
[DEBUG] [DO NOT MERGE] #77798

Open
tbuskey wants to merge 2 commits into openshift:main from tbuskey:260414b

Conversation


@tbuskey tbuskey commented Apr 14, 2026

/hold

Summary by CodeRabbit

Release Notes

  • Improvements
    • Network access restrictions enabled for test environments
    • Kata runtime installation configured with versioned RPM packages
    • Test timeout extended to 120 seconds
    • Must-gather failure reporting enabled for all test runs
    • Test execution timing and filtering adjustments applied
    • Trustee service endpoint configured for the system

@openshift-ci openshift-ci bot added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) Apr 14, 2026

coderabbitai bot commented Apr 14, 2026

Walkthrough

Updated CI test configuration for sandboxed containers operator across multiple deployment scenarios, including network access restrictions, Kata RPM versioning, test execution parameters, and trustee service endpoint settings.

Changes

Cohort / File(s): CI Test Configuration
ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml
Summary: Modified test parameters across multiple scenarios: enabled restrict_network_access, changed Kata installation from disabled to enabled with specific RPM versions (3.25.0-5.rhaos4.20.el9 or 3.25.0-5.rhaos4.17.el9), added base64 INITDATA payload, disabled must-gather-only-on-failure, extended sleep duration to 6h, increased test timeout to 120s, updated test filters from ~DisconnectedOnly&;~Disruptive& to ~C00317&;~C00133&, and set Trustee URL to kbs-service endpoint.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title '[DEBUG] [DO NOT MERGE]' is vague and generic, using non-descriptive markers that don't convey meaningful information about the actual changeset modifications to Kata RPM settings and test configurations. Replace the generic debug title with a descriptive summary of the main changes, such as 'Update Kata RPM configuration and test parameters for sandboxed containers operator' or similar.
Test Structure And Quality ❓ Inconclusive This PR modifies only YAML configuration files for CI/CD settings and contains no Ginkgo test code to review. The custom check for Ginkgo test quality is not applicable to configuration file changes. No Go test files are present in this PR.
✅ Passed checks (8 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed PR contains only YAML CI configuration files with no Ginkgo test code or test name declarations present.
Microshift Test Compatibility ✅ Passed PR modifies only CI operator configuration YAML without adding new Ginkgo e2e tests; custom check for new test implementations is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The SNO Test Compatibility check is not applicable to this pull request. The custom check is specifically designed to assess new Ginkgo e2e tests (It(), Describe(), Context(), etc.) for multi-node cluster assumptions. This PR only modifies CI operator configuration settings in a YAML file (environment variables, test timeouts, network settings), not adding any new test code. The summary confirms 'no exported/public code entities modified' and the file contains only CI configuration changes, not Ginkgo test definitions.
Topology-Aware Scheduling Compatibility ✅ Passed This PR modifies CI-operator configuration for test execution only, containing no Kubernetes scheduling constraints, pod affinity rules, or topology-dependent constraints.
Ote Binary Stdout Contract ✅ Passed This PR modifies only a YAML configuration file with test environment variables, not Go source code, so cannot violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only modifies CI operator YAML configuration without adding or modifying any Ginkgo e2e test code.



tbuskey commented Apr 14, 2026

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

@openshift-merge-bot

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.


openshift-ci bot commented Apr 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tbuskey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Apr 14, 2026

tbuskey commented Apr 14, 2026

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata

@openshift-merge-bot

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.


tbuskey commented Apr 14, 2026

/pj-rehearse list

@openshift-merge-bot

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci openshift-ci bot requested review from jensfr and vvoronko April 14, 2026 17:32
@openshift-merge-bot

[REHEARSALNOTIFIER]
@tbuskey: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-coco N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-coco N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-coco N/A periodic Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-merge-bot

[REHEARSALNOTIFIER]
@tbuskey: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-coco N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-coco N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-coco N/A periodic Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata N/A periodic Ci-operator config changed


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml (2)

45-45: Consider using HTTPS for the trustee service endpoint.

The TRUSTEE_URL uses HTTP instead of HTTPS. Since this appears to be a Key Broker Service (KBS) endpoint for confidential computing, using unencrypted HTTP could expose sensitive attestation data in transit.

If HTTPS is available for this service, prefer:

TRUSTEE_URL: https://kbs-service-trustee-operator-system.apps.tpb.azure.sandboxedcontainers.com

If this is intentionally HTTP for testing purposes, it aligns with the debug nature of this PR but should not be merged to production configurations.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml`
at line 45, Update the TRUSTEE_URL environment value to use HTTPS instead of
HTTP for the KBS trustee endpoint: change the value of the TRUSTEE_URL key
(TRUSTEE_URL:
http://kbs-service-trustee-operator-system.apps.tpb.azure.sandboxedcontainers.com)
to use https:// if the service supports TLS, or explicitly document/guard the
HTTP use for test-only configs; ensure the updated value is applied wherever
TRUSTEE_URL is referenced in the deployment manifests or CI config.

35-35: Consider documenting or validating the INITDATA payload.

The INITDATA field contains a large base64-encoded gzip blob. For maintainability and review purposes, consider:

  1. Adding a comment explaining what this configuration contains
  2. Storing the source file (e.g., initdata.toml) in the repository and generating the encoded value during CI
  3. Validating the decoded content in code review

This would improve auditability and make future updates easier to review.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml`
at line 35, The INITDATA field currently holds a large base64+gzip blob; replace
this opaque inlined blob with a documented workflow: add a short comment next to
INITDATA describing that it is a gzipped base64-encoded initdata payload, check
the repository in with the plain-text source file named initdata.toml, and
update CI to generate the encoded value from initdata.toml (gzip then base64)
and patch the manifest during the pipeline; also add a lightweight validation
step (decode+gunzip and schema or TOML lint) in the PR/CI job to assert the
decoded content is valid so reviewers can inspect the plain initdata.toml
instead of the blob.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b816716-ccad-4f12-91eb-9b5df6f575ba

📥 Commits

Reviewing files that changed from the base of the PR and between 81bf77c and 0ea9b58.

📒 Files selected for processing (1)
  • ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml

Comment on lines +39 to +40
MUST_GATHER_ON_FAILURE_ONLY: "false"
SLEEP_DURATION: 6h
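Review bot: the two lines at +39 and +40 are debug-only settings in a file that feeds seven periodic jobs, and the PR already sits behind /hold, so the practical risk is the hold being lifted with them still in place; since the PR carries two commits, keeping `MUST_GATHER_ON_FAILURE_ONLY: "false"` and `SLEEP_DURATION: 6h` in their own commit makes the pre-merge revert a single commit drop instead of a re-edit of every test stanza.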


⚠️ Potential issue | 🟠 Major

Debug configuration detected - do not merge.

SLEEP_DURATION: 6h and MUST_GATHER_ON_FAILURE_ONLY: "false" are debug settings:

  • A 6-hour sleep significantly extends test execution time and consumes CI resources unnecessarily.
  • Gathering must-gather on success (not just failure) adds overhead without benefit for normal CI runs.

These settings are applied across all 7 test configurations. Given the PR title explicitly states "[DEBUG] [DO NOT MERGE]", ensure these changes are reverted before any merge consideration.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml`
around lines 39 - 40, The file contains debug settings that must be reverted:
reset SLEEP_DURATION from "6h" back to the production/default value and set
MUST_GATHER_ON_FAILURE_ONLY back to "true" (or the repo's default) in every
configuration where they were changed (look for the SLEEP_DURATION and
MUST_GATHER_ON_FAILURE_ONLY keys across the 7 test configs), and remove the
"[DEBUG] [DO NOT MERGE]" changes so CI runs use standard timing and only gather
must-gather on failures.


openshift-ci bot commented Apr 15, 2026

@tbuskey: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods 0ea9b58 link unknown /pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
