[DO NOT MERGE] sandboxed-containers-operator: add Azure disconnected workflow

[balintTobik]

sandboxed-containers-operator: add Azure disconnected workflow

Add e2e workflow for testing OSC on a disconnected ARO cluster.

Summary by CodeRabbit

This PR expands the OpenShift CI infrastructure to run end-to-end (e2e) Sandboxed Containers Operator tests on a disconnected (air-gapped) Azure Red Hat OpenShift (ARO) cluster, including private image/registry mirroring and proxy-aware execution. It’s intentionally blocked from merging into main (marked “[DO NOT MERGE]” with a /hold), and includes a rehearsal trigger (/pj-rehearse) for validation of the new downstream periodic workflow.

Key changes:

1. New e2e workflow for disconnected ARO (sandboxed-containers-operator-e2e-aro-disconnected)
   Adds a dedicated workflow that sets up a private ARO environment (Azure resource group/VNet/bastion/proxy), mirrors required catalogs/images for disconnected operation, performs operator pre-setup, runs OpenShift extended tests, runs must-gather-related post-steps, and then tears down resources. The workflow is designed for disconnected/private visibility scenarios and includes the full step ordering and configuration needed for isolated testing.

2. New periodic downstream CI job (aro-ipi-kata-disconnected)
   Adds a tests job to the 4.19 downstream candidate CI config to run the disconnected ARO e2e workflow with:

   • ENABLE_MUST_GATHER: "false"
   • SLEEP_DURATION: 3h
   • TEST_FILTERS: ~Disruptive&
   • TEST_PARALLEL: "1"
   • the same baseline timeout/reporter structure style as neighboring jobs
     (Notably, the new job definition omits a restrict_network_access field.)

3. New mirror-operator step to support disconnected catalogs/images
   Introduces a new mirroring command implementation that logs into the mirror registry and Red Hat operator registries, generates and runs oc-mirror v2 to mirror operator catalogs, applies generated disconnected cluster-resources, and optionally mirrors extra images (including must-gather/hello-openshift defaults). It also:

   • configures trusted CA for the mirror registry host,
   • disables default OperatorHub catalog sources,
   • waits for relevant MCP stabilization,
   • waits for the disconnected CatalogSource (when discovered/recorded) to become READY,
   • prints catalog status and supports recording the disconnected catalog source name for cluster use.

4. Proxy + disconnected catalog source awareness across supporting steps
   Updates multiple step scripts to be proxy-aware in disconnected environments by conditionally sourcing a shared proxy-conf.sh when present:

   • sandboxed-containers-operator-env-cm-commands.sh (also reads a disconnected_catalog_source_name file from SHARED_DIR and sets CATALOG_SOURCE_NAME accordingly)
   • gather-must-gather-commands.sh
   • get-kata-rpm-commands.sh
   • record-metadata-commands.sh

5. Governance/metadata for the new workflow and step
   Adds/updates OWNERS and workflow metadata for both:

   • the disconnected e2e workflow (e2e/aro-disconnected)
   • the new mirror operator step (mirror-operator)
     to define consistent approvers/reviewers (ldoktor, tbuskey, vvoronko, wainersm).

[balintTobik]

/hold

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d1699357-eea9-4ebb-8a56-7ba25c2f0867

📥 Commits

Reviewing files that changed from the base of the PR and between 18cf38f and 50bff37.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml

---

Walkthrough

Adds a new aro-ipi-kata-disconnected CI job and its backing sandboxed-containers-operator-e2e-aro-disconnected workflow for testing sandboxed containers on a disconnected ARO cluster. Introduces a new mirror-operator step registry entry that mirrors operator catalogs and images into a local registry. Updates several existing step scripts to source proxy configuration and support a disconnected CatalogSource name from shared state.

