Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
base_images:
nested-podman:
name: nested-podman
namespace: ci
tag: latest
build_root:
image_stream_tag:
name: builder
namespace: ocp
tag: rhel-9-golang-1.24-openshift-4.22
releases:
latest:
candidate:
product: ocp
stream: nightly
version: "4.22"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- as: ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main
capabilities:
- nested-podman
commands: |
old_umask=$(umask)
umask 077
podman_env_file="$(mktemp /tmp/podman.env.XXXXXX)"
trap 'rm -f "${podman_env_file}"' EXIT
umask "$old_umask"

JOB_LINK="https://prow.ci.openshift.org/view/gs/test-platform-results/"
if [ -n "${PULL_NUMBER:-}" ]; then
JOB_LINK="${JOB_LINK}pr-logs/pull/openshift_release/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}"
else
JOB_LINK="${JOB_LINK}logs/${JOB_NAME}/${BUILD_ID}"
fi

env -i bash --norc --noprofile << EOF > "${podman_env_file}"
export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
export SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-shared-vpc-credentials
export ENABLE_JIRA_REPORTING=true
export JOB_LINK="${JOB_LINK}"
source /usr/local/cs-qe-credentials/ocm-tokens
source /usr/local/cs-qe-credentials/jira-cred
env | grep -v '^_='
EOF
Comment on lines +42 to +50
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add set -e to the inner bash invocation to fail fast on sourcing errors.

If either source /usr/local/cs-qe-credentials/ocm-tokens or source /usr/local/cs-qe-credentials/jira-cred fails (e.g., file missing or contains a syntax error), the inner bash process will silently continue, env will emit only the vars set before the failure, and podman run will proceed with incomplete credentials — producing a confusing downstream authentication failure rather than an immediate clear error.

🛡️ Proposed fix
-    env -i bash --norc --noprofile << EOF > "${podman_env_file}"
+    env -i bash -e --norc --noprofile << EOF > "${podman_env_file}"
     export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
📝 Committable suggestion
Suggested change
env -i bash --norc --noprofile << EOF > "${podman_env_file}"
export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
export SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-shared-vpc-credentials
export ENABLE_JIRA_REPORTING=true
export JOB_LINK="${JOB_LINK}"
source /usr/local/cs-qe-credentials/ocm-tokens
source /usr/local/cs-qe-credentials/jira-cred
env | grep -v '^_='
EOF
env -i bash -e --norc --noprofile << EOF > "${podman_env_file}"
export AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-cred
export SHARED_VPC_AWS_SHARED_CREDENTIALS_FILE=/credentials/aws-shared-vpc-credentials
export ENABLE_JIRA_REPORTING=true
export JOB_LINK="${JOB_LINK}"
source /usr/local/cs-qe-credentials/ocm-tokens
source /usr/local/cs-qe-credentials/jira-cred
env | grep -v '^_='
EOF
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-integration.yaml`
around lines 42 - 50, The inner bash heredoc should fail fast if sourcing
credentials fails; update the heredoc that writes to "${podman_env_file}" (the
block starting with env -i bash --norc --noprofile << EOF >
"${podman_env_file}") so that the inner shell enables errexit — either add
bash's -e flag to that bash invocation or insert a leading set -e as the first
command in the heredoc before the source lines (the lines referencing source
/usr/local/cs-qe-credentials/ocm-tokens and source
/usr/local/cs-qe-credentials/jira-cred) so missing or faulty credential files
cause an immediate failure.


podman run \
--authfile /usr/local/cs-qe-credentials/.dockerconfigjson \
--env-file "${podman_env_file}" \
-v /usr/local/cs-qe-credentials:/credentials:ro,z \
--rm \
quay.io/redhat-services-prod/ocmci/ocmci:latest \
ocmtest test --service cms --job cs-rosa-hcp-backup-restore-integration-main --reportJiraTicket
container:
from: nested-podman
memory_backed_volume:
size: 1Gi
cron: 0 8 * * *
nested_podman: true
secrets:
- mount_path: /usr/local/cs-qe-credentials
name: cs-qe-credentials
zz_generated_metadata:
branch: main
org: openshift-online
repo: rosa-e2e
variant: ocm-fvt-rosa-hcp-integration
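Review bot: in the `commands` block, `podman run` proceeds even when the heredoc that writes `${podman_env_file}` produced an incomplete file; beyond the `-e` already proposed for the inner bash, add a check between `EOF` and `podman run` that the file carries at least one key the test depends on (e.g. `grep -q '^JOB_LINK=' "${podman_env_file}" || exit 1`), so a missing or unreadable credential file fails the job before the container starts. The `umask 077` plus `trap 'rm -f ...' EXIT` handling is right for a file that will hold every variable from `ocm-tokens` and `jira-cred`; note that `env | grep -v '^_='` also passes bash's own `PWD`/`SHLVL` into the container and does not escape values, so a credential value containing a newline would break the `--env-file` line format.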
Expand Up @@ -863,6 +863,78 @@ periodics:
- name: result-aggregator
secret:
secretName: result-aggregator
- agent: kubernetes
cluster: build06
cron: 0 8 * * *
decorate: true
decoration_config:
skip_cloning: true
extra_refs:
- base_ref: main
org: openshift-online
repo: rosa-e2e
labels:
capability/nested-podman: nested-podman
ci-operator.openshift.io/variant: ocm-fvt-rosa-hcp-integration
ci.openshift.io/generator: prowgen
job-release: "4.22"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-integration-ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/cs-qe-credentials
- --target=ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main
- --variant=ocm-fvt-rosa-hcp-integration
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /secrets/cs-qe-credentials
name: cs-qe-credentials
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: cs-qe-credentials
secret:
secretName: cs-qe-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
- agent: kubernetes
cluster: build06
cron: 0 8 * * *
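Review bot: this hunk carries `ci.openshift.io/generator: prowgen`, so it should come from regenerating jobs rather than hand edits; verify it matches the ci-operator config in the first file, which it does on the visible fields (`cron: 0 8 * * *`, `--target=ocm-fvt-periodic-cs-rosa-hcp-backup-restore-integration-main`, `--variant=ocm-fvt-rosa-hcp-integration`, and the `cs-qe-credentials` secret mounted read-only at `/secrets/cs-qe-credentials` and passed via `--secret-dir`). With `pj-rehearse.openshift.io/can-be-rehearsed: "true"`, a rehearsal triggered from a PR would run this job with the same credentials mount and the config's `ENABLE_JIRA_REPORTING=true`; confirm that Jira reporting from rehearsal runs is intended.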