ROSAENG-1067: add gcp marketplace testing to rosa-e2e

ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml

@@ -3,6 +3,10 @@ base_images:
     name: nested-podman
     namespace: ci
     tag: latest
+  ocm-cli:
+    name: ocm-cli
+    namespace: ci
+    tag: latest
   rosa-aws-cli:
     name: rosa-aws-cli
     namespace: ci
@@ -151,6 +155,19 @@ tests:
       REPLICAS: "2"
       STS: "true"
     workflow: rosa-e2e-classic
+- as: osd-gcp-e2e-candidate-4-22
+  cron: 30 7 * * *
+  steps:
+    cluster_profile: rosa-e2e-03
+    env:
+      CHANNEL_GROUP: candidate
+      CLUSTER_TOPOLOGY: osd-gcp
+      LABEL_FILTER: Platform:OSD-GCP && !Access:MC
+      OCM_LOGIN_ENV: staging
+      OPENSHIFT_VERSION: "4.22"
+      REGION: us-east1
+      SUBSCRIPTION_TYPE: marketplace-gcp
+    workflow: rosa-e2e-osd-gcp
 zz_generated_metadata:
   branch: main
   org: openshift-online

ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml

@@ -1655,6 +1655,92 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build09
+  cron: 30 7 * * *
+  decorate: true
+  decoration_config:
+    sparse_checkout_files:
+    - Containerfile
+  extra_refs:
+  - base_ref: main
+    org: openshift-online
+    repo: rosa-e2e
+    sparse_checkout_files:
+    - Containerfile
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-03
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.22"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=osd-gcp-e2e-candidate-4-22
+      - --variant=periodics
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build09
   cron: 0 7 * * *

ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh

@@ -8,9 +8,19 @@ trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wa
 
 # Log in
 OCM_VERSION=$(ocm version)
-OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token")
-echo "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
-ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+if [[ -n "${OCM_TOKEN}" ]]; then
+  echo "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+  echo "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+else
+  echo "Cannot login! You need to securely supply an ocm-token or SSO credentials!"
+  exit 1
+fi
 
 # Deprovision cluster
 CLUSTER_ID=$(cat "${SHARED_DIR}/cluster-id")

ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh

@@ -129,6 +129,7 @@ CHANNEL_GROUP=${CHANNEL_GROUP:-"stable"}
 ETCD_ENCRYPTION=${ETCD_ENCRYPTION:-false}
 DISABLE_WORKLOAD_MONITORING=${DISABLE_WORKLOAD_MONITORING:-false}
 SUBSCRIPTION_TYPE=${SUBSCRIPTION_TYPE:-"standard"}
+ENABLE_WIF=${ENABLE_WIF:-"no"}
 REGION=${REGION:-"${LEASED_RESOURCE}"}
 CLUSTER_TIMEOUT=${CLUSTER_TIMEOUT}
 BOOTSTRAP_TIMEOUT=${BOOTSTRAP_TIMEOUT}
@@ -145,9 +146,19 @@ fi
 
 # Log in
 OCM_VERSION=$(ocm version)
-OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token")
-logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
-ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+if [[ -n "${OCM_TOKEN}" ]]; then
+  logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+  logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+else
+  logger "ERROR" "Cannot login! You need to securely supply an ocm-token or SSO credentials!"
+  exit 1
+fi
 
 # Check whether the cluster with the same cluster name existes.
 OLD_CLUSTER_ID=$(ocm list clusters --columns=id --parameter search="name is '${CLUSTER_NAME}'" | tail -n 1)
@@ -157,8 +168,17 @@ if [[ "$OLD_CLUSTER_ID" != ID* ]]; then
   exit 1
 fi
 
-# Required
+# GCP credentials / WIF config
 GCP_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/osd-ccs-gcp.json"
+WIF_CONFIG_ID=""
+if [[ "${ENABLE_WIF}" == "yes" ]]; then
+  WIF_CONFIG_ID=$(cat "${SHARED_DIR}/wif-config-id" 2>/dev/null || true)
+  if [[ -z "${WIF_CONFIG_ID}" ]]; then
+    logger "ERROR" "ENABLE_WIF is set but no WIF config ID found in SHARED_DIR/wif-config-id"
+    exit 1
+  fi
+  logger "INFO" "Using WIF config: ${WIF_CONFIG_ID}"
+fi
 
 versionList=$(ocm list versions --channel-group ${CHANNEL_GROUP})
 logger "INFO" "Available cluster versions:"
@@ -266,18 +286,27 @@ echo "  Disable workload monitoring: ${DISABLE_WORKLOAD_MONITORING}"
 echo "  Subscription type: ${SUBSCRIPTION_TYPE}"
 echo "  Secure boot for shielded VMs: ${SECURE_BOOT_FOR_SHIELDED_VMS}"
 echo "  Private: ${PRIVATE}"
+echo "  WIF: ${ENABLE_WIF}"
+if [[ "${ENABLE_WIF}" == "yes" ]]; then
+  echo "  WIF config ID: ${WIF_CONFIG_ID}"
+fi
 if [ "${ENABLE_SHARED_VPC}" == "yes" ]; then
   echo "  VPC project id: ${VPC_PROJECT_ID}"
   echo "  VPC name: ${VPC_NAME}"
   echo "  Control-plane subnet: ${CONTROL_PLANE_SUBNET}"
   echo "  Compute subnet: ${COMPUTE_SUBNET}"
 fi
 
