[WIP] ci(cilium): migrate Cilium installation from OLM manifests to Cilium CLI #79164

Open
mgencur wants to merge 6 commits into openshift:main from mgencur:cilium_cli_install

Conversation


@mgencur mgencur commented May 12, 2026

(This will need a rebase after merging #78338)

Replace the deprecated isovalent/olm-for-cilium manifest-based installation
with the official Cilium CLI in both cilium-conf and
cucushift-hypershift-extended-cilium steps. Bump Cilium from 1.13.9/1.15.1
to 1.19.1 and add CILIUM_CLI_VERSION env var (v0.19.2).

Summary

This PR migrates OpenShift CI Cilium installs from the deprecated isovalent OLM-manifests flow to the official cilium-cli installer, bumps Cilium chart versions, and adds CI helper steps and network-policy workarounds to stabilize Cilium tests in HyperShift/OpenShift CI.

What changed in practical terms

  • Install method and versions

    • CI steps now download a cilium-cli binary (CILIUM_CLI_VERSION, default v0.19.2) into /tmp/bin and run cilium install --version <CILIUM_VERSION> with explicit chart/value overrides instead of applying isovalent OLM manifests and rendered CiliumConfig YAML.
    • Default Cilium chart/version bumped to 1.19.1 (replacing earlier 1.13.9 / 1.15.1 defaults).
    • Several settings previously present in the rendered CiliumConfig (etcd/prometheus/hubble specifics, bpf.preallocateMaps, etc.) are no longer applied by the scripts; installs are driven by the cilium-cli flags included in the scripts.
  • Affected CI steps and scripts (practical effects)

    • ci-operator/step-registry/cilium/conf:
      • cilium-conf-commands.sh: prefers nested_kubeconfig when present, prepends /tmp/bin to PATH, downloads cilium-cli v0.19.2, and installs Cilium with IPv4-only, ipam.mode=cluster-pool (clusterPoolIPv4PodCIDRList=10.128.0.0/14, maskSize=23), cni chainingMode=portmap, sessionAffinity, endpointRoutes, hubble toggle, then waits for readiness.
      • cilium-conf-ref.yaml: adds CILIUM_CLI_VERSION and updates CILIUM_VERSION default to 1.19.1.
    • ci-operator/step-registry/cucushift/hypershift-extended/cilium:
      • cucushift-hypershift-extended-cilium-commands.sh: downloads cilium-cli, derives clusterNetwork CIDR and hostPrefix from the cluster to populate IPAM values, installs via cilium-cli with equivalent chart/value overrides, and waits for cilium status --wait.
      • cucushift-hypershift-extended-cilium-ref.yaml: adds CILIUM_CLI_VERSION and defaults CILIUM_VERSION to 1.19.1.
    • Health-check script: guest-cluster readiness gating was tightened via longer oc wait timeouts for nodes, clusteroperators, and clusterversion.
  • New helper steps and debugging

    • Added cucushift-hypershift-extended-cilium-dump-debug: collects Cilium resources and runs in-pod cilium commands for troubleshooting; added ref and metadata with OWNERS.
    • Added cucushift-hypershift-extended-cilium-network-policies: applies five Cilium/OpenShift NetworkPolicy workarounds to restore required test traffic paths (numeric ports, Prometheus/monitoring, router metrics); added ref and metadata with OWNERS.
    • OWNERS updates: new step directories list mgencur as approver/reviewer.
  • Workflow and test integrations

    • Injects the network-policies pre-step into multiple HyperShift Cilium workflows (e.g., aws/ipi/ovn guest workflows, conformance workflows, MCE agent chains)—generally placed before the cilium health-check step.
    • Adds the dump-debug step to conformance workflows' post phase to collect Cilium artifacts on failure.
    • Updates e2e-aws-conformance-cilium TEST_SKIPS formatting while preserving skip coverage and extends skip entries for Cilium-related load balancer/CCO issues.

Operational impact / rationale

  • Aligns CI with the officially supported installer (cilium-cli) and a newer Cilium chart (1.19.1), removing reliance on deprecated isovalent OLM manifests.
  • Introduces network-policy fixes and a debug dump step to improve test reliability and troubleshooting for Cilium runs in HyperShift/OpenShift CI.

Review notes / calls to attention

  • CILIUM_CLI_VERSION defaults: scripts use "v0.19.2" while some ref docs show "0.19.2"—the download URL in scripts uses the v-prefixed pattern.
  • Several legacy CiliumConfig settings are not migrated into the cilium-cli invocations; reviewers should verify whether omitted settings must be reintroduced via cilium-cli value overrides.
  • A rebase will be required after merging PR #78338 (Fix Cilium TEST_SKIPS for 4.22 conformance job), as noted in the PR description.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) May 12, 2026

coderabbitai Bot commented May 12, 2026

Walkthrough

Replaces OLM-manifest Cilium installs with cilium-cli installs across CI steps, bumps Cilium/CLI defaults, adds Cilium network-policy workarounds and a debug-dump step, tightens readiness waits, updates conformance skip lists, and wires new refs/workflow positions and OWNERS/metadata.

Changes

Cilium CI step updates (install, debug, network policies, wiring)

Layer / File(s) / Summary

Version defaults & documentation
  Files: ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml, ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
  Summary: Bumped CILIUM_VERSION to 1.19.1, added CILIUM_CLI_VERSION (default 0.19.2), and updated step docs to describe CLI-based installation.

Generic Cilium install via cilium-cli
  Files: ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  Summary: Set KUBECONFIG (prefer nested), create /tmp/bin, export PATH, download/extract cilium-cli for CILIUM_CLI_VERSION, and run cilium install --version ${CILIUM_VERSION} with explicit --set chart flags (IPv4-only, cluster-pool IPAM CIDR, CNI paths, sessionAffinity, hubble/endpointRoutes toggles) followed by cilium status --wait.

Hypershift-specific cilium-cli install
  Files: ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
  Summary: Added CILIUM_VERSION/CILIUM_CLI_VERSION, install cilium-cli, derive PODCIDR and HOSTPREFIX from oc get network cluster, invoke cilium install --version ... with chart --set values (cluster-pool IPAM using derived CIDR/mask, ipv4NativeRoutingCIDR, CNI bin/conf paths, endpointRoutes, sessionAffinity, chainingMode, ports, socketLB) and wait with cilium status --wait.

Cilium network-policy workarounds
  Files: ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh, .../network-policies-ref.yaml, .../network-policies-ref.metadata.json, .../network-policies/OWNERS
  Summary: New CLI step applying five oc apply heredoc manifests (one CiliumNetworkPolicy, four NetworkPolicies) to allow DNS→API egress and monitoring-related ingress rules; added ref YAML, metadata JSON, and OWNERS pointing to mgencur.

Cilium debug-dump step
  Files: ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh, .../dump-debug-ref.yaml, .../dump-debug-ref.metadata.json, .../dump-debug/OWNERS
  Summary: New CLI step gathers Cilium resources into artifacts, finds a Cilium pod and runs cilium status, cilium service list, cilium bpf lb list, and cilium config inside it; added ref YAML, metadata JSON, and OWNERS set to mgencur.

Readiness gating updates
  Files: ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh
  Summary: Replaced shorter waits with longer explicit oc wait calls for nodes Ready, clusteroperators (Available/Progressing/Degraded), and ClusterVersion availability.

Conformance/test wiring and skips
  Files: ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml, ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml, ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/..., ci-operator/step-registry/.../cilium/...-workflow.yaml
  Summary: Updated TEST_SKIPS formatting and added Cilium-related skip entries; inserted cucushift-hypershift-extended-cilium-network-policies into multiple pre/test chains; added cucushift-hypershift-extended-cilium-dump-debug to post steps in relevant workflows.

OWNERS & metadata additions
  Files: .../network-policies/OWNERS, .../dump-debug/OWNERS, .../dump-debug-ref.metadata.json, .../network-policies-ref.metadata.json
  Summary: Added/updated owners (approvers/reviewers set to mgencur) for new debug and network-policies refs and directories.

Sequence Diagram

sequenceDiagram
    participant CI as CI job
    participant Workflow as Workflow YAML
    participant CreateCmd as HyperShift create command
    participant CloudProvider as AWS/Azure
    participant Conformance as Conformance workflow
    Workflow->>CreateCmd: declare `CNI_PROVIDER` env (default "")
    CreateCmd->>CloudProvider: if `CNI_PROVIDER==cilium` append health-probe-mode annotation
    Conformance->>Workflow: set `CNI_PROVIDER: "cilium"`, add network-policies pre-step
    Conformance->>Workflow: add dump-debug post ref

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels: rehearsals-ack

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name / Status / Explanation / Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility ⚠️ Warning Cilium Helm chart applies required anti-affinity constraints that break on SNO and Two-Node topologies. No topology-aware overrides in cilium install commands. Add affinity overrides (--set operator.affinity...) or topology checks before installation. Verify with SNO/Two-Node CI.
✅ Passed checks (10 passed)
Check name / Status / Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: migrating Cilium installation from OLM manifests to the Cilium CLI. It is specific, clear, and reflects the primary objective of the PR.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains no Ginkgo test files or test name definitions. All changes are CI/CD configuration scripts and YAML workflow files. The check is not applicable to this PR.
Test Structure And Quality ✅ Passed The check requires reviewing Ginkgo test code. This PR contains no Ginkgo tests—only shell scripts, YAML configuration, and OWNERS files. The check is not applicable.
Microshift Test Compatibility ✅ Passed PR contains no new Ginkgo e2e tests. All 25 modified files are CI/CD infrastructure (shell scripts, YAML configs, JSON, OWNERS). MicroShift test compatibility check only applies to new Ginkgo tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR does not add any Ginkgo e2e tests. Changes are CI/CD infrastructure only: shell scripts, YAML workflows, and configuration files. SNO compatibility check is not applicable.
Ote Binary Stdout Contract ✅ Passed This PR modifies only CI/operator shell scripts and configuration files (YAML/JSON). No OTE binaries or Go test code present. The OTE Binary Stdout Contract check does not apply.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are present in this PR. The changes consist of CI infrastructure scripts and YAML configuration files, not Go test files. The custom check does not apply.


@openshift-ci openshift-ci Bot requested review from jtaleric and neisw May 12, 2026 08:18

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh (1)

3-7: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drop global set -x from this step script.

Line 6 enables xtrace by default; this violates the step-script logging rule and increases leak risk in CI logs. Keep strict mode as set -euo pipefail, and only enable tracing in narrow debug blocks.

As per coding guidelines, "Default to set -euo pipefail without -x in step-registry command scripts and only enable -x when actively debugging".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh` around lines 3
- 7, Remove the global xtrace enable (the "set -x" line) from the step script so
the script uses strict mode only ("set -o nounset", "set -o errexit", "set -o
pipefail"); if you need tracing for debugging, enable it around a narrow block
with "set -x" and disable with "set +x" rather than leaving "set -x" globally.
Ensure the script contains the three strict options (nounset/errexit/pipefail)
and no global "set -x" so logs do not leak sensitive information.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh`:
- Line 8: The fallback default for CILIUM_CLI_VERSION currently includes a
leading "v" which causes a double "v" when the download tag is later prefixed;
fix by normalizing the variable before constructing the tag: either change the
default to omit the "v" (use "0.19.2") or strip any leading "v" from
CILIUM_CLI_VERSION when you build the download tag (e.g., use the value with
leading "v" removed and then prefix a single "v" when forming the final tag),
referencing the CILIUM_CLI_VERSION variable and the tag construction site that
currently adds the "v".

In
`@ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh`:
- Line 3: The script enables xtrace via "set -xeuo pipefail" which can leak
proxy credentials when the script executes "source proxy-conf.sh"; modify the
script to temporarily disable xtrace around the sensitive operation by saving
the current xtrace state, running "set +x" before sourcing proxy-conf.sh,
sourcing it, then restoring the original xtrace state afterward so tracing is
off only while proxy-conf.sh is read (refer to the existing "set -xeuo pipefail"
and the "source proxy-conf.sh" usage to locate where to apply this change).
- Around line 41-47: The cilium install invocation is hardcoded to a dev
repository and version which overrides the CILIUM_VERSION input; update the
cilium install command (the --repository and --version flags in the cilium
install invocation) to use the CILIUM_VERSION variable instead of the literal
dev values (or make --repository conditional if you support an explicit DEV_REPO
flag), so the script honors CILIUM_VERSION; ensure you still pass --set
debug.enabled=true. Reference the existing cilium install command and the
CILIUM_VERSION variable when making the change.
- Around line 54-55: The --set argument expansions are unquoted for HOSTPREFIX
and PODCIDR (symbols: HOSTPREFIX, PODCIDR) which can cause word-splitting;
update the cilium helm/cli invocation so those values are quoted like the
preceding PODCIDR usage — e.g. change the flags to use "${HOSTPREFIX}" and
"${PODCIDR}" in the --set arguments for ipam.operator.clusterPoolIPv4MaskSize
and ipv4NativeRoutingCIDR to match the existing quoting pattern and avoid
splitting issues.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2d7530c4-301d-4abe-978b-13b7fe45c85b

📥 Commits

Reviewing files that changed from the base of the PR and between a1e1483 and 1713e49.

📒 Files selected for processing (4)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml


cilium_olm_rev="main"
cv="$CILIUM_VERSION"
CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"v0.19.2"}
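Review bot: `cilium_olm_rev="main"` on the first context line looks like a leftover of the isovalent OLM-manifest flow this PR retires; if nothing in the script still reads it (the description says installs are now driven entirely by cilium-cli flags), drop it together with any other OLM-era variables so the step does not carry dead configuration. The `v0.19.2` fallback on the last line is the double-`v` problem raised in the comment that follows: building the tag from `${CILIUM_CLI_VERSION#v}` would accept both the `0.19.2` spelling used in the ref docs and the `v0.19.2` spelling used in the scripts.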

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

CILIUM_CLI_VERSION fallback currently builds an invalid download tag.

Line 8 defaults to v0.19.2, but Line 35 already prefixes the tag with v, producing vv0.19.2 when fallback is used.

Proposed fix
-CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"v0.19.2"}
+CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"}
...
-curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/
+curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/
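Review bot: the second pair of lines in this proposed fix is identical on both sides (the `-` and `+` curl lines both still read `v${CILIUM_CLI_VERSION}`), so only the change of the default to `"0.19.2"` has any effect. Either drop that no-op pair or make it the real fix by building the tag from `${CILIUM_CLI_VERSION#v}`, so a job that sets `v0.19.2` explicitly (the spelling the PR description and ref defaults currently use) does not produce `vv0.19.2` again.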

Also applies to: 35-35


@@ -1,7 +1,10 @@
#!/bin/bash

set -xeuo pipefail
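Review bot: `set -xeuo pipefail` on the third line turns tracing on for the whole script, so the later `source proxy-conf.sh` (line 13 according to the comment below) echoes every assignment that file makes, credentials included, into a job log that is retained and readable long after the job finishes. Prefer `set -euo pipefail` here and, where tracing is genuinely wanted, wrap the sensitive section in a save of `$-` (`case $- in *x*) ...`), `set +x`, and a conditional restore, rather than leaving `-x` global.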

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid xtrace while sourcing proxy configuration.

With Line 3 using -x, sourcing proxy-conf.sh at Line 13 can expose proxy credentials in logs. Disable tracing by default (or at least around source).

As per coding guidelines, "Disable bash tracing (set +x) when handling sensitive operations in step-registry command scripts and restore previous tracing state afterward".

Also applies to: 9-13


Comment on lines +54 to +55
--set ipam.operator.clusterPoolIPv4MaskSize=${HOSTPREFIX} \
--set ipv4NativeRoutingCIDR=${PODCIDR} \
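Review bot: besides the missing quotes (line 53 quotes `${PODCIDR}`; these two lines do not), both values are derived from `oc get network cluster` according to the walkthrough, so an empty or unexpected result reaches `cilium install` silently: `set -u` only catches an unset variable, not an empty one. Quote both expansions and fail fast before the install, for example `[ -n "${HOSTPREFIX}" ] && [ -n "${PODCIDR}" ] || exit 1`, with a CIDR/prefix sanity check if the derivation step does not already validate them.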

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unquoted --set expansions in this script.
rg -n -C2 --type=sh 'clusterPoolIPv4MaskSize=\$\{HOSTPREFIX\}|ipv4NativeRoutingCIDR=\$\{PODCIDR\}'

Repository: openshift/release

Length of output: 1055


🏁 Script executed:

cat -n ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh | head -80

Repository: openshift/release

Length of output: 2505


Quote variable expansions in --set args for consistency and safety.

Lines 54-55 have unquoted variable expansions while line 53 quotes the same PODCIDR variable. Quote these expansions to prevent word-splitting hazards and align with the quoting pattern used elsewhere in the command.

Proposed fix
-    --set ipam.operator.clusterPoolIPv4MaskSize=${HOSTPREFIX} \
-    --set ipv4NativeRoutingCIDR=${PODCIDR} \
+    --set "ipam.operator.clusterPoolIPv4MaskSize=${HOSTPREFIX}" \
+    --set "ipv4NativeRoutingCIDR=${PODCIDR}" \
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 54-54: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 55-55: Double quote to prevent globbing and word splitting.

(SC2086)



mgencur commented May 12, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium

@openshift-merge-bot

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@mgencur mgencur force-pushed the cilium_cli_install branch from 1713e49 to 9e45c5d Compare May 14, 2026 07:34

mgencur commented May 14, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium


openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign enxebre, jtaleric for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh`:
- Around line 5-7: Save the current xtrace state into a variable (e.g.
XTRACE_SAVE from "$-"), disable xtrace with set +x before sourcing the proxy
config, source "${SHARED_DIR}/proxy-conf.sh", and then restore xtrace (set -x)
only if the saved state indicated it was enabled; this ensures sensitive proxy
credentials in proxy-conf.sh are not printed while preserving the original trace
behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b03f8b40-8af8-4b50-9112-c721bfc5bdd8

📥 Commits

Reviewing files that changed from the base of the PR and between 1713e49 and 9e45c5d.

📒 Files selected for processing (18)
  • ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml
  • ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-guest-cilium-workflow.yaml
  • ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml
  • ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
  • ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml
✅ Files skipped from review due to trivial changes (7)
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json
  • ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml
  • ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json
  • ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/guest/cilium/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-guest-cilium-workflow.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh

Comment on lines +5 to +7
if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
source "${SHARED_DIR}/proxy-conf.sh"
fi

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable xtrace while sourcing proxy configuration.

set -x is active when proxy-conf.sh is sourced, which can leak sensitive proxy credentials to job logs.

🔧 Proposed fix
 if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+  set +x
   source "${SHARED_DIR}/proxy-conf.sh"
+  set -x
 fi
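Review bot: the proposed fix restores tracing with an unconditional `set -x` after the source, which is only correct because this script currently enables `-x` globally at the top; once that global `-x` is dropped, as the other comments on this PR recommend, this block would switch tracing on for the rest of the script. Save the state first (`case $- in *x*) had_x=1 ;; esac`), then restore only when `had_x` was set, as the agent prompt under this comment already describes.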

As per coding guidelines, step registry command scripts must protect sensitive information from leaking into CI logs and should use set +x around sensitive operations.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh`
around lines 5 - 7, Save the current xtrace state into a variable (e.g.
XTRACE_SAVE from "$-"), disable xtrace with set +x before sourcing the proxy
config, source "${SHARED_DIR}/proxy-conf.sh", and then restore xtrace (set -x)
only if the saved state indicated it was enabled; this ensures sensitive proxy
credentials in proxy-conf.sh are not printed while preserving the original trace
behavior.
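To make the save-and-restore approach from the prompt above concrete, here is an added example (not code from the PR or from the CodeRabbit comment) that sources a constructed stand-in for proxy-conf.sh with xtrace suppressed and re-enables xtrace only if the caller had it on. The temp file, the variable name CI_PROXY_URL and the placeholder credential are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: source a credentials file (like proxy-conf.sh)
# while `set -x` is active without its contents reaching the CI log, and restore the
# caller's xtrace state afterwards instead of blindly running `set -x`.

source_without_xtrace() {
  file="$1"
  had_xtrace=0
  case "$-" in *x*) had_xtrace=1 ;; esac   # remember whether xtrace was on
  set +x                                    # from here on nothing is echoed to the log
  # shellcheck disable=SC1090
  . "$file"
  rc=$?
  [ "$had_xtrace" -eq 1 ] && set -x         # restore only what the caller had enabled
  return "$rc"
}

# Constructed stand-in for ${SHARED_DIR}/proxy-conf.sh; CI_PROXY_URL plays the role of
# HTTPS_PROXY and the credential is a placeholder, not a real secret.
DEMO_CONF="$(mktemp)"
TRACE_LOG="$(mktemp)"
cat >"$DEMO_CONF" <<'EOF'
export CI_PROXY_URL="http://ci-user:PLACEHOLDER_SECRET@proxy.example.internal:3128"
EOF

# Run the sourcing step with xtrace on, capturing the trace (stderr) as a CI log would.
# Returns 0 only if xtrace is still enabled after the call, i.e. the state was restored.
run_demo() {
  set -x
  source_without_xtrace "$DEMO_CONF" 2>"$TRACE_LOG"
  restored=0
  case "$-" in *x*) restored=1 ;; esac
  set +x
  [ "$restored" -eq 1 ]
}

# Number of captured trace lines containing the placeholder credential; 0 means no leak.
leaked_lines() {
  grep -c 'PLACEHOLDER_SECRET' "$TRACE_LOG" || true
}

run_demo
printf 'CI_PROXY_URL set after sourcing: %s\n' "${CI_PROXY_URL:+yes}"
printf 'trace lines containing the secret: %s\n' "$(leaked_lines)"
```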

mgencur (Contributor, Author) commented May 14, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium

openshift-merge-bot (Contributor) commented:

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

mgencur force-pushed the cilium_cli_install branch from 325f3bb to 4feb9e4 on May 15, 2026 06:01
mgencur (Contributor, Author) commented May 15, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium

openshift-merge-bot (Contributor) commented:

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh`:
- Line 6: Normalize the CILIUM_CLI_VERSION variable before building the release
URL: detect and strip any leading "v" from CILIUM_CLI_VERSION (so both "0.19.2"
and "v0.19.2" become "0.19.2"), then explicitly prefix a single "v" when
composing the download URL; update the code that composes the URL (the place
that currently prepends "v" to CILIUM_CLI_VERSION) to use the normalized value
to avoid producing "vv..." in the URL.

📥 Commits

Reviewing files that changed from the base of the PR and between 325f3bb and 4feb9e4.

📒 Files selected for processing (5)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
  • ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml
  • ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml
  • ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh

set -xeuo pipefail

CILIUM_VERSION=${CILIUM_VERSION:-"1.19.1"}
CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"}
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

raw='v0.19.2'
bad="https://github.com/cilium/cilium-cli/releases/download/v${raw}/cilium-linux-amd64.tar.gz"
good="https://github.com/cilium/cilium-cli/releases/download/v${raw#v}/cilium-linux-amd64.tar.gz"

for url in "$bad" "$good"; do
  code="$(curl -sS -o /dev/null -w '%{http_code}' -L "$url")"
  printf '%s -> HTTP %s\n' "$url" "$code"
done

🏁 Script executed:

cat "ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh"

Normalize CILIUM_CLI_VERSION before composing the release URL.

Line 33 prepends v, but if CILIUM_CLI_VERSION is set to v0.19.2 (as intended by this PR), the download URL becomes .../vv0.19.2/... and fails with HTTP 404. The test confirms: vv0.19.2 returns 404, while v0.19.2 returns 200.

Proposed fix
-CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"}
+CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"v0.19.2"}
+CILIUM_CLI_TAG="${CILIUM_CLI_VERSION#v}"
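Review bot: the default change from "0.19.2" to "v0.19.2" on the first `+` line is not required for the fix, because `CILIUM_CLI_TAG="${CILIUM_CLI_VERSION#v}"` already accepts both spellings; if the new default is kept, update the step's documented default value to match so the two do not drift apart.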
@@
-curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/
+curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_TAG}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/
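Review bot: with `v${CILIUM_CLI_TAG}` the URL carries exactly one `v` for either input, which matches the 200/404 result of the check above. Since the archive is piped straight into `tar -xzC /tmp/bin/`, consider verifying a published checksum of the tarball before extracting it, so that a tampered or truncated download cannot silently replace the `cilium` binary the rest of the step relies on.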
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh`
at line 6, Normalize the CILIUM_CLI_VERSION variable before building the release
URL: detect and strip any leading "v" from CILIUM_CLI_VERSION (so both "0.19.2"
and "v0.19.2" become "0.19.2"), then explicitly prefix a single "v" when
composing the download URL; update the code that composes the URL (the place
that currently prepends "v" to CILIUM_CLI_VERSION) to use the normalized value
to avoid producing "vv..." in the URL.

Replace the deprecated isovalent/olm-for-cilium manifest-based installation
with the official Cilium CLI in both cilium-conf and
cucushift-hypershift-extended-cilium steps. Bump Cilium from 1.13.9/1.15.1
to 1.19.1 and add CILIUM_CLI_VERSION env var (v0.19.2).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mgencur force-pushed the cilium_cli_install branch from f668780 to 8ce2e63 on May 15, 2026 08:52
mgencur (Contributor, Author) commented May 15, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium

openshift-merge-bot (Contributor) commented:

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

mgencur (Contributor, Author) commented May 15, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium

openshift-merge-bot (Contributor) commented:

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

mgencur (Contributor, Author) commented May 15, 2026

/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium

openshift-merge-bot (Contributor) commented:

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-merge-bot (Contributor) commented:

[REHEARSALNOTIFIER]
@mgencur: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name | Repo | Type | Reason
pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-5.1-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-5.0-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.23-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.22-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.20-e2e-aws-ovn-hypershift-conformance | openshift/cluster-ingress-operator | presubmit | Registry content changed
pull-ci-openshift-hypershift-main-agentic-qe-aws | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-5.1-agentic-qe-aws | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-5.0-agentic-qe-aws | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.23-agentic-qe-aws | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.22-agentic-qe-aws | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-main-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-5.1-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-5.0-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.23-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.22-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.21-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.20-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.19-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.18-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.17-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.16-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.15-e2e-conformance | openshift/hypershift | presubmit | Registry content changed
pull-ci-openshift-hypershift-release-4.14-e2e-conformance | openshift/hypershift | presubmit | Registry content changed

A total of 738 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci (Bot, Contributor) commented May 15, 2026

@mgencur: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/rehearse/periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium | cdaf539 | link | unknown | /pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium
ci/rehearse/periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium | cdaf539 | link | unknown | /pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium


Labels: do-not-merge/work-in-progress (indicates that a PR should not merge because it is a work in progress)
2 participants