SREP-4053: Add rosa-e2e nightly periodic job

ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main.yaml

@@ -3,6 +3,10 @@ base_images:
     name: nested-podman
     namespace: ci
     tag: latest
+  rosa-aws-cli:
+    name: rosa-aws-cli
+    namespace: ci
+    tag: latest
 build_root:
   image_stream_tag:
     name: builder
@@ -12,6 +16,12 @@ images:
   items:
   - dockerfile_path: Containerfile
     to: rosa-e2e
+releases:
+  latest:
+    candidate:
+      product: ocp
+      stream: nightly
+      version: "4.22"
 resources:
   '*':
     limits:
@@ -57,6 +67,17 @@ tests:
     make lint
   container:
     from: src
+- as: rosa-hcp-e2e-nightly
+  cron: 0 4 * * *
+  steps:
+    cluster_profile: rosa-e2e-01
+    env:
+      CHANNEL_GROUP: stable
+      ENABLE_BILLING_ACCOUNT: "yes"
+      HOSTED_CP: "true"
+      OCM_LOGIN_ENV: staging
+      REPLICAS: "3"
+    workflow: rosa-e2e
 zz_generated_metadata:
   branch: main
   org: openshift-online

ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml

@@ -12,6 +12,7 @@ periodics:
   labels:
     capability/nested-podman: nested-podman
     ci.openshift.io/generator: prowgen
+    job-release: "4.22"
     pj-rehearse.openshift.io/can-be-rehearsed: "true"
   name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-periodic-cs-rosa-hcp-ad-staging-main
   spec:
@@ -68,3 +69,84 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build09
+  cron: 0 4 * * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: main
+    org: openshift-online
+    repo: rosa-e2e
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-01
+    ci.openshift.io/generator: prowgen
+    job-release: "4.22"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-online-rosa-e2e-main-rosa-hcp-e2e-nightly
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=rosa-hcp-e2e-nightly
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-presubmits.yaml

@@ -12,6 +12,7 @@ presubmits:
       skip_cloning: true
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.22"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-online-rosa-e2e-main-images
     rerun_command: /test images
@@ -67,6 +68,7 @@ presubmits:
       skip_cloning: true
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.22"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-online-rosa-e2e-main-lint
     rerun_command: /test lint
@@ -130,6 +132,7 @@ presubmits:
       skip_cloning: true
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.22"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-online-rosa-e2e-main-unit
     rerun_command: /test unit

ci-operator/step-registry/rosa/e2e/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/e2e/rosa-e2e-workflow.metadata.json

@@ -0,0 +1,17 @@
+{
+	"path": "rosa/e2e/rosa-e2e-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		],
+		"reviewers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		]
+	}
+}

ci-operator/step-registry/rosa/e2e/rosa-e2e-workflow.yaml

@@ -0,0 +1,18 @@
+workflow:
+  as: rosa-e2e
+  steps:
+    env:
+      CHANNEL_GROUP: stable
+      HOSTED_CP: "true"
+      REPLICAS: "2"
+    pre:
+      - chain: rosa-aws-sts-hcp-provision
+      - ref: rosa-cluster-wait-ready-nodes
+    test:
+      - ref: rosa-e2e-test
+    post:
+      - chain: rosa-aws-sts-hcp-deprovision
+        best_effort: true
+  documentation: |-
+    This workflow provisions a ROSA HCP cluster and runs the rosa-e2e
+    managed service validation suite, then tears down the cluster.

