From 3591d7d8b96733914b52a90653c4125c4a0c7524 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Mon, 27 Apr 2026 10:28:08 +0200 Subject: [PATCH 1/4] TMP: ci(hypershift): add calico conformance periodic tests for 4.22 Port three calico conformance tests from 4.21 to the 4.22 periodics config: e2e-aws-conformance-calico, e2e-aws-conformance-calico-private, and e2e-kubevirt-metal-conformance-calico. LVM operator bumped to stable-4.22; ODF kept at stable-4.21. Co-Authored-By: Claude Opus 4.6 --- ...ft-hypershift-release-4.22__periodics.yaml | 50 ++++ ...ift-hypershift-release-4.22-periodics.yaml | 250 ++++++++++++++++++ ...t-extended-calico-health-check-commands.sh | 18 +- ...extended-enable-qe-pull-secret-commands.sh | 12 + ...ershift-private-guest-calico-workflow.yaml | 1 + ...shift-aws-conformance-calico-workflow.yaml | 11 +- .../create/hypershift-aws-create-chain.yaml | 4 +- ...remetalds-conformance-calico-workflow.yaml | 1 + 8 files changed, 340 insertions(+), 7 deletions(-) diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index 22646346319cf..82a4650b334a1 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml 
@@ -249,6 +249,56 @@ tests: steps: cluster_profile: openshift-org-aws workflow: hypershift-kubevirt-csi-e2e +- as: e2e-aws-conformance-calico + minimum_interval: 168h + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-conformance-calico +- as: e2e-aws-conformance-calico-private + minimum_interval: 168h + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| + balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] + when installed on the cluster should provide named network metrics\| Unidling + \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work + with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should + work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] + net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on + whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| + sysctl allowlist update should start a pod with custom sysctl only when the + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| loadbalancer + NLB internal should be reachable with hairpinning traffic\| loadbalancer NLB + should be reachable with target-node-labels\| Critical-CCO-based flow for + olm managed operators and AWS STS\|The HAProxy router should pass the http2 + tests + test: + - chain: hypershift-conformance + workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico +- as: e2e-kubevirt-metal-conformance-calico + capabilities: + - 
intranet + minimum_interval: 168h + steps: + cluster_profile: equinix-ocp-hcp + env: + KONFLUX_DEPLOY_CATALOG_SOURCE: "true" + KONFLUX_DEPLOY_OPERATORS: "true" + KONFLUX_DEPLOY_SUBSCRIPTION: "false" + LOCAL_STORAGE_OPERATOR_SUB_SOURCE: local-storage-konflux + LVM_OPERATOR_SUB_CHANNEL: stable-4.22 + LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource + METALLB_OPERATOR_SUB_SOURCE: metallb-konflux + ODF_OPERATOR_SUB_CHANNEL: stable-4.21 + ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21 + REDHAT_OPERATORS_INDEX_TAG: v4.21 + workflow: hypershift-kubevirt-baremetalds-conformance-calico - as: e2e-azure-aks-ovn-conformance cron: 0 */2 * * * steps: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml index 85cf3ba9db661..89c25bd5bd774 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml 
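Review bot: In the `TEST_SKIPS` value of `e2e-aws-conformance-calico-private`, the second alternative starts at `balancer healthcheck port and path should be 10256/healthz`, which reads like a truncated test name. The hypershift-aws-conformance-calico workflow hunk later in this patch makes the same edit, replacing `Cluster scoped load balancer healthcheck port and path should be 10256/healthz\|` with the shortened form. If the list is matched as a pattern against test names (the consumer is not visible here), the shorter fragment can only match the same tests or more, so please confirm it is intended or restore the full name. That workflow hunk ties its NLB and CCO skips to OCPBUGS-74537 and OCPBUGS-84630 in comments, while this copy of the list carries no references, and `The HAProxy router should pass the http2 tests` has none in either place.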
@@ -418,6 +418,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 decorate: true 
@@ -1826,6 +1992,90 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build11 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-kubevirt-metal-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 cron: 0 10 * * * diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh index 608704b5653f8..83414b961a3a2 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh 
@@ -13,13 +13,27 @@ fi # shellcheck disable=SC2016 timeout 30m bash -c 'until [[ $(oc get nodes --no-headers | wc -l) -eq "$HYPERSHIFT_NODE_COUNT" ]]; do sleep 15; done' -echo "Waiting for the guest cluster to be ready" -oc wait nodes --all --for=condition=Ready=true --timeout=15m +# Workaround for https://redhat.atlassian.net/browse/OCPBUGS-86033 +# Calico hardcodes cniVersion 0.3.1 but Multus on OCP 4.22+ requires >= 0.4.0. +timeout 15m bash -c 'until oc -n calico-system get cm cni-config 2>/dev/null; do sleep 10; done' +oc -n calico-system rollout status ds/calico-node --timeout=15m || true + +# Annotate the configmap to prevent the operator from reverting the patch. +oc annotate configmap cni-config -n calico-system unsupported.operator.tigera.io/ignore=true + +oc -n calico-system get cm cni-config -o yaml | \ + sed 's/\\"cniVersion\\": \\"0.3.1\\"/\\"cniVersion\\": \\"0.4.0\\"/' | \ + oc apply -f - +oc -n calico-system rollout restart ds/calico-node +oc -n calico-system rollout status ds/calico-node --timeout=5m oc wait tigerastatus calico --for=condition=Available --timeout=30m oc wait tigerastatus apiserver --for=condition=Available --timeout=30m oc wait tigerastatus ippools --for=condition=Available --timeout=30m +echo "Waiting for the guest cluster to be ready" +oc wait nodes --all --for=condition=Ready=true --timeout=15m + oc wait clusteroperators --all --for=condition=Available=True --timeout=30m oc wait clusteroperators --all --for=condition=Progressing=False --timeout=30m oc wait clusteroperators --all --for=condition=Degraded=False --timeout=30m diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh index 876f570250ff1..5760bcc1cd5d6 100644 
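Review bot: The cniVersion workaround can silently do nothing: if the `sed` expression does not match the ConfigMap text, `oc apply` re-applies the unchanged object and the script restarts calico-node and carries on, and the earlier `rollout status ... || true` also hides a failed first rollout. A check after the apply, for example `oc -n calico-system get cm cni-config -o yaml | grep -q 'cniVersion.*0\.4\.0' || { echo "cni-config not patched"; exit 1; }`, would make the step fail at the point where the workaround stopped applying. `oc annotate` is called without `--overwrite`, which I would expect to error when the annotation is already present on a re-run; worth confirming. Because `unsupported.operator.tigera.io/ignore=true` takes this ConfigMap out of operator reconciliation, the conformance result describes a patched configuration, so a comment stating when to remove the block (once OCPBUGS-86033 is fixed) belongs next to it. Whether `pipefail` is in effect for the `oc get | sed | oc apply` pipeline is decided above the hunk.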
--- a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh @@ -135,6 +135,18 @@ rm /tmp/global-pull-secret.json echo "{\"spec\":{\"pullSecret\":{\"name\":\"$CLUSTER_NAME-pull-secret-new\"}}}" > /tmp/patch.json oc patch hostedclusters -n "$HYPERSHIFT_NAMESPACE" "$CLUSTER_NAME" --type=merge -p="$(cat /tmp/patch.json)" +# Patching the HostedCluster pullSecret triggers a MachineDeployment rolling update +# (new ignition/user-data). Wait for the rollout to complete before proceeding, +# otherwise conformance tests will run on a cluster with nodes being replaced. +echo "Waiting for MachineDeployment rollouts" +MD_NAMESPACE="${HYPERSHIFT_NAMESPACE}-${CLUSTER_NAME}" +timeout 5m bash -c 'until oc get machinedeployments -n "'"${MD_NAMESPACE}"'" -l "cluster.x-k8s.io/cluster-name='"${CLUSTER_NAME}"'" --no-headers 2>/dev/null | grep -q .; do sleep 10; done' +for md in $(oc get machinedeployments -n "${MD_NAMESPACE}" -l "cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}" -o jsonpath='{.items[*].metadata.name}'); do + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m + echo "Waiting for MachineDeployment ${md} to finish rolling out..." + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=False --timeout=45m +done + echo "check day-2 pull-secret update" export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" RETRIES=45 
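Review bot: The per-MachineDeployment loop waits for `RollingOut=True` with a 5m timeout only after the previous iteration has spent up to 45m waiting for `RollingOut=False`, so with more than one MachineDeployment a later one may already have finished rolling and the wait then times out on a rollout that succeeded. The same applies if a rollout completes before the first wait starts or if a MachineDeployment does not roll at all; whether that aborts the step depends on `set -e`, which would be set above the hunk. Waiting on the whole set at once narrows the window, e.g. a single selector-based wait for `RollingOut=True` followed by `oc wait machinedeployment -n "${MD_NAMESPACE}" -l "cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}" --for=condition=RollingOut=False --timeout=45m`. The `timeout 5m bash -c '...'` line splices `${MD_NAMESPACE}` and `${CLUSTER_NAME}` into the command string; exporting them and referencing the variables inside the single-quoted script avoids re-parsing their values as shell.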
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml index 28d6017833997..c14d71ddda73f 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml @@ -4,6 +4,7 @@ workflow: env: HYPERSHIFT_NETWORK_TYPE: "Other" HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade + CNI_PROVIDER: "calico" pre: - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - ref: cucushift-hypershift-extended-calico diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml index 3a9939e5ad244..cf3c2df7cb0b5 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml 
@@ -7,9 +7,11 @@ workflow: steps: env: HYPERSHIFT_NETWORK_TYPE: "Other" - TEST_ARGS: --disable-monitor=service-type-load-balancer-availability + CNI_PROVIDER: "calico" + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| + balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] @@ -19,7 +21,10 @@ workflow: net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS post: - chain: hypershift-dump - chain: hypershift-aws-destroy diff --git a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml index fe78c17db6075..0cbc1b6c0a3ae 100644 --- a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml +++ b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml 
@@ -88,7 +88,7 @@ chain: documentation: "The additional ca bundle file name in the shared directory" - name: CNI_PROVIDER default: "" - documentation: "The CNI provider to use for the cluster. Supported values: cilium" + documentation: "The CNI provider to use for the cluster. Supported values: cilium, calico" commands: |- set -exuo pipefail AWS_GUEST_INFRA_CREDENTIALS_FILE="/etc/hypershift-ci-jobs-awscreds/credentials" @@ -189,7 +189,7 @@ chain: fi # Required for Cilium, see OCPBUGS-85607. - if [[ "$CNI_PROVIDER" == "cilium" ]]; then + if [[ "$CNI_PROVIDER" == "cilium" || "$CNI_PROVIDER" == "calico" ]]; then COMMAND+=(--annotations=hypershift.openshift.io/aws-load-balancer-health-probe-mode=ServiceNodePort) fi diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml index e393e25ae4776..91f1d25cc742f 100644 --- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml @@ -29,6 +29,7 @@ workflow: - ref: cucushift-hypershift-extended-calico-health-check env: HYPERSHIFT_NETWORK_TYPE: "Other" + HYPERSHIFT_NODE_CPU_CORES: "8" KONFLUX_DEPLOY_OPERATORS: "false" KONFLUX_TARGET_OPERATORS: metallb,local-storage CLUSTERTYPE: host_384gb_el9 From cccc2dcefbc4a1025af40a26988912a17875cdf7 Mon Sep 17 00:00:00 2001 
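Review bot: In the second hunk the comment `# Required for Cilium, see OCPBUGS-85607.` is left unchanged while the condition now also matches `calico`, so the reason for setting `aws-load-balancer-health-probe-mode=ServiceNodePort` on Calico clusters is undocumented. Suggest `# Required for Cilium (OCPBUGS-85607) and Calico (OCPBUGS-NNNNN, placeholder).` with the actual reference filled in. `CNI_PROVIDER` is also not validated: any other non-empty value falls through without the annotation and without an error, so a typo in a workflow's env would only surface as test failures; a `case` on the supported values that exits on anything else would catch it. The `commands` block continues outside both hunks.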
From: Martin Gencur Date: Thu, 14 May 2026 11:29:10 +0200 Subject: [PATCH 2/4] TMP: Add jobs for Cilium for OCP 4.22 on Kubevirt and AWS-Private --- ...ft-hypershift-release-4.22__periodics.yaml | 46 +++++ ...ift-hypershift-release-4.22-periodics.yaml | 169 +++++++++++++++++- ...ershift-private-guest-cilium-workflow.yaml | 2 + ...shift-aws-conformance-cilium-workflow.yaml | 7 +- ...remetalds-conformance-cilium-workflow.yaml | 6 +- 5 files changed, 225 insertions(+), 5 deletions(-) diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index 82a4650b334a1..c31843490a2d3 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml 
@@ -202,6 +202,52 @@ tests: steps: cluster_profile: hypershift-aws workflow: hypershift-aws-conformance-cilium +- as: e2e-aws-conformance-cilium-private + cron: 0 0 * * 0 + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress + access to server in CIDR block\| Netpol NetworkPolicy between server and client + should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| + Services should serve endpoints on same port and different protocols \[Conformance\]\| + Netpol NetworkPolicy between server and client should enforce except clause + while egress access to server in CIDR block\|Netpol NetworkPolicy between + server and client should deny ingress access to updated pod\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with UDP\| DNS should answer queries using the local DNS endpoint\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| loadbalancer + NLB should be reachable with target-node-labels\| Critical-CCO-based flow + for olm managed operators and AWS STS\| NonHyperShiftHOST-High-CCO metrics + endpoint validation\| Services should fallback to local terminating endpoints + when there are no ready endpoints with externalTrafficPolicy=Local\| Services + should be rejected when no endpoints exist\| Services should be rejected for + evicted pods\|HAProxy router should pass the http2 tests\|\[DRA\] kubelet + test: + - chain: hypershift-conformance + workflow: 
cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium +- as: e2e-kubevirt-metal-conformance-cilium + capabilities: + - intranet + cron: 0 0 * * 0 + steps: + cluster_profile: equinix-ocp-hcp + env: + KONFLUX_DEPLOY_CATALOG_SOURCE: "true" + KONFLUX_DEPLOY_OPERATORS: "true" + KONFLUX_DEPLOY_SUBSCRIPTION: "false" + LOCAL_STORAGE_OPERATOR_SUB_SOURCE: local-storage-konflux + LVM_OPERATOR_SUB_CHANNEL: stable-4.22 + LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource + METALLB_OPERATOR_SUB_SOURCE: metallb-konflux + ODF_OPERATOR_SUB_CHANNEL: stable-4.21 + ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21 + REDHAT_OPERATORS_INDEX_TAG: v4.21 + workflow: hypershift-kubevirt-baremetalds-conformance-cilium - as: e2e-aws-external-oidc minimum_interval: 12h steps: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml index 89c25bd5bd774..1bc1b7bff64cb 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml +++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml 
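Review bot: The `TEST_SKIPS` list for `e2e-aws-conformance-cilium-private` removes several NetworkPolicy enforcement tests (egress to a CIDR block, the `except` clause, `should deny ingress access to updated pod`) from a job whose purpose is CNI conformance, with no bug reference for any entry. A regression in policy enforcement on this platform would not be reported by the job while those entries stay. Please record the tracking issue per skipped group, as the Calico workflow in this series does for its NLB and CCO skips, so that each entry can be dropped when its bug closes. `\[DRA\] kubelet` and `HAProxy router should pass the http2 tests` are short fragments; if the list is matched as a pattern against test names (not visible here), they may skip more than one test.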
@@ -667,6 +667,89 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build01 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-cilium-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + 
secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 decorate: true @@ -1993,7 +2076,7 @@ periodics: secret: secretName: result-aggregator - agent: kubernetes - cluster: build11 + cluster: build03 decorate: true decoration_config: skip_cloning: true 
@@ -2076,6 +2159,90 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-kubevirt-metal-conformance-cilium + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 cron: 0 10 * * * diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml index d46f7e24c07c4..ef9145ce71648 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml @@ -2,11 +2,13 @@ workflow: as: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium steps: env: + CNI_PROVIDER: "cilium" HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade pre: - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - ref: cucushift-hypershift-extended-cilium + - ref: cucushift-hypershift-extended-cilium-network-policies - ref: cucushift-hypershift-extended-cilium-health-check - chain: cucushift-hypershift-extended-enable-qe-catalogsource - ref: cucushift-hypershift-extended-enable-guest 
diff --git a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml index 08e38b2c68a9e..ae3b230eaece0 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml @@ -32,12 +32,13 @@ workflow: # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\]\| + access to server in CIDR block\| Netpol NetworkPolicy between server and client should ensure an IP - overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| + overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols \[Conformance\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\]\| + except clause while egress access to server in CIDR block\| + Netpol NetworkPolicy between server and client should deny ingress access to updated pod\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml index 17bedd66cc018..87e80e0cb85ff 100644 
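Review bot: The added entry `Netpol NetworkPolicy between server and client should deny ingress access to updated pod` turns off a NetworkPolicy enforcement check for the Cilium job without a reason or tracking reference, while the comment lines directly above the value explain only the NLB and CCO skips. Dropping the `\[Feature:NetworkPolicy\]` suffix from the three existing Netpol patterns also widens them: if the list is applied as a regex alternation, as the `\|` separators suggest, any test name containing that text is now skipped. I would add a comment above `TEST_SKIPS` such as `# Netpol skips: <reason> (<tracking issue placeholder>)` so the gap in isolation coverage is visible and can be closed later. The kubevirt conformance-cilium hunk that follows adds three `Services should …` skips with the same missing justification. Both `TEST_SKIPS` values begin and end outside their hunks.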
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml @@ -55,7 +55,11 @@ workflow: should work with UDP\| DNS should answer queries using the local DNS endpoint\|\[Feature:bond\]\| StatefulSet Basic\| StatefulSet Non-retain\| \[OCPFeatureGate:RouteExternalCertificate\]\| - migration when running openshift cluster on KubeVirt virtual machines + migration when running openshift cluster on KubeVirt virtual machines\| + Services should fallback to local terminating endpoints + when there are no ready endpoints with externalTrafficPolicy=Local\| Services + should be rejected when no endpoints exist\| Services should be rejected for + evicted pods DEVSCRIPTS_CONFIG: | IP_STACK=v4 NETWORK_TYPE=OVNKubernetes From 5b3c10e02c334b5712ff84643707f7974f87825f Mon Sep 17 00:00:00 2001 
From: Martin Gencur Date: Fri, 26 Jun 2026 11:29:07 +0200 Subject: [PATCH 3/4] ci(hypershift): migrate calico/cilium private conformance workflows to hypershift step registry Move cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-{calico,cilium} workflows from cucushift/ to hypershift/aws/conformance-{calico,cilium}-private/. Consolidate TEST_SKIPS into the workflow definitions and remove them from individual CI configs (4.19-4.22 periodics). Delete the now-unused cucushift workflow files. Co-Authored-By: Claude Opus 4.6 --- ...ft-hypershift-release-4.19__periodics.yaml | 37 +------------- ...ft-hypershift-release-4.20__periodics.yaml | 37 +------------- ...ft-hypershift-release-4.21__periodics.yaml | 33 +------------ ...ft-hypershift-release-4.22__periodics.yaml | 42 +--------------- ...ershift-private-guest-calico-workflow.yaml | 20 -------- ...ershift-private-guest-cilium-workflow.yaml | 21 -------- .../aws/conformance-calico-private}/OWNERS | 0 ...nce-calico-private-workflow.metadata.json} | 2 +- ...s-conformance-calico-private-workflow.yaml | 40 +++++++++++++++ .../aws/conformance-cilium-private}/OWNERS | 0 ...nce-cilium-private-workflow.metadata.json} | 2 +- ...s-conformance-cilium-private-workflow.yaml | 49 +++++++++++++++++++ 12 files changed, 99 insertions(+), 184 deletions(-) delete mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml delete mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml rename ci-operator/step-registry/{cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico => hypershift/aws/conformance-calico-private}/OWNERS (100%) rename 
ci-operator/step-registry/{cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json => hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json} (57%) create mode 100644 ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml rename ci-operator/step-registry/{cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium => hypershift/aws/conformance-cilium-private}/OWNERS (100%) rename ci-operator/step-registry/{cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json => hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json} (57%) create mode 100644 ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml index 742ae53307773..ea00677799dd1 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml 
@@ -188,26 +188,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure - an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve - endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with - Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully - idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\| - Unidling with Deployments \[apigroup:route.openshift.io\] should work with - UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using - the local DNS endpoint \[Suite:openshift/conformance/parallel\]\|Ensure HTTPRoute - object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-aws-conformance-calico minimum_interval: 336h steps: 
@@ -221,21 +202,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml index 7dcf474804c48..380928e5bfe73 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml 
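Review bot: Removing the job-level `TEST_SKIPS` makes the 4.19 calico-private job take its list from `hypershift-aws-conformance-calico-private`, and that list is not the one deleted here: the workflow added later in this patch also skips the two `loadbalancer NLB …` tests and `Critical-CCO-based flow for olm managed operators and AWS STS`, and it matches `balancer healthcheck port and path should be 10256/healthz` without the `Cluster scoped load` prefix. If those tests pass on 4.19, the consolidation silently drops coverage there; the same applies to the 4.20 and 4.21 calico-private hunks. Either keep a release-specific `TEST_SKIPS` in the older configs (assuming job-level env still overrides the workflow's), or state in the workflow comment that the extra skips are meant for every release. The cilium-private hunks cannot be compared from this view because the new cilium workflow is not shown.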
@@ -188,26 +188,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure - an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve - endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with - Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully - idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\| - Unidling with Deployments \[apigroup:route.openshift.io\] should work with - UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using - the local DNS endpoint \[Suite:openshift/conformance/parallel\]\|Ensure HTTPRoute - object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-kubevirt-metal-conformance-cilium capabilities: - intranet 
@@ -233,21 +214,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml index e2ad735052b8c..24e21bbb9105a 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml 
@@ -196,22 +196,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\]\| Netpol NetworkPolicy - between server and client should ensure an IP overlapping both IPBlock.CIDR - and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| Services should - serve endpoints on same port and different protocols \[Conformance\]\| Netpol - NetworkPolicy between server and client should enforce except clause while - egress access to server in CIDR block \[Feature:NetworkPolicy\]\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work - with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should - work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\| DNS should answer queries using the local DNS endpoint\| - Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-kubevirt-metal-conformance-cilium capabilities: - intranet 
@@ -326,21 +311,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index c31843490a2d3..47963b527121b 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml 
@@ -209,27 +209,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com TEST_ARGS: --disable-monitor=apiserver-incluster-availability - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block\| Netpol NetworkPolicy between server and client - should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| - Services should serve endpoints on same port and different protocols \[Conformance\]\| - Netpol NetworkPolicy between server and client should enforce except clause - while egress access to server in CIDR block\|Netpol NetworkPolicy between - server and client should deny ingress access to updated pod\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\| DNS should answer queries using the local DNS endpoint\| - loadbalancer NLB internal should be reachable with hairpinning traffic\| loadbalancer - NLB should be reachable with target-node-labels\| Critical-CCO-based flow - for olm managed operators and AWS STS\| NonHyperShiftHOST-High-CCO metrics - endpoint validation\| Services should fallback to local terminating endpoints - when there are no ready endpoints with externalTrafficPolicy=Local\| Services - should be rejected when no endpoints exist\| Services should be rejected for - evicted pods\|HAProxy router should pass the http2 tests\|\[DRA\] kubelet - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium + workflow: hypershift-aws-conformance-cilium-private - as: e2e-kubevirt-metal-conformance-cilium capabilities: - intranet 
@@ -308,25 +288,7 @@ tests: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" TEST_ARGS: --disable-monitor=apiserver-incluster-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] - when installed on the cluster should provide named network metrics\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work - with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should - work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created\| loadbalancer - NLB internal should be reachable with hairpinning traffic\| loadbalancer NLB - should be reachable with target-node-labels\| Critical-CCO-based flow for - olm managed operators and AWS STS\|The HAProxy router should pass the http2 - tests - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml deleted file mode 100644 index c14d71ddda73f..0000000000000 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml +++ /dev/null @@ -1,20 +0,0 @@ -workflow: - as: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico - steps: - env: - HYPERSHIFT_NETWORK_TYPE: "Other" - HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade - CNI_PROVIDER: "calico" - pre: - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - - ref: cucushift-hypershift-extended-calico - - ref: cucushift-hypershift-extended-calico-health-check - - chain: cucushift-hypershift-extended-enable-qe-catalogsource - - ref: cucushift-hypershift-extended-enable-guest - - ref: cucushift-installer-reportportal-marker - post: - - ref: cucushift-hypershift-extended-disable-guest - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision - - ref: send-results-to-reportportal - documentation: |- - This is the workflow to install private Hypershift cluster with Tigera Calico CNI network stack. diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml deleted file mode 100644 index ef9145ce71648..0000000000000 
--- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml +++ /dev/null @@ -1,21 +0,0 @@ -workflow: - as: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium - steps: - env: - CNI_PROVIDER: "cilium" - HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. - HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade - pre: - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - - ref: cucushift-hypershift-extended-cilium - - ref: cucushift-hypershift-extended-cilium-network-policies - - ref: cucushift-hypershift-extended-cilium-health-check - - chain: cucushift-hypershift-extended-enable-qe-catalogsource - - ref: cucushift-hypershift-extended-enable-guest - - ref: cucushift-installer-reportportal-marker - post: - - ref: cucushift-hypershift-extended-disable-guest - - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision - - ref: send-results-to-reportportal - documentation: |- - This is the workflow to install private Hypershift cluster with Cilium network stack. diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/OWNERS b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS similarity index 100% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/OWNERS rename to ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json similarity index 57% rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json rename to ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json index 03b256488af65..051262fec672f 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.metadata.json +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json @@ -1,5 +1,5 @@ { - "path": "cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml", + "path": "hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml", "owners": { "approvers": [ "csrwng", diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml new file mode 100644 index 0000000000000..bcd222269602e --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml 
@@ -0,0 +1,40 @@
+workflow:
+ as: hypershift-aws-conformance-calico-private
+ documentation: |-
+ The HyperShift AWS conformance Calico private workflow executes conformance tests
+ against an ephemeral private HyperShift cluster with Tigera Calico CNI installed.
+ steps:
+ env:
+ HYPERSHIFT_NETWORK_TYPE: "Other"
+ HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade
+ CNI_PROVIDER: "calico"
+ # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537)
+ # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630)
+ TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\|
+ balancer healthcheck port and path should be 10256/healthz\|
+ Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should
+ provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\]
+ should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\]
+ should work with UDP\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\]
+ net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on
+ whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\|
+ sysctl allowlist update should start a pod with custom sysctl only when the
+ sysctl is added to whitelist\|Ensure HTTPRoute object is created\|
+ loadbalancer NLB internal should be reachable with hairpinning traffic\|
+ loadbalancer NLB should be reachable with target-node-labels\|
+ Critical-CCO-based flow for olm managed operators and AWS STS
+ pre:
+ - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision
+ - ref: cucushift-hypershift-extended-calico
+ - ref: cucushift-hypershift-extended-calico-health-check
+ - chain: cucushift-hypershift-extended-enable-qe-catalogsource
+ - ref: cucushift-hypershift-extended-enable-guest
+ - ref: cucushift-installer-reportportal-marker
+ test:
+ - chain: hypershift-conformance
+ post:
+ - ref: cucushift-hypershift-extended-disable-guest
+ - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision
+ - ref: send-results-to-reportportal
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/OWNERS b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/OWNERS
similarity index 100%
rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/OWNERS
rename to ci-operator/step-registry/hypershift/aws/conformance-cilium-private/OWNERS
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json
similarity index 57%
rename from ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json
rename to ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json
index f13f7721a6699..31bb49188cfcd 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.metadata.json
+++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.metadata.json
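Review bot: Several `TEST_SKIPS` entries in the new calico-private workflow turn off security-relevant conformance checks without a stated reason: `The default cluster RBAC policy should have correct RBAC rules` and the three sysctl allowlist cases are skipped, while the two comments above the key explain only the NLB and CCO entries. A regression in default RBAC rules or sysctl allowlist enforcement on the Calico private cluster would therefore not surface in this periodic. I would add one comment line per skipped group naming the cause, for example `# RBAC/sysctl tests: <reason> (<tracking issue>)`, so each skip can be dropped once its bug closes. The same gap applies to the `Netpol NetworkPolicy` entries in hypershift-aws-conformance-cilium-private-workflow.yaml, a workflow that installs `cucushift-hypershift-extended-cilium-network-policies`.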
@@ -1,5 +1,5 @@
 {
- "path": "cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-cilium-workflow.yaml",
+ "path": "hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml",
 "owners": {
 "approvers": [
 "csrwng",
diff --git a/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml
new file mode 100644
index 0000000000000..273352658f40a
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium-private/hypershift-aws-conformance-cilium-private-workflow.yaml
@@ -0,0 +1,49 @@
+workflow:
+ as: hypershift-aws-conformance-cilium-private
+ documentation: |-
+ The HyperShift AWS conformance Cilium private workflow executes conformance tests
+ against an ephemeral private HyperShift cluster with Cilium CNI installed.
+ steps:
+ env:
+ HYPERSHIFT_NETWORK_TYPE: "Other"
+ HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade
+ CNI_PROVIDER: "cilium"
+ # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537)
+ # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630)
+ TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress
+ access to server in CIDR block\|
+ Netpol NetworkPolicy between server and client should ensure an IP
+ overlapping both IPBlock.CIDR and IPBlock.Except is allowed\|
+ Services should serve endpoints on same port and different protocols \[Conformance\]\|
+ Netpol NetworkPolicy between server and client should enforce
+ except clause while egress access to server in CIDR block\|
+ Netpol NetworkPolicy between server and client should deny ingress access to updated pod\|
+ Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ should work with UDP\|
+ Unidling with Deployments \[apigroup:route.openshift.io\]
+ should work with TCP (when fully idled)\|
+ Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ should work with TCP (when fully idled)\|
+ Unidling with Deployments \[apigroup:route.openshift.io\] should work with UDP\|
+ DNS should answer queries using the local DNS endpoint\|
+ loadbalancer NLB internal should be reachable with hairpinning traffic\|
+ loadbalancer NLB should be reachable with target-node-labels\|
+ Critical-CCO-based flow for olm managed operators and AWS STS\|
+ NonHyperShiftHOST-High-CCO metrics endpoint validation\|
+ Services should fallback to local terminating endpoints when there are no ready endpoints with externalTrafficPolicy=Local\|
+ Services should be rejected when no endpoints exist\|
+ Services should be rejected for evicted pods
+ pre:
+ - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision
+ - ref: cucushift-hypershift-extended-cilium
+ - ref: cucushift-hypershift-extended-cilium-network-policies
+ - ref: cucushift-hypershift-extended-cilium-health-check
+ - chain: cucushift-hypershift-extended-enable-qe-catalogsource
+ - ref: cucushift-hypershift-extended-enable-guest
+ - ref: cucushift-installer-reportportal-marker
+ test:
+ - chain: hypershift-conformance
+ post:
+ - ref: cucushift-hypershift-extended-disable-guest
+ - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision
+ - ref: send-results-to-reportportal
From 6b0be1ed84733367ec72f99d6f9fe252bce6cdd1 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 26 Jun 2026 11:47:44 +0200
Subject: [PATCH 4/4] ci(hypershift): add calico and cilium conformance periodic tests for OCP 5.0 Copy calico and cilium AWS conformance tests from 4.22 periodics to 5.0: - e2e-aws-conformance-cilium-private - e2e-aws-conformance-calico - e2e-aws-conformance-calico-private Kubevirt-metal variants will be added separately.
Co-Authored-By: Claude Opus 4.6
---
 ...ift-hypershift-release-5.0__periodics.yaml | 22 ++
 ...hift-hypershift-release-5.0-periodics.yaml | 249 ++++++++++++++++++
 2 files changed, 271 insertions(+)
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
index d7c40f45c9bb4..25f81012f8895 100644
--- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
+++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
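Review bot: `TEST_SKIPS` in the cilium-private workflow is written as a plain multi-line scalar, so a future entry containing ` #` or `: ` would be cut short or fail to parse, and the single long pattern is hard to review entry by entry. A folded block scalar states the intent explicitly: open the value with `TEST_SKIPS: >-` and keep one alternative per line at a uniform indent. Both forms fold line breaks into single spaces and leave the backslashes literal, so the resulting pattern should be unchanged, but that is worth confirming against the rendered job. The calico-private workflow's `TEST_SKIPS` is written the same way.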
@@ -238,6 +238,28 @@ tests:
 steps:
 cluster_profile: hypershift-aws
 workflow: hypershift-aws-conformance-cilium
+- as: e2e-aws-conformance-cilium-private
+ cron: 0 0 * * 0
+ steps:
+ cluster_profile: aws-qe
+ env:
+ BASE_DOMAIN: qe.devcluster.openshift.com
+ TEST_ARGS: --disable-monitor=apiserver-incluster-availability
+ workflow: hypershift-aws-conformance-cilium-private
+- as: e2e-aws-conformance-calico
+ minimum_interval: 168h
+ steps:
+ cluster_profile: hypershift-aws
+ workflow: hypershift-aws-conformance-calico
+- as: e2e-aws-conformance-calico-private
+ minimum_interval: 168h
+ steps:
+ cluster_profile: aws-qe
+ env:
+ BASE_DOMAIN: qe.devcluster.openshift.com
+ HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true"
+ TEST_ARGS: --disable-monitor=apiserver-incluster-availability
+ workflow: hypershift-aws-conformance-calico-private
 - as: e2e-aws-external-oidc
 minimum_interval: 12h
 steps:
diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml
index 75866ec19be6e..1550a1ab185c4 100644
--- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml
+++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml
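Review bot: The two private jobs added here both run on `cluster_profile: aws-qe` but are configured differently: only `e2e-aws-conformance-calico-private` sets `HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true"`, and `e2e-aws-conformance-cilium-private` is scheduled with `cron: 0 0 * * 0` where the calico jobs use `minimum_interval: 168h`. The variable presumably selects which AWS account hosts the guest infrastructure, so if the omission on the cilium job is not deliberate, the two jobs would create resources under different credentials. If both differences are intended, the commit description is the place to say why; otherwise align the cilium entry with the calico one. The `tests:` list continues outside this hunk, so the sibling 5.0 entries are not visible from here.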
@@ -248,6 +248,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build07 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build11 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-calico-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build07 decorate: true 
@@ -331,6 +497,89 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build11 + cron: 0 0 * * 0 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-5.0 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "5.0" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-cilium-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-cilium-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + 
secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build07 decorate: true