cluster-authentication-operator: add external-oidc conformance periodic

Run the complete conformance suite except External OIDC tests (covered
by other jobs) and any tests that depend on the OAuth stack (e.g. APIs)
as the OAuth components do not exist in External OIDC.

Author: liouk

ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.20__periodics.yaml

@@ -193,6 +193,19 @@ tests:
       TEST_SUITE: openshift/auth/external-oidc
     workflow: openshift-e2e-vsphere
   timeout: 5h0m0s
+- as: e2e-aws-external-oidc-conformance
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]\[Serial\] authorization
+        TestAuthorizationResourceAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]
+        authorization TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]
+      TEST_SUITE: openshift/conformance
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
 zz_generated_metadata:
   branch: release-4.20
   org: openshift

ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.20-periodics.yaml

@@ -74,6 +74,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build09
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.20
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.20"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.20-periodics-e2e-aws-external-oidc-conformance
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build09
   decorate: true