CORENET-6822: Add ingress-node-firewall non-payload OTE extension step

[anuragthehatter]

Summary

• Add step-registry step infw-extension for ingress-node-firewall non-payload OTE extension discovery
• Creates TestExtensionAdmission CR and ImageStream with testextension.redhat.io annotations
• Resolves extension image from CI pipeline if not explicitly set
• Adds optional e2e-aws-ovn-infw-extension test job to ingress-node-firewall master config

Related PRs

• CORENET-6822: OTE framework for Ingress Node Firewall with LEVEL0 test case ingress-node-firewall#694 — OTE framework + LEVEL0 test case
• CORENET-6822: Register ingress-node-firewall OTE test extension binary origin#31245 — Register binary in extensionBinaries (CI payload path)

References

• Based on example from WIP: non-payload test-extension binary example #76240 (CAPI extension)
• TestExtensionAdmission CRD install: TRT-2295: install TestExtensionAdmission CRD during cluster install #76232
• Non-payload extension enhancement: https://github.com/jupierce/enhancements/blob/openshift-tests-extension/enhancements/testing/openshift-tests-extension.md#non-payload-extension-binaries

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR adds reusable OpenShift CI support to run ingress-node-firewall’s non-payload OpenTest Extension (OTE) discovery tests and wires an optional master CI job to invoke it in the ingress-node-firewall pipeline.

What changed in practical terms:

• New ci-operator step-registry entry: ci-operator/step-registry/infw-extension

  • infw-extension-ref.yaml: defines a ref step as: infw-extension (from tests) that runs infw-extension-commands.sh with a 3600s timeout, declares a dependency that sets EXTENSION_IMAGE from pipeline:ingress-node-firewall, and requests CPU/memory and sets a memory limit; includes documentation about creating TestExtensionAdmission and ImageStream resources.
  • infw-extension-commands.sh: bash script that logs EXTENSION_IMAGE, creates a TestExtensionAdmission CR named infw-extensions permitting test-extensions/*, creates a test-extensions namespace and an ImageStream ingress-node-firewall-tests:latest that imports ${EXTENSION_IMAGE} and sets testextension.redhat.io/component and testextension.redhat.io/binary annotations, then verifies the CR and ImageStreamTag annotations.
  • OWNERS and infw-extension-ref.metadata.json: declare "anusaxen" as the approver/owner.

• CI job wiring: ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml

  • Adds an optional test step e2e-aws-ovn-infw-extension to the tests list (always_run: false, optional: true). The job targets cluster_profile aws-5, sets OO_CHANNEL=alpha and ingress-node-firewall OO_* install/package/namespace environment variables, enables the observers-resource-watch observer, includes test refs optional-operators-subscribe and infw-extension, and runs the openshift-e2e-aws-ovn workflow. The existing verify-deps step is unchanged.

Why this matters:

• Enables CI to validate ingress-node-firewall’s out-of-payload extension discovery by creating the TestExtensionAdmission CR and an ImageStream that points at the built extension binary (EXTENSION_IMAGE is pulled from the pipeline if not explicitly provided).
• The infw-extension step is reusable across jobs; an optional master CI job wires it into AWS OVN E2E runs for ingress-node-firewall.

[openshift-ci-robot]

@anuragthehatter: This pull request references CORENET-7206 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Add step-registry step infw-extension for ingress-node-firewall non-payload OTE extension discovery
• Creates TestExtensionAdmission CR and ImageStream with testextension.redhat.io annotations
• Resolves extension image from CI pipeline if not explicitly set
• Adds optional e2e-aws-ovn-infw-extension test job to ingress-node-firewall master config

Related PRs

• CORENET-6822: OTE framework for Ingress Node Firewall with LEVEL0 test case ingress-node-firewall#694 — OTE framework + LEVEL0 test case
• CORENET-6822: Register ingress-node-firewall OTE test extension binary origin#31245 — Register binary in extensionBinaries (CI payload path)

References

• Based on example from WIP: non-payload test-extension binary example #76240 (CAPI extension)
• TestExtensionAdmission CRD install: TRT-2295: install TestExtensionAdmission CRD during cluster install #76232
• Non-payload extension enhancement: https://github.com/jupierce/enhancements/blob/openshift-tests-extension/enhancements/testing/openshift-tests-extension.md#non-payload-extension-binaries

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds an infw-extension CI step (ref, metadata, OWNERS, commands) and inserts an optional e2e-aws-ovn-infw-extension test step into the ingress-node-firewall job; the step creates TestExtensionAdmission, namespace, and ImageStream pointing at the extension image and verifies them.

