virt-platform-autopilot: add periodic e2e test on Azure with CNV

[rlobillo]

Summary

• Add a periodic CI job for virt-platform-autopilot that deploys OCP 5.0 nightly on Azure, installs CNV 4.99 via cnv-ci, and runs make run-e2e-tests-only
• Uses a dedicated __periodics.yaml to avoid duplication via config-brancher
• Artifacts are collected regardless of test pass/fail via trap EXIT

Test plan

• Rehearsal job passes on this PR
• Periodic job triggers and provisions Azure cluster successfully
• CNV installs correctly
• make run-e2e-tests-only executes and artifacts are collected

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR adds a periodic CI autopilot job in the OpenShift release repository for the OpenShift virtualization team’s virt-platform-autopilot project. The new workflow provisions an OCP 5.0 nightly cluster on Azure, installs OpenShift Virtualization (CNV) via the cnv-ci mechanism, and runs the project’s end-to-end suite using make run-e2e-tests-only.

Key implementation details include:

• A dedicated __periodics.yaml file for the periodic configuration to avoid duplication with config-brancher.
• Scheduling the Azure E2E run on weekdays using an ipi-azure-backed workflow with Azure-specific environment setup.
• CNV installation and deployment steps driven by openshift-cnv/cnv-ci, followed by a patch to kubevirt-hyperconverged to set defaultCPUModel.
• A trap EXIT mechanism that ensures CI artifacts are collected and preserved whether the E2E tests pass or fail.
• Switching the CNV version from 4.99 to 4.23 to prevent install timeouts caused by missing/unavailable CNV 4.99 IIBs in the brew registry.

Overall, this enables regular automated E2E validation of virt-platform-autopilot against nightly OpenShift builds with reliable artifact capture for debugging failures.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8c28ac6c-3792-4707-8c36-6fa76a6dc409

📥 Commits

Reviewing files that changed from the base of the PR and between ef81d37 and 6877520.

📒 Files selected for processing (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

---

Walkthrough

A new periodic CI operator configuration file is added for openshift-virtualization/virt-platform-autopilot targeting the main branch. It configures a RHEL 9 / Go 1.26 build root, an OCP 5.0 nightly release, default resource limits, and a weekday Azure e2e test that installs CNV and runs end-to-end tests.

Changes

Periodic CI Configuration for virt-platform-autopilot

Layer / File(s)	Summary
Build root and resource configuration ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml	Sets the build root to an RHEL 9 / Go 1.26 / OCP 5.0 image stream tag, configures the OCP 5.0 nightly candidate release channel, and applies default resource limits/requests to all components.
e2e-azure test workflow and metadata ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml	Adds the e2e-azure weekday cron test with Azure cluster profile, base domain and compute node env vars, an install-cnv step (downloads cnv-ci tarball, updates pull secrets, deploys CNV, patches kubevirt-hyperconverged defaultCPUModel), an e2e-test step (make run-e2e-tests-only with artifact collection), and zz_generated_metadata for branch/org/repo/variant.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding a periodic e2e test for virt-platform-autopilot on Azure with CNV integration, which matches the file addition and PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only CI operator YAML configuration, not Go test code with Ginkgo test definitions. The custom check for Ginkgo test name stability is not applicable to this CI configuration file.
Test Structure And Quality	✅ Passed	PR adds only YAML CI configuration file, not Ginkgo test code. Custom check for Ginkgo test quality is not applicable to CI/CD configuration files.
Microshift Test Compatibility	✅ Passed	PR adds only CI orchestration config, not Ginkgo test code. Check applies to tests with It()/Describe() patterns; this YAML file contains no test definitions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR adds CI configuration files (YAML) only, not new Ginkgo e2e test code. The custom check applies to new Ginkgo tests (It(), Describe(), etc.), which are not present in this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR adds a CI-Operator configuration file, not deployment manifests or operator code. No scheduling constraints, affinity rules, topology spread constraints, or topology-aware logic is present i...
Ote Binary Stdout Contract	✅ Passed	This PR modifies only YAML CI configuration files for virt-platform-autopilot, not executable code. The OTE Binary Stdout Contract check applies to source code that might write to stdout inappropri...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds CI config YAML for virt-platform-autopilot periodic job, not Ginkgo e2e test code. Check applies only to new test implementations with It(), Describe(), etc.
No-Weak-Crypto	✅ Passed	The PR adds a CI configuration YAML file with no cryptographic implementations, weak crypto patterns, or unsafe secret comparisons.
Container-Privileges	✅ Passed	No privileged container settings detected. The PR adds a ci-operator configuration file containing no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root p...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, or session IDs) exposed in logs. Credentials properly mounted from test-credentials namespace; usernames set in env vars follow established repo...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rlobillo
Once this PR has been reviewed and has the lgtm label, please assign dominikholler for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/OWNERS
• ci-operator/jobs/openshift-virtualization/virt-platform-autopilot/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml`:
- Around line 34-59: The curl command downloading the cnv-ci tarball is
hardcoded to fetch from `tarball/master`, but the job declares a specific
`CNV_VERSION: "4.99"`. Replace the hardcoded `master` reference in the curl URL
with a reference to the `CNV_VERSION` variable so the tarball version matches
the declared release version. This ensures the test infrastructure version
remains synchronized with the declared release versions rather than always
pulling from the master branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 977612ad-9c02-4ab3-b2e5-c223a3aa1935

