diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml index 2d6adf1458cfe..71214c0ca0f3e 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml @@ -208,22 +208,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" - TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet 
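Review bot: The load-balancer availability monitor is no longer disabled for this job once it inherits its settings from `hypershift-aws-conformance-calico-private`. The removed override was `--disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability`, while the new workflow later in this diff sets only `TEST_ARGS: --disable-monitor=apiserver-incluster-availability`. If re-enabling that monitor on a private cluster is not intended, restore it in the workflow env as `TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability`; if it is intended, the commit description should say so. The same applies to the identical hunks for release-4.20 and release-4.21.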
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml index 13b6d47ae992c..76c809db142e2 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml @@ -220,22 +220,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" - TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet 
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml index 5784de6e3f8b4..20f5f4e31048e 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml @@ -296,22 +296,7 @@ tests: env: BASE_DOMAIN: qe.devcluster.openshift.com HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" - TEST_ARGS: --disable-monitor=apiserver-incluster-availability,service-type-load-balancer-availability - TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| - Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should - provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] - net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on - whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| - sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created - test: - - chain: hypershift-conformance - workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico + workflow: hypershift-aws-conformance-calico-private - as: e2e-kubevirt-metal-conformance-calico capabilities: - intranet 
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index 14ab8c018dbf4..fc5fdbdee0b59 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml @@ -237,6 +237,37 @@ tests: steps: cluster_profile: openshift-org-aws workflow: hypershift-kubevirt-csi-e2e +- as: e2e-aws-conformance-calico + minimum_interval: 168h + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-conformance-calico +- as: e2e-aws-conformance-calico-private + minimum_interval: 168h + steps: + cluster_profile: aws-qe + env: + BASE_DOMAIN: qe.devcluster.openshift.com + HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true" + workflow: hypershift-aws-conformance-calico-private +- as: e2e-kubevirt-metal-conformance-calico + capabilities: + - intranet + minimum_interval: 168h + steps: + cluster_profile: equinix-ocp-hcp + env: + KONFLUX_DEPLOY_CATALOG_SOURCE: "true" + KONFLUX_DEPLOY_OPERATORS: "true" + KONFLUX_DEPLOY_SUBSCRIPTION: "false" + LOCAL_STORAGE_OPERATOR_SUB_SOURCE: local-storage-konflux + LVM_OPERATOR_SUB_CHANNEL: stable-4.22 + LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource + METALLB_OPERATOR_SUB_SOURCE: metallb-konflux + ODF_OPERATOR_SUB_CHANNEL: stable-4.21 + ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21 + REDHAT_OPERATORS_INDEX_TAG: v4.21 + workflow: hypershift-kubevirt-baremetalds-conformance-calico - as: e2e-azure-aks-ovn-conformance cron: 0 */2 * * * steps: diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml index 4c567409a32ee..ce5e3763369e5 100644 --- a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml 
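Review bot: The new `e2e-kubevirt-metal-conformance-calico` entry for release 4.22 mixes catalog versions: `ODF_OPERATOR_SUB_CHANNEL: stable-4.21`, `ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-21` and `REDHAT_OPERATORS_INDEX_TAG: v4.21` sit next to `LVM_OPERATOR_SUB_CHANNEL: stable-4.22`. If the 4.21 pins are deliberate (for example because a 4.22 catalog is not published yet), record the reason in the commit description, or in a comment if the config tooling preserves one. That stops the next branch cut from copying them unexamined. Otherwise bump them to the 4.22 equivalents.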
+++ b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.22-periodics.yaml 
@@ -418,6 +418,172 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-calico-private + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-conformance-calico-private + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 decorate: true 
@@ -1660,6 +1826,90 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build11 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: release-4.22 + org: openshift + repo: hypershift + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + minimum_interval: 168h + name: periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-calico + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-kubevirt-metal-conformance-calico + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + 
secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build01 cron: 0 10 * * * diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh index 876f570250ff1..5760bcc1cd5d6 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/enable-qe/pull-secret/cucushift-hypershift-extended-enable-qe-pull-secret-commands.sh 
@@ -135,6 +135,18 @@ rm /tmp/global-pull-secret.json echo "{\"spec\":{\"pullSecret\":{\"name\":\"$CLUSTER_NAME-pull-secret-new\"}}}" > /tmp/patch.json oc patch hostedclusters -n "$HYPERSHIFT_NAMESPACE" "$CLUSTER_NAME" --type=merge -p="$(cat /tmp/patch.json)" +# Patching the HostedCluster pullSecret triggers a MachineDeployment rolling update +# (new ignition/user-data). Wait for the rollout to complete before proceeding, +# otherwise conformance tests will run on a cluster with nodes being replaced. +echo "Waiting for MachineDeployment rollouts" +MD_NAMESPACE="${HYPERSHIFT_NAMESPACE}-${CLUSTER_NAME}" +timeout 5m bash -c 'until oc get machinedeployments -n "'"${MD_NAMESPACE}"'" -l "cluster.x-k8s.io/cluster-name='"${CLUSTER_NAME}"'" --no-headers 2>/dev/null | grep -q .; do sleep 10; done' +for md in $(oc get machinedeployments -n "${MD_NAMESPACE}" -l "cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}" -o jsonpath='{.items[*].metadata.name}'); do + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m + echo "Waiting for MachineDeployment ${md} to finish rolling out..." + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=False --timeout=45m +done + echo "check day-2 pull-secret update" export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" RETRIES=45 diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml index 28d6017833997..c14d71ddda73f 100644 --- a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml 
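Review bot: The `oc wait ... --for=condition=RollingOut=True --timeout=5m` line assumes every MachineDeployment will be observed entering a rollout. If a rollout completes before this line runs, or the patch does not alter a given MachineDeployment, the wait exits non-zero after five minutes, and if the script runs with errexit (set outside this hunk) the step fails on a healthy cluster. Consider tolerating that timeout, e.g. `oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m || echo "no rollout observed for ${md}"`. It is also worth confirming that the Cluster API version in use populates `RollingOut` in `.status.conditions`. The `2>/dev/null` in the `until` loop hides authorization and API errors for the full five minutes; letting stderr through would make such failures diagnosable.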
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/ovn/hypershift/private/guest/calico/cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest-calico-workflow.yaml @@ -4,6 +4,7 @@ workflow: env: HYPERSHIFT_NETWORK_TYPE: "Other" HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade + CNI_PROVIDER: "calico" pre: - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision - ref: cucushift-hypershift-extended-calico diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json new file mode 100644 index 0000000000000..051262fec672f --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file 
diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml new file mode 100644 index 0000000000000..8824e5388e1af --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico-private/hypershift-aws-conformance-calico-private-workflow.yaml 
@@ -0,0 +1,38 @@ +workflow: + as: hypershift-aws-conformance-calico-private + documentation: |- + Provisions a private HyperShift hosted cluster on AWS with Calico CNI + and runs OpenShift conformance tests against it. + steps: + env: + HYPERSHIFT_NETWORK_TYPE: "Other" + HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade + CNI_PROVIDER: "calico" + TEST_ARGS: --disable-monitor=apiserver-incluster-availability + TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| + balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] + when installed on the cluster should provide named network metrics\| Unidling + \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work + with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should + work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] + net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on + whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| + sysctl allowlist update should start a pod with custom sysctl only when the + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| loadbalancer + NLB internal should be reachable with hairpinning traffic\| loadbalancer NLB + should be reachable with target-node-labels\| Critical-CCO-based flow for + olm managed operators and AWS STS\|The HAProxy router should pass the http2 + tests + pre: + - chain: hypershift-aws-private-provision + - ref: hypershift-calico-install + - ref: hypershift-calico-health-check + - chain: hypershift-enable-qe-catalogsource + - ref: hypershift-enable-guest + test: + - chain: hypershift-conformance + post: + - ref: hypershift-disable-guest + - chain: 
hypershift-aws-private-deprovision diff --git a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml index 3a9939e5ad244..019933839467e 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-calico/hypershift-aws-conformance-calico-workflow.yaml @@ -7,9 +7,11 @@ workflow: steps: env: HYPERSHIFT_NETWORK_TYPE: "Other" - TEST_ARGS: --disable-monitor=service-type-load-balancer-availability + CNI_PROVIDER: "calico" + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\| - Cluster scoped load balancer healthcheck port and path should be 10256/healthz\| + balancer healthcheck port and path should be 10256/healthz\| Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] 
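Review bot: The `TEST_SKIPS` value in the new private workflow carries no rationale comments, although it disables security-relevant checks (the default cluster RBAC policy test and the sysctl allowlist tests) and adds an HAProxy http2 skip that appears nowhere else in this diff. The sibling `hypershift-aws-conformance-calico` hunk adds `# NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537)` and `# CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630)`; the same two comments belong above `TEST_SKIPS` here, plus one line naming the tracking issue for the http2 skip. In both workflows the alternative `Cluster scoped load balancer healthcheck port and path should be 10256/healthz` is shortened to `balancer healthcheck port and path should be 10256/healthz`, which matches any test name containing that fragment. If the shortening is deliberate, a comment should say why; otherwise restore the full name.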
@@ -19,7 +21,10 @@ workflow: net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\| sysctl allowlist update should start a pod with custom sysctl only when the - sysctl is added to whitelist\|Ensure HTTPRoute object is created + sysctl is added to whitelist\|Ensure HTTPRoute object is created\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS post: - chain: hypershift-dump - chain: hypershift-aws-destroy @@ -31,5 +36,5 @@ workflow: - chain: hypershift-setup-nested-management-cluster - ref: hypershift-install - chain: hypershift-aws-create - - ref: cucushift-hypershift-extended-calico - - ref: cucushift-hypershift-extended-calico-health-check + - ref: hypershift-calico-install + - ref: hypershift-calico-health-check diff --git a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml index fe78c17db6075..0cbc1b6c0a3ae 100644 --- a/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml +++ b/ci-operator/step-registry/hypershift/aws/create/hypershift-aws-create-chain.yaml @@ -88,7 +88,7 @@ chain: documentation: "The additional ca bundle file name in the shared directory" - name: CNI_PROVIDER default: "" - documentation: "The CNI provider to use for the cluster. Supported values: cilium" + documentation: "The CNI provider to use for the cluster. Supported values: cilium, calico" commands: |- set -exuo pipefail AWS_GUEST_INFRA_CREDENTIALS_FILE="/etc/hypershift-ci-jobs-awscreds/credentials" 
@@ -189,7 +189,7 @@ chain: fi # Required for Cilium, see OCPBUGS-85607. - if [[ "$CNI_PROVIDER" == "cilium" ]]; then + if [[ "$CNI_PROVIDER" == "cilium" || "$CNI_PROVIDER" == "calico" ]]; then COMMAND+=(--annotations=hypershift.openshift.io/aws-load-balancer-health-probe-mode=ServiceNodePort) fi diff --git a/ci-operator/step-registry/hypershift/aws/install-private/OWNERS b/ci-operator/step-registry/hypershift/aws/install-private/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/install-private/config/OWNERS b/ci-operator/step-registry/hypershift/aws/install-private/config/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/config/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-commands.sh b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-commands.sh new file mode 100644 index 0000000000000..19d5e307ddb97 --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-commands.sh 
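Review bot: The comment above the changed condition still reads `# Required for Cilium, see OCPBUGS-85607.` although the branch now also applies the `aws-load-balancer-health-probe-mode=ServiceNodePort` annotation when `CNI_PROVIDER` is `calico`. Update it to name both providers, e.g. `# Required for Cilium and Calico, see OCPBUGS-85607.`, or cite the Calico-specific issue if a different one tracks it. The enclosing `commands` block starts and ends outside this hunk.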
@@ -0,0 +1,39 @@ +#!/bin/bash + +set -o errexit +set -o nounset +set -o pipefail + +if [[ "${CLUSTER_TYPE,,}" != *aws* ]]; then + echo "Running on platform ${CLUSTER_TYPE}, skipping this step" + exit 0 +fi + +export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" +REGION=${HYPERSHIFT_AWS_REGION:-$LEASED_RESOURCE} + +BUCKET_NAME="$(echo -n "${PROW_JOB_ID}" | sha256sum | cut -c-20)" +echo "create bucket name: $BUCKET_NAME, region $REGION" +if [ "$REGION" == "us-east-1" ]; then + aws s3api create-bucket --bucket "$BUCKET_NAME" \ + --region us-east-1 +else + aws s3api create-bucket --bucket "$BUCKET_NAME" \ + --create-bucket-configuration LocationConstraint="$REGION" \ + --region "$REGION" +fi +aws s3api delete-public-access-block --bucket "$BUCKET_NAME" +export BUCKET_NAME=$BUCKET_NAME +# shellcheck disable=SC2016 +echo '{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::${BUCKET_NAME}/*" + } + ] +}' | envsubst > /tmp/bucketpolicy.json +aws s3api put-bucket-policy --bucket "$BUCKET_NAME" --policy file:///tmp/bucketpolicy.json diff --git a/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.metadata.json b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.metadata.json new file mode 100644 index 0000000000000..f76f157d1d29d --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file 
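Review bot: `aws s3api delete-public-access-block --bucket "$BUCKET_NAME"` removes all four public-access-block settings, but the script only needs a public bucket policy, not public ACLs. A narrower setting keeps the ACL protections in place: `aws s3api put-public-access-block --bucket "$BUCKET_NAME" --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=false,RestrictPublicBuckets=false`. The `"Principal": "*"` policy is presumably required so the OIDC discovery documents can be fetched anonymously; a comment above the policy such as `# OIDC discovery documents must be anonymously readable; only s3:GetObject is granted` would make that intent explicit for reviewers who see a world-readable bucket. No bucket deletion is visible in this diff, so confirm that a deprovision step removes the bucket.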
diff --git a/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.yaml b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.yaml new file mode 100644 index 0000000000000..4f62cb0fd2c33 --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/config/hypershift-aws-install-private-config-ref.yaml @@ -0,0 +1,19 @@ +ref: + as: hypershift-aws-install-private-config + from_image: + namespace: ocp + name: "4.16" + tag: upi-installer + env: + - name: HYPERSHIFT_AWS_REGION + default: "" + documentation: | + Specifies the AWS region for the cluster. If left as an empty string, + the region defaults to that of the management cluster. + commands: hypershift-aws-install-private-config-commands.sh + grace_period: 10m0s + resources: + requests: + cpu: 100m + documentation: |- + This step, when running on AWS, creates an S3 bucket to hold the OIDC documents. diff --git a/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.metadata.json b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.metadata.json new file mode 100644 index 0000000000000..28d92611976a2 --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/install-private/hypershift-aws-install-private-chain.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file 
diff --git a/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.yaml b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.yaml new file mode 100644 index 0000000000000..10f71cd9e31fa --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-chain.yaml @@ -0,0 +1,9 @@ +chain: + as: hypershift-aws-install-private + steps: + - ref: hypershift-aws-install-private-config + - ref: hypershift-aws-install-private + documentation: |- + This chain performs the following steps: + - (AWS only) Create an S3 bucket to hold the OIDC documents + - Install Hypershift operator diff --git a/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-commands.sh b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-commands.sh new file mode 100644 index 0000000000000..5aad2b2dabadd --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-commands.sh 
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Get HO image and Hypershift CLI
+HCP_CLI="bin/hypershift"
+OPERATOR_IMAGE=$HYPERSHIFT_RELEASE_LATEST
+if [[ $HO_MULTI == "true" ]]; then
+ OPERATOR_IMAGE="quay.io/acm-d/rhtap-hypershift-operator:latest"
+ oc extract secret/pull-secret -n openshift-config --to=/tmp --confirm
+ mkdir /tmp/hs-cli
+ oc image extract quay.io/acm-d/rhtap-hypershift-operator:latest --path /usr/bin/hypershift:/tmp/hs-cli --registry-config=/tmp/.dockerconfigjson --filter-by-os="linux/amd64"
+ chmod +x /tmp/hs-cli/hypershift
+ HCP_CLI="/tmp/hs-cli/hypershift"
+fi
+
+# Build up the hypershift install command
+COMMAND=(
+ "${HCP_CLI}" install
+ --hypershift-image="${OPERATOR_IMAGE}"
+ --platform-monitoring=All
+ --wait-until-available
+)
+
+case "${HYPERSHIFT_FEATURE_SET:-}" in
+"")
+ ;;
+TechPreviewNoUpgrade)
+ COMMAND+=(--tech-preview-no-upgrade)
+ ;;
+*)
+ echo "Unsupported feature set ${HYPERSHIFT_FEATURE_SET}" >&2
+ exit 1
+ ;;
+esac
+
+if [[ "$HYPERSHIFT_ENABLE_CONVERSION_WEBHOOK" == "true" ]]; then
+ COMMAND+=(--enable-conversion-webhook="true")
+else
+ COMMAND+=(--enable-conversion-webhook="false")
+fi
+
+if [[ "$HYPERSHIFT_OPERATOR_PULL_SECRET" == "true" ]]; then
+ PULL_SECRET_PATH="${CLUSTER_PROFILE_DIR}/pull-secret"
+ if [[ -f "${SHARED_DIR}/hypershift-pull-secret" ]]; then
+ PULL_SECRET_PATH="${SHARED_DIR}/hypershift-pull-secret"
+ fi
+ COMMAND+=(--pull-secret="$PULL_SECRET_PATH")
+fi
+
+case "${CLUSTER_TYPE,,}" in
+*aws*)
+ BUCKET_NAME="$(echo -n "$PROW_JOB_ID"|sha256sum|cut -c-20)"
+ REGION=${HYPERSHIFT_AWS_REGION:-$LEASED_RESOURCE}
+
+ COMMAND+=(
+ --oidc-storage-provider-s3-credentials="${CLUSTER_PROFILE_DIR}/.awscred"
+ --oidc-storage-provider-s3-bucket-name="${BUCKET_NAME}"
+ --oidc-storage-provider-s3-region="${REGION}"
+ )
+
+ if [[ -n "$HYPERSHIFT_EXTERNAL_DNS_DOMAIN" ]]; then
+ COMMAND+=(
+ --external-dns-credentials="${CLUSTER_PROFILE_DIR}/.awscred"
+ --external-dns-provider=aws
+ --external-dns-domain-filter="$HYPERSHIFT_EXTERNAL_DNS_DOMAIN"
+ )
+ fi
+
+ if [[ "${ENABLE_PRIVATE}" = "true" ]]; then
+ COMMAND+=(
+ --private-platform=AWS
+ --aws-private-creds=/etc/hypershift-pool-aws-credentials/awsprivatecred
+ --aws-private-region="${REGION}"
+ )
+ fi
+
+ # If latest supported version is 4.15.0 or above, add the cvo conditional update while installing HO
+ ho_version_info=$("${HCP_CLI}" -v)
+ ocp_version=$(echo "${ho_version_info}" | grep -oP 'Latest supported OCP: \K\d+\.\d+\.\d+')
+ if [ -n "${ocp_version}" ]; then
+ if [ "$(printf '%s\n' "4.15.0" "${ocp_version}" | sort -V | tail -n 1)" == "${ocp_version}" ]; then
+ COMMAND+=(--enable-cvo-management-cluster-metrics-access=true --enable-uwm-telemetry-remote-write=true)
+ fi
+ fi
+ ;;
+*)
+ echo "Unsupported platform ${CLUSTER_TYPE}" >&2
+ exit 1
+ ;;
+esac
+
+# Hypershift install
+set -x
+"${COMMAND[@]}"
diff --git a/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.metadata.json b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.metadata.json
new file mode 100644
index 0000000000000..11610b4786210
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.metadata.json
@@ -0,0 +1,21 @@
+{
+ "path": "hypershift/aws/install-private/hypershift-aws-install-private-ref.yaml",
+ "owners": {
+ "approvers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ],
+ "reviewers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.yaml b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.yaml
new file mode 100644
index 0000000000000..a492e124e3c6e
--- /dev/null
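Review bot: The `HO_MULTI` branch pulls `quay.io/acm-d/rhtap-hypershift-operator:latest`, extracts `/usr/bin/hypershift` from it and then runs that binary as `HCP_CLI` with the cluster-profile AWS credential paths on its command line, so whatever the mutable `:latest` tag resolves to at job time is what gets executed. Pinning both references by digest, e.g. `OPERATOR_IMAGE="quay.io/acm-d/rhtap-hypershift-operator@sha256:PINNED_DIGEST_PLACEHOLDER"` and reusing `"${OPERATOR_IMAGE}"` in the `oc image extract` call, would make the run reproducible and auditable. The same branch writes the cluster pull secret to `/tmp/.dockerconfigjson` via `oc extract ... --to=/tmp` and nothing visible in the script removes it; a `trap 'rm -f /tmp/.dockerconfigjson' EXIT` placed right after `set -euo pipefail` would cover every exit path.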
+++ b/ci-operator/step-registry/hypershift/aws/install-private/hypershift-aws-install-private-ref.yaml
@@ -0,0 +1,44 @@
+ref:
+ as: hypershift-aws-install-private
+ cli: latest
+ from: hypershift-operator
+ dependencies:
+ - env: HYPERSHIFT_RELEASE_LATEST
+ name: hypershift-operator
+ env:
+ - name: HYPERSHIFT_AWS_REGION
+ default: ""
+ documentation: |
+ Specifies the AWS region for the cluster. If left as an empty string,
+ the region defaults to that of the management cluster.
+ - name: HYPERSHIFT_ENABLE_CONVERSION_WEBHOOK
+ default: "true"
+ documentation: Whether to enable webhook for converting hypershift API types.
+ - name: HYPERSHIFT_EXTERNAL_DNS_DOMAIN
+ default: "hypershift-ext.qe.devcluster.openshift.com"
+ documentation: Specifies the external DNS domain. If left empty, external DNS is assumed to be disabled.
+ - name: HYPERSHIFT_FEATURE_SET
+ default: ""
+ documentation: Defines the feature set utilized by Hypershift hosted clusters.
+ - name: HYPERSHIFT_OPERATOR_PULL_SECRET
+ default: "false"
+ documentation: If set to true, adds --pull-secret= to the hypershift install command.
+ - name: HO_MULTI
+ default: "false"
+ documentation: "If true, HyperShift Operator image will be multi"
+ - name: ENABLE_PRIVATE
+ default: "true"
+ documentation: |
+ Whether to enable private mode (due to https://issues.redhat.com/browse/NE-1298 only supporting amd64)
+ commands: hypershift-aws-install-private-commands.sh
+ grace_period: 10m0s
+ timeout: 20m0s
+ resources:
+ requests:
+ cpu: 100m
+ credentials:
+ - mount_path: /etc/hypershift-pool-aws-credentials
+ name: hypershift-qe-aws-privatecred
+ namespace: test-credentials
+ documentation: |-
+ Install HyperShift Operator.
diff --git a/ci-operator/step-registry/hypershift/aws/metadata/OWNERS b/ci-operator/step-registry/hypershift/aws/metadata/OWNERS
new file mode 120000
index 0000000000000..ec405d65a79df
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/metadata/OWNERS
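Review bot: The `credentials` entry mounts `hypershift-qe-aws-privatecred` at `/etc/hypershift-pool-aws-credentials`, but none of the env documentation says when that secret is consumed; in the commands script, `/etc/hypershift-pool-aws-credentials/awsprivatecred` is only passed to the installer when `ENABLE_PRIVATE` is `"true"`. I would extend the `ENABLE_PRIVATE` documentation to state this, e.g. `When "true", installs with --private-platform=AWS using the mounted hypershift-qe-aws-privatecred secret.` The NE-1298 remark in the same field should also be reworded, since it does not say what is restricted to amd64 or how that relates to this switch.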
@@ -0,0 +1 @@
+../OWNERS
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-commands.sh b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-commands.sh
new file mode 100644
index 0000000000000..122caf0053563
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-commands.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -x
+set -o pipefail
+
+export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
+REGION=${LEASED_RESOURCE}
+
+vpc_id="$(oc get hc -A -o jsonpath='{.items[0].spec.platform.aws.cloudProviderConfig.vpc}')"
+if [[ -z "${vpc_id}" || "${vpc_id}" == "null" ]]; then
+ echo "Error: HostedCluster VPC ID not found." >&2
+ exit 1
+fi
+
+infra_id="$(oc get hc -A -o jsonpath='{.items[0].spec.infraID}')"
+if [[ -z "${infra_id}" || "${infra_id}" == "null" ]]; then
+ echo "Error: HostedCluster infraID not found." >&2
+ exit 1
+fi
+
+public_subnet="$(aws --region "${REGION}" ec2 describe-subnets --filters "Name=tag:kubernetes.io/cluster/${infra_id},Values=owned" "Name=tag:Name,Values=*public*" --query 'Subnets[0].SubnetId' --output text)"
+if [[ -z "${public_subnet}" || "${public_subnet}" == "None" || "${public_subnet}" == "null" ]]; then
+ echo "Error: Public subnet ID lookup failed for infraID ${infra_id} in region ${REGION}." >&2
+ exit 1
+fi
+
+if [[ -f "${SHARED_DIR}/vpc_id" ]]; then
+ echo "Error: The file ${SHARED_DIR}/vpc_id already exists. Operation aborted to prevent overwriting."
+ exit 1
+fi
+if [[ -f "${SHARED_DIR}/public_subnet_ids" ]]; then
+ echo "Error: The file ${SHARED_DIR}/public_subnet_ids already exists. Operation aborted to prevent overwriting."
+ exit 1
+fi
+echo "$vpc_id" > "${SHARED_DIR}/vpc_id"
+echo "- $public_subnet" > "${SHARED_DIR}/public_subnet_ids"
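Review bot: The `describe-subnets` call filters only on the `kubernetes.io/cluster/${infra_id}` tag and a `*public*` name pattern and then takes `Subnets[0]`, so the subnet written to `${SHARED_DIR}/public_subnet_ids` is never tied to the `vpc_id` the script has just read. Adding `"Name=vpc-id,Values=${vpc_id}"` to `--filters` keeps the two files consistent for whatever consumes them (presumably the bastion step that follows in the provision chain). Both `oc get hc -A` lookups also take `.items[0]`, which depends on list order if the management cluster ever holds more than one HostedCluster; a comment such as `# assumes exactly one HostedCluster on the management cluster`, or a count check, would make that assumption explicit. The two "already exists" messages go to stdout while every other error in the script uses `>&2`.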
diff --git a/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.metadata.json b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.metadata.json new file mode 100644 index 0000000000000..023b2b2ef25d0 --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/metadata/hypershift-aws-metadata-ref.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.yaml b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.yaml new file mode 100644 index 0000000000000..a2e56ec8547df --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/metadata/hypershift-aws-metadata-ref.yaml @@ -0,0 +1,16 @@ +ref: + as: hypershift-aws-metadata + from_image: + namespace: ocp + name: "4.16" + tag: upi-installer + cli: latest + commands: hypershift-aws-metadata-commands.sh + grace_period: 10m0s + resources: + requests: + cpu: 100m + documentation: |- + This step retrieves the VPC ID and a public subnet ID from the first hosted cluster from the management cluster. + Files named ${SHARED_DIR}/vpc_id and ${SHARED_DIR}/public_subnet_ids are created to store these IDs, respectively. + It is expected that these files do not exist prior to this step. diff --git a/ci-operator/step-registry/hypershift/aws/private-deprovision/OWNERS b/ci-operator/step-registry/hypershift/aws/private-deprovision/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/private-deprovision/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file 
diff --git a/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.metadata.json b/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.metadata.json new file mode 100644 index 0000000000000..a8c2c0321ec41 --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.yaml b/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.yaml new file mode 100644 index 0000000000000..f5d88a88fe34e --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/private-deprovision/hypershift-aws-private-deprovision-chain.yaml 
@@ -0,0 +1,25 @@
+chain:
+ as: hypershift-aws-private-deprovision
+ steps:
+ - chain: hypershift-dump
+ - chain: gather-network
+ - ref: gather-proxy
+ - chain: gather-core-dump
+ - ref: gather-aws-console
+ - ref: aws-deprovision-security-group
+ - ref: aws-deprovision-stacks
+ - ref: aws-deprovision-s3buckets
+ - ref: proxy-config-remove
+ - chain: hypershift-aws-destroy
+ - chain: ipi-deprovision
+ env:
+ - name: HYPERSHIFT_AWS_REGION
+ default: ""
+ - name: HYPERSHIFT_BASE_DOMAIN
+ default: "hypershift-ci.qe.devcluster.openshift.com"
+ - name: HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT
+ default: "true"
+ documentation: |-
+ This chain deprovisions a fully private Hypershift hosted cluster on AWS.
+ Note that the bastion host must be deprovisioned before the hosted cluster to avoid dependency violations
+ which will otherwise occur during the removal of the hosted cluster.
diff --git a/ci-operator/step-registry/hypershift/aws/private-provision/OWNERS b/ci-operator/step-registry/hypershift/aws/private-provision/OWNERS
new file mode 120000
index 0000000000000..ec405d65a79df
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/private-provision/OWNERS
@@ -0,0 +1 @@
+../OWNERS
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.metadata.json b/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.metadata.json
new file mode 100644
index 0000000000000..decbe46036e9e
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.metadata.json
@@ -0,0 +1,21 @@ +{ + "path": "hypershift/aws/private-provision/hypershift-aws-private-provision-chain.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.yaml b/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.yaml new file mode 100644 index 0000000000000..730ea7344cfaa --- /dev/null +++ b/ci-operator/step-registry/hypershift/aws/private-provision/hypershift-aws-private-provision-chain.yaml @@ -0,0 +1,36 @@ +chain: + as: hypershift-aws-private-provision + steps: + - chain: cucushift-installer-rehearse-aws-ipi-ovn-provision + - chain: hypershift-aws-install-private + - chain: hypershift-aws-create + - ref: hypershift-aws-metadata + - chain: aws-provision-bastionhost + - ref: proxy-config-generate + env: + - name: HYPERSHIFT_AWS_REGION + default: "" + - name: HYPERSHIFT_HC_ZONES + default: "" + - name: HYPERSHIFT_EXTERNAL_DNS_DOMAIN + default: "hypershift-ext.qe.devcluster.openshift.com" + - name: HYPERSHIFT_BASE_DOMAIN + default: "hypershift-ci.qe.devcluster.openshift.com" + - name: HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT + default: "true" + - name: HYPERSHIFT_CP_AVAILABILITY_POLICY + default: "HighlyAvailable" + - name: HYPERSHIFT_INFRA_AVAILABILITY_POLICY + default: "HighlyAvailable" + - name: ZONES_COUNT + default: "3" + - name: ENABLE_ICSP + default: "true" + - name: ENDPOINT_ACCESS + default: "Private" + - name: COMPUTE_NODE_REPLICAS + default: "3" + - name: USAGE_CLUSTER_TYPE + default: "hypershift-mgmt" + documentation: |- + This chain provisions a fully private hypershift hosted cluster. 
diff --git a/ci-operator/step-registry/hypershift/calico/OWNERS b/ci-operator/step-registry/hypershift/calico/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/calico/health-check/OWNERS b/ci-operator/step-registry/hypershift/calico/health-check/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/health-check/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-commands.sh b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-commands.sh new file mode 100644 index 0000000000000..6678c92d60b7d --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-commands.sh 
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+ source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then
+ export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
+fi
+
+if [[ -z "${HYPERSHIFT_NODE_COUNT:-}" || ! "${HYPERSHIFT_NODE_COUNT}" =~ ^[0-9]+$ ]]; then
+ echo "HYPERSHIFT_NODE_COUNT must be a non-negative integer" >&2
+ exit 1
+fi
+
+# shellcheck disable=SC2016
+timeout 30m bash -c 'until [[ $(oc get nodes --no-headers | wc -l) -eq "$HYPERSHIFT_NODE_COUNT" ]]; do sleep 15; done'
+
+echo "Waiting for the guest cluster to be ready"
+oc wait nodes --all --for=condition=Ready=true --timeout=15m
+
+oc wait tigerastatus calico --for=condition=Available --timeout=30m
+oc wait tigerastatus apiserver --for=condition=Available --timeout=30m
+oc wait tigerastatus ippools --for=condition=Available --timeout=30m
+
+oc wait clusteroperators --all --for=condition=Available=True --timeout=30m
+oc wait clusteroperators --all --for=condition=Progressing=False --timeout=30m
+oc wait clusteroperators --all --for=condition=Degraded=False --timeout=30m
+oc wait clusterversion/version --for=condition=Available=True --timeout=30m
diff --git a/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.metadata.json b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.metadata.json
new file mode 100644
index 0000000000000..e2f1a0e283900
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.metadata.json
@@ -0,0 +1,21 @@
+{
+ "path": "hypershift/calico/health-check/hypershift-calico-health-check-ref.yaml",
+ "owners": {
+ "approvers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ],
+ "reviewers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ]
+ }
+}
\ No newline at end of file
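Review bot: `set -xeuo pipefail` is enabled before `source "${SHARED_DIR}/proxy-conf.sh"` in the health-check script, so every command in that file is traced into the job log; its contents are not part of this diff, but if it exports a proxy URL with embedded credentials they would end up in the log. Sourcing it with tracing off and enabling it afterwards (`set -euo pipefail` at the top, `set -x` after the `source` block) avoids that and matches `hypershift-enable-guest-commands.sh` in this change, which does not enable xtrace at all. The same ordering appears at the top of `hypershift-calico-install-commands.sh`.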
diff --git a/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.yaml b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.yaml new file mode 100644 index 0000000000000..71d33fac6e725 --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/health-check/hypershift-calico-health-check-ref.yaml @@ -0,0 +1,15 @@ +ref: + as: hypershift-calico-health-check + from: cli + commands: hypershift-calico-health-check-commands.sh + grace_period: 5m0s + env: + - name: HYPERSHIFT_NODE_COUNT + default: "3" + documentation: "The number nodes to automatically create and join to the cluster." + resources: + requests: + cpu: 100m + memory: 100Mi + documentation: |- + This step checks health of Calico CNI in the hosted cluster. diff --git a/ci-operator/step-registry/hypershift/calico/install/OWNERS b/ci-operator/step-registry/hypershift/calico/install/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/install/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/calico/install/hypershift-calico-install-commands.sh b/ci-operator/step-registry/hypershift/calico/install/hypershift-calico-install-commands.sh new file mode 100644 index 0000000000000..088c3c0c3bbd4 --- /dev/null +++ b/ci-operator/step-registry/hypershift/calico/install/hypershift-calico-install-commands.sh 
@@ -0,0 +1,90 @@ +#!/bin/bash + +set -xeuo pipefail + +if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then + source "${SHARED_DIR}/proxy-conf.sh" +fi + +export KUBECONFIG="${SHARED_DIR}/kubeconfig" +if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then + export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" +fi + +# Install AWS credentials for the tigera-operator. It creates additional +# inbound rules for the existing Security Group to allow traffic between its components. +platform=$(oc get infrastructure cluster -ojsonpath='{.status.platformStatus.type}') +if [[ "$platform" == "AWS" ]]; then + export AWS_SHARED_CREDENTIALS_FILE="/etc/hypershift-ci-jobs-awscreds/credentials" + if [[ ${HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT:-} == "true" ]]; then + export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" + fi + aws configure export-credentials --format env > /tmp/aws_creds + set +x + source /tmp/aws_creds + key=$(echo -n "$AWS_ACCESS_KEY_ID" | base64 --wrap=0) + pass=$(echo -n "$AWS_SECRET_ACCESS_KEY" | base64 --wrap=0) + oc apply -f - <&2 + exit 1 +fi + +echo "switch kubeconfig" +cat "${SHARED_DIR}/mgmt_kubeconfig" > "${SHARED_DIR}/kubeconfig" diff --git a/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.metadata.json b/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.metadata.json new file mode 100644 index 0000000000000..b7ace5812c86b --- /dev/null +++ b/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "hypershift/disable-guest/hypershift-disable-guest-ref.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file 
diff --git a/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.yaml b/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.yaml new file mode 100644 index 0000000000000..5addc39ad82f3 --- /dev/null +++ b/ci-operator/step-registry/hypershift/disable-guest/hypershift-disable-guest-ref.yaml @@ -0,0 +1,13 @@ +ref: + as: hypershift-disable-guest + from: cli + grace_period: 5m + cli: latest + commands: hypershift-disable-guest-commands.sh + resources: + requests: + cpu: 100m + memory: 100Mi + documentation: |- + disable Hypershift hostedcluster in cluster. + hypershift-disable-guest needs to be used in conjunction with hypershift-enable-guest diff --git a/ci-operator/step-registry/hypershift/enable-guest/OWNERS b/ci-operator/step-registry/hypershift/enable-guest/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-guest/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-commands.sh b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-commands.sh new file mode 100644 index 0000000000000..2c749b7015d94 --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-commands.sh 
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ ! -f "${SHARED_DIR}/nested_kubeconfig" ]; then
+ echo "ERROR: ${SHARED_DIR}/nested_kubeconfig not found, cannot switch to guest cluster" >&2
+ exit 1
+fi
+
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+ source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+console_host="$(oc --kubeconfig="${SHARED_DIR}/nested_kubeconfig" -n openshift-console get routes console -o=jsonpath='{.spec.host}')"
+if [ -z "${console_host}" ]; then
+ echo "ERROR: Failed to determine hosted cluster console route host" >&2
+ exit 1
+fi
+echo "https://${console_host}" > "${SHARED_DIR}/hostedcluster_console.url"
+echo "hostedcluster_console.url path:${SHARED_DIR}/hostedcluster_console.url"
+cat "${SHARED_DIR}/hostedcluster_console.url"
+
+echo "switch kubeconfig"
+cp "${SHARED_DIR}/kubeconfig" "${SHARED_DIR}/mgmt_kubeconfig"
+cat "${SHARED_DIR}/nested_kubeconfig" > "${SHARED_DIR}/kubeconfig"
+echo "hypershift-guest" > "${SHARED_DIR}/cluster-type"
diff --git a/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.metadata.json b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.metadata.json
new file mode 100644
index 0000000000000..658e49eeea8cf
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.metadata.json
@@ -0,0 +1,21 @@
+{
+ "path": "hypershift/enable-guest/hypershift-enable-guest-ref.yaml",
+ "owners": {
+ "approvers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ],
+ "reviewers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.yaml b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.yaml
new file mode 100644
index 0000000000000..857d69e9fec27
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/enable-guest/hypershift-enable-guest-ref.yaml @@ -0,0 +1,18 @@ +ref: + as: hypershift-enable-guest + from: cli + grace_period: 5m + cli: latest + env: + - name: HYPERSHIFT_NAMESPACE + default: "clusters" + documentation: "The Namespace where to create the HostedCluster and NodePools" + commands: hypershift-enable-guest-commands.sh + resources: + requests: + cpu: 100m + memory: 100Mi + documentation: |- + enable Hypershift hostedcluster by setting "${SHARED_DIR}/nested_kubeconfig" as $KUBECONFIG to support hypershift. + The current cluster should be the mgmt cluster and there is at least one hostedcluster. + The hostedcluster's kubeconfig file should be "${SHARED_DIR}/nested_kubeconfig". diff --git a/ci-operator/step-registry/hypershift/enable-qe/OWNERS b/ci-operator/step-registry/hypershift/enable-qe/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-qe/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/enable-qe/catalogsource/OWNERS b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.metadata.json b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.metadata.json new file mode 100644 index 0000000000000..4a21c42e2e136 --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.metadata.json 
@@ -0,0 +1,21 @@ +{ + "path": "hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.yaml", + "owners": { + "approvers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ], + "reviewers": [ + "csrwng", + "enxebre", + "sjenning", + "mgencur", + "bryan-cox", + "jparrill" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.yaml b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.yaml new file mode 100644 index 0000000000000..89868d0d8751e --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-chain.yaml @@ -0,0 +1,8 @@ +chain: + as: hypershift-enable-qe-catalogsource + steps: + - ref: hypershift-enable-qe-pull-secret + - ref: hypershift-enable-qe-catalogsource + documentation: |- + Updates the pull secret and installs the QE catalog source on + a HyperShift hosted cluster. diff --git a/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-commands.sh b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-commands.sh new file mode 100644 index 0000000000000..03d8655221eb8 --- /dev/null +++ b/ci-operator/step-registry/hypershift/enable-qe/catalogsource/hypershift-enable-qe-catalogsource-commands.sh 
@@ -0,0 +1,119 @@ +#!/bin/bash + +set -e +set -u +set -o pipefail +set -x + +function run_command() { + local CMD="$1" + echo "Running Command: ${CMD}" + eval "${CMD}" +} + +# From 4.11 on, the marketplace is optional. +# That means, once the marketplace disabled, its "openshift-marketplace" project will NOT be created as default. +# But, for OLM, its global namespace still is "openshift-marketplace"(details: https://bugzilla.redhat.com/show_bug.cgi?id=2076878), +# so we need to create it manually so that optional operator teams' test cases can be run smoothly. +function check_marketplace () { + # caps=`oc get clusterversion version -o=jsonpath="{.status.capabilities.enabledCapabilities}"` + # if [[ ${caps} =~ "marketplace" ]]; then + # echo "marketplace installed, skip..." + # return 0 + # fi + ret=0 + run_command "oc get ns openshift-marketplace" || ret=$? + if [[ $ret -eq 0 ]]; then + echo "openshift-marketplace project AlreadyExists, skip creating." + return 0 + fi + + cat < [args...] +# - retries : max number of attempts +# - sleep_time : seconds between attempts +# - func : the function to be called or a sub shell call +function retry_until_success() { + local retries="$1" + local sleep_time="$2" + shift 2 # drop retries and sleep_time + for i in $(seq 1 "$retries"); do + echo "Attempt $i/$retries: running $*" + if "$@"; then + echo "Success on attempt $i" + return 0 + fi + echo "Failed attempt $i, retrying in $sleep_time seconds..." 
+ sleep "$sleep_time" + done + echo "$* did not succeed after $retries attempts" + return 1 +} + +function check_node() { + local node_number ready_number + node_number=$(oc get node --no-headers | grep -cv STATUS) + ready_number=$(oc get node --no-headers | awk '$2 == "Ready"' | wc -l) + if (( node_number == ready_number )); then + echo "All nodes status check PASSED" + return 0 + else + if (( ready_number == 0 )); then + echo >&2 "No any ready node" + else + echo >&2 "We found failed node" + oc get node --no-headers | awk '$2 != "Ready"' + fi + return 1 + fi +} + +function check_pod() { + echo "Show all pods status for reference/debug" + oc get pods --all-namespaces +} + +function health_check() { + echo "Step #1: Check all cluster operators get stable and ready" + timeout 900s bash < /tmp/global-pull-secret.json + +optional_auth_user=$(cat "/var/run/vault/mirror-registry/registry_quay.json" | jq -r '.user') +optional_auth_password=$(cat "/var/run/vault/mirror-registry/registry_quay.json" | jq -r '.password') +qe_registry_auth=`echo -n "${optional_auth_user}:${optional_auth_password}" | base64 -w 0` + +openshifttest_auth_user=$(cat "/var/run/vault/mirror-registry/registry_quay_openshifttest.json" | jq -r '.user') +openshifttest_auth_password=$(cat "/var/run/vault/mirror-registry/registry_quay_openshifttest.json" | jq -r '.password') +openshifttest_registry_auth=`echo -n "${openshifttest_auth_user}:${openshifttest_auth_password}" | base64 -w 0` + +stage_auth_user=$(cat "/var/run/vault/mirror-registry/registry_stage.json" | jq -r '.user') +stage_auth_password=$(cat "/var/run/vault/mirror-registry/registry_stage.json" | jq -r '.password') +stage_registry_auth=`echo -n "${stage_auth_user}:${stage_auth_password}" | base64 -w 0` + +reg_brew_user=$(cat "/var/run/vault/mirror-registry/registry_brew.json" | jq -r '.user') +reg_brew_password=$(cat "/var/run/vault/mirror-registry/registry_brew.json" | jq -r '.password') +brew_registry_auth=`echo -n 
"${reg_brew_user}:${reg_brew_password}" | base64 -w 0` +jq --argjson a "{\"brew.registry.redhat.io\": {\"auth\": \"${brew_registry_auth}\"},\"quay.io/openshift-qe-optional-operators\": {\"auth\": \"${qe_registry_auth}\"},\"quay.io/openshifttest\": {\"auth\": \"${openshifttest_registry_auth}\"},\"registry.stage.redhat.io\": {\"auth\": \"$stage_registry_auth\"}}" '.auths |= . + $a' "/tmp/global-pull-secret.json" > /tmp/global-pull-secret.json.tmp + +mv /tmp/global-pull-secret.json.tmp /tmp/global-pull-secret.json +oc create secret -n "$HYPERSHIFT_NAMESPACE" generic "$CLUSTER_NAME"-pull-secret-new --from-file=.dockerconfigjson=/tmp/global-pull-secret.json +rm /tmp/global-pull-secret.json + +echo "{\"spec\":{\"pullSecret\":{\"name\":\"$CLUSTER_NAME-pull-secret-new\"}}}" > /tmp/patch.json +oc patch hostedclusters -n "$HYPERSHIFT_NAMESPACE" "$CLUSTER_NAME" --type=merge -p="$(cat /tmp/patch.json)" + +# Patching the HostedCluster pullSecret triggers a MachineDeployment rolling update +# (new ignition/user-data). Wait for the rollout to complete before proceeding, +# otherwise conformance tests will run on a cluster with nodes being replaced. +echo "Waiting for MachineDeployment rollouts" +MD_NAMESPACE="${HYPERSHIFT_NAMESPACE}-${CLUSTER_NAME}" +timeout 5m bash -c 'until oc get machinedeployments -n "'"${MD_NAMESPACE}"'" -l "cluster.x-k8s.io/cluster-name='"${CLUSTER_NAME}"'" --no-headers 2>/dev/null | grep -q .; do sleep 10; done' +for md in $(oc get machinedeployments -n "${MD_NAMESPACE}" -l "cluster.x-k8s.io/cluster-name=${CLUSTER_NAME}" -o jsonpath='{.items[*].metadata.name}'); do + oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=True --timeout=5m + echo "Waiting for MachineDeployment ${md} to finish rolling out..." 
+ oc wait machinedeployment "${md}" -n "${MD_NAMESPACE}" --for=condition=RollingOut=False --timeout=45m
+done
+
+echo "check day-2 pull-secret update"
+export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
+RETRIES=45
+for i in $(seq ${RETRIES}); do
+ UPDATED_COUNT=0
+ workers=$(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{range .items[*]}{.metadata.name}{","}{end}')
+ IFS="," read -r -a workers_arr <<< "$workers"
+ COUNT=${#workers_arr[*]}
+ for worker in "${workers_arr[@]}"
+ do
+ count=$(oc debug -n kube-system node/${worker} -- chroot /host/ bash -c 'cat /var/lib/kubelet/config.json' | grep -c quay.io/openshifttest || true)
+ if [ $count -gt 0 ] ; then
+ UPDATED_COUNT=`expr $UPDATED_COUNT + 1`
+ fi
+ done
+ if [ "$UPDATED_COUNT" == "$COUNT" ] ; then
+ echo "day 2 pull-secret successful"
+ health_check
+ exit 0
+ fi
+ echo "Try ${i}/${RETRIES}: pull-secret is not updated yet. Checking again in 60 seconds"
+ sleep 60
+done
+echo "day 2 pull-secret update error"
+exit 1
diff --git a/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.metadata.json b/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.metadata.json
new file mode 100644
index 0000000000000..3db5ad2ff1ab6
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.metadata.json
@@ -0,0 +1,21 @@
+{
+ "path": "hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.yaml",
+ "owners": {
+ "approvers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ],
+ "reviewers": [
+ "csrwng",
+ "enxebre",
+ "sjenning",
+ "mgencur",
+ "bryan-cox",
+ "jparrill"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.yaml b/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.yaml
new file mode 100644
index 0000000000000..dc02810210989
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/enable-qe/pull-secret/hypershift-enable-qe-pull-secret-ref.yaml
@@ -0,0 +1,26 @@
+ref:
+ as: hypershift-enable-qe-pull-secret
+ from: upi-installer
+ cli: latest
+ grace_period: 10m
+ timeout: 60m0s
+ env:
+ - name: HYPERSHIFT_NAMESPACE
+ default: "clusters"
+ documentation: "The Namespace where to create the HostedCluster and NodePools"
+ - name: SKIP_HYPERSHIFT_PULL_SECRET_UPDATE
+ default: "false"
+ documentation: "if set true, skip update HyperShift HostedCluster pull-secret by day-2"
+ commands: hypershift-enable-qe-pull-secret-commands.sh
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ credentials:
+ - namespace: test-credentials
+ name: openshift-custom-mirror-registry
+ mount_path: /var/run/vault/mirror-registry
+ documentation: |-
+ Update HyperShift HostedCluster pull-secret by day-2.
+ For some workflows, due to different installation methods, the hosted cluster may already include the pull-secret for QE.
+ Therefore, this step will first check if it is included, and if so, it will be skipped.
diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml
index e393e25ae4776..f50f7730b70ad 100644
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml
+++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-calico/hypershift-kubevirt-baremetalds-conformance-calico-workflow.yaml
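Review bot: In hypershift-enable-qe-pull-secret-ref.yaml, `timeout: 60m0s` looks smaller than the waits the step's own commands script can accumulate. The visible part of that script allows 5m for MachineDeployments to appear, then up to 5m plus 45m for each MachineDeployment in turn, then 45 polls 60 seconds apart, and only then runs `health_check` with its own `timeout 900s`. A slow rollout would therefore be cut off by the step timeout instead of leaving through the script's `day 2 pull-secret update error` path, which makes the failure harder to triage. Either raise the limit (for one MachineDeployment something like `timeout: 120m0s` would cover the visible waits) or shorten the script's waits so their sum fits in 60 minutes. The start of the commands script is outside this view, so the real total may be higher.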
@@ -25,10 +25,11 @@ workflow:
 - ref: hypershift-install
 - ref: hypershift-kubevirt-create
 - ref: hypershift-kubevirt-baremetalds-proxy
- - ref: cucushift-hypershift-extended-calico
- - ref: cucushift-hypershift-extended-calico-health-check
+ - ref: hypershift-calico-install
+ - ref: hypershift-calico-health-check
 env:
 HYPERSHIFT_NETWORK_TYPE: "Other"
+ HYPERSHIFT_NODE_CPU_CORES: "8"
 KONFLUX_DEPLOY_OPERATORS: "false"
 KONFLUX_TARGET_OPERATORS: metallb,local-storage
 CLUSTERTYPE: host_384gb_el9
diff --git a/ci-operator/step-registry/hypershift/mce/agent/metal3/create/calico/hypershift-mce-agent-metal3-create-calico-chain.yaml b/ci-operator/step-registry/hypershift/mce/agent/metal3/create/calico/hypershift-mce-agent-metal3-create-calico-chain.yaml
index 1d5b19e1b428c..32e514284f95e 100644
--- a/ci-operator/step-registry/hypershift/mce/agent/metal3/create/calico/hypershift-mce-agent-metal3-create-calico-chain.yaml
+++ b/ci-operator/step-registry/hypershift/mce/agent/metal3/create/calico/hypershift-mce-agent-metal3-create-calico-chain.yaml
@@ -6,12 +6,12 @@ chain:
 - ref: hypershift-agent-create-config-dns
 - ref: hypershift-mce-agent-create-hostedcluster
 - ref: hypershift-agent-create-proxy
- - ref: cucushift-hypershift-extended-calico
+ - ref: hypershift-calico-install
 - ref: hypershift-agent-create-add-worker-metal3
 - ref: cucushift-hypershift-extended-enable-qe-catalogsource
 - ref: hypershift-agent-create-metallb-catalogsource
 - ref: hypershift-agent-create-metallb
- - ref: cucushift-hypershift-extended-calico-health-check
+ - ref: hypershift-calico-health-check
 - ref: hypershift-agent-check-conditions
 env:
 - name: HYPERSHIFT_NETWORK_TYPE