Add GCP custom dns private pre-submit jobs

ci-operator/config/openshift/installer/openshift-installer-main.yaml

@@ -1388,6 +1388,31 @@ tests:
     - ref: cucushift-installer-check-azure-confidential
     test:
     - ref: openshift-e2e-test
+- as: gcp-custom-dns-private
+  optional: true
+  run_if_changed: (gcp|google)
+  steps:
+    cluster_profile: gcp
+    env:
+      BASE_DOMAIN: custom-dns.com
+      PUBLISH: Internal
+      USER_PROVISIONED_DNS: "yes"
+    post:
+    - chain: cucushift-installer-rehearse-gcp-ipi-private-deprovision
+    pre:
+    - ref: gcp-provision-minimal-permission
+    - ref: gcp-provision-vpc
+    - ref: ignition-bastionhost
+    - ref: gcp-provision-bastionhost
+    - ref: proxy-config-generate
+    - chain: ipi-conf-gcp
+    - ref: ipi-install-install
+    - ref: gcp-provision-private-custom-dns
+    - ref: bastion-dnsmasq
+    - ref: cucushift-installer-check-gcp-private
+    - ref: cucushift-installer-check-user-provisioned-dns
+    test:
+    - chain: cucushift-installer-check-cluster-health
 - as: gcp-private
   optional: true
   run_if_changed: (gcp|google)

ci-operator/config/openshift/installer/openshift-installer-release-4.21.yaml

@@ -1374,6 +1374,31 @@ tests:
     - ref: cucushift-installer-check-azure-confidential
     test:
     - ref: openshift-e2e-test
+- as: gcp-custom-dns-private
+  optional: true
+  run_if_changed: (gcp|google)
+  steps:
+    cluster_profile: gcp
+    env:
+      BASE_DOMAIN: custom-dns.com
+      PUBLISH: Internal
+      USER_PROVISIONED_DNS: "yes"
+    post:
+    - chain: cucushift-installer-rehearse-gcp-ipi-private-deprovision
+    pre:
+    - ref: gcp-provision-minimal-permission
+    - ref: gcp-provision-vpc
+    - ref: ignition-bastionhost
+    - ref: gcp-provision-bastionhost
+    - ref: proxy-config-generate
+    - chain: ipi-conf-gcp
+    - ref: ipi-install-install
+    - ref: gcp-provision-private-custom-dns
+    - ref: bastion-dnsmasq
+    - ref: cucushift-installer-check-gcp-private
+    - ref: cucushift-installer-check-user-provisioned-dns
+    test:
+    - chain: cucushift-installer-check-cluster-health
 - as: gcp-private
   optional: true
   run_if_changed: (gcp|google)

ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml

@@ -1389,6 +1389,31 @@ tests:
     - ref: cucushift-installer-check-azure-confidential
     test:
     - ref: openshift-e2e-test
+- as: gcp-custom-dns-private
+  optional: true
+  run_if_changed: (gcp|google)
+  steps:
+    cluster_profile: gcp
+    env:
+      BASE_DOMAIN: custom-dns.com
+      PUBLISH: Internal
+      USER_PROVISIONED_DNS: "yes"
+    post:
+    - chain: cucushift-installer-rehearse-gcp-ipi-private-deprovision
+    pre:
+    - ref: gcp-provision-minimal-permission
+    - ref: gcp-provision-vpc
+    - ref: ignition-bastionhost
+    - ref: gcp-provision-bastionhost
+    - ref: proxy-config-generate
+    - chain: ipi-conf-gcp
+    - ref: ipi-install-install
+    - ref: gcp-provision-private-custom-dns
+    - ref: bastion-dnsmasq
+    - ref: cucushift-installer-check-gcp-private
+    - ref: cucushift-installer-check-user-provisioned-dns
+    test:
+    - chain: cucushift-installer-check-cluster-health
 - as: gcp-private
   optional: true
   run_if_changed: (gcp|google)

ci-operator/jobs/openshift/installer/openshift-installer-main-presubmits.yaml

@@ -7377,6 +7377,80 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-vsphere-static-ovn,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build04
+    context: ci/prow/gcp-custom-dns-private
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: gcp
+      ci-operator.openshift.io/cloud-cluster-profile: gcp
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-installer-main-gcp-custom-dns-private
+    optional: true
+    rerun_command: /test gcp-custom-dns-private
+    run_if_changed: (gcp|google)
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=gcp-custom-dns-private
+        command:
+        - ci-operator
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )gcp-custom-dns-private,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/jobs/openshift/installer/openshift-installer-release-4.21-presubmits.yaml

@@ -7376,6 +7376,80 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-vsphere-static-ovn,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^release-4\.21$
+    - ^release-4\.21-
+    cluster: build02
+    context: ci/prow/gcp-custom-dns-private
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: gcp
+      ci-operator.openshift.io/cloud-cluster-profile: gcp
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-installer-release-4.21-gcp-custom-dns-private
+    optional: true
+    rerun_command: /test gcp-custom-dns-private
+    run_if_changed: (gcp|google)
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=gcp-custom-dns-private
+        command:
+        - ci-operator
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )gcp-custom-dns-private,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/jobs/openshift/installer/openshift-installer-release-4.22-presubmits.yaml

