adding rhoe 4.22 jobs for operator-pipelines

[acornett21]

Summary by CodeRabbit

• Chores
  • Added CI/CD test infrastructure configurations for OpenShift 4.22 certified operators.
  • Configured automated preflight validation workflows for pre-production and production testing environments.
  • Enabled periodic test scheduling to ensure ongoing operators certification compliance verification.

[acornett21]

/pj-rehearse periodic-ci-redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-preflight-preprod-claim periodic-ci-redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-preflight-prod-claim

[openshift-ci-robot]

@acornett21: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[acornett21]

/pj-rehearse periodic-ci-redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-preflight-preprod-claim

[openshift-merge-bot]

@acornett21: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[acornett21]

/retest

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@acornett21: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-preflight-prod-claim	N/A	periodic	Periodic changed
periodic-ci-redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-preflight-preprod-claim	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Walkthrough

Four new YAML configuration files are added to define CI/CD workflows for OCP 4.22 certified operators testing. These introduce release configurations, resource defaults, and yearly-scheduled preflight test jobs for both preprod and production environments with specific test pipeline steps and environment variables.

Changes

Cohort / File(s)	Summary
Preprod Configuration ci-operator/config/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22.yaml	Defines nightly release candidate for OCP 4.22, sets default resource requests/limits (cpu: 100m, memory: 200Mi, memory limit: 4Gi), and configures preflight-preprod-claim test with pre/test/post steps.
Production Configuration ci-operator/config/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22.yaml	Establishes releases.latest.candidate entry for OCP 4.22 nightly stream, resource defaults, and yearly-scheduled preflight-prod-claim test with decrypt/check/encrypt workflow and governance steps.
Periodic Job Definitions ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml, ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml	Adds Prow periodic job configurations with yearly @cron schedules, build01 cluster targeting, ci-operator container setup with target preflight tests, secret mounts, and service account bindings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding RHOE 4.22 jobs for operator-pipelines, which is exactly what the PR does across four configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	Pull request adds only CI/CD configuration files (YAML) with no Ginkgo test code present.
Test Structure And Quality	✅ Passed	PR adds only CI configuration files in YAML format; no Ginkgo test code is present, making the check not applicable.
Microshift Test Compatibility	✅ Passed	This pull request adds CI job configurations and operator pipeline configuration YAML files, not new Ginkgo e2e test code. The custom check is specifically designed to assess new Ginkgo e2e tests (Go files containing test definitions with It(), Describe(), Context(), When(), etc.), and the shell verification confirms that no such test files are present in this PR. Since no new Ginkgo test code is being added, the MicroShift test compatibility check is not applicable to this pull request.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI configuration YAML files and Prow job definitions for OCP 4.22, not Ginkgo e2e test code.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI/CD infrastructure files for certified-operators testing on OCP 4.22 without topology-specific scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR adds only YAML configuration files for CI/CD job definitions with no executable source code, making the OTE Binary Stdout Contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not contain any new Ginkgo e2e tests. The four files added are YAML configuration files for CI/CD operations: two ci-operator config files and two Prow periodic job definitions. The custom check for IPv6 and disconnected network compatibility is not applicable to these files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml`:
- Around line 50-52: The pod spec mounts a volume named "gcs-credentials"
(mountPath /secrets/gcs) but no corresponding volume is declared in the spec;
add a volumes entry named "gcs-credentials" under the pod spec's volumes section
that points to the proper secret (e.g., secret: { secretName: "gcs-credentials"
}) so the mount in the container (gcs-credentials) resolves at runtime; ensure
the volume name exactly matches "gcs-credentials" used in the mount and place it
alongside the other volumes in the job spec.

In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml`:
- Around line 50-52: The PodSpec references a volumeMount named
"gcs-credentials" but no matching volume is declared, making the spec invalid;
add a volume under spec.template.spec.volumes (the same PodSpec used by the
ci-operator job) with name: gcs-credentials and point it to the correct Secret
(e.g., secret: { secretName: "gcs-credentials" } or the actual secret name used
in your cluster) so the volumeMount in volumeMounts can bind successfully and
keep the mount readOnly as intended.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: eb752023-a817-4a72-ba5e-b92e31dbafc7

📥 Commits

Reviewing files that changed from the base of the PR and between a1c24de and cb98d83.

