From e3ba7cce49d15d2f6b59021d5bf90944b8c91265 Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Mon, 8 Sep 2025 14:37:07 +0200
Subject: [PATCH 1/2] cao: add idp-external-oidc-keycloak-aws workflow

---
 .../idp/external-oidc/keycloak/aws/OWNERS      | 11 +++++++++++
 ...al-oidc-keycloak-aws-workflow.metadata.json | 18 ++++++++++++++++++
 ...dp-external-oidc-keycloak-aws-workflow.yaml | 15 +++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 ci-operator/step-registry/idp/external-oidc/keycloak/aws/OWNERS
 create mode 100644 ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.metadata.json
 create mode 100644 ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.yaml

diff --git a/ci-operator/step-registry/idp/external-oidc/keycloak/aws/OWNERS b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/OWNERS
new file mode 100644
index 0000000000000..fe2512bd2ef25
--- /dev/null
+++ b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/OWNERS
@@ -0,0 +1,11 @@
+approvers:
+  - heliubj18
+  - xingxingxia
+  - xiuwang
+  - liouk
+  - everettraven
+reviewers:
+  - xingxingxia
+  - xiuwang
+  - liouk
+  - everettraven
diff --git a/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.metadata.json b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.metadata.json
new file mode 100644
index 0000000000000..154bb630bb14a
--- /dev/null
+++ b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.metadata.json
@@ -0,0 +1,18 @@
+{
+  "path": "idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.yaml",
+  "owners": {
+    "approvers": [
+      "heliubj18",
+      "xingxingxia",
+      "xiuwang",
+      "liouk",
+      "everettraven"
+    ],
+    "reviewers": [
+      "xingxingxia",
+      "xiuwang",
+      "liouk",
+      "everettraven"
+    ]
+  }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.yaml b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.yaml
new file mode 100644
index 0000000000000..11e672ea96720
--- /dev/null
+++ b/ci-operator/step-registry/idp/external-oidc/keycloak/aws/idp-external-oidc-keycloak-aws-workflow.yaml
@@ -0,0 +1,15 @@
+workflow:
+  as: idp-external-oidc-keycloak-aws
+  steps:
+    allow_best_effort_post_steps: true
+    pre:
+    - chain: ipi-aws-pre
+    - chain: idp-external-oidc-keycloak
+    test:
+    - ref: openshift-e2e-test
+    post:
+    - chain: gather-core-dump
+    - chain: ipi-aws-post
+  documentation: |-
+    This workflow creates a cluster configured with External OIDC as auth provider with
+    an in-cluster Keycloak deployment and executes the common end-to-end-test suite on AWS.

From 8e31ddb040f2ba589dac2e47e0a4106b7e3448ef Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Fri, 11 Jul 2025 15:10:10 +0200
Subject: [PATCH 2/2] cluster-authentication-operator: add external-oidc conformance periodics

Run the complete conformance suite except External OIDC tests (covered by other jobs) and any tests that depend on the OAuth stack (e.g. APIs) as the OAuth components do not exist in External OIDC.
---
 ...tion-operator-release-4.21__periodics.yaml |  35 ++++
 ...ation-operator-release-4.21-periodics.yaml | 150 ++++++++++++++++++
 2 files changed, 185 insertions(+)

diff --git a/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml b/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml
index 8da845c69479e..8e67acbd86b3c 100644
--- a/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml
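Review bot: The `documentation` block of the new workflow does not say which feature set the cluster must run with, while both periodics that consume it in the second patch set `FEATURE_SET: TechPreviewNoUpgrade`; if the `idp-external-oidc-keycloak` chain depends on that gate (I cannot confirm it from this patch), a reader of the step registry cannot tell it from this file. Consider extending the documentation with a sentence such as `Jobs using this workflow are expected to set FEATURE_SET=TechPreviewNoUpgrade while External OIDC is gated behind TechPreview.` It would also help to state that `allow_best_effort_post_steps: true` lets best-effort post steps fail without failing the job, so a failed deprovision in `ipi-aws-post` is only visible in the step logs and should be watched for leaked clusters.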
+++ b/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml 
@@ -377,6 +377,41 @@ tests:
       TEST_SUITE: openshift/auth/external-oidc
     workflow: openshift-e2e-aws-single-node
   timeout: 5h0m0s
+- as: e2e-aws-external-oidc-conformance-parallel-techpreview
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\] authorization
+        TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-cli\]
+        templates process \[apigroup:template.openshift.io\]\[Skipped:Disconnected\]
+        \[Suite:openshift\/conformance\/parallel\]\|\[sig-auth\]\[Feature:Authentication\]
+        TestFrontProxy should succeed \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance security tests \[apigroup:authorization.openshift.io\]\[apigroup:template.openshift.io\]
+        should pass security tests \[apigroup:route.openshift.io\] \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance impersonation tests \[apigroup:user.openshift.io\]\[apigroup:authorization.openshift.io\]
+      TEST_SUITE: openshift/conformance/parallel
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
+- as: e2e-aws-external-oidc-conformance-serial-techpreview
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_ARGS: --disable-monitor=legacy-test-framework-invariants
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]\[Serial\] authorization
+        TestAuthorizationResourceAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]
+        authorization TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance impersonation tests \[apigroup:user.openshift.io\]\[apigroup:authorization.openshift.io\]\|\[sig-api-machinery\]
+        API data in etcd should be stored at the correct location and version for
+        all resources \[Serial\]
+      TEST_SUITE: openshift/conformance/serial
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
 zz_generated_metadata:
   branch: release-4.21
   org: openshift
diff --git a/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml b/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml
index dc29fc5b68eda..6262d6df1183e 100644
--- a/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml
+++ b/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml
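Review bot: The common prefix of `TEST_SKIPS` (`ExternalOIDC\|\[Feature:OAuthServer\]\|...\|OAuth access token`) is copied verbatim into both the parallel and the serial job, so the two exclusion lists will drift the next time an OAuth-dependent test has to be added to one of them; the job-specific tail is only the `[Serial]` variants and the etcd storage-location test. Since these config files are normalized by the generator and, as far as I know, cannot keep comments, the rationale for each skip has to live in the commit message, and the message explains the OAuth-stack skips but not why `[sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial]` is excluded in the serial job. The serial job also sets `TEST_ARGS: --disable-monitor=legacy-test-framework-invariants` while the parallel job does not; if that asymmetry is intentional, say so in the message, otherwise the parallel job likely needs the same argument.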
@@ -74,6 +74,156 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build09
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.21
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.21"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance-parallel-techpreview
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
+- agent: kubernetes
+  cluster: build09
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.21
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.21"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-serial-techpreview
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance-serial-techpreview
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build09
   decorate: true