ci-operator/step-registry/rosa/e2e/test/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/e2e/test/rosa-e2e-test-commands.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+log(){
+    echo -e "\033[1m$(date "+%d-%m-%YT%H:%M:%S") " "${*}\033[0m" >&2
+}
+
+# Configure AWS
+AWSCRED="${CLUSTER_PROFILE_DIR}/.awscred"
+if [[ -f "${AWSCRED}" ]]; then
+  export AWS_SHARED_CREDENTIALS_FILE="${AWSCRED}"
+  export AWS_DEFAULT_REGION="${LEASED_RESOURCE}"
+else
+  log "No AWS credentials found in cluster profile"
+fi
+
+# Log into OCM
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+ROSA_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+
+if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+  log "Logging into ${OCM_LOGIN_ENV} with SSO credentials"
+  ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+elif [[ -n "${ROSA_TOKEN}" ]]; then
+  log "Logging into ${OCM_LOGIN_ENV} with offline token"
+  ocm login --url "${OCM_LOGIN_ENV}" --token "${ROSA_TOKEN}"
+else
+  log "No OCM credentials found in cluster profile"
+  exit 1
+fi
+
+# Get cluster info from shared dir
+CLUSTER_ID=$(cat "${SHARED_DIR}/cluster-id")
+log "Testing cluster: ${CLUSTER_ID}"
+
+OCM_TOKEN=$(ocm token)
+export OCM_TOKEN
+export OCM_ENV="${OCM_LOGIN_ENV}"
+export CLUSTER_ID
+export AWS_REGION="${LEASED_RESOURCE}"
+
+# Try to get MC access via backplane
+log "Attempting MC access via backplane..."
+if ocm backplane login "${CLUSTER_ID}" --manager 2>/dev/null; then
+  export MC_KUBECONFIG="${HOME}/.kube/config"
+  MC_SERVER=$(oc whoami --show-server 2>/dev/null || true)
+  if [[ "${MC_SERVER}" == *"backplane"* ]]; then
+    MANAGEMENT_CLUSTER_ID=$(echo "${MC_SERVER}" | sed 's|.*/cluster/||; s|/.*||')
+    export MANAGEMENT_CLUSTER_ID
+    log "MC access established: ${MANAGEMENT_CLUSTER_ID}"
+  fi
+fi
+
+# Run tests
+GINKGO_FLAGS="--ginkgo.junit-report=${ARTIFACT_DIR}/junit-rosa-e2e.xml --ginkgo.v"
+if [[ -n "${LABEL_FILTER}" ]]; then
+  GINKGO_FLAGS="${GINKGO_FLAGS} --ginkgo.label-filter=${LABEL_FILTER}"
+fi
+
+if [[ -n "${EXCLUDE_CLUSTER_OPERATORS}" ]]; then
+  export EXCLUDE_CLUSTER_OPERATORS
+fi
+
+log "Running rosa-e2e tests..."
+/usr/local/bin/e2e.test ${GINKGO_FLAGS}
+
+log "Tests complete. Results at ${ARTIFACT_DIR}/junit-rosa-e2e.xml"

ci-operator/step-registry/rosa/e2e/test/rosa-e2e-test-ref.metadata.json

@@ -0,0 +1,17 @@
+{
+	"path": "rosa/e2e/test/rosa-e2e-test-ref.yaml",
+	"owners": {
+		"approvers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		],
+		"reviewers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		]
+	}
+}

ci-operator/step-registry/rosa/e2e/test/rosa-e2e-test-ref.yaml

@@ -0,0 +1,25 @@
+ref:
+  as: rosa-e2e-test
+  from: rosa-e2e
+  grace_period: 10m
+  commands: rosa-e2e-test-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 300Mi
+  env:
+  - name: OCM_LOGIN_ENV
+    default: "staging"
+    documentation: The environment for OCM login.
+  - name: LABEL_FILTER
+    default: ""
+    documentation: Ginkgo label filter for test selection (e.g. "Area:ManagedService").
+  - name: EXCLUDE_CLUSTER_OPERATORS
+    default: ""
+    documentation: Comma-separated list of ClusterOperators to exclude from health checks.
+  dependencies:
+  - name: rosa-e2e
+    env: ROSA_E2E_IMAGE
+  documentation: |-
+    Runs the rosa-e2e test suite against an existing ROSA HCP cluster.
+    Expects CLUSTER_ID in SHARED_DIR/cluster-id and AWS credentials in the cluster profile.