From d14009d7750e88a4430267d44ed68bd3e894cf8b Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 19 May 2026 10:37:26 -0400 Subject: [PATCH 01/19] [DEBUG] Update kbs-client to v0.19.0 with auto-discovery and fix validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Critical fixes for kbs-client connectivity test: 1. **Update kbs-client image**: v0.17.0 → v0.19.0 - Newer version with updated KBS protocol support - Fixes compatibility issues with current KBS 2. **Auto-discover latest tag with skopeo**: - NEW: get_kbs_client_tag() function - Checks KBS_CLIENT_TAG env var first (for overrides) - Uses skopeo to find latest v.X.Y.Z tag automatically - Falls back to v0.19.0 if skopeo fails - Command: skopeo list-tags docker://quay.io/confidential-containers/kbs-client 3. **Environment variable support**: - NEW: KBS_CLIENT_TAG env var in ref.yaml - Allows pinning specific version in CI config - Empty (default) = auto-discover latest - Set to specific tag = use that version 4. **Fix resource validation logic**: - REMOVED: 404 treated as success (was incorrect) - NOW: Must actually retrieve a resource to pass - Test resource: default/cosign-keys/key-0 (exists from KbsConfig) - Only succeeds if kbs-client exit code is 0 (resource retrieved) 5. **Better error detection**: - 404: Resource not found - KbsConfig secret publishing issue - 401: Unauthorized - Attestation failure - Timeout: KBS service unreachable - SSL/TLS: Wrong URL protocol Previous behavior: - Hardcoded v0.17.0 (outdated) - Got 401 Unauthorized but treated as success - Never actually retrieved a resource - False positive on connectivity New behavior: - Auto-discovers latest kbs-client version - Must successfully retrieve cosign-keys/key-0 resource - Fails if 404, 401, timeout, or any error - Proves KBS connectivity AND attestation work - Allows version override via KBS_CLIENT_TAG env var Co-Authored-By: Claude Sonnet 4.5 --- ...rator-install-trustee-operator-commands.sh | 960 ++++++++++++++++++ ...operator-install-trustee-operator-ref.yaml | 52 + 2 files changed, 1012 insertions(+) create mode 100755 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh new file mode 100755 index 0000000000000..7e0cd9f7a60f8 --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -0,0 +1,960 @@ +#!/usr/bin/env bash + +set -euo pipefail + +cat <>> Install trustee operator and operands using pre-rendered manifests [$(date -u || true)]. +* Use embedded manifests (no network access required) +* Derive the cluster domain +* Generate and apply trustee-operator manifests with runtime substitution +* Wait for the operator to be ready +* Generate and apply trustee-operands manifests with runtime substitution +* Wait for the operands to be ready +* Retrieve Trustee KBS service URL and save to SHARED_DIR +* Create INITDATA for confidential containers and save to SHARED_DIR +* Update osc-config ConfigMap with TRUSTEE_URL and INITDATA +* Verify Trustee connectivity using kbs-client pod +* Capture KBS pod logs showing attestation attempts +EOF + +echo ">>> Prepare script environment" +export SHARED_DIR=${SHARED_DIR:-/tmp} +echo "SHARED_DIR=${SHARED_DIR}" + +export KUBECONFIG=${KUBECONFIG:-${SHARED_DIR}/kubeconfig} +echo "KUBECONFIG=${KUBECONFIG}" + +TRUSTEE_INSTALL=${TRUSTEE_INSTALL:-false} +echo "TRUSTEE_INSTALL=${TRUSTEE_INSTALL}" + +# Check if trustee installation is enabled +if [[ "${TRUSTEE_INSTALL}" != "true" ]]; then + echo ">>> Trustee operator installation is disabled (TRUSTEE_INSTALL=${TRUSTEE_INSTALL})" + echo ">>> To enable, set TRUSTEE_INSTALL=true in the job configuration" + echo ">>> Skipping trustee operator installation" + exit 0 +fi + +echo ">>> Trustee operator installation is enabled" + +TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE:-trustee-operator-system} +echo "TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE}" + +TRUSTEE_IMAGE_REPO=${TRUSTEE_IMAGE_REPO:-quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc} +echo "TRUSTEE_IMAGE_REPO=${TRUSTEE_IMAGE_REPO}" + +TRUSTEE_IMAGE_TAG=${TRUSTEE_IMAGE_TAG:-1.1.0-1776506656} +echo "TRUSTEE_IMAGE_TAG=${TRUSTEE_IMAGE_TAG}" + +SCRATCH=$(mktemp -d) +echo "SCRATCH=${SCRATCH}" +cd "${SCRATCH}" + +function exit_handler() { + exitcode=$? + set +e + echo ">>> End trustee operator install" + echo "[$(date -u || true)] SECONDS=${SECONDS}" + rm -rf "${SCRATCH}" + if [[ ${exitcode} -ne 0 ]]; then + echo "Failed to install trustee operator" + echo ">>> Checking trustee operator namespace status" + oc get all -n "${TRUSTEE_NAMESPACE}" || true + echo ">>> Checking trustee operator pod logs" + oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true + else + echo "Successfully installed trustee operator" + fi +} +trap 'exit_handler' EXIT + +function retry() { + "$@" && return 0 # unrolled 1 to simplify sleep only between tries + for (( i = 0; i < 9; i++ )); do + sleep 30 + "$@" && return 0 + done + return 1 +} + +function get_cluster_domain() { + echo ">>> Deriving cluster domain" >&2 + local cluster_domain="" + + # Method 1: Try to get domain from ingress config (most reliable) + cluster_domain=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}' 2>/dev/null || true) + + # Method 2: If that fails, try getting it from a console route + if [[ -z "${cluster_domain}" ]]; then + echo ">>> Trying alternative method to get cluster domain" >&2 + cluster_domain=$(oc get route -n openshift-console console -o jsonpath='{.spec.host}' 2>/dev/null | sed 's/^console-openshift-console\.//' || true) + fi + + # Method 3: If that fails, try parsing from cluster console URL + if [[ -z "${cluster_domain}" ]]; then + echo ">>> Trying to derive from console URL" >&2 + local console_url + console_url=$(oc whoami --show-console 2>/dev/null || true) + if [[ -n "${console_url}" ]]; then + cluster_domain=$(echo "${console_url}" | sed 's|https://console-openshift-console\.||' | sed 's|/.*||') + fi + fi + + if [[ -z "${cluster_domain}" ]]; then + echo "ERROR: Failed to derive cluster domain" >&2 + return 1 + fi + + echo ">>> Cluster domain: ${cluster_domain}" >&2 + echo "${cluster_domain}" +} + +function get_trustee_operator_manifests() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Namespace +metadata: + name: TRUSTEE_NAMESPACE_PLACEHOLDER +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: CatalogSource +metadata: + name: trustee-operator-dev-catalog + namespace: openshift-marketplace +spec: + displayName: Trustee Operator Dev Catalog + sourceType: grpc + image: "TRUSTEE_IMAGE_PLACEHOLDER" + publisher: Confidential Containers Team +--- +apiVersion: config.openshift.io/v1 +kind: ImageDigestMirrorSet +metadata: + name: trustee-registry +spec: + imageDigestMirrors: + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-rhel9 + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-rhel9-operator + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator-bundle + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-operator-bundle + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee + source: registry.redhat.io/build-of-trustee/trustee-rhel9 + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator + source: registry.redhat.io/build-of-trustee/trustee-rhel9-operator + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator-bundle + source: registry.redhat.io/build-of-trustee/trustee-operator-bundle +--- +apiVersion: config.openshift.io/v1 +kind: ImageTagMirrorSet +metadata: + name: trustee-registry +spec: + imageTagMirrors: + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-rhel9 + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-rhel9-operator + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator-bundle + source: registry.redhat.io/confidential-compute-attestation-tech-preview/trustee-operator-bundle + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee + source: registry.redhat.io/build-of-trustee/trustee-rhel9 + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator + source: registry.redhat.io/build-of-trustee/trustee-rhel9-operator + - mirrors: + - quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee-operator-bundle + source: registry.redhat.io/build-of-trustee/trustee-operator-bundle +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: trustee-operator-group + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +spec: + targetNamespaces: + - TRUSTEE_NAMESPACE_PLACEHOLDER +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: trustee-operator + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +spec: + channel: stable + installPlanApproval: Automatic + name: trustee-operator + source: trustee-operator-dev-catalog + sourceNamespace: openshift-marketplace +MANIFEST_EOF +} + +function get_trustee_operands_manifests() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Secret +metadata: + name: cosign-keys + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +type: Opaque +stringData: + key-0: | + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwQEjdCiL3ILUf07NDkDVhgKCj1C6 + BsCfmM/zt1kNSj0/+nAqA+25XfyClYq2lJFJ6TkgCsf57cTCkXYDz9c+Yg== + -----END PUBLIC KEY----- +--- +apiVersion: v1 +kind: Secret +metadata: + name: containers-policy + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +type: Opaque +stringData: + insecure: | + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": {} + } + reject: | + { + "default": [ + { + "type": "reject" + } + ], + "transports": {} + } + signed: | + { + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "ghcr.io/confidential-containers/test-container-image-rs": [ + { + "type": "sigstoreSigned", + "keyPath": "kbs:///default/cosign-keys/key-0" + } + ] + } + } + } +--- +apiVersion: confidentialcontainers.org/v1alpha1 +kind: KbsConfig +metadata: + name: trustee-operands-kbs-config + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +spec: + kbsSecretResources: + - containers-policy + - cosign-keys +--- +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: kbs-service + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +spec: + to: + kind: Service + name: kbs-service + port: + targetPort: kbs-port + tls: + termination: edge + insecureEdgeTerminationPolicy: Allow +--- +apiVersion: confidentialcontainers.org/v1alpha1 +kind: TrusteeConfig +metadata: + name: trustee-operands + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +spec: + profileType: Permissive + kbsServiceType: ClusterIP +MANIFEST_EOF +} + +function install_trustee_operator() { + echo ">>> Creating namespace and applying trustee operator manifests" + echo ">>> Using image: ${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}" + + get_trustee_operator_manifests | \ + sed "s@TRUSTEE_NAMESPACE_PLACEHOLDER@${TRUSTEE_NAMESPACE}@g" | \ + sed "s@TRUSTEE_IMAGE_PLACEHOLDER@${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}@g" | \ + oc apply -f - +} + +function wait_for_operator() { + echo ">>> Waiting for trustee operator to be ready" + + # Poll for operator deployment to be ready (10 tries, 15s apart = 150s total) + local deployment_ready=false + for i in {1..10}; do + echo ">>> Attempt ${i}/10: Checking operator deployment status" + + if oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then + echo ">>> Trustee operator deployment is Available" + deployment_ready=true + break + fi + + # Show current status + echo ">>> Current deployment status:" + oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status}' 2>/dev/null || echo "Deployment not found yet" + + if [[ ${i} -lt 10 ]]; then + echo ">>> Waiting 15 seconds before retry..." + sleep 15 + fi + done + + if [[ "${deployment_ready}" != "true" ]]; then + echo ">>> ERROR: Operator deployment failed to become ready after 10 attempts (150s)" + echo ">>> Final deployment status:" + oc get deployment -n "${TRUSTEE_NAMESPACE}" || true + echo ">>> Pod status:" + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + echo ">>> Pod describe:" + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + return 1 + fi + + echo ">>> Trustee operator is ready" + oc get all -n "${TRUSTEE_NAMESPACE}" +} + +function install_trustee_operands() { + echo ">>> Installing trustee operands" + echo ">>> Applying trustee operands manifests" + echo ">>> Using cluster domain: ${CLUSTER_DOMAIN}" + + get_trustee_operands_manifests | \ + sed "s@TRUSTEE_NAMESPACE_PLACEHOLDER@${TRUSTEE_NAMESPACE}@g" | \ + sed "s@CLUSTER_DOMAIN_PLACEHOLDER@${CLUSTER_DOMAIN}@g" | \ + oc apply -f - + + echo ">>> Trustee operands manifests applied" +} + +function wait_for_operands() { + echo ">>> Waiting for trustee operands to be ready" + + # Give some time for operands to be created + sleep 10 + + # Get operand deployments (exclude operator controller) + local operand_deployments + operand_deployments=$(oc get deployment -n "${TRUSTEE_NAMESPACE}" -o name 2>/dev/null | grep -v controller-manager || true) + + if [[ -n "${operand_deployments}" ]]; then + for deployment in ${operand_deployments}; do + echo ">>> Waiting for ${deployment} to be ready" + + # Poll for deployment to be ready (10 tries, 15s apart = 150s total) + local deployment_ready=false + for i in {1..10}; do + echo ">>> Attempt ${i}/10: Checking ${deployment} status" + + if oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then + echo ">>> ${deployment} is Available" + deployment_ready=true + break + fi + + # Show current status + echo ">>> Current status:" + oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status}' 2>/dev/null || echo "Deployment status unavailable" + + if [[ ${i} -lt 10 ]]; then + echo ">>> Waiting 15 seconds before retry..." + sleep 15 + fi + done + + if [[ "${deployment_ready}" != "true" ]]; then + echo ">>> WARNING: ${deployment} failed to become ready after 10 attempts (150s)" + echo ">>> Final status:" + oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + oc describe "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true + # Continue checking other deployments instead of failing immediately + fi + done + else + echo ">>> No operand deployments found, checking for other resources" + fi + + echo ">>> Trustee operands status:" + oc get all -n "${TRUSTEE_NAMESPACE}" +} + +function get_tls_certificate() { + echo ">>> Retrieving TLS certificate for Trustee" + + local cert_data="" + + # Method 1: Try to get certificate from ingress