Changes

Ingress Firewall Extension Testing

Layer / File(s)	Summary
Step ref, metadata, and ownership ci-operator/step-registry/infw-extension/infw-extension-ref.yaml, ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json, ci-operator/step-registry/infw-extension/OWNERS	Creates a ref-scoped CI step infw-extension, adds owners metadata, and adds OWNERS approvers/reviewers (anusaxen).
Extension step implementation ci-operator/step-registry/infw-extension/infw-extension-commands.sh	Implements the step script: strict shell settings, set PATH/HOME, create TestExtensionAdmission, test-extensions namespace, and an ImageStream tag importing from ${EXTENSION_IMAGE} with testextension annotations; verifies resources.
CI job step integration ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml	Adds optional e2e-aws-ovn-infw-extension to the ingress-node-firewall E2E job (aws-5 cluster_profile), sets OO_CHANNEL: alpha, enables observers-resource-watch, and invokes openshift-e2e-aws-ovn with testref: infw-extension and optional-operators-subscribe.

Sequence Diagram(s):

sequenceDiagram
  participant Job as ingress-node-firewall job
  participant CI as ci-operator
  participant Ref as infw-extension ref
  participant Cluster as OpenShift API
  Job->>CI: trigger optional e2e-aws-ovn-infw-extension
  CI->>Ref: execute infw-extension ref (runs script)
  Ref->>Cluster: create TestExtensionAdmission, namespace, ImageStreamTag (import from EXTENSION_IMAGE)
  Ref->>Cluster: dump/verify resources
  Ref->>CI: exit/signal completion

Loading

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels: rehearsals-ack

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: adding a non-payload OTE extension step for ingress-node-firewall CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test definitions (It, Describe, Context, etc.), only CI configuration files and a bash infrastructure setup script. Check is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code—only CI configuration YAML and bash setup scripts. The check for Ginkgo test quality patterns is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes only add CI infrastructure: a bash setup script (infw-extension-commands.sh) and CI step definitions (YAML files), not executable test code.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only CI infrastructure and configuration files, not Ginkgo e2e tests. No test code with It(), Describe(), Context(), or When() patterns exists in the changes.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI test infrastructure (step-registry and job config) only; no deployment manifests, operator code, or controllers with topology-incompatible scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR adds only CI infrastructure (YAML, Bash script, metadata) not OTE extension binary code; stdout contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added; PR contains only CI/CD configuration and infrastructure setup scripts. Check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR files.
Container-Privileges	✅ Passed	No privileged container configurations found in PR files: no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings detected in any files or bash scripts.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data in logging. Script logs only container image URLs and Kubernetes resource metadata, which are non-sensitive CI/CD operational information.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@anuragthehatter: This pull request references CORENET-6822 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Add step-registry step infw-extension for ingress-node-firewall non-payload OTE extension discovery
• Creates TestExtensionAdmission CR and ImageStream with testextension.redhat.io annotations
• Resolves extension image from CI pipeline if not explicitly set
• Adds optional e2e-aws-ovn-infw-extension test job to ingress-node-firewall master config

Related PRs

• CORENET-6822: OTE framework for Ingress Node Firewall with LEVEL0 test case ingress-node-firewall#694 — OTE framework + LEVEL0 test case
• CORENET-6822: Register ingress-node-firewall OTE test extension binary origin#31245 — Register binary in extensionBinaries (CI payload path)

References

• Based on example from WIP: non-payload test-extension binary example #76240 (CAPI extension)
• TestExtensionAdmission CRD install: TRT-2295: install TestExtensionAdmission CRD during cluster install #76232
• Non-payload extension enhancement: https://github.com/jupierce/enhancements/blob/openshift-tests-extension/enhancements/testing/openshift-tests-extension.md#non-payload-extension-binaries

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR adds CI infrastructure support for testing the ingress-node-firewall component's non-payload OpenTest Extension (OTE). It introduces a new reusable step registry entry (infw-extension) and integrates it into the ingress-node-firewall CI pipeline.

