OCM-23826 | feat: cs-rosa-hcp-backup-restore-integration-main

[andclt]

This PR is for migrating cs-rosa-hcp-backup-restore-integration-main FVT to Prow.

This PR adds a Prow CI configuration for the ROSA HCP backup and restore integration test pipeline in the OpenShift Online repository. The new configuration file defines a scheduled job (ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main) that runs daily at 8 AM UTC to validate ROSA HCP backup and restore functionality. The job executes OCM tests in a nested-podman container environment with access to AWS credentials and JIRA ticket reporting, ensuring that backup and restore operations work correctly for ROSA Hosted Control Planes as part of the regular CI verification process.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: andclt
Once this PR has been reviewed and has the lgtm label, please assign gdbranco for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-online/rosa-e2e/OWNERS
• ci-operator/jobs/openshift-online/rosa-e2e/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@andclt: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-integration-ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main	N/A	periodic	Periodic changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[andclt]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-integration-ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main

[openshift-merge-bot]

@andclt: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Walkthrough

A new CI configuration file is added for ROSA E2E backup/restore integration testing on OpenShift Online, defining base images, resource constraints, and a scheduled ocmtest job that runs within a podman environment.

Changes

ROSA E2E Integration Test Pipeline Configuration

Layer / File(s)	Summary
Configuration Foundation ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml	Base image selection (nested podman), release targeting (OCP 4.22 nightly), and resource requests/limits (4Gi memory, 100m CPU) are declared.
Test Job Definition ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml	Scheduled backup/restore integration test job computes JOB_LINK, generates sanitized environment file with AWS and JIRA credentials, and executes ocmtest test via podman with mounted cs-qe-credentials. Cron schedule is 0 8 * * *.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: migrating the cs-rosa-hcp-backup-restore-integration-main FVT job to Prow, which is clearly reflected in the configuration file addition.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only CI configuration YAML. No Go test files or Ginkgo test definitions present. Check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	This PR modifies only CI configuration YAML files, not Ginkgo test code. The check is designed for test code review and is not applicable here.
Microshift Test Compatibility	✅ Passed	PR adds only a CI/Prow configuration file (YAML), not Ginkgo e2e test code. The custom check is designed to flag Ginkgo tests with MicroShift-incompatible APIs, which are not present in this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI-Operator configuration (YAML), not Ginkgo e2e tests. SNO compatibility check applies only to new Ginkgo test definitions, which are not present.
Topology-Aware Scheduling Compatibility	✅ Passed	File is a CI configuration, not a deployment manifest, operator code, or controller. Custom check for topology-aware scheduling is not applicable to CI/test infrastructure configuration files.
Ote Binary Stdout Contract	✅ Passed	Check applies to OTE test code, not CI configs. PR adds only YAML configuration for Prow jobs, not test implementation code. Not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds only CI configuration (YAML) without Ginkgo e2e test code. The custom check applies to new Ginkgo e2e tests, which are not present here.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml (1)

57-58: ⚡ Quick win

Unpinned latest tag on the ocmci test runner image.

quay.io/redhat-services-prod/ocmci/ocmci:latest is a floating tag. A breaking change pushed to that image will silently change job behavior on the next run, with no git history trail. Consider pinning to a digest or a versioned tag.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml`
around lines 57 - 58, The job is using a floating image tag
"quay.io/redhat-services-prod/ocmci/ocmci:latest" (used by the ocmtest command
for job cs-rosa-hcp-backup-restore-integration-main); replace the floating tag
with a stable reference by pinning to a versioned tag or image digest (e.g.,
change ":latest" to a specific semver tag or to "@sha256:<digest>") so the job
image is immutable and future runs are reproducible.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml`:
- Around line 42-50: The inner bash heredoc should fail fast if sourcing
credentials fails; update the heredoc that writes to "${podman_env_file}" (the
block starting with env -i bash --norc --noprofile << EOF >
"${podman_env_file}") so that the inner shell enables errexit — either add
bash's -e flag to that bash invocation or insert a leading set -e as the first
command in the heredoc before the source lines (the lines referencing source
/usr/local/cs-qe-credentials/ocm-tokens and source
/usr/local/cs-qe-credentials/jira-cred) so missing or faulty credential files
cause an immediate failure.

---

Nitpick comments:
In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml`:
- Around line 57-58: The job is using a floating image tag
"quay.io/redhat-services-prod/ocmci/ocmci:latest" (used by the ocmtest command
for job cs-rosa-hcp-backup-restore-integration-main); replace the floating tag
with a stable reference by pinning to a versioned tag or image digest (e.g.,
change ":latest" to a specific semver tag or to "@sha256:<digest>") so the job
image is immutable and future runs are reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 92407cd7-f333-4e28-9133-578baab46193

📥 Commits

Reviewing files that changed from the base of the PR and between 6dbcfb2 and 86cefec.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add set -e to the inner bash invocation to fail fast on sourcing errors.

If either source /usr/local/cs-qe-credentials/ocm-tokens or source /usr/local/cs-qe-credentials/jira-cred fails (e.g., file missing or contains a syntax error), the inner bash process will silently continue, env will emit only the vars set before the failure, and podman run will proceed with incomplete credentials — producing a confusing downstream authentication failure rather than an immediate clear error.

🛡️ Proposed fix

-    env -i bash --norc --noprofile << EOF > "${podman_env_file}"
+    env -i bash -e --norc --noprofile << EOF > "${podman_env_file}"
     export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env -i bash --norc --noprofile << EOF > "${podman_env_file}"
	export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
	export SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-shared-vpc-credentials
	export ENABLE_JIRA_REPORTING=true
	export JOB_LINK="${JOB_LINK}"
	source /usr/local/cs-qe-credentials/ocm-tokens
	source /usr/local/cs-qe-credentials/jira-cred
	env | grep -v '^_='
	EOF
	env -i bash -e --norc --noprofile << EOF > "${podman_env_file}"
	export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
	export SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-shared-vpc-credentials
	export ENABLE_JIRA_REPORTING=true
	export JOB_LINK="${JOB_LINK}"
	source /usr/local/cs-qe-credentials/ocm-tokens
	source /usr/local/cs-qe-credentials/jira-cred
	env | grep -v '^_='
	EOF

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml`
around lines 42 - 50, The inner bash heredoc should fail fast if sourcing
credentials fails; update the heredoc that writes to "${podman_env_file}" (the
block starting with env -i bash --norc --noprofile << EOF >
"${podman_env_file}") so that the inner shell enables errexit — either add
bash's -e flag to that bash invocation or insert a leading set -e as the first
command in the heredoc before the source lines (the lines referencing source
/usr/local/cs-qe-credentials/ocm-tokens and source
/usr/local/cs-qe-credentials/jira-cred) so missing or faulty credential files
cause an immediate failure.

[openshift-ci]

@andclt: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-integration-ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main	86cefec	link	unknown	/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-integration-ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.