From cb3cc3166c8f6b90b41cb92fccffb4c9d264b81b Mon Sep 17 00:00:00 2001 From: Matthew Booth Date: Thu, 16 Apr 2026 16:07:33 +0100 Subject: [PATCH] Add openshift-e2e-aws-disconnected workflow Add a new disconnected AWS workflow for component-level CI testing. The workflow creates an isolated VPC with private subnets and VPC endpoints, a bastion host providing mirror registry, egress proxy, and SSH jump host, then installs OpenShift using mirrored images and manual CCO credentials. Also adds an optional e2e-aws-capi-disconnected-techpreview job to cluster-capi-operator. Co-Authored-By: Claude Opus 4.6 --- .../openshift-cluster-capi-operator-main.yaml | 20 +++++ ...cluster-capi-operator-main-presubmits.yaml | 83 +++++++++++++++++++ .../ipi/aws/post/disconnected/OWNERS | 7 ++ ...-aws-post-disconnected-chain.metadata.json | 13 +++ .../ipi-aws-post-disconnected-chain.yaml | 15 ++++ .../ipi/aws/pre/disconnected/OWNERS | 7 ++ ...i-aws-pre-disconnected-chain.metadata.json | 13 +++ .../ipi-aws-pre-disconnected-chain.yaml | 58 +++++++++++++ .../openshift/e2e/aws/disconnected/OWNERS | 6 ++ ...2e-aws-disconnected-workflow.metadata.json | 12 +++ ...enshift-e2e-aws-disconnected-workflow.yaml | 16 ++++ 11 files changed, 250 insertions(+) create mode 100644 ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS create mode 100644 ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json create mode 100644 ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml create mode 100644 ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS create mode 100644 ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json create mode 100644 ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml create mode 100644 ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS create mode 100644 ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json create mode 100644 ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml diff --git a/ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml b/ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml index 4f531042396af..72e8d0b428ab5 100644 --- a/ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml +++ b/ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml @@ -116,6 +116,26 @@ tests: cpu: 100m timeout: 3h0m0s workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-capi-disconnected-techpreview + optional: true + pipeline_skip_if_only_changed: \.md$|(^|/)docs/|(^|/)LICENSE$|(^|/)manifests-gen/|(^|/)OWNERS$ + steps: + cluster_profile: openshift-org-aws + env: + FEATURE_SET: TechPreviewNoUpgrade + observers: + enable: + - observers-resource-watch + test: + - as: test + commands: make e2e + from: src + resources: + requests: + cpu: 100m + timeout: 3h0m0s + workflow: openshift-e2e-aws-disconnected - always_run: false as: e2e-gcp-ovn-techpreview pipeline_skip_if_only_changed: \.md$|(^|/)docs/|(^|/)LICENSE$|(^|/)manifests-gen/|(^|/)OWNERS$ diff --git a/ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml b/ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml index bdc935ddccaa3..30ab2acc35587 100644 --- a/ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main-presubmits.yaml @@ -61,6 +61,89 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )build,?($|\s.*) + - agent: kubernetes + always_run: false + annotations: + pipeline_skip_if_only_changed: \.md$|(^|/)docs/|(^|/)LICENSE$|(^|/)manifests-gen/|(^|/)OWNERS$ + branches: + - ^main$ + - ^main- + cluster: build07 + context: ci/prow/e2e-aws-capi-disconnected-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview + optional: true + rerun_command: /test e2e-aws-capi-disconnected-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-capi-disconnected-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-capi-disconnected-techpreview,?($|\s.*) - agent: kubernetes always_run: false annotations: diff --git a/ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS b/ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS new file mode 100644 index 0000000000000..0ec22565f37a4 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS @@ -0,0 +1,7 @@ +approvers: +- vrutkovs +- deads2k +- technical-release-team-approvers +- jianlinliu +- yunjiang29 +- patrickdillon diff --git a/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json b/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json new file mode 100644 index 0000000000000..823f095492a64 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.metadata.json @@ -0,0 +1,13 @@ +{ + "path": "ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml", + "owners": { + "approvers": [ + "vrutkovs", + "deads2k", + "technical-release-team-approvers", + "jianlinliu", + "yunjiang29", + "patrickdillon" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml b/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml new file mode 100644 index 0000000000000..85faa7af4d0e4 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml @@ -0,0 +1,15 @@ +chain: + as: ipi-aws-post-disconnected + steps: + - ref: gather-aws-console + - ref: gather-installer-boostrap-logs-in-bastion + - ref: gather-mirror-registry + - chain: ipi-deprovision + - ref: aws-deprovision-security-group + - ref: aws-deprovision-stacks + - ref: aws-deprovision-users-and-policies + - ref: aws-deprovision-verification + documentation: |- + The ipi-aws-post-disconnected chain gathers artifacts and deprovisions + a disconnected OpenShift cluster on AWS, including the bastion host, + CloudFormation VPC stack, and static IAM users created during installation. diff --git a/ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS b/ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS new file mode 100644 index 0000000000000..0ec22565f37a4 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/pre/disconnected/OWNERS @@ -0,0 +1,7 @@ +approvers: +- vrutkovs +- deads2k +- technical-release-team-approvers +- jianlinliu +- yunjiang29 +- patrickdillon diff --git a/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json b/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json new file mode 100644 index 0000000000000..30ace3d0966c3 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.metadata.json @@ -0,0 +1,13 @@ +{ + "path": "ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml", + "owners": { + "approvers": [ + "vrutkovs", + "deads2k", + "technical-release-team-approvers", + "jianlinliu", + "yunjiang29", + "patrickdillon" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml b/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml new file mode 100644 index 0000000000000..fbb970ae0f8d1 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/pre/disconnected/ipi-aws-pre-disconnected-chain.yaml @@ -0,0 +1,58 @@ +chain: + as: ipi-aws-pre-disconnected + steps: + - ref: aws-provision-vpc-disconnected + - chain: aws-provision-bastionhost + - chain: mirror-images-payload + - ref: ipi-conf + - ref: ipi-conf-telemetry + - ref: ipi-conf-aws-custom-vpc + - ref: ipi-conf-manual-creds + - ref: ipi-conf-aws + - ref: ipi-conf-mirror + - ref: ipi-install-monitoringpvc + - ref: proxy-config-generate + - ref: aws-provision-cco-manual-users-static + - ref: ipi-conf-manual-creds-remove-unnecessary-creds + - chain: aws-provision-iam-user-minimal-permission + - ref: openshift-cluster-bot-rbac + - ref: ipi-install-hosted-loki + - ref: ipi-install-install-aws + - ref: ipi-install-times-collection + - ref: nodes-readiness + - ref: multiarch-validate-nodes + - as: disable-default-sources + from: cli + commands: |- + set -exuo pipefail + if test -f "${SHARED_DIR}/proxy-conf.sh"; then + source "${SHARED_DIR}/proxy-conf.sh" + fi + oc patch OperatorHub cluster --type json \ + -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]' + resources: + requests: + cpu: 100m + memory: 100Mi + timeout: 5m0s + grace_period: 5m0s + env: + - name: MIRROR_IN_BASTION + default: "yes" + documentation: "Mirror images from the bastion host rather than the build farm." + - name: PUBLISH + default: "Internal" + documentation: "Cluster publish strategy for disconnected install." + - name: ADD_INGRESS_RECORDS_MANUALLY + default: "yes" + documentation: "Manually create ingress DNS records for private clusters." + - name: ZONES_COUNT + default: "2" + documentation: "Number of availability zones. Default 2 to avoid regions with fewer than 3 AZs." + documentation: |- + The ipi-aws-pre-disconnected chain provisions a fully disconnected + OpenShift cluster on AWS. It creates an isolated VPC with private subnets + and no direct internet access, a bastion host on the public subnet + providing a mirror registry, egress proxy, and SSH jump host, then + mirrors the release payload and installs the cluster using manual CCO + credentials. diff --git a/ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS b/ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS new file mode 100644 index 0000000000000..bc1f79d945cda --- /dev/null +++ b/ci-operator/step-registry/openshift/e2e/aws/disconnected/OWNERS @@ -0,0 +1,6 @@ +approvers: +- deads2k +- dgoodwin +- stbenjam +- vrutkovs +- wking diff --git a/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json b/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json new file mode 100644 index 0000000000000..b8d39f9e999cc --- /dev/null +++ b/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.metadata.json @@ -0,0 +1,12 @@ +{ + "path": "openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml", + "owners": { + "approvers": [ + "deads2k", + "dgoodwin", + "stbenjam", + "vrutkovs", + "wking" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml b/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml new file mode 100644 index 0000000000000..7430697d00a42 --- /dev/null +++ b/ci-operator/step-registry/openshift/e2e/aws/disconnected/openshift-e2e-aws-disconnected-workflow.yaml @@ -0,0 +1,16 @@ +workflow: + as: openshift-e2e-aws-disconnected + steps: + allow_best_effort_post_steps: true + pre: + - chain: ipi-aws-pre-disconnected + test: + - ref: openshift-e2e-test + post: + - chain: gather-core-dump + - chain: ipi-aws-post-disconnected + documentation: |- + The openshift-e2e-aws-disconnected workflow executes the common end-to-end + test suite on a disconnected AWS cluster. The cluster is installed in a + private VPC with no direct internet access. A bastion host on the public + subnet provides a mirror registry, egress proxy, and SSH jump host.