no-jira: workaround: remove capi credentialsRequest in Default cluster

[tthvo]

Description

Credentials request filtering is temporarily broken due to https://issues.redhat.com/browse/OCPBUGS-77845. GA clusters in manual mode are failing on the missing namespace for the capi cred request at bootstrap phase.

Basically, I copied the approach from #76228. Currently, the step uses upi-installer image, which has a really old oc version (v4.2.0-alpha.0-2466-gd76df14). Unless we can find another image to replace with a newer oc version, this is a workaround...

Summary by CodeRabbit

• Chores
  • Improved AWS provisioning manifest cleanup to avoid including certain credential manifests unless specific feature flags are set.
  • Added a temporary safeguard that removes a cluster API credentials manifest when the feature set is unset to prevent incorrect credential generation.

[openshift-ci-robot]

@tthvo: This pull request explicitly references no jira issue.

Details

In response to this:

Description

This PR updates aws-provision-cco-manual-users-static to use cloud-credential-operator instead of upi-installer get the most up-to-date oc version. See reference: oidc-creds-provision/ipi-conf-aws-oidc-creds-provision-ref.yaml

We don't have to update the deprovision step because static IAM users are cleaned up without using oc. See reference: aws-deprovision-users-and-policies-commands.sh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c987d949-9f8a-417e-b797-c7f7ffeec387

📥 Commits

Reviewing files that changed from the base of the PR and between 8187e9a and de71456.

📒 Files selected for processing (1)

• ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh

---

Walkthrough

Script cleanup logic is changed to conditionally remove TechPreviewNoUpgrade CredentialsRequest manifests only when feature-gate/feature-set conditions are unmet, and adds a temporary workaround that deletes the cluster-api credentials-request manifest when FEATURE_SET is unset to avoid extraction/filtering issues.

Changes

CredentialsRequest manifest handling

Layer / File(s)	Summary
Feature-gate conditional removal ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh	Adds conditional logic to remove TechPreviewNoUpgrade CredentialsRequest manifests only when EXTRACT_MANIFEST_INCLUDED != "true", FEATURE_SET is not TechPreviewNoUpgrade (treating empty as unset), and ${SHARED_DIR}/manifest_feature_gate.yaml does not exist.
Temporary workaround: cluster-api removal ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh	When FEATURE_SET is unset/empty, deletes cr_yaml_d/0000_30_cluster-api_01_credentials-request.yaml (if present) before converting CR YAMLs to JSON to work around oc adm release extract behavior.
Continuation of YAML processing ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh	YAML listing/conversion steps proceed after the conditional removals.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly refers to the main change: removing capi credentialsRequest in Default cluster as a workaround for a broken filtering issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies bash shell script for AWS provisioning, not Ginkgo test files; custom check not applicable
Test Structure And Quality	✅ Passed	PR modifies bash script, not Ginkgo test code. Custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	The custom check applies only to new Ginkgo e2e tests with constructs like It(), Describe(), Context(), or When(). This PR only modifies a bash shell script for AWS provisioning, not test code.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only a bash shell script for AWS credential provisioning. The custom check assesses Ginkgo e2e tests for Single Node OpenShift compatibility. Since this PR contains no Go test files or test definitions, the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR modifies a provisioning script for AWS credential manifest filtering, not Kubernetes workload deployment with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check applies exclusively to Go test code and binaries. This PR modifies only a bash shell script for AWS provisioning, not Go code or test binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only a shell script for CI operator step registry that updates manifest cleanup logic. No Ginkgo e2e tests are added or modified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tthvo
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/aws/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-ha-cert-rotation-suspend-30d

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tthvo]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f7

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh (1)

159-167: ⚠️ Potential issue | 🟠 Major

Use a safe default for FEATURE_SET in the guard condition to prevent nounset abort.

Line 159 dereferences ${FEATURE_SET} directly. With set -o nounset enabled (line 3), an unset FEATURE_SET terminates the script before the workaround block at line 167 executes.

