From c4f2c675e3118b4806a9d577d52740007c4817db Mon Sep 17 00:00:00 2001 From: Anurag Saxena Date: Mon, 1 Jun 2026 16:41:13 -0400 Subject: [PATCH 1/2] CORENET-7206: Add ingress-node-firewall non-payload OTE extension step Co-Authored-By: Claude Opus 4.6 --- ...penshift-ingress-node-firewall-master.yaml | 23 ++++- ...gress-node-firewall-master-presubmits.yaml | 86 +++++++++++++++++++ .../step-registry/infw-extension/OWNERS | 4 + .../infw-extension/infw-extension-commands.sh | 59 +++++++++++++ .../infw-extension-ref.metadata.json | 5 ++ .../infw-extension/infw-extension-ref.yaml | 18 ++++ 6 files changed, 192 insertions(+), 3 deletions(-) create mode 100644 ci-operator/step-registry/infw-extension/OWNERS create mode 100644 ci-operator/step-registry/infw-extension/infw-extension-commands.sh create mode 100644 ci-operator/step-registry/infw-extension/infw-extension-ref.metadata.json create mode 100644 ci-operator/step-registry/infw-extension/infw-extension-ref.yaml diff --git a/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml b/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml index 6f3af43e95793..fc9f225944af7 100644 --- a/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml +++ b/ci-operator/config/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master.yaml @@ -21,10 +21,10 @@ operator: bundles: - dockerfile_path: bundle.Dockerfile substitutions: - - pullspec: quay.io/openshift/origin-ingress-node-firewall:4.13 - with: pipeline:ingress-node-firewall - - pullspec: quay.io/openshift/origin-ingress-node-firewall-daemon:4.13 + - pullspec: quay.io/openshift/origin-ingress-node-firewall:latest with: pipeline:ingress-node-firewall + - pullspec: quay.io/openshift/origin-ingress-node-firewall-daemon:latest + with: pipeline:ingress-node-firewall-daemon promotion: to: - name: "5.0" 
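Review bot: The two `pullspec` values now name `:latest`, and a substitution only takes effect when that exact string appears in the bundle manifests, which this hunk does not show. If the bundle in the operator repository still references the `:4.13` pullspecs, neither image would be replaced, and the jobs would presumably exercise the published quay.io images rather than the ones built from the PR, so confirm that the bundle's strings match. The daemon entry now maps to `pipeline:ingress-node-firewall-daemon`, which has to be defined under `images:` outside this hunk. Because this changes the bundle used by every job in the file, not only the new extension job, it deserves a sentence in the commit message.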
@@ -72,6 +72,23 @@ tests: IP_STACK=v4v6 NETWORK_TYPE=OVNKubernetes workflow: baremetalds-ingress-node-firewall-e2e +- always_run: false + as: e2e-aws-ovn-infw-extension + optional: true + steps: + cluster_profile: aws-5 + env: + OO_CHANNEL: alpha + OO_INSTALL_NAMESPACE: openshift-ingress-node-firewall + OO_PACKAGE: ingress-node-firewall + OO_TARGET_NAMESPACES: '!all' + observers: + enable: + - observers-resource-watch + test: + - ref: optional-operators-subscribe + - ref: infw-extension + workflow: openshift-e2e-aws-ovn - as: verify-deps steps: env: diff --git a/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml b/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml index 379df95cbefb7..18123c72546b2 100644 --- a/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml +++ b/ci-operator/jobs/openshift/ingress-node-firewall/openshift-ingress-node-firewall-master-presubmits.yaml 
@@ -58,6 +58,92 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )ci-index,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build10 + context: ci/prow/e2e-aws-ovn-infw-extension + decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - Dockerfile.daemon.openshift + - Dockerfile.openshift + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-ingress-node-firewall-master-e2e-aws-ovn-infw-extension + optional: true + rerun_command: /test e2e-aws-ovn-infw-extension + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-infw-extension + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: 
boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-infw-extension,?($|\s.*) - agent: kubernetes always_run: true branches: diff --git a/ci-operator/step-registry/infw-extension/OWNERS b/ci-operator/step-registry/infw-extension/OWNERS new file mode 100644 index 0000000000000..0c9bdab16ae6f --- /dev/null +++ b/ci-operator/step-registry/infw-extension/OWNERS @@ -0,0 +1,4 @@ +approvers: + - anusaxen +reviewers: + - anusaxen diff --git a/ci-operator/step-registry/infw-extension/infw-extension-commands.sh b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh new file mode 100644 index 0000000000000..a49aa666ccea9 --- /dev/null +++ b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail + +export PATH=/usr/libexec/origin:$PATH +export HOME=/tmp/home +mkdir -p "${HOME}" + +echo "Setting up ingress-node-firewall extension testing" +echo "Extension image: ${EXTENSION_IMAGE}" + +# Create the TestExtensionAdmission CR +echo "Creating TestExtensionAdmission CR..." +openshift-tests extension-admission create infw-extensions \ + --permit=test-extensions/* + +# Create namespace and ImageStream +echo "Creating test-extensions namespace and ImageStream..." +cat < Date: Wed, 3 Jun 2026 14:34:47 -0400 Subject: [PATCH 2/2] Add configurable suite selection and baremetal OTE support Make the infw-extension step suite-configurable via INFW_TEST_SUITE env var, defaulting to the aws suite (excludes Baremetal-labeled tests). Add the infw-extension step to the baremetal workflow with INFW_TEST_SUITE set to "all" to include Baremetal-labeled tests. Co-Authored-By: Claude Opus 4.6 --- .../baremetalds-ingress-node-firewall-e2e-workflow.yaml | 3 +++ .../step-registry/infw-extension/infw-extension-commands.sh | 5 +++-- .../step-registry/infw-extension/infw-extension-ref.yaml | 6 ++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml b/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml index 80702fd94a9ee..6e75a410b9a6f 100644 --- a/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml +++ b/ci-operator/step-registry/baremetalds/ingress-node-firewall-e2e/baremetalds-ingress-node-firewall-e2e-workflow.yaml 
@@ -5,6 +5,9 @@ workflow: - chain: baremetalds-ofcir-pre test: - ref: baremetalds-ingress-node-firewall-e2e-test + - ref: infw-extension + env: + INFW_TEST_SUITE: "openshift/ingress-node-firewall/all" post: - chain: baremetalds-ofcir-post documentation: |- diff --git a/ci-operator/step-registry/infw-extension/infw-extension-commands.sh b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh index a49aa666ccea9..8db685bf2a130 100644 --- a/ci-operator/step-registry/infw-extension/infw-extension-commands.sh +++ b/ci-operator/step-registry/infw-extension/infw-extension-commands.sh @@ -54,6 +54,7 @@ oc get imagestreamtag ingress-node-firewall-tests:latest -n test-extensions -o j echo "Ingress Node Firewall extension setup complete!" # Run the extension tests -echo "Running ingress-node-firewall extension tests..." -openshift-tests run openshift/ingress-node-firewall/all \ +SUITE="${INFW_TEST_SUITE:-openshift/ingress-node-firewall/aws}" +echo "Running ingress-node-firewall extension tests (suite: ${SUITE})..." +openshift-tests run "${SUITE}" \ --junit-dir="${ARTIFACT_DIR}/junit" diff --git a/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml b/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml index 5a051c783ac20..3a6fd9726569d 100644 --- a/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml +++ b/ci-operator/step-registry/infw-extension/infw-extension-ref.yaml @@ -6,6 +6,12 @@ ref: dependencies: - name: "pipeline:ingress-node-firewall" env: EXTENSION_IMAGE + env: + - name: INFW_TEST_SUITE + default: "openshift/ingress-node-firewall/aws" + documentation: |- + The test suite to run. Defaults to the aws suite which excludes Baremetal-labeled tests. + Set to "openshift/ingress-node-firewall/all" for baremetal profiles. resources: requests: cpu: "3"
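Review bot: Adding `- ref: infw-extension` to the `test` phase of the shared workflow makes the new suite part of every job that uses baremetalds-ingress-node-firewall-e2e, whereas patch 1 introduced the AWS job as `optional: true` and `always_run: false`. A failure in the still-unproven extension run would then fail the existing baremetal job, so consider a separate optional test entry that overrides `test` until the suite is stable. The AWS job also runs `optional-operators-subscribe` before this step, and nothing in this hunk shows the operator being installed on baremetal; confirm that baremetalds-ingress-node-firewall-e2e-test leaves it in place, and say so in the workflow's `documentation` text.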
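Review bot: The default suite is now defined in two places, `${INFW_TEST_SUITE:-openshift/ingress-node-firewall/aws}` in this hunk and `default: "openshift/ingress-node-firewall/aws"` in the infw-extension-ref.yaml hunk that follows, so the two can drift apart. Since the ref declares the variable with a default, the script can read it directly with `SUITE="${INFW_TEST_SUITE}"`, which under the script's `set -o nounset` fails loudly if the ref entry is ever removed instead of silently running the aws suite. A one-line comment above the assignment, such as `# Suite comes from the ref's INFW_TEST_SUITE (aws by default, all for baremetal)`, would record where the value is set. The script body continues outside this hunk.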