Add OCP 4.22 to prow

[tbuskey]

Other changes:
MUST_GATHER_ON_FAILURE_ONLY: "false" # so prow always runs kata must-gather
tests-private tag: "4.23" # new openshift-tests-private main
INSTALL_KATA_RPM: true
KATA_RPM_VERSION: 3.31.0-1.rhaos4.19.el9 # 4.19 -> 4.21
KATA_RPM_VERSION: 3.31.0-1.rhaos4.22.el9 # 4.22

KATA-5408

Summary by CodeRabbit

This pull request extends Prow CI configuration for the sandboxed-containers-operator to support OCP 4.22 by updating Kata container runtime settings and test image versions across multiple downstream CI pipelines.

Changes Made

The PR modifies CI configuration files for the sandboxed-containers-operator across OCP versions 4.19–4.22:

Across OCP 4.19–4.21 configurations (downstream-candidate419.yaml, downstream-candidate420.yaml, downstream-candidate421.yaml):

• Updated the tests-private base image tag from 4.22 to 4.23 to align with the latest OpenShift test suite version
• Enabled Kata RPM installation by setting INSTALL_KATA_RPM to "true" (previously disabled)
• Set KATA_RPM_VERSION to 3.31.0-1.rhaos4.19.el9 to ensure compatible Kata container runtime versions across these OCP releases
• Changed MUST_GATHER_ON_FAILURE_ONLY from "true" to "false" to ensure Kata diagnostics are always collected during e2e testing, not just on failures

These changes apply to periodic e2e test jobs across Azure IPI, ARO, and AWS platforms with various workload variants (kata, peerpods, coco).

For OCP 4.22 (downstream-candidate422.yaml):

• New configuration file that establishes the CI pipeline for OCP 4.22 with embedded Kata RPM and must-gather settings pre-configured to align with 4.19–4.21 behavior

Impact

The configuration changes ensure consistent Kata container runtime behavior across OCP 4.19–4.22 by standardizing RPM versioning and diagnostic collection, addressing requirements from JIRA issue KATA-5408. The updated test image tags ensure CI jobs use the latest OpenShift test suites for more comprehensive compatibility validation.

[tbuskey]

/assign @wainersm
/assign @vvoronko

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 44546a42-b3e6-4b07-b199-6263c941b937

📥 Commits

Reviewing files that changed from the base of the PR and between 790c5b4 and 58c889e.

📒 Files selected for processing (4)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml
• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate420.yaml
• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml
• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml
• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate421.yaml

---

Walkthrough

Three existing downstream-candidate CI configs (419, 420, 421) are updated to restrict network access, enable Kata RPM installation with pinned version 3.31.0-1.rhaos4.19.el9, and collect must-gather logs unconditionally across all periodic e2e job variants. A new downstream-candidate422 config file is added with base image pinning to 4.22, default resource requests, and complete job definitions for Azure, ARO, and AWS platforms.

