openshift · maximunited · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-disconnected.yaml b/ci-operator/config/medik8s/system-tests/medik8s-system-tests-main__4.22-disconnected.yaml
@@ -0,0 +1,52 @@
+base_images:
+  upi-installer:
+    name: "4.22"
+    namespace: ocp
+    tag: upi-installer
+build_root:
+  from_repository: true
+releases:
+  latest:
+    candidate:
+      product: ocp
+      stream: nightly
+      version: "4.22"
+resources:
+  '*':
+    requests:
+      cpu: 500m
+      memory: 1000Mi
+tests:
+- as: e2e-sbr-weekly-aws-disconnected-nfs
+  capabilities:
+  - intranet
+  cron: 0 8 * * 0
+  steps:
+    cluster_profile: medik8s-aws
+    env:
+      BASE_DOMAIN: ocp-ci.medik8s-ci.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m5.xlarge
+      ECO_TEST_FEATURES: sbr-operator
+      OCP_VERSION: "422"
+      OO_CHANNEL: stable
+      OPERATORS: storage-based-remediation
+    test:
+    - ref: medik8s-disconnected-catalogsource
+    - ref: medik8s-operator-subscribe
+    - ref: medik8s-sbr-nfs-bastion
+    - as: e2e-test
+      cli: latest
+      commands: make run-tests
+      env:
+      - name: ECO_TEST_FEATURES
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+          memory: 200Mi
+    workflow: openshift-e2e-aws-disconnected
+zz_generated_metadata:
+  branch: main
+  org: medik8s
+  repo: system-tests
+  variant: 4.22-disconnected
diff --git a/ci-operator/jobs/medik8s/system-tests/medik8s-system-tests-main-periodics.yaml b/ci-operator/jobs/medik8s/system-tests/medik8s-system-tests-main-periodics.yaml
@@ -1,4 +1,91 @@
 periodics:
+- agent: kubernetes
+  cluster: build03
+  cron: 0 8 * * 0
+  decorate: true
+  decoration_config:
+    sparse_checkout_files:
+    - .ci-operator.yaml
+  extra_refs:
+  - base_ref: main
+    org: medik8s
+    repo: system-tests
+    sparse_checkout_files:
+    - .ci-operator.yaml
+  labels:
+    capability/intranet: intranet
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: medik8s-aws
+    ci-operator.openshift.io/variant: 4.22-disconnected
+    ci.openshift.io/generator: prowgen
+    job-release: "4.22"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-medik8s-system-tests-main-4.22-disconnected-e2e-sbr-weekly-aws-disconnected-nfs
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-sbr-weekly-aws-disconnected-nfs
+      - --variant=4.22-disconnected
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build05
   cron: 0 4 * * 0

diff --git a/ci-operator/step-registry/medik8s/sbr/OWNERS b/ci-operator/step-registry/medik8s/sbr/OWNERS
@@ -0,0 +1,16 @@
+approvers:
+  - beekhof
+  - clobrano
+  - maximunited
+  - mshitrit
+  - razo7
+  - slintes
+  - ugreener
+reviewers:
+  - beekhof
+  - clobrano
+  - maximunited
+  - mshitrit
+  - razo7
+  - slintes
+  - ugreener
diff --git a/ci-operator/step-registry/medik8s/sbr/nfs-bastion/OWNERS b/ci-operator/step-registry/medik8s/sbr/nfs-bastion/OWNERS
@@ -0,0 +1,16 @@
+approvers:
+  - beekhof
+  - clobrano
+  - maximunited
+  - mshitrit
+  - razo7
+  - slintes
+  - ugreener
+reviewers:
+  - beekhof
+  - clobrano
+  - maximunited
+  - mshitrit
+  - razo7
+  - slintes
+  - ugreener
diff --git a/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-commands.sh b/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-commands.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BASTION_PUBLIC=$(head -n 1 "${SHARED_DIR}/bastion_public_address")
+BASTION_PRIVATE=$(head -n 1 "${SHARED_DIR}/bastion_private_address")
+BASTION_USER=$(head -n 1 "${SHARED_DIR}/bastion_ssh_user")
