Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
base_images:
nested-podman:
name: nested-podman
namespace: ci
tag: latest
build_root:
image_stream_tag:
name: builder
namespace: ocp
tag: rhel-9-golang-1.25-openshift-4.21
images:
items:
Comment on lines +11 to +12
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Invalid images structure: remove the items: key.

The ci-operator schema expects images: to be a direct list, not an object with an items: sub-key. This will likely cause config validation or parsing failures.

Proposed fix
 images:
-  items:
-  - dockerfile_literal: |
+- dockerfile_literal: |

Full corrected structure:

images:
- dockerfile_literal: |
    FROM nested-podman
    ...
  from: nested-podman
  inputs:
    src:
      paths:
      - destination_dir: src
        source_path: /go/src/github.com/trusted-execution-clusters/operator
  to: azure-test-image
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/trusted-execution-clusters/operator/trusted-execution-clusters-operator-main__azure.yaml`
around lines 11 - 12, The top-level `images` key is using an invalid object
shape with an `items:` sub-key; change `images:` to be a direct list (array)
instead of `images: items:` so each image entry is a YAML list item (e.g. `-
dockerfile_literal: | ...`, `  from: ...`, `  inputs: ...`, `  to: ...`); remove
the `items:` wrapper and un-indent its entries so the ci-operator can validate
the `images` list properly.

- dockerfile_literal: |
FROM nested-podman
WORKDIR /src/operator
USER root
RUN curl -sSf https://sh.rustup.rs | sh -s -- -y
RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc && \
dnf install -y https://packages.microsoft.com/config/rhel/9.0/packages-microsoft-prod.rpm && \
dnf install -y azure-cli && \
dnf clean all
ENV PATH="/root/.cargo/bin:${PATH}"
from: nested-podman
inputs:
src:
paths:
- destination_dir: src
source_path: /go/src/github.com/trusted-execution-clusters/operator
to: azure-test-image
releases:
latest:
candidate:
architecture: amd64
product: ocp
stream: nightly
version: "4.21"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- always_run: false
as: integration-test
capabilities:
- nested-podman
optional: true
skip_if_only_changed: ^(\.github|LICENSES|bundle|docs|examples)/|^(README\.md|\.gitignore)$
steps:
cluster_profile: openshift-org-aws
test:
- ref: trusted-execution-clusters-ref-azure-integration-test
workflow: ipi-aws
Comment on lines +51 to +55
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are Azure cluster profiles or workflows available
echo "=== Available Azure cluster profiles ==="
fd -t d 'azure' ci-operator/config/jobs --max-depth 3 2>/dev/null || echo "No azure job configs found"

echo -e "\n=== Azure workflows in step-registry ==="
fd -t d 'azure' ci-operator/step-registry --max-depth 4 2>/dev/null | head -20

echo -e "\n=== Existing Azure cluster profiles ==="
ls -la cluster/test-deploy/azure* 2>/dev/null || fd -t d 'azure' cluster/ --max-depth 3 2>/dev/null | head -10

Repository: openshift/release

Length of output: 1266


🏁 Script executed:

# Check the file structure and look for __azure variants
echo "=== File under review ==="
cat ci-operator/config/trusted-execution-clusters/operator/trusted-execution-clusters-operator-main__azure.yaml

echo -e "\n=== Other __azure variants in same directory ==="
ls -la ci-operator/config/trusted-execution-clusters/operator/ | grep __

Repository: openshift/release

Length of output: 1888


🏁 Script executed:

# Look for the test reference definition
echo "=== Search for the test reference ==="
rg 'trusted-execution-clusters-ref-azure-integration-test' --type yaml -A 5 -B 2

Repository: openshift/release

Length of output: 2949


🏁 Script executed:

# Check for Azure cluster profile definitions
echo "=== Search for Azure cluster profiles ==="
rg 'openshift-org-azure' --type yaml

Repository: openshift/release

Length of output: 50375


🏁 Script executed:

# Look at similar Azure test configurations
echo "=== Search for other Azure integration tests ==="
fd -t f '*.yaml' ci-operator/config | xargs grep -l 'azure.*integration' 2>/dev/null | head -5

Repository: openshift/release

Length of output: 414


🏁 Script executed:

cat ci-operator/step-registry/trusted-execution-clusters/ref/azure-integration-test/trusted-execution-clusters-ref-azure-integration-test-commands.sh

Repository: openshift/release

Length of output: 917


🏁 Script executed:

# Check for similar test configs with cluster/workflow mismatch
rg 'cluster_profile:.*aws' ci-operator/config/trusted-execution-clusters/ -A 3 -B 1

Repository: openshift/release

Length of output: 746


🏁 Script executed:

# Check CI naming convention violations in this directory
ls -la ci-operator/config/trusted-execution-clusters/operator/

Repository: openshift/release

Length of output: 426


Fix cluster profile and workflow to match Azure integration test requirements.

The test trusted-execution-clusters-ref-azure-integration-test explicitly uses Azure credentials (subscription-id, client-id, client-secret, tenant-id) and runs az login with a service principal, setting VIRT_PROVIDER=azure. However, the configuration uses cluster_profile: openshift-org-aws and workflow: ipi-aws. This will cause the test to fail. Change both to use the Azure equivalents: cluster_profile: openshift-org-azure and workflow: ipi-azure.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/trusted-execution-clusters/operator/trusted-execution-clusters-operator-main__azure.yaml`
around lines 51 - 55, Update the CI job to use Azure-specific settings: change
the cluster_profile value from openshift-org-aws to openshift-org-azure and
change the workflow from ipi-aws to ipi-azure so the test ref
trusted-execution-clusters-ref-azure-integration-test runs with the Azure
credentials and VIRT_PROVIDER=azure as expected.

zz_generated_metadata:
branch: main
org: trusted-execution-clusters
repo: operator
variant: azure
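Review bot: the dockerfile_literal installs the Rust toolchain with `RUN curl -sSf https://sh.rustup.rs | sh -s -- -y`, which executes an unpinned remote script at image-build time with no version pin or checksum, and the base image is pulled by the mutable `tag: latest`; because this image is what the integration-test ref runs in, pin the toolchain (rustup-init accepts `--default-toolchain <version>`) and prefer a fixed base tag so rebuilds are reproducible. The Dockerfile also sets `WORKDIR /src/operator` but contains no COPY of the `src` input declared under `inputs`, so confirm the operator source really ends up in the image before the ref runs `make push` from it. Finally, with `always_run: false` and `optional: true` this test never gates a merge; make sure that is intended.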
Comment on lines +30 to +60
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add the missing promotion section to this ci-operator config.

This config defines build_root, images, tests, and releases, but it omits promotion, which is required for files under ci-operator/config/.

Suggested structure
 releases:
   latest:
     candidate:
       architecture: amd64
       product: ocp
       stream: nightly
       version: "4.21"
+promotion:
+  to:
+  - namespace: trusted-execution-clusters
+    name: operator

As per coding guidelines, "CI configuration files should define build_root, images, tests (referencing step-registry workflows), promotion, and releases sections in ci-operator/config///".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
releases:
latest:
candidate:
architecture: amd64
product: ocp
stream: nightly
version: "4.21"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- always_run: false
as: integration-test
capabilities:
- nested-podman
optional: true
skip_if_only_changed: ^(\.github|LICENSES|bundle|docs|examples)/|^(README\.md|\.gitignore)$
steps:
cluster_profile: openshift-org-aws
test:
- ref: trusted-execution-clusters-ref-azure-integration-test
workflow: ipi-aws
zz_generated_metadata:
branch: main
org: trusted-execution-clusters
repo: operator
variant: azure
releases:
latest:
candidate:
architecture: amd64
product: ocp
stream: nightly
version: "4.21"
promotion:
to:
- namespace: trusted-execution-clusters
name: operator
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
- always_run: false
as: integration-test
capabilities:
- nested-podman
optional: true
skip_if_only_changed: ^(\.github|LICENSES|bundle|docs|examples)/|^(README\.md|\.gitignore)$
steps:
cluster_profile: openshift-org-aws
test:
- ref: trusted-execution-clusters-ref-azure-integration-test
workflow: ipi-aws
zz_generated_metadata:
branch: main
org: trusted-execution-clusters
repo: operator
variant: azure
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/trusted-execution-clusters/operator/trusted-execution-clusters-operator-main__azure.yaml`
around lines 31 - 61, This config is missing the required top-level promotion
section; add a promotion: block alongside releases/tests/build_root/images that
provides the promotion namespace and a tag_specification mapping image stream
tags to the release tags (e.g., a namespace for the release image push and a
tag_specification object that lists the image stream names/tags to promote), so
the ci-operator can promote built images into the release stream; update the
existing config to include this promotion block at top level (referencing
promotion and tag_specification to align with the releases/tests entries).

@@ -1,5 +1,151 @@
presubmits:
trusted-execution-clusters/operator:
- agent: kubernetes
always_run: true
branches:
- ^main$
- ^main-
cluster: build03
context: ci/prow/azure-images
decorate: true
decoration_config:
skip_cloning: true
labels:
ci-operator.openshift.io/variant: azure
ci.openshift.io/generator: prowgen
job-release: "4.21"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-trusted-execution-clusters-operator-main-azure-images
rerun_command: /test azure-images
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --report-credentials-file=/etc/report/credentials
- --target=[images]
- --variant=azure
command:
- ci-operator
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )azure-images,?($|\s.*)
- agent: kubernetes
always_run: false
branches:
- ^main$
- ^main-
cluster: build03
context: ci/prow/azure-integration-test
decorate: true
decoration_config:
skip_cloning: true
labels:
capability/nested-podman: nested-podman
ci-operator.openshift.io/cloud: aws
ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws
ci-operator.openshift.io/variant: azure
ci.openshift.io/generator: prowgen
job-release: "4.21"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-trusted-execution-clusters-operator-main-azure-integration-test
optional: true
rerun_command: /test azure-integration-test
skip_if_only_changed: ^(\.github|LICENSES|bundle|docs|examples)/|^(README\.md|\.gitignore)$
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --target=integration-test
- --variant=azure
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )azure-integration-test,?($|\s.*)
- agent: kubernetes
always_run: false
branches:
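Review bot: the generated `pull-ci-trusted-execution-clusters-operator-main-azure-integration-test` job carries `ci-operator.openshift.io/cloud: aws` and `ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws` labels even though its variant is `azure` and the test it runs logs into Azure; these labels are derived from `cluster_profile` in the ci-operator config (the `ci.openshift.io/generator: prowgen` label shows this file is generated), so fix the config and regenerate the jobs rather than editing this file by hand. Note also that `always_run: false` together with `optional: true` means the job never blocks a merge.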
@@ -1,10 +1,6 @@
reviewers:
- alicefr
- yalzhang
- Jakob-Naucke
- fangge1212
approvers:
- alicefr
- Jakob-Naucke
- fangge1212
- yalzhang
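Review bot: the approver list here is the same four names as the reviewer list, while the OWNERS file added for the new ref in this change lists only alicefr and Jakob-Naucke as approvers and reviewers; if that difference is intentional it is fine, otherwise align the two. The hunk header `@@ -1,10 +1,6 @@` shows four lines removed that the rendered view does not mark, so double-check that no entry was dropped unintentionally.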
@@ -0,0 +1,29 @@
#!/bin/bash

set -euo pipefail

NAMESPACE=$(oc project -q)
REGISTRY="image-registry.openshift-image-registry.svc:5000/${NAMESPACE}"

echo "[INFO] Logging in to internal registry..."
podman login -u "$(oc whoami)" -p "$(oc whoami -t)" \
image-registry.openshift-image-registry.svc:5000 --tls-verify=false

AZURE_SUBSCRIPTION_ID=$(cat /tmp/secrets/azure/subscription-id)
TEST_IMAGE=$(cat /tmp/secrets/azure/test-image)
export AZURE_SUBSCRIPTION_ID TEST_IMAGE

export VIRT_PROVIDER=azure
export PLATFORM=openshift
export REGISTRY="${REGISTRY}"

az login --service-principal \
-u "$(cat /tmp/secrets/azure/client-id)" \
-p "$(cat /tmp/secrets/azure/client-secret)" \
--tenant "$(cat /tmp/secrets/azure/tenant-id)"

echo "[INFO] Building and pushing images to ${REGISTRY}..."
make push

echo "[INFO] Running integration tests..."
make integration-tests
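Review bot: `podman login ... --tls-verify=false` turns off certificate verification against the internal registry; the in-cluster registry is served with a certificate from the OpenShift service CA, which is already available to the pod through its service-account mount, so point podman at that CA (or the registry trust already configured in the image) instead of disabling verification. Passing `-p "$(oc whoami -t)"` and `-p "$(cat /tmp/secrets/azure/client-secret)"` on the command line also exposes the registry token and the service-principal secret to anything that can read the process table; `podman login --password-stdin` avoids that for the registry login. Minor: `export REGISTRY="${REGISTRY}"` re-exports the value assigned a few lines earlier and can simply be `export REGISTRY`.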
@@ -0,0 +1,13 @@
{
"path": "trusted-execution-clusters/ref/azure-integration-test/trusted-execution-clusters-ref-azure-integration-test-ref.yaml",
"owners": {
"approvers": [
"alicefr",
"Jakob-Naucke"
],
"reviewers": [
"alicefr",
"Jakob-Naucke"
]
}
}
@@ -0,0 +1,15 @@
ref:
as: trusted-execution-clusters-ref-azure-integration-test
from: azure-test-image
nested_podman: true
commands: trusted-execution-clusters-ref-azure-integration-test-commands.sh
credentials:
- namespace: test-credentials
name: trusted-execution-clusters-azure
mount_path: /tmp/secrets/azure
resources:
requests:
cpu: 500m
memory: 500Mi
documentation: |-
Runs Azure integration tests for the trusted-execution-clusters operator
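Review bot: the `documentation` block should state what the `trusted-execution-clusters-azure` credential mounted at `/tmp/secrets/azure` is expected to contain, since the commands script reads `subscription-id`, `client-id`, `client-secret`, `tenant-id` and `test-image` from it and fails under `set -euo pipefail` if any key is missing; a ref that silently depends on five secret keys is hard to rehearse or reuse. It would also help to say that `nested_podman: true` is required because the step builds and pushes images with podman, and that `from: azure-test-image` must match the `to:` of the image defined in the ci-operator config.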