Changes

Sandboxed Containers CI Configuration Updates

Layer / File(s)	Summary
Candidates 419–421 network and Kata configuration updates ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml, ...downstream-candidate420.yaml, ...downstream-candidate421.yaml	Across all seven job variants in each config (azure-ipi-kata, azure-ipi-peerpods, azure-ipi-coco, aro-ipi-peerpods, aro-ipi-coco, aws-ipi-peerpods, aws-ipi-coco), sets restrict_network_access to true, enables INSTALL_KATA_RPM: "true", pins KATA_RPM_VERSION to 3.31.0-1.rhaos4.19.el9, and changes MUST_GATHER_ON_FAILURE_ONLY to "false".
New downstream-candidate422 configuration ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate422.yaml	Adds complete configuration for downstream-candidate422: base images and releases pinned to 4.22, default resource requests (100m CPU, 200Mi memory), prowgen sparse checkout disabled, six scheduled e2e test jobs with reporter configuration to #kata-ocp-ci-reports, Kata RPM pinning, must-gather enabled, workload routing via environment variables (ENABLEPEERPODS, RUNTIMECLASS, WORKLOAD_TO_TEST, TEST_FILTERS), platform-specific environment variables for ARO and AWS, and generated metadata.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add OCP 4.22 to prow' accurately reflects the main objective of the pull request - adding OCP 4.22 support with kata testing configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only CI/CD YAML configuration files, not Ginkgo test code. The custom check for stable test names is not applicable to non-test code files.
Test Structure And Quality	✅ Passed	This PR contains only CI/prow configuration changes (YAML files), not Ginkgo test code. The custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR modifies only CI configuration YAML files, not test code. No new Ginkgo e2e tests are being added, so the MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All changes are CI configuration updates (YAML files defining test job environments and parameters), not test code.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are CI job configuration files (ci-operator config for prow jobs), not deployment manifests or operator code. No Kubernetes scheduling constraints, pod affinity rules, or topology-aware dep...
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML CI configuration changes for test jobs, not binary/source code. OTE Binary Stdout Contract check is not applicable to CI configuration files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only CI configuration YAML files (prow job definitions), not Ginkgo e2e test code. No new test definitions (It(), Describe(), Context(), When()) found. Check not applicable.
No-Weak-Crypto	✅ Passed	PR modifies only CI/CD configuration files (YAML) with no cryptographic code, weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or insecure comparisons.
Container-Privileges	✅ Passed	The PR modifies CI operator configuration files, not Kubernetes container manifests. These YAML files define test job configurations with environment variables and cluster profiles, not container s...
No-Sensitive-Data-In-Logs	✅ Passed	PR configuration changes don't add logging that exposes passwords, tokens, API keys, or PII. Environment variables configured are standard non-sensitive values; must-gather script includes MCO sani...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-merge-bot]

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tbuskey]

/pj-rehearse abort

[openshift-merge-bot]

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tbuskey]

Cannot do pj-rehearse because restrict_network_access: false prevents it. PR needs it checked in as false.

[wainersm]

Hi @tbuskey ,

On the log of the rehearse'ed job:

 * could not run steps: step [input:tests-private] failed: failed to wait for importing imagestreamtags on ci-op-gnq835mp/pipeline:tests-private: failed to reimport the tag ci-op-gnq835mp/pipeline:tests-private: unable to import tag ci-op-gnq835mp/pipeline:tests-private with message Internal error occurred: [dockerimage.image.openshift.io "quay.io/openshift/ci:ci_tests-private_4.23" not found, dockerimage.image.openshift.io "quay-proxy.ci.openshift.org/openshift/ci:ci_tests-private_4.23" not found] on the image stream even after (6) imports: timed out waiting for the condition 

It seems that the private repo isn't even built alongside 4.23.

And regarding the MUST_GATHER_ON_FAILURE_ONLY change, IMHO we should not make it and risk the pipelines to become unstable. We don't know if must-gather will cause the pipeline to fail even if the tests pass.

[tbuskey]

/pj-rehearse ack

I'll revert this in a bit

[openshift-merge-bot]

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tbuskey]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-kata

[openshift-merge-bot]

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[tbuskey]

/pj-rehearse list

[openshift-merge-bot]

@tbuskey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@tbuskey: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-kata	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aro-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-azure-ipi-coco	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aws-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aro-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aws-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-kata	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-kata	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-peerpods	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-peerpods	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aro-ipi-coco	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-coco	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-coco	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate422-aws-ipi-peerpods	N/A	periodic	Periodic changed

A total of 28 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[vvoronko]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tbuskey, vvoronko

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/sandboxed-containers-operator/OWNERS [tbuskey,vvoronko]
• ci-operator/jobs/openshift/sandboxed-containers-operator/OWNERS [tbuskey,vvoronko]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@tbuskey: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-peerpods	5567ab3	link	unknown	/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-peerpods

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.