+SSH_KEY="${CLUSTER_PROFILE_DIR}/ssh-privatekey"
+
+NFS_EXPORT="/srv/nfs/sbr"
+
+ssh_bastion() {
+    ssh \
+        -o StrictHostKeyChecking=no \
+        -o UserKnownHostsFile=/dev/null \
+        -o LogLevel=ERROR \
+        -i "${SSH_KEY}" \
+        "${BASTION_USER}@${BASTION_PUBLIC}" \
+        "$@"
+}
+
+echo "Configuring NFS server on bastion ${BASTION_PUBLIC} (private: ${BASTION_PRIVATE})"
+
+ssh_bastion "sudo mkdir -p ${NFS_EXPORT} && sudo chmod 777 ${NFS_EXPORT}"
+
+# Write export; no_root_squash required so the NFS provisioner can chown PV dirs
+ssh_bastion "echo '${NFS_EXPORT} *(rw,sync,no_root_squash,no_subtree_check)' | sudo tee /etc/exports.d/sbr.exports"
+
+ssh_bastion "sudo systemctl enable --now nfs-server && sudo exportfs -ra"
+echo "NFS server ready: ${BASTION_PRIVATE}:${NFS_EXPORT}"
+
+# Create StorageClass backed by the bastion NFS export.
+# soft + timeo=50: if the NFS server becomes unreachable the kernel returns
+# EIO to the caller after ~5 seconds instead of retrying indefinitely.
+# Without soft mount, SBR storage loss tests would hang in kernel retries
+# and never trigger the remediation path.
+oc apply -f - <<EOF
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs-sbr
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: kubernetes.io/no-provisioner
+volumeBindingMode: Immediate
+mountOptions:
+  - vers=4.1
+  - soft
+  - timeo=50
+EOF
+
+oc apply -f - <<EOF
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-sbr-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  mountOptions:
+    - vers=4.1
+    - soft
+    - timeo=50
+  nfs:
+    server: ${BASTION_PRIVATE}
+    path: ${NFS_EXPORT}
+  storageClassName: nfs-sbr
+  persistentVolumeReclaimPolicy: Retain
+EOF
+
+echo "StorageClass 'nfs-sbr' and PersistentVolume 'nfs-sbr-pv' created"
+oc get sc nfs-sbr
+oc get pv nfs-sbr-pv
diff --git a/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-ref.metadata.json b/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-ref.metadata.json
@@ -0,0 +1,23 @@
+{
+	"path": "medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-ref.yaml",
+	"owners": {
+		"approvers": [
+			"beekhof",
+			"clobrano",
+			"maximunited",
+			"mshitrit",
+			"razo7",
+			"slintes",
+			"ugreener"
+		],
+		"reviewers": [
+			"beekhof",
+			"clobrano",
+			"maximunited",
+			"mshitrit",
+			"razo7",
+			"slintes",
+			"ugreener"
+		]
+	}
+}
diff --git a/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-ref.yaml b/ci-operator/step-registry/medik8s/sbr/nfs-bastion/medik8s-sbr-nfs-bastion-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+  as: medik8s-sbr-nfs-bastion
+  from: upi-installer
+  cli: latest
+  grace_period: 10m
+  commands: medik8s-sbr-nfs-bastion-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  documentation: |-
+    Configures an NFS server on the disconnected bastion host and creates a
+    StorageClass and PersistentVolume in the cluster backed by that NFS export.
+    Used by SBR tests to provide a shared RWX storage class in disconnected
+    environments where ODF is not available.
+
+    Reads bastion connection details from SHARED_DIR (bastion_public_address,
+    bastion_private_address, bastion_ssh_user) and the SSH key from
+    CLUSTER_PROFILE_DIR/ssh-privatekey.
+
+    The PV is created with soft NFS mount options (soft,timeo=50) so that
+    storage loss surfaces as I/O errors to the application rather than causing
+    indefinite kernel retries — required for SBR fault detection to work.