add rosa hypershift prod advanced & private link job

openshift · Nov 16, 2023 · dd726dc · dd726dc
1 parent 76be058
commit dd726dc
Show file tree

Hide file tree

Showing 7 changed files with 316 additions and 1 deletion.
diff --git a/...openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-stable.yaml b/...openshift-tests-private/openshift-openshift-tests-private-release-4.14__amd64-stable.yaml
@@ -235,6 +235,42 @@ tests:
     test:
     - chain: openshift-e2e-test-hypershift-qe
     workflow: rosa-aws-sts-hypershift-sector
+- as: aws-rosa-sts-hypershift-sector-guest-prod-advanced-full-f2
+  cron: 12 3 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 * *
+  steps:
+    cluster_profile: aws-sd-qe
+    env:
+      CLUSTER_SECTOR: canary
+      E2E_RUN_TAGS: '@amd64 and @aws-ipi and @rosa and @network-ovnkubernetes and
+        @hypershift-hosted and not @fips'
+      ENABLE_AUTOSCALING: "false"
+      OCM_LOGIN_ENV: production
+      OPENSHIFT_VERSION: "4.14"
+      REGION: us-east-1
+      REPLICAS: "3"
+      ROSA_LOGIN_ENV: production
+      TAG_VERSION: '@4.14'
+      TEST_FILTERS: ~ChkUpgrade&;~NonPreRelease&;~Serial&;~Disruptive&;~DisconnectedOnly&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;ROSA&
+    test:
+    - chain: openshift-e2e-test-hypershift-qe
+    workflow: rosa-aws-sts-hypershift-sector-advanced
+- as: aws-rosa-sts-hypershift-sec-guest-prod-private-link-full-f2
+  cron: 53 16 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *
+  steps:
+    cluster_profile: aws-sd-qe
+    env:
+      CLUSTER_SECTOR: canary
+      E2E_RUN_TAGS: '@amd64 and @aws-ipi and @rosa and @network-ovnkubernetes and
+        @hypershift-hosted and not @fips'
+      OCM_LOGIN_ENV: production
+      OPENSHIFT_VERSION: "4.14"
+      REGION: us-east-1
+      ROSA_LOGIN_ENV: production
+      TAG_VERSION: '@4.14'
+      TEST_FILTERS: ~ChkUpgrade&;~NonPreRelease&;~Serial&;~Disruptive&;~ConnectedOnly&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;ROSA&
+    test:
+    - chain: openshift-e2e-test-hypershift-qe
+    workflow: rosa-aws-sts-hypershift-sector-private-link
 - as: aws-usgov-ipi-private-sts-f14
   cron: 58 14 14,29 * *
   steps:

diff --git a/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.14-periodics.yaml b/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.14-periodics.yaml
@@ -40184,6 +40184,200 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 53 16 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.14
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-sd-qe
+    ci-operator.openshift.io/variant: amd64-stable
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-stable-aws-rosa-sts-hypershift-sec-guest-prod-private-link-full-f2
+  reporter_config:
+    slack:
+      channel: '#managed-hypershift-ci-watcher'
+      job_states_to_report:
+      - failure
+      - error
+      report_template: '{{if eq .Status.State "success"}} :rainbow: Job *{{.Spec.Job}}*
+        ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :rainbow: {{else}}
+        :volcano: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View
+        logs> :volcano: {{end}}'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/aws-rosa-sts-hypershift-sec-guest-prod-private-link-full-f2-cluster-profile
+      - --target=aws-rosa-sts-hypershift-sec-guest-prod-private-link-full-f2
+      - --variant=amd64-stable
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/aws-rosa-sts-hypershift-sec-guest-prod-private-link-full-f2-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-aws-sd-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 12 3 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.14
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-sd-qe
+    ci-operator.openshift.io/variant: amd64-stable
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.14-amd64-stable-aws-rosa-sts-hypershift-sector-guest-prod-advanced-full-f2
+  reporter_config:
+    slack:
+      channel: '#managed-hypershift-ci-watcher'
+      job_states_to_report:
+      - failure
+      - error
+      report_template: '{{if eq .Status.State "success"}} :rainbow: Job *{{.Spec.Job}}*
+        ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :rainbow: {{else}}
+        :volcano: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View
+        logs> :volcano: {{end}}'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/aws-rosa-sts-hypershift-sector-guest-prod-advanced-full-f2-cluster-profile
+      - --target=aws-rosa-sts-hypershift-sector-guest-prod-advanced-full-f2
+      - --variant=amd64-stable
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/aws-rosa-sts-hypershift-sector-guest-prod-advanced-full-f2-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-aws-sd-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 33 7 1,3,5,7,9,11,13,15,17,19,20,23,25,27,29 * *