controller + if oc get secret -n openshift-ingress-operator router-ca &>/dev/null; then + cert_data=$(oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + + # Method 2: Try ingress-operator secret + if [[ -z "${cert_data}" ]]; then + local cert_secret + cert_secret=$(oc get secret -n openshift-ingress-operator -o name 2>/dev/null | grep -E 'router-certs|ingress-operator' | head -1) + if [[ -n "${cert_secret}" ]]; then + cert_data=$(oc get "${cert_secret}" -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + # Method 3: Try to extract from the route using openssl + if [[ -z "${cert_data}" ]] && [[ -n "${TRUSTEE_HOST}" ]]; then + cert_data=$(echo | timeout 5 openssl s_client -connect "${TRUSTEE_HOST}:443" -servername "${TRUSTEE_HOST}" 2>/dev/null | openssl x509 2>/dev/null || echo "") + fi + + # Method 4: Fallback to any ingress-related secret + if [[ -z "${cert_data}" ]]; then + local cert_info + cert_info=$(oc get secret -A -o json 2>/dev/null | jq -r '.items[] | select(.metadata.name | contains("ingress")) | select(.data."tls.crt" != null) | "\(.metadata.namespace)/\(.metadata.name)"' | head -1 || echo "") + if [[ -n "${cert_info}" ]]; then + local ns name + ns=$(echo "${cert_info}" | cut -d/ -f1) + name=$(echo "${cert_info}" | cut -d/ -f2) + cert_data=$(oc get secret "${name}" -n "${ns}" -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") + fi + fi + + if [[ -z "${cert_data}" ]]; then + echo ">>> WARNING: Could not retrieve TLS certificate, using empty cert (may work for HTTP)" + cert_data="" + else + echo ">>> TLS certificate retrieved successfully" + fi + + echo "${cert_data}" +} + +function get_trustee_url() { + echo ">>> Retrieving Trustee KBS service URL" + + local kbs_service="kbs-service" + local trustee_url="" + local trustee_host="" + local trustee_port="" + + # First, always get the service port for reference + trustee_port=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.ports[0].port}' 2>/dev/null || echo "8080") + echo ">>> Trustee service port: ${trustee_port}" + + # Method 1: Try to get OpenShift route (most common for OpenShift) + if oc get route -n "${TRUSTEE_NAMESPACE}" &>/dev/null; then + trustee_host=$(oc get route "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.host}' 2>/dev/null || echo "") + if [[ -n "${trustee_host}" ]]; then + # Use HTTP for test environments to avoid self-signed certificate issues + # The route has insecureEdgeTerminationPolicy: Allow which permits HTTP + # Production CoCo workloads will use the certificate embedded in INITDATA + trustee_url="http://${trustee_host}" + echo ">>> Found OpenShift route: ${trustee_url}" + echo ">>> Using HTTP to avoid self-signed certificate issues in test environment" + fi + fi + + # Method 2: Try LoadBalancer service + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + if [[ -z "${trustee_ip}" ]]; then + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "") + fi + if [[ -n "${trustee_ip}" ]]; then + trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + echo ">>> Found LoadBalancer service: ${trustee_url}" + fi + fi + + # Method 3: Fall back to ClusterIP (internal only) + if [[ -z "${trustee_url}" ]]; then + local trustee_ip + trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "") + if [[ -n "${trustee_ip}" ]]; then + echo ">>> WARNING: Trustee service is ClusterIP only (not externally accessible)" + echo ">>> You may need to use port-forward or create a route/ingress" + trustee_url="http://${trustee_ip}:${trustee_port}" + trustee_host="${trustee_ip}" + else + echo ">>> ERROR: Cannot find Trustee KBS service in namespace ${TRUSTEE_NAMESPACE}" + return 1 + fi + fi + + echo ">>> TRUSTEE_URL: ${trustee_url}" + echo ">>> TRUSTEE_HOST: ${trustee_host}" + echo ">>> TRUSTEE_PORT: ${trustee_port}" + + # Save Trustee URL, host, and port to shared directory + echo "${trustee_url}" > "${SHARED_DIR}/TRUSTEE_URL" + echo "${trustee_host}" > "${SHARED_DIR}/TRUSTEE_HOST" + echo "${trustee_port}" > "${SHARED_DIR}/TRUSTEE_PORT" + + echo ">>> Saved TRUSTEE_URL to ${SHARED_DIR}/TRUSTEE_URL" + echo ">>> Saved TRUSTEE_HOST to ${SHARED_DIR}/TRUSTEE_HOST" + echo ">>> Saved TRUSTEE_PORT to ${SHARED_DIR}/TRUSTEE_PORT" + + export TRUSTEE_URL="${trustee_url}" + export TRUSTEE_HOST="${trustee_host}" + export TRUSTEE_PORT="${trustee_port}" +} + +function create_initdata() { + echo ">>> Creating INITDATA for confidential containers" + + # Get TLS certificate + local tls_cert + tls_cert=$(get_tls_certificate) + + # Get image security policy from containers-policy secret + echo ">>> Retrieving image security policy from containers-policy secret" + local policy_data + policy_data=$(oc get secret containers-policy -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.signed}' 2>/dev/null | base64 -d || echo "") + + if [[ -z "${policy_data}" ]]; then + echo ">>> WARNING: containers-policy secret not found, using default reject policy" + policy_data='{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "ghcr.io/confidential-containers/test-container-image-rs": [ + { + "type": "sigstoreSigned", + "keyPath": "kbs:///default/cosign-keys/key-0" + } + ] + } + } +}' + fi + + # Compact JSON (single line) for embedding in TOML + local policy_json + if command -v jq &> /dev/null; then + policy_json=$(echo "${policy_data}" | jq -c '.') + else + policy_json=$(echo "${policy_data}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin), separators=(",", ":")))' 2>/dev/null || echo "${policy_data}") + fi + + echo ">>> Policy retrieved successfully" + + # Create initdata.toml + local initdata_file="${SCRATCH}/initdata.toml" + echo ">>> Generating initdata.toml" + + cat > "${initdata_file}" <>> Created: ${initdata_file}" + + # Encode INITDATA (gzip + base64) + echo ">>> Encoding INITDATA" + local encoded_initdata + encoded_initdata=$(gzip -c "${initdata_file}" | base64 -w 0) + + # Save to shared directory + echo "${encoded_initdata}" > "${SHARED_DIR}/INITDATA" + cp "${initdata_file}" "${SHARED_DIR}/initdata.toml" + + echo ">>> Saved INITDATA to ${SHARED_DIR}/INITDATA ($(echo -n "${encoded_initdata}" | wc -c) bytes)" + echo ">>> Saved initdata.toml to ${SHARED_DIR}/initdata.toml (plain text for inspection)" + + export INITDATA="${encoded_initdata}" +} + +function update_env_configmap() { + echo ">>> Updating osc-config ConfigMap with Trustee values" + + # Check if the ConfigMap exists + if ! oc get configmap osc-config -n default &>/dev/null; then + echo ">>> WARNING: osc-config ConfigMap not found, skipping update" + echo ">>> This is normal if env-cm step hasn't run yet or if running standalone" + return 0 + fi + + echo ">>> Updating osc-config ConfigMap with TRUSTEE_URL and INITDATA" + + # Update the ConfigMap with the new values + oc patch configmap osc-config -n default --type=json -p="[ + {\"op\": \"replace\", \"path\": \"/data/trusteeUrl\", \"value\": \"${TRUSTEE_URL}\"}, + {\"op\": \"replace\", \"path\": \"/data/INITDATA\", \"value\": \"${INITDATA}\"} + ]" + + echo ">>> ConfigMap osc-config updated successfully" + echo ">>> trusteeUrl: ${TRUSTEE_URL}" + echo ">>> INITDATA: <$(echo -n "${INITDATA}" | wc -c) bytes>" + + # Verify the update + echo ">>> Verifying ConfigMap update" + oc get configmap osc-config -n default -o yaml | grep -E "trusteeUrl|INITDATA" | head -2 +} + +function get_kbs_client_manifest() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Pod +metadata: + name: KBS_CLIENT_POD_PLACEHOLDER + namespace: KBS_CLIENT_NAMESPACE_PLACEHOLDER +spec: + containers: + - name: kbs-client + image: KBS_CLIENT_IMAGE_PLACEHOLDER + command: ["sleep", "infinity"] + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + restartPolicy: Never +MANIFEST_EOF +} + +function get_kbs_client_tag() { + echo ">>> Determining kbs-client image tag" >&2 + + # Check if tag is specified via environment variable + if [[ -n "${KBS_CLIENT_TAG:-}" ]]; then + echo ">>> Using KBS_CLIENT_TAG from environment: ${KBS_CLIENT_TAG}" >&2 + echo "${KBS_CLIENT_TAG}" + return 0 + fi + + # Use skopeo to find the latest v.X.Y.Z tag + echo ">>> Looking up latest kbs-client tag with skopeo" >&2 + local latest_tag="" + latest_tag=$(skopeo list-tags docker://quay.io/confidential-containers/kbs-client 2>/dev/null | \ + jq -r '.Tags[]' | \ + grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | \ + sort -V | \ + tail -1 || echo "") + + if [[ -n "${latest_tag}" ]]; then + echo ">>> Found latest kbs-client tag: ${latest_tag}" >&2 + echo "${latest_tag}" + return 0 + fi + + # Fallback to known good version if skopeo fails + echo ">>> WARNING: Could not determine latest tag, using fallback: v0.19.0" >&2 + echo "v0.19.0" +} + +function verify_trustee_connectivity() { + echo ">>> Verifying Trustee connectivity using kbs-client" + + local kbs_client_pod="kbs-client-test" + local kbs_client_namespace="$TRUSTEE_NAMESPACE" + + # Get kbs-client tag (from env var or latest via skopeo) + local kbs_client_tag + kbs_client_tag=$(get_kbs_client_tag) + local kbs_client_image="quay.io/confidential-containers/kbs-client:${kbs_client_tag}" + + echo ">>> Using kbs-client image: ${kbs_client_image}" + + # Create kbs-client pod + echo ">>> Creating kbs-client pod" + get_kbs_client_manifest | \ + sed "s@KBS_CLIENT_POD_PLACEHOLDER@${kbs_client_pod}@g" | \ + sed "s@KBS_CLIENT_NAMESPACE_PLACEHOLDER@${kbs_client_namespace}@g" | \ + sed "s@KBS_CLIENT_IMAGE_PLACEHOLDER@${kbs_client_image}@g" | \ + oc apply -f - + + # Poll for pod to be ready (10 tries, 15s apart = 150s total) + echo ">>> Waiting for kbs-client pod to be ready" + local pod_ready=false + for i in {1..10}; do + echo ">>> Attempt ${i}/10: Checking kbs-client pod status" + + if oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null | grep -q "True"; then + echo ">>> kbs-client pod is Ready" + pod_ready=true + break + fi + + # Show current status + echo ">>> Current pod phase:" + oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.phase}' 2>/dev/null || echo "Pod not found yet" + echo ">>> Current pod conditions:" + oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[*].type}' 2>/dev/null || true + + if [[ ${i} -lt 10 ]]; then + echo ">>> Waiting 15 seconds before retry..." + sleep 15 + fi + done + + if [[ "${pod_ready}" != "true" ]]; then + echo ">>> ERROR: kbs-client pod failed to become ready after 10 attempts (150s)" + echo ">>> Pod describe:" + oc describe pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + echo ">>> Pod logs:" + oc logs pod/${kbs_client_pod} -n ${kbs_client_namespace} || true + oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true + return 1 + fi + + echo ">>> kbs-client pod is ready" + + # Test basic connectivity to Trustee KBS by retrieving a real resource + echo ">>> Testing connectivity to Trustee KBS at ${TRUSTEE_URL}" + echo ">>> Using HTTP to avoid certificate issues in test environment" + echo ">>> Retrieving cosign public key (configured in KbsConfig)" + + local kbs_test_failed=false + + # Try to fetch the cosign-keys/key-0 resource (should exist from KbsConfig) + if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ + kbs-client --url "${TRUSTEE_URL}" get-resource --path default/cosign-keys/key-0 2>&1 | tee /tmp/kbs-test-output.txt; then + echo ">>> SUCCESS: Successfully retrieved resource from Trustee KBS" + echo ">>> Retrieved resource content:" + cat /tmp/kbs-test-output.txt | head -20 + kbs_test_failed=false + else + # Failed to retrieve resource - this is a real failure + echo ">>> ERROR: Failed to retrieve resource from Trustee KBS" + echo ">>> kbs-client MUST successfully retrieve resources for CoCo workloads to function" + echo ">>> Full output:" + cat /tmp/kbs-test-output.txt || true + + # Check for specific error patterns + if grep -q "404\|not found\|NotFound" /tmp/kbs-test-output.txt; then + echo ">>> ERROR: Resource not found (404) - KbsConfig may not have published secrets correctly" + fi + if grep -q "401\|Unauthorized" /tmp/kbs-test-output.txt; then + echo ">>> ERROR: Unauthorized (401) - Attestation may have failed" + fi + if grep -q "timed out\|Connection timed out" /tmp/kbs-test-output.txt; then + echo ">>> ERROR: Connection timeout - KBS service may not be accessible" + fi + if grep -q "certificate verify failed\|SSL\|TLS" /tmp/kbs-test-output.txt; then + echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS" + echo ">>> Current TRUSTEE_URL: ${TRUSTEE_URL}" + fi + + kbs_test_failed=true + fi + + # Capture logs from KBS pod showing the attestation attempts + echo ">>> Capturing KBS pod logs showing attestation attempts" + + local kbs_pod + kbs_pod=$(oc get pod -n "${TRUSTEE_NAMESPACE}" -l app=kbs -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + + if [[ -n "${kbs_pod}" ]]; then + echo ">>> Found KBS pod: ${kbs_pod}" + + # Get recent logs showing the kbs-client requests + echo ">>> Retrieving KBS logs from last 5 minutes" + local log_file="${ARTIFACT_DIR:-${SHARED_DIR}}/kbs-attestation-logs.txt" + oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m > "${log_file}" 2>&1 || true + + # Also save to SHARED_DIR if ARTIFACT_DIR is different + if [[ -n "${ARTIFACT_DIR}" && "${ARTIFACT_DIR}" != "${SHARED_DIR}" ]]; then + cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true + fi + + # Show relevant attestation log entries + echo ">>> KBS attestation log summary:" + echo "================================================" + grep -E "attest|resource|POST|GET|kbs/v0" "${log_file}" 2>/dev/null | tail -30 || \ + echo ">>> No attestation-related logs found (may be using different log format)" + echo "================================================" + + echo ">>> Full KBS logs saved to ${log_file}" + if [[ -n "${ARTIFACT_DIR}" ]]; then + echo ">>> Logs will be included in CI job artifacts" + fi + + # Show log statistics + local log_lines + log_lines=$(wc -l < "${log_file}" 2>/dev/null || echo "0") + echo ">>> Captured ${log_lines} lines of KBS logs" + + # Look for specific attestation patterns + echo ">>> Checking for attestation patterns:" + if grep -q "POST.*attest" "${log_file}" 2>/dev/null; then + echo ">>> ✓ Found attestation POST requests" + grep "POST.*attest" "${log_file}" | tail -5 + else + echo ">>> ⚠ No attestation POST requests found" + fi + + if grep -q "GET.*resource" "${log_file}" 2>/dev/null; then + echo ">>> ✓ Found resource GET requests" + grep "GET.