Add openshift-e2e-aws-disconnected workflow

[mdbooth]

Add a new disconnected AWS workflow for component-level CI testing.
The workflow creates an isolated VPC with private subnets and VPC
endpoints, a bastion host providing mirror registry, egress proxy,
and SSH jump host, then installs OpenShift using mirrored images
and manual CCO credentials.

Also adds an optional e2e-aws-capi-disconnected-techpreview job
to cluster-capi-operator.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Summary by CodeRabbit

• New Features

  • Added comprehensive end-to-end testing support for AWS CAPI in fully disconnected environments with tech preview features, including provisioning workflows and cleanup procedures

• Tests

  • Added new presubmit testing job for validating disconnected AWS CAPI configurations

• Chores

  • Added ownership configuration for disconnected AWS testing components

[coderabbitai]

Walkthrough

This PR adds comprehensive CI/CD infrastructure for disconnected AWS E2E testing of OpenShift cluster-capi-operator. Changes include a new test configuration, presubmit job, and step-registry definitions for AWS provisioning, E2E execution, and deprovisioning in fully isolated network environments.

Changes

Cohort / File(s)	Summary
Test Configuration & Job ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml, ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml	Added optional E2E test e2e-aws-capi-disconnected-techpreview with TechPreview feature set and corresponding presubmit job with BOSKOS/credential wiring, targeting build07 cluster.
Disconnected IPI AWS Pre-step ci-operator/step-registry/ipi/aws/pre/disconnected/*	Added chain definition for provisioned disconnected AWS VPC with bastion host, image mirroring, IAM user setup, and bot RBAC, plus OWNERS and metadata files.
Disconnected IPI AWS Post-step ci-operator/step-registry/ipi/aws/post/disconnected/*	Added chain definition for artifact collection and staged AWS deprovisioning (security groups, CloudFormation stacks, IAM users), plus OWNERS and metadata files.
OpenShift E2E AWS Disconnected Workflow ci-operator/step-registry/openshift/e2e/aws/disconnected/*	Added workflow definition chaining pre-disconnected provisioning, shared E2E test suite, and post-disconnected cleanup, plus OWNERS and metadata files.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Runner
    participant Pre as Pre-Provision Chain
    participant Cluster as AWS Cluster
    participant Bastion as Bastion Host
    participant Mirror as Mirror Registry
    participant E2E as E2E Tests
    participant Post as Post-Deprovision Chain

    Test->>Pre: Trigger disconnected provisioning
    Pre->>Cluster: Create isolated VPC & subnets
    Pre->>Bastion: Provision bastion host
    Pre->>Mirror: Mirror images to bastion
    Pre->>Cluster: Configure IAM users & bot RBAC
    Pre->>Cluster: Deploy cluster via IPI
    Pre-->>Test: Ready for testing
    
    Test->>E2E: Run openshift-e2e-aws-disconnected workflow
    E2E->>Bastion: Access via bastion jump host
    E2E->>Cluster: Execute E2E test suite
    E2E-->>Test: Tests complete
    
    Test->>Post: Trigger disconnected deprovisioning
    Post->>Cluster: Gather console artifacts & logs
    Post->>Bastion: Collect mirror registry content
    Post->>Cluster: Remove security groups & IAM policies
    Post->>Cluster: Delete CloudFormation stacks
    Post-->>Test: Cleanup complete

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add openshift-e2e-aws-disconnected workflow' directly and accurately describes the primary change - introducing a new OpenShift E2E AWS disconnected workflow that is the core focus of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR contains only YAML CI configuration files with no Ginkgo test code, making the check not applicable and passing by default.
Test Structure And Quality	✅ Passed	Custom check not applicable; PR modifies only CI/CD configuration files without Ginkgo test code.
Microshift Test Compatibility	✅ Passed	This PR adds only CI/CD configuration files and does not contain new Ginkgo e2e test code (no It(), Describe(), Context(), or When() blocks).
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only CI/CD configuration files and workflow definitions that orchestrate existing tests, not new Ginkgo test implementations.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI/CD infrastructure (test jobs, step-registry chains, workflows) for disconnected AWS testing. These are configuration files, not Kubernetes pod manifests with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	Pull request contains only CI/CD configuration files (YAML, JSON) with no Go test binaries or process-level code that violates OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests, only CI workflow and chain configuration files in YAML format.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mdbooth
Once this PR has been reviewed and has the lgtm label, please assign dgoodwin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-capi-operator/OWNERS [mdbooth]
• ci-operator/jobs/openshift/cluster-capi-operator/OWNERS [mdbooth]
• ci-operator/step-registry/ipi/OWNERS
• ci-operator/step-registry/openshift/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mdbooth: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Presubmit changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mdbooth]

/pj-rehearse

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml`:
- Around line 27-30: Remove the -x (xtrace) flag before sourcing the proxy
config to prevent secrets from being printed: modify the script where it
currently sets "set -exuo pipefail" so that xtrace is disabled (e.g., use "set
-euo pipefail" or temporarily turn off xtrace) prior to the conditional that
sources "${SHARED_DIR}/proxy-conf.sh", then re-enable xtrace afterwards if
needed; update the lines referencing set -exuo pipefail and the source
"${SHARED_DIR}/proxy-conf.sh" accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cbfb056e-a337-401a-8a80-ae55f676bf2f

📥 Commits

Reviewing files that changed from the base of the PR and between e0c42c3 and cb3cc31.

📒 Files selected for processing (11)

• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml
• ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml
• ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml
• ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS
• ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json
• ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml
• ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS
• ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json
• ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Remove xtrace before sourcing proxy config to avoid secret leakage.

Line 27 enables -x, and Line 29 sources proxy-conf.sh; this can print sensitive proxy values into job logs.

🔒 Proposed fix

-      set -exuo pipefail
+      set -euo pipefail
       if test -f "${SHARED_DIR}/proxy-conf.sh"; then
         source "${SHARED_DIR}/proxy-conf.sh"
       fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	set -exuo pipefail
	if test -f "${SHARED_DIR}/proxy-conf.sh"; then
	source "${SHARED_DIR}/proxy-conf.sh"
	fi
	set -euo pipefail
	if test -f "${SHARED_DIR}/proxy-conf.sh"; then
	source "${SHARED_DIR}/proxy-conf.sh"
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml`
around lines 27 - 30, Remove the -x (xtrace) flag before sourcing the proxy
config to prevent secrets from being printed: modify the script where it
currently sets "set -exuo pipefail" so that xtrace is disabled (e.g., use "set
-euo pipefail" or temporarily turn off xtrace) prior to the conditional that
sources "${SHARED_DIR}/proxy-conf.sh", then re-enable xtrace afterwards if
needed; update the lines referencing set -exuo pipefail and the source
"${SHARED_DIR}/proxy-conf.sh" accordingly.

[openshift-ci]

The OWNERS file contains untrusted users, which makes it INVALID. The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift org. You can then trigger verification by writing /verify-owners in a comment.

• vrutkovs
  • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
  • ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS
  • ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS
• jianlinliu
  • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
  • ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS
• yunjiang29
  • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
  • ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS

[openshift-ci]

@mdbooth: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/cluster-capi-operator/main/e2e-aws-capi-disconnected-techpreview	cb3cc31	link	unknown	/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mdbooth]

Despite reporting failure the pj-rehearse seems to have been a success. The failure is an actual bug in capi-operator: it needs to import the additional trust bundle in order to trust the mirror registry.

The environment came up. I verified manually (by logging in to it during the run) that it was disconnected. It seems to have successfully collected artifacts.