Add Cluster Profile Sets allowlist

[danilo-gemoli]

Requires openshift/ci-tools#5171.
/hold

The test aws-ipi-public-ipv4-pool-byo-subnet-mini-perm-arm-f14 works with aws only since it uses the BYOIP feature.

Overview

Adds a Cluster Profile Sets whitelist/allowlist mechanism and updates a private test to use the AWS profile required for BYOIP. This supports enforcement of cluster-profile-set usage in a companion ci-tools PR (openshift/ci-tools#5171). The change is currently held (/hold).

Changes

• core-services/prow/02_config/generate-boskos.py

  • Introduces a module-level CLUSTER_PROFILE_SETS_IGNORE constant containing:
    • profiles: a list of Cluster Profile Set names to exclude from the printed set
    • allowlist: a mapping of tests allowed to bypass CPS usage policies
  • Updates print_cluster_profile_set_details() so that when run with --print-cluster-profile-sets it emits JSON with:
    • cluster_profile_sets: CPS names from CLUSTER_PROFILE_SETS_CONFIG excluding those in CLUSTER_PROFILE_SETS_IGNORE['profiles']
    • allowlist: the top-level allowlist taken from CLUSTER_PROFILE_SETS_IGNORE['allowlist']
  • Resource generation behavior via generate_config() is unchanged.

• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml

  • For the test aws-ipi-public-ipv4-pool-byo-subnet-mini-perm-arm-f14, changed steps.cluster_profile from openshift-org-aws to aws so the job uses the AWS profile required by the BYOIP feature.

Impact and context

• This PR implements the data side of a whitelist/allowlist used to exempt specific tests from cluster profile set policy enforcement. The enforcement logic is provided by the companion ci-tools PR (ci-operator-checkconfig: Add cluster profile sets allowlist ci-tools#5171).
• The only functional job change is the cluster_profile update for the noted BYOIP test in the private tests repo. No exported/public code APIs were changed.

[coderabbitai]

Walkthrough

This PR makes two independent config updates: it changes one test job's cluster_profile from openshift-org-aws to aws, and it adds a CLUSTER_PROFILE_SETS_IGNORE configuration plus filtering/allowlist output to the Boskos config generator print_cluster_profile_set_details().

Changes

Test Job Cluster Profile Update

Layer / File(s)	Summary
Job configuration change ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml	Updates steps.cluster_profile for job aws-ipi-public-ipv4-pool-byo-subnet-mini-perm-arm-f14 from openshift-org-aws to aws.

Boskos Config Generation Enhancement

Layer / File(s)	Summary
Ignore / allowlist constant core-services/prow/02_config/generate-boskos.py	Adds module-level CLUSTER_PROFILE_SETS_IGNORE containing profiles (list) and allowlist (mapping).
Output construction and filtering core-services/prow/02_config/generate-boskos.py	Modifies print_cluster_profile_set_details() to read ignored CPS names from CLUSTER_PROFILE_SETS_IGNORE['profiles'], exclude those names when building cluster_profile_sets, and include a top-level allowlist field set from CLUSTER_PROFILE_SETS_IGNORE['allowlist'].

