
[WIP] CMP-4229: Add CO, SPO and FIO tests for RHCOS10 on AWS#79587

Open
yuumasato wants to merge 1 commit into openshift:main from yuumasato:test-rhcos10-on-aws

Conversation

@yuumasato
Contributor

@yuumasato yuumasato commented May 21, 2026

Testing our operators on RHCOS10 on AWS

Summary by CodeRabbit

This change updates the OpenShift CI configuration in the openshift/release repository to add rehearsal test coverage for RHCOS10 on AWS (4.22 multi-nightly private tests). It introduces four new AWS IPI installer-rehearsal jobs in the openshift-tests-private multi-nightly config to validate operator behavior and security features on RHCOS10 with FIPS enabled:

What changed in practical terms

  • Adds four new multi-nightly installer-rehearsal job entries to the private 4.22 multi-nightly CI config for AWS:
    • Compliance (standard)
    • Compliance (destructive)
    • File Integrity Monitoring (FIO)
    • Security Profiles (SPO)
  • Each job runs the cucushift-installer-rehearse-aws-ipi workflow under cluster_profile: aws-qe and targets RHCOS10 (OS_IMAGE_STREAM: rhel-10) with FEATURE_SET: TechPreviewNoUpgrade and FIPS_ENABLED: "true".
  • Jobs are configured for AMD64 f28-type workers, set TEST_PARALLEL: "3", define TEST_SCENARIOS/TEST_FILTERS per job, and include job-specific TEST_TIMEOUT settings (the destructive Compliance variant uses a longer timeout and includes StressTest in its filters).
  • Non-destructive Compliance, File Integrity, and Security Profiles follow the standard openshift-e2e test/report chain; the destructive Compliance job runs disruptive/web test steps and extended stress testing.

Infrastructure impact

  • Extends the private 4.22 multi-nightly CI rehearsal coverage for AWS to exercise cluster operators and security-focused components (compliance, FIO, security profiles) on RHCOS10 + FIPS under TechPreviewNoUpgrade constraints, improving CI validation for upcoming RHCOS10-related operator behavior on AWS.

Notes

  • CI metadata/comments mention a linked Jira (CMP-4229) and an automated robot warning that the Jira's target version for the branch is missing/invalid; this is an external tracking detail and does not affect the CI configuration changes themselves.

@openshift-ci openshift-ci Bot requested review from asood-rh and oliver-smakal May 21, 2026 09:14
@coderabbitai
Contributor

coderabbitai Bot commented May 21, 2026

Walkthrough

Adds four OpenShift multi-nightly AWS installer-rehearsal CI jobs for FIPS on RHCOS10 TechPreviewNoUpgrade (AMD f28): Compliance, Compliance (destructive), File Integrity, and Security Profiles; each enables FIPS, sets OS_IMAGE_STREAM: rhel-10, configures scenario-specific tests/filters, and uses the cucushift-installer-rehearse-aws-ipi workflow.

Changes

FIPS RHCOS10 AMD Test Jobs

| Layer / File(s) | Summary |
| --- | --- |
| Compliance job / ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml | Non-destructive Compliance job added with CATALOG_SOURCE_NAME, FIPS_ENABLED: "true", OS_IMAGE_STREAM: rhel-10, FEATURE_SET: TechPreviewNoUpgrade, TEST_SCENARIOS, TEST_FILTERS, TEST_PARALLEL: "3", TEST_TIMEOUT, installer rehearsal refs (including openshift-extended-test), then cucushift-installer-rehearse-aws-ipi. |
| Compliance (destructive) job / ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml | Destructive Compliance job added with StressTest/Disruptive filters, longer TEST_TIMEOUT, and disruptive/web rehearsal refs (openshift-extended-test-disruptive, openshift-extended-web-tests) before cucushift-installer-rehearse-aws-ipi. |
| File Integrity job / ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml | File Integrity job added with file-integrity-operator catalog source, file-integrity TEST_SCENARIOS, standard rehearsal refs, then cucushift-installer-rehearse-aws-ipi. |
| Security Profiles job / ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__multi-nightly.yaml | Security Profiles job added with security-profiles-operator catalog source, combined security-profiles TEST_SCENARIOS, standard rehearsal refs, then cucushift-installer-rehearse-aws-ipi. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