diff --git a/ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh b/ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh
@@ -10,7 +10,7 @@ trap 'save_stack_events_to_artifacts' EXIT TERM INT
 
 export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
 
-REGION="${LEASED_RESOURCE}"
+REGION=${REGION:-$LEASED_RESOURCE}
 
 function save_stack_events_to_artifacts()
 {

diff --git a/ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-ref.yaml b/ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-ref.yaml
@@ -23,5 +23,8 @@ ref:
     default: ""
     documentation: |-
       BYO AMI for bastion host
+  - name: REGION
+    default: ""
+    documentation: Use a specific AWS region, overriding the LEASED_RESOURCE environment variable in the cluster_profile.
   documentation: |-
     Create a bastion host on AWS for proxy and mirror registry.
diff --git a/ci-operator/step-registry/rosa/aws/sts/hypershift/sector/private-link/OWNERS b/ci-operator/step-registry/rosa/aws/sts/hypershift/sector/private-link/OWNERS
@@ -0,0 +1,20 @@
+reviewers:
+- yasun1
+- xueli181114
+- yuwang-RH
+- tzhou5
+- yingzhanredhat
+- yufchang
+- jtaleric
+- svetsa-rh
+- LiangquanLi930
+- heliubj18
+approvers:
+- yasun1
+- xueli181114
+- yuwang-RH
+- yufchang
+- jtaleric
+- svetsa-rh
+- LiangquanLi930
+- heliubj18
diff --git a/...ft/sector/private-link/rosa-aws-sts-hypershift-sector-private-link-workflow.metadata.json b/...ft/sector/private-link/rosa-aws-sts-hypershift-sector-private-link-workflow.metadata.json
@@ -0,0 +1,27 @@
+{
+	"path": "rosa/aws/sts/hypershift/sector/private-link/rosa-aws-sts-hypershift-sector-private-link-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"yasun1",
+			"xueli181114",
+			"yuwang-RH",
+			"yufchang",
+			"jtaleric",
+			"svetsa-rh",
+			"LiangquanLi930",
+			"heliubj18"
+		],
+		"reviewers": [
+			"yasun1",
+			"xueli181114",
+			"yuwang-RH",
+			"tzhou5",
+			"yingzhanredhat",
+			"yufchang",
+			"jtaleric",
+			"svetsa-rh",
+			"LiangquanLi930",
+			"heliubj18"
+		]
+	}
+}
diff --git a/.../hypershift/sector/private-link/rosa-aws-sts-hypershift-sector-private-link-workflow.yaml b/.../hypershift/sector/private-link/rosa-aws-sts-hypershift-sector-private-link-workflow.yaml
@@ -0,0 +1,35 @@
+workflow:
+  as: rosa-aws-sts-hypershift-sector-private-link
+  steps:
+    env:
+      HOSTED_CP: "true"
+      STS: "true"
+      PERMISSIONS_BOUNDARY: "arn:aws:iam::aws:policy/AdministratorAccess"
+      MULTI_AZ: "false"
+      COMPUTE_MACHINE_TYPE: "m5.xlarge"
+      REPLICAS: "3"
+      PRIVATE: "true"
+      PRIVATE_LINK: "true"
+      BYO_OIDC: "true"
+      OIDC_CONFIG_MANAGED: "false"
+      ZONES_COUNT: "1"
+      ENABLE_SECTOR: "true"
+    pre:
+    - ref: aws-provision-vpc-shared
+    - ref: aws-provision-tags-for-byo-vpc-ocm-pre
+    - chain: aws-provision-bastionhost
+    - ref: proxy-config-generate
+    - ref: osd-ccs-fleet-manager-provision-shards
+    - chain: rosa-sts-oidc-config-create
+    - chain: rosa-cluster-provision
+    - ref: aws-provision-tags-for-byo-vpc
+    - ref: osd-ccs-conf-idp-htpasswd-multi-users
+    - ref: rosa-cluster-wait-ready-nodes
+    post:
+    - chain: rosa-cluster-deprovision
+    - chain: rosa-sts-oidc-config-delete
+    - ref: aws-deprovision-s3buckets
+    - ref: aws-deprovision-stacks
+  documentation: |-
+    This workflow installs a single AZ rosa hypershfit cluster configured to use private-link. The cluster is set with htpasswd idp, and the login informations are stored under $SHARED_DIR/api.login.
+    After finish testing, the cluster will be deprovsioned.