[WIP]: CNTRLPLANE-3375: Add ExternalOIDCWithUpstreamParity Default jobs #79310

Open
ShazaAldawamneh wants to merge 2 commits into openshift:main from ShazaAldawamneh:CNTRLPLANE-3375

@ShazaAldawamneh ShazaAldawamneh commented May 14, 2026

This PR adds periodic Prow jobs for the ExternalOIDCWithUpstreamParity feature gate running on the Default feature set, enabling automated regression testing once the feature is promoted from TechPreview to GA.

This PR should be merged alongside the feature gate promotion PR in openshift/api.

Changes

Periodic Jobs Added

Creates daily periodic test jobs for the Default feature set across all supported platforms and releases:

Platforms (all 8 required for promotion):

  • AWS
  • Azure
  • GCP
  • VSphere
  • Baremetal IPv4
  • Baremetal IPv6
  • Baremetal Dualstack
  • Single Node OpenShift (SNO)

Releases:

  • 4.23: Daily jobs (24h intervals, cron schedules for vsphere)
  • 5.0: Daily jobs (24h intervals, cron schedules for vsphere)

Summary

This PR updates OpenShift CI configuration for the cluster-authentication-operator repository to add periodic Prow jobs that exercise the ExternalOIDCWithUpstreamParity tests against the Default feature set. The intent is to provide automated regression coverage as the feature gate moves toward GA.

Changes (practical impact)

  • Affects: ci-operator/config/openshift/cluster-authentication-operator periodics for release branches 4.23 and 5.0.
  • Adds new "upstream parity — default" periodic E2E test entries (platform-specific variants) that run the openshift/auth/external-oidc suite and the appropriate workflows (openshift-e2e-* or baremetalds-e2e).
  • Platforms covered: AWS, Azure, GCP, vSphere, Baremetal OVN (IPv4, IPv6, Dualstack), and AWS Single Node OpenShift (SNO).
  • Scheduling: new periodic entries added for both 4.23 and 5.0; vSphere periodic cron was adjusted between branches (vSphere cron/day-of-week changed in the 5.0 file). (Scheduling is declared per-entry via interval and/or cron in the YAML.)
  • Test configuration commonalities:
    • OPENSHIFT_SKIP_EXTERNAL_TESTS: "True" set where applicable.
    • TEST_ARGS includes disabling legacy monitors/invariants (shared test args); SNO variant adds extra args (audit/log analyzer, node/kube-apiserver invariant disables).
    • TEST_SKIPS expanded to exclude ExternalOIDC and ExternalOIDCWithUIDAndExtraClaimMappings variants as appropriate.
    • Baremetal variants set DEVSCRIPTS_CONFIG to select IP_STACK (v4, v6, v4v6) and NETWORK_TYPE=OVNKubernetes and include the intranet capability.
  • No code or exported API changes — configuration-only YAML edits.

Notes / CI metadata

  • Total scope: new periodic entries added across both release configurations (platform coverage listed above).
  • openshift-ci-robot confirmed the PR references CNTRLPLANE-3375 and issued a warning that the referenced Jira issue lacks the expected target version for the target branch (expecting 5.0.0).

Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 14, 2026

openshift-ci-robot commented May 14, 2026

@ShazaAldawamneh: This pull request references CNTRLPLANE-3375 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

coderabbitai Bot commented May 14, 2026

Walkthrough

Release-4.23 and release-5.0 periodic CI configs add new External OIDC “upstream parity” default variants for AWS, Azure, GCP, vSphere, Metal (ipv4/ipv6/dualstack) and AWS SNO; release-5.0 also relaxes the vSphere cron day-of-week from 3 to *. New entries use 24h intervals and shared TEST_ARGS/TEST_SKIPS.

Changes

External OIDC Upstream Parity Test Configurations

| Layer / File(s) | Summary |
|---|---|
| Periodic test job definitions (new default variants): ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.23__periodics.yaml, ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml | Added e2e-*-external-oidc-upstream-parity-default periodics for AWS, Azure, GCP, vSphere, Metal OVN (ipv4/ipv6/dualstack) and AWS SNO. Each new job sets interval: 24h (vSphere includes a cron override), configures TEST_ARGS to disable legacy invariant/audit analyzers where applicable, and expands TEST_SKIPS to exclude ExternalOIDC and ExternalOIDCWithUIDAndExtraClaimMappings. Metal variants include capabilities: [intranet] and DEVSCRIPTS_CONFIG for IP stack. |
| vSphere cron schedule change: ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml | Updated existing e2e-vsphere-external-oidc-upstream-parity periodic cron from 30 21 * * 3 to 30 21 * * * (day-of-week 3 -> *). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main change: adding ExternalOIDCWithUpstreamParity Default jobs across multiple releases and platforms. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies only CI operator configuration YAML files, not Ginkgo test code. The custom check for stable Ginkgo test names is not applicable to configuration files. |
| Test Structure And Quality | ✅ Passed | The PR contains only YAML CI configuration files for Prow periodic jobs, not Ginkgo test code. The custom check for test structure and quality is not applicable to CI configuration files. |
| Microshift Test Compatibility | ✅ Passed | This PR modifies only YAML CI configuration files, not Ginkgo test code. The custom check for new test code is not applicable to configuration-only changes. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds Prow periodic job configurations, not new Ginkgo e2e tests. The check applies only to new test code (It(), Describe(), etc.), which is absent here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only Prow CI test job configs, not deployment manifests, operator code, or controllers. The topology check is not applicable to CI configuration. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML Prow job configuration files. No source code, OTE binaries, or test code changes present. Check is not applicable to configuration-only changes. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only Prow CI job configuration (YAML) to schedule existing tests. No new Ginkgo test code is being added, so the IPv6/disconnected compatibility check does not apply. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ShazaAldawamneh
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from kaleemsiddiqu and rh-roman May 14, 2026 14:40

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml`:
- Line 457: The cron schedule for the vSphere periodic is set to weekly ("cron:
30 21 * * 3") but should run daily; update the YAML entry for the cron key (the
line containing "cron") to a daily schedule such as "30 21 * * *" so the job
runs every day at 21:30 UTC.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3e437c22-7c02-42c3-aca1-91c0d7849466

📥 Commits

Reviewing files that changed from the base of the PR and between 54c0523 and a953f60.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.23-periodics.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (2)
  • ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.23__periodics.yaml
  • ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml

Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
@openshift-merge-bot

[REHEARSALNOTIFIER]
@ShazaAldawamneh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-aws-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-azure-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-azure-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-sno-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-dualstack-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-gcp-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-vsphere-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv6-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-metal-ovn-ipv6-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-metal-ovn-dualstack-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-gcp-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-aws-sno-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-4.23-periodics-e2e-metal-ovn-ipv4-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |
| periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv4-external-oidc-upstream-parity-default | N/A | periodic | Periodic changed |

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci Bot commented May 14, 2026

@ShazaAldawamneh: all tests passed!