*resource" "${log_file}" | tail -5 + else + echo ">>> ⚠ No resource GET requests found" + fi + + else + echo ">>> WARNING: Could not find KBS pod in namespace ${TRUSTEE_NAMESPACE}" + echo ">>> Listing all pods in namespace:" + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + fi + + # Clean up the pod + echo ">>> Cleaning up kbs-client pod" + oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true + + # Fail the step if kbs-client could not connect + if [[ "${kbs_test_failed}" == "true" ]]; then + echo ">>> FAILED: kbs-client connectivity test failed" + echo ">>> The Trustee KBS service must be accessible for CoCo workloads to function" + return 1 + fi + + echo ">>> SUCCESS: Trustee connectivity verification completed" + return 0 +} + +echo ">>> Begin trustee operator installation" + +# Get cluster domain +CLUSTER_DOMAIN=$(get_cluster_domain) +export CLUSTER_DOMAIN +echo "CLUSTER_DOMAIN=${CLUSTER_DOMAIN}" + +install_trustee_operator +wait_for_operator +install_trustee_operands +wait_for_operands +get_trustee_url +create_initdata +update_env_configmap +verify_trustee_connectivity + +echo ">>> Trustee operator and operands installation completed successfully" +echo ">>> TRUSTEE_URL: ${TRUSTEE_URL}" +echo ">>> TRUSTEE_HOST: ${TRUSTEE_HOST}" +echo ">>> TRUSTEE_PORT: ${TRUSTEE_PORT}" +echo ">>> INITDATA created and saved to ${SHARED_DIR}/INITDATA" +echo ">>> ConfigMap osc-config updated with Trustee values" +echo ">>> Trustee connectivity verified with kbs-client" +if [[ -n "${ARTIFACT_DIR}" ]]; then + echo ">>> KBS attestation logs saved to ${ARTIFACT_DIR}/kbs-attestation-logs.txt (in artifacts)" +else + echo ">>> KBS attestation logs saved to ${SHARED_DIR}/kbs-attestation-logs.txt" +fi diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml new file mode 100644 index 0000000000000..a17c799cb313a --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml @@ -0,0 +1,52 @@ +ref: + as: sandboxed-containers-operator-install-trustee-operator + from: tools + grace_period: 10m + commands: sandboxed-containers-operator-install-trustee-operator-commands.sh + resources: + requests: + cpu: 1000m + memory: 2000Mi + env: + - name: TRUSTEE_INSTALL + default: "false" + documentation: |- + Whether to install the trustee operator. Set to "true" to enable installation. + - name: TRUSTEE_NAMESPACE + default: "trustee-operator-system" + documentation: |- + The namespace where the trustee operator will be installed + - name: TRUSTEE_IMAGE_REPO + default: "quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc" + documentation: |- + The container image repository for the trustee operator + - name: TRUSTEE_IMAGE_TAG + default: "1.1.0-1776506656" + documentation: |- + The container image tag for the trustee operator + - name: TRUSTEE_CHARTS_REF + default: "main" + documentation: |- + The git ref (branch/tag/commit) to use from the confidential-devhub/charts repository + - name: KBS_CLIENT_TAG + default: "" + documentation: |- + The kbs-client image tag to use for connectivity testing. If empty, automatically + discovers the latest v.X.Y.Z tag using skopeo. Override to pin a specific version + (e.g., "v0.19.0"). Fallback is v0.19.0 if skopeo lookup fails. + documentation: |- + A step that installs the trustee operator and operands on the cluster using pre-rendered + manifests embedded in the script. First installs the trustee-operator, waits for it to be + ready, then installs the trustee-operands with the derived cluster domain. After installation, + retrieves the Trustee KBS service URL and saves it to ${SHARED_DIR}/TRUSTEE_URL, + ${SHARED_DIR}/TRUSTEE_HOST, and ${SHARED_DIR}/TRUSTEE_PORT for use by subsequent test steps. + Also creates INITDATA for confidential containers including TLS certificate and image security + policy, saving both the encoded INITDATA and plain text initdata.toml to ${SHARED_DIR}. + When TRUSTEE_INSTALL=true, updates the osc-config ConfigMap with the generated TRUSTEE_URL + and INITDATA values, overriding any empty values set in the job configuration. Finally, + verifies Trustee connectivity by creating a kbs-client pod, testing resource fetching, and + capturing KBS pod logs showing attestation attempts to ${ARTIFACT_DIR}/kbs-attestation-logs.txt + for inclusion in CI job artifacts. + + NO NETWORK ACCESS REQUIRED: This step uses pre-rendered manifests with runtime variable + substitution via sed, eliminating the need for helm or git. Works with restrict_network_access: true. From 777d0f0310e61b94a10901b98e9d4078c346870e Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 19 May 2026 12:11:23 -0400 Subject: [PATCH 02/19] Reduce logging in install-trustee step - Remove INITDATA content from logs (security) - Focus on failures, not success/progress messages - Keep version logging (trustee image, kbs-client tag) - Keep attestation patterns (POST attest, GET resource) - Reduce TEE platform warnings to single line (WARN:) - Remove duplicate/verbose progress updates --- ...rator-install-trustee-operator-commands.sh | 329 +++--------------- 1 file changed, 40 insertions(+), 289 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 7e0cd9f7a60f8..986b2f46243b6 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -2,68 +2,33 @@ set -euo pipefail -cat <>> Install trustee operator and operands using pre-rendered manifests [$(date -u || true)]. -* Use embedded manifests (no network access required) -* Derive the cluster domain -* Generate and apply trustee-operator manifests with runtime substitution -* Wait for the operator to be ready -* Generate and apply trustee-operands manifests with runtime substitution -* Wait for the operands to be ready -* Retrieve Trustee KBS service URL and save to SHARED_DIR -* Create INITDATA for confidential containers and save to SHARED_DIR -* Update osc-config ConfigMap with TRUSTEE_URL and INITDATA -* Verify Trustee connectivity using kbs-client pod -* Capture KBS pod logs showing attestation attempts -EOF - -echo ">>> Prepare script environment" export SHARED_DIR=${SHARED_DIR:-/tmp} -echo "SHARED_DIR=${SHARED_DIR}" - export KUBECONFIG=${KUBECONFIG:-${SHARED_DIR}/kubeconfig} -echo "KUBECONFIG=${KUBECONFIG}" - TRUSTEE_INSTALL=${TRUSTEE_INSTALL:-false} -echo "TRUSTEE_INSTALL=${TRUSTEE_INSTALL}" -# Check if trustee installation is enabled if [[ "${TRUSTEE_INSTALL}" != "true" ]]; then - echo ">>> Trustee operator installation is disabled (TRUSTEE_INSTALL=${TRUSTEE_INSTALL})" - echo ">>> To enable, set TRUSTEE_INSTALL=true in the job configuration" - echo ">>> Skipping trustee operator installation" + echo ">>> Skipping trustee operator installation (TRUSTEE_INSTALL=${TRUSTEE_INSTALL})" exit 0 fi -echo ">>> Trustee operator installation is enabled" - TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE:-trustee-operator-system} -echo "TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE}" - TRUSTEE_IMAGE_REPO=${TRUSTEE_IMAGE_REPO:-quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc} -echo "TRUSTEE_IMAGE_REPO=${TRUSTEE_IMAGE_REPO}" - TRUSTEE_IMAGE_TAG=${TRUSTEE_IMAGE_TAG:-1.1.0-1776506656} -echo "TRUSTEE_IMAGE_TAG=${TRUSTEE_IMAGE_TAG}" +echo ">>> Trustee operator image: ${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}" SCRATCH=$(mktemp -d) -echo "SCRATCH=${SCRATCH}" cd "${SCRATCH}" function exit_handler() { exitcode=$? set +e - echo ">>> End trustee operator install" - echo "[$(date -u || true)] SECONDS=${SECONDS}" rm -rf "${SCRATCH}" if [[ ${exitcode} -ne 0 ]]; then - echo "Failed to install trustee operator" - echo ">>> Checking trustee operator namespace status" + echo ">>> ERROR: Trustee operator installation failed" + echo ">>> Namespace status:" oc get all -n "${TRUSTEE_NAMESPACE}" || true - echo ">>> Checking trustee operator pod logs" + echo ">>> Operator logs:" oc logs -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager --tail=50 || true - else - echo "Successfully installed trustee operator" fi } trap 'exit_handler' EXIT @@ -78,21 +43,16 @@ function retry() { } function get_cluster_domain() { - echo ">>> Deriving cluster domain" >&2 local cluster_domain="" - # Method 1: Try to get domain from ingress config (most reliable) + # Try ingress config, console route, then console URL cluster_domain=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}' 2>/dev/null || true) - # Method 2: If that fails, try getting it from a console route if [[ -z "${cluster_domain}" ]]; then - echo ">>> Trying alternative method to get cluster domain" >&2 cluster_domain=$(oc get route -n openshift-console console -o jsonpath='{.spec.host}' 2>/dev/null | sed 's/^console-openshift-console\.//' || true) fi - # Method 3: If that fails, try parsing from cluster console URL if [[ -z "${cluster_domain}" ]]; then - echo ">>> Trying to derive from console URL" >&2 local console_url console_url=$(oc whoami --show-console 2>/dev/null || true) if [[ -n "${console_url}" ]]; then @@ -101,7 +61,7 @@ function get_cluster_domain() { fi if [[ -z "${cluster_domain}" ]]; then - echo "ERROR: Failed to derive cluster domain" >&2 + echo ">>> ERROR: Failed to derive cluster domain" >&2 return 1 fi @@ -298,9 +258,6 @@ MANIFEST_EOF } function install_trustee_operator() { - echo ">>> Creating namespace and applying trustee operator manifests" - echo ">>> Using image: ${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}" - get_trustee_operator_manifests | \ sed "s@TRUSTEE_NAMESPACE_PLACEHOLDER@${TRUSTEE_NAMESPACE}@g" | \ sed "s@TRUSTEE_IMAGE_PLACEHOLDER@${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}@g" | \ @@ -308,119 +265,68 @@ function install_trustee_operator() { } function wait_for_operator() { - echo ">>> Waiting for trustee operator to be ready" - # Poll for operator deployment to be ready (10 tries, 15s apart = 150s total) local deployment_ready=false for i in {1..10}; do - echo ">>> Attempt ${i}/10: Checking operator deployment status" - if oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then - echo ">>> Trustee operator deployment is Available" deployment_ready=true break fi - - # Show current status - echo ">>> Current deployment status:" - oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status}' 2>/dev/null || echo "Deployment not found yet" - - if [[ ${i} -lt 10 ]]; then - echo ">>> Waiting 15 seconds before retry..." - sleep 15 - fi + [[ ${i} -lt 10 ]] && sleep 15 done if [[ "${deployment_ready}" != "true" ]]; then - echo ">>> ERROR: Operator deployment failed to become ready after 10 attempts (150s)" - echo ">>> Final deployment status:" + echo ">>> ERROR: Operator deployment not ready after 150s" oc get deployment -n "${TRUSTEE_NAMESPACE}" || true - echo ">>> Pod status:" oc get pods -n "${TRUSTEE_NAMESPACE}" || true - echo ">>> Pod describe:" oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true return 1 fi - - echo ">>> Trustee operator is ready" - oc get all -n "${TRUSTEE_NAMESPACE}" } function install_trustee_operands() { - echo ">>> Installing trustee operands" - echo ">>> Applying trustee operands manifests" - echo ">>> Using cluster domain: ${CLUSTER_DOMAIN}" + echo ">>> Cluster domain: ${CLUSTER_DOMAIN}" get_trustee_operands_manifests | \ sed "s@TRUSTEE_NAMESPACE_PLACEHOLDER@${TRUSTEE_NAMESPACE}@g" | \ sed "s@CLUSTER_DOMAIN_PLACEHOLDER@${CLUSTER_DOMAIN}@g" | \ oc apply -f - - - echo ">>> Trustee operands manifests applied" } function wait_for_operands() { - echo ">>> Waiting for trustee operands to be ready" - - # Give some time for operands to be created sleep 10 - # Get operand deployments (exclude operator controller) local operand_deployments operand_deployments=$(oc get deployment -n "${TRUSTEE_NAMESPACE}" -o name 2>/dev/null | grep -v controller-manager || true) if [[ -n "${operand_deployments}" ]]; then for deployment in ${operand_deployments}; do - echo ">>> Waiting for ${deployment} to be ready" - - # Poll for deployment to be ready (10 tries, 15s apart = 150s total) local deployment_ready=false for i in {1..10}; do - echo ">>> Attempt ${i}/10: Checking ${deployment} status" - if oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then - echo ">>> ${deployment} is Available" deployment_ready=true break fi - - # Show current status - echo ">>> Current status:" - oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status}' 2>/dev/null || echo "Deployment status unavailable" - - if [[ ${i} -lt 10 ]]; then - echo ">>> Waiting 15 seconds before retry..." - sleep 15 - fi + [[ ${i} -lt 10 ]] && sleep 15 done if [[ "${deployment_ready}" != "true" ]]; then - echo ">>> WARNING: ${deployment} failed to become ready after 10 attempts (150s)" - echo ">>> Final status:" + echo ">>> WARNING: ${deployment} not ready after 150s" oc get "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true oc describe "${deployment}" -n "${TRUSTEE_NAMESPACE}" || true - # Continue checking other deployments instead of failing immediately fi done - else - echo ">>> No operand deployments found, checking for other resources" fi - - echo ">>> Trustee operands status:" - oc get all -n "${TRUSTEE_NAMESPACE}" } function get_tls_certificate() { - echo ">>> Retrieving TLS certificate for Trustee" - local cert_data="" - # Method 1: Try to get certificate from ingress controller + # Try router-ca, ingress-operator secrets, openssl, then any ingress secret if oc get secret -n openshift-ingress-operator router-ca &>/dev/null; then cert_data=$(oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d || echo "") fi - # Method 2: Try ingress-operator secret if [[ -z "${cert_data}" ]]; then local cert_secret cert_secret=$(oc get secret -n openshift-ingress-operator -o name 2>/dev/null | grep -E 'router-certs|ingress-operator' | head -1) @@ -429,12 +335,10 @@ function get_tls_certificate() { fi fi - # Method 3: Try to extract from the route using openssl if [[ -z "${cert_data}" ]] && [[ -n "${TRUSTEE_HOST}" ]]; then cert_data=$(echo | timeout 5 openssl s_client -connect "${TRUSTEE_HOST}:443" -servername "${TRUSTEE_HOST}" 2>/dev/null | openssl x509 2>/dev/null || echo "") fi - # Method 4: Fallback to any ingress-related secret if [[ -z "${cert_data}" ]]; then local cert_info cert_info=$(oc get secret -A -o json 2>/dev/null | jq -r '.items[] | select(.metadata.name | contains("ingress")) | select(.data."tls.crt" != null) | "\(.metadata.namespace)/\(.metadata.name)"' | head -1 || echo "") @@ -446,62 +350,43 @@ function get_tls_certificate() { fi fi - if [[ -z "${cert_data}" ]]; then - echo ">>> WARNING: Could not retrieve TLS certificate, using empty cert (may work for HTTP)" - cert_data="" - else - echo ">>> TLS certificate retrieved successfully" - fi + [[ -z "${cert_data}" ]] && echo ">>> WARN: No TLS certificate found" >&2 echo "${cert_data}" } function get_trustee_url() { - echo ">>> Retrieving Trustee KBS service URL" - local kbs_service="kbs-service" local trustee_url="" local trustee_host="" local trustee_port="" - # First, always get the service port for reference trustee_port=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.ports[0].port}' 2>/dev/null || echo "8080") - echo ">>> Trustee service port: ${trustee_port}" - # Method 1: Try to get OpenShift route (most common for OpenShift) + # Try OpenShift route, LoadBalancer, then ClusterIP if oc get route -n "${TRUSTEE_NAMESPACE}" &>/dev/null; then trustee_host=$(oc get route "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.host}' 2>/dev/null || echo "") if [[ -n "${trustee_host}" ]]; then - # Use HTTP for test environments to avoid self-signed certificate issues - # The route has insecureEdgeTerminationPolicy: Allow which permits HTTP - # Production CoCo workloads will use the certificate embedded in INITDATA trustee_url="http://${trustee_host}" - echo ">>> Found OpenShift route: ${trustee_url}" - echo ">>> Using HTTP to avoid self-signed certificate issues in test environment" + echo ">>> Trustee URL: ${trustee_url} (HTTP for test environment)" fi fi - # Method 2: Try LoadBalancer service if [[ -z "${trustee_url}" ]]; then local trustee_ip trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") - if [[ -z "${trustee_ip}" ]]; then - trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "") - fi + [[ -z "${trustee_ip}" ]] && trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || echo "") if [[ -n "${trustee_ip}" ]]; then trustee_url="http://${trustee_ip}:${trustee_port}" trustee_host="${trustee_ip}" - echo ">>> Found LoadBalancer service: ${trustee_url}" fi fi - # Method 3: Fall back to ClusterIP (internal only) if [[ -z "${trustee_url}" ]]; then local trustee_ip trustee_ip=$(oc get svc "${kbs_service}" -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "") if [[ -n "${trustee_ip}" ]]; then - echo ">>> WARNING: Trustee service is ClusterIP only (not externally accessible)" - echo ">>> You may need to use port-forward or create a route/ingress" + echo ">>> WARN: Trustee using ClusterIP only (not externally accessible)" trustee_url="http://${trustee_ip}:${trustee_port}" trustee_host="${trustee_ip}" else @@ -510,38 +395,24 @@ function get_trustee_url() { fi fi - echo ">>> TRUSTEE_URL: ${trustee_url}" - echo ">>> TRUSTEE_HOST: ${trustee_host}" - echo ">>> TRUSTEE_PORT: ${trustee_port}" - - # Save Trustee URL, host, and port to shared directory echo "${trustee_url}" > "${SHARED_DIR}/TRUSTEE_URL" echo "${trustee_host}" > "${SHARED_DIR}/TRUSTEE_HOST" echo "${trustee_port}" > "${SHARED_DIR}/TRUSTEE_PORT" - echo ">>> Saved TRUSTEE_URL to ${SHARED_DIR}/TRUSTEE_URL" - echo ">>> Saved TRUSTEE_HOST to ${SHARED_DIR}/TRUSTEE_HOST" - echo ">>> Saved TRUSTEE_PORT to ${SHARED_DIR}/TRUSTEE_PORT" - export TRUSTEE_URL="${trustee_url}" export TRUSTEE_HOST="${trustee_host}" export TRUSTEE_PORT="${trustee_port}" } function create_initdata() { - echo ">>> Creating INITDATA for confidential containers" - - # Get TLS certificate local tls_cert tls_cert=$(get_tls_certificate) - # Get image security policy from containers-policy secret - echo ">>> Retrieving image security policy from containers-policy secret" local policy_data policy_data=$(oc get secret containers-policy -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.data.signed}' 2>/dev/null | base64 -d || echo "") if [[ -z "${policy_data}" ]]; then - echo ">>> WARNING: containers-policy secret not found, using default reject policy" + echo ">>> WARN: containers-policy secret not found, using default reject policy" policy_data='{ "default": [ { @@ -561,7 +432,6 @@ function create_initdata() { }' fi - # Compact JSON (single line) for embedding in TOML local policy_json if command -v jq &> /dev/null; then policy_json=$(echo "${policy_data}" | jq -c '.') @@ -569,11 +439,7 @@ function create_initdata() { policy_json=$(echo "${policy_data}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin), separators=(",", ":")))' 2>/dev/null || echo "${policy_data}") fi - echo ">>> Policy retrieved successfully" - - # Create initdata.toml local initdata_file="${SCRATCH}/initdata.toml" - echo ">>> Generating initdata.toml" cat > "${initdata_file}" <>> Created: ${initdata_file}" - - # Encode INITDATA (gzip + base64) - echo ">>> Encoding INITDATA" local encoded_initdata encoded_initdata=$(gzip -c "${initdata_file}" | base64 -w 0) - # Save to shared directory echo "${encoded_initdata}" > "${SHARED_DIR}/INITDATA" cp "${initdata_file}" "${SHARED_DIR}/initdata.toml" - echo ">>> Saved INITDATA to ${SHARED_DIR}/INITDATA ($(echo -n "${encoded_initdata}" | wc -c) bytes)" - echo ">>> Saved initdata.toml to ${SHARED_DIR}/initdata.toml (plain text for inspection)" - export INITDATA="${encoded_initdata}" } function update_env_configmap() { - echo ">>> Updating osc-config ConfigMap with Trustee values" - - # Check if the ConfigMap exists if ! oc get configmap osc-config -n default &>/dev/null; then - echo ">>> WARNING: osc-config ConfigMap not found, skipping update" - echo ">>> This is normal if env-cm step hasn't run yet or if running standalone" + echo ">>> WARN: osc-config ConfigMap not found (normal if env-cm step hasn't run yet)" return 0 fi - echo ">>> Updating osc-config ConfigMap with TRUSTEE_URL and INITDATA" - - # Update the ConfigMap with the new values oc patch configmap osc-config -n default --type=json -p="[ {\"op\": \"replace\", \"path\": \"/data/trusteeUrl\", \"value\": \"${TRUSTEE_URL}\"}, {\"op\": \"replace\", \"path\": \"/data/INITDATA\", \"value\": \"${INITDATA}\"} ]" - - echo ">>> ConfigMap osc-config updated successfully" - echo ">>> trusteeUrl: ${TRUSTEE_URL}" - echo ">>> INITDATA: <$(echo -n "${INITDATA}" | wc -c) bytes>" - - # Verify the update - echo ">>> Verifying ConfigMap update" - oc get configmap osc-config -n default -o yaml | grep -E "trusteeUrl|INITDATA" | head -2 } function get_kbs_client_manifest() { @@ -732,17 +575,12 @@ MANIFEST_EOF } function get_kbs_client_tag() { - echo ">>> Determining kbs-client image tag" >&2 - - # Check if tag is specified via environment variable if [[ -n "${KBS_CLIENT_TAG:-}" ]]; then - echo ">>> Using KBS_CLIENT_TAG from environment: ${KBS_CLIENT_TAG}" >&2 + echo ">>> kbs-client tag (from KBS_CLIENT_TAG): ${KBS_CLIENT_TAG}" >&2 echo "${KBS_CLIENT_TAG}" return 0 fi - # Use skopeo to find the latest v.X.Y.Z tag - echo ">>> Looking up latest kbs-client tag with skopeo" >&2 local latest_tag="" latest_tag=$(skopeo list-tags docker://quay.io/confidential-containers/kbs-client 2>/dev/null | \ jq -r '.Tags[]' | \ @@ -751,91 +589,53 @@ function get_kbs_client_tag() { tail -1 || echo "") if [[ -n "${latest_tag}" ]]; then - echo ">>> Found latest kbs-client tag: ${latest_tag}" >&2 + echo ">>> kbs-client tag (auto-discovered): ${latest_tag}" >&2 echo "${latest_tag}" return 0 fi - # Fallback to known good version if skopeo fails - echo ">>> WARNING: Could not determine latest tag, using fallback: v0.19.0" >&2 + echo ">>> WARN: Could not determine latest tag, using fallback: v0.19.0" >&2 echo "v0.19.0" } function verify_trustee_connectivity() { - echo ">>> Verifying Trustee connectivity using kbs-client" - local kbs_client_pod="kbs-client-test" local kbs_client_namespace="$TRUSTEE_NAMESPACE" - # Get kbs-client tag (from env var or latest via skopeo) local kbs_client_tag kbs_client_tag=$(get_kbs_client_tag) local kbs_client_image="quay.io/confidential-containers/kbs-client:${kbs_client_tag}" - echo ">>> Using kbs-client image: ${kbs_client_image}" - - # Create kbs-client pod - echo ">>> Creating kbs-client pod" get_kbs_client_manifest | \ sed "s@KBS_CLIENT_POD_PLACEHOLDER@${kbs_client_pod}@g" | \ sed "s@KBS_CLIENT_NAMESPACE_PLACEHOLDER@${kbs_client_namespace}@g" | \ sed "s@KBS_CLIENT_IMAGE_PLACEHOLDER@${kbs_client_image}@g" | \ oc apply -f - - # Poll for pod to be ready (10 tries, 15s apart = 150s total) - echo ">>> Waiting for kbs-client pod to be ready" + # Wait for pod ready (10 tries, 15s apart = 150s total) local pod_ready=false for i in {1..10}; do - echo ">>> Attempt ${i}/10: Checking kbs-client pod status" - if oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null | grep -q "True"; then - echo ">>> kbs-client pod is Ready" pod_ready=true break fi - - # Show current status - echo ">>> Current pod phase:" - oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.phase}' 2>/dev/null || echo "Pod not found yet" - echo ">>> Current pod conditions:" - oc get pod/${kbs_client_pod} -n ${kbs_client_namespace} -o jsonpath='{.status.conditions[*].type}' 2>/dev/null || true - - if [[ ${i} -lt 10 ]]; then - echo ">>> Waiting 15 seconds before retry..." - sleep 15 - fi + [[ ${i} -lt 10 ]] && sleep 15 done if [[ "${pod_ready}" != "true" ]]; then - echo ">>> ERROR: kbs-client pod failed to become ready after 10 attempts (150s)" - echo ">>> Pod describe:" + echo ">>> ERROR: kbs-client pod not ready after 150s" oc describe pod/${kbs_client_pod} -n ${kbs_client_namespace} || true - echo ">>> Pod logs:" oc logs pod/${kbs_client_pod} -n ${kbs_client_namespace} || true oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true return 1 fi - echo ">>> kbs-client pod is ready" - - # Test basic connectivity to Trustee KBS by retrieving a real resource - echo ">>> Testing connectivity to Trustee KBS at ${TRUSTEE_URL}" - echo ">>> Using HTTP to avoid certificate issues in test environment" - echo ">>> Retrieving cosign public key (configured in KbsConfig)" - local kbs_test_failed=false # Try to fetch the cosign-keys/key-0 resource (should exist from KbsConfig) - if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ + if ! oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ kbs-client --url "${TRUSTEE_URL}" get-resource --path default/cosign-keys/key-0 2>&1 | tee /tmp/kbs-test-output.txt; then - echo ">>> SUCCESS: Successfully retrieved resource from Trustee KBS" - echo ">>> Retrieved resource content:" - cat /tmp/kbs-test-output.txt | head -20 - kbs_test_failed=false - else - # Failed to retrieve resource - this is a real failure - echo ">>> ERROR: Failed to retrieve resource from Trustee KBS" - echo ">>> kbs-client MUST successfully retrieve resources for CoCo workloads to function" + echo ">>> ERROR: Failed to retrieve resource from Trustee KBS at ${TRUSTEE_URL}" echo ">>> Full output:" cat /tmp/kbs-test-output.txt || true @@ -850,92 +650,56 @@ function verify_trustee_connectivity() { echo ">>> ERROR: Connection timeout - KBS service may not be accessible" fi if grep -q "certificate verify failed\|SSL\|TLS" /tmp/kbs-test-output.txt; then - echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS" - echo ">>> Current TRUSTEE_URL: ${TRUSTEE_URL}" + echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS (current: ${TRUSTEE_URL})" fi kbs_test_failed=true fi - # Capture logs from KBS pod showing the attestation attempts - echo ">>> Capturing KBS pod logs showing attestation attempts" - + # Capture KBS logs showing attestation attempts local kbs_pod kbs_pod=$(oc get pod -n "${TRUSTEE_NAMESPACE}" -l app=kbs -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") if [[ -n "${kbs_pod}" ]]; then - echo ">>> Found KBS pod: ${kbs_pod}" - - # Get recent logs showing the kbs-client requests - echo ">>> Retrieving KBS logs from last 5 minutes" local log_file="${ARTIFACT_DIR:-${SHARED_DIR}}/kbs-attestation-logs.txt" oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m > "${log_file}" 2>&1 || true - # Also save to SHARED_DIR if ARTIFACT_DIR is different if [[ -n "${ARTIFACT_DIR}" && "${ARTIFACT_DIR}" != "${SHARED_DIR}" ]]; then cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true fi - # Show relevant attestation log entries - echo ">>> KBS attestation log summary:" - echo "================================================" - grep -E "attest|resource|POST|GET|kbs/v0" "${log_file}" 2>/dev/null | tail -30 || \ - echo ">>> No attestation-related logs found (may be using different log format)" - echo "================================================" - - echo ">>> Full KBS logs saved to ${log_file}" - if [[ -n "${ARTIFACT_DIR}" ]]; then - echo ">>> Logs will be included in CI job artifacts" - fi - - # Show log statistics - local log_lines - log_lines=$(wc -l < "${log_file}" 2>/dev/null || echo "0") - echo ">>> Captured ${log_lines} lines of KBS logs" - - # Look for specific attestation patterns - echo ">>> Checking for attestation patterns:" + # Show attestation patterns + echo ">>> Attestation patterns:" if grep -q "POST.*attest" "${log_file}" 2>/dev/null; then - echo ">>> ✓ Found attestation POST requests" - grep "POST.*attest" "${log_file}" | tail -5 + echo "✓ Attestation POST requests:" + grep "POST.*attest" "${log_file}" | tail -3 else - echo ">>> ⚠ No attestation POST requests found" + echo "⚠ No attestation POST requests" fi if grep -q "GET.*resource" "${log_file}" 2>/dev/null; then - echo ">>> ✓ Found resource GET requests" - grep "GET.*resource" "${log_file}" | tail -5 + echo "✓ Resource GET requests:" + grep "GET.