ipblock mnp tests

ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.22-nightly-x86.yaml

@@ -305,6 +305,32 @@ tests:
     - chain: create-infra-move-ingress-monitoring-registry
     - ref: openshift-qe-workers-scale
     workflow: openshift-qe-udn-density-pods
+- as: mnp-ipblocks-76500
+  steps:
+    allow_skip_on_success: true
+    cluster_profile: aws-perfscale
+    env:
+      ADDITIONAL_WORKER_NODES: "11"
+      BASE_DOMAIN: perfscale.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m6a.8xlarge
+      CONTROL_PLANE_INSTANCE_TYPE: m6a.12xlarge
+      CUSTOM_OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: registry.build07.ci.openshift.org/ci-ln-09l6sn2/release:latest
+      LOKI_USE_SERVICEMONITOR: "false"
+      MNP_CIDRS_PER_POLICY: "450"
+      MNP_POLICY_COUNT: "385"
+      MNP_TOTAL_PODS: "1400"
+      OPENSHIFT_INFRA_NODE_INSTANCE_TYPE: c5.4xlarge
+      SET_ENV_BY_PLATFORM: custom
+      USER_TAGS: |
+        TicketId MNP-76500
+      ZONES_COUNT: "3"
+    test:
+    - ref: openshift-qe-workers-scale
+    - ref: openshift-qe-enable-mnp
+    - ref: openshift-qe-mnp-ipblocks-loadtest
+    - ref: openshift-qe-perfscale-aws-data-path-sg
+    - chain: openshift-qe-data-path-tests
+    workflow: openshift-qe-installer-aws
 zz_generated_metadata:
   branch: main
   org: openshift-eng

ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml

@@ -2897,6 +2897,91 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )(aws-4.22-nightly-x86-loaded-upgrade-from-4.21-loaded-upgrade-3nodes-udn|remaining-required),?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build10
+    context: ci/prow/aws-4.22-nightly-x86-mnp-ipblocks-76500
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale
+      ci-operator.openshift.io/variant: aws-4.22-nightly-x86
+      ci.openshift.io/generator: prowgen
+      job-release: "4.22"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.22-nightly-x86-mnp-ipblocks-76500
+    rerun_command: /test aws-4.22-nightly-x86-mnp-ipblocks-76500
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=mnp-ipblocks-76500
+        - --variant=aws-4.22-nightly-x86
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )aws-4.22-nightly-x86-mnp-ipblocks-76500,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/openshift-qe/enable-mnp/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- perfscale-ocp-approvers
+reviewers:
+- perfscale-ocp-reviewers

ci-operator/step-registry/openshift-qe/enable-mnp/openshift-qe-enable-mnp-commands.sh

