CNTRLPLANE-706 Build CI to cover Calico CNI test for private HCP on AWS

mgencur · mgencur · commit 6424c5948d62 · 2025-06-04T15:30:21.000+02:00
Exclude the following tests: * Test name: The default cluster RBAC policy should have correct RBAC rules Reason: The test fails as it finds unexpected RBACs from Calico. * Test name: Cluster scoped load balancer healthcheck port and path should be 10256/healthz Reason: Reported https://issues.redhat.com/browse/CNTRLPLANE-788. It's a valid bug in HCP * Test name: Prometheus [apigroup:image.openshift.io] when installed on the cluster should provide named network metrics Reason: Reported projectcalico/calico#10351 against Calico (seem to be breaking the spec) * Test name: Unidling* Reason: Feature not implemented in Calico. * Test name: pod should not start for sysctls not on whitelist [apigroup:k8s.cni.cncf.io] net.ipv4.conf.IFNAME.arp_filter Reason: Calico doesn’t validate sysctl conf against the "allowlist.conf". It has its own way. * Test name: pod should not start for sysctls not on whitelist [apigroup:k8s.cni.cncf.io] net.ipv4.conf.all.send_redirects Reason: Calico doesn’t validate sysctl conf against the "allowlist.conf". It has its own way. * Test name: sysctl allowlist update should start a pod with custom sysctl only when the sysctl is added to whitelist sysctl is added to whitelist Reason: Calico doesn’t validate sysctl conf against the "allowlist.conf". It has its own way. * Disable monitoring test apiserver-incluster-availability Reason: The test reads the KAS URL from .status.apiServerInternalURI of Infrastructure resource named "cluster" but that is in the form of https://api.d560406ce00e8ae40e77.hypershift.local:443 in the hosted cluster and is not reachable. See openshift/origin#29711 More details in https://docs.google.com/document/d/19lYcivp3eRcQQjhDssZnY89nKM_RG84TyVGCeIk5keA/edit?tab=t.0
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml
@@ -170,6 +170,29 @@ tests:
         sysctl allowlist update should start a pod with custom sysctl only when the
         sysctl is added to whitelist
     workflow: hypershift-aws-conformance-calico
+- as: e2e-aws-conformance-calico-private
+  minimum_interval: 168h
+  steps:
+    cluster_profile: aws-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      HYPERSHIFT_GUEST_INFRA_OCP_ACCOUNT: "true"
+      TEST_ARGS: --disable-monitor=apiserver-incluster-availability
+      TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\|
+        Cluster scoped load balancer healthcheck port and path should be 10256/healthz\|
+        Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should
+        provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\]
+        should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\]
+        should work with UDP\|pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\]
+        net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on
+        whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\|
+        sysctl allowlist update should start a pod with custom sysctl only when the
+        sysctl is added to whitelist
+    test:
+    - chain: hypershift-conformance
+    workflow: cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest
 - as: e2e-powervs-ovn
   cron: 0 8 * * *
   steps:
diff --git a/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-periodics.yaml b/ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-periodics.yaml
@@ -149,6 +149,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build01
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.19
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.19"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  minimum_interval: 168h
+  name: periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-calico-private
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-conformance-calico-private
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build01
   decorate: true
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/calico/health-check/cucushift-hypershift-extended-calico-health-check-commands.sh
@@ -2,6 +2,10 @@
 
 set -xeuo pipefail
 
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+  source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
 if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then
     export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
 fi
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/OWNERS
@@ -0,0 +1 @@
+../../OWNERS
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/OWNERS
@@ -0,0 +1 @@
+../../../OWNERS
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest-workflow.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest-workflow.metadata.json
@@ -0,0 +1,19 @@
+{
+	"path": "cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"jianlinliu",
+			"yunjiang29",
+			"gpei",
+			"LiangquanLi930",
+			"mgencur"
+		],
+		"reviewers": [
+			"jianlinliu",
+			"yunjiang29",
+			"gpei",
+			"LiangquanLi930",
+			"mgencur"
+		]
+	}
+}
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/calico/hypershift/private/guest/cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest-workflow.yaml
@@ -0,0 +1,15 @@
+workflow:
+  as: cucushift-installer-rehearse-aws-ipi-calico-hypershift-private-guest
+  steps:
+    env:
+      HYPERSHIFT_NETWORK_TYPE: "Other"
+      HYPERSHIFT_FEATURE_SET: TechPreviewNoUpgrade
+    pre:
+    - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-provision
+    - ref: cucushift-hypershift-extended-calico
+    - ref: cucushift-hypershift-extended-calico-health-check
+    - chain: cucushift-hypershift-extended-enable-qe-catalogsource
+    post:
+    - chain: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-deprovision
+  documentation: |-
+    This is the workflow to install private Hypershift cluster with Tigera Calico CNI network stack.