✅ Suggested fix

-if [[ "${EXTRACT_MANIFEST_INCLUDED}" != "true" ]] && [[ "${FEATURE_SET}" != "TechPreviewNoUpgrade" ]] &&  [[ ! -f ${SHARED_DIR}/manifest_feature_gate.yaml ]]; then
+if [[ "${EXTRACT_MANIFEST_INCLUDED}" != "true" ]] && [[ "${FEATURE_SET:-}" != "TechPreviewNoUpgrade" ]] && [[ ! -f ${SHARED_DIR}/manifest_feature_gate.yaml ]]; then
   remove_tech_preview_feature_from_manifests "${cr_yaml_d}" "TechPreviewNoUpgrade" || exit 1
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh`
around lines 159 - 167, The guard conditional that checks FEATURE_SET (the [[
"${FEATURE_SET}" != "TechPreviewNoUpgrade" ]] expression) can trigger nounset;
change that check to use a safe default parameter expansion (e.g.
${FEATURE_SET:-}) or mirror the later pattern ([[ -z "${FEATURE_SET:-}" ]]) so
the script won't abort under set -o nounset; update the conditional that
contains EXTRACT_MANIFEST_INCLUDED and FEATURE_SET (and the call to
remove_tech_preview_feature_from_manifests) to use ${FEATURE_SET:-} wherever
FEATURE_SET is dereferenced.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh`:
- Around line 159-167: The guard conditional that checks FEATURE_SET (the [[
"${FEATURE_SET}" != "TechPreviewNoUpgrade" ]] expression) can trigger nounset;
change that check to use a safe default parameter expansion (e.g.
${FEATURE_SET:-}) or mirror the later pattern ([[ -z "${FEATURE_SET:-}" ]]) so
the script won't abort under set -o nounset; update the conditional that
contains EXTRACT_MANIFEST_INCLUDED and FEATURE_SET (and the call to
remove_tech_preview_feature_from_manifests) to use ${FEATURE_SET:-} wherever
FEATURE_SET is dereferenced.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 465e6792-d6d3-4a33-bc61-42ad8d0e0a73

📥 Commits

Reviewing files that changed from the base of the PR and between 5417fc5 and 8187e9a.

📒 Files selected for processing (1)

• ci-operator/step-registry/aws/provision/cco-manual-users/static/aws-provision-cco-manual-users-static-commands.sh

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@tthvo: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-capi-operator-release-5.1-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-capi-operator-release-5.0-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-capi-operator-release-4.23-e2e-aws-capi-disconnected-techpreview	openshift/cluster-capi-operator	presubmit	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-multi-stable-aws-ipi-disc-priv-arm-mixarch-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.13-amd64-nightly-aws-ipi-disc-priv-mtu-localzone-fips-f60-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-ipi-disc-priv-workers-rhcos-rhel8-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-4.17-upgrade-from-stable-4.17-aws-usgov-ipi-disc-priv-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-arm64-nightly-4.20-upgrade-from-stable-4.20-aws-ipi-disc-priv-tp-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-stable-4.19-upgrade-from-stable-4.18-aws-ipi-disc-priv-localzone-fips-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.12-amd64-nightly-4.12-upgrade-from-stable-4.12-aws-usgov-ipi-disc-priv-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-4.17-upgrade-from-stable-4.16-aws-usgov-ipi-disc-priv-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-aws-ipi-disc-priv-workers-rhcos-rhel8-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.12-amd64-nightly-aws-ipi-disc-priv-mtu-localzone-fips-f60-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.21-multi-stable-aws-ipi-disc-priv-arm-mixarch-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-disc-priv-localzone-fips-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-aws-ipi-disc-priv-f28-longrun-ota	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-4.20-upgrade-from-stable-4.19-aws-usgov-ipi-disc-priv-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-release-main-nightly-4.20-e2e-aws-ovn-ha-cert-rotation-suspend-30d	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-nightly-aws-usgov-ipi-disc-priv-f60-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-disc-priv-localzone-fips-f14-nokubeadmin	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.22-arm64-nightly-4.22-upgrade-from-stable-4.22-aws-ipi-disc-priv-tp-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-multi-nightly-aws-ipi-disc-priv-amd-mixarch-f60-destructive	N/A	periodic	Registry content changed

A total of 256 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[tthvo]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f7

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tthvo]

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-ha-cert-rotation-suspend-30d

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@tthvo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f7	de71456	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-disc-priv-arm-mixarch-f7

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.