Changes

ARO Disconnected E2E Testing Pipeline

Layer / File(s)	Summary
Mirror-operator step registry and execution logic ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml, ...-commands.sh, ...-ref.metadata.json, OWNERS	Introduces the complete mirror-operator step: ref spec with vault credentials and environment variables for operator/image selection; commands script performing skopeo login, operator catalog mirroring via oc-mirror v2, cluster-resources application, CatalogSource extraction, ImageTagMirrorSet creation, mirror registry CA trust configuration, OperatorHub disablement, and MCP/CatalogSource readiness polling.
ARO disconnected e2e workflow orchestration ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml, ...workflow.metadata.json, OWNERS	Defines the sandboxed-containers-operator-e2e-aro-disconnected workflow with disconnected/private ARO environment configuration and an ordered pre/test/post step chain: Azure provisioning → bastion/proxy setup → mirror-operator → operator pre-setup → extended tests → must-gather → deprovisioning.
ARO disconnected test job registration ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml	Registers aro-ipi-kata-disconnected CI job targeting azure-qe cluster profile with environment variables disabling must-gather, setting TEST_FILTERS to ~Disruptive&, TEST_PARALLEL to "1", and 3h sleep duration; points to ARO disconnected workflow with 24h0m0s timeout and reporter configuration.
Proxy configuration and disconnected catalog source propagation ci-operator/step-registry/sandboxed-containers-operator/env-cm/...-commands.sh, gather-must-gather/...-commands.sh, get-kata-rpm/...-commands.sh, record-metadata/...-commands.sh	Updates four existing step scripts to conditionally source ${SHARED_DIR}/proxy-conf.sh at startup for proxy environment propagation; extends env-cm to read disconnected_catalog_source_name from shared state and override CATALOG_SOURCE_NAME, enabling mirror-operator output to be consumed by dependent steps.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

rehearsals-ack

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	mirror-operator-commands.sh enables 'set -x' (line 6) and then executes skopeo login commands with registry credentials (lines 35-36), exposing usernames and passwords in logs.	Remove 'set -x' before credential extraction, or temporarily disable it with 'set +x' around lines 35-36 where credentials are used in commands.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding an Azure disconnected workflow for the sandboxed-containers-operator.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds CI/CD workflow configs and shell scripts only. No Ginkgo test definitions (It(), Describe(), etc.) found in any modified files. Check is not applicable.
Test Structure And Quality	✅ Passed	PR adds CI/CD workflow infrastructure (YAML, JSON, shell scripts) for disconnected ARO testing, not Ginkgo tests. The custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR adds only CI/CD infrastructure (YAML workflows, JSON metadata, shell scripts, OWNERS files) with no new Ginkgo e2e tests, making the MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no new Ginkgo e2e tests (0 Go test files). Changes are CI configuration, workflow definitions, and shell scripts only. SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only CI configuration files (Prow jobs, workflows, step registry metadata, scripts, OWNERS) with no deployment manifests containing scheduling constraints that assume standard HA topology.
Ote Binary Stdout Contract	✅ Passed	PR contains no Go test binaries or OTE binary code; only CI configuration YAML, shell scripts, and metadata files. Custom check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds CI infrastructure and setup scripts for disconnected ARO testing, but contains zero new Ginkgo test definitions (It, Describe, Context, When). Check applies only to new tests; therefore not...
No-Weak-Crypto	✅ Passed	Comprehensive review of all PR changes found no weak cryptography usage in newly added files. Only additions to existing scripts detected, with no MD5/SHA1/DES/RC4/ECB algorithms or non-constant-ti...
Container-Privileges	✅ Passed	No privileged container configurations found. PR adds CI workflow configs and shell scripts without privileged: true, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: balintTobik
Once this PR has been reviewed and has the lgtm label, please assign wainersm for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/sandboxed-containers-operator/OWNERS
• ci-operator/jobs/openshift/sandboxed-containers-operator/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`:
- Line 107: The oc apply and oc patch commands at lines 107, 123, and 159 are
using || true to suppress errors, which masks critical cluster configuration
failures and allows the step to report success even when the cluster is only
partially configured. Remove the || true error suppression from all three oc
apply and oc patch command invocations to allow the script to fail appropriately
when these critical operations encounter errors, ensuring the cluster is
properly configured before the step completes.
- Line 6: Remove the global xtrace setting by replacing the `set -x` on line 6
with the default strict mode `set -euo pipefail`, which enables error handling
and variable expansion without command tracing. Additionally, refactor the
registry login commands at lines 35-37 to use the `--password-stdin` method
instead of passing the password directly with the `-p` flag, which pipes the
password through stdin instead of exposing it as a command-line argument that
could be captured in traces or process listings.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml`:
- Around line 15-16: The environment variable declared with the name
OPERTORS_TO_MIRROR contains a typo (missing the "A" in OPERATORS). Rename the
variable declaration from OPERTORS_TO_MIRROR to OPERATORS_TO_MIRROR in the YAML
file at the name field. Additionally, add backward-compatible fallback logic in
the associated command script to check for the old misspelled variable name
OPERTORS_TO_MIRROR and use it if OPERATORS_TO_MIRROR is not set, ensuring
existing callers using the misspelled name continue to work while new code uses
the correct spelling.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0d6c86a0-0e95-4d47-a407-c355b3f87023

