ROSAENG-8194 | task: Migrate cs-rosa-hcp-ad-production-main

[davidleerh]

Summary by CodeRabbit

This PR adds a new CI configuration for automating ROSA (Red Hat OpenShift Service on AWS) HCP (Hosted Control Plane) E2E testing with Active Directory production settings.

What's being added:
A periodic test job configuration file (openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml) that:

• Runs OCM FVT (Functional Verification Tests) for ROSA HCP against an Active Directory production environment
• Executes daily at 03:00 UTC
• Uses OCP 4.22 nightly release targeting with a golang-1.24 builder image
• Configures resource limits (4Gi memory, 100m CPU minimum) appropriate for nested Podman workloads
• Sets a 5-hour timeout to accommodate longer integration tests
• References the existing rosa-e2e-ocm-fvt test framework

Infrastructure impact:
This migrates the ROSA HCP AD production testing infrastructure into the main branch's CI configuration, enabling automated daily validation of the ROSA platform against a production-like AD environment. The test will run alongside other ROSA E2E tests in the OpenShift CI pipeline.

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml is excluded by !ci-operator/jobs/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b38cee13-d46c-4c7c-bc0c-7815dd6e6a9a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

A new ROSA E2E CI configuration file is added for OpenShift Online to define base image building, default resource allocations, OCP 4.22 nightly release targeting, and a daily periodic test job (ocm-fvt-periodic-cs-rosa-hcp-ad-production-main) that runs at 03:00 UTC with nested podman enabled and a 5-hour timeout.

Changes

ROSA E2E HCP Production CI Configuration

Layer / File(s)	Summary
Global CI configuration and base images ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml	Establishes nested-podman base image, specifies builder image stream tag (ocp/builder:rhel-9-golang-1.24-openshift-4.22), targets the latest nightly OCP 4.22 release stream, and sets default resource requests (100m CPU, 200Mi memory) and limits (4Gi memory) for all resources.
Periodic test job definition and metadata ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml	Defines a periodic E2E test job (ocm-fvt-periodic-cs-rosa-hcp-ad-production-main) that runs daily at 03:00 UTC, enables nested podman, sets OCM FVT environment variables, references the rosa-e2e-ocm-fvt test, applies a 5-hour timeout, and assigns metadata labels for tracking (branch: main, org: openshift-online, repo: rosa-e2e, variant: ocm-fvt-rosa-hcp-production).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#80231: Adds a related ROSA E2E OpenShift Online CI configuration with the same base images, builder tag, OCP 4.22 targeting, and global resource defaults but with a different OCM FVT test variant job name.
• openshift/release#80229: Updates multiple existing ROSA E2E OCM-FVT periodic test jobs to set timeout to 5 hours; this PR introduces the same 5-hour timeout pattern for the new HCP production job.

Suggested labels

lgtm, approved, ok-to-test, rehearsals-ack, jira/valid-reference

Suggested reviewers

• bmeng
• dustman9000

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the task/migration objective (ROSAENG-8194 | cs-rosa-hcp-ad-production-main) that is being implemented in the changeset by adding the ROSA E2E CI configuration file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds CI configuration and utility tools but no Ginkgo test definitions. Check is not applicable as there are no Ginkgo test titles (It, Describe, Context, etc.) to evaluate.
Test Structure And Quality	✅ Passed	PR adds a YAML CI configuration file, not Ginkgo test code; custom check for test structure review is not applicable to this change.
Microshift Test Compatibility	✅ Passed	PR only adds CI configuration files and references existing test steps. No new Ginkgo e2e test code is added, making the MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only CI configuration (YAML), not new Ginkgo e2e tests. The check for SNO compatibility applies only to new Ginkgo test code, which is not present in this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR adds only CI configuration and test step files with no deployment manifests or operator code containing topology-unsafe scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR adds only YAML CI configuration file with no Go test code; OTE Binary Stdout Contract check applies only to Go test binaries, not CI configuration.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only a CI configuration file referencing existing OCM FVT test steps. No new Ginkgo e2e tests (It(), Describe(), Context(), When(), etc.) are introduced, so check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds YAML CI configuration file with no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or insecure secret comparisons detected.
Container-Privileges	✅ Passed	The new YAML configuration file contains no privileged container settings such as privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root execution.
No-Sensitive-Data-In-Logs	✅ Passed	Configuration file and test scripts do not expose passwords, tokens, API keys, PII, or sensitive data in logs. Credentials are properly handled via mounted volumes with restricted permissions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: davidleerh
Once this PR has been reviewed and has the lgtm label, please assign ravitri for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-online/rosa-e2e/OWNERS
• ci-operator/jobs/openshift-online/rosa-e2e/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

@coderabbitai[bot]: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@davidleerh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main	e09c2b1	link	unknown	/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[davidleerh]

/retest

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@davidleerh, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't rebase candidate onto e479ec43d9417380b6aa8b4a11cdd0088a176de2 due to conflicts

[openshift-merge-bot]

@davidleerh, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto e479ec43d9417380b6aa8b4a11cdd0088a176de2 due to conflicts

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@davidleerh, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't rebase candidate onto e479ec43d9417380b6aa8b4a11cdd0088a176de2 due to conflicts

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@davidleerh, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't rebase candidate onto 9fe6bab8bd2db0516e387e8167b748e49c53f4d0 due to conflicts

[davidleerh]

closing in favor of #80434