diff --git a/ci-operator/config/openshift/installer/openshift-installer-main.yaml b/ci-operator/config/openshift/installer/openshift-installer-main.yaml index 0111afaa89542..96791191ae7db 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-main.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-main.yaml @@ -271,6 +271,34 @@ tests: keyB valueB keyC valueC workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-default-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: ECDSA + EXPECTED_KEY_PARAM: secp384r1 + FEATURE_SET: TechPreviewNoUpgrade + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-rsa-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: RSA + EXPECTED_KEY_PARAM: "4096" + FEATURE_SET: TechPreviewNoUpgrade + PKI_ALGORITHM: RSA + PKI_RSA_KEY_SIZE: "4096" + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws - always_run: false as: e2e-aws-ovn-dualstack-ipv4-primary-techpreview optional: true diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml index 7d0d3ebf0df25..390c1b752335d 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-release-4.22.yaml 
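Review bot: Neither new test sets `PKI_ALGORITHM: ECDSA` or `PKI_ECDSA_CURVE`, so the explicit-ECDSA arm that ipi-conf-aws-commands.sh gains in this same change has no job exercising it from what these hunks show: e2e-aws-ovn-pki-default-techpreview passes no PKI_* inputs at all and only asserts whatever the installer picks by default under TechPreviewNoUpgrade, while the rsa job covers the RSA arm. A third variant with `PKI_ALGORITHM: ECDSA`, `PKI_ECDSA_CURVE: P-256` and `EXPECTED_KEY_PARAM: prime256v1` (the name openssl prints for that curve) would close the gap; whoever adds it needs to know that EXPECTED_KEY_PARAM uses openssl's spelling (secp384r1) while the step input takes P-384, which is worth a line in the step documentation. The same two test blocks are repeated in the release-4.22, release-4.23 and release-5.0 config hunks, so any added variant should be mirrored there.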
@@ -272,6 +272,34 @@ tests: keyB valueB keyC valueC workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-default-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: ECDSA + EXPECTED_KEY_PARAM: secp384r1 + FEATURE_SET: TechPreviewNoUpgrade + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-rsa-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: RSA + EXPECTED_KEY_PARAM: "4096" + FEATURE_SET: TechPreviewNoUpgrade + PKI_ALGORITHM: RSA + PKI_RSA_KEY_SIZE: "4096" + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws - always_run: false as: e2e-aws-ovn-dualstack-ipv4-primary-techpreview optional: true diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml index a8e0257dc41fb..fe29f9bf0db21 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-release-4.23.yaml 
@@ -271,6 +271,34 @@ tests: keyB valueB keyC valueC workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-default-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: ECDSA + EXPECTED_KEY_PARAM: secp384r1 + FEATURE_SET: TechPreviewNoUpgrade + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-rsa-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: RSA + EXPECTED_KEY_PARAM: "4096" + FEATURE_SET: TechPreviewNoUpgrade + PKI_ALGORITHM: RSA + PKI_RSA_KEY_SIZE: "4096" + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws - always_run: false as: e2e-aws-ovn-dualstack-ipv4-primary-techpreview optional: true diff --git a/ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml b/ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml index 3b21235372444..5b6a3531fbae7 100644 --- a/ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml +++ b/ci-operator/config/openshift/installer/openshift-installer-release-5.0.yaml 
@@ -271,6 +271,34 @@ tests: keyB valueB keyC valueC workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-default-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: ECDSA + EXPECTED_KEY_PARAM: secp384r1 + FEATURE_SET: TechPreviewNoUpgrade + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws +- always_run: false + as: e2e-aws-ovn-pki-rsa-techpreview + optional: true + steps: + cluster_profile: openshift-org-aws + env: + EXPECTED_ALGORITHM: RSA + EXPECTED_KEY_PARAM: "4096" + FEATURE_SET: TechPreviewNoUpgrade + PKI_ALGORITHM: RSA + PKI_RSA_KEY_SIZE: "4096" + test: + - ref: openshift-installer-pki-verify + - ref: openshift-e2e-test + workflow: openshift-e2e-aws - always_run: false as: e2e-aws-ovn-dualstack-ipv4-primary-techpreview optional: true diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-main-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-main-presubmits.yaml index 64c9b9ba9bb4d..de2ce762be8f4 100644 --- a/ci-operator/jobs/openshift/installer/openshift-installer-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/installer/openshift-installer-main-presubmits.yaml 
@@ -2435,6 +2435,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-aws-ovn-imdsv2,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-default-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-main-e2e-aws-ovn-pki-default-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-default-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-default-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: 
ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-default-techpreview,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-rsa-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-rsa-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-rsa-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + 
volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-rsa-techpreview,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.22-presubmits.yaml index fb10a1ae6abf6..82cfe6bc1f492 100644 --- a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.22-presubmits.yaml 
@@ -2434,6 +2434,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-aws-ovn-imdsv2,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-default-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-pki-default-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-default-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-default-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-default-techpreview,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-rsa-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-4.22-e2e-aws-ovn-pki-rsa-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-rsa-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-rsa-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + 
readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-rsa-techpreview,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.23-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.23-presubmits.yaml index 3297512689aff..9b66c0139a893 100644 --- a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.23-presubmits.yaml +++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.23-presubmits.yaml 
@@ -2435,6 +2435,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-aws-ovn-imdsv2,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.23$ + - ^release-4\.23- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-default-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-pki-default-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-default-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-default-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-default-techpreview,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.23$ + - ^release-4\.23- + cluster: build01 + context: ci/prow/e2e-aws-ovn-pki-rsa-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-4.23-e2e-aws-ovn-pki-rsa-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-rsa-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-rsa-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + 
readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-rsa-techpreview,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-5.0-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-5.0-presubmits.yaml index 17c8008c9a520..6d9b17ced779f 100644 --- a/ci-operator/jobs/openshift/installer/openshift-installer-release-5.0-presubmits.yaml +++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-5.0-presubmits.yaml 
@@ -2435,6 +2435,168 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-aws-ovn-imdsv2,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-5\.0$ + - ^release-5\.0- + cluster: build11 + context: ci/prow/e2e-aws-ovn-pki-default-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-pki-default-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-default-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-default-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + 
secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-default-techpreview,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-5\.0$ + - ^release-5\.0- + cluster: build11 + context: ci/prow/e2e-aws-ovn-pki-rsa-techpreview + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-installer-release-5.0-e2e-aws-ovn-pki-rsa-techpreview + optional: true + rerun_command: /test e2e-aws-ovn-pki-rsa-techpreview + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ovn-pki-rsa-techpreview + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + 
readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-aws-ovn-pki-rsa-techpreview,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh index 7e1197bb16af8..d35367f1eb25e 100755 --- a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh +++ b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-commands.sh @@ -609,3 +609,38 @@ EOF cp "${patch_dualstack}" "${ARTIFACT_DIR}/" echo "Dual-stack networking configuration added to install-config.yaml" fi + +# Configure PKI signer certificates if PKI_ALGORITHM is set +if [[ -n "${PKI_ALGORITHM:-}" ]]; then + echo "Configuring PKI with algorithm: ${PKI_ALGORITHM}" + patch_pki="${SHARED_DIR}/install-config-pki.yaml.patch" + case "${PKI_ALGORITHM}" in + RSA) + cat > "${patch_pki}" << EOF +pki: + signerCertificates: + key: + algorithm: RSA + rsa: + keySize: ${PKI_RSA_KEY_SIZE} +EOF + ;; + ECDSA) + cat > "${patch_pki}" << EOF +pki: + signerCertificates: + key: + algorithm: ECDSA + ecdsa: + curve: ${PKI_ECDSA_CURVE} +EOF + ;; + *) + echo "ERROR: Unsupported PKI_ALGORITHM: ${PKI_ALGORITHM}. Must be RSA or ECDSA." + exit 1 + ;; + esac + yq-go m -x -i "${CONFIG}" "${patch_pki}" + cp "${patch_pki}" "${ARTIFACT_DIR}/" + echo "PKI configuration added to install-config.yaml" +fi 
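Review bot: The RSA and ECDSA arms interpolate PKI_RSA_KEY_SIZE and PKI_ECDSA_CURVE into the heredoc without checking them, so a typo such as `P-512` or a non-numeric key size is only caught later by the installer, after the step has already written the patch and merged it into `${CONFIG}` with `yq-go m -x -i`. The ref documents exactly two valid curves, so the step can reject bad input up front the same way the outer case already does for PKI_ALGORITHM, giving a clear failure in the conf step rather than a later install error. The top-level script this block belongs to starts outside the hunk.
```shell
    RSA)
      if ! [[ "${PKI_RSA_KEY_SIZE}" =~ ^[0-9]+$ ]]; then
        echo "ERROR: PKI_RSA_KEY_SIZE must be an integer, got: ${PKI_RSA_KEY_SIZE}"
        exit 1
      fi
      # … unchanged: heredoc writing the RSA pki section to ${patch_pki} …
      ;;
    ECDSA)
      case "${PKI_ECDSA_CURVE}" in
        P-256|P-384) ;;
        *)
          echo "ERROR: Unsupported PKI_ECDSA_CURVE: ${PKI_ECDSA_CURVE}. Must be P-256 or P-384."
          exit 1
          ;;
      esac
      # … unchanged: heredoc writing the ECDSA pki section to ${patch_pki} …
      ;;
```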
diff --git a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml index a36fd2be24576..b68102b7f3f9c 100644 --- a/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml +++ b/ci-operator/step-registry/ipi/conf/aws/ipi-conf-aws-ref.yaml @@ -142,5 +142,19 @@ ref: Custom RHCOS AMI ID for compute nodes. When "" (default), uses installer's built-in AMI for the region. + - name: PKI_ALGORITHM + default: "" + documentation: |- + Algorithm for PKI signer certificates when ConfigurablePKI feature gate is enabled. + Valid values: "RSA", "ECDSA". When "" (default), no pki section is added to install-config.yaml. + - name: PKI_RSA_KEY_SIZE + default: "4096" + documentation: |- + RSA key size in bits for PKI signer certificates. Only used when PKI_ALGORITHM=RSA. + - name: PKI_ECDSA_CURVE + default: "P-384" + documentation: |- + ECDSA curve name for PKI signer certificates. Only used when PKI_ALGORITHM=ECDSA. + Valid values: "P-256", "P-384". documentation: |- The IPI AWS configure step generates the AWS-specific install-config.yaml contents based on the cluster profile and optional input files. diff --git a/ci-operator/step-registry/openshift/installer/pki/OWNERS b/ci-operator/step-registry/openshift/installer/pki/OWNERS new file mode 100644 index 0000000000000..e99525ac8b743 --- /dev/null +++ b/ci-operator/step-registry/openshift/installer/pki/OWNERS @@ -0,0 +1,10 @@ +approvers: +- mtulio +- patrickdillon +- sadasu +- yunjiang29 +reviewers: +- mtulio +- patrickdillon +- sadasu +- yunjiang29 diff --git a/ci-operator/step-registry/openshift/installer/pki/verify/OWNERS b/ci-operator/step-registry/openshift/installer/pki/verify/OWNERS new file mode 100644 index 0000000000000..e99525ac8b743 --- /dev/null +++ b/ci-operator/step-registry/openshift/installer/pki/verify/OWNERS 
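Review bot: The PKI_ALGORITHM documentation should say the value is case-sensitive, because the consuming ipi-conf-aws-commands.sh matches the literal arms `RSA)` and `ECDSA)` and exits 1 on anything else, so `rsa` fails the step; suggest appending `Values are case-sensitive.` to that entry. PKI_ECDSA_CURVE lists its accepted values but PKI_RSA_KEY_SIZE gives no accepted range even though the script passes it straight through to `keySize`; if the installer constrains the size, stating the constraint here keeps the two entries parallel and saves a failed run.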
@@ -0,0 +1,10 @@ +approvers: +- mtulio +- patrickdillon +- sadasu +- yunjiang29 +reviewers: +- mtulio +- patrickdillon +- sadasu +- yunjiang29 diff --git a/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh new file mode 100755 index 0000000000000..200b046245b0a --- /dev/null +++ b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-commands.sh 
@@ -0,0 +1,164 @@
+#!/bin/bash
+
+set -euo pipefail
+
+ARTIFACT_LOG="${ARTIFACT_DIR}/pki-verification.log"
+: > "${ARTIFACT_LOG}"
+
+failures=0
+total=0
+
+# Signer secrets to verify: "description|secret_name|namespace|cert_key"
+declare -a SIGNERS=(
+ "root-ca|machine-config-server-ca|openshift-machine-config-operator|tls.crt"
+ "kube-apiserver-to-kubelet-signer|kube-apiserver-to-kubelet-signer|openshift-kube-apiserver-operator|tls.crt"
+ "kube-apiserver-localhost-signer|localhost-serving-signer|openshift-kube-apiserver-operator|tls.crt"
+ "kube-apiserver-service-network-signer|service-network-serving-signer|openshift-kube-apiserver-operator|tls.crt"
+ "kube-apiserver-lb-signer|loadbalancer-serving-signer|openshift-kube-apiserver-operator|tls.crt"
+ "kube-control-plane-signer|kube-control-plane-signer|openshift-kube-apiserver-operator|tls.crt"
+ "aggregator-signer|aggregator-client-signer|openshift-kube-apiserver-operator|tls.crt"
+)
+
+# Map expected algorithm to openssl output strings
+case "${EXPECTED_ALGORITHM}" in
+ RSA)
+ expected_algo_str="rsaEncryption"
+ expected_param_str="Public-Key: (${EXPECTED_KEY_PARAM} bit)"
+ ;;
+ ECDSA)
+ expected_algo_str="id-ecPublicKey"
+ expected_param_str="ASN1 OID: ${EXPECTED_KEY_PARAM}"
+ ;;
+ *)
+ echo "ERROR: Unsupported EXPECTED_ALGORITHM: ${EXPECTED_ALGORITHM}"
+ exit 1
+ ;;
+esac
+
+echo "============================================="
+echo "PKI Verification"
+echo "Expected algorithm: ${EXPECTED_ALGORITHM}"
+echo "Expected key param: ${EXPECTED_KEY_PARAM}"
+echo "============================================="
+echo ""
+
+declare -a results=()
+
+for signer in "${SIGNERS[@]}"; do
+ IFS='|' read -r description secret_name namespace cert_key <<< "${signer}"
+ total=$((total + 1))
+ status="PASS"
+
+ echo "--- Checking: ${description} (${namespace}/${secret_name}) ---" | tee -a "${ARTIFACT_LOG}"
+
+ cert_data=""
+ cert_data=$(oc get secret "${secret_name}" -n "${namespace}" -o jsonpath="{.data.${cert_key//./\\.}}" 2>&1) || true
+
+ if [[ -z "${cert_data}" ]]; then
+ echo " FAIL: Could not retrieve secret ${namespace}/${secret_name} key ${cert_key}" | tee -a "${ARTIFACT_LOG}"
+ results+=("FAIL|${description}|secret not found")
+ failures=$((failures + 1))
+ continue
+ fi
+
+ cert_text=$(echo "${cert_data}" | base64 -d | openssl x509 -text -noout 2>&1) || true
+
+ if [[ -z "${cert_text}" ]]; then
+ echo " FAIL: Could not decode certificate from ${namespace}/${secret_name}" | tee -a "${ARTIFACT_LOG}"
+ results+=("FAIL|${description}|cert decode failed")
+ failures=$((failures + 1))
+ continue
+ fi
+
+ # Write full cert details to artifact log
+ echo "${cert_text}" >> "${ARTIFACT_LOG}"
+ echo "" >> "${ARTIFACT_LOG}"
+
+ # Check algorithm
+ algo_match=false
+ echo "${cert_text}" | grep -qF "${expected_algo_str}" && algo_match=true || true
+ if [[ "${algo_match}" == "true" ]]; then
+ echo " Algorithm: ${expected_algo_str} - OK"
+ else
+ actual_algo=$(echo "${cert_text}" | grep -F "Public Key Algorithm:" | head -1 | xargs) || true
+ echo " FAIL: Expected algorithm '${expected_algo_str}', got '${actual_algo}'" | tee -a "${ARTIFACT_LOG}"
+ status="FAIL"
+ fi
+
+ # Check key parameter
+ param_match=false
+ echo "${cert_text}" | grep -qF "${expected_param_str}" && param_match=true || true
+ if [[ "${param_match}" == "true" ]]; then
+ echo " Key param: ${expected_param_str} - OK"
+ else
+ # Try ECDSA curve OID first (e.g., "ASN1 OID: secp384r1"), fall back to
+ # generic key size (e.g., "Public-Key: (2048 bit)") when the cert uses
+ # a different algorithm entirely and has no ASN1 OID field.
+ actual_param=$(echo "${cert_text}" | grep -F "ASN1 OID:" | head -1 | xargs) || true
+ if [[ -z "${actual_param}" ]]; then
+ actual_param=$(echo "${cert_text}" | grep -F "Public-Key:" | head -1 | xargs) || true
+ fi
+ echo " FAIL: Expected '${expected_param_str}', got '${actual_param:-not found}'" | tee -a "${ARTIFACT_LOG}"
+ status="FAIL"
+ fi
+
+ if [[ "${status}" == "FAIL" ]]; then
+ failures=$((failures + 1))
+ fi
+ results+=("${status}|${description}|${namespace}/${secret_name}")
+done
+
+# Verify PKI CR
+echo ""
+echo "--- Checking PKI CR ---" | tee -a "${ARTIFACT_LOG}"
+total=$((total + 1))
+
+pki_cr=$(oc get pki cluster -o yaml 2>&1) || true
+
+if [[ -z "${pki_cr}" ]] || echo "${pki_cr}" | grep -q "not found\|error\|Error"; then
+ echo " FAIL: PKI CR 'cluster' not found or error retrieving it" | tee -a "${ARTIFACT_LOG}"
+ echo "${pki_cr}" >> "${ARTIFACT_LOG}"
+ results+=("FAIL|PKI CR|not found or error")
+ failures=$((failures + 1))
+else
+ echo "${pki_cr}" >> "${ARTIFACT_LOG}"
+ pki_status="PASS"
+
+ # Check mode
+ mode=$(echo "${pki_cr}" | grep "mode:" | head -1 | awk '{print $2}' || true)
+ if [[ "${mode}" == "Custom" ]]; then
+ echo " Mode: Custom - OK"
+ else
+ echo " FAIL: Expected mode 'Custom', got '${mode:-not set}'" | tee -a "${ARTIFACT_LOG}"
+ pki_status="FAIL"
+ fi
+
+ if [[ "${pki_status}" == "FAIL" ]]; then
+ failures=$((failures + 1))
+ fi
+ results+=("${pki_status}|PKI CR|mode=${mode:-unknown}")
+fi
+
+# Print summary table
+echo ""
+echo "============================================="
+echo "PKI Verification Summary"
+echo "============================================="
+printf "%-6s | %-45s | %s\n" "STATUS" "CHECK" "DETAIL"
+printf "%-6s-+-%-45s-+-%s\n" "------" "---------------------------------------------" "------"
+for result in "${results[@]}"; do
+ IFS='|' read -r rstatus rdesc rdetail <<< "${result}"
+ printf "%-6s | %-45s | %s\n" "${rstatus}" "${rdesc}" "${rdetail}"
+done
+echo ""
+echo "Total: ${total}, Passed: $((total - failures)), Failed: ${failures}"
+echo "============================================="
+
+if [[ ${failures} -gt 0 ]]; then
+ echo ""
+ echo "FAILURE: ${failures} check(s) failed. See ${ARTIFACT_LOG} for details."
+ exit 1
+fi
+
+echo ""
+echo "All PKI checks passed."
diff --git a/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.metadata.json b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.metadata.json
new file mode 100644
index 0000000000000..60e18ea51b6bc
--- /dev/null
+++ b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.metadata.json
@@ -0,0 +1,17 @@
+{
+ "path": "openshift/installer/pki/verify/openshift-installer-pki-verify-ref.yaml",
+ "owners": {
+ "approvers": [
+ "mtulio",
+ "patrickdillon",
+ "sadasu",
+ "yunjiang29"
+ ],
+ "reviewers": [
+ "mtulio",
+ "patrickdillon",
+ "sadasu",
+ "yunjiang29"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.yaml b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.yaml
new file mode 100644
index 0000000000000..391718e72fc9f
--- /dev/null
+++ b/ci-operator/step-registry/openshift/installer/pki/verify/openshift-installer-pki-verify-ref.yaml
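Review bot: The PKI CR check near the end of the script decides "not found or error" by grepping the captured `oc get pki cluster -o yaml 2>&1` output for `not found\|error\|Error`, so any CR whose YAML legitimately contains the word "error" (a status condition message, for instance) is reported as missing, and `grep "mode:" | head -1` takes the first key ending in `mode:` anywhere in the document — managedFields and status included — rather than the spec field. Test the command's exit status instead and read the field with jsonpath, presumably `.spec.mode` (confirm against the CRD). The secret lookup earlier in the loop has the same `2>&1 … || true` then `-z` shape, so an `oc` error message is treated as certificate data and surfaces as a misleading "Expected algorithm … got ''" failure instead of "secret not found"; dropping the `2>&1` there and checking the exit status fixes the attribution. Since the artifact log is presumably published with the job, add a guard comment on the SIGNERS table: `# Only the public tls.crt is read and logged; never add tls.key here — ARTIFACT_DIR is exported with the job.`
```shell
# Verify PKI CR: rely on oc's exit status rather than grepping its output for "error"
if ! pki_cr=$(oc get pki cluster -o yaml 2>>"${ARTIFACT_LOG}"); then
  echo "  FAIL: PKI CR 'cluster' not found or error retrieving it" | tee -a "${ARTIFACT_LOG}"
  results+=("FAIL|PKI CR|not found or error")
  failures=$((failures + 1))
else
  echo "${pki_cr}" >> "${ARTIFACT_LOG}"
  pki_status="PASS"
  # Read the field by path; 'grep "mode:" | head -1' can pick up managedFields/status keys
  mode=$(oc get pki cluster -o jsonpath='{.spec.mode}' 2>/dev/null) || mode=""
  # … unchanged: mode == Custom comparison, pki_status accounting, results entry …
fi
```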
@@ -0,0 +1,26 @@
+ref:
+ as: openshift-installer-pki-verify
+ commands: openshift-installer-pki-verify-commands.sh
+ from: cli
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ env:
+ - name: EXPECTED_ALGORITHM
+ default: "ECDSA"
+ documentation: |-
+ Expected public key algorithm for signer certificates.
+ Valid values: "RSA", "ECDSA".
+ - name: EXPECTED_KEY_PARAM
+ default: "secp384r1"
+ documentation: |-
+ Expected key parameter for signer certificates.
+ For RSA: key size in bits (e.g., "4096").
+ For ECDSA: curve OID name (e.g., "secp384r1" for P-384, "prime256v1" for P-256).
+ documentation: |-
+ Verifies that installer-generated signer CA certificates use the expected
+ public key algorithm and key parameters. Also verifies the PKI custom
+ resource exists with the correct mode and profile. Checks 7 signer secrets
+ accessible as cluster secrets post-install and produces a pass/fail summary
+ table with full certificate details written to the artifact directory.
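Review bot: The step documentation at the bottom of the hunk says the PKI custom resource is verified "with the correct mode and profile", but the companion commands script in this commit only compares `mode` to `Custom` and never reads a profile field, so the description overstates what the step checks; either change the sentence to `Also verifies the PKI custom resource exists and reports mode Custom.` or add the profile check to the script. The EXPECTED_KEY_PARAM documentation should also state that the value must agree with EXPECTED_ALGORITHM — the two are independent inputs, and an ECDSA run given "4096" fails every signer with a confusing "Expected 'ASN1 OID: 4096'" message — and that it is the name as printed by `openssl x509 -text`, which for P-384 is secp384r1, not the "P-384" spelling used by the ipi-conf-aws PKI_ECDSA_CURVE variable in this same commit.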