*resource" "${log_file}" | tail -3 else - echo ">>> ⚠ No resource GET requests found" + echo "⚠ No resource GET requests" fi - else - echo ">>> WARNING: Could not find KBS pod in namespace ${TRUSTEE_NAMESPACE}" - echo ">>> Listing all pods in namespace:" + echo ">>> WARN: Could not find KBS pod" oc get pods -n "${TRUSTEE_NAMESPACE}" || true fi - # Clean up the pod - echo ">>> Cleaning up kbs-client pod" oc delete pod/${kbs_client_pod} -n ${kbs_client_namespace} --ignore-not-found=true - # Fail the step if kbs-client could not connect if [[ "${kbs_test_failed}" == "true" ]]; then - echo ">>> FAILED: kbs-client connectivity test failed" - echo ">>> The Trustee KBS service must be accessible for CoCo workloads to function" + echo ">>> ERROR: kbs-client connectivity test failed" return 1 fi - echo ">>> SUCCESS: Trustee connectivity verification completed" return 0 } -echo ">>> Begin trustee operator installation" - -# Get cluster domain CLUSTER_DOMAIN=$(get_cluster_domain) export CLUSTER_DOMAIN -echo "CLUSTER_DOMAIN=${CLUSTER_DOMAIN}" install_trustee_operator wait_for_operator @@ -945,16 +709,3 @@ get_trustee_url create_initdata update_env_configmap verify_trustee_connectivity - -echo ">>> Trustee operator and operands installation completed successfully" -echo ">>> TRUSTEE_URL: ${TRUSTEE_URL}" -echo ">>> TRUSTEE_HOST: ${TRUSTEE_HOST}" -echo ">>> TRUSTEE_PORT: ${TRUSTEE_PORT}" -echo ">>> INITDATA created and saved to ${SHARED_DIR}/INITDATA" -echo ">>> ConfigMap osc-config updated with Trustee values" -echo ">>> Trustee connectivity verified with kbs-client" -if [[ -n "${ARTIFACT_DIR}" ]]; then - echo ">>> KBS attestation logs saved to ${ARTIFACT_DIR}/kbs-attestation-logs.txt (in artifacts)" -else - echo ">>> KBS attestation logs saved to ${SHARED_DIR}/kbs-attestation-logs.txt" -fi From 9543ae971503d4ebb5964b5f1208e7e1d79a1f2f Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 19 May 2026 12:38:57 -0400 Subject: [PATCH 03/19] Suppress normal kbs-client protocol warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The RCA (Resource-Centric Authorization) protocol flow includes: 1. GET resource → 401 (no token) - triggers attestation 2. POST /auth + POST /attest - get token via attestation 3. GET resource → 200 (with token) - success kbs-client emits WARN messages during this normal flow: - 'No TEE platform detected. Sample Attester will be used.' - 'Authenticating with KBS failed. Perform a new RCAR handshake' - 'Attestation Token not found' These are expected protocol messages, not errors. Changes: - Separate stdout (resource data) from stderr (warnings) - On success: show resource size and first line only - On failure: show full stderr and stdout for debugging - Add comments explaining RCA protocol flow - Update attestation patterns to show full flow including 401 This eliminates confusing WARN messages that made successful operations appear to have failed. --- ...rator-install-trustee-operator-commands.sh | 69 ++++++++++++++----- 1 file changed, 50 insertions(+), 19 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 986b2f46243b6..cbac77a9465ba 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -632,24 +632,55 @@ function verify_trustee_connectivity() { local kbs_test_failed=false - # Try to fetch the cosign-keys/key-0 resource (should exist from KbsConfig) - if ! oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ - kbs-client --url "${TRUSTEE_URL}" get-resource --path default/cosign-keys/key-0 2>&1 | tee /tmp/kbs-test-output.txt; then + # Test KBS connectivity by retrieving a real resource + # Note: kbs-client will perform RCA protocol handshake: + # 1. GET resource → 401 (no token) + # 2. POST /auth + POST /attest (get attestation token) + # 3. GET resource → 200 (with token) + # We suppress normal protocol warnings (stderr) on success + echo ">>> Testing KBS connectivity at ${TRUSTEE_URL}" + if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ + kbs-client --url "${TRUSTEE_URL}" get-resource --path default/cosign-keys/key-0 \ + > /tmp/kbs-resource.txt 2> /tmp/kbs-stderr.txt; then + + # Success - show that we got the resource + echo ">>> Successfully retrieved default/cosign-keys/key-0" + local resource_size + resource_size=$(wc -c < /tmp/kbs-resource.txt 2>/dev/null || echo "0") + echo ">>> Resource size: ${resource_size} bytes" + + # Show first line of resource (should be base64 data or BEGIN PUBLIC KEY) + head -1 /tmp/kbs-resource.txt 2>/dev/null | head -c 80 || true + echo "" + + kbs_test_failed=false + else + # Failed - show full diagnostics echo ">>> ERROR: Failed to retrieve resource from Trustee KBS at ${TRUSTEE_URL}" - echo ">>> Full output:" - cat /tmp/kbs-test-output.txt || true - # Check for specific error patterns - if grep -q "404\|not found\|NotFound" /tmp/kbs-test-output.txt; then - echo ">>> ERROR: Resource not found (404) - KbsConfig may not have published secrets correctly" + # Show stderr (has the actual error) + if [[ -s /tmp/kbs-stderr.txt ]]; then + echo ">>> Error output:" + cat /tmp/kbs-stderr.txt + fi + + # Show stdout (might have partial data) + if [[ -s /tmp/kbs-resource.txt ]]; then + echo ">>> Partial output:" + cat /tmp/kbs-resource.txt fi - if grep -q "401\|Unauthorized" /tmp/kbs-test-output.txt; then - echo ">>> ERROR: Unauthorized (401) - Attestation may have failed" + + # Check for specific error patterns in both stdout and stderr + local all_output + all_output="$(cat /tmp/kbs-resource.txt /tmp/kbs-stderr.txt 2>/dev/null || true)" + + if echo "${all_output}" | grep -q "404\|not found\|NotFound"; then + echo ">>> ERROR: Resource not found (404) - KbsConfig may not have published secrets correctly" fi - if grep -q "timed out\|Connection timed out" /tmp/kbs-test-output.txt; then - echo ">>> ERROR: Connection timeout - KBS service may not be accessible" + if echo "${all_output}" | grep -q "Connection refused\|Connection timed out\|timed out"; then + echo ">>> ERROR: Cannot connect to KBS service" fi - if grep -q "certificate verify failed\|SSL\|TLS" /tmp/kbs-test-output.txt; then + if echo "${all_output}" | grep -q "certificate verify failed\|SSL\|TLS"; then echo ">>> ERROR: SSL/TLS error - URL should be HTTP, not HTTPS (current: ${TRUSTEE_URL})" fi @@ -668,18 +699,18 @@ function verify_trustee_connectivity() { cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true fi - # Show attestation patterns - echo ">>> Attestation patterns:" + # Show attestation patterns (RCA protocol flow) + echo ">>> Attestation patterns (RCA protocol):" if grep -q "POST.*attest" "${log_file}" 2>/dev/null; then - echo "✓ Attestation POST requests:" - grep "POST.*attest" "${log_file}" | tail -3 + echo "✓ Attestation (POST /auth, POST /attest):" + grep -E "POST.*/auth|POST.*attest" "${log_file}" | tail -4 else echo "⚠ No attestation POST requests" fi if grep -q "GET.*resource" "${log_file}" 2>/dev/null; then - echo "✓ Resource GET requests:" - grep "GET.*resource" "${log_file}" | tail -3 + echo "✓ Resource access (GET → 401 → attest → GET → 200):" + grep "GET.*resource" "${log_file}" | tail -5 else echo "⚠ No resource GET requests" fi From ceb8214f879499020fe7805baa3f2982ff3741fa Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 19 May 2026 15:17:47 -0400 Subject: [PATCH 04/19] Add OLM debugging to install-trustee-operator When operator deployment fails to appear, check: - CatalogSource status and pod - Subscription status and conditions - InstallPlan existence - CSV existence This will help diagnose why OLM isn't creating the operator deployment. --- ...rator-install-trustee-operator-commands.sh | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index cbac77a9465ba..42d557ea75ca0 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -277,9 +277,27 @@ function wait_for_operator() { if [[ "${deployment_ready}" != "true" ]]; then echo ">>> ERROR: Operator deployment not ready after 150s" - oc get deployment -n "${TRUSTEE_NAMESPACE}" || true - oc get pods -n "${TRUSTEE_NAMESPACE}" || true - oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true + + # Check OLM resources to diagnose why operator didn't install + echo ">>> Checking CatalogSource status:" + oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o yaml 2>&1 | grep -A20 "status:" || echo "CatalogSource not found or no status" + + echo ">>> Checking CatalogSource pod:" + oc get pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog 2>&1 || echo "No catalog pod found" + oc describe pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog 2>&1 | tail -50 || true + + echo ">>> Checking Subscription status:" + oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o yaml 2>&1 | grep -A30 "status:" || echo "Subscription not found or no status" + + echo ">>> Checking InstallPlan:" + oc get installplan -n "${TRUSTEE_NAMESPACE}" 2>&1 || echo "No InstallPlan found" + + echo ">>> Checking CSV:" + oc get csv -n "${TRUSTEE_NAMESPACE}" 2>&1 || echo "No CSV found" + + echo ">>> All resources in ${TRUSTEE_NAMESPACE}:" + oc get all -n "${TRUSTEE_NAMESPACE}" || true + return 1 fi } From 632e71270b0c84135f3896adb5b7bfa9d76261f2 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 19 May 2026 15:28:04 -0400 Subject: [PATCH 05/19] Add OLM stage polling to wait_for_operator Instead of just checking for deployment, poll through each OLM stage: 1. CatalogSource READY (60s timeout) 2. Subscription has InstallPlan reference (60s) 3. InstallPlan Complete (60s) 4. CSV Succeeded (60s) 5. Deployment Available (60s) Each stage polls every 5s (12 attempts). Total max wait: 5 minutes (was 150s before). Shows exactly which stage fails with appropriate error output. --- ...rator-install-trustee-operator-commands.sh | 115 ++++++++++++++---- 1 file changed, 93 insertions(+), 22 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 42d557ea75ca0..871db67b0153e 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -265,41 +265,112 @@ function install_trustee_operator() { } function wait_for_operator() { - # Poll for operator deployment to be ready (10 tries, 15s apart = 150s total) - local deployment_ready=false - for i in {1..10}; do - if oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then - deployment_ready=true + # OLM installation stages (poll each with timeout) + # 1. CatalogSource READY + # 2. Subscription has InstallPlan + # 3. InstallPlan Complete + # 4. CSV Succeeded + # 5. Deployment Available + + # Stage 1: Wait for CatalogSource to be READY (60s) + echo ">>> Waiting for CatalogSource to be READY..." + local catalog_ready=false + for i in {1..12}; do + local state=$(oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") + if [[ "${state}" == "READY" ]]; then + echo ">>> CatalogSource is READY" + catalog_ready=true break fi - [[ ${i} -lt 10 ]] && sleep 15 + [[ ${i} -lt 12 ]] && sleep 5 done - if [[ "${deployment_ready}" != "true" ]]; then - echo ">>> ERROR: Operator deployment not ready after 150s" + if [[ "${catalog_ready}" != "true" ]]; then + echo ">>> ERROR: CatalogSource not READY after 60s" + oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o yaml || true + oc get pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog || true + oc describe pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog | tail -50 || true + return 1 + fi - # Check OLM resources to diagnose why operator didn't install - echo ">>> Checking CatalogSource status:" - oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o yaml 2>&1 | grep -A20 "status:" || echo "CatalogSource not found or no status" + # Stage 2: Wait for Subscription to reference an InstallPlan (60s) + echo ">>> Waiting for Subscription to reference InstallPlan..." + local installplan_ref="" + for i in {1..12}; do + installplan_ref=$(oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o jsonpath='{.status.installplan.name}' 2>/dev/null || echo "") + if [[ -n "${installplan_ref}" ]]; then + echo ">>> Subscription references InstallPlan: ${installplan_ref}" + break + fi + [[ ${i} -lt 12 ]] && sleep 5 + done + + if [[ -z "${installplan_ref}" ]]; then + echo ">>> ERROR: Subscription has no InstallPlan reference after 60s" + oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o yaml || true + return 1 + fi - echo ">>> Checking CatalogSource pod:" - oc get pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog 2>&1 || echo "No catalog pod found" - oc describe pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog 2>&1 | tail -50 || true + # Stage 3: Wait for InstallPlan to be Complete (60s) + echo ">>> Waiting for InstallPlan ${installplan_ref} to be Complete..." + local installplan_complete=false + for i in {1..12}; do + local phase=$(oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "") + if [[ "${phase}" == "Complete" ]]; then + echo ">>> InstallPlan is Complete" + installplan_complete=true + break + fi + [[ ${i} -lt 12 ]] && sleep 5 + done - echo ">>> Checking Subscription status:" - oc get subscription -n "${TRUSTEE_NAMESPACE}" trustee-operator -o yaml 2>&1 | grep -A30 "status:" || echo "Subscription not found or no status" + if [[ "${installplan_complete}" != "true" ]]; then + echo ">>> ERROR: InstallPlan not Complete after 60s" + oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o yaml || true + return 1 + fi - echo ">>> Checking InstallPlan:" - oc get installplan -n "${TRUSTEE_NAMESPACE}" 2>&1 || echo "No InstallPlan found" + # Stage 4: Wait for CSV to be Succeeded (60s) + echo ">>> Waiting for CSV to be Succeeded..." + local csv_succeeded=false + for i in {1..12}; do + local csv_phase=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "") + if [[ "${csv_phase}" == "Succeeded" ]]; then + local csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + echo ">>> CSV ${csv_name} is Succeeded" + csv_succeeded=true + break + fi + [[ ${i} -lt 12 ]] && sleep 5 + done - echo ">>> Checking CSV:" - oc get csv -n "${TRUSTEE_NAMESPACE}" 2>&1 || echo "No CSV found" + if [[ "${csv_succeeded}" != "true" ]]; then + echo ">>> ERROR: CSV not Succeeded after 60s" + oc get csv -n "${TRUSTEE_NAMESPACE}" -o yaml || true + return 1 + fi - echo ">>> All resources in ${TRUSTEE_NAMESPACE}:" - oc get all -n "${TRUSTEE_NAMESPACE}" || true + # Stage 5: Wait for Deployment to be Available (60s) + echo ">>> Waiting for operator deployment to be Available..." + local deployment_ready=false + for i in {1..12}; do + if oc get deployment -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager -o jsonpath='{.items[0].status.conditions[?