+if [[ "${ENABLE_WIF}" == "yes" ]]; then
+  GCP_AUTH_SWITCH="--wif-config ${WIF_CONFIG_ID}"
+else
+  GCP_AUTH_SWITCH="--ccs --service-account-file ${GCP_CREDENTIALS_FILE}"
+fi
+
 cmd="ocm create cluster ${CLUSTER_NAME} \
---ccs \
+${GCP_AUTH_SWITCH} \
 --provider=gcp \
 --region ${REGION} \
---service-account-file ${GCP_CREDENTIALS_FILE} \
 --version ${OPENSHIFT_VERSION} \
 --channel-group ${CHANNEL_GROUP} \
 --compute-machine-type ${COMPUTE_MACHINE_TYPE} \

ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml

@@ -57,6 +57,9 @@ ref:
   - name: PRIVATE
     default: "no"
     documentation: Restrict master API endpoint and application routes to direct, private connectivity. The supported values are [no, yes].
+  - name: ENABLE_WIF
+    default: "no"
+    documentation: Whether to create the cluster using GCP Workload Identity Federation. When set to "yes", the WIF config ID is read from SHARED_DIR/wif-config-id. The supported values are [no, yes].
 
   documentation: |-
     Using ocm cli to create an osd ccs GCP cluster with the provided cluster profile. The cluster profile should include the offline token ocm-token to login.

ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS

@@ -0,0 +1,15 @@
+approvers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia
+options: {}
+reviewers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia

ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS

@@ -0,0 +1,15 @@
+approvers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia
+options: {}
+reviewers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia

ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+function logger() {
+  local -r log_level=$1; shift
+  local -r log_msg=$1; shift
+  echo "$(date -u --rfc-3339=seconds) - ${log_level}: ${log_msg}"
+}
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+GCP_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/osd-ccs-gcp.json"
+export GOOGLE_APPLICATION_CREDENTIALS="${GCP_CREDENTIALS_FILE}"
+
+# Log in
+OCM_VERSION=$(ocm version)
+OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+if [[ -n "${OCM_TOKEN}" ]]; then
+  logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+  logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
+  ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+else
+  logger "ERROR" "Cannot login! You need to securely supply an ocm-token or SSO credentials!"
+  exit 1
+fi
+
+WIF_CONFIG_ID=$(cat "${SHARED_DIR}/wif-config-id" 2>/dev/null || true)
+if [[ -z "${WIF_CONFIG_ID}" ]]; then
+  logger "INFO" "No WIF config ID found in SHARED_DIR, skipping deletion"
+  exit 0
+fi
+
+logger "INFO" "Deleting WIF config: ${WIF_CONFIG_ID}"
+ocm gcp delete wif-config "${WIF_CONFIG_ID}"
+logger "INFO" "WIF config ${WIF_CONFIG_ID} deleted successfully"

ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.metadata.json

@@ -0,0 +1,21 @@
+{
+	"path": "osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml",
+	"owners": {
+		"approvers": [
+			"bmeng",
+			"dustman9000",
+			"gdbranco",
+			"jfrazierredhat",
+			"ravitri",
+			"tiwillia"
+		],
+		"reviewers": [
+			"bmeng",
+			"dustman9000",
+			"gdbranco",
+			"jfrazierredhat",
+			"ravitri",
+			"tiwillia"
+		]
+	}
+}

ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml

@@ -0,0 +1,17 @@
+ref:
+  as: osd-ccs-gcp-wif-config-deprovision
+  from: ocm-cli
+  grace_period: 10m
+  commands: osd-ccs-gcp-wif-config-deprovision-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 300Mi
+  timeout: 30m
+  env:
+  - name: OCM_LOGIN_ENV
+    default: "staging"
+    documentation: The environment for ocm login. The supported values are [production, staging].
+  documentation: |-
+    Deletes a GCP WIF (Workload Identity Federation) config using ocm cli.
+    Reads the WIF config ID from SHARED_DIR/wif-config-id.

ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS

@@ -0,0 +1,15 @@
+approvers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia
+options: {}
+reviewers:
+- bmeng
+- dustman9000
+- gdbranco
+- jfrazierredhat
+- ravitri
+- tiwillia