openshift · shaior · May 31, 2026 · coderabbitai · May 31, 2026
diff --git a/...erator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__cnf-ran-ibu-4.20.yaml b/...erator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__cnf-ran-ibu-4.20.yaml
@@ -0,0 +1,35 @@
+build_root:
+  image_stream_tag:
+    name: eco-ci-cd
+    namespace: telcov10n-ci
+    tag: eco-ci-cd
+releases:
+  latest:
+    candidate:
+      product: ocp
+      stream: nightly
+      version: "4.20"
+resources:
+  '*':
+    limits:
+      memory: 4Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: cnf-ran-ztp-tests
+  capabilities:
+  - intranet
+  cron: 0 0 31 2 *
+  steps:
+    env:
+      SEED_CLUSTER_NAME: kni-qe-108
+      SEED_HUB_VERSION: "4.20"
+      TARGET_CLUSTER_NAME: kni-qe-109
+      TARGET_HUB_VERSION: "4.18"
+    workflow: telcov10n-functional-cnf-ran-ibu
+zz_generated_metadata:
+  branch: main
+  org: openshift-kni
+  repo: eco-ci-cd
+  variant: cnf-ran-ibu-4.20
diff --git a/ci-operator/jobs/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main-periodics.yaml b/ci-operator/jobs/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main-periodics.yaml
@@ -4758,6 +4758,88 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build07
+  cron: 0 0 31 2 *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: main
+    org: openshift-kni
+    repo: eco-ci-cd
+  labels:
+    capability/intranet: intranet
+    ci-operator.openshift.io/variant: cnf-ran-ibu-4.20
+    ci.openshift.io/generator: prowgen
+    job-release: "4.20"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-kni-eco-ci-cd-main-cnf-ran-ibu-4.20-cnf-ran-ztp-tests
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=cnf-ran-ztp-tests
+      - --variant=cnf-ran-ibu-4.20
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build07
   cron: 0 0 31 2 *

diff --git a/ci-operator/step-registry/telcov10n/functional/cnf-ran/ibu-seed-hub-deploy/OWNERS b/ci-operator/step-registry/telcov10n/functional/cnf-ran/ibu-seed-hub-deploy/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- shaior
+- kononovn
+- eifrach
diff --git a/.../cnf-ran/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-commands.sh b/.../cnf-ran/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-commands.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ -f "${SHARED_DIR}/skip.txt" ]; then
+  echo "Detected skip.txt — skipping"
+  exit 0
+fi
+
+MOUNTED_HOST_INVENTORY="/var/host_variables"
+
+process_inventory() {
+  local directory="$1"
+  local dest_file="$2"
+
+  if [ -z "$directory" ]; then
+    echo "Usage: process_inventory <directory> <dest_file>"
+    return 1
+  fi
+
+  if [ ! -d "$directory" ]; then
+    echo "Error: '$directory' is not a valid directory"
+    return 1
+  fi
+
+  find "$directory" -type f | while IFS= read -r filename; do
+    if [[ $filename == *"secretsync-vault-source-path"* ]]; then
+      continue
+    else
+      echo "$(basename "${filename}")": \'"$(cat "$filename")"\'
+    fi
+  done > "${dest_file}"
+}
+
+echo "SEED_CLUSTER_NAME=${SEED_CLUSTER_NAME}"
+echo "SEED_HUB_VERSION=${SEED_HUB_VERSION}"
+
+echo "Processing common group_vars"
+mkdir /eco-ci-cd/inventories/ocp-deployment/group_vars
+
+find /var/group_variables/common/ -mindepth 1 -type d | while read -r dir; do
+  echo "  group_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/group_vars/"$(basename "${dir}")"
+done
+
+echo "Processing seed hub group_vars (${SEED_CLUSTER_NAME})"
+find "/var/group_variables/${SEED_CLUSTER_NAME}/" -mindepth 1 -type d | while read -r dir; do
+  echo "  group_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/group_vars/"$(basename "${dir}")"
+done
+
+echo "Processing seed hub host_vars (${SEED_CLUSTER_NAME})"
+mkdir /eco-ci-cd/inventories/ocp-deployment/host_vars
+
+find "${MOUNTED_HOST_INVENTORY}/${SEED_CLUSTER_NAME}/" -mindepth 1 -type d | while read -r dir; do
+  echo "  host_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/host_vars/"$(basename "${dir}")"
+done
+
+cd /eco-ci-cd
+
+echo "Running deploy-ocp-sno for seed hub ${SEED_CLUSTER_NAME} (version=${SEED_HUB_VERSION})"
+EXTRA_VARS="release=${SEED_HUB_VERSION} cluster_name=${SEED_CLUSTER_NAME} disconnected=true"
+if [ "${DISABLE_INSIGHTS}" = "true" ]; then
+  EXTRA_VARS="${EXTRA_VARS} disable_insights=true"
+fi
+
+ansible-playbook ./playbooks/deploy-ocp-sno.yml \
+  -i ./inventories/ocp-deployment/build-inventory.py \
+  --extra-vars "${EXTRA_VARS}"
+
+# Write seed hub inventory to SHARED_DIR.