(@.type=="Available")].status}' 2>/dev/null | grep -q "True"; then + echo ">>> Operator deployment is Available" + deployment_ready=true + break + fi + [[ ${i} -lt 12 ]] && sleep 5 + done + if [[ "${deployment_ready}" != "true" ]]; then + echo ">>> ERROR: Operator deployment not Available after 60s" + oc get deployment -n "${TRUSTEE_NAMESPACE}" || true + oc get pods -n "${TRUSTEE_NAMESPACE}" || true + oc describe pods -n "${TRUSTEE_NAMESPACE}" -l control-plane=controller-manager || true return 1 fi + + echo ">>> Operator installation complete" } function install_trustee_operands() { From 4999977fd6e9e44c37d70e6abd58fc3968292f67 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Wed, 20 May 2026 08:28:47 -0400 Subject: [PATCH 06/19] Add test resource kbsres1 and improve kbs-client logging Changes: - Add Secret kbsres1 with key1=cmVzMXZhbDEK for testing - Add kbsres1 to KbsConfig kbsSecretResources - Test kbsres1/key1 instead of cosign-keys/key-0 for better validation - Show full oc exec command in logs - Display retrieved resource value in logs Co-Authored-By: Claude Sonnet 4.5 --- ...rator-install-trustee-operator-commands.sh | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 871db67b0153e..0b929d1a2fbe2 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -221,6 +221,15 @@ stringData: } } --- +apiVersion: v1 +kind: Secret +metadata: + name: kbsres1 + namespace: TRUSTEE_NAMESPACE_PLACEHOLDER +type: Opaque +stringData: + key1: cmVzMXZhbDEK +--- apiVersion: confidentialcontainers.org/v1alpha1 kind: KbsConfig metadata: @@ -230,6 +239,7 @@ spec: kbsSecretResources: - containers-policy - cosign-keys + - kbsres1 --- apiVersion: route.openshift.io/v1 kind: Route @@ -728,19 +738,16 @@ function verify_trustee_connectivity() { # 3. GET resource → 200 (with token) # We suppress normal protocol warnings (stderr) on success echo ">>> Testing KBS connectivity at ${TRUSTEE_URL}" + echo ">>> Running: oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- kbs-client --url \"${TRUSTEE_URL}\" get-resource --path default/kbsres1/key1" if oc exec ${kbs_client_pod} -n ${kbs_client_namespace} -- \ - kbs-client --url "${TRUSTEE_URL}" get-resource --path default/cosign-keys/key-0 \ + kbs-client --url "${TRUSTEE_URL}" get-resource --path default/kbsres1/key1 \ > /tmp/kbs-resource.txt 2> /tmp/kbs-stderr.txt; then # Success - show that we got the resource - echo ">>> Successfully retrieved default/cosign-keys/key-0" - local resource_size - resource_size=$(wc -c < /tmp/kbs-resource.txt 2>/dev/null || echo "0") - echo ">>> Resource size: ${resource_size} bytes" - - # Show first line of resource (should be base64 data or BEGIN PUBLIC KEY) - head -1 /tmp/kbs-resource.txt 2>/dev/null | head -c 80 || true - echo "" + echo ">>> Successfully retrieved default/kbsres1/key1" + local resource_value + resource_value=$(cat /tmp/kbs-resource.txt 2>/dev/null || echo "") + echo ">>> Resource value: ${resource_value}" kbs_test_failed=false else From a58b5dfd61cd73fde12dc5687bbb8799f827a5a3 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Wed, 20 May 2026 13:22:47 -0400 Subject: [PATCH 07/19] Fix kbsres1 Secret to use data instead of stringData MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue: stringData auto-base64-encodes values, causing double-encoding: - stringData: cmVzMXZhbDEK → stored as Y21Wek1YWmhiREVL - KBS returns: Y21Wek1YWmhiREVL (wrong) Fix: Use data field to store pre-encoded value directly: - data: cmVzMXZhbDEK → stored as cmVzMXZhbDEK - KBS returns: cmVzMXZhbDEK (correct, base64 of "res1val1") Co-Authored-By: Claude Sonnet 4.5 --- ...xed-containers-operator-install-trustee-operator-commands.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 0b929d1a2fbe2..305ac950eef64 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -227,7 +227,7 @@ metadata: name: kbsres1 namespace: TRUSTEE_NAMESPACE_PLACEHOLDER type: Opaque -stringData: +data: key1: cmVzMXZhbDEK --- apiVersion: confidentialcontainers.org/v1alpha1 From 329d6f95541dab8c3b49f5a8075f0e38b46f7c62 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Wed, 20 May 2026 15:51:15 -0400 Subject: [PATCH 08/19] Add TRUSTEE_CATALOG_SOURCE_NAME/IMAGE env vars for flexible catalog selection Changes: - Add TRUSTEE_CATALOG_SOURCE_NAME (default: redhat-operators) - Add TRUSTEE_CATALOG_SOURCE_IMAGE (default: empty) - Only create CatalogSource if TRUSTEE_CATALOG_SOURCE_IMAGE is set - Check if CatalogSource exists before creating to avoid overwrites - Skip CatalogSource readiness wait when using existing catalog - Update Subscription to use configurable catalog source name - Deprecate TRUSTEE_IMAGE_REPO/TAG (only used with custom image) Usage patterns: 1. Default (redhat-operators): Set nothing, uses existing catalog 2. Custom catalog (brew-catalog): Set TRUSTEE_CATALOG_SOURCE_NAME only 3. New custom catalog: Set both NAME and IMAGE to create new catalog Benefits: - Simpler than OSC (no auto-discovery of latest image tags) - Supports existing catalogs without modification - Allows custom catalogs when needed - Prevents overwriting existing catalog sources Co-Authored-By: Claude Sonnet 4.5 --- ...rator-install-trustee-operator-commands.sh | 98 +++++++++++++------ ...operator-install-trustee-operator-ref.yaml | 19 +++- 2 files changed, 85 insertions(+), 32 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 305ac950eef64..01b1b8c2309d6 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -12,9 +12,18 @@ if [[ "${TRUSTEE_INSTALL}" != "true" ]]; then fi TRUSTEE_NAMESPACE=${TRUSTEE_NAMESPACE:-trustee-operator-system} +TRUSTEE_CATALOG_SOURCE_NAME=${TRUSTEE_CATALOG_SOURCE_NAME:-redhat-operators} +TRUSTEE_CATALOG_SOURCE_IMAGE=${TRUSTEE_CATALOG_SOURCE_IMAGE:-} + +# Legacy variables for backward compatibility (used when TRUSTEE_CATALOG_SOURCE_IMAGE is set) TRUSTEE_IMAGE_REPO=${TRUSTEE_IMAGE_REPO:-quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc} TRUSTEE_IMAGE_TAG=${TRUSTEE_IMAGE_TAG:-1.1.0-1776506656} -echo ">>> Trustee operator image: ${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}" + +if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + echo ">>> Trustee catalog source: ${TRUSTEE_CATALOG_SOURCE_NAME} (image: ${TRUSTEE_CATALOG_SOURCE_IMAGE})" +else + echo ">>> Trustee catalog source: ${TRUSTEE_CATALOG_SOURCE_NAME} (using existing catalog)" +fi SCRATCH=$(mktemp -d) cd "${SCRATCH}" @@ -69,25 +78,42 @@ function get_cluster_domain() { echo "${cluster_domain}" } -function get_trustee_operator_manifests() { - cat << 'MANIFEST_EOF' ---- -apiVersion: v1 -kind: Namespace -metadata: - name: TRUSTEE_NAMESPACE_PLACEHOLDER +function get_trustee_catalog_source_manifest() { + # Only output CatalogSource manifest if TRUSTEE_CATALOG_SOURCE_IMAGE is set + # and the catalog source doesn't already exist + if [[ -z "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + return 0 + fi + + if oc get catalogsource -n openshift-marketplace "${TRUSTEE_CATALOG_SOURCE_NAME}" &>/dev/null; then + echo ">>> CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} already exists, skipping creation" + return 0 + fi + + cat << 'CATALOG_EOF' --- apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: - name: trustee-operator-dev-catalog + name: TRUSTEE_CATALOG_SOURCE_NAME_PLACEHOLDER namespace: openshift-marketplace spec: - displayName: Trustee Operator Dev Catalog + displayName: Trustee Operator Catalog sourceType: grpc - image: "TRUSTEE_IMAGE_PLACEHOLDER" + image: "TRUSTEE_CATALOG_SOURCE_IMAGE_PLACEHOLDER" publisher: Confidential Containers Team --- +CATALOG_EOF +} + +function get_trustee_operator_manifests() { + cat << 'MANIFEST_EOF' +--- +apiVersion: v1 +kind: Namespace +metadata: + name: TRUSTEE_NAMESPACE_PLACEHOLDER +--- apiVersion: config.openshift.io/v1 kind: ImageDigestMirrorSet metadata: @@ -156,7 +182,7 @@ spec: channel: stable installPlanApproval: Automatic name: trustee-operator - source: trustee-operator-dev-catalog + source: TRUSTEE_CATALOG_SOURCE_NAME_PLACEHOLDER sourceNamespace: openshift-marketplace MANIFEST_EOF } @@ -268,9 +294,16 @@ MANIFEST_EOF } function install_trustee_operator() { + # Apply CatalogSource if needed (only if TRUSTEE_CATALOG_SOURCE_IMAGE is set and catalog doesn't exist) + get_trustee_catalog_source_manifest | \ + sed "s@TRUSTEE_CATALOG_SOURCE_NAME_PLACEHOLDER@${TRUSTEE_CATALOG_SOURCE_NAME}@g" | \ + sed "s@TRUSTEE_CATALOG_SOURCE_IMAGE_PLACEHOLDER@${TRUSTEE_CATALOG_SOURCE_IMAGE}@g" | \ + oc apply -f - || true + + # Apply operator manifests (Namespace, mirrors, OperatorGroup, Subscription) get_trustee_operator_manifests | \ sed "s@TRUSTEE_NAMESPACE_PLACEHOLDER@${TRUSTEE_NAMESPACE}@g" | \ - sed "s@TRUSTEE_IMAGE_PLACEHOLDER@${TRUSTEE_IMAGE_REPO}:${TRUSTEE_IMAGE_TAG}@g" | \ + sed "s@TRUSTEE_CATALOG_SOURCE_NAME_PLACEHOLDER@${TRUSTEE_CATALOG_SOURCE_NAME}@g" | \ oc apply -f - } @@ -283,24 +316,29 @@ function wait_for_operator() { # 5. Deployment Available # Stage 1: Wait for CatalogSource to be READY (60s) - echo ">>> Waiting for CatalogSource to be READY..." - local catalog_ready=false - for i in {1..12}; do - local state=$(oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") - if [[ "${state}" == "READY" ]]; then - echo ">>> CatalogSource is READY" - catalog_ready=true - break - fi - [[ ${i} -lt 12 ]] && sleep 5 - done + # Skip if using existing catalog (no TRUSTEE_CATALOG_SOURCE_IMAGE provided) + if [[ -n "${TRUSTEE_CATALOG_SOURCE_IMAGE}" ]]; then + echo ">>> Waiting for CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} to be READY..." + local catalog_ready=false + for i in {1..12}; do + local state=$(oc get catalogsource -n openshift-marketplace "${TRUSTEE_CATALOG_SOURCE_NAME}" -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") + if [[ "${state}" == "READY" ]]; then + echo ">>> CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} is READY" + catalog_ready=true + break + fi + [[ ${i} -lt 12 ]] && sleep 5 + done - if [[ "${catalog_ready}" != "true" ]]; then - echo ">>> ERROR: CatalogSource not READY after 60s" - oc get catalogsource -n openshift-marketplace trustee-operator-dev-catalog -o yaml || true - oc get pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog || true - oc describe pods -n openshift-marketplace -l olm.catalogSource=trustee-operator-dev-catalog | tail -50 || true - return 1 + if [[ "${catalog_ready}" != "true" ]]; then + echo ">>> ERROR: CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} not READY after 60s" + oc get catalogsource -n openshift-marketplace "${TRUSTEE_CATALOG_SOURCE_NAME}" -o yaml || true + oc get pods -n openshift-marketplace -l olm.catalogSource="${TRUSTEE_CATALOG_SOURCE_NAME}" || true + oc describe pods -n openshift-marketplace -l olm.catalogSource="${TRUSTEE_CATALOG_SOURCE_NAME}" | tail -50 || true + return 1 + fi + else + echo ">>> Using existing CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME}, skipping readiness check" fi # Stage 2: Wait for Subscription to reference an InstallPlan (60s) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml index a17c799cb313a..67d2793338b6b 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml @@ -16,14 +16,29 @@ ref: default: "trustee-operator-system" documentation: |- The namespace where the trustee operator will be installed + - name: TRUSTEE_CATALOG_SOURCE_NAME + default: "redhat-operators" + documentation: |- + The name of the CatalogSource to use for installing trustee operator. + Default is "redhat-operators" (existing catalog, no creation needed). + Can be overridden to use a custom catalog source (e.g., "brew-catalog"). + - name: TRUSTEE_CATALOG_SOURCE_IMAGE + default: "" + documentation: |- + The container image for a custom trustee operator CatalogSource. + If empty (default), uses TRUSTEE_CATALOG_SOURCE_NAME as-is (must already exist). + If set, creates a new CatalogSource with this image (unless it already exists). + Example: "quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656" - name: TRUSTEE_IMAGE_REPO default: "quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc" documentation: |- - The container image repository for the trustee operator + (DEPRECATED - only used when TRUSTEE_CATALOG_SOURCE_IMAGE is set) + The container image repository for the trustee operator catalog - name: TRUSTEE_IMAGE_TAG default: "1.1.0-1776506656" documentation: |- - The container image tag for the trustee operator + (DEPRECATED - only used when TRUSTEE_CATALOG_SOURCE_IMAGE is set) + The container image tag for the trustee operator catalog - name: TRUSTEE_CHARTS_REF default: "main" documentation: |- From e203b69b3707a5f492b395102f982618586317fe Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 21 May 2026 08:28:10 -0400 Subject: [PATCH 09/19] Map kbs-client version to trustee operator version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Add map_trustee_to_kbs_client_version() function - Extract trustee version from CSV name (e.g., trustee-operator.v1.1.0) - Map trustee versions to compatible kbs-client versions: - trustee 1.1.x → kbs-client v0.17.0 - trustee 1.11.x → kbs-client v0.19.0 - Export TRUSTEE_CSV_NAME from wait_for_operator for use in mapping - Update get_kbs_client_tag() to use version mapping before auto-discovery Version selection priority: 1. KBS_CLIENT_TAG env var (explicit override) 2. Version mapping from trustee CSV (semantic versioning) 3. Auto-discovery (latest semver tag from registry) 4. Fallback: v0.17.0 This ensures kbs-client compatibility with the installed trustee version. Co-Authored-By: Claude Sonnet 4.5 --- ...rator-install-trustee-operator-commands.sh | 65 +++++++++++++++++-- 1 file changed, 60 insertions(+), 5 deletions(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 01b1b8c2309d6..2dbfbcaa68282 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -381,10 +381,11 @@ function wait_for_operator() { # Stage 4: Wait for CSV to be Succeeded (60s) echo ">>> Waiting for CSV to be Succeeded..." local csv_succeeded=false + local csv_name="" for i in {1..12}; do local csv_phase=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "") if [[ "${csv_phase}" == "Succeeded" ]]; then - local csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") + csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") echo ">>> CSV ${csv_name} is Succeeded" csv_succeeded=true break @@ -398,6 +399,9 @@ function wait_for_operator() { return 1 fi + # Export CSV name for kbs-client version mapping + export TRUSTEE_CSV_NAME="${csv_name}" + # Stage 5: Wait for Deployment to be Available (60s) echo ">>> Waiting for operator deployment to be Available..." local deployment_ready=false @@ -711,13 +715,62 @@ spec: MANIFEST_EOF } +function map_trustee_to_kbs_client_version() { + local trustee_version="$1" + + # Map trustee operator versions to compatible kbs-client versions + # Based on semantic versioning compatibility + case "${trustee_version}" in + 1.1.