SPLAT-2668: hypershift/aws/ccm: enable optional managed security group conformance job

[mtulio]

Summary

Add monthly periodic jobs to validate the AWS CCM managed security group feature
(AWSServiceLBNetworkSecurityGroup) on HyperShift for 4.23 and 5.0.

Changes

• Periodics (release-4.23 and release-5.0): Two monthly jobs each:
  • e2e-aws-ovn-conformance-ccm — conformance with managed SG enabled
  • e2e-aws-ovn-conformance-ccm-techpreview — same with TechPreviewNoUpgrade
  • Both use hypershift-aws-conformance workflow with TEST_SKIPS adjusted
    to include NLB security group tests
• Slack alerts: Failure/error notifications to #forum-ocp-splat-alerts-aws

Context

Dedicated jobs to validate CCM managed SG on HyperShift without disrupting
existing monitoring. Once the feature is stable, these will be removed and the
AWSServiceLBNetworkSecurityGroup skip reverted from baseline conformance.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2587 which is a valid jira issue.

Details

In response to this:

Create a dedicated conformance job enabling managed security group feature of CCM for NLB, so that we can validate the feature on hypershift at PR
openshift/hypershift#7460

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2587 which is a valid jira issue.

Details

In response to this:

Create a dedicated conformance job enabling managed security group feature of CCM for NLB, so that we can validate the feature on hypershift at PR
openshift/hypershift#7460

The new job presubmit job for hypershift project, overrides the TESTS_SKIPS from conformance workflow. A dedicated job has been created to prevent disruption in existing monitoring, while we can validate the PR individually. Once the tests are validated on Hypershift, and feature deliverable and stable, we will remove this one, and the TEST_SKIPS for AWSServiceLBNetworkSecurityGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

This is expected to fail as the feature is not merged on hypershift:

/pj-rehearse pull-ci-openshift-hypershift-main-e2e-conformance-aws-ccm-nlb-sg

[openshift-ci-robot]

@mtulio: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mtulio]

/assign enxebre

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2587 which is a valid jira issue.

Details

In response to this:

Create a dedicated conformance job enabling managed security group feature of CCM for NLB, so that we can validate the feature on hypershift at PR
openshift/hypershift#7460

The new job presubmit job for hypershift project, overrides the TESTS_SKIPS from conformance workflow. A dedicated job has been created to prevent disruption in existing monitoring, while we can validate the PR individually. Once the tests are validated on Hypershift, and feature deliverable and stable, we will remove this one, and the TEST_SKIPS for AWSServiceLBNetworkSecurityGroup

https://redhat.atlassian.net/browse/SPLAT-2668

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2668 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Create a dedicated conformance job enabling managed security group feature of CCM for NLB, so that we can validate the feature on hypershift at PR
openshift/hypershift#7460

The new job presubmit job for hypershift project, overrides the TESTS_SKIPS from conformance workflow. A dedicated job has been created to prevent disruption in existing monitoring, while we can validate the PR individually. Once the tests are validated on Hypershift, and feature deliverable and stable, we will remove this one, and the TEST_SKIPS for AWSServiceLBNetworkSecurityGroup

https://redhat.atlassian.net/browse/SPLAT-2668

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2668 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Create a dedicated conformance job enabling managed security group feature of CCM for NLB, so that we can validate the feature on hypershift at PR
openshift/hypershift#7460

The new job presubmit job for hypershift project, overrides the TESTS_SKIPS from conformance workflow. A dedicated job has been created to prevent disruption in existing monitoring, while we can validate the PR individually. Once the tests are validated on Hypershift, and feature deliverable and stable, we will remove this one, and the TEST_SKIPS for AWSServiceLBNetworkSecurityGroup

https://redhat.atlassian.net/browse/SPLAT-2587
https://redhat.atlassian.net/browse/SPLAT-2668

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

job is passing: rehearse-77567-pull-ci-openshift-hypershift-main-e2e-conformance-aws-ccm-nlb-sg #2042066510754615296

I just fixed the "ci metadata" with EOL fixes (nit):

/pj-rehearse ack

[openshift-merge-bot]

@mtulio: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mtulio]

/assign @muraee

[mtulio]

/assign @enxebre

[mtulio]

@enxebre @muraee WDYT to create a periodic and an alert to Slack (my teams channel) to this job, so i can monitor it closely. Are you ok to add one more job for that purpose? I will remove it as part of getting complete the task https://redhat.atlassian.net/browse/SPLAT-2668

[vr4manta]

/lgtm

[mtulio]

Adding the periiodic with alerts to SPLAT channel to monitor closely the progress of NLB+SG feature

[mtulio]

As described in the comment #77567 (comment), the new job is expected to fail as it blocked by OCPBUGS-85414, and we need this job to validate the fix on the PR, currently WIP on openshift/cluster-cloud-controller-manager-operator#462

/pj-rehearse ack

/pj-rehearse ack

[openshift-merge-bot]

@mtulio: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jcpowermac]

/lgtm

[enxebre]

/approve

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e4bba04 and 2 for PR HEAD 43d8f31 in total

[openshift-ci]

@mtulio: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-release-main-hypershift-4.22-hypershift-conformance-aws-ccm-nlb-sg	f1a1529	link	unknown	/pj-rehearse periodic-ci-openshift-release-main-hypershift-4.22-hypershift-conformance-aws-ccm-nlb-sg
ci/rehearse/periodic-ci-openshift-hypershift-release-4.23-periodics-e2e-aws-ovn-conformance-ccm-techpreview	f5086a5	link	unknown	/pj-rehearse periodic-ci-openshift-hypershift-release-4.23-periodics-e2e-aws-ovn-conformance-ccm-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mtulio]

I needed to rebase to resolve the job generated-config. Applying the required labels again:

/pj-rehearsal ack

[jcpowermac]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enxebre, jcpowermac, mtulio, vr4manta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/hypershift/OWNERS [enxebre]
• ci-operator/jobs/openshift/hypershift/OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 54c0523 and 1 for PR HEAD 43d8f31 in total

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mtulio: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-hypershift-release-5.0-e2e-aws-ovn-conformance-ccm-techpreview	N/A	periodic	Periodic changed
periodic-ci-openshift-hypershift-release-4.23-periodics-e2e-aws-ovn-conformance-ccm	N/A	periodic	Periodic changed
periodic-ci-openshift-hypershift-release-5.0-e2e-aws-ovn-conformance-ccm	N/A	periodic	Periodic changed
periodic-ci-openshift-hypershift-release-4.23-periodics-e2e-aws-ovn-conformance-ccm-techpreview	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mtulio]

As described in the comment #77567 (comment), the new job is expected to fail as it blocked by OCPBUGS-85414, and we need this job to validate the fix on the PR, currently WIP on openshift/cluster-cloud-controller-manager-operator#462
/pj-rehearse ack

/pj-rehearse ack

Re-adding, no reason to spend infra resource w/ expected jobs to fail. fyi openshift/cluster-cloud-controller-manager-operator#462 openshift/api#2838

/pj-rehearsal ack

[mtulio]

/pj-rehearse ack

[openshift-merge-bot]

@mtulio: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.