Merged
@@ -0,0 +1,45 @@
releases:
latest:
candidate:
product: ocp
stream: nightly
version: "4.22"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- as: preflight-preprod-claim
cluster_claim:
architecture: amd64
cloud: aws
owner: rh-openshift-ecosystem
product: ocp
timeout: 1h0m0s
version: "4.22"
cron: '@yearly'
steps:
allow_best_effort_post_steps: true
env:
ASSET_TYPE: operator
PFLT_ARTIFACTS: artifacts
PFLT_INDEXIMAGE: quay.io/opdev/simple-demo-operator-catalog:latest
TEST_ASSET: quay.io/opdev/simple-demo-operator-bundle:latest
post:
- ref: gather-must-gather
pre:
- ref: operator-pipelines-preflight-preprod-health
- ref: ipi-install-rbac
- ref: operator-pipelines-preflight-preprod-approve-csrs
- ref: operator-pipelines-preflight-preprod-operator-registry-cache-fix
test:
- ref: operator-pipelines-preflight-preprod-decrypt
- ref: operator-pipelines-preflight-preprod-check
- ref: operator-pipelines-preflight-preprod-encrypt
zz_generated_metadata:
branch: ocp-4.22
org: redhat-openshift-ecosystem
repo: certified-operators-preprod
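Review bot: `TEST_ASSET` and `PFLT_INDEXIMAGE` in the `env:` block point at `:latest` tags on quay.io/opdev, so what preflight actually checks is whatever those tags resolve to at run time. If these are placeholders that the triggering pipeline overrides with the bundle under test, say so in a comment next to them; if they are meant to be fixed inputs, pin them by digest so a certification run is reproducible. The `cron: '@yearly'` schedule also deserves a one-line comment stating that the job is meant to be triggered on demand, otherwise a reader will take it for a real schedule.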
@@ -0,0 +1,45 @@
releases:
latest:
candidate:
product: ocp
stream: nightly
version: "4.22"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- as: preflight-prod-claim
cluster_claim:
architecture: amd64
cloud: aws
owner: rh-openshift-ecosystem
product: ocp
timeout: 1h0m0s
version: "4.22"
cron: '@yearly'
steps:
allow_best_effort_post_steps: true
env:
ASSET_TYPE: operator
PFLT_ARTIFACTS: artifacts
PFLT_INDEXIMAGE: quay.io/opdev/simple-demo-operator-catalog:latest
TEST_ASSET: quay.io/opdev/simple-demo-operator-bundle:latest
post:
- ref: gather-must-gather
pre:
- ref: operator-pipelines-preflight-prod-health
- ref: ipi-install-rbac
- ref: operator-pipelines-preflight-prod-approve-csrs
- ref: operator-pipelines-preflight-prod-operator-registry-cache-fix
test:
- ref: operator-pipelines-preflight-prod-decrypt
- ref: operator-pipelines-preflight-prod-check
- ref: operator-pipelines-preflight-prod-encrypt
zz_generated_metadata:
branch: ocp-4.22
org: redhat-openshift-ecosystem
repo: certified-operators-prod
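Review bot: apart from `as: preflight-prod-claim`, the `*-prod-*` step refs and the repo in `zz_generated_metadata`, this file is a line-for-line copy of the preprod config, including the same quay.io/opdev demo bundle and catalog at `:latest` in `env:`, which is surprising for the prod repository. Confirm that all six `operator-pipelines-preflight-prod-*` refs (`health`, `approve-csrs`, `operator-registry-cache-fix`, `decrypt`, `check`, `encrypt`) are registered in the step registry, since `--target=preflight-prod-claim` in the generated periodic resolves against them and a missing ref only surfaces when the job runs.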
@@ -0,0 +1,87 @@
periodics:
- agent: kubernetes
cluster: build01
cron: '@yearly'
decorate: true
decoration_config:
skip_cloning: true
extra_refs:
- base_ref: ocp-4.22
org: redhat-openshift-ecosystem
repo: certified-operators-preprod
labels:
ci.openshift.io/generator: prowgen
job-release: "4.22"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: periodic-ci-redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-preflight-preprod-claim
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --target=preflight-preprod-claim
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
Comment on lines +50 to +52
Contributor
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml"

python -m pip install --quiet pyyaml

python - "$FILE" <<'PY'
import sys, yaml, pathlib
file = pathlib.Path(sys.argv[1])  # path passed in from the FILE variable above
doc = yaml.safe_load(file.read_text())

job = doc["periodics"][0]
container = job["spec"]["containers"][0]
mounts = {m["name"] for m in container.get("volumeMounts", [])}
vols = {v["name"] for v in job["spec"].get("volumes", [])}

missing = sorted(mounts - vols)
print("volumeMount names:", sorted(mounts))
print("volume names:", sorted(vols))
if missing:
    print("Missing volume definitions for:", missing)
    sys.exit(1)
print("All volumeMount names are backed by declared volumes.")
PY

Repository: openshift/release

Length of output: 414


Add missing gcs-credentials volume declaration.

The container mounts gcs-credentials at line 50–52, but no matching volume is declared in the spec. Kubernetes will reject this pod spec at validation time, preventing the job from running.

Add the volume to the volumes section:

Suggested fix
     volumes:
     - name: boskos
       secret:
         items:
         - key: credentials
           path: credentials
         secretName: boskos-credentials
+    - name: gcs-credentials
+      secret:
+        secretName: gcs-credentials
     - name: ci-pull-credentials
       secret:
         secretName: ci-pull-credentials
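Review bot: the suggested `secretName: gcs-credentials` is a guess at the backing Secret, and this file is generator output (`ci.openshift.io/generator: prowgen`), so a hand-added `volumes` entry is dropped the next time the jobs are regenerated from the ci-operator config. Before applying anything here, check whether the volume is supplied at submission time for `decorate: true` jobs; if a volume really is missing, the fix belongs in the generator, not in the generated YAML.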
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-preprod/redhat-openshift-ecosystem-certified-operators-preprod-ocp-4.22-periodics.yaml`
around lines 50 - 52, The pod spec mounts a volume named "gcs-credentials"
(mountPath /secrets/gcs) but no corresponding volume is declared in the spec;
add a volumes entry named "gcs-credentials" under the pod spec's volumes section
that points to the proper secret (e.g., secret: { secretName: "gcs-credentials"
}) so the mount in the container (gcs-credentials) resolves at runtime; ensure
the volume name exactly matches "gcs-credentials" used in the mount and place it
alongside the other volumes in the job spec.

- mountPath: /secrets/hive-hive-credentials
name: hive-hive-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: hive-hive-credentials
secret:
secretName: hive-hive-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
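Review bot: the inline finding on the `gcs-credentials` mount should be verified rather than patched. With `decorate: true`, Prow's pod decoration injects the `gcs-credentials` volume for GCS upload (and fills the empty container `name: ""`) when the ProwJob pod is built, which is why no decorated job in this repository declares that volume under `spec.volumes`; the `pj-rehearse.openshift.io/can-be-rehearsed: "true"` label means a rehearsal will settle it. Otherwise the spec is sound from a least-privilege standpoint: every secret mount is `readOnly: true` and the pod runs as `serviceAccountName: ci-operator`; keep that when regenerating.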
@@ -0,0 +1,87 @@
periodics:
- agent: kubernetes
cluster: build01
cron: '@yearly'
decorate: true
decoration_config:
skip_cloning: true
extra_refs:
- base_ref: ocp-4.22
org: redhat-openshift-ecosystem
repo: certified-operators-prod
labels:
ci.openshift.io/generator: prowgen
job-release: "4.22"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: periodic-ci-redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-preflight-prod-claim
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --target=preflight-prod-claim
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
Comment on lines +50 to +52
Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml"

python - "$FILE" <<'PY'
import pathlib, re, sys

p = pathlib.Path(sys.argv[1])  # path passed in from the FILE variable above
lines = p.read_text().splitlines()

in_volume_mounts = False
in_volumes = False
mount_names = []
volume_names = []

for line in lines:
    if re.match(r'^\s*volumeMounts:\s*$', line):
        in_volume_mounts, in_volumes = True, False
        continue
    if re.match(r'^\s*volumes:\s*$', line):
        in_volume_mounts, in_volumes = False, True
        continue

    # Dash optional: volumeMounts entries start with "- mountPath:" and carry
    # "name:" on the following line, while volumes entries start with "- name:".
    m = re.match(r'^\s*-?\s*name:\s*"?([^"\s]+)"?\s*$', line)
    if m:
        name = m.group(1)
        if in_volume_mounts:
            mount_names.append(name)
        elif in_volumes:
            volume_names.append(name)

missing = sorted(set(mount_names) - set(volume_names))
print("volumeMount names:", mount_names)
print("volume names:", volume_names)
print("missing volume definitions:", missing)

if missing:
    sys.exit(1)
PY

Repository: openshift/release

Length of output: 252


🏁 Script executed:

cat -n ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml | sed -n '40,95p'

Repository: openshift/release

Length of output: 1754


Missing gcs-credentials volume makes the PodSpec invalid.

Line 51 references name: gcs-credentials in volumeMounts, but no matching entry exists under spec.volumes (lines 66-87). The periodic will fail before ci-operator starts.

Suggested fix
     volumes:
     - name: boskos
       secret:
         items:
         - key: credentials
           path: credentials
         secretName: boskos-credentials
+    - name: gcs-credentials
+      secret:
+        secretName: gcs-credentials
     - name: ci-pull-credentials
       secret:
         secretName: ci-pull-credentials
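Review bot: same suggestion and same caveat as for the preprod periodic: a guessed `secretName` added to prowgen output does not survive regeneration. Note also that the agent prompt below refers to `spec.template.spec.volumes`, but a Prow periodic carries its PodSpec directly under `spec:` (the `volumes:` list at the end of this file), so anyone following that prompt should not look for a `template` key.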
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/redhat-openshift-ecosystem/certified-operators-prod/redhat-openshift-ecosystem-certified-operators-prod-ocp-4.22-periodics.yaml`
around lines 50 - 52, The PodSpec references a volumeMount named
"gcs-credentials" but no matching volume is declared, making the spec invalid;
add a volume under spec.template.spec.volumes (the same PodSpec used by the
ci-operator job) with name: gcs-credentials and point it to the correct Secret
(e.g., secret: { secretName: "gcs-credentials" } or the actual secret name used
in your cluster) so the volumeMount in volumeMounts can bind successfully and
keep the mount readOnly as intended.

- mountPath: /secrets/hive-hive-credentials
name: hive-hive-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: hive-hive-credentials
secret:
secretName: hive-hive-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
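Review bot: identical to the preprod periodic apart from the repo, the job name and `--target=preflight-prod-claim`, and the decoration point about the `gcs-credentials` mount applies here unchanged. Worth noting for the prod tier: the job runs on `cluster: build01` under the same `ci-operator` service account with the same secret set (boskos, hive, manifest-tool, registry pull, result-aggregator) as preprod, so there is no isolation between the tiers at the job level; if prod preflight is meant to be handled differently, that has to come from the `*-prod-*` steps, not from this spec.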
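Both inline findings above flag the `gcs-credentials` mount as undeclared. The check below is an added example, not code from openshift/release and not the reviewer's own scripts: it walks a periodic's PodSpec (`initContainers` and `containers`), treats volume names that Prow's decoration injects for `decorate: true` jobs as satisfied, and also flags secret-backed volumes that are mounted without `readOnly: true`, which is the property every mount in this diff gets right. `SAMPLE_JOB` is a constructed, trimmed version of the spec in this diff with one deliberately writable secret mount added; `DECORATION_VOLUMES` is an assumption about Prow's decoration defaults that must be checked against the deployed Prow; `without_decoration` is a helper introduced here only for comparison.

```python
"""Volume/mount consistency check for Prow periodic job specs.

Added example; not part of openshift/release or of the review bot's scripts.
"""
import copy

# Assumption: volume names Prow's pod decoration adds to a `decorate: true` pod.
# Verify against the Prow version running on your cluster before relying on it.
DECORATION_VOLUMES = {"gcs-credentials", "logs", "tools", "code"}

# Constructed sample mirroring the reviewed job: gcs-credentials is mounted but
# not declared under spec.volumes, and one secret mount lacks readOnly on purpose.
SAMPLE_JOB = {
    "agent": "kubernetes",
    "decorate": True,
    "decoration_config": {"skip_cloning": True},
    "name": "periodic-sample-preflight-claim",
    "spec": {
        "containers": [{
            "command": ["ci-operator"],
            "name": "",  # left empty by the generator, filled by decoration
            "volumeMounts": [
                {"mountPath": "/etc/boskos", "name": "boskos", "readOnly": True},
                {"mountPath": "/secrets/gcs", "name": "gcs-credentials", "readOnly": True},
                {"mountPath": "/etc/pull-secret", "name": "pull-secret", "readOnly": True},
                {"mountPath": "/etc/report", "name": "result-aggregator"},  # writable!
            ],
        }],
        "serviceAccountName": "ci-operator",
        "volumes": [
            {"name": "boskos", "secret": {"secretName": "boskos-credentials"}},
            {"name": "pull-secret", "secret": {"secretName": "registry-pull-credentials"}},
            {"name": "result-aggregator", "secret": {"secretName": "result-aggregator"}},
            {"name": "scratch", "emptyDir": {}},  # declared but never mounted
        ],
    },
}


def _mounts(spec):
    """Yield (container name, mount dict) for every container in the PodSpec."""
    for key in ("initContainers", "containers"):
        for c in spec.get(key, []):
            for m in c.get("volumeMounts", []):
                yield c.get("name") or "<unnamed>", m


def check_volumes(job):
    """Return findings for one periodic entry.

    missing  - mount names with no declared or decoration-injected volume
    unused   - declared volumes that nothing mounts
    writable - secret-backed volumes mounted without readOnly: true
    """
    spec = job["spec"]
    declared = {v["name"]: v for v in spec.get("volumes", [])}
    injected = DECORATION_VOLUMES if job.get("decorate") else set()
    mounted = {}
    writable = []
    for cname, m in _mounts(spec):
        mounted.setdefault(m["name"], []).append(cname)
        vol = declared.get(m["name"])
        if vol is not None and "secret" in vol and not m.get("readOnly", False):
            writable.append((cname, m["name"]))
    missing = sorted(n for n in mounted if n not in declared and n not in injected)
    unused = sorted(n for n in declared if n not in mounted)
    return {"missing": missing, "unused": unused, "writable": writable}


def check_periodics(doc):
    """Run check_volumes over every entry of a {'periodics': [...]} document."""
    return {job["name"]: check_volumes(job) for job in doc.get("periodics", [])}


def without_decoration(job):
    """Deep copy of job with decoration switched off, for comparison only."""
    j = copy.deepcopy(job)
    j["decorate"] = False
    return j


if __name__ == "__main__":
    print("decorated:  ", check_volumes(SAMPLE_JOB))
    print("undecorated:", check_volumes(without_decoration(SAMPLE_JOB)))
```

To run it over real files, load each periodics YAML with `yaml.safe_load` and pass the document to `check_periodics`. On the sample, `gcs-credentials` is reported as missing only once decoration is switched off, which is the distinction the inline suggestion skips; the writable `result-aggregator` mount is the kind of regression this check is there to catch after a regeneration.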