📒 Files selected for processing (4)

• ci-operator/config/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22.yaml
• ci-operator/config/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22.yaml
• ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml
• ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml"

python -m pip install --quiet pyyaml

python - <<'PY'
import sys, yaml, pathlib
file = pathlib.Path("ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml")
doc = yaml.safe_load(file.read_text())

job = doc["periodics"][0]
container = job["spec"]["containers"][0]
mounts = {m["name"] for m in container.get("volumeMounts", [])}
vols = {v["name"] for v in job["spec"].get("volumes", [])}

missing = sorted(mounts - vols)
print("volumeMount names:", sorted(mounts))
print("volume names:", sorted(vols))
if missing:
    print("Missing volume definitions for:", missing)
    sys.exit(1)
print("All volumeMount names are backed by declared volumes.")
PY

Repository: openshift/release

Length of output: 414

---

Add missing gcs-credentials volume declaration.

The container mounts gcs-credentials at line 50–52, but no matching volume is declared in the spec. Kubernetes will reject this pod spec at validation time, preventing the job from running.

Add the volume to the volumes section:

Suggested fix

     volumes:
     - name: boskos
       secret:
         items:
         - key: credentials
           path: credentials
         secretName: boskos-credentials
+    - name: gcs-credentials
+      secret:
+        secretName: gcs-credentials
     - name: ci-pull-credentials
       secret:
         secretName: ci-pull-credentials

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml`
around lines 50 - 52, The pod spec mounts a volume named "gcs-credentials"
(mountPath /secrets/gcs) but no corresponding volume is declared in the spec;
add a volumes entry named "gcs-credentials" under the pod spec's volumes section
that points to the proper secret (e.g., secret: { secretName: "gcs-credentials"
}) so the mount in the container (gcs-credentials) resolves at runtime; ensure
the volume name exactly matches "gcs-credentials" used in the mount and place it
alongside the other volumes in the job spec.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml"

python - <<'PY'
import pathlib, re, sys

p = pathlib.Path("ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml")
lines = p.read_text().splitlines()

in_volume_mounts = False
in_volumes = False
mount_names = []
volume_names = []

for line in lines:
    if re.match(r'^\s*volumeMounts:\s*$', line):
        in_volume_mounts, in_volumes = True, False
        continue
    if re.match(r'^\s*volumes:\s*$', line):
        in_volume_mounts, in_volumes = False, True
        continue

    m = re.match(r'^\s*-\s*name:\s*"?([^"\s]+)"?\s*$', line)
    if m:
        name = m.group(1)
        if in_volume_mounts:
            mount_names.append(name)
        elif in_volumes:
            volume_names.append(name)

missing = sorted(set(mount_names) - set(volume_names))
print("volumeMount names:", mount_names)
print("volume names:", volume_names)
print("missing volume definitions:", missing)

if missing:
    sys.exit(1)
PY

Repository: openshift/release

Length of output: 252

---

🏁 Script executed:

cat -n ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml | sed -n '40,95p'

Repository: openshift/release

Length of output: 1754

---

Missing gcs-credentials volume makes the PodSpec invalid.

Line 51 references name: gcs-credentials in volumeMounts, but no matching entry exists under spec.volumes (lines 66-87). The periodic will fail before ci-operator starts.

Suggested fix

     volumes:
     - name: boskos
       secret:
         items:
         - key: credentials
           path: credentials
         secretName: boskos-credentials
+    - name: gcs-credentials
+      secret:
+        secretName: gcs-credentials
     - name: ci-pull-credentials
       secret:
         secretName: ci-pull-credentials

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml`
around lines 50 - 52, The PodSpec references a volumeMount named
"gcs-credentials" but no matching volume is declared, making the spec invalid;
add a volume under spec.template.spec.volumes (the same PodSpec used by the
ci-operator job) with name: gcs-credentials and point it to the correct Secret
(e.g., secret: { secretName: "gcs-credentials" } or the actual secret name used
in your cluster) so the volumeMount in volumeMounts can bind successfully and
keep the mount readOnly as intended.

[acornett21]

/pj-rehearse periodic-ci-redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-preflight-preprod-claim periodic-ci-redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-preflight-prod-claim

[openshift-merge-bot]

@acornett21: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[acornett21]

/pj-rehearse ack

[openshift-merge-bot]

@acornett21: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acornett21, yashoza19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/redhat-openshift-ecosystem/certified-operators-preprod/OWNERS [acornett21]
• ci-operator/config/redhat-openshift-ecosystem/certified-operators-prod/OWNERS [acornett21]
• ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/OWNERS [acornett21]
• ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/OWNERS [acornett21]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@acornett21: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.