@@ -7375,6 +7375,80 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-vsphere-static-ovn,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^release-4\.22$
+    - ^release-4\.22-
+    cluster: build02
+    context: ci/prow/gcp-custom-dns-private
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: gcp
+      ci-operator.openshift.io/cloud-cluster-profile: gcp
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-installer-release-4.22-gcp-custom-dns-private
+    optional: true
+    rerun_command: /test gcp-custom-dns-private
+    run_if_changed: (gcp|google)
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=gcp-custom-dns-private
+        command:
+        - ci-operator
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )gcp-custom-dns-private,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/gcp/provision/bastionhost/gcp-provision-bastionhost-commands.sh

@@ -37,6 +37,10 @@ function run_ssh_cmd() {
 CLUSTER_NAME="${NAMESPACE}-${UNIQUE_HASH}"
 bastion_ignition_file="${SHARED_DIR}/${CLUSTER_NAME}-bastion.ign"
 SSH_PRIV_KEY_PATH=${CLUSTER_PROFILE_DIR}/ssh-privatekey
+GCP_BASE_DOMAIN="$(< ${CLUSTER_PROFILE_DIR}/public_hosted_zone)"
+if [[ -n "${BASE_DOMAIN}" ]]; then
+  GCP_BASE_DOMAIN="${BASE_DOMAIN}"
+fi
 
 if [[ ! -f "${bastion_ignition_file}" ]]; then
   echo "'${bastion_ignition_file}' not found, abort." && exit 1
@@ -185,29 +189,28 @@ echo "${bastion_public_ip}" > "${SHARED_DIR}/proxyip"
 ####Register mirror registry DNS#####
 #####################################
 if [[ "${REGISTER_MIRROR_REGISTRY_DNS}" == "yes" ]]; then
-  BASE_DOMAIN="$(< ${CLUSTER_PROFILE_DIR}/public_hosted_zone)"
-  BASE_DOMAIN_ZONE_NAME="$(gcloud dns managed-zones list --filter "DNS_NAME=${BASE_DOMAIN}." --format json | jq -r .[0].name)"
+  BASE_DOMAIN_ZONE_NAME="$(gcloud dns managed-zones list --filter "DNS_NAME=${GCP_BASE_DOMAIN}." --format json | jq -r .[0].name)"
 
   echo "Configuring public DNS for the mirror registry..."
-  gcloud dns record-sets create "${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN}." \
+  gcloud dns record-sets create "${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN}." \
   --rrdatas="${bastion_public_ip}" --type=A --ttl=60 --zone="${BASE_DOMAIN_ZONE_NAME}"
 
   echo "Configuring private DNS for the mirror registry..."
   gcloud dns managed-zones create "${CLUSTER_NAME}-mirror-registry-private-zone" \
   --description "Private zone for the mirror registry." \
-  --dns-name "mirror-registry.${BASE_DOMAIN}." --visibility "private" --networks "${NETWORK}"
-  gcloud dns record-sets create "${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN}." \
+  --dns-name "mirror-registry.${GCP_BASE_DOMAIN}." --visibility "private" --networks "${NETWORK}"
+  gcloud dns record-sets create "${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN}." \
   --rrdatas="${bastion_private_ip}" --type=A --ttl=60 --zone="${CLUSTER_NAME}-mirror-registry-private-zone"
 
   cat > "${SHARED_DIR}/mirror-dns-destroy.sh" << EOF
-  gcloud dns record-sets delete -q "${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN}." --type=A --zone="${BASE_DOMAIN_ZONE_NAME}"
-  gcloud dns record-sets delete -q "${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN}." --type=A --zone="${CLUSTER_NAME}-mirror-registry-private-zone"
+  gcloud dns record-sets delete -q "${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN}." --type=A --zone="${BASE_DOMAIN_ZONE_NAME}"
+  gcloud dns record-sets delete -q "${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN}." --type=A --zone="${CLUSTER_NAME}-mirror-registry-private-zone"
   gcloud dns managed-zones delete -q "${CLUSTER_NAME}-mirror-registry-private-zone"
 EOF
 
-  echo "Waiting for ${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN} taking effect..." && sleep 120s
+  echo "Waiting for ${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN} taking effect..." && sleep 120s
 
-  MIRROR_REGISTRY_URL="${CLUSTER_NAME}.mirror-registry.${BASE_DOMAIN}:5000"
+  MIRROR_REGISTRY_URL="${CLUSTER_NAME}.mirror-registry.${GCP_BASE_DOMAIN}:5000"
   echo "${MIRROR_REGISTRY_URL}" > "${SHARED_DIR}/mirror_registry_url"
 fi
 

ci-operator/step-registry/gcp/provision/bastionhost/gcp-provision-bastionhost-ref.yaml

@@ -29,5 +29,9 @@ ref:
   - name: OSD_QE_PROJECT_AS_SERVICE_PROJECT
     default: "no"
     documentation: Whether to use OSD QE's project as the service project. The supported values are [no, yes].
+  - name: BASE_DOMAIN
+    default: ""
+    documentation: |-
+      The base domain.
   documentation: |-
     The step launches Linux bastion host within the CONTROL_PLANE_SUBNET.