intra-step leasing: Add lease proxy server specs in prowgen

[danilo-gemoli]

This is the preparatory work that ci-operator requires in order to run a small lease proxy server.

We are working on the intra-step leasing capability that will allow a step from the ci-operator step registry to acquire lease from boskos.
As of today, ci-operator acquire any leases required by a workflow and then run the test. With the new feature we are about to introduce, a step could also do that by sending requests to ci-operator that will, in turn, forward them to boskos.

A typical scenario looks like so:

1. ci-operator is supposed to run the e2e-aws-ovn test:

- as: e2e-aws-ovn
  skip_if_only_changed: (^(docs|upi|hack)/)|((^|/)OWNERS(_ALIASES)?$)|((^|/)[A-Z]+\.md$)|(^images/(baremetal|libvirt|openstack))|(^cluster-api/providers/([^a]|a[^w]|aw[^s]).*/)|(/agent/)
  steps:
    cluster_profile: aws-4
    env:
      AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
      USER_TAGS: |
        keyA valueA
        key2 value2
        keySpecial v@lu3-Special_.:/=+
        keyD valueD spaces
    workflow: openshift-e2e-aws

2. The test uses a cluster_profile, therefore ci-operator runs a small HTTP server that acts as a lease proxy server, actually forwarding any requests to boskos.
3. The workflow openshift-e2e-aws executes.
4. Every step of the workflow has the CI_OPERATOR_POD_IP environment variable set, that it might uses to send requests to the proxy run by ci-operator.
5. The ipi-install-install step runs and tries to acquire a lease from the proxy.
6. ci-operator receives the request, forwards it to boskos and finally returns the result back to the ipi-install-install step.

ipi-install-install.sh step
|
HTTP POST `/acquire?type=aws-1-qe-quota-slice&count=1`
|
+----> lease-proxy-server run by `ci-operator`
          |
          HTTP POST `/acquire?type=aws-1-qe-quota-slice&count=1`
          |
          +----> `boskos`

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

Adds a lease-proxy port and Pod IP environment propagation: a new exported constant for port 8082, a PodSpec mutator that injects a named port and CI_OPERATOR_POD_IP env, updates the prowgen test builder to apply the mutator, and updates multiple test fixtures and generated job YAMLs.

Changes

Cohort / File(s)	Summary
Constants pkg/api/constant.go	Added exported constant LeaseProxyServerPort = 8082.
Pod spec mutator pkg/prowgen/podspec.go	Added helper addPort(), new env var leaseProxyServerEnv, and exported LeaseProxyServer() PodSpecMutator to add a lease-proxy port and inject CI_OPERATOR_POD_IP.
Test builder pkg/prowgen/jobbase.go	NewProwJobBaseBuilderForTest now applies LeaseProxyServer() (in addition to existing LeaseClient wiring) when cluster profile is present for multi-stage configs.
prowgen test fixture pkg/prowgen/testdata/zz_fixture_...yaml	Added CI_OPERATOR_POD_IP env (from fieldRef.status.podIP) and container port 8082 named lease-proxy.
ephemeralcluster controller fixtures pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_...yaml	Added CI_OPERATOR_POD_IP env and lease-proxy port (8082) to ProwJob podSpecs.
Integration/generated job YAMLs test/integration/**, test/integration/pj-rehearse/**, test/integration/repo-init/**	Updated multiple generated/expected presubmit job YAMLs to include CI_OPERATOR_POD_IP env and lease-proxy container port 8082 across affected jobs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c12dd13 and 2bb9007.

📒 Files selected for processing (9)

• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_An_EphemeralCluster_request_creates_a_ProwJob.yaml
• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Hive_cluster_request_creates_a_ProwJob.yaml
• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Inject_missing_PR_metadata.yaml
• test/integration/ci-operator-prowgen/output/jobs/super/duper/super-duper-master-presubmits.yaml
• test/integration/pj-rehearse/candidate/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml
• test/integration/pj-rehearse/expected.yaml
• test/integration/pj-rehearse/master/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml
• test/integration/repo-init/expected/ci-operator/jobs/org/repo/org-repo-main-presubmits.yaml
• test/integration/repo-init/expected/ci-operator/jobs/org/third/org-third-nonstandard-presubmits.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• test/integration/pj-rehearse/master/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml
• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_An_EphemeralCluster_request_creates_a_ProwJob.yaml
• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Hive_cluster_request_creates_a_ProwJob.yaml
• test/integration/repo-init/expected/ci-operator/jobs/org/repo/org-repo-main-presubmits.yaml
• test/integration/pj-rehearse/expected.yaml
• test/integration/ci-operator-prowgen/output/jobs/super/duper/super-duper-master-presubmits.yaml
• test/integration/pj-rehearse/candidate/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml
• pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Inject_missing_PR_metadata.yaml
• test/integration/repo-init/expected/ci-operator/jobs/org/third/org-third-nonstandard-presubmits.yaml

🔇 Additional comments (10)

test/integration/pj-rehearse/master/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml (1)

294-304: LGTM! Pod IP and lease-proxy port correctly configured.

The changes properly enable intra-step leasing for the multistage3 job:

• Pod IP is correctly exposed via the Downward API
• Port 8082 (lease-proxy) is properly declared for the ci-operator HTTP server
• These additions are appropriately scoped to a job with a cluster profile (azure4) that requires leasing

test/integration/repo-init/expected/ci-operator/jobs/org/third/org-third-nonstandard-presubmits.yaml (1)

33-43: LGTM! Lease proxy configuration correctly added.

The Pod IP environment variable and lease-proxy port are correctly configured for this e2e job with AWS cluster profile, consistent with the intra-step leasing feature.

pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Inject_missing_PR_metadata.yaml (1)

56-59: LGTM! Test fixture correctly updated.

