diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml index 742ae53307773..ea00677799dd1 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml 
@@ -188,26 +188,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure - an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve - endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with - Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully - idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\| - Unidling with Deployments \[apigroup:route.openshift.io\] should work with - UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using - the local DNS endpoint \[Suite:openshift/conformance/parallel\]\|Ensure HTTPRoute - object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-aws-conformance-calico minimum_interval: 336h steps: 
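Review bot: With the `TEST_SKIPS` override deleted and `workflow:` switched to `hypershift-aws-conformance-cilium-private`, this job no longer shows which conformance tests it excludes, and the deleted list covered the NetworkPolicy egress cases for `IPBlock.CIDR` and `IPBlock.Except`. The workflow definition is not visible in this part of the diff, so I cannot tell whether its default skip set is the same, narrower or broader; a broader default would silently reduce network-isolation coverage on this branch. Please confirm the workflow's `TEST_SKIPS` default matches what is removed here, and record why each security-relevant test is skipped in the workflow's `documentation:` text. The same applies to the 4.20 and 4.21 cilium hunks and to the three calico-private hunks, whose deleted lists skipped the default cluster RBAC policy check and the sysctl allowlist tests.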
@@ -221,21 +202,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml index 7dcf474804c48..380928e5bfe73 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml 
@@ -188,26 +188,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure - an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve - endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with - Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully - idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\| - Unidling with Deployments \[apigroup:route.openshift.io\] should work with - UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using - the local DNS endpoint \[Suite:openshift/conformance/parallel\]\|Ensure HTTPRoute - object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-kubevirt-metal-conformance-cilium capabilities: - intranet 
@@ -233,21 +214,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml index e2ad735052b8c..24e21bbb9105a 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml 
@@ -196,22 +196,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\]\| Netpol NetworkPolicy - between server and client should ensure an IP overlapping both IPBlock.CIDR - and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| Services should - serve endpoints on same port and different protocols \[Conformance\]\| Netpol - NetworkPolicy between server and client should enforce except clause while - egress access to server in CIDR block \[Feature:NetworkPolicy\]\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work - with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should - work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\| DNS should answer queries using the local DNS endpoint\| - Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-kubevirt-metal-conformance-cilium capabilities: - intranet 
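Review bot: The skip patterns deleted in this 4.21 hunk are written without the `\[Suite:openshift/conformance/parallel\] \[Suite:k8s\]` suffixes that the 4.19 and 4.20 cilium lists carry, yet all three branches now point at the same `hypershift-aws-conformance-cilium-private` workflow. If the patterns are matched as regular expressions against full test names, as the `\|` separators suggest, and if 4.21 test names no longer carry those suffixes, a shared default in the suffixed form would stop matching here and the previously skipped tests would run. Worth checking that the shared default uses the unsuffixed names, or keeping a per-branch `TEST_SKIPS` under `env:` where the names differ.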
@@ -326,21 +311,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index 22646346319cf..47963b527121b 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml 
@@ -202,6 +202,32 @@ tests: steps: cluster_profile: hypershift-aws workflow: hypershift-aws-conformance-cilium +- as: e2e-aws-conformance-cilium-private + cron: 0 0 * * 0 + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + workflow: hypershift-aws-conformance-cilium-private +- as: e2e-kubevirt-metal-conformance-cilium + capabilities: + - intranet + cron: 0 0 * * 0 + steps: + cluster_profile: equinix-ocp-hcp + env: + KONFLUX_DEPLOY_CATALOG_SOURCE: "true" + KONFLUX_DEPLOY_OPERATORS: "true" + KONFLUX_DEPLOY_SUBSCRIPTION: "false" + LOCAL_STORAGE_OPERATOR_SUB_SOURCE: local-storage-konflux + LVM_OPERATOR_SUB_CHANNEL: stable-4.22 + LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource + METALLB_OPERATOR_SUB_SOURCE: metallb-konflux + ODF_OPERATOR_SUB_CHANNEL: stable-4.21 + ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21 + REDHAT_OPERATORS_INDEX_TAG: v4.21 + workflow: hypershift-kubevirt-baremetalds-conformance-cilium - as: e2e-aws-external-oidc minimum_interval: 12h steps: 
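Review bot: In the added `e2e-kubevirt-metal-conformance-cilium` entry the operator pins disagree: `LVM_OPERATOR_SUB_CHANNEL` is `stable-4.22`, while `ODF_OPERATOR_SUB_CHANNEL: stable-4.21`, `ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21` and `REDHAT_OPERATORS_INDEX_TAG: v4.21` still point at the previous release. If that is deliberate, for example because no 4.22 index is published yet, say so in the commit description so the pins get bumped later; otherwise this release-4.22 job runs against operator content from an older catalog. The `e2e-kubevirt-metal-conformance-calico` entry in the next hunk repeats the same values.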
@@ -249,6 +275,38 @@ tests: steps: cluster_profile: openshift-org-aws workflow: hypershift-kubevirt-csi-e2e +- as: e2e-aws-conformance-calico + minimum_interval: 168h + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-conformance-calico +- as: e2e-aws-conformance-calico-private + minimum_interval: 168h + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + workflow: hypershift-aws-conformance-calico-private +- as: e2e-kubevirt-metal-conformance-calico + capabilities: + - intranet + minimum_interval: 168h + steps: + cluster_profile: equinix-ocp-hcp + env: + KONFLUX_DEPLOY_CATALOG_SOURCE: "true" + KONFLUX_DEPLOY_OPERATORS: "true" + KONFLUX_DEPLOY_SUBSCRIPTION: "false" + LOCAL_STORAGE_OPERATOR_SUB_SOURCE: local-storage-konflux + LVM_OPERATOR_SUB_CHANNEL: stable-4.22 + LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource + METALLB_OPERATOR_SUB_SOURCE: metallb-konflux + ODF_OPERATOR_SUB_CHANNEL: stable-4.21 + ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21 + REDHAT_OPERATORS_INDEX_TAG: v4.21 + workflow: hypershift-kubevirt-baremetalds-conformance-calico - as: e2e-azure-aks-ovn-conformance cron: 0 */2 * * * steps: diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml index d7c40f45c9bb4..25f81012f8895 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml 
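Review bot: `TEST_ARGS` on the added `e2e-aws-conformance-calico-private` entry disables only `apiserver-incluster-availability`, whereas the private jobs on release-4.19 to 4.21 in this same diff also disable `service-type-load-balancer-availability`. Nothing visible explains dropping it, so either that monitor now passes on private clusters or this will surface as a recurring failure; if it is still needed the line would read `TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability`. The `e2e-aws-conformance-cilium-private` entry in the previous hunk and both private entries in the release-5.0 hunk carry the same shortened value.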
@@ -238,6 +238,28 @@ tests: steps: cluster_profile: hypershift-aws workflow: hypershift-aws-conformance-cilium +- as: e2e-aws-conformance-cilium-private + cron: 0 0 * * 0 + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + workflow: hypershift-aws-conformance-cilium-private +- as: e2e-aws-conformance-calico + minimum_interval: 168h + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-conformance-calico +- as: e2e-aws-conformance-calico-private + minimum_interval: 168h + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + workflow: hypershift-aws-conformance-calico-private - as: e2e-aws-external-oidc minimum_interval: 12h steps: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml index 85cf3ba9db661..1bc1b7bff64cb 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml 
@@ -418,6 +418,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 decorate: true 
@@ -501,6 +667,89 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build01 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-cilium-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + 
secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 decorate: true 
@@ -1826,6 +2075,174 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-kubevirt-metal-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-kubevirt-metal-conformance-cilium + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + 
name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 cron: 0 10 * * * diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml index 75866ec19be6e..1550a1ab185c4 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml 
@@ -248,6 +248,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build07 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build11 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-calico-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build07 decorate: true 
@@ -331,6 +497,89 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build11 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-cilium-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-cilium-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + 
secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build07 decorate: true diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh index 608704b5653f8..83414b961a3a2 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh 
@@ -13,13 +13,27 @@ fi # shellcheck disable=SC2016 timeout 30m bash -c 'until [[ $(oc get nodes --no-headers | wc -l) -eq "$HYPERSHIFT_NODE_COUNT" ]]; do sleep 15; done' -echo "Waiting for the guest cluster to be ready" -oc wait nodes --all --for=condition=Ready=true --timeout=15m +# Workaround for https://redhat.atlassian.net/browse/OCPBUGS-86033 +# Calico hardcodes cniVersion 0.3.1 but Multus on OCP 4.22+ requires >= 0.4.0. +timeout 15m bash -c 'until oc -n calico-system get cm cni-config 2>/dev/null; do sleep 10; done' +oc -n calico-system rollout status ds/calico-node --timeout=15m || true + +# Annotate the configmap to prevent the operator from reverting the patch. +oc annotate configmap cni-config -n calico-system unsupported.operator.tigera.io/ignore=true + +oc -n calico-system get cm cni-config -o yaml | \ + sed 's/\\"cniVersion\\": \\"0.3.1\\"/\\"cniVersion\\": \\"0.4.0\\"/' | \ + oc apply -f - +oc -n calico-system rollout restart ds/calico-node +oc -n calico-system rollout status ds/calico-node --timeout=5m oc wait tigerastatus calico --for=condition=Available --timeout=30m oc wait tigerastatus apiserver --for=condition=Available --timeout=30m oc wait tigerastatus ippools --for=condition=Available --timeout=30m +echo "Waiting for the guest cluster to be ready" +oc wait nodes --all --for=condition=Ready=true --timeout=15m + oc wait clusteroperators --all --for=condition=Available=True --timeout=30m oc wait clusteroperators --all --for=condition=Progressing=False --timeout=30m oc wait clusteroperators --all --for=condition=Degraded=False --timeout=30m diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh index 876f570250ff1..5760bcc1cd5d6 100644 
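Review bot: Nothing after the `sed | oc apply` pipeline confirms that the cniVersion substitution matched. If the operator renders the configmap with different escaping or a different version, the patch is a silent no-op and the step goes on to restart calico-node and wait on tigerastatus against the unpatched config. A check directly after the apply would surface that where it happens, for example `oc -n calico-system get cm cni-config -o yaml | grep -q 'cniVersion.*0\.4\.0' || { echo "cni-config still has the old cniVersion" >&2; exit 1; }`. The workaround comment could also say when the block can go, e.g. `# Remove once OCPBUGS-86033 is fixed in the Calico release used here.` The script's shell options are set outside the hunk, so whether a failed `oc annotate` or `oc apply` already aborts the step cannot be confirmed from here.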
--- a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh @@ -135,6 +135,18 @@ rm /tmp/global-pull-secret.json echo "{\"spec\":{\"pullSecret\":{\"name\":\"$CLUSTER_NAME-pull-secret-new\"}}}" > /tmp/patch.json oc patch hostedclusters -n "$HYPERSHIFT_NAMESPACE" "$CLUSTER_NAME" --type=merge -p="$(cat /tmp/patch.json)" +# Patching the HostedCluster pullSecret triggers a MachineDeployment rolling update +# (new ignition/user-data). Wait for the rollout to complete before proceeding, +# otherwise conformance tests will run on a cluster with nodes being replaced. +echo "Waiting for MachineDeployment rollouts" +MD_NAMESPACE="${HYPERSHIFT_NAMESPACE}-${CLUSTER_NAME}" +timeout 5m bash -c 'until oc get machinedeployments -n "'"${MD_NAMESPACE}"'" -l "cluster.x-k8s.io/cluster-name='"${CLUSTER_NAME}"'" --no-headers 2>/dev/null | grep -q .; do sleep 10; done' +for md in $(oc get machinedeployments -n "${MD_NAMESPACE}" -l "cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}" -o jsonpath='{.items[*].metadata.name}'); do + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m + echo "Waiting for MachineDeployment ${md} to finish rolling out..." + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=False --timeout=45m +done + echo "check day-2 pull-secret update" export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" RETRIES=45 
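Review bot: The first `oc wait ... --for=condition=RollingOut=True --timeout=5m` in the loop assumes every MachineDeployment reports a rollout within five minutes. Because the loop is sequential, a later MachineDeployment may already have finished rolling while the previous one was being waited on for up to 45m, and one that is never rolled makes the wait time out; that presumably fails the step, though the script's error handling is outside the hunk. Tolerating the timeout keeps the guard without the false failure: `oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m || echo "no rollout observed for ${md}"`. Separately, the `timeout 5m bash -c` line splices `${MD_NAMESPACE}` and `${CLUSTER_NAME}` into the command string. Exporting them and referencing them inside the single-quoted script, as the calico health-check step does with `$HYPERSHIFT_NODE_COUNT`, avoids re-parsing their values as shell.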
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml deleted file mode 100644 index 28d6017833997..0000000000000 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml +++ /dev/null @@ -1,19 +0,0 @@ -workflow: - as: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico - steps: - env: - HYPERSHIFT_NETWORK_TYPE: "Other" - HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade - pre: - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - - ref: cucushift-hypershift-extended-calico - - ref: cucushift-hypershift-extended-calico-health-check - - chain: cucushift-hypershift-extended-enable-qe-catalogsource - - ref: cucushift-hypershift-extended-enable-guest - - ref: cucushift-installer-reportportal-marker - post: - - ref: cucushift-hypershift-extended-disable-guest - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision - - ref: send-results-to-reportportal - documentation: |- - This is the workflow to install private Hypershift cluster with Tigera Calico CNI network stack. diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml deleted file mode 100644 index d46f7e24c07c4..0000000000000 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml +++ /dev/null @@ -1,19 +0,0 @@ -workflow: - as: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium - steps: - env: - HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. - HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade - pre: - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - - ref: cucushift-hypershift-extended-cilium - - ref: cucushift-hypershift-extended-cilium-health-check - - chain: cucushift-hypershift-extended-enable-qe-catalogsource - - ref: cucushift-hypershift-extended-enable-guest - - ref: cucushift-installer-reportportal-marker - post: - - ref: cucushift-hypershift-extended-disable-guest - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision - - ref: send-results-to-reportportal - documentation: |- - This is the workflow to install private Hypershift cluster with Cilium network stack. diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/OWNERS b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS similarity index 100% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/OWNERS rename to ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json similarity index 57% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json rename to ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json index 03b256488af65..051262fec672f 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json @@ -1,5 +1,5 @@ { - "path": "cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml", + "path": "hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml", "owners": { "approvers": [ "csrwng", diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml new file mode 100644 index 0000000000000..bcd222269602e --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml 
@@ -0,0 +1,40 @@ +workflow: + as: hypershift-aws-conformance-calico-private + documentation: |- + The HyperShift AWS conformance Calico private workflow executes conformance tests + against an ephemeral private HyperShift cluster with Tigera Calico CNI installed. + steps: + env: + HYPERSHIFT_NETWORK_TYPE: "Other" + HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade + CNI_PROVIDER: "calico" + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) + TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| + balancer healthcheck port and path should be 10256/healthz\| + Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should + provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with UDP\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] + net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on + whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| + sysctl allowlist update should start a pod with custom sysctl only when the + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS + pre: + - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision + - ref: cucushift-hypershift-extended-calico + - ref: cucushift-hypershift-extended-calico-health-check + - 
chain: cucushift-hypershift-extended-enable-qe-catalogsource + - ref: cucushift-hypershift-extended-enable-guest + - ref: cucushift-installer-reportportal-marker + test: + - chain: hypershift-conformance + post: + - ref: cucushift-hypershift-extended-disable-guest + - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision + - ref: send-results-to-reportportal diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml index 3a9939e5ad244..cf3c2df7cb0b5 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml @@ -7,9 +7,11 @@ workflow: steps: env: HYPERSHIFT_NETWORK_TYPE: "Other" - TEST_ARGS: --disable-monitor=service-type-load-balancer-availability + CNI_PROVIDER: "calico" + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| + balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] 
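Review bot: The two comment lines above `TEST_SKIPS` in the new calico-private workflow explain only the NLB and CCO entries, while the list also disables `The default cluster RBAC policy should have correct RBAC rules` and the sysctl allowlist tests with no tracking reference. Those are security-relevant conformance checks, and a skip without an issue link tends to outlive its reason. One comment per group would do, e.g. `# RBAC policy and sysctl allowlist tests: <tracking issue id> (reason)`, with the real id filled in by the author. The new cilium-private workflow has the same gap for its Netpol NetworkPolicy entries.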
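Review bot: In the conformance-calico workflow the skip entry that read `Cluster scoped load balancer healthcheck port and path should be 10256/healthz` now begins at `balancer healthcheck port…`, which looks like an accidental truncation; the new calico-private workflow carries the same fragment. If the shorter pattern is deliberate, a comment saying so would keep a later editor from "repairing" it, e.g. `# "balancer healthcheck ...": shortened on purpose to match every variant of the test name`. The same hunk drops `TEST_ARGS: --disable-monitor=service-type-load-balancer-availability` with no explanation in the visible diff; if that monitor is now expected to pass, a line in the commit description would record it. The `TEST_SKIPS` value continues past the end of this hunk.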
@@ -19,7 +21,10 @@ workflow: net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS post: - chain: hypershift-dump - chain: hypershift-aws-destroy diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/OWNERS b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/OWNERS similarity index 100% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/OWNERS rename to ci-operator/step-registry/hypershift/aws/conformance-cilium-private/OWNERS diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json similarity index 57% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json rename to ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json index f13f7721a6699..31bb49188cfcd 100644 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json +++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json @@ -1,5 +1,5 @@ { - "path": "cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml", + "path": "hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml", "owners": { "approvers": [ "csrwng", diff --git a/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml new file mode 100644 index 0000000000000..273352658f40a --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml 
@@ -0,0 +1,49 @@ +workflow: + as: hypershift-aws-conformance-cilium-private + documentation: |- + The HyperShift AWS conformance Cilium private workflow executes conformance tests + against an ephemeral private HyperShift cluster with Cilium CNI installed. + steps: + env: + HYPERSHIFT_NETWORK_TYPE: "Other" + HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade + CNI_PROVIDER: "cilium" + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) + TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress + access to server in CIDR block\| + Netpol NetworkPolicy between server and client should ensure an IP + overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| + Services should serve endpoints on same port and different protocols \[Conformance\]\| + Netpol NetworkPolicy between server and client should enforce + except clause while egress access to server in CIDR block\| + Netpol NetworkPolicy between server and client should deny ingress access to updated pod\| + Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with UDP\| + Unidling with Deployments \[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| + Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| + Unidling with Deployments \[apigroup:route.openshift.io\] should work with UDP\| + DNS should answer queries using the local DNS endpoint\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS\| + NonHyperShiftHOST-High-CCO metrics endpoint validation\| + Services should fallback to local terminating endpoints when there are no ready endpoints with externalTrafficPolicy=Local\| + Services should be rejected 
when no endpoints exist\| + Services should be rejected for evicted pods + pre: + - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision + - ref: cucushift-hypershift-extended-cilium + - ref: cucushift-hypershift-extended-cilium-network-policies + - ref: cucushift-hypershift-extended-cilium-health-check + - chain: cucushift-hypershift-extended-enable-qe-catalogsource + - ref: cucushift-hypershift-extended-enable-guest + - ref: cucushift-installer-reportportal-marker + test: + - chain: hypershift-conformance + post: + - ref: cucushift-hypershift-extended-disable-guest + - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision + - ref: send-results-to-reportportal diff --git a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml index 08e38b2c68a9e..ae3b230eaece0 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml 
@@ -32,12 +32,13 @@ workflow: # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\]\| + access to server in CIDR block\| Netpol NetworkPolicy between server and client should ensure an IP - overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| + overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols \[Conformance\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\]\| + except clause while egress access to server in CIDR block\| + Netpol NetworkPolicy between server and client should deny ingress access to updated pod\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] diff --git a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml index fe78c17db6075..0cbc1b6c0a3ae 100644 --- a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml +++ b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml @@ -88,7 +88,7 @@ chain: documentation: "The additional ca bundle file name in the shared directory" - name: CNI_PROVIDER default: "" - documentation: "The CNI provider to use for the cluster. Supported values: cilium" + documentation: "The CNI provider to use for the cluster. Supported values: cilium, calico" commands: |- set -exuo pipefail AWS_GUEST_INFRA_CREDENTIALS_FILE="/etc/hypershift-ci-jobs-awscreds/credentials" 
@@ -189,7 +189,7 @@ chain: fi # Required for Cilium, see OCPBUGS-85607. - if [[ "$CNI_PROVIDER" == "cilium" ]]; then + if [[ "$CNI_PROVIDER" == "cilium" || "$CNI_PROVIDER" == "calico" ]]; then COMMAND+=(--annotations=hypershift.openshift.io/aws-load-balancer-health-probe-mode=ServiceNodePort) fi diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml index e393e25ae4776..91f1d25cc742f 100644 --- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml @@ -29,6 +29,7 @@ workflow: - ref: cucushift-hypershift-extended-calico-health-check env: HYPERSHIFT_NETWORK_TYPE: "Other" + HYPERSHIFT_NODE_CPU_CORES: "8" KONFLUX_DEPLOY_OPERATORS: "false" KONFLUX_TARGET_OPERATORS: metallb,local-storage CLUSTERTYPE: host_384gb_el9 diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml index 17bedd66cc018..87e80e0cb85ff 100644 --- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml 
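Review bot: The comment above the changed condition still says `# Required for Cilium, see OCPBUGS-85607.` although the branch now also adds the `aws-load-balancer-health-probe-mode=ServiceNodePort` annotation for Calico. Updating it to `# Required for Cilium and Calico, see OCPBUGS-85607.` keeps the reason attached to both providers; if a different issue tracks the Calico case, that id belongs here instead. The enclosing `commands` script starts and ends outside the hunk.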
@@ -55,7 +55,11 @@ workflow: should work with UDP\| DNS should answer queries using the local DNS endpoint\|\[Feature:bond\]\| StatefulSet Basic\| StatefulSet Non-retain\| \[OCPFeatureGate:RouteExternalCertificate\]\| - migration when running openshift cluster on KubeVirt virtual machines + migration when running openshift cluster on KubeVirt virtual machines\| + Services should fallback to local terminating endpoints + when there are no ready endpoints with externalTrafficPolicy=Local\| Services + should be rejected when no endpoints exist\| Services should be rejected for + evicted pods DEVSCRIPTS_CONFIG: | IP_STACK=v4 NETWORK_TYPE=OVNKubernetes