+# host_vars are cluster-specific and get a "seed_" prefix to avoid collision with target hub files.
+# group_vars/all is common across all clusters — no prefix needed.
+echo "Copying seed hub inventory to SHARED_DIR"
+find /eco-ci-cd/inventories/ocp-deployment/host_vars -maxdepth 1 -type f | while read -r f; do
+  cp "$f" "${SHARED_DIR}/seed_$(basename "$f")"
+done
+cp /eco-ci-cd/inventories/ocp-deployment/group_vars/all "${SHARED_DIR}/all"
+
+echo "Getting seed hub cluster version"
+HUB_KUBECONFIG="/home/telcov10n/project/generated/${SEED_CLUSTER_NAME}/auth/kubeconfig"
+
+BASTION_IP=$(grep -oP '(?<=ansible_host: ).*' /eco-ci-cd/inventories/ocp-deployment/host_vars/bastion | sed "s/'//g")
+BASTION_USER=$(grep -oP '(?<=ansible_user: ).*' /eco-ci-cd/inventories/ocp-deployment/group_vars/all | sed "s/'//g")
+
+cat /var/group_variables/common/all/ansible_ssh_private_key > "/tmp/temp_ssh_key"
+chmod 600 "/tmp/temp_ssh_key"
+
+CLUSTER_VERSION=$(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  -i /tmp/temp_ssh_key "${BASTION_USER}@${BASTION_IP}" \
+  "KUBECONFIG=${HUB_KUBECONFIG} oc get clusterversion version -ojsonpath='{.status.desired.version}'")
+
+echo "Seed hub cluster version: ${CLUSTER_VERSION}"
+echo "${CLUSTER_VERSION}" > "${SHARED_DIR}/seed_hub_version"
diff --git a/...an/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-ref.metadata.json b/...an/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-ref.metadata.json
@@ -0,0 +1,10 @@
+{
+	"path": "telcov10n/functional/cnf-ran/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-ref.yaml",
+	"owners": {
+		"approvers": [
+			"shaior",
+			"kononovn",
+			"eifrach"
+		]
+	}
+}
diff --git a/...nal/cnf-ran/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-ref.yaml b/...nal/cnf-ran/ibu-seed-hub-deploy/telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-ref.yaml
@@ -0,0 +1,52 @@
+ref:
+  as: telcov10n-functional-cnf-ran-ibu-seed-hub-deploy
+  from_image:
+    namespace: telcov10n-ci
+    name: eco-ci-cd
+    tag: eco-ci-cd
+  commands: telcov10n-functional-cnf-ran-ibu-seed-hub-deploy-commands.sh
+  timeout: 4h
+  resources:
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  env:
+    - name: SEED_HUB_VERSION
+      default: "4.20"
+      documentation: OCP version to deploy on the seed hub (the upgrade destination version — the version spokes will upgrade TO)
+    - name: SEED_CLUSTER_NAME
+      default: "kni-qe-108"
+      documentation: BM cluster name for the IBU seed hub
+    - name: DISABLE_INSIGHTS
+      default: "false"
+      documentation: Set to "true" to remove cloud.openshift.com from pull secret, disabling Insights and Telemetry
+  credentials:
+    - namespace: test-credentials
+      name: telcov10n-ansible-group-all
+      mount_path: /var/group_variables/common/all
+    - namespace: test-credentials
+      name: telcov10n-ansible-group-bastions
+      mount_path: /var/group_variables/common/bastions
+    - namespace: test-credentials
+      name: telcov10n-ansible-group-hypervisors
+      mount_path: /var/group_variables/common/hypervisors
+    # kni-qe-108 (seed hub)
+    - namespace: test-credentials
+      name: telcov10n-ansible-kni-qe-108-master0
+      mount_path: /var/host_variables/kni-qe-108/master0
+    - namespace: test-credentials
+      name: telcov10n-ansible-kni-qe-108-bastion
+      mount_path: /var/host_variables/kni-qe-108/bastion
+    - namespace: test-credentials
+      name: telcov10n-ansible-group-kni-qe-108-nodes
+      mount_path: /var/group_variables/kni-qe-108/nodes
+    - namespace: test-credentials
+      name: telcov10n-ansible-group-kni-qe-108-masters
+      mount_path: /var/group_variables/kni-qe-108/masters
+    - namespace: test-credentials
+      name: telcov10n-ansible-hypervisors-helix89
+      mount_path: /var/host_variables/kni-qe-108/hypervisor
+  documentation: |-
+    Deploy IBU seed hub (kni-qe-108).
+    The seed hub provides the OCP image used for upgrading target spokes.