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only CI configuration (YAML) and infrastructure scripts (Python). No Ginkgo test files or test code with test titles are present in the changes.
Test Structure And Quality	✅ Passed	PR does not contain Ginkgo test code. Changes are YAML configuration and Python script modifications only. Custom check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR does not introduce any new Ginkgo e2e tests. It only modifies CI/CD configuration files (YAML job config and Python infrastructure script) with no test code changes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not introduce any new Ginkgo e2e tests. It only modifies CI/CD configuration (YAML) and adds a Python configuration generator. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI configuration files (test job YAML and Prow resource quota script). No deployment manifests, operators, or controllers present.
Ote Binary Stdout Contract	✅ Passed	Check not applicable. PR modifies only YAML job configuration and Python Boskos configuration script—no OTE binary code or stdout operations that could violate JSON contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not introduce new Ginkgo e2e tests. Changes are to CI configuration (YAML) and test infrastructure (Python). The check is not applicable.
Title check	✅ Passed	The title 'Add Cluster Profile Sets allowlist' is a slight variant from the PR description title but accurately describes the main change of introducing the CLUSTER_PROFILE_SETS_IGNORE configuration with an allowlist mapping.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core-services/prow/02_config/generate-boskos.py`:
- Around line 922-923: Replace the membership test that uses the banned form "if
not cps_name in ignored_cps" with the preferred Python operator order by
changing it to "if cps_name not in ignored_cps" where the code assigns
cps['cluster_profile_sets'][cps_name] = list(cps_data.keys()); update the
condition in the loop that references cps_name and ignored_cps to use the "not
in" form to satisfy the linter.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 09478930-5f87-4c88-b472-127c8a71a2bc

📥 Commits

Reviewing files that changed from the base of the PR and between 1fdcd96 and f2855b8.

📒 Files selected for processing (2)

• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml
• core-services/prow/02_config/generate-boskos.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify no E713-style membership checks remain in this file
rg -nP '\bif\s+not\s+\S+\s+in\s+\S+' core-services/prow/02_config/generate-boskos.py

Repository: openshift/release

Length of output: 197

---

Use not in membership form to satisfy lint.

Line 922 uses if not cps_name in ignored_cps, which triggers Ruff E713; switch to if cps_name not in ignored_cps.

🔧 Proposed fix

-        if not cps_name in ignored_cps:
+        if cps_name not in ignored_cps:
             cps['cluster_profile_sets'][cps_name] = list(cps_data.keys())

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if not cps_name in ignored_cps:
	cps['cluster_profile_sets'][cps_name] = list(cps_data.keys())
	if cps_name not in ignored_cps:
	cps['cluster_profile_sets'][cps_name] = list(cps_data.keys())

🧰 Tools

🪛 Ruff (0.15.12)

[error] 922-922: Test for membership should be not in

Convert to not in

(E713)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core-services/prow/02_config/generate-boskos.py` around lines 922 - 923,
Replace the membership test that uses the banned form "if not cps_name in
ignored_cps" with the preferred Python operator order by changing it to "if
cps_name not in ignored_cps" where the code assigns
cps['cluster_profile_sets'][cps_name] = list(cps_data.keys()); update the
condition in the loop that references cps_name and ignored_cps to use the "not
in" form to satisfy the linter.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

♻️ Duplicate comments (1)

core-services/prow/02_config/generate-boskos.py (1)

923-924: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix membership check style to unblock Ruff (E713).

Line 923 still uses if not cps_name in ignored_cps, which Ruff flags. Use not in form.

🔧 Proposed fix

-        if not cps_name in ignored_cps:
+        if cps_name not in ignored_cps:
             cps['cluster_profile_sets'][cps_name] = list(cps_data.keys())

#!/bin/bash
# Verify no E713-form membership checks remain in this file.
rg -nP '\bif\s+not\s+\S+\s+in\s+\S+' core-services/prow/02_config/generate-boskos.py

Expected result: no matches.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core-services/prow/02_config/generate-boskos.py` around lines 923 - 924,
Change the membership check in the block that assigns
cps['cluster_profile_sets'][cps_name] to use Python's preferred "not in" syntax:
replace the condition "if not cps_name in ignored_cps" with "if cps_name not in
ignored_cps" so the check involving cps_name and ignored_cps conforms to
Ruff/E713; the rest of the assignment to cps['cluster_profile_sets'][cps_name] =
list(cps_data.keys()) should remain unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@core-services/prow/02_config/generate-boskos.py`:
- Around line 923-924: Change the membership check in the block that assigns
cps['cluster_profile_sets'][cps_name] to use Python's preferred "not in" syntax:
replace the condition "if not cps_name in ignored_cps" with "if cps_name not in
ignored_cps" so the check involving cps_name and ignored_cps conforms to
Ruff/E713; the rest of the assignment to cps['cluster_profile_sets'][cps_name] =
list(cps_data.keys()) should remain unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6c97f70f-9f82-442e-8eb8-aa34130bd6bd

📥 Commits

Reviewing files that changed from the base of the PR and between f2855b8 and 309c9de.