*|1.1) + echo "v0.17.0" + ;; + 1.11.*|1.11) + echo "v0.19.0" + ;; + *) + # Return empty string if no mapping exists + echo "" + ;; + esac +} + function get_kbs_client_tag() { + # Override: explicit KBS_CLIENT_TAG takes precedence if [[ -n "${KBS_CLIENT_TAG:-}" ]]; then echo ">>> kbs-client tag (from KBS_CLIENT_TAG): ${KBS_CLIENT_TAG}" >&2 echo "${KBS_CLIENT_TAG}" return 0 fi + # Try to determine from trustee operator CSV version + if [[ -n "${TRUSTEE_CSV_NAME:-}" ]]; then + # Extract version from CSV name (e.g., "trustee-operator.v1.10.0" -> "1.10.0") + local trustee_version + trustee_version=$(echo "${TRUSTEE_CSV_NAME}" | sed 's/^trustee-operator\.v//') + + if [[ -n "${trustee_version}" ]]; then + # Try major.minor mapping first (e.g., "1.10.0" -> "1.10") + local trustee_minor="${trustee_version%.*}" + local mapped_tag + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_minor}") + + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + + # Try full version mapping if minor didn't match + mapped_tag=$(map_trustee_to_kbs_client_version "${trustee_version}") + if [[ -n "${mapped_tag}" ]]; then + echo ">>> kbs-client tag (mapped from trustee ${trustee_version}): ${mapped_tag}" >&2 + echo "${mapped_tag}" + return 0 + fi + fi + fi + + # Fallback: Auto-discover latest semver tag from registry local latest_tag="" latest_tag=$(skopeo list-tags docker://quay.io/confidential-containers/kbs-client 2>/dev/null | \ jq -r '.Tags[]' | \ @@ -726,13 +779,14 @@ function get_kbs_client_tag() { tail -1 || echo "") if [[ -n "${latest_tag}" ]]; then - echo ">>> kbs-client tag (auto-discovered): ${latest_tag}" >&2 + echo ">>> kbs-client tag (auto-discovered latest semver): ${latest_tag}" >&2 echo "${latest_tag}" return 0 fi - echo ">>> WARN: Could not determine latest tag, using fallback: v0.19.0" >&2 - echo "v0.19.0" + # Last resort fallback + echo ">>> WARN: Could not determine kbs-client tag, using fallback: v0.17.0" >&2 + echo "v0.17.0" } function verify_trustee_connectivity() { @@ -827,7 +881,8 @@ function verify_trustee_connectivity() { if [[ -n "${kbs_pod}" ]]; then local log_file="${ARTIFACT_DIR:-${SHARED_DIR}}/kbs-attestation-logs.txt" - oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m > "${log_file}" 2>&1 || true + # Strip ANSI color codes from logs for cleaner output + oc logs "${kbs_pod}" -n "${TRUSTEE_NAMESPACE}" --since=5m 2>&1 | sed 's/\x1b\[[0-9;]*m//g' > "${log_file}" || true if [[ -n "${ARTIFACT_DIR}" && "${ARTIFACT_DIR}" != "${SHARED_DIR}" ]]; then cp "${log_file}" "${SHARED_DIR}/kbs-attestation-logs.txt" 2>/dev/null || true From 3b4bf640f8fe0d1895f40dc1a2e976d627b84fa3 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 2 Jun 2026 14:07:18 -0400 Subject: [PATCH 10/19] Add install-trustee-operator step to azure-ipi-coco test - Add install-trustee-operator step to sandboxed-containers-operator-pre chain - Enable TRUSTEE_INSTALL=true for azure-ipi-coco test - Add TRUSTEE_CATALOG_SOURCE_IMAGE and TRUSTEE_CATALOG_SOURCE_NAME env vars This integrates the trustee operator installation step into the CoCo test workflow, allowing automated deployment and testing of confidential containers with KBS (Key Broker Service) support. Co-Authored-By: Claude Sonnet 4.5 --- ...dboxed-containers-operator-devel__downstream-candidate.yaml | 3 +++ .../pre/sandboxed-containers-operator-pre-chain.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 22df2a4256a6b..181c517f96f0a 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -125,6 +125,9 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure diff --git a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml index a46aca64e11a5..3cb7b9fc097a3 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml +++ b/ci-operator/step-registry/sandboxed-containers-operator/pre/sandboxed-containers-operator-pre-chain.yaml @@ -4,6 +4,7 @@ chain: - ref: sandboxed-containers-operator-get-kata-rpm - ref: sandboxed-containers-operator-peerpods-param-cm - ref: sandboxed-containers-operator-env-cm + - ref: sandboxed-containers-operator-install-trustee-operator - ref: sandboxed-containers-operator-record-metadata documentation: |- The sandboxed containers operator pre-testing chain \ No newline at end of file From 6cd07ca7b8bd3ec9a8c2dc89645b259589a73eaf Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 2 Jun 2026 14:41:59 -0400 Subject: [PATCH 11/19] Fix validation failures in install-trustee-operator step - Add missing OWNERS file for step-registry-metadata check - Fix shellcheck SC2155 warnings by declaring and assigning variables separately Co-Authored-By: Claude Sonnet 4.5 --- .../install-trustee-operator/OWNERS | 10 ++++++++++ ...iners-operator-install-trustee-operator-commands.sh | 9 ++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS new file mode 100644 index 0000000000000..5c31fe0ceccfc --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/OWNERS @@ -0,0 +1,10 @@ +reviewers: + - ldoktor + - tbuskey + - vvoronko + - wainersm +approvers: + - ldoktor + - tbuskey + - vvoronko + - wainersm diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh index 2dbfbcaa68282..964ee6f0ccc1a 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-commands.sh @@ -321,7 +321,8 @@ function wait_for_operator() { echo ">>> Waiting for CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} to be READY..." local catalog_ready=false for i in {1..12}; do - local state=$(oc get catalogsource -n openshift-marketplace "${TRUSTEE_CATALOG_SOURCE_NAME}" -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") + local state + state=$(oc get catalogsource -n openshift-marketplace "${TRUSTEE_CATALOG_SOURCE_NAME}" -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") if [[ "${state}" == "READY" ]]; then echo ">>> CatalogSource ${TRUSTEE_CATALOG_SOURCE_NAME} is READY" catalog_ready=true @@ -363,7 +364,8 @@ function wait_for_operator() { echo ">>> Waiting for InstallPlan ${installplan_ref} to be Complete..." local installplan_complete=false for i in {1..12}; do - local phase=$(oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "") + local phase + phase=$(oc get installplan -n "${TRUSTEE_NAMESPACE}" "${installplan_ref}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "") if [[ "${phase}" == "Complete" ]]; then echo ">>> InstallPlan is Complete" installplan_complete=true @@ -383,7 +385,8 @@ function wait_for_operator() { local csv_succeeded=false local csv_name="" for i in {1..12}; do - local csv_phase=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "") + local csv_phase + csv_phase=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].status.phase}' 2>/dev/null || echo "") if [[ "${csv_phase}" == "Succeeded" ]]; then csv_name=$(oc get csv -n "${TRUSTEE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") echo ">>> CSV ${csv_name} is Succeeded" From 6f0001da5b42d10d02fc7b0a579bfac0649a6c5a Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 2 Jun 2026 14:58:11 -0400 Subject: [PATCH 12/19] Add generated metadata for install-trustee-operator step Co-Authored-By: Claude Sonnet 4.5 --- ...r-install-trustee-operator-ref.metadata.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json new file mode 100644 index 0000000000000..9c3449cf51876 --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json @@ -0,0 +1,17 @@ +{ + "path": "sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.yaml", + "owners": { + "approvers": [ + "ldoktor", + "tbuskey", + "vvoronko", + "wainersm" + ], + "reviewers": [ + "ldoktor", + "tbuskey", + "vvoronko", + "wainersm" + ] + } +} From ae1b7b8eb4abb64ff954e3ae93e148bde2b63de6 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 2 Jun 2026 15:29:40 -0400 Subject: [PATCH 13/19] Fix metadata file formatting (no trailing newline) Co-Authored-By: Claude Sonnet 4.5 --- ...ntainers-operator-install-trustee-operator-ref.metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json index 9c3449cf51876..f738b203a5415 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json @@ -14,4 +14,4 @@ "wainersm" ] } -} +}\ From 582bbd9fd6d52626493f751162bcd892a52f68fe Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Tue, 2 Jun 2026 15:38:12 -0400 Subject: [PATCH 14/19] Fix metadata JSON formatting - remove invalid backslash Co-Authored-By: Claude Sonnet 4.5 --- ...ntainers-operator-install-trustee-operator-ref.metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json index f738b203a5415..3bf63215782f7 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json +++ b/ci-operator/step-registry/sandboxed-containers-operator/install-trustee-operator/sandboxed-containers-operator-install-trustee-operator-ref.metadata.json @@ -14,4 +14,4 @@ "wainersm" ] } -}\ +} \ No newline at end of file From b2461db1baa0c2aeb36626085fec8f55e23901d3 Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Wed, 3 Jun 2026 13:55:15 -0400 Subject: [PATCH 15/19] Enable TRUSTEE_INSTALL for all candidate versions of aws-ipi-coco Add TRUSTEE_INSTALL=true and trustee catalog env vars to all downstream-candidate version configs (417-421) for aws-ipi-coco test. Previously only modified the base downstream-candidate.yaml, but jobs run from version-specific files. Co-Authored-By: Claude Sonnet 4.5 --- ...xed-containers-operator-devel__downstream-candidate417.yaml | 3 +++ ...xed-containers-operator-devel__downstream-candidate418.yaml | 3 +++ ...xed-containers-operator-devel__downstream-candidate419.yaml | 3 +++ ...xed-containers-operator-devel__downstream-candidate420.yaml | 3 +++ ...xed-containers-operator-devel__downstream-candidate421.yaml | 3 +++ 5 files changed, 15 insertions(+) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index eed240831f6ec..882ed79b5c2fb 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -282,6 +282,9 @@ tests: TEST_TIMEOUT: "90" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index aa1a15e0a702c..beff4f7ddf4de 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -282,6 +282,9 @@ tests: TEST_TIMEOUT: "90" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index de6b8ed0eee7f..df10b8dd5f461 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -282,6 +282,9 @@ tests: TEST_TIMEOUT: "90" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index c07b3ead5e346..803a2d2cf8073 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -282,6 +282,9 @@ tests: TEST_TIMEOUT: "90" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index b2cc5bc3924a8..fb28071811573 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -282,6 +282,9 @@ tests: TEST_TIMEOUT: "90" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: "true" workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: From 855f2a20837b58f831b729781485175fc8868e7d Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 4 Jun 2026 09:38:08 -0400 Subject: [PATCH 16/19] Enable TRUSTEE_INSTALL for all CoCo jobs (azure, aro, aws) Add TRUSTEE_INSTALL=true and trustee catalog env vars to: - azure-ipi-coco (all candidate versions) - aro-ipi-coco (all candidate versions) - aws-ipi-coco (already done, this completes the set) Co-Authored-By: Claude Sonnet 4.5 --- ...-operator-devel__downstream-candidate.yaml | 111 +++++++-------- ...erator-devel__downstream-candidate417.yaml | 128 +++++++++--------- ...erator-devel__downstream-candidate418.yaml | 128 +++++++++--------- ...erator-devel__downstream-candidate419.yaml | 128 +++++++++--------- ...erator-devel__downstream-candidate420.yaml | 128 +++++++++--------- ...erator-devel__downstream-candidate421.yaml | 120 ++++++++-------- 6 files changed, 388 insertions(+), 355 deletions(-) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 181c517f96f0a..6b90bfdfeadcc 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.19" + name: '4.19' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.19" + version: '4.19' resources: '*': requests: @@ -42,17 +42,17 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -76,19 +76,19 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -113,22 +113,22 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" + TEST_TIMEOUT: '90' TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" - TRUSTEE_URL: "" + TRUSTEE_INSTALL: 'true' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -149,24 +149,24 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.17.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -187,25 +187,28 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.17.