Changes made:

1. New step registry entry (ci-operator/step-registry/infw-extension/): Provides the infw-extension step that:

• Automatically resolves the extension image from the CI pipeline (unless explicitly provided)
• Creates a TestExtensionAdmission custom resource to enable extension testing
• Sets up a dedicated test-extensions namespace with an ImageStream for the ingress-node-firewall test extension
• Includes metadata defining anusaxen as the owner/approver

2. CI job configuration: Adds an optional e2e-aws-ovn-infw-extension test step to the ingress-node-firewall master CI configuration, configured to run the AWS OVN E2E workflow with the extension enabled.

This enables the ingress-node-firewall project to validate its extension functionality as part of the standard CI testing matrix, supporting the non-payload extension discovery mechanism described in the referenced OpenShift tests extension enhancement.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml`:
- Around line 75-85: You added a new test entry (ref: infw-extension) and job
metadata (as: e2e-aws-ovn-infw-extension, workflow: openshift-e2e-aws-ovn) in
the CI-operator config but did not regenerate the derived Prow job configs; run
make update to regenerate CI outputs, commit the changed files under
ci-operator/jobs (and any other generated job/config diffs), and ensure the new
job e2e-aws-ovn-infw-extension and its generated prow job entries are present
and validated before pushing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 553c96d9-beca-42bd-b1d1-ce42f58b9e24

📥 Commits

Reviewing files that changed from the base of the PR and between bbababf and 7b5efc7.

📒 Files selected for processing (5)

• ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
• ci-operator/step-registry/infw-extension/OWNERS
• ci-operator/step-registry/infw-extension/infw-extension-commands.sh
• ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json
• ci-operator/step-registry/infw-extension/infw-extension-ref.yaml

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/step-registry/infw-extension/infw-extension-commands.sh (1)

49-52: ⚡ Quick win

Make verification error handling consistent.

Line 51 will cause the script to exit if the testextensionadmission resource doesn't exist (due to set -o errexit), while line 52 tolerates failures with || true. For verification commands, consider making both tolerate failures consistently.

♻️ Proposed fix for consistent error handling

 # Verify setup
 echo "Verifying extension setup..."
-oc get testextensionadmission infw-extensions -o yaml
+oc get testextensionadmission infw-extensions -o yaml || true
 oc get imagestreamtag ingress-node-firewall-tests:latest -n test-extensions -o jsonpath='{.metadata.annotations}' | python3 -m json.tool || true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/infw-extension/infw-extension-commands.sh` around
lines 49 - 52, The verification step is inconsistent: the command "oc get
testextensionadmission infw-extensions -o yaml" will fail the script under
errexit while the subsequent "oc get imagestreamtag
ingress-node-firewall-tests:latest -n test-extensions -o
jsonpath='{.metadata.annotations}' | python3 -m json.tool || true" intentionally
tolerates failure; make them consistent by ensuring both verification commands
tolerate non-existence (e.g., append "|| true" to the testextensionadmission oc
get or wrap both in a non-failing check), updating the invocation referencing
"oc get testextensionadmission infw-extensions -o yaml" and the imagestreamtag
command so neither causes the script to exit on missing resources.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ci-operator/step-registry/infw-extension/infw-extension-commands.sh`:
- Around line 49-52: The verification step is inconsistent: the command "oc get
testextensionadmission infw-extensions -o yaml" will fail the script under
errexit while the subsequent "oc get imagestreamtag
ingress-node-firewall-tests:latest -n test-extensions -o
jsonpath='{.metadata.annotations}' | python3 -m json.tool || true" intentionally
tolerates failure; make them consistent by ensuring both verification commands
tolerate non-existence (e.g., append "|| true" to the testextensionadmission oc
get or wrap both in a non-failing check), updating the invocation referencing
"oc get testextensionadmission infw-extensions -o yaml" and the imagestreamtag
command so neither causes the script to exit on missing resources.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 12ac790c-bcd7-45b5-a2cc-485ea9846412

📥 Commits

Reviewing files that changed from the base of the PR and between 7b5efc7 and ffeea56.