📥 Commits

Reviewing files that changed from the base of the PR and between c75ad6f and 18cf38f.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (12)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml
• ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml
• ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Stop tracing and argv-passing registry credentials.

Line 6 enables global xtrace, and Lines 35-37 pass passwords with -p; together this can expose credential material in traces/process args. Keep default strict mode without -x, and use --password-stdin for registry logins.
As per coding guidelines, "Use default set -euo pipefail (without -x) in step registry command scripts; only enable -x when actively debugging" and "Protect sensitive information... never echo or print passwords, tokens, API keys."

Suggested patch

-set -x
+# Keep default strict mode without global xtrace.
@@
-echo "Logging into registries..."
-skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" -p "${mirror_registry_password}" --tls-verify=false
-skopeo login registry.redhat.io -u "${redhat_auth_user}" -p "${redhat_auth_password}"
+echo "Logging into registries..."
+printf '%s' "${mirror_registry_password}" | \
+  skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" --password-stdin --tls-verify=false
+printf '%s' "${redhat_auth_password}" | \
+  skopeo login registry.redhat.io -u "${redhat_auth_user}" --password-stdin

Also applies to: 35-37

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`
at line 6, Remove the global xtrace setting by replacing the `set -x` on line 6
with the default strict mode `set -euo pipefail`, which enables error handling
and variable expansion without command tracing. Additionally, refactor the
registry login commands at lines 35-37 to use the `--password-stdin` method
instead of passing the password directly with the `-p` flag, which pipes the
password through stdin instead of exposing it as a command-line argument that
could be captured in traces or process listings.

Source: Coding guidelines

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Do not suppress critical cluster-configuration failures.

Lines 107, 123, and 159 ignore oc apply/patch errors with || true, which can leave the cluster partially configured while this step reports success.

Suggested patch

-            oc apply -f "$f" || true
+            oc apply -f "$f"
@@
-    cat <<EOFITMS | oc apply -f - || true
+    cat <<EOFITMS | oc apply -f -
@@
-oc patch operatorhub cluster --type=merge -p '{"spec":{"disableAllDefaultSources":true}}' || true
+oc patch operatorhub cluster --type=merge -p '{"spec":{"disableAllDefaultSources":true}}'

Also applies to: 123-123, 159-159

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`
at line 107, The oc apply and oc patch commands at lines 107, 123, and 159 are
using || true to suppress errors, which masks critical cluster configuration
failures and allows the step to report success even when the cluster is only
partially configured. Remove the || true error suppression from all three oc
apply and oc patch command invocations to allow the script to fail appropriately
when these critical operations encounter errors, ensuring the cluster is
properly configured before the step completes.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the operator env var name typo before this interface spreads.

Line 15 declares OPERTORS_TO_MIRROR (misspelled). This makes intuitive callers of OPERATORS_TO_MIRROR silently ineffective and can produce unexpected defaults at runtime. Rename the declared variable and keep a temporary backward-compatible fallback in the command script.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml`
around lines 15 - 16, The environment variable declared with the name
OPERTORS_TO_MIRROR contains a typo (missing the "A" in OPERATORS). Rename the
variable declaration from OPERTORS_TO_MIRROR to OPERATORS_TO_MIRROR in the YAML
file at the name field. Additionally, add backward-compatible fallback logic in
the associated command script to check for the old misspelled variable name
OPERTORS_TO_MIRROR and use it if OPERATORS_TO_MIRROR is not set, ensuring
existing callers using the misspelled name continue to work while new code uses
the correct spelling.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@balintTobik: job(s): periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected either don't exist or were not found to be affected, and cannot be rehearsed

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@balintTobik: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-coco	N/A	periodic	Registry content changed

A total of 50 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@balintTobik: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected	50bff37	link	unknown	/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.