+
diff --git a/ci-operator/step-registry/telcov10n/functional/cnf-ran/ibu-target-hub-deploy/OWNERS b/ci-operator/step-registry/telcov10n/functional/cnf-ran/ibu-target-hub-deploy/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- shaior
+- kononovn
+- eifrach
diff --git a/...-ran/ibu-target-hub-deploy/telcov10n-functional-cnf-ran-ibu-target-hub-deploy-commands.sh b/...-ran/ibu-target-hub-deploy/telcov10n-functional-cnf-ran-ibu-target-hub-deploy-commands.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ -f "${SHARED_DIR}/skip.txt" ]; then
+  echo "Detected skip.txt — skipping"
+  exit 0
+fi
+
+MOUNTED_HOST_INVENTORY="/var/host_variables"
+
+process_inventory() {
+  local directory="$1"
+  local dest_file="$2"
+
+  if [ -z "$directory" ]; then
+    echo "Usage: process_inventory <directory> <dest_file>"
+    return 1
+  fi
+
+  if [ ! -d "$directory" ]; then
+    echo "Error: '$directory' is not a valid directory"
+    return 1
+  fi
+
+  find "$directory" -type f | while IFS= read -r filename; do
+    if [[ $filename == *"secretsync-vault-source-path"* ]]; then
+      continue
+    else
+      echo "$(basename "${filename}")": \'"$(cat "$filename")"\'
+    fi
+  done > "${dest_file}"
+}
+
+echo "TARGET_CLUSTER_NAME=${TARGET_CLUSTER_NAME}"
+echo "TARGET_HUB_VERSION=${TARGET_HUB_VERSION}"
+
+echo "Processing common group_vars"
+mkdir /eco-ci-cd/inventories/ocp-deployment/group_vars
+
+find /var/group_variables/common/ -mindepth 1 -type d | while read -r dir; do
+  echo "  group_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/group_vars/"$(basename "${dir}")"
+done
+
+echo "Processing target hub group_vars (${TARGET_CLUSTER_NAME})"
+find "/var/group_variables/${TARGET_CLUSTER_NAME}/" -mindepth 1 -type d | while read -r dir; do
+  echo "  group_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/group_vars/"$(basename "${dir}")"
+done
+
+echo "Processing target hub host_vars (${TARGET_CLUSTER_NAME})"
+mkdir /eco-ci-cd/inventories/ocp-deployment/host_vars
+
+find "${MOUNTED_HOST_INVENTORY}/${TARGET_CLUSTER_NAME}/" -mindepth 1 -type d | while read -r dir; do
+  echo "  host_var: $(basename "${dir}")"
+  process_inventory "$dir" /eco-ci-cd/inventories/ocp-deployment/host_vars/"$(basename "${dir}")"
+done
+
+cd /eco-ci-cd
+
+echo "Running deploy-ocp-sno for target hub ${TARGET_CLUSTER_NAME} (version=${TARGET_HUB_VERSION})"
+EXTRA_VARS="release=${TARGET_HUB_VERSION} cluster_name=${TARGET_CLUSTER_NAME} disconnected=true"
+if [ "${DISABLE_INSIGHTS}" = "true" ]; then
+  EXTRA_VARS="${EXTRA_VARS} disable_insights=true"
+fi
+
+ansible-playbook ./playbooks/deploy-ocp-sno.yml \
+  -i ./inventories/ocp-deployment/build-inventory.py \
+  --extra-vars "${EXTRA_VARS}"
+
+# Write target hub inventory to SHARED_DIR (used by downstream steps).
+# host_vars are copied flat — no prefix, as these are the "primary" hub files.
+# group_vars/all is common across all clusters — same approach as seed hub.
+echo "Copying target hub inventory to SHARED_DIR"
+find /eco-ci-cd/inventories/ocp-deployment/host_vars -maxdepth 1 -type f | while read -r f; do
+  cp "$f" "${SHARED_DIR}/$(basename "$f")"
+done
+cp /eco-ci-cd/inventories/ocp-deployment/group_vars/all "${SHARED_DIR}/all"
+
+echo "Getting target hub cluster version"
+HUB_KUBECONFIG="/home/telcov10n/project/generated/${TARGET_CLUSTER_NAME}/auth/kubeconfig"
+
+BASTION_IP=$(grep -oP '(?<=ansible_host: ).*' /eco-ci-cd/inventories/ocp-deployment/host_vars/bastion | sed "s/'//g")
+BASTION_USER=$(grep -oP '(?<=ansible_user: ).*' /eco-ci-cd/inventories/ocp-deployment/group_vars/all | sed "s/'//g")
+
+cat /var/group_variables/common/all/ansible_ssh_private_key > "/tmp/temp_ssh_key"
+chmod 600 "/tmp/temp_ssh_key"
+
+CLUSTER_VERSION=$(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  -i /tmp/temp_ssh_key "${BASTION_USER}@${BASTION_IP}" \
+  "KUBECONFIG=${HUB_KUBECONFIG} oc get clusterversion version -ojsonpath='{.status.desired.version}'")
+
+echo "Target hub cluster version: ${CLUSTER_VERSION}"
+echo "${CLUSTER_VERSION}" > "${SHARED_DIR}/target_hub_version"