📒 Files selected for processing (5)

• ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
• ci-operator/step-registry/infw-extension/OWNERS
• ci-operator/step-registry/infw-extension/infw-extension-commands.sh
• ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json
• ci-operator/step-registry/infw-extension/infw-extension-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/infw-extension/OWNERS
• ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml

[anuragthehatter]

/pj-rehearse pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension

[openshift-merge-bot]

@anuragthehatter: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[anuragthehatter]

/testwith openshift/ingress-node-firewall#694

[anuragthehatter]

/pj-rehearse pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension

[openshift-merge-bot]

@anuragthehatter: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[anuragthehatter]

/pj-rehearse pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension

[openshift-merge-bot]

@anuragthehatter: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

♻️ Duplicate comments (1)

ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml (1)

75-91: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Run make update to regenerate ProwJob configs for the new test.

Adding a new test definition is a structural change that requires regenerating the derived ProwJob configurations under ci-operator/jobs/. This was already flagged in a previous review and remains unresolved.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml`
around lines 75 - 91, You added a new test definition (as:
e2e-aws-ovn-infw-extension, refs: optional-operators-subscribe and
infw-extension, workflow: openshift-e2e-aws-ovn) but did not regenerate derived
ProwJob configs; run the repository regeneration step (make update) to
regenerate ci-operator/jobs/* ProwJob files for this new test and commit the
resulting changes so the new test is picked up by CI.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml`:
- Around line 75-91: You added a new test definition (as:
e2e-aws-ovn-infw-extension, refs: optional-operators-subscribe and
infw-extension, workflow: openshift-e2e-aws-ovn) but did not regenerate derived
ProwJob configs; run the repository regeneration step (make update) to
regenerate ci-operator/jobs/* ProwJob files for this new test and commit the
resulting changes so the new test is picked up by CI.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e0d2576a-c221-4aea-ae70-1b4956a47a7e

📥 Commits

Reviewing files that changed from the base of the PR and between 2672a1c and a104170.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (5)

• ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml
• ci-operator/step-registry/infw-extension/OWNERS
• ci-operator/step-registry/infw-extension/infw-extension-commands.sh
• ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json
• ci-operator/step-registry/infw-extension/infw-extension-ref.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/infw-extension/infw-extension-ref.yaml
• ci-operator/step-registry/infw-extension/OWNERS
• ci-operator/step-registry/infw-extension/infw-extension-commands.sh

[anuragthehatter]

/pj-rehearse pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension

[openshift-merge-bot]

@anuragthehatter: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@anuragthehatter: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anuragthehatter
Once this PR has been reviewed and has the lgtm label, please assign dtantsur, knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/ingress-node-firewall/OWNERS
• ci-operator/jobs/openshift/ingress-node-firewall/OWNERS
• ci-operator/step-registry/baremetalds/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

The OWNERS file contains untrusted users, which makes it INVALID. The following users are mentioned in OWNERS file(s) but are untrusted for the following reasons. One way to make the user trusted is to add them as members of the openshift org. You can then trigger verification by writing /verify-owners in a comment.

• anusaxen
  • User is not a member of the org. User is not a collaborator. Satisfy at least one of these conditions to make the user trusted.
  • ci-operator/step-registry/infw-extension/OWNERS

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@anuragthehatter: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension	openshift/ingress-node-firewall	presubmit	Presubmit changed
pull-ci-openshift-ingress-node-firewall-master-ci-index	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-images	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-lint	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-test-fmt	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-unit-test	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-master-verify-deps	openshift/ingress-node-firewall	presubmit	Ci-operator config changed
pull-ci-openshift-ingress-node-firewall-release-5.1-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-5.0-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.23-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.22-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.21-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.20-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.19-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.18-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.17-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.16-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.15-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.14-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.13-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed
pull-ci-openshift-ingress-node-firewall-release-4.12-ingress-node-firewall-e2e-metal-ipi	openshift/ingress-node-firewall	presubmit	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.