s elapsed)..." 
+ echo "${catalog_states}" | grep -v "=READY" | head -5 || true + fi + + [[ ${i} -lt 120 ]] && sleep 5 + done + + if [[ "${all_catalogs_ready}" != "true" ]]; then + echo ">>> ERROR: Not all CatalogSources are READY after 600s" + echo ">>> Current CatalogSource states:" + oc get catalogsource -n openshift-marketplace -o custom-columns=NAME:.metadata.name,STATE:.status.connectionState.lastObservedState || true + echo ">>> CatalogSource pods:" + oc get pods -n openshift-marketplace || true + return 1 + fi + + # Stage 1: Wait for Trustee CatalogSource to be READY (60s) + # Skip if using existing catalog (no TRUSTEE_CATALOG_SOURCE_IMAGE provided) + if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + # Helm chart hardcodes the CatalogSource name to trustee-operator-dev-catalog + # Auto-discover in case the helm chart changes this in the future + local actual_catalog_name + actual_catalog_name=$(oc get catalogsource -n openshift-marketplace -l olm.catalogSource!=redhat-operators -o name 2>/dev/null | grep -i trustee | head -1 | cut -d/ -f2 || echo "") + + if [[ -z "$actual_catalog_name" ]]; then + # Fallback: use the hardcoded name from the helm chart + actual_catalog_name="trustee-operator-dev-catalog" + fi + + if ! 
wait_until "Trustee CatalogSource ${actual_catalog_name} READY" 60 5 \ + "[[ \"\$(oc get catalogsource -n openshift-marketplace '${actual_catalog_name}' -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null)\" == \"READY\" ]]"; then + echo ">>> All CatalogSources in openshift-marketplace:" >&2 + oc get catalogsource -n openshift-marketplace || true + echo ">>> Details of ${actual_catalog_name}:" >&2 + oc get catalogsource -n openshift-marketplace "${actual_catalog_name}" -o yaml || true + oc get pods -n openshift-marketplace -l olm.catalogSource="${actual_catalog_name}" || true + oc describe pods -n openshift-marketplace -l olm.catalogSource="${actual_catalog_name}" | tail -50 || true + return 1 + fi + else + echo ">>> Using existing CatalogSource redhat-operators" + fi + + # Stage 2: Wait for Subscription to reference an InstallPlan (300s) + local installplan_ref="" + if ! wait_until "Subscription to reference InstallPlan" 300 5 \ + "installplan_ref=\$(oc get subscription -n '${TRUSTEE_NAMESPACE}' trustee-operator -o jsonpath='{.status.installplan.name}' 2>/dev/null); [[ -n \"\${installplan_ref}\" ]]"; then + echo ">>> ERROR: Subscription has no InstallPlan reference" >&2 + oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o yaml || true + return 1 + fi + + # Capture the installplan ref for next stage + installplan_ref=$(oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o jsonpath='{.status.installplan.name}' 2>/dev/null || echo "") + echo ">>> Subscription references InstallPlan: ${installplan_ref}" >&2 + + # Stage 3: Wait for InstallPlan to be Complete (300s) + if ! 
wait_until "InstallPlan ${installplan_ref} Complete" 300 5 \ + "[[ \"\$(oc get installplan -n '${TRUSTEE_NAMESPACE}' '${installplan_ref}' -o jsonpath='{.status.phase}' 2>/dev/null)\" == \"Complete\" ]]"; then + echo ">>> ERROR: InstallPlan not Complete" >&2 + oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o yaml || true + return 1 + fi + + # Stage 4: Wait for CSV to be Succeeded (600s / 10 minutes) + if ! wait_until "CSV Succeeded" 600 5 \ + "[[ \"\$(oc get csv -n '${TRUSTEE_NAMESPACE}' -o jsonpath='{.items[0].status.phase}' 2>/dev/null)\" == \"Succeeded\" ]]"; then + echo ">>> ERROR: CSV not Succeeded" >&2 + oc get csv -n "${TRUSTEE_NAMESPACE}" -o yaml || true + return 1 + fi + + # Export CSV name for kbs-client version mapping + local csv_name + csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + export TRUSTEE_CSV_NAME="${csv_name}" + echo ">>> CSV ${csv_name} is Succeeded" >&2 + + # Stage 5: Wait for Deployment to be Available (600s / 10 minutes) + if ! wait_until "operator deployment Available" 600 5 \ + "oc get deployment -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type==\"Available\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: Operator deployment not Available" >&2 + oc get deployment -n "${TRUSTEE_NAMESPACE}" || true + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + return 1 + fi + + # Stage 6: Wait for pods to be Ready (600s / 10 minutes for readiness probes) + if ! 
wait_until "operator pods Ready (1/1)" 600 5 \ + "ready_count=\$(oc get pods -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager -o jsonpath='{.items[*].status.containerStatuses[0].ready}' 2>/dev/null | tr ' ' '\\\n' | grep -c 'true' || echo '0'); total_count=\$(oc get pods -n '${TRUSTEE_NAMESPACE}' -l control-plane=controller-manager --no-headers 2>/dev/null | wc -l); [[ \${ready_count} -gt 0 ]] && [[ \${ready_count} -eq \${total_count} ]]"; then + echo ">>> ERROR: Operator pods not Ready" >&2 + echo ">>> Pods:" >&2 + oc get pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + echo ">>> Pod details:" >&2 + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager | tail -100 || true + echo ">>> Pod logs:" >&2 + oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true + return 1 + fi + + # Show final pod status + oc get pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + echo ">>> Operator installation complete" >&2 +} + +# Install Trustee operands using helm-rendered manifests +function install_trustee_operands() { + local charts_dir="$1" + + echo ">>> Installing Trustee operands (cluster domain: ${CLUSTER_DOMAIN})" + + # Render operands chart + local operands_yaml="${SCRATCH}/operands-manifests.yaml" + if ! render_trustee_operands_chart "${charts_dir}" > "${operands_yaml}"; then + echo ">>> ERROR: Failed to render operands chart" + return 1 + fi + + echo ">>> Rendered operands YAML (first 30 lines):" + head -30 "${operands_yaml}" + echo ">>> Total YAML lines: $(wc -l < "${operands_yaml}")" + + # Apply operands chart + local apply_output + if ! 
apply_output=$(oc apply -f "${operands_yaml}" 2>&1); then + echo ">>> ERROR: Failed to apply operands manifests" + echo "$apply_output" + echo ">>> Full operands YAML:" + cat "${operands_yaml}" + return 1 + fi + + echo ">>> Apply output:" + echo "$apply_output" +} + +# Wait for operand deployments to become available +function wait_for_operands() { + sleep 10 + + local operand_deployments + operand_deployments=$(oc get deployment -n "${TRUSTEE_NAMESPACE}" -o name 2>/dev/null | grep -v controller-manager || true) + + if [[ -n "${operand_deployments}" ]]; then + for deployment in ${operand_deployments}; do + if ! wait_until "${deployment} Available" 150 15 \ + "oc get '${deployment}' -n '${TRUSTEE_NAMESPACE}' -o jsonpath='{.status.conditions[?(@.type==\"Available\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: ${deployment} not ready after timeout" >&2 + oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + oc describe "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + exit 1 + fi + done + fi +} + +#======================================== +# Configuration Functions +#======================================== + +# Get TLS certificate for cluster ingress (tries multiple sources) +function get_tls_certificate() { + local cert_data="" + + # Try router-ca, ingress-operator secrets, openssl, then any ingress secret + if oc get secret -n openshift-ingress-operator router-ca &>/dev/null; then + cert_data=$(oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + + if [[ -z "${cert_data}" ]]; then + local cert_secret + cert_secret=$(oc get secret -n openshift-ingress-operator -o name 2>/dev/null | grep -E 'router-certs|ingress-operator' | head -1) + if [[ -n "${cert_secret}" ]]; then + cert_data=$(oc get "${cert_secret}" -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + if [[ -z "${cert_data}" ]] && [[ -n 
"${TRUSTEE_HOST}" ]]; then + cert_data=$(echo | timeout 5 openssl s_client -connect "${TRUSTEE_HOST}:443" -servername "${TRUSTEE_HOST}" 2>/dev/null | openssl x509 2>/dev/null || echo "") + fi + + if [[ -z "${cert_data}" ]]; then + local cert_info + cert_info=$(oc get secret -A -o json 2>/dev/null | jq -r '.items[] | select(.metadata.name | contains("ingress")) | select(.data."tls.crt" != null) | "\(.metadata.namespace)/\(.metadata.name)"' | head -1 || echo "") + if [[ -n "${cert_info}" ]]; then + local ns name + ns=$(echo "${cert_info}" | cut -d/ -f1) + name=$(echo "${cert_info}" | cut -d/ -f2) + cert_data=$(oc get secret "${name}" -n "${ns}" -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + [[ -z "${cert_data}" ]] && echo ">>> WARN: No TLS certificate found" >&2 + + echo "${cert_data}" +} + +# Get Trustee KBS service URL and save to SHARED_DIR +function get_trustee_url() { + local kbs_service="kbs-service" + local trustee_url="" + local trustee_host="" + local trustee_port="" + + trustee_port=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.ports[0].port}' 2>/dev/null || echo "8080") + + # Try OpenShift route, LoadBalancer, then ClusterIP + if oc get route -n "${TRUSTEE_NAMESPACE}" &>/dev/null; then + trustee_host=$(oc get route "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.host}' 2>/dev/null || echo "") + if [[ -n "${trustee_host}" ]]; then + trustee_url="http://${trustee_host}" + echo ">>> Trustee URL: ${trustee_url} (HTTP for test environment)" + fi + fi + + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + [[ -z "${trustee_ip}" ]] && trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "") + if [[ -n "${trustee_ip}" ]]; then + 
trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + fi + fi + + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "") + if [[ -n "${trustee_ip}" ]]; then + echo ">>> WARN: Trustee using ClusterIP only (not externally accessible)" + trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + else + echo ">>> ERROR: Cannot find Trustee KBS service in namespace ${TRUSTEE_NAMESPACE}" + return 1 + fi + fi + + echo "${trustee_url}" > "${SHARED_DIR}/TRUSTEE_URL" + echo "${trustee_host}" > "${SHARED_DIR}/TRUSTEE_HOST" + echo "${trustee_port}" > "${SHARED_DIR}/TRUSTEE_PORT" + + export TRUSTEE_URL="${trustee_url}" + export TRUSTEE_HOST="${trustee_host}" + export TRUSTEE_PORT="${trustee_port}" +} + +# Create INITDATA for confidential containers (includes aa.toml, cdh.toml, policy.rego) +function create_initdata() { + local tls_cert + tls_cert=$(get_tls_certificate) + + local policy_data + policy_data=$(oc get secret containers-policy -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.signed}' 2>/dev/null | base64 -d || echo "") + + if [[ -z "${policy_data}" ]]; then + echo ">>> WARN: containers-policy secret not found, using default reject policy" + policy_data='{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "ghcr.io/confidential-containers/test-container-image-rs": [ + { + "type": "sigstoreSigned", + "keyPath": "kbs:///default/cosign-keys/key-0" + } + ] + } + } +}' + fi + + local policy_json + if command -v jq &> /dev/null; then + policy_json=$(echo "${policy_data}" | jq -c '.') + else + policy_json=$(echo "${policy_data}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin), separators=(",", ":")))' 2>/dev/null || echo "${policy_data}") + fi + + local initdata_file="${SCRATCH}/initdata.toml" + + cat > "${initdata_file}" < "${SHARED_DIR}/INITDATA" + 
cp "${initdata_file}" "${SHARED_DIR}/initdata.toml" + + export INITDATA="${encoded_initdata}" +} + +# Update osc-config ConfigMap with Trustee URL and INITDATA +function update_env_configmap() { + if ! oc get configmap osc-config -n default &>/dev/null; then + echo ">>> WARN: osc-config ConfigMap not found normal if env-cm step hasn't run yet)" + exit 1 + fi + + oc patch configmap osc-config -n default --type=json -p="[ + {\"op\": \"replace\", \"path\": \"/data/trusteeUrl\", \"value\": \"${TRUSTEE_URL}\"}, + {\"op\": \"replace\", \"path\": \"/data/INITDATA\", \"value\": \"${INITDATA}\"} + ]" +} + +#======================================== +# Verification Functions +#======================================== + +# Generate kbs-client test pod manifest +function get_kbs_client_manifest() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Pod +metadata: + name: KBS_CLIENT_POD_PLACEHOLDER + namespace: KBS_CLIENT_NAMESPACE_PLACEHOLDER +spec: + containers: + - name: kbs-client + image: KBS_CLIENT_IMAGE_PLACEHOLDER + command: ["sleep", "infinity"] + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + restartPolicy: Never +MANIFEST_EOF +} + +# Map trustee operator version to compatible kbs-client version +function map_trustee_to_kbs_client_version() { + local trustee_version="$1" + case "${trustee_version}" in + 1.1.*|1.1) echo "v0.17.0" ;; + 1.11.*|1.11) echo "v0.19.0" ;; + *) echo "" ;; # No mapping exists + esac +} + +# Determine kbs-client image tag (from KBS_CLIENT_TAG, trustee CSV, or auto-discover) +function get_kbs_client_tag() { + # 1. Use explicit override if provided + if [[ -n "${KBS_CLIENT_TAG:-}" ]]; then + echo ">>> kbs-client tag (from KBS_CLIENT_TAG): ${KBS_CLIENT_TAG}" >&2 + echo "${KBS_CLIENT_TAG}" + return 0 + fi + + # 2. 
Try to map from trustee operator CSV version + if [[ -n "${TRUSTEE_CSV_NAME:-}" ]]; then + # Extract version from CSV name (e.g., "trustee-operator.v1.10.0" -> "1.10.0") + local trustee_version + trustee_version=$(echo "${TRUSTEE_CSV_NAME}" | sed 's/^trustee-operator\.v//') + + if [[ -n "${trustee_version}" ]]; then + # Try major.minor mapping first (e.g., "1.10.0" -> "1.10") + local trustee_minor="${trustee_version%.*}" + local mapped_tag + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_minor}") + + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + + # Try full version mapping if minor didn't match + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_version}") + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + fi + fi + + # 3. Auto-discover latest semver tag from registry + local latest_tag="" + latest_tag=$(skopeo list-tags docker://quay.io/confidential-containers/kbs-client 2>/dev/null | \ + jq -r '.Tags[]' | \ + grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | \ + sort -V | \ + tail -1 || echo "") + + if [[ -n "${latest_tag}" ]]; then + echo ">>> kbs-client tag (auto-discovered latest semver): ${latest_tag}" >&2 + echo "${latest_tag}" + return 0 + fi + + # 4. 
Fallback to known-good version + echo ">>> WARN: Could not determine kbs-client tag, using fallback: v0.17.0" >&2 + echo "v0.17.0" +} + +# Verify Trustee KBS connectivity using kbs-client test pod +function verify_trustee_connectivity() { + local kbs_client_pod="kbs-client-test" + local kbs_client_namespace="${TRUSTEE_NAMESPACE}" + local kbs_client_tag + kbs_client_tag=$(get_kbs_client_tag) + local kbs_client_image="quay.io/confidential-containers/kbs-client:${kbs_client_tag}" + + echo ">>> Creating kbs-client test pod (image: ${kbs_client_image})" + get_kbs_client_manifest | \ + sed "s@KBS_CLIENT_POD_PLACEHOLDER@${kbs_client_pod}@g" | \ + sed "s@KBS_CLIENT_NAMESPACE_PLACEHOLDER@${kbs_client_namespace}@g" | \ + sed "s@KBS_CLIENT_IMAGE_PLACEHOLDER@${kbs_client_image}@g" | \ + oc apply -f - + + # Wait for pod to become ready + if ! wait_until "kbs-client pod Ready" 150 15 \ + "oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[?(@.type==\"Ready\")].status}' 2>/dev/null | grep -q 'True'"; then + echo ">>> ERROR: kbs-client pod not ready" >&2 + oc describe pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + oc logs pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true + return 1 + fi + + # Get expected resource value from KbsConfig + local expected_value="" + local configmap_name + configmap_name=$(oc get kbsconfig -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].spec.kbsConfigMapName}' 2>/dev/null || echo "") + + if [[ -n "${configmap_name}" ]]; then + expected_value=$(oc get configmap "${configmap_name}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.kbsres1}' 2>/dev/null || echo "") + fi + + if [[ -z "${expected_value}" ]]; then + echo ">>> WARN: Could not determine expected resource value from KbsConfig ConfigMap" >&2 + # Fallback: check the KbsConfig resource data directly + expected_value=$(oc get kbsconfig -n "${TRUSTEE_NAMESPACE}" 
-o jsonpath='{.items[0].spec.resourceData.default.kbsres1.key1}' 2>/dev/null || echo "key1") + fi + + # Test KBS connectivity using RCA protocol + # The kbs-client performs Remote Attestation Protocol (RCA): + # 1. GET resource → 401 (no token) + # 2. POST /auth + POST /attest (get attestation token) + # 3. GET resource → 200 (with token) + local kbs_test_failed=false + echo ">>> Testing KBS connectivity: ${TRUSTEE_URL}/default/kbsres1/key1" + echo ">>> Expected resource value: ${expected_value}" + + if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ + kbs-client --url "${TRUSTEE_URL}" get-resource --path default/kbsres1/key1 \ + > /tmp/kbs-resource.txt 2> /tmp/kbs-stderr.txt; then + + # Success - verify the retrieved value + echo ">>> Successfully retrieved default/kbsres1/key1" + local resource_value + resource_value=$(cat /tmp/kbs-resource.txt 2>/dev/null || echo "") + echo ">>> Retrieved resource value: ${resource_value}" + + # Validate the retrieved value matches what was configured + if [[ -n "${expected_value}" ]] && [[ "${resource_value}" != "${expected_value}" ]]; then + echo ">>> ERROR: Resource value mismatch!" 
+ echo ">>> Expected: ${expected_value}" + echo ">>> Retrieved: ${resource_value}" + kbs_test_failed=true + else + echo ">>> ✓ Resource value matches expected value" + kbs_test_failed=false + fi + else + # Failure - show diagnostics + echo ">>> ERROR: Failed to retrieve resource from Trustee KBS at ${TRUSTEE_URL}" + + # Show stderr (has the actual error) + if [[ -s /tmp/kbs-stderr.txt ]]; then + echo ">>> Error output:" + cat /tmp/kbs-stderr.txt + fi + + # Show stdout (might have partial data) + if [[ -s /tmp/kbs-resource.txt ]]; then + echo ">>> Partial output:" + cat /tmp/kbs-resource.txt + fi + + # Check for specific error patterns in both stdout and stderr + local all_output + all_output="$(cat /tmp/kbs-resource.txt /tmp/kbs-stderr.txt 2>/dev/null || true)" + + if echo "${all_output}" | grep -q "404\|not found\|NotFound"; then + echo ">>> ERROR: Resource not found (404) - KbsConfig may not have published secrets correctly" + fi + if echo "${all_output}" | grep -q "Connection refused\|Connection timed out\|timed out"; then + echo ">>> ERROR: Cannot connect to KBS service" + fi + if echo "${all_output}" | grep -q "certificate verify failed\|SSL\|TLS"; then + echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS (current: ${TRUSTEE_URL})" + fi + + kbs_test_failed=true + fi + + # Capture KBS logs for debugging (shows RCA protocol flow) + local kbs_pod + kbs_pod=$(oc get pod -n "${TRUSTEE_NAMESPACE}" -l app=kbs -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + + if [[ -n "${kbs_pod}" ]]; then + local log_file="${ARTIFACT_DIR:-${SHARED_DIR}}/kbs-attestation-logs.txt" + # Strip ANSI color codes from logs for cleaner output + oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m 2>&1 | sed 's/\x1b\[[0-9;]*m//g' > "${log_file}" || true + + if [[ -n "${ARTIFACT_DIR}" && "${ARTIFACT_DIR}" != "${SHARED_DIR}" ]]; then + cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true + fi + + # Show attestation patterns (RCA 
protocol flow)
+ echo ">>> Attestation patterns (RCA protocol):"
+ if grep -q "POST.*attest" "${log_file}" 2>/dev/null; then
+ echo "✓ Attestation (POST /auth, POST /attest):"
+ grep -E "POST.*/auth|POST.*attest" "${log_file}" | tail -4
+ else
+ echo "⚠ No attestation POST requests"
+ fi
+
+ if grep -q "GET.*resource" "${log_file}" 2>/dev/null; then
+ echo "✓ Resource access (GET → 401 → attest → GET → 200):"
+ grep "GET.*resource" "${log_file}" | tail -5
+ else
+ echo "⚠ No resource GET requests"
+ fi
+ else
+ echo ">>> WARN: Could not find KBS pod"
+ oc get pods -n "${TRUSTEE_NAMESPACE}" || true
+ fi
+
+ oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true
+
+ if [[ "${kbs_test_failed}" == "true" ]]; then
+ echo ">>> ERROR: kbs-client connectivity test failed"
+ return 1
+ fi
+
+ return 0
+}
+
+#========================================
+# Main Execution
+#========================================
+
+echo ">>> Starting Trustee operator installation"
+
+# Fetch helm charts from GitHub
+CHARTS_DIR=$(fetch_trustee_charts)
+export CHARTS_DIR
+
+# Get cluster domain
+CLUSTER_DOMAIN=$(get_cluster_domain)
+export CLUSTER_DOMAIN
+
+# Install operator and operands
+install_trustee_operator "${CHARTS_DIR}"
+wait_for_operator
+install_trustee_operands "${CHARTS_DIR}"
+wait_for_operands
+
+# Configure and verify
+get_trustee_url
+create_initdata
+update_env_configmap
+verify_trustee_connectivity
+
+echo ">>> Trustee operator installation complete"
+echo ">>> KBS URL: ${TRUSTEE_URL}"
+echo ">>> INITDATA saved to: ${SHARED_DIR}/INITDATA"
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json
new file mode 100644
index 0000000000000..3bf63215782f7
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json
@@ -0,0 +1,17 @@
+{
+ "path": "sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml",
+ "owners": {
+ "approvers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ],
+ "reviewers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml
new file mode 100644
index 0000000000000..0b21ff5bcf200
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml
@@ -0,0 +1,60 @@
+ref:
+ as: sandboxed-containers-operator-install-trustee-operator
+ from: tools-with-helm
+ grace_period: 10m
+ commands: sandboxed-containers-operator-install-trustee-operator-commands.sh
+ dependencies:
+ - name: trustee-charts
+ env: IMAGE_TRUSTEE_CHARTS
+ resources:
+ requests:
+ cpu: 1000m
+ memory: 2000Mi
+ env:
+ - name: TRUSTEE_INSTALL
+ default: "false"
+ documentation: |-
+ Whether to install the trustee operator. Set to "true" to enable installation.
+ - name: TRUSTEE_NAMESPACE
+ default: "trustee-operator-system"
+ documentation: |-
+ The namespace where the trustee operator will be installed
+ - name: TRUSTEE_CATALOG_SOURCE_IMAGE
+ default: ""
+ documentation: |-
+ The container image for a custom trustee operator CatalogSource.
+ If empty (default), uses existing "redhat-operators" catalog.
+ If set, helm chart creates a new CatalogSource named "trustee-operator-dev-catalog" with this image.
+ Note: The CatalogSource name is hardcoded in the helm chart and cannot be overridden.
+ Example: "quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656"
+ - name: TRUSTEE_CHARTS_REPO
+ default: "https://github.com/confidential-devhub/charts"
+ documentation: |-
+ The git repository URL for trustee Helm charts. Used as a fallback when
+ IMAGE_TRUSTEE_CHARTS is not set.
+ - name: TRUSTEE_CHARTS_REF
+ default: "main"
+ documentation: |-
+ The git ref (branch/tag/commit) to use from the confidential-devhub/charts repository
+ - name: KBS_CLIENT_TAG
+ default: ""
+ documentation: |-
+ The kbs-client image tag to use for connectivity testing. If empty, automatically
+ discovers the latest v.X.Y.Z tag using skopeo. Override to pin a specific version
+ (e.g., "v0.19.0"). Fallback is v0.19.0 if skopeo lookup fails.
+ documentation: |-
+ A step that installs the trustee operator and operands on the cluster using pre-rendered
+ manifests embedded in the script. 
First installs the trustee-operator, waits for it to be
+ ready, then installs the trustee-operands with the derived cluster domain. After installation,
+ retrieves the Trustee KBS service URL and saves it to ${SHARED_DIR}/TRUSTEE_URL,
+ ${SHARED_DIR}/TRUSTEE_HOST, and ${SHARED_DIR}/TRUSTEE_PORT for use by subsequent test steps.
+ Also creates INITDATA for confidential containers including TLS certificate and image security
+ policy, saving both the encoded INITDATA and plain text initdata.toml to ${SHARED_DIR}.
+ When TRUSTEE_INSTALL=true, updates the osc-config ConfigMap with the generated TRUSTEE_URL
+ and INITDATA values, overriding any empty values set in the job configuration. Finally,
+ verifies Trustee connectivity by creating a kbs-client pod, testing resource fetching, and
+ capturing KBS pod logs showing attestation attempts to ${ARTIFACT_DIR}/kbs-attestation-logs.txt
+ for inclusion in CI job artifacts.
+
+ NO NETWORK ACCESS REQUIRED: This step uses pre-rendered manifests with runtime variable
+ substitution via sed, eliminating the need for helm or git. Works with restrict_network_access: true.
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml
index a46aca64e11a5..3cb7b9fc097a3 100644
--- a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml
+++ b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml
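Review bot: The step's closing paragraph (`NO NETWORK ACCESS REQUIRED … eliminating the need for helm or git. Works with restrict_network_access: true.`) contradicts the rest of this patch: the ref builds `from: tools-with-helm`, the commands script renders with `helm template`, falls back to `git clone` of `TRUSTEE_CHARTS_REPO` when `IMAGE_TRUSTEE_CHARTS` is unset (its own comment says that path needs `restrict_network_access: false`), and `get_kbs_client_tag` queries quay.io via `skopeo list-tags`. I would replace that paragraph with `Network access is needed unless the trustee-charts image dependency is provided and KBS_CLIENT_TAG is pinned; the git-clone and skopeo fallbacks require restrict_network_access: false.` The `KBS_CLIENT_TAG` text also states the fallback is v0.19.0 while the script's last resort echoes `v0.17.0`, so one of the two should change (and `v.X.Y.Z` reads as `vX.Y.Z`). From a supply-chain standpoint, `TRUSTEE_CHARTS_REF` defaulting to `main` of a third-party repository makes CI runs non-reproducible and lets upstream changes land in this job unreviewed; pinning to a tag or commit, or treating the image dependency as required, is the safer default.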
@@ -4,6 +4,7 @@ chain:
 - ref: sandboxed-containers-operator-get-kata-rpm
 - ref: sandboxed-containers-operator-peerpods-param-cm
 - ref: sandboxed-containers-operator-env-cm
+ - ref: sandboxed-containers-operator-install-trustee-operator
 - ref: sandboxed-containers-operator-record-metadata
 documentation: |-
 The sandboxed containers operator pre-testing chain
\ No newline at end of file
From 09279f4c9a52d4e80ff5299dc65336ca993ec8ca Mon Sep 17 00:00:00 2001
From: Deep Mistry
Date: Thu, 25 Jun 2026 14:55:31 -0400
Subject: [PATCH 13/14] Allow ci-scheduling-webhook cluster resources in core-ci AppProject (#81098)

Whitelist MutatingWebhookConfiguration, RuntimeClass, and PriorityClass so ci-scheduling-webhook manifests can sync on core-ci via Argo CD.
---
 clusters/gitops/apps/appproject-core-ci.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/clusters/gitops/apps/appproject-core-ci.yaml b/clusters/gitops/apps/appproject-core-ci.yaml
index 8022908005d5d..f44c7efc5621a 100644
--- a/clusters/gitops/apps/appproject-core-ci.yaml
+++ b/clusters/gitops/apps/appproject-core-ci.yaml
@@ -18,6 +18,12 @@ spec:
 kind: ClusterRoleBinding
 - group: apiextensions.k8s.io
 kind: CustomResourceDefinition
+ - group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ - group: node.k8s.io
+ kind: RuntimeClass
+ - group: scheduling.k8s.io
+ kind: PriorityClass
 - group: pipelines.openshift.io
 kind: GitopsService
 - group: operator.openshift.io
From b5341332e0655851b82c4594b685be397b8e3cf6 Mon Sep 17 00:00:00 2001
From: Tom Buskey
Date: Thu, 25 Jun 2026 17:06:12 -0400
Subject: [PATCH 14/14] Debug: Set CATALOG_SOURCE_IMAGE to 1.12.1-1781886111 for aws-ipi-peerpods OCP 4.22
---
 ...oxed-containers-operator-devel__downstream-candidate422.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
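Review bot: The new `sandboxed-containers-operator-install-trustee-operator` ref is appended to the chain unconditionally while the step's `TRUSTEE_INSTALL` env defaults to `"false"`; the main section of the commands script in this patch calls `fetch_trustee_charts`, `install_trustee_operator` and `verify_trustee_connectivity` with no visible `TRUSTEE_INSTALL` check, so unless that guard sits in the part of the script outside this chunk, every job using this pre chain will now attempt a Trustee install and fail if the charts or catalog are unavailable. A comment on the new entry stating the gating, e.g. `# no-op unless TRUSTEE_INSTALL=true`, would make the intent checkable against the script.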
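Review bot: `MutatingWebhookConfiguration` is a cluster-scoped admission resource; allowing it here means anything that syncs through the `core-ci` AppProject can register a webhook that rewrites every admitted object on that cluster, so this allowlist is only as tight as the project's `sourceRepos` and `destinations`, which are outside this hunk. I would add a comment tying the entries to their consumer, e.g. `# cluster-scoped kinds needed by ci-scheduling-webhook (#81098)` above the `admissionregistration.k8s.io` entry, and confirm that the project's source repositories are restricted to the repository holding those manifests. `RuntimeClass` and `PriorityClass` are likewise cluster-wide scheduling primitives and warrant the same review of who can push to the synced source.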
diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
index 2aa6d17ac457c..1c999bf34b9f2 100644
--- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
+++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
@@ -228,7 +228,7 @@ tests:
 cluster_profile: aws-sandboxed-containers-operator
 env:
 AWS_REGION_OVERRIDE: us-east-2
- CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest
+ CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:1.12.1-1781886111
 CATALOG_SOURCE_NAME: brew-catalog
 ENABLE_MUST_GATHER: "true"
 ENABLEPEERPODS: "true"