  • asood-rh
  • oliver-smakal
🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title references specific test types (CO, SPO, FIO) and the target platform (RHCOS10 on AWS), which align with the main changes in the PR. However, the title omits Compliance tests, which represent half of the new job entries added. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Check does not apply. PR adds CI configuration YAML entries only, not Ginkgo test code. No Ginkgo It()/Describe()/Context() definitions are present or modified. |
| Test Structure And Quality | ✅ Passed | PR only modifies YAML CI configuration files, not Ginkgo test code. The custom check for Ginkgo test quality requirements is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR adds only CI YAML configuration to run existing test chains on RHCOS10/FIPS. No new Ginkgo test code is added, so the MicroShift compatibility check does not apply. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds CI job config entries only, not new Ginkgo e2e test code. SNO compatibility check applies only to new test implementations, not CI configuration. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR modifies a CI test configuration file (not deployment manifests, operator code, or controllers) and introduces no scheduling constraints that could break topology-aware scheduling. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML CI configuration files (no Go source code), making the OTE Binary Stdout Contract check inapplicable. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only YAML CI job configuration, no new Ginkgo e2e tests. Check requires "new Ginkgo e2e tests" to apply; this is not applicable. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@yuumasato yuumasato changed the title from "Add CO, SPO and FIO tests for RHCOS10 on AWS" to "[WIP] CMP-4229: Add CO, SPO and FIO tests for RHCOS10 on AWS" May 21, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) May 21, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) May 21, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented May 21, 2026

@yuumasato: This pull request references CMP-4229 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Testing our operators on RHCOS10 on AWS

Summary by CodeRabbit

This PR adds four new CI test entries to the OpenShift 4.22 multi-nightly rehearsal pipeline for AWS, enabling end-to-end validation of operators on RHCOS10 with FIPS enabled on AWS infrastructure.

What's being tested:

  • Compliance (standard and destructive variants)
  • File Integrity Monitoring
  • Security Profiles

Each test configuration is scoped to AMD64 architecture (f28 machine type), includes RHCOS10 in TechPreviewNoUpgrade mode, and explicitly enables FIPS mode. The destructive Compliance variant includes additional stress testing and extended timeout configurations.

Infrastructure impact:
These changes extend the CI testing coverage for RHCOS10 adoption on AWS by ensuring that critical cluster operators and security-focused components function correctly under FIPS constraints. The tests use the standard AWS IPI installer workflow and run under the aws-qe cluster profile, integrating into the existing multi-nightly rehearsal pipeline for OpenShift's private test suite.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) May 21, 2026
@yuumasato yuumasato force-pushed the test-rhcos10-on-aws branch from e9d253b to b7e6a5e Compare May 21, 2026 10:10
@yuumasato yuumasato force-pushed the test-rhcos10-on-aws branch from b7e6a5e to b318c21 Compare May 21, 2026 12:48
@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yuumasato
Once this PR has been reviewed and has the lgtm label, please assign jhuttana for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot removed the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) May 21, 2026
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@yuumasato: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-security-profiles | N/A | periodic | Periodic changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-file-integrity | N/A | periodic | Periodic changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance-destructive | N/A | periodic | Periodic changed |
| periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance | N/A | periodic | Periodic changed |

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@yuumasato
Contributor Author

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance
/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance-destructive

@openshift-merge-bot
Contributor

@yuumasato: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot
Contributor

@yuumasato: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

@yuumasato
Contributor Author

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance-destructive

@openshift-merge-bot
Contributor

@yuumasato: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance | b318c21 | link | unknown | /pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance |
| ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance-destructive | b318c21 | link | unknown | /pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.22-multi-nightly-aws-ipi-fips-rhcos10-tp-amd-f28-compliance-destructive |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