@@ -0,0 +1,135 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+echo "Enabling Multi-Network Policy support"
+echo "====================================="
+
+# Function for logging with timestamps
+log_info() { echo "$(date +'%Y-%m-%d %H:%M:%S') [INFO] $1"; }
+log_success() { echo "$(date +'%Y-%m-%d %H:%M:%S') [SUCCESS] $1"; }
+log_warning() { echo "$(date +'%Y-%m-%d %H:%M:%S') [WARNING] $1"; }
+log_error() { echo "$(date +'%Y-%m-%d %H:%M:%S') [ERROR] $1"; }
+
+# Check if oc is available
+if ! command -v oc >/dev/null 2>&1; then
+    log_error "OpenShift CLI (oc) not found"
+    exit 1
+fi
+
+# Check cluster connectivity
+if ! oc whoami >/dev/null 2>&1; then
+    log_error "Cannot connect to OpenShift cluster"
+    exit 1
+fi
+
+log_info "Cluster: $(oc whoami --show-server)"
+
+# Check current MNP status
+log_info "Checking current Multi-Network Policy status..."
+current_status=$(oc get network.operator.openshift.io cluster -o jsonpath='{.spec.useMultiNetworkPolicy}' 2>/dev/null || echo "false")
+log_info "Current useMultiNetworkPolicy: $current_status"
+
+if [[ "$current_status" == "true" ]]; then
+    log_success "Multi-Network Policy is already enabled"
+else
+    log_info "Enabling Multi-Network Policy..."
+
+    # Enable Multi-Network Policy
+    if oc patch network.operator.openshift.io cluster --type=merge -p '{"spec":{"useMultiNetworkPolicy":true}}'; then
+        log_success "Multi-Network Policy enabled successfully"
+    else
+        log_error "Failed to enable Multi-Network Policy"
+        exit 1
+    fi
+
+    # Wait for the configuration to be applied
+    log_info "Waiting for Multi-Network Policy configuration to be applied..."
+    for attempt in {1..30}; do
+        sleep 10
+        updated_status=$(oc get network.operator.openshift.io cluster -o jsonpath='{.spec.useMultiNetworkPolicy}' 2>/dev/null || echo "false")
+
+        if [[ "$updated_status" == "true" ]]; then
+            log_success "Multi-Network Policy configuration confirmed active"
+            break
+        fi
+
+        log_info "Attempt $attempt/30: Waiting for configuration to be applied..."
+
+        if [[ $attempt -eq 30 ]]; then
+            log_error "Timeout waiting for Multi-Network Policy configuration"
+            exit 1
+        fi
+    done
+fi
+
+# Wait for MultiNetworkPolicy CRD to be available
+log_info "Waiting for MultiNetworkPolicy CRD to be available..."
+for attempt in {1..60}; do
+    # Check multiple ways for CRD availability
+    if oc api-resources --api-group=k8s.cni.cncf.io 2>/dev/null | grep -q "multinetworkpolicies\|multi-networkpolicies"; then
+        log_success "MultiNetworkPolicy CRD is available via API group check"
+        break
+    elif oc api-resources 2>/dev/null | grep -E "multinetworkpolicies|multi-networkpolicies"; then
+        log_success "MultiNetworkPolicy CRD is available via general API resources"
+        break
+    elif oc get crd multinetworkpolicies.k8s.cni.cncf.io >/dev/null 2>&1; then
+        log_success "MultiNetworkPolicy CRD is available via direct CRD check"
+        break
+    fi
+
+    log_info "Attempt $attempt/60: Waiting for CRD to be installed..."
+
+    # Show debug info every 10 attempts
+    if (( attempt % 10 == 0 )); then
+        log_info "Debug: Available API groups:"
+        oc api-resources --api-group=k8s.cni.cncf.io 2>/dev/null || true
+        log_info "Debug: Network-related CRDs:"
+        oc get crd | grep -i network || true
+    fi
+
+    sleep 10
+
+    if [[ $attempt -eq 60 ]]; then
+        log_error "Timeout waiting for MultiNetworkPolicy CRD"
+        log_error "Available network-related resources:"
+        oc api-resources | grep -i network || true
+        log_error "Available CRDs:"
+        oc get crd | grep -i multinetwork || true
+        exit 1
+    fi
+done
+
+# Verify the CRD is properly installed
+log_info "Verifying MultiNetworkPolicy CRD details..."
+if oc explain multinetworkpolicy >/dev/null 2>&1; then
+    log_success "MultiNetworkPolicy CRD is properly installed and accessible"
+
+    # Show CRD information
+    log_info "MultiNetworkPolicy API version:"
+    oc api-resources | grep multi-networkpolicies | awk '{print $3}'
+else
+    log_warning "MultiNetworkPolicy CRD found but not fully accessible"
+fi
+
+# Verify cluster operators are stable
+log_info "Checking cluster operators status..."
+if ! oc get co network -o jsonpath='{.status.conditions[?(@.type=="Available")].status}' | grep -q "True"; then
+    log_warning "Network operator may not be fully ready"
+    oc get co network -o yaml | grep -A 5 -B 5 "conditions:"
+fi
+
+# Check multus pods are running
+log_info "Checking multus-networkpolicy pods..."
+multus_pods=$(oc get pods -n openshift-multus --no-headers -o custom-columns=":metadata.name" 2>/dev/null | wc -l || echo "0")
+if [[ $multus_pods -gt 0 ]]; then
+    log_success "Found $multus_pods multus pods running"
+    oc get pods -n openshift-multus
+else
+    log_info "No multus pods found (may be integrated into CNI)"
+fi
+
+log_success "Multi-Network Policy enablement completed successfully"
+echo "Multi-Network Policy is now ready for testing"

ci-operator/step-registry/openshift-qe/enable-mnp/openshift-qe-enable-mnp-ref.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "openshift-qe/enable-mnp/openshift-qe-enable-mnp-ref.yaml",
+	"owners": {
+		"approvers": [
+			"perfscale-ocp-approvers"
+		],
+		"reviewers": [
+			"perfscale-ocp-reviewers"
+		]
+	}
+}

ci-operator/step-registry/openshift-qe/enable-mnp/openshift-qe-enable-mnp-ref.yaml

@@ -0,0 +1,23 @@
+ref:
+  as: openshift-qe-enable-mnp
+  from_image:
+    namespace: ocp
+    name: "4.22"
+    tag: cli
+  commands: openshift-qe-enable-mnp-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  documentation: |-
+    Enables Multi-Network Policy support on the OpenShift cluster by patching the 
+    network operator configuration to set useMultiNetworkPolicy=true.
+
+    This step is required before running Multi-Network Policy tests as the feature
+    is not enabled by default in OpenShift clusters.
+
+    The step:
+    - Checks current MNP configuration status
+    - Enables useMultiNetworkPolicy if not already enabled
+    - Waits for the MultiNetworkPolicy CRD to become available
+    - Verifies the configuration is properly applied

ci-operator/step-registry/openshift-qe/mnp-ipblocks-loadtest/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- perfscale-ocp-approvers
+reviewers:
+- perfscale-ocp-reviewers