📥 Commits

Reviewing files that changed from the base of the PR and between 91ed90d and ef81d37.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

[coderabbitai]

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml"

echo "1) Verify current tarball source in config:"
rg -n 'cnv-ci/tarball|CNV_VERSION|OCP_VERSION' "$FILE"

echo
echo "2) Verify release tarball endpoints resolve:"
CNV_VERSION="$(awk '/name: CNV_VERSION/{getline; gsub(/"/,"",$2); print $2}' "$FILE")"
OCP_VERSION="$(awk '/name: OCP_VERSION/{getline; gsub(/"/,"",$2); print $2}' "$FILE")"

echo "Checking release-\${CNV_VERSION}: ${CNV_VERSION}"
curl -sSI "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" | head -n 1

echo "Checking release-\${OCP_VERSION}: ${OCP_VERSION}"
curl -sSI "https://github.com/openshift-cnv/cnv-ci/tarball/release-${OCP_VERSION}" | head -n 1

Repository: openshift/release

Length of output: 506

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml"

echo "=== Full file content for context ==="
cat -n "$FILE"

echo
echo "=== Check for other cnv-ci tarball references in codebase ==="
rg 'cnv-ci/tarball' --type yaml -A 2 -B 2 | head -60

Repository: openshift/release

Length of output: 3555

---

Pin cnv-ci tarball to the declared CNV_VERSION.

Line 34 hardcodes tarball/master, but the job declares CNV_VERSION: "4.99" and OCP_VERSION: "5.0" (lines 56–59). This creates nondeterminism—the test infrastructure diverges from the declared release versions, causing unpredictable failures.

Suggested fix

-        curl -L https://github.com/openshift-cnv/cnv-ci/tarball/master -o /tmp/cnv-ci.tgz
+        curl -fsSL "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" -o /tmp/cnv-ci.tgz

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -L https://github.com/openshift-cnv/cnv-ci/tarball/master -o /tmp/cnv-ci.tgz
	mkdir -p /tmp/cnv-ci
	tar -xvzf /tmp/cnv-ci.tgz -C /tmp/cnv-ci --strip-components=1
	cd /tmp/cnv-ci
	make update_pull_secret set_imagedigestmirrorset deploy_cnv
	oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p='[{"op": "add", "path": "/spec/defaultCPUModel", "value": "Broadwell"}]'
	credentials:
	- mount_path: /var/run/cnv-ci-brew-pull-secret
	name: cnv-ci-brew-pull-secret
	namespace: test-credentials
	- mount_path: /var/run/cnv-ci-konflux-pull-secret
	name: konflux-pull-secret
	namespace: test-credentials
	env:
	- default: '|7820aea2-0d75-11e7-9259-28d244ea5a6d.hhav.f63e13'
	name: BREW_IMAGE_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-brew-pull-secret/token
	name: BREW_IMAGE_REGISTRY_TOKEN_PATH
	- default: openshift-virtualization+konflux_ro_bot
	name: KONFLUX_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-konflux-pull-secret/token
	name: KONFLUX_REGISTRY_TOKEN_PATH
	- default: "5.0"
	name: OCP_VERSION
	- default: "4.99"
	name: CNV_VERSION
	curl -fsSL "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" -o /tmp/cnv-ci.tgz
	mkdir -p /tmp/cnv-ci
	tar -xvzf /tmp/cnv-ci.tgz -C /tmp/cnv-ci --strip-components=1
	cd /tmp/cnv-ci
	make update_pull_secret set_imagedigestmirrorset deploy_cnv
	oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p='[{"op": "add", "path": "/spec/defaultCPUModel", "value": "Broadwell"}]'
	credentials:
	- mount_path: /var/run/cnv-ci-brew-pull-secret
	name: cnv-ci-brew-pull-secret
	namespace: test-credentials
	- mount_path: /var/run/cnv-ci-konflux-pull-secret
	name: konflux-pull-secret
	namespace: test-credentials
	env:
	- default: '|7820aea2-0d75-11e7-9259-28d244ea5a6d.hhav.f63e13'
	name: BREW_IMAGE_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-brew-pull-secret/token
	name: BREW_IMAGE_REGISTRY_TOKEN_PATH
	- default: openshift-virtualization+konflux_ro_bot
	name: KONFLUX_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-konflux-pull-secret/token
	name: KONFLUX_REGISTRY_TOKEN_PATH
	- default: "5.0"
	name: OCP_VERSION
	- default: "4.99"
	name: CNV_VERSION

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml`
around lines 34 - 59, The curl command downloading the cnv-ci tarball is
hardcoded to fetch from `tarball/master`, but the job declares a specific
`CNV_VERSION: "4.99"`. Replace the hardcoded `master` reference in the curl URL
with a reference to the `CNV_VERSION` variable so the tarball version matches
the declared release version. This ensures the test infrastructure version
remains synchronized with the declared release versions rather than always
pulling from the master branch.

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rlobillo: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@rlobillo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure	6877520	link	unknown	/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.