📒 Files selected for processing (2)

• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml
• core-services/prow/02_config/generate-boskos.py

✅ Files skipped from review due to trivial changes (1)

• ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml

[mtulio]

is it updated automatically per new release as this jobs will exists on any new OCP release the may be created

[danilo-gemoli]

No but some of these stanza accept regexps as input (see openshift/ci-tools#5171), therefore we can easily set something like this release-(4\.2\d|5\.\d+). Feel free to suggest a better pattern.

[mtulio]

agree, may be better with a regex, but we may also need to consider the presubmits that runs against the main on installer, mentioned here.

[mtulio]

we may need more jobs https://redhat-internal.slack.com/archives/CBN38N3MW/p1778590873227949?thread_ts=1778106962.993449&cid=CBN38N3MW

[danilo-gemoli]

/retest-required

[danilo-gemoli]

/unhold

[tthvo]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/installer/OWNERS [Prucek,danilo-gemoli]
• ci-operator/config/openshift/openshift-tests-private/OWNERS [Prucek,danilo-gemoli]
• ci-operator/jobs/openshift/installer/OWNERS [Prucek,danilo-gemoli]
• ci-operator/jobs/openshift/openshift-tests-private/OWNERS [Prucek,danilo-gemoli]
• core-services/prow/02_config/OWNERS [Prucek,danilo-gemoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtulio]

/pj-rehearse pull-ci-openshift-installer-release-4.21-e2e-aws-ovn-public-ipv4-pool

[openshift-merge-bot]

@mtulio: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tthvo]

/pj-rehearse pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-public-ipv4-pool

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tthvo]

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14

[openshift-merge-bot]

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mtulio]

Current configuration is still not routing consistently to the region we wanted. We need to figure out the correct job configuration to make lease controller to run only in us-east-1 (as well specific account) on those jobs.

Previously it was achieved through job config:

    leases:
    - env: LEASED_RESOURCE
      resource_type: aws-3-quota-slice

Currently looks like the pool have more regions, balancing eventually to us-east-1.

/hold

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@danilo-gemoli: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-installer-main-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-main-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.19-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.19-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.20-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.20-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.21-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.21-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.17-altinfra-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.18-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.18-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.16-altinfra-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-5.1-e2e-aws-ovn-public-ipv4-pool	openshift/installer	presubmit	Ci-operator config changed
pull-ci-openshift-installer-release-5.1-e2e-aws-ovn-public-ipv4-pool-disabled	openshift/installer	presubmit	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-amd-f28-destructive	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.17-multi-nightly-aws-ipi-public-ipv4-pool-arm-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.21-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.20-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-openshift-tests-private-release-4.20-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-amd-f28-destructive	N/A	periodic	Ci-operator config changed

A total of 61 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[danilo-gemoli]

/pj-rehearse pull-ci-openshift-installer-release-4.21-e2e-aws-ovn-public-ipv4-pool pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-public-ipv4-pool periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14

[openshift-merge-bot]

@danilo-gemoli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@danilo-gemoli: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/installer/release-4.21/e2e-aws-ovn-public-ipv4-pool	68a5f65	link	unknown	/pj-rehearse pull-ci-openshift-installer-release-4.21-e2e-aws-ovn-public-ipv4-pool
ci/rehearse/openshift/installer/release-4.22/e2e-aws-ovn-public-ipv4-pool	68a5f65	link	unknown	/pj-rehearse pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-public-ipv4-pool
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14	68a5f65	link	unknown	/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-public-ipv4-pool-mini-perm-arm-f14

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.