From 8dddeeb3e19b1a25557568fbecf3ebbdab1a974f Mon Sep 17 00:00:00 2001 From: Bryan Cox Date: Wed, 25 Feb 2026 12:15:26 -0500 Subject: [PATCH 1/2] OCPBUGS: Add HyperShift e2e gating tests to cluster-machine-approver Add optional HyperShift AWS and AKS e2e presubmit tests to the cluster-machine-approver CI configuration. This ensures that changes to the machine-approver are validated against HyperShift environments before merging. Motivated by cluster-machine-approver PR #286 which introduced a TLS profile fetch requiring new RBAC that broke all HyperShift e2e tests. Co-Authored-By: Claude Opus 4.6 --- ...enshift-cluster-machine-approver-main.yaml | 23 +++ ...ster-machine-approver-main-presubmits.yaml | 162 ++++++++++++++++++ 2 files changed, 185 insertions(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main.yaml index c8d0bcfe86d46..758fd18d6327b 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main.yaml @@ -1,3 +1,12 @@ +base_images: + hypershift-operator: + name: hypershift-operator + namespace: hypershift + tag: latest + hypershift-tests: + name: hypershift-tests + namespace: hypershift + tag: latest build_root: from_repository: true images: 
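Review bot: Both new `base_images` entries, `hypershift-operator` and `hypershift-tests`, resolve to `tag: latest` in the `hypershift` namespace, so the operator and test binary a presubmit runs against can change between two runs of the same PR. A failure in these jobs may therefore come from an unrelated HyperShift change rather than from the cluster-machine-approver change under test, which weakens them as a merge signal. The same two entries are added to the release-4.22 and release-4.23 configs in patch 2/2, where release-branch PRs would apparently be exercised against images that track HyperShift's current development stream. Please confirm that is intended and say so in the commit message, or point the release-branch configs at a branch-matched tag if the `hypershift` namespace publishes one.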
@@ -86,6 +95,20 @@ tests: steps: cluster_profile: aws-3 workflow: openshift-e2e-aws-capi +- as: e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-e2e-external +- as: e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aks + env: + AUTH_THROUGH_CERTS: "true" + ENABLE_HYPERSHIFT_CERT_ROTATION_SCALE: "true" + HYPERSHIFT_AZURE_LOCATION: uksouth + workflow: hypershift-azure-aks-e2e - as: verify-deps steps: env: diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main-presubmits.yaml index 6adf0c3ba8680..dc85e9e3f9e07 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-main-presubmits.yaml 
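Review bot: Neither `e2e-hypershift-aws` nor `e2e-hypershift-aks` sets `optional: true`, although the commit message describes them as optional presubmits. With `skip_if_only_changed` and no `optional` key, the generated jobs later in this patch carry `always_run: false` and no `optional: true`, so they would appear to run on every non-docs PR and report a blocking context; a flake in either cloud environment then holds up merges. If blocking is the intent (the subject line says "gating"), reword the description. Otherwise add `optional: true` under each `- as:` entry here and in the matching hunks of the release-4.22 and release-4.23 configs in patch 2/2, then regenerate the presubmits.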
@@ -405,6 +405,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-gcp-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build11 + context: ci/prow/e2e-hypershift-aks + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aks + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aks + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aks + rerun_command: /test e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aks + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + 
secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aks,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build11 + context: ci/prow/e2e-hypershift-aws + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws + rerun_command: /test e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aws + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + 
serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aws,?($|\s.*) - agent: kubernetes always_run: false branches: From bb28fe483168c75f8bbf0ffed8c632ca41bd63ec Mon Sep 17 00:00:00 2001 From: Bryan Cox Date: Wed, 25 Feb 2026 17:05:52 -0500 Subject: [PATCH 2/2] Add HyperShift e2e tests to cluster-machine-approver release-4.22 and release-4.23 Extend HyperShift AWS and AKS e2e presubmit tests to the release-4.22 and release-4.23 branch configurations, matching the tests already added to the main config. Co-Authored-By: Claude Opus 4.6 --- ...cluster-machine-approver-release-4.22.yaml | 23 +++ ...cluster-machine-approver-release-4.23.yaml | 23 +++ ...hine-approver-release-4.22-presubmits.yaml | 162 ++++++++++++++++++ ...hine-approver-release-4.23-presubmits.yaml | 162 ++++++++++++++++++ 4 files changed, 370 insertions(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 6575448c155cd..43a44ee182869 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml 
@@ -1,3 +1,12 @@ +base_images: + hypershift-operator: + name: hypershift-operator + namespace: hypershift + tag: latest + hypershift-tests: + name: hypershift-tests + namespace: hypershift + tag: latest build_root: from_repository: true images: @@ -87,6 +96,20 @@ tests: steps: cluster_profile: aws-3 workflow: openshift-e2e-aws-capi +- as: e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-e2e-external +- as: e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aks + env: + AUTH_THROUGH_CERTS: "true" + ENABLE_HYPERSHIFT_CERT_ROTATION_SCALE: "true" + HYPERSHIFT_AZURE_LOCATION: uksouth + workflow: hypershift-azure-aks-e2e - as: verify-deps steps: env: diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23.yaml index 6c5d09733bd87..f9fd54a09431e 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23.yaml @@ -1,3 +1,12 @@ +base_images: + hypershift-operator: + name: hypershift-operator + namespace: hypershift + tag: latest + hypershift-tests: + name: hypershift-tests + namespace: hypershift + tag: latest build_root: from_repository: true images: 
@@ -86,6 +95,20 @@ tests: steps: cluster_profile: aws-3 workflow: openshift-e2e-aws-capi +- as: e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aws + workflow: hypershift-aws-e2e-external +- as: e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + steps: + cluster_profile: hypershift-aks + env: + AUTH_THROUGH_CERTS: "true" + ENABLE_HYPERSHIFT_CERT_ROTATION_SCALE: "true" + HYPERSHIFT_AZURE_LOCATION: uksouth + workflow: hypershift-azure-aks-e2e - as: verify-deps steps: env: diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml index de31eece47420..6623ef8d2c2ea 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml 
@@ -405,6 +405,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-gcp-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build02 + context: ci/prow/e2e-hypershift-aks + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aks + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aks + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-hypershift-aks + rerun_command: /test e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aks + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: 
ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aks,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build02 + context: ci/prow/e2e-hypershift-aws + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-hypershift-aws + rerun_command: /test e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aws + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: 
/etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aws,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23-presubmits.yaml index 493125f305fc3..df57650c55602 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.23-presubmits.yaml 
@@ -405,6 +405,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-gcp-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.23$ + - ^release-4\.23- + cluster: build02 + context: ci/prow/e2e-hypershift-aks + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aks + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aks + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.23-e2e-hypershift-aks + rerun_command: /test e2e-hypershift-aks + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aks + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: 
ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aks,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.23$ + - ^release-4\.23- + cluster: build02 + context: ci/prow/e2e-hypershift-aws + decorate: true + labels: + ci-operator.openshift.io/cloud: hypershift-aws + ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.23-e2e-hypershift-aws + rerun_command: /test e2e-hypershift-aws + skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-hypershift-aws + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: 
/etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-hypershift-aws,?($|\s.*) - agent: kubernetes always_run: false branches: