ROSAENG-8194 | task: Migrate cs-rosa-hcp-ad-production-main

[davidleerh]

Summary by CodeRabbit

This PR adds a new CI configuration for automating ROSA (Red Hat OpenShift Service on AWS) HCP (Hosted Control Plane) E2E testing with Active Directory production settings.

What's being added:
A periodic test job configuration file (openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml) that:

• Runs OCM FVT (Functional Verification Tests) for ROSA HCP against an Active Directory production environment
• Executes daily at 03:00 UTC
• Uses OCP 4.22 nightly release targeting with a golang-1.24 builder image
• Configures resource limits (4Gi memory, 100m CPU minimum) appropriate for nested Podman workloads
• Sets a 5-hour timeout to accommodate longer integration tests
• References the existing rosa-e2e-ocm-fvt test framework

Infrastructure impact:
This migrates the ROSA HCP AD production testing infrastructure into the main branch's CI configuration, enabling automated daily validation of the ROSA platform against a production-like AD environment. The test will run alongside other ROSA E2E tests in the OpenShift CI pipeline.

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b344a491-45fa-4b12-a57e-7837011fce56

📥 Commits

Reviewing files that changed from the base of the PR and between 95ce63c and e09c2b1.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml

---

Walkthrough

A new ROSA E2E CI configuration file is added for OpenShift Online to define base image building, default resource allocations, OCP 4.22 nightly release targeting, and a daily periodic test job (ocm-fvt-periodic-cs-rosa-hcp-ad-production-main) that runs at 03:00 UTC with nested podman enabled and a 5-hour timeout.

Changes

ROSA E2E HCP Production CI Configuration

Layer / File(s)	Summary
Global CI configuration and base images ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml	Establishes nested-podman base image, specifies builder image stream tag (ocp/builder:rhel-9-golang-1.24-openshift-4.22), targets the latest nightly OCP 4.22 release stream, and sets default resource requests (100m CPU, 200Mi memory) and limits (4Gi memory) for all resources.
Periodic test job definition and metadata ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml	Defines a periodic E2E test job (ocm-fvt-periodic-cs-rosa-hcp-ad-production-main) that runs daily at 03:00 UTC, enables nested podman, sets OCM FVT environment variables, references the rosa-e2e-ocm-fvt test, applies a 5-hour timeout, and assigns metadata labels for tracking (branch: main, org: openshift-online, repo: rosa-e2e, variant: ocm-fvt-rosa-hcp-production).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#80231: Adds a related ROSA E2E OpenShift Online CI configuration with the same base images, builder tag, OCP 4.22 targeting, and global resource defaults but with a different OCM FVT test variant job name.
• openshift/release#80229: Updates multiple existing ROSA E2E OCM-FVT periodic test jobs to set timeout to 5 hours; this PR introduces the same 5-hour timeout pattern for the new HCP production job.

Suggested labels

lgtm, approved, ok-to-test, rehearsals-ack, jira/valid-reference

Suggested reviewers

• bmeng
• dustman9000

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the task/migration objective (ROSAENG-8194 | cs-rosa-hcp-ad-production-main) that is being implemented in the changeset by adding the ROSA E2E CI configuration file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds CI configuration and utility tools but no Ginkgo test definitions. Check is not applicable as there are no Ginkgo test titles (It, Describe, Context, etc.) to evaluate.
Test Structure And Quality	✅ Passed	PR adds a YAML CI configuration file, not Ginkgo test code; custom check for test structure review is not applicable to this change.
Microshift Test Compatibility	✅ Passed	PR only adds CI configuration files and references existing test steps. No new Ginkgo e2e test code is added, making the MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only CI configuration (YAML), not new Ginkgo e2e tests. The check for SNO compatibility applies only to new Ginkgo test code, which is not present in this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR adds only CI configuration and test step files with no deployment manifests or operator code containing topology-unsafe scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR adds only YAML CI configuration file with no Go test code; OTE Binary Stdout Contract check applies only to Go test binaries, not CI configuration.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only a CI configuration file referencing existing OCM FVT test steps. No new Ginkgo e2e tests (It(), Describe(), Context(), When(), etc.) are introduced, so check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds YAML CI configuration file with no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or insecure secret comparisons detected.
Container-Privileges	✅ Passed	The new YAML configuration file contains no privileged container settings such as privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root execution.
No-Sensitive-Data-In-Logs	✅ Passed	Configuration file and test scripts do not expose passwords, tokens, API keys, PII, or sensitive data in logs. Credentials are properly handled via mounted volumes with restricted permissions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: davidleerh
Once this PR has been reviewed and has the lgtm label, please assign ravitri for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-online/rosa-e2e/OWNERS
• ci-operator/jobs/openshift-online/rosa-e2e/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@davidleerh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main	N/A	periodic	Periodic changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-merge-bot]

@coderabbitai[bot]: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[davidleerh]

/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

[openshift-merge-bot]

@davidleerh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@davidleerh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main	e09c2b1	link	unknown	/pj-rehearse periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[davidleerh]

/retest