hypershift: add 5.0 HCM Azure AKS upgrade-minor periodic

[bryan-cox]

Summary

• Adds the periodics-hcm-azure variant for release-5.0, mirroring the existing 4.23 config
• Contains the e2e-aks-upgrade-minor test that upgrades from 4.22 to 5.0 using the HCM hypershift-operator image from acm-d

Test plan

• Rehearsal job passes
• Verify periodic job appears in Prow after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR adds a new periodic CI configuration for the hypershift repo on the release-5.0 branch that mirrors the existing 4.23 HCM Azure setup. It introduces ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics-hcm-azure.yaml which registers a daily periodic job (cron 0 11 * * *) for the periodics-hcm-azure variant.

In practical terms the job:

• Runs an e2e AKS upgrade-minor workflow (as: e2e-aks-upgrade-minor) using the hypershift-azure-aks-e2e workflow and the hypershift-aks cluster profile.
• Performs an upgrade scenario from OpenShift 4.22 (initial-minor) to 5.0 (initial/latest).
• Uses external hypershift operator image rhtap-hypershift-operator:latest from quay.io/acm-d.
• Uses base images: hypershift-tests:latest (namespace hypershift) and upi-installer tagged "5.0" (namespace ocp).
• Sets test env vars: AUTH_THROUGH_CERTS=true, CI_TESTS_RUN=^TestUpgradeControlPlane$, and HYPERSHIFT_AZURE_LOCATION=centralus.
• Applies default small resource requests (cpu 100m, memory 200Mi) for tests.

The commit also staggers the 5.0 HCM Azure periodic to 11:00 UTC (offset from the 4.23 job) to avoid competing for hypershift-aks leases. The change is configuration-only and adds the periodic job to ensure minor-upgrade scenarios to OpenShift 5.0 on Azure are continuously validated.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7ff7d98f-df18-480c-a1bb-44e126f7fe93

📥 Commits

Reviewing files that changed from the base of the PR and between e728bef and 603ea5e.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-5.0-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics-hcm-azure.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics-hcm-azure.yaml

---

Walkthrough

This PR adds a new hypershift periodic CI configuration file for OpenShift 5.0 on Azure with HCM. The configuration defines base/external image references, release candidate streams/versions, default resource requests, a scheduled e2e-aks-upgrade-minor workflow wired to hypershift-azure-aks-e2e with environment variables, and generated metadata.

Changes

HyperShift Azure Periodic Configuration

Layer / File(s)

Summary

Release 5.0 Azure HCM periodic E2E configuration ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics-hcm-azure.yaml

Full periodic configuration specifying base images (hypershift-tests, upi-installer tagged for OCP 5.0), external hypershift operator image reference, release stream/version definitions (initial, initial-minor, latest), default resource requests, and the e2e-aks-upgrade-minor E2E test workflow wired to hypershift-azure-aks-e2e with environment variables (AUTH_THROUGH_CERTS, CI_TESTS_RUN, HYPERSHIFT_AZURE_LOCATION) and zz_generated_metadata for branch/org/repo/variant tracking.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

• enxebre
• devguyio
• csrwng

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a new HCM Azure AKS upgrade-minor periodic job for hypershift release 5.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only a YAML CI configuration file with no Ginkgo test definitions, making the check not applicable to this PR.
Test Structure And Quality	✅ Passed	PR adds only a YAML CI configuration file with no Ginkgo test code. The check for test structure and quality is not applicable to configuration-only changes.
Microshift Test Compatibility	✅ Passed	PR adds only CI configuration YAML file, not Ginkgo e2e test code. Check applies to new test definitions, not CI config files.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only a CI configuration YAML file with no new Ginkgo e2e test code. The SNO compatibility check applies only to new test code, not CI configuration.
Topology-Aware Scheduling Compatibility	✅ Passed	File is a CI/CD configuration with no Kubernetes manifests, operator code, or scheduling constraints like affinity, node selectors, or topology spreads.
Ote Binary Stdout Contract	✅ Passed	PR adds only YAML CI configuration file with no executable code; OTE Binary Stdout Contract check is inapplicable to configuration files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only CI configuration (YAML), not new Ginkgo e2e test code, so IPv6/disconnected network test compatibility check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds only a YAML configuration file for CI/CD jobs; no cryptographic code, weak crypto algorithms, or secret comparisons detected.
Container-Privileges	✅ Passed	The added YAML configuration file contains no privileged container settings including privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation.
No-Sensitive-Data-In-Logs	✅ Passed	The YAML configuration file contains no passwords, tokens, API keys, or sensitive data in logs. Environment variables are non-sensitive configuration values.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/hypershift/OWNERS [bryan-cox]
• ci-operator/jobs/openshift/hypershift/OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/test ?

