From a8e2b87d5576ad681ce894d4b118a70c95b90ae8 Mon Sep 17 00:00:00 2001 From: Balint Tobik Date: Tue, 23 Jun 2026 13:20:17 +0200 Subject: [PATCH 1/5] sandboxed-containers-operator: add Azure disconnected workflow Add e2e workflow for testing OSC on a disconnected ARO cluster. Co-Authored-By: Claude Signed-off-by: Balint Tobik --- .../e2e/aro-disconnected/OWNERS | 10 + ...2e-aro-disconnected-workflow.metadata.json | 17 ++ ...perator-e2e-aro-disconnected-workflow.yaml | 50 +++++ ...xed-containers-operator-env-cm-commands.sh | 9 + ...rs-operator-gather-must-gather-commands.sh | 4 + ...ntainers-operator-get-kata-rpm-commands.sh | 4 + .../mirror-operator/OWNERS | 10 + ...iners-operator-mirror-operator-commands.sh | 189 ++++++++++++++++++ ...operator-mirror-operator-ref.metadata.json | 17 ++ ...ntainers-operator-mirror-operator-ref.yaml | 33 +++ ...iners-operator-record-metadata-commands.sh | 4 + 11 files changed, 347 insertions(+) create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json create mode 100644 ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml 
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS
new file mode 100644
index 0000000000000..90aef831f9778
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS
@@ -0,0 +1,10 @@
+reviewers:
+ - ldoktor
+ - tbuskey
+ - vvoronko
+ - wainersm
+approvers:
+ - ldoktor
+ - tbuskey
+ - vvoronko
+ - wainersm
\ No newline at end of file
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json
new file mode 100644
index 0000000000000..b37c3bfd15732
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json
@@ -0,0 +1,17 @@
+{
+ "path": "sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ],
+ "reviewers": [
+ "ldoktor",
+ "tbuskey",
+ "vvoronko",
+ "wainersm"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml
new file mode 100644
index 0000000000000..9031889c72655
--- /dev/null
+++ b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml
@@ -0,0 +1,50 @@
+workflow:
+ as: sandboxed-containers-operator-e2e-aro-disconnected
+ steps:
+ env:
+ ARO_API_SERVER_VISIBILITY: Private
+ ARO_INGRESS_VISIBILITY: Private
+ ARO_OUTBOUND_TYPE: UserDefinedRouting
+ ARO_BYO_NSG: "true"
+ ARO_WORKER_COUNT: "3"
+ ARO_WORKER_VM_SIZE: Standard_D8s_v3
+ REGISTER_MIRROR_REGISTRY_DNS: "yes"
+ BASTION_BOOT_IMAGE: "azureopenshift:aro4:aro_417:417.94.20240701"
+ BASTION_VM_SIZE: "Standard_D4s_v3"
+ ENALBE_DNSMASQ_METHOD: "NetworkManager"
+ OPERTORS_TO_MIRROR: "sandboxed-containers-operator"
+ SLEEP_DURATION: 3h
+ TEST_PARALLEL: 1
+ FORCE_SUCCESS_EXIT: "no"
+ MUST_GATHER_IMAGE: "registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest"
+ MUST_GATHER_TIMEOUT: "35m"
+ ENABLE_MUST_GATHER: "false"
+ MUST_GATHER_ON_FAILURE_ONLY: "true"
+ TEST_FILTERS: ~Disruptive&
+ pre:
+ - ref: azure-provision-resourcegroup
+ - ref: aro-provision-vnet
+ - chain: azure-provision-bastionhost
+ - ref: proxy-config-generate
+ - ref: openshift-cluster-bot-rbac
+ - chain: mirror-images-by-oc-adm
+ - ref: sandboxed-containers-operator-mirror-operator
+ - ref: bastion-dnsmasq
+ - ref: aro-provision-nsg
+ - ref: aro-provision-cluster
+ - chain: sandboxed-containers-operator-pre
+ test:
+ - ref: openshift-extended-test
+ post:
+ - ref: cucushift-installer-wait
+ timeout: 12h10m0s
+ best_effort: true
+ optional_on_success: true
+ - ref: sandboxed-containers-operator-gather-must-gather
+ - ref: sandboxed-containers-operator-post
+ - ref: aro-deprovision
+ documentation: |-
+ Run openshift-extended-test on a disconnected ARO cluster
+ with sandboxed containers deployed. Uses ARO provisioning steps
+ with private/disconnected configuration and the OSC pre chain for
+ operator setup.
\ No newline at end of file
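Review bot: Two env keys in this new workflow are misspelled, `ENALBE_DNSMASQ_METHOD` and `OPERTORS_TO_MIRROR`. The second matches the name that the mirror-operator ref and script in this same patch declare and read, so it works, but it bakes the typo into the step interface; renaming it to `OPERATORS_TO_MIRROR` in all three places is cheapest now. The consumer of `ENALBE_DNSMASQ_METHOD` is not visible in this patch, so confirm the spelling matches what that step actually reads. `TEST_PARALLEL: 1` is also the only unquoted number in the block, and `TEST_PARALLEL: "1"` would match the other values and the job config later in the series.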
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh index 927a70286a81e..295c9225e946d 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh @@ -1,7 +1,16 @@ #!/bin/bash +if test -s "${SHARED_DIR}/proxy-conf.sh"; then + source "${SHARED_DIR}/proxy-conf.sh" +fi + configmap_path="${SHARED_DIR:-$(pwd)}/env-cm.yaml" +if [[ -f "${SHARED_DIR}/disconnected_catalog_source_name" ]]; then + CATALOG_SOURCE_NAME=$(cat "${SHARED_DIR}/disconnected_catalog_source_name") + echo "Using disconnected CatalogSource: ${CATALOG_SOURCE_NAME}" +fi + # TODO: still needed? 600 seconds will cause the step timeout? #echo "Giving a 10min stabilization time for AWS fresh 4.18 cluster before applying kataconfig as workaround for KATA-3451" #sleep 600 diff --git a/ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh index 7d8c571bafb96..0c5358755b1f1 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh @@ -1,5 +1,9 @@ #!/bin/bash +if test -s "${SHARED_DIR}/proxy-conf.sh"; then + source "${SHARED_DIR}/proxy-conf.sh" +fi + set -o nounset set -o errexit set -o pipefail 
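Review bot: The lines added to env-cm read `${SHARED_DIR}` with no fallback, while the unchanged `configmap_path` line between them uses `${SHARED_DIR:-$(pwd)}`. With SHARED_DIR unset the new checks resolve to `/proxy-conf.sh` and `/disconnected_catalog_source_name`, so a local run looks in the filesystem root rather than the working directory; setting `shared_dir="${SHARED_DIR:-$(pwd)}"` once and using it for all three paths keeps them consistent. The value read into CATALOG_SOURCE_NAME replaces whatever the job config set, which deserves a comment such as `# written by the mirror-operator step; overrides the job's CATALOG_SOURCE_NAME`. The same proxy-conf.sh block is added ahead of `set -o nounset` in the gather-must-gather, get-kata-rpm and record-metadata hunks, and the env-cm script continues outside this hunk.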
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh index ee9aad2679a71..ce9b7fe6d9ef4 100755 --- a/ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh +++ b/ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh @@ -3,6 +3,10 @@ # Download and copy the kata containers RPM to /host/var/local/kata-containers.rpm # on each worker node. The RPM is going to be installed by the test automation code. +if test -s "${SHARED_DIR}/proxy-conf.sh"; then + source "${SHARED_DIR}/proxy-conf.sh" +fi + set -o nounset set -o errexit set -o pipefail diff --git a/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS new file mode 100644 index 0000000000000..90aef831f9778 --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS @@ -0,0 +1,10 @@ +reviewers: + - ldoktor + - tbuskey + - vvoronko + - wainersm +approvers: + - ldoktor + - tbuskey + - vvoronko + - wainersm \ No newline at end of file diff --git a/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh new file mode 100644 index 0000000000000..97fbf700b8884 --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh 
@@ -0,0 +1,189 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+set -x
+
+if test -s "${SHARED_DIR}/proxy-conf.sh"; then
+ source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+MIRROR_REGISTRY_HOST=$(head -n 1 "${SHARED_DIR}/mirror_registry_url")
+echo "MIRROR_REGISTRY_HOST: ${MIRROR_REGISTRY_HOST}"
+
+OCP_VERSION=$(oc get clusterversion version -o jsonpath='{.status.desired.version}' | cut -d. -f1,2)
+echo "OCP_VERSION: ${OCP_VERSION}"
+
+OPERATOR_INDEX="registry.redhat.io/redhat/redhat-operator-index:v${OCP_VERSION}"
+echo "OPERATOR_INDEX: ${OPERATOR_INDEX}"
+
+mirror_registry_cred_file="/var/run/vault/mirror-registry/registry_creds"
+mirror_registry_user=$(cut -d: -f1 < "$mirror_registry_cred_file")
+mirror_registry_password=$(cut -d: -f2 < "$mirror_registry_cred_file")
+
+redhat_auth_user=$(jq -r '.user' /var/run/vault/mirror-registry/registry_redhat.json)
+redhat_auth_password=$(jq -r '.password' /var/run/vault/mirror-registry/registry_redhat.json)
+
+work_dir="/tmp/mirror-operator"
+mkdir -p "${work_dir}"
+export XDG_RUNTIME_DIR="${work_dir}"
+export REGISTRY_AUTH_FILE="${XDG_RUNTIME_DIR}/containers/auth.json"
+mkdir -p "$(dirname "${REGISTRY_AUTH_FILE}")"
+
+echo "Logging into registries..."
+skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" -p "${mirror_registry_password}" --tls-verify=false +skopeo login registry.redhat.io -u "${redhat_auth_user}" -p "${redhat_auth_password}" + +OPERATORS_TO_MIRROR="${OPERTORS_TO_MIRROR:-sandboxed-containers-operator}" + +cat > "${work_dir}/imageset-config.yaml" <> "${work_dir}/imageset-config.yaml" < ${MIRROR_REGISTRY_HOST}/extra/${dest_path}" + skopeo copy --all \ + "docker://${img}" \ + "docker://${MIRROR_REGISTRY_HOST}/extra/${dest_path}" \ + --dest-tls-verify=false \ + --src-tls-verify=false || echo "WARNING: failed to copy ${img}" + done +fi + +echo "oc-mirror version:" +oc-mirror version --v2 || oc-mirror --v2 version || echo "cannot get version" + +auth_file="${work_dir}/containers/auth.json" +echo "Running oc-mirror v2 (mirror to mirror)..." +unset REGISTRY_AUTH_FILE +oc-mirror \ + -c "${work_dir}/imageset-config.yaml" \ + --workspace "file://${work_dir}/workspace" \ + --dest-tls-verify=false \ + --src-tls-verify=false \ + --authfile "${auth_file}" \ + "docker://${MIRROR_REGISTRY_HOST}" \ + --v2 + +echo "oc-mirror completed successfully" + +echo "Listing workspace contents..." +find "${work_dir}/workspace" -name "*.yaml" -o -name "*.json" 2>/dev/null | head -20 || true + +results_dir="${work_dir}/workspace/working-dir/cluster-resources" +if [[ ! -d "${results_dir}" ]]; then + results_dir=$(find "${work_dir}" -type d -name "cluster-resources" 2>/dev/null | head -1 || true) +fi + +echo "Applying generated cluster resources..." 
+if [[ -n "${results_dir}" && -d "${results_dir}" ]]; then + echo "Found cluster-resources at: ${results_dir}" + ls -la "${results_dir}/" + for f in "${results_dir}"/*.yaml; do + if [[ -f "$f" ]]; then + echo "=== Applying: $f ===" + cat "$f" + oc apply -f "$f" || true + fi + done + cs_name=$(grep -l "kind: CatalogSource" "${results_dir}"/*.yaml 2>/dev/null | head -1 | xargs grep "name:" 2>/dev/null | head -1 | awk '{print $2}' || true) + if [[ -n "${cs_name}" ]]; then + echo "CatalogSource name: ${cs_name}" + echo "${cs_name}" > "${SHARED_DIR}/disconnected_catalog_source_name" + fi +else + echo "ERROR: No cluster-resources directory found" + find "${work_dir}" -type f -name "*.yaml" 2>/dev/null + exit 1 +fi + +if [[ -n "${EXTRA_IMAGES}" ]]; then + echo "Creating ITMS for extra images..." + cat </dev/null || echo "") +if [[ -z "${ca_name}" || "${ca_name}" != "registry-config" ]]; then + REGISTRY_HOST=$(echo "${MIRROR_REGISTRY_HOST}" | cut -d: -f1) + QE_ADDITIONAL_CA_FILE="/var/run/vault/mirror-registry/client_ca.crt" + + oc create configmap registry-config \ + --from-file="${REGISTRY_HOST}..5000=${QE_ADDITIONAL_CA_FILE}" \ + -n openshift-config 2>/dev/null || echo "registry-config already exists" + + oc patch image.config.openshift.io/cluster \ + --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' \ + --type=merge + echo "CA trust configured" +else + echo "CA trust already configured" +fi + +echo "Disabling default CatalogSources (not mirrored)..." +oc patch operatorhub cluster --type=merge -p '{"spec":{"disableAllDefaultSources":true}}' || true + +echo "Waiting for MCP to stabilize..." +sleep 30 +oc wait mcp --all --for=condition=Updated --timeout=600s || { + echo "WARNING: MCP did not finish updating in time" + oc get mcp || true +} + +if [[ -n "${cs_name}" ]]; then + echo "Waiting for CatalogSource ${cs_name} to be READY..." 
+ for i in $(seq 1 30); do + state=$(oc get catalogsource -n openshift-marketplace "${cs_name}" -o jsonpath='{.status.connectionState.lastObservedState}' 2>/dev/null || echo "") + if [[ "${state}" == "READY" ]]; then + echo "CatalogSource ${cs_name} is READY" + break + fi + echo " waiting... (${i}/30, state: ${state})" + sleep 10 + done + if [[ "${state}" != "READY" ]]; then + echo "WARNING: CatalogSource ${cs_name} not READY after 5min" + oc get catalogsource -n openshift-marketplace "${cs_name}" -o yaml || true + oc get pods -n openshift-marketplace -l "olm.catalogSource=${cs_name}" -o yaml || true + fi +fi + +echo "CatalogSources status:" +oc get catalogsource -n openshift-marketplace || true + +echo "Mirror operator step completed successfully" \ No newline at end of file diff --git a/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json new file mode 100644 index 0000000000000..3d7c690a77d72 --- /dev/null +++ b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json @@ -0,0 +1,17 @@ +{ + "path": "sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml", + "owners": { + "approvers": [ + "ldoktor", + "tbuskey", + "vvoronko", + "wainersm" + ], + "reviewers": [ + "ldoktor", + "tbuskey", + "vvoronko", + "wainersm" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml new file mode 100644 index 0000000000000..0faa72e97a483 --- /dev/null 
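Review bot: `set -x` is switched on at the top of the new mirror script before the registry credentials are read, so the `cut`/`jq` assignments and both `skopeo login ... -p` calls are traced into the job log with the passwords expanded. Turn tracing off around that section and pass the password with `--password-stdin`, which also keeps it out of the process arguments; `cut -d: -f2-` avoids truncating a password that contains a colon. Separately, `--src-tls-verify=false` on the `skopeo copy` and `oc-mirror` calls drops certificate checking for the upstream pulls from registry.redhat.io and quay.io too, although only the mirror registry should need it and its CA is already mounted at `/var/run/vault/mirror-registry/client_ca.crt`. The heredoc parts of this hunk are missing from the page, so the sketch below covers only the credential and login section.

```shell
mirror_registry_cred_file="/var/run/vault/mirror-registry/registry_creds"
# Suspend xtrace while secrets are handled so they never reach the job log.
set +x
# … unchanged: mirror_registry_user assignment …
mirror_registry_password=$(cut -d: -f2- < "$mirror_registry_cred_file")
# … unchanged: redhat_auth_* assignments, work_dir and REGISTRY_AUTH_FILE setup …
echo "Logging into registries..."
printf '%s' "${mirror_registry_password}" | skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" --password-stdin --tls-verify=false
printf '%s' "${redhat_auth_password}" | skopeo login registry.redhat.io -u "${redhat_auth_user}" --password-stdin
set -x
```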
+++ b/ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml
@@ -0,0 +1,33 @@
+ref:
+ as: sandboxed-containers-operator-mirror-operator
+ from_image:
+ namespace: ci
+ name: tests-private-base
+ tag: latest
+ cli: latest
+ grace_period: 10m
+ commands: sandboxed-containers-operator-mirror-operator-commands.sh
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ env:
+ - name: OPERTORS_TO_MIRROR
+ default: "sandboxed-containers-operator"
+ documentation: |-
+ Comma-separated list of operators to mirror from the official
+ Red Hat operator index to the local mirror registry.
+ - name: EXTRA_IMAGES_TO_MIRROR
+ default: "quay.io/openshift/origin-hello-openshift:latest,registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest"
+ documentation: |-
+ Comma-separated list of extra container images to mirror
+ to the local registry for use in disconnected tests.
+ credentials:
+ - namespace: test-credentials
+ name: openshift-custom-mirror-registry
+ mount_path: /var/run/vault/mirror-registry
+ documentation: |-
+ Mirror operator images from the official Red Hat operator catalog
+ to the local mirror registry and configure IDMS for transparent
+ redirect. This allows the default redhat-operators CatalogSource
+ to work in disconnected clusters.
\ No newline at end of file
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh b/ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh
index 2b5b9de87755e..92dc11bea6f3c 100755
--- a/ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh
+++ b/ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh
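Review bot: The ref's `documentation` says the step lets the default redhat-operators CatalogSource work, but the script added in this patch patches OperatorHub with `disableAllDefaultSources: true` and passes the generated CatalogSource name to later steps through `${SHARED_DIR}/disconnected_catalog_source_name`. The text should describe what the step really changes on the cluster: it applies the oc-mirror cluster resources, sets the mirror CA as `additionalTrustedCA`, disables the default sources and writes that file. Both `from_image` and the `EXTRA_IMAGES_TO_MIRROR` defaults use `:latest`, so the content mirrored into the disconnected registry can change between runs; pinning a digest or at least a version tag would make the job reproducible.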
@@ -1,5 +1,9 @@ #!/bin/bash +if test -s "${SHARED_DIR}/proxy-conf.sh"; then + source "${SHARED_DIR}/proxy-conf.sh" +fi + set -o nounset set -o errexit set -o pipefail From e38f1a05a5a97d11fbd117163ef060a5ec66c589 Mon Sep 17 00:00:00 2001 From: Balint Tobik Date: Tue, 23 Jun 2026 14:58:34 +0200 Subject: [PATCH 2/5] sandboxed-containers-operator: add disconnected job config add aro-ipi-kata-disconnected job to the 4.19 downstream candidate config using the new disconnected workflow. Co-Authored-By: Claude noreply@anthropic.com Signed-off-by: Balint Tobik --- ...erator-devel__downstream-candidate419.yaml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 6ebb5e7e369df..54a5c96c24e12 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml 
@@ -210,6 +210,42 @@ tests: WORKLOAD_TO_TEST: coco workflow: sandboxed-containers-operator-e2e-aro timeout: 24h0m0s +- as: aro-ipi-kata-disconnected + capabilities: + - intranet + cron: 0 0 31 2 1 + reporter_config: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + steps: + cluster_profile: azure-qe + env: + ARO_CLUSTER_VERSION: "4.17" + CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest + CATALOG_SOURCE_NAME: brew-catalog + ENABLE_MUST_GATHER: "false" + HYPERSHIFT_AZURE_LOCATION: eastus + INITDATA: "" + INSTALL_KATA_RPM: "false" + KATA_RPM_VERSION: "" + LOCATION: eastus + MUST_GATHER_IMAGE: registry.redhat.io/openshift-sandboxed-containers/osc-must-gather-rhel9:latest + MUST_GATHER_ON_FAILURE_ONLY: "true" + SLEEP_DURATION: 3h + TEST_FILTERS: ~Disruptive& + TEST_PARALLEL: "1" + TEST_RELEASE_TYPE: Pre-GA + TEST_SCENARIOS: sig-kata.*Kata Author + TEST_TIMEOUT: "90" + TRUSTEE_URL: "" + workflow: sandboxed-containers-operator-e2e-aro-disconnected + timeout: 24h0m0s - as: aws-ipi-peerpods capabilities: - intranet From 50bff3729a2f52db2ebff76f3bd1de79dda0f158 Mon Sep 17 00:00:00 2001 From: Balint Tobik Date: Tue, 23 Jun 2026 15:00:59 +0200 Subject: [PATCH 3/5] sandboxed-containers-operator: regenerate jobs and metadata Run make jobs && make registry-metadata to generate prow job configs and step registry metadata. Co-Authored-By: Claude Signed-off-by: Balint Tobik --- ...d-containers-operator-devel-periodics.yaml | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) 
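Review bot: `CATALOG_SOURCE_NAME: brew-catalog` in the new aro-ipi-kata-disconnected env is replaced when the env-cm step finds `${SHARED_DIR}/disconnected_catalog_source_name`, which the mirror step of this workflow writes, so the value set here looks dead for this job. `CATALOG_SOURCE_IMAGE` points at quay.io with `:latest`, and nothing visible in the series mirrors that image, so it is presumably unreachable from the disconnected cluster. If the pre chain does not need the two entries, drop them; otherwise state in the workflow's `documentation` that the mirror step supplies the CatalogSource. `ARO_CLUSTER_VERSION: "4.17"` inside the downstream-candidate419 variant also deserves a sentence in the commit message explaining the mismatch.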
diff --git a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml index ea278d814439b..210ebe4cd3ab8 100644 --- a/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml +++ b/ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml 
@@ -2067,6 +2067,100 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 0 0 31 2 1 + decorate: true + decoration_config: + skip_cloning: true + timeout: 24h0m0s + extra_refs: + - base_ref: devel + org: openshift + repo: sandboxed-containers-operator + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: azure-qe + ci-operator.openshift.io/variant: downstream-candidate419 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected + reporter_config: + slack: + channel: '#kata-ocp-ci-reports' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}}SUCCESS{{else}}ERROR{{end}} + {{trimPrefix "periodic-ci-openshift-sandboxed-containers-operator-" .Spec.Job}} + <{{.Status.URL}}|View logs>' + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aro-ipi-kata-disconnected + - --variant=downstream-candidate419 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: 
/secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 0 31 2 1 From fdd5c6bfe685cf9594efc62aba023b70263db5ec Mon Sep 17 00:00:00 2001 From: Balint Tobik Date: Wed, 24 Jun 2026 09:34:06 +0200 Subject: [PATCH 4/5] sandboxed-containers-operator: fix ARO disconnected workflow Remove REGISTER_MIRROR_REGISTRY_DNS parameter which is not needed for ARO deployments. DNS resolution for the mirror registry is handled by bastion-dnsmasq instead of Azure private DNS zones. Co-Authored-By: Claude Sonnet 4.5 --- ...dboxed-containers-operator-e2e-aro-disconnected-workflow.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml index 9031889c72655..d518e1e508c3c 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml +++ b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml 
@@ -8,7 +8,6 @@ workflow: ARO_BYO_NSG: "true" ARO_WORKER_COUNT: "3" ARO_WORKER_VM_SIZE: Standard_D8s_v3 - REGISTER_MIRROR_REGISTRY_DNS: "yes" BASTION_BOOT_IMAGE: "azureopenshift:aro4:aro_417:417.94.20240701" BASTION_VM_SIZE: "Standard_D4s_v3" ENALBE_DNSMASQ_METHOD: "NetworkManager" From 716257b2b560745d51a6928db7e35d3128bed896 Mon Sep 17 00:00:00 2001 From: Balint Tobik Date: Wed, 24 Jun 2026 11:02:00 +0200 Subject: [PATCH 5/5] sandboxed-containers-operator: add BASE_DOMAIN for ARO disconnected Add REGISTER_MIRROR_REGISTRY_DNS and BASE_DOMAIN to enable proper mirror registry URL creation. The azure-provision-bastionhost step requires BASE_DOMAIN when REGISTER_MIRROR_REGISTRY_DNS is enabled to create the mirror_registry_url file needed by mirror-images-by-oc-adm. Co-Authored-By: Claude Sonnet 4.5 --- ...boxed-containers-operator-devel__downstream-candidate419.yaml | 1 + ...dboxed-containers-operator-e2e-aro-disconnected-workflow.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml index 54a5c96c24e12..7e90da18b55de 100644 --- a/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml +++ b/ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml @@ -227,6 +227,7 @@ tests: cluster_profile: azure-qe env: ARO_CLUSTER_VERSION: "4.17" + BASE_DOMAIN: qe.azure.devcluster.openshift.com CATALOG_SOURCE_IMAGE: quay.io/redhat-user-workloads/ose-osc-tenant/osc-test-fbc:latest CATALOG_SOURCE_NAME: brew-catalog ENABLE_MUST_GATHER: "false" 
diff --git a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml index d518e1e508c3c..9031889c72655 100644 --- a/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml +++ b/ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml @@ -8,6 +8,7 @@ workflow: ARO_BYO_NSG: "true" ARO_WORKER_COUNT: "3" ARO_WORKER_VM_SIZE: Standard_D8s_v3 + REGISTER_MIRROR_REGISTRY_DNS: "yes" BASTION_BOOT_IMAGE: "azureopenshift:aro4:aro_417:417.94.20240701" BASTION_VM_SIZE: "Standard_D4s_v3" ENALBE_DNSMASQ_METHOD: "NetworkManager"