CNTRLPLANE-3371: Re-enable KAS allowed CIDRs test in Azure v2 self-managed e2e

[bryan-cox]

Summary

• Remove --ginkgo.skip="KAS allowed CIDRs" from the hypershift-azure-run-e2e-v2-selfmanaged step registry chain
• The upstream fix (wait for HCP propagation before checking KAS reachability) has landed on hypershift main

Test plan

• Rehearsal of hypershift-azure-e2e-v2-self-managed passes with the KAS allowed CIDRs test enabled

🤖 Generated with Claude Code

Summary

This PR re-enables the KAS allowed CIDRs validation test in the HyperShift Azure v2 self-managed E2E test suite. The test was previously skipped via a --ginkgo.skip="KAS allowed CIDRs" flag in the CI step registry, pending an upstream fix in the HyperShift operator. That fix—which ensures HCP propagates before checking KAS reachability—has now landed on HyperShift main, making it safe to run this test.

Changes

The modification removes the ginkgo skip directive from the hypershift-azure-run-e2e-v2-selfmanaged step registry chain, allowing the ValidateKASAllowedCIDRs test to execute as part of the standard E2E test suite. This validates that the Kubernetes API Server properly respects CIDR allowlist configurations in Azure self-managed deployments.

Testing

The change will be validated through rehearsal of the hypershift-azure-e2e-v2-self-managed test job to confirm the previously-skipped test now passes with the upstream fix in place.

[openshift-ci-robot]

@bryan-cox: This pull request references CNTRLPLANE-3371 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Remove --ginkgo.skip="KAS allowed CIDRs" from the hypershift-azure-run-e2e-v2-selfmanaged step registry chain
• The upstream fix (wait for HCP propagation before checking KAS reachability) has landed on hypershift main

Test plan

• Rehearsal of hypershift-azure-e2e-v2-self-managed passes with the KAS allowed CIDRs test enabled

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5bc90e62-f472-47f7-9895-f5efaac32a5e

📥 Commits

Reviewing files that changed from the base of the PR and between a2c45a6 and ab8ded8.

📒 Files selected for processing (1)

• ci-operator/step-registry/hypershift/azure/run-e2e-v2-selfmanaged/hypershift-azure-run-e2e-v2-selfmanaged-chain.yaml

💤 Files with no reviewable changes (1)

• ci-operator/step-registry/hypershift/azure/run-e2e-v2-selfmanaged/hypershift-azure-run-e2e-v2-selfmanaged-chain.yaml

---

Walkthrough

This PR removes a Ginkgo test skip flag from the hypershift Azure E2E public cluster test invocation. The "KAS allowed CIDRs" test will now run as part of the public test suite instead of being skipped.

Changes

Test Configuration Update

Layer / File(s)	Summary
Test Command Configuration ci-operator/step-registry/hypershift/azure/run-e2e-v2-selfmanaged/hypershift-azure-run-e2e-v2-selfmanaged-chain.yaml	The public cluster test command no longer skips the "KAS allowed CIDRs" test; the --ginkgo.skip="KAS allowed CIDRs" flag is removed from the Ginkgo invocation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: re-enabling a previously skipped Ginkgo test (KAS allowed CIDRs) in the Azure v2 self-managed e2e pipeline step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check is not applicable. PR only modifies CI pipeline YAML configuration (removes --ginkgo.skip argument), not Ginkgo test definitions. No test names are being added or modified.
Test Structure And Quality	✅ Passed	The custom check for Ginkgo test code quality reviews .go test files. This PR only modifies CI pipeline YAML, removing a ginkgo.skip flag. No test code was changed.
Microshift Test Compatibility	✅ Passed	PR only modifies CI configuration YAML to re-enable an existing test. No new Ginkgo test code (It(), Describe(), etc.) is added. Custom check only applies to new test definitions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Check not applicable. PR only modifies CI pipeline config (removes --ginkgo.skip flag). Does not add new Ginkgo e2e tests or test code. Test itself lives in HyperShift repo.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies CI test config file, not deployment manifests or operator code. No scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies CI pipeline YAML configuration only (removes ginkgo skip arg), not OTE binary code. Check applies to process-level code violations. No applicable code changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add new Ginkgo e2e tests. It only removes a skip flag from CI configuration to re-enable an existing test. The custom check applies only to PRs adding new test definitions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/hypershift/azure/run-e2e-v2-selfmanaged/OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/test e2e-azure-v2-self-managed

[openshift-ci]

@bryan-cox: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test app-ci-config-dry

/test boskos-config

/test boskos-config-generation

/test build03-dry

/test build04-dry

/test build05-dry

/test build06-dry

/test build07-dry

/test build08-dry

/test build09-dry

/test build10-dry

/test build11-dry

/test check-gh-automation

/test check-gh-automation-tide

/test check-trigger-trusted-apps

/test ci-operator-config

/test ci-operator-config-metadata

/test ci-operator-registry

/test ci-secret-bootstrap-config-validation

/test ci-testgrid-allow-list

/test clusterimageset-validate

/test config

/test core-ci-config-dry

/test core-valid

/test generated-config

/test generated-dashboards

/test hosted-mgmt-dry

/test image-mirroring-config-validation

/test jira-lifecycle-config

/test labels

/test openshift-image-mirror-mappings

/test ordered-prow-config

/test owners

/test pr-reminder-config

/test prow-config

/test prow-config-filenames

/test prow-config-semantics

/test pylint

/test release-config

/test release-controller-config

/test rover-groups-config-validation

/test secret-generator-config-valid

/test services-valid

/test stackrox-stackrox-stackrox-stackrox-check

/test step-registry-metadata

/test step-registry-shellcheck

/test sync-rover-groups

/test verified-config

/test vsphere02-dry

/test yamllint

The following commands are available to trigger optional jobs:

/test check-cluster-profiles-config

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-release-main-ci-operator-config

pull-ci-openshift-release-main-ci-operator-registry

pull-ci-openshift-release-main-core-valid

pull-ci-openshift-release-main-owners

pull-ci-openshift-release-main-release-controller-config

pull-ci-openshift-release-main-step-registry-metadata

pull-ci-openshift-release-main-step-registry-shellcheck

pull-ci-openshift-release-openshift-image-mirror-mappings

pull-ci-openshift-release-yamllint

Details

In response to this:

/test e2e-azure-v2-self-managed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@bryan-cox: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed	openshift/hypershift	presubmit	Registry content changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[bryan-cox]

/pj-rehearse

[openshift-merge-bot]

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[bryan-cox]

/pj-rehearse pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed

[openshift-merge-bot]

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/hypershift/main/e2e-azure-v2-self-managed	ab8ded8	link	unknown	/pj-rehearse pull-ci-openshift-hypershift-main-e2e-azure-v2-self-managed

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.