[openshift-ci]

@bryan-cox: The following commands are available to trigger required jobs:

/test boskos-config

/test boskos-config-generation

/test check-gh-automation

/test check-gh-automation-tide

/test check-trigger-trusted-apps

/test ci-operator-config

/test ci-operator-config-metadata

/test ci-operator-registry

/test ci-secret-bootstrap-config-validation

/test ci-testgrid-allow-list

/test clusterimageset-validate

/test config

/test core-valid

/test generated-config

/test generated-dashboards

/test hyperfleet-risk-scorer-test

/test image-mirroring-config-validation

/test jira-lifecycle-config

/test labels

/test openshift-image-mirror-mappings

/test ordered-prow-config

/test owners

/test pr-reminder-config

/test prow-config

/test prow-config-filenames

/test prow-config-semantics

/test pylint

/test release-config

/test release-controller-config

/test rover-groups-config-validation

/test secret-generator-config-valid

/test services-valid

/test stackrox-stackrox-stackrox-stackrox-check

/test step-registry-metadata

/test step-registry-shellcheck

/test sync-rover-groups

/test verified-config

/test yamllint

The following commands are available to trigger optional jobs:

/test check-cluster-profiles-config

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-release-check-gh-automation

pull-ci-openshift-release-main-ci-operator-config

pull-ci-openshift-release-main-ci-operator-config-metadata

pull-ci-openshift-release-main-ci-operator-registry

pull-ci-openshift-release-main-config

pull-ci-openshift-release-main-core-valid

pull-ci-openshift-release-main-generated-config

pull-ci-openshift-release-main-ordered-prow-config

pull-ci-openshift-release-main-owners

pull-ci-openshift-release-main-prow-config-filenames

pull-ci-openshift-release-main-prow-config-semantics

pull-ci-openshift-release-main-release-controller-config

pull-ci-openshift-release-openshift-image-mirror-mappings

pull-ci-openshift-release-yamllint

Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-hcm-azure-e2e-aks-upgrade-minor

[openshift-merge-bot]

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[cblecker]

The other HCM Azure periodic configs all use N-1 as the initial-minor (4.21→4.20, 4.22→4.21, 4.23→4.22). This one upgrades from 4.22→5.0 which is a two-minor jump. Is that intentional, or should this be 4.23 to stay consistent with the pattern?

I notice the existing release-5.0__periodics.yaml also uses 4.22 as its N-1, so maybe the team treats 4.22 as the predecessor to 5.0 — just want to make sure.

[bryan-cox]

Intentional — 4.22 is the correct predecessor for 5.0. Per Trevor (wking), there is no 4.23 → 5.0 upgrade path. 4.23 and 5.0 are parallel tracks (4.23 is essentially 5.0 with new features disabled), so the supported minor upgrade into 5.0 is from 4.22.

[cblecker]

Minor nit: this is the same schedule as the 4.23 HCM Azure periodic. The other versions are staggered (4am, 5am, 7am, 9am). Might be worth offsetting to avoid competing for hypershift-aks leases at the same time — but not a blocker if it's intentional.

[bryan-cox]

Good catch — staggered to 11am UTC in the latest push to avoid competing for hypershift-aks leases.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@bryan-cox: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-hypershift-release-5.0-periodics-hcm-azure-e2e-aks-upgrade-minor	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[bryan-cox]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-hcm-azure-e2e-aks-upgrade-minor

[openshift-merge-bot]

@bryan-cox: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.