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -228,19 +231,19 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -264,19 +267,19 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index 882ed79b5c2fb..0df03755f243d 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.17" + name: '4.17' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.17" + version: '4.17' resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,21 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -149,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -188,26 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -230,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index beff4f7ddf4de..644d14993083c 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.18" + name: '4.18' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.18" + version: '4.18' resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,21 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -149,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -188,26 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -230,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index df10b8dd5f461..d11469ec93df2 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.19" + name: '4.19' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.19" + version: '4.19' resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,21 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -149,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -188,26 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -230,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index 803a2d2cf8073..0561ec0cf06b3 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.20" + name: '4.20' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.20" + version: '4.20' resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,21 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -149,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -188,26 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -230,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index fb28071811573..cdaad5c22c63c 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: '4.22' upi-installer: - name: "4.21" + name: '4.21' namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: "4.21" + version: '4.21' resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - INITDATA: "" - INSTALL_KATA_RPM: "true" + ENABLE_MUST_GATHER: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'true' KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'true' KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,21 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -149,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "true" + INITDATA: '' + INSTALL_KATA_RPM: 'true' KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -188,26 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: "4.17" + ARO_CLUSTER_VERSION: '4.17' CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -230,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "true" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'true' KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: "true" - ENABLEPEERPODS: "true" - INITDATA: "" - INSTALL_KATA_RPM: "false" - KATA_RPM_VERSION: "" + ENABLE_MUST_GATHER: 'true' + ENABLEPEERPODS: 'true' + INITDATA: '' + INSTALL_KATA_RPM: 'false' + KATA_RPM_VERSION: '' MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: "true" + MUST_GATHER_ON_FAILURE_ONLY: 'true' RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: "90" - TRUSTEE_URL: "" + TEST_TIMEOUT: '90' + TRUSTEE_URL: '' WORKLOAD_TO_TEST: coco TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: "true" + TRUSTEE_INSTALL: 'true' workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: From a2fa5639ee6d3f390c003c8ef07cb3fcd3da4fec Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 4 Jun 2026 10:19:27 -0400 Subject: [PATCH 17/19] Add TRUSTEE operator config to CoCo tests (fix formatting) Enable TRUSTEE_INSTALL for all CoCo jobs (aws-ipi-coco, azure-ipi-coco, aro-ipi-coco) across candidate versions 4.17-4.21. Fixed: Used Python YAML library which reformatted all quotes. Now using surgical line insertion to preserve exact formatting. Co-Authored-By: Claude Sonnet 4.5 --- ...erator-devel__downstream-candidate417.yaml | 132 +++++++++--------- ...erator-devel__downstream-candidate418.yaml | 132 +++++++++--------- ...erator-devel__downstream-candidate419.yaml | 132 +++++++++--------- ...erator-devel__downstream-candidate420.yaml | 132 +++++++++--------- ...erator-devel__downstream-candidate421.yaml | 124 ++++++++-------- 5 files changed, 326 insertions(+), 326 deletions(-) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index 0df03755f243d..8921677e5ed56 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.17' + name: "4.17" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.17' + version: "4.17" resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,24 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -152,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -191,29 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -236,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -273,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index 644d14993083c..8f7464938a699 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.18' + name: "4.18" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.18' + version: "4.18" resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,24 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -152,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -191,29 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -236,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -273,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index d11469ec93df2..00dc2547b5b0c 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.19' + name: "4.19" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.19' + version: "4.19" resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,24 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -152,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -191,29 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -236,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -273,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index 0561ec0cf06b3..771a537f84868 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.20' + name: "4.20" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.20' + version: "4.20" resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,24 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -152,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -191,29 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -236,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -273,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index cdaad5c22c63c..528ae7b24c9bf 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.21' + name: "4.21" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.21' + version: "4.21" resources: '*': requests: @@ -42,18 +42,18 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'true' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -77,20 +77,20 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -115,24 +115,24 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: aro-ipi-peerpods @@ -152,25 +152,25 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'true' + INITDATA: "" + INSTALL_KATA_RPM: "true" KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -191,29 +191,29 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -236,20 +236,20 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "true" KATA_RPM_VERSION: 3.25.0-2.rhaos4.21.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -273,24 +273,24 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' - KATA_RPM_VERSION: '' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_FILTERS: ~DisconnectedOnly&;~Disruptive& TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s zz_generated_metadata: From 2a57e347d4c8e7d0aed919ace05f034ccb43382d Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 4 Jun 2026 10:31:09 -0400 Subject: [PATCH 18/19] Run make ci-operator-config to sort environment variables The determinize-ci-operator tool alphabetically sorted TRUSTEE_* environment variables in all candidate configs. Co-Authored-By: Claude Sonnet 4.5 --- ...-operator-devel__downstream-candidate.yaml | 112 +++++++++--------- ...erator-devel__downstream-candidate417.yaml | 6 +- ...erator-devel__downstream-candidate418.yaml | 6 +- ...erator-devel__downstream-candidate419.yaml | 6 +- ...erator-devel__downstream-candidate420.yaml | 6 +- ...erator-devel__downstream-candidate421.yaml | 6 +- 6 files changed, 71 insertions(+), 71 deletions(-) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 6b90bfdfeadcc..6a4ac3b71479f 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -2,9 +2,9 @@ base_images: tests-private: name: tests-private namespace: ci - tag: '4.22' + tag: "4.22" upi-installer: - name: '4.19' + name: "4.19" namespace: ocp tag: upi-installer prowgen: @@ -14,7 +14,7 @@ releases: release: architecture: amd64 channel: fast - version: '4.19' + version: "4.19" resources: '*': requests: @@ -42,17 +42,17 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' + ENABLE_MUST_GATHER: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s - as: azure-ipi-peerpods @@ -76,19 +76,19 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -113,22 +113,22 @@ tests: CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog CUSTOM_AZURE_REGION: eastus - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' + TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' - TRUSTEE_URL: '' + TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -149,24 +149,24 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.17.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -187,28 +187,28 @@ tests: steps: cluster_profile: azure-qe env: - ARO_CLUSTER_VERSION: '4.17' + ARO_CLUSTER_VERSION: "4.17" CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" HYPERSHIFT_AZURE_LOCATION: eastus - INITDATA: '' - INSTALL_KATA_RPM: 'false' + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.17.el9 LOCATION: eastus MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' - WORKLOAD_TO_TEST: coco + TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog - TRUSTEE_INSTALL: 'true' + TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" + WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s - as: aws-ipi-peerpods @@ -231,19 +231,19 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: peer-pods workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s @@ -267,19 +267,19 @@ tests: AWS_REGION_OVERRIDE: us-east-2 CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog - ENABLE_MUST_GATHER: 'true' - ENABLEPEERPODS: 'true' - INITDATA: '' - INSTALL_KATA_RPM: 'false' + ENABLE_MUST_GATHER: "true" + ENABLEPEERPODS: "true" + INITDATA: "" + INSTALL_KATA_RPM: "false" KATA_RPM_VERSION: 3.21.0-3.rhaos4.19.el9 MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest - MUST_GATHER_ON_FAILURE_ONLY: 'true' + MUST_GATHER_ON_FAILURE_ONLY: "true" RUNTIMECLASS: kata-remote SLEEP_DURATION: 0h TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author - TEST_TIMEOUT: '90' - TRUSTEE_URL: '' + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index 8921677e5ed56..9b756c60202e9 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -128,10 +128,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -209,10 +209,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -286,10 +286,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index 8f7464938a699..7e2d0f68e7e12 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -128,10 +128,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -209,10 +209,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -286,10 +286,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 00dc2547b5b0c..38ae1bd3c866d 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -128,10 +128,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -209,10 +209,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -286,10 +286,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index 771a537f84868..404b26307b7b8 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -128,10 +128,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -209,10 +209,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -286,10 +286,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index 528ae7b24c9bf..0774309caef19 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -128,10 +128,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-azure timeout: 24h0m0s @@ -209,10 +209,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s @@ -286,10 +286,10 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" - TRUSTEE_URL: "" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog TRUSTEE_INSTALL: "true" + TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws timeout: 24h0m0s From 4aadbfbcece222454513c625783c396d2781117d Mon Sep 17 00:00:00 2001 From: Tom Buskey Date: Thu, 4 Jun 2026 13:49:39 -0400 Subject: [PATCH 19/19] Fix TRUSTEE_CATALOG_SOURCE_NAME to trustee-catalog Changed from brew-catalog to trustee-catalog in all candidate configs. Co-Authored-By: Claude Sonnet 4.5 --- ...ed-containers-operator-devel__downstream-candidate.yaml | 7 +++++-- ...containers-operator-devel__downstream-candidate417.yaml | 6 +++--- ...containers-operator-devel__downstream-candidate418.yaml | 6 +++--- ...containers-operator-devel__downstream-candidate419.yaml | 6 +++--- ...containers-operator-devel__downstream-candidate420.yaml | 6 +++--- ...containers-operator-devel__downstream-candidate421.yaml | 6 +++--- 6 files changed, 20 insertions(+), 17 deletions(-) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml index 6a4ac3b71479f..1975eb1c12568 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate.yaml @@ -126,7 +126,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -205,7 +205,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -279,6 +279,9 @@ tests: TEST_RELEASE_TYPE: Pre-GA TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" + TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog + TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aws diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml index 9b756c60202e9..86cc8490f7432 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate417.yaml @@ -129,7 +129,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -210,7 +210,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -287,7 +287,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml index 7e2d0f68e7e12..87d2645d580ab 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate418.yaml @@ -129,7 +129,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -210,7 +210,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -287,7 +287,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 38ae1bd3c866d..c5ef3c8ea3ad3 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -129,7 +129,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -210,7 +210,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -287,7 +287,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml index 404b26307b7b8..622a3e0d85844 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml @@ -129,7 +129,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -210,7 +210,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -287,7 +287,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml index 0774309caef19..46e463347dd6d 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml @@ -129,7 +129,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -210,7 +210,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco @@ -287,7 +287,7 @@ tests: TEST_SCENARIOS: sig-kata.*Kata Author TEST_TIMEOUT: "90" TRUSTEE_CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/trustee-test-fbc:1.1.0-1776506656 - TRUSTEE_CATALOG_SOURCE_NAME: brew-catalog + TRUSTEE_CATALOG_SOURCE_NAME: trustee-catalog TRUSTEE_INSTALL: "true" TRUSTEE_URL: "" WORKLOAD_TO_TEST: coco