The test fixture properly reflects the addition of Pod IP propagation and lease-proxy port for jobs with cluster profiles, ensuring test coverage for the new intra-step leasing feature.

Also applies to: 130-132

test/integration/repo-init/expected/ci-operator/jobs/org/repo/org-repo-main-presubmits.yaml (2)

86-96: LGTM! Lease proxy configuration correctly added to e2e job.

Pod IP and port configuration are properly set for this AWS-based e2e job.

---

168-178: LGTM! Lease proxy configuration correctly added to e2e-aws job.

Pod IP and port configuration are properly set for this AWS-based e2e job, consistent with the pattern applied across all cluster-profile jobs.

test/integration/pj-rehearse/expected.yaml (1)

1331-1342: LGTM! Lease proxy configuration correctly added to rehearsal job.

The multistage3 rehearsal job properly includes Pod IP propagation and lease-proxy port configuration, consistent with the azure4 cluster profile and the intra-step leasing feature requirements.

pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_An_EphemeralCluster_request_creates_a_ProwJob.yaml (1)

56-59: LGTM: Pod IP propagation and lease-proxy port added correctly.

The addition of CI_OPERATOR_POD_IP via downward API and the lease-proxy port (8082) correctly implements the preparatory infrastructure for intra-step leasing. These changes are appropriately applied to this test fixture since it uses a cluster profile.

Also applies to: 130-132

test/integration/pj-rehearse/candidate/ci-operator/jobs/super/trooper/super-trooper-master-presubmits.yaml (1)

294-298: LGTM: Lease-proxy configuration correctly applied to cluster-profile job.

The Pod IP environment variable and lease-proxy port are correctly added only to the multistage3 job, which has the azure4 cluster profile. Other jobs in this file appropriately lack these additions, demonstrating proper conditional generation logic.

Also applies to: 302-304

pkg/controller/ephemeralcluster/testdata/zz_fixture_pj_TestCreateProwJob_Hive_cluster_request_creates_a_ProwJob.yaml (1)

57-60: LGTM: Hive cluster test fixture updated appropriately.

The lease-proxy infrastructure (Pod IP env var and port 8082) is correctly added to this Hive cluster test fixture, which uses an AWS cluster profile. The changes align with the intended intra-step leasing implementation.

Also applies to: 136-138

test/integration/ci-operator-prowgen/output/jobs/super/duper/super-duper-master-presubmits.yaml (1)

330-334: LGTM: Selective lease-proxy configuration correctly applied.

The Pod IP environment variable and lease-proxy port are correctly added only to optional-job and registry-with-profile, which are the two jobs in this file that use cluster profiles (AWS). The remaining jobs appropriately lack these additions, demonstrating correct conditional generation across diverse job configurations.

Also applies to: 338-340, 458-462, 466-468

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/prowgen/podspec.go (1)

184-189: Consider adding duplicate check for consistency.

The addPort helper always appends without checking for existing ports, unlike similar helpers (addEnvVar, addVolume, addVolumeMount) which prevent duplicates. While not an issue with current usage, adding a duplicate check would maintain consistency with the established pattern in this file.

🔎 Optional: Add duplicate port check

 func addPort(c *corev1.Container, name string, port int32) {
+	for _, p := range c.Ports {
+		if p.Name == name && p.ContainerPort == port {
+			return
+		}
+	}
 	c.Ports = append(c.Ports, corev1.ContainerPort{
 		Name:          name,
 		ContainerPort: port,
 	})
 }

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9dfdb9e and c12dd13.

📒 Files selected for processing (4)

• pkg/api/constant.go
• pkg/prowgen/jobbase.go
• pkg/prowgen/podspec.go
• pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_cluster_profile.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/api/constant.go
• pkg/prowgen/jobbase.go
• pkg/prowgen/podspec.go
• pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_cluster_profile.yaml

🧬 Code graph analysis (2)

pkg/prowgen/jobbase.go (1)

pkg/prowgen/podspec.go (1)

• LeaseProxyServer (498-504)

pkg/prowgen/podspec.go (1)

pkg/api/constant.go (1)

• LeaseProxyServerPort (89-89)

🔇 Additional comments (7)

pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_cluster_profile.yaml (2)

19-23: LGTM!

The environment variable correctly uses the downward API to expose the Pod IP, which is necessary for test steps to locate the lease proxy server.

---

27-29: LGTM!

The container port configuration correctly exposes port 8082 as "lease-proxy", matching the constant defined in pkg/api/constant.go and used by the LeaseProxyServer() mutator.

pkg/api/constant.go (1)

88-89: LGTM!

The constant definition is clear, follows existing naming conventions, and centralizes the port configuration for the lease proxy server.

pkg/prowgen/jobbase.go (2)

149-149: LGTM!

The LeaseProxyServer() mutator is correctly added when a cluster profile is present, enabling ci-operator to run the lease proxy alongside the lease client configuration.

---

162-162: LGTM!

The LeaseProxyServer() mutator is consistently added for the MultiStageTestConfiguration case, ensuring both configuration paths have the same lease proxy functionality.

pkg/prowgen/podspec.go (2)

470-478: LGTM!

The environment variable correctly uses the Kubernetes downward API to expose the Pod's IP address, which test steps can use to connect to the lease proxy server.

---

498-504: LGTM!

The LeaseProxyServer mutator correctly configures the pod specification to expose the lease proxy port and inject the Pod IP environment variable, enabling intra-step leasing functionality.

[danilo-gemoli]

/label tide/merge-method-squash

[openshift-ci]

@danilo-gemoli: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	2bb9007	link	true	/test images
ci/prow/breaking-changes	2bb9007	link	false	/test breaking-changes

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.