diff --git a/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml b/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml index df7b7c4c4eb66..e53c9f38e952b 100644 --- a/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml +++ b/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.22.yaml @@ -1,3 +1,20 @@ +base_images: + cli: + name: "4.22" + namespace: ocp + tag: cli + dev-scripts: + name: test + namespace: ocp-kni + tag: dev-scripts + installer: + name: "4.22" + namespace: ocp + tag: installer + upi-installer: + name: "4.22" + namespace: ocp + tag: upi-installer build_root: image_stream_tag: name: release @@ -273,8 +290,7 @@ tests: BASE_DOMAIN: quay.devcluster.openshift.com FIPS_ENABLED: "true" pre: - - chain: ipi-aws-pre - - ref: fips-check + - chain: ipi-aws-pre-fips test: - as: test cli: latest @@ -454,8 +470,7 @@ tests: BASE_DOMAIN: quay.devcluster.openshift.com FIPS_ENABLED: "true" pre: - - chain: ipi-aws-pre - - ref: fips-check + - chain: ipi-aws-pre-fips test: - as: test cli: latest @@ -483,8 +498,7 @@ tests: BASE_DOMAIN: quay.devcluster.openshift.com FIPS_ENABLED: "true" pre: - - chain: ipi-aws-pre - - ref: fips-check + - chain: ipi-aws-pre-fips test: - as: test cli: latest 
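Review bot: Dropping the explicit `- ref: fips-check` from `pre` in the hunk at -273 (and in the identical edits at -454 and -483) leaves FIPS verification for these `FIPS_ENABLED: "true"` jobs entirely up to the `ipi-aws-pre-fips` chain, whose contents are not visible in this diff. If that chain does not run the check, the compliance profiles would still be evaluated, but on a cluster that nothing has asserted is in FIPS mode. This is worth confirming in the step registry before merge; if the chain lacks the check, keep `- ref: fips-check` after `- chain: ipi-aws-pre-fips`. The surrounding test entries start and end outside these hunks.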
@@ -556,6 +570,477 @@ tests: requests: cpu: 100m workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-high-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=high-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-rhcos4-high-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=high + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-pci-dss-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + export PROFILE=pci-dss-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-stig-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=stig-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-rhcos4-stig-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=stig + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 + capabilities: + - intranet + steps: + cluster_profile: equinix-ocp-metal-qe + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + DEVSCRIPTS_CONFIG: | + FIPS_MODE=true + IP_STACK=v4 + NETWORK_TYPE=OVNKubernetes + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OSSTREAM: rhel-10 + pre: + - ref: baremetalds-devscripts-conf-featureset + - chain: cucushift-installer-rehearse-baremetalds-ipi-ofcir-provision + - ref: cucushift-installer-reportportal-marker + - ref: fips-check + test: + - as: test + cli: latest + commands: | + export PROFILE=stig + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone 
https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: cucushift-installer-rehearse-baremetalds-ipi-ovn +- always_run: false + as: e2e-aws-ocp4-cis-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + export PROFILE=cis-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-moderate-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=moderate-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-gcp-ocp4-moderate-node-rhcos10 + cluster: build11 + steps: + cluster_profile: openshift-org-gcp + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-gcp-pre + - ref: fips-check + test: + - as: test + cli: latest + commands: | + export PROFILE=moderate-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-gcp +- always_run: false + as: e2e-aws-rhcos4-moderate-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OS_IMAGE_STREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: test + cli: latest + commands: | + export PROFILE=moderate + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-bsi-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + export PROFILE=bsi-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-rhcos4-bsi-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + set -x + export PROFILE=bsi + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-rhcos4-e8-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + set -x + export PROFILE=e8 + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-ocp4-nerc-cip-node-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + export PROFILE=nerc-cip-node + export PRODUCT=ocp4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws +- always_run: false + as: e2e-aws-rhcos4-nerc-cip-rhcos10 + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + OS_IMAGE_STREAM: rhel-10 + test: + - as: test + cli: latest + commands: | + set -x + export PROFILE=nerc-cip + export PRODUCT=rhcos4 + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . 
-run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + dependencies: + - env: CONTENT_IMAGE + name: ocp4-content-ds + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws - as: e2e-aws-openshift-platform-compliance-weekly cron: 45 23 * * 3,6 steps: @@ -768,6 +1253,48 @@ tests: requests: cpu: 100m workflow: rosa-aws-sts-hcp +- always_run: false + as: e2e-aws-rhcos4-moderate-rhcos10-osstream + steps: + cluster_profile: aws-stackrox + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest + env: + BASE_DOMAIN: perfscale.rox.systems + FEATURE_SET: TechPreviewNoUpgrade + FIPS_ENABLED: "true" + OSSTREAM: rhel-10 + pre: + - chain: ipi-aws-pre-fips + test: + - as: wait-for-rhcos10-rollout + cli: latest + commands: | + set -euo pipefail + echo "Waiting for master and worker MCPs to complete rhel-10 rollout..." + oc wait machineconfigpool/master machineconfigpool/worker --for=condition=Updated=True --timeout=60m + echo "Master and worker MCP rollout complete." + from: cli + resources: + requests: + cpu: 100m + - as: test + cli: latest + commands: | + export PROFILE=moderate + export PRODUCT=rhcos4 + export CONTENT_IMAGE=quay.io/redhat-user-workloads/ocp-isc-tenant/compliance-operator-content-dev:master + export CONTENT_DIRECTORY=$PWD + export component=ocp4-content-ds + git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e + pushd ocp4e2e; make install-jq + PATH=$PATH:/tmp/bin go test -v -timeout 240m . -run=^TestProfileRemediations$ -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -content-directory="$CONTENT_DIRECTORY" + sleep 7200 + from: src + resources: + requests: + cpu: 100m + workflow: ipi-aws zz_generated_metadata: branch: master org: ComplianceAsCode 
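Review bot: Every `test` step added in the hunk at -556 runs `git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e` with no ref and then executes that checkout's Makefile and Go tests, so whatever is at the default branch tip at run time executes with the job's cluster access. Pinning the checkout makes runs reproducible and reviewable, for example `git -C ocp4e2e checkout --detach <reviewed-ocp4e2e-commit>` (placeholder) right after the clone. The scripts also do not set errexit themselves, so unless the runner enables it, a failed clone or `make install-jq` may fall through to `go test`; starting each with `set -euo pipefail`, as the `wait-for-rhcos10-rollout` step in the next hunk does, would close that. The same applies to the `test` step of `e2e-aws-rhcos4-moderate-rhcos10-osstream` in the hunk at -768.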
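Review bot: The `test` step of `e2e-aws-rhcos4-moderate-rhcos10-osstream` exports `CONTENT_IMAGE=quay.io/redhat-user-workloads/ocp-isc-tenant/compliance-operator-content-dev:master` instead of taking it from a `dependencies` entry, so the job scans with a mutable, externally published tag rather than the `ocp4-content-ds` image the sibling rhcos10 jobs inject, which is presumably the one built from the change under test. Restoring `dependencies:` with `- env: CONTENT_IMAGE` / `name: ocp4-content-ds` and deleting the export would align it with them; if the external image is intended, a digest reference is safer than `:master`. The trailing `sleep 7200` looks like a debugging leftover: it holds the leased cluster for two more hours and, if errexit is not active for inline commands, makes the step's exit status that of `sleep` rather than `go test`, which would hide test failures. I would drop that line.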
diff --git a/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml b/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml index 09fbdb60571f2..31fd1a8573206 100644 --- a/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml +++ b/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml 
@@ -13380,6 +13380,92 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-bsi-node|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-ocp4-bsi-node-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-bsi-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-bsi-node-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-ocp4-bsi-node-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + 
- name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-bsi-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: @@ -13558,20 +13644,20 @@ presubmits: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-e8 + context: ci/prow/4.22-e2e-aws-ocp4-cis-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-e8 - rerun_command: /test 4.22-e2e-aws-ocp4-e8 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-cis-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-cis-node-rhcos10 spec: containers: - args: @@ -13580,7 +13666,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-e8 + - --target=e2e-aws-ocp4-cis-node-rhcos10 - --variant=4.22 command: - ci-operator 
@@ -13637,14 +13723,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-e8|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-cis-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-high + context: ci/prow/4.22-e2e-aws-ocp4-e8 decorate: true decoration_config: sparse_checkout_files: @@ -13656,8 +13742,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high - rerun_command: /test 4.22-e2e-aws-ocp4-high + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-e8 + rerun_command: /test 4.22-e2e-aws-ocp4-e8 spec: containers: - args: @@ -13666,7 +13752,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-high + - --target=e2e-aws-ocp4-e8 - --variant=4.22 command: - ci-operator @@ -13723,14 +13809,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-high|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-e8|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-high-node + context: ci/prow/4.22-e2e-aws-ocp4-high decorate: true decoration_config: sparse_checkout_files: 
@@ -13742,8 +13828,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high-node - rerun_command: /test 4.22-e2e-aws-ocp4-high-node + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high + rerun_command: /test 4.22-e2e-aws-ocp4-high spec: containers: - args: @@ -13752,7 +13838,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-high-node + - --target=e2e-aws-ocp4-high - --variant=4.22 command: - ci-operator @@ -13809,14 +13895,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-high-node|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-high|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-moderate + context: ci/prow/4.22-e2e-aws-ocp4-high-node decorate: true decoration_config: sparse_checkout_files: @@ -13828,8 +13914,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate - rerun_command: /test 4.22-e2e-aws-ocp4-moderate + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high-node + rerun_command: /test 4.22-e2e-aws-ocp4-high-node spec: containers: - args: @@ -13838,7 +13924,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-moderate + - --target=e2e-aws-ocp4-high-node - --variant=4.22 command: - ci-operator 
@@ -13895,27 +13981,27 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-moderate|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-high-node|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-moderate-node + context: ci/prow/4.22-e2e-aws-ocp4-high-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node - rerun_command: /test 4.22-e2e-aws-ocp4-moderate-node + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-high-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-high-node-rhcos10 spec: containers: - args: @@ -13924,7 +14010,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-moderate-node + - --target=e2e-aws-ocp4-high-node-rhcos10 - --variant=4.22 command: - ci-operator 
@@ -13981,14 +14067,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-moderate-node|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-high-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-pci-dss + context: ci/prow/4.22-e2e-aws-ocp4-moderate decorate: true decoration_config: sparse_checkout_files: @@ -14000,8 +14086,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss - rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate + rerun_command: /test 4.22-e2e-aws-ocp4-moderate spec: containers: - args: @@ -14010,7 +14096,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-pci-dss + - --target=e2e-aws-ocp4-moderate - --variant=4.22 command: - ci-operator @@ -14067,14 +14153,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-moderate|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-4-0 + context: ci/prow/4.22-e2e-aws-ocp4-moderate-node decorate: true decoration_config: sparse_checkout_files: 
@@ -14086,8 +14172,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-4-0 - rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-4-0 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node + rerun_command: /test 4.22-e2e-aws-ocp4-moderate-node spec: containers: - args: @@ -14096,7 +14182,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-pci-dss-4-0 + - --target=e2e-aws-ocp4-moderate-node - --variant=4.22 command: - ci-operator @@ -14153,27 +14239,27 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-4-0|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-moderate-node|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-node + context: ci/prow/4.22-e2e-aws-ocp4-moderate-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node - rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-node + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-moderate-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-moderate-node-rhcos10 spec: containers: - args: 
@@ -14182,7 +14268,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-pci-dss-node + - --target=e2e-aws-ocp4-moderate-node-rhcos10 - --variant=4.22 command: - ci-operator @@ -14239,27 +14325,27 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-node|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-moderate-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-node-4-0 + context: ci/prow/4.22-e2e-aws-ocp4-nerc-cip-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-4-0 - rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-node-4-0 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-nerc-cip-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-nerc-cip-node-rhcos10 spec: containers: - args: @@ -14268,7 +14354,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-pci-dss-node-4-0 + - --target=e2e-aws-ocp4-nerc-cip-node-rhcos10 - --variant=4.22 command: - ci-operator 
@@ -14325,14 +14411,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-node-4-0|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-nerc-cip-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-stig + context: ci/prow/4.22-e2e-aws-ocp4-pci-dss decorate: true decoration_config: sparse_checkout_files: @@ -14344,8 +14430,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig - rerun_command: /test 4.22-e2e-aws-ocp4-stig + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss + rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss spec: containers: - args: @@ -14354,7 +14440,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-stig + - --target=e2e-aws-ocp4-pci-dss - --variant=4.22 command: - ci-operator @@ -14411,14 +14497,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-stig|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-ocp4-stig-node + context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-4-0 decorate: true decoration_config: sparse_checkout_files: 
@@ -14430,8 +14516,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig-node - rerun_command: /test 4.22-e2e-aws-ocp4-stig-node + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-4-0 + rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-4-0 spec: containers: - args: @@ -14440,7 +14526,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-ocp4-stig-node + - --target=e2e-aws-ocp4-pci-dss-4-0 - --variant=4.22 command: - ci-operator @@ -14497,14 +14583,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-stig-node|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-4-0|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-openshift-node-compliance-rhcos10 + context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-node decorate: true decoration_config: sparse_checkout_files: @@ -14516,8 +14602,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-openshift-node-compliance-rhcos10 - rerun_command: /test 4.22-e2e-aws-openshift-node-compliance-rhcos10 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node + rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-node spec: containers: - args: 
@@ -14526,7 +14612,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-openshift-node-compliance-rhcos10 + - --target=e2e-aws-ocp4-pci-dss-node - --variant=4.22 command: - ci-operator @@ -14583,14 +14669,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-openshift-node-compliance-rhcos10|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-node|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-openshift-platform-compliance-rhcos10 + context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-node-4-0 decorate: true decoration_config: sparse_checkout_files: @@ -14602,8 +14688,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-openshift-platform-compliance-rhcos10 - rerun_command: /test 4.22-e2e-aws-openshift-platform-compliance-rhcos10 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-4-0 + rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-node-4-0 spec: containers: - args: @@ -14612,7 +14698,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-openshift-platform-compliance-rhcos10 + - --target=e2e-aws-ocp4-pci-dss-node-4-0 - --variant=4.22 command: - ci-operator 
@@ -14669,27 +14755,27 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-openshift-platform-compliance-rhcos10|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-node-4-0|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-rhcos4-bsi + context: ci/prow/4.22-e2e-aws-ocp4-pci-dss-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-bsi - rerun_command: /test 4.22-e2e-aws-rhcos4-bsi + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-pci-dss-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-pci-dss-node-rhcos10 spec: containers: - args: @@ -14698,7 +14784,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-rhcos4-bsi + - --target=e2e-aws-ocp4-pci-dss-node-rhcos10 - --variant=4.22 command: - ci-operator 
@@ -14755,14 +14841,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-bsi|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-pci-dss-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-rhcos4-e8 + context: ci/prow/4.22-e2e-aws-ocp4-stig decorate: true decoration_config: sparse_checkout_files: @@ -14774,8 +14860,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-e8 - rerun_command: /test 4.22-e2e-aws-rhcos4-e8 + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig + rerun_command: /test 4.22-e2e-aws-ocp4-stig spec: containers: - args: @@ -14784,7 +14870,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-rhcos4-e8 + - --target=e2e-aws-ocp4-stig - --variant=4.22 command: - ci-operator @@ -14841,14 +14927,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-e8|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-stig|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-rhcos4-high + context: ci/prow/4.22-e2e-aws-ocp4-stig-node decorate: true decoration_config: sparse_checkout_files: 
@@ -14860,8 +14946,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high - rerun_command: /test 4.22-e2e-aws-rhcos4-high + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig-node + rerun_command: /test 4.22-e2e-aws-ocp4-stig-node spec: containers: - args: @@ -14870,7 +14956,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-rhcos4-high + - --target=e2e-aws-ocp4-stig-node - --variant=4.22 command: - ci-operator @@ -14927,27 +15013,27 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-high|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-stig-node|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-rhcos4-moderate + context: ci/prow/4.22-e2e-aws-ocp4-stig-node-rhcos10 decorate: true decoration_config: sparse_checkout_files: - Dockerfiles/ocp4_content labels: ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox ci-operator.openshift.io/variant: "4.22" ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-moderate - rerun_command: /test 4.22-e2e-aws-rhcos4-moderate + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-ocp4-stig-node-rhcos10 + rerun_command: /test 4.22-e2e-aws-ocp4-stig-node-rhcos10 spec: containers: - args: 
@@ -14956,7 +15042,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-rhcos4-moderate + - --target=e2e-aws-ocp4-stig-node-rhcos10 - --variant=4.22 command: - ci-operator @@ -15013,14 +15099,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-moderate|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-ocp4-stig-node-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: - ^master$ - ^master- cluster: build11 - context: ci/prow/4.22-e2e-aws-rhcos4-stig + context: ci/prow/4.22-e2e-aws-openshift-node-compliance-rhcos10 decorate: true decoration_config: sparse_checkout_files: @@ -15032,8 +15118,8 @@ presubmits: ci.openshift.io/generator: prowgen job-release: "4.22" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-stig - rerun_command: /test 4.22-e2e-aws-rhcos4-stig + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-openshift-node-compliance-rhcos10 + rerun_command: /test 4.22-e2e-aws-openshift-node-compliance-rhcos10 spec: containers: - args: @@ -15042,7 +15128,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=e2e-aws-rhcos4-stig + - --target=e2e-aws-openshift-node-compliance-rhcos10 - --variant=4.22 command: - ci-operator 
@@ -15099,7 +15185,1299 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-stig|remaining-required),?($|\s.*) + trigger: (?m)^/test( | .* )(4.22-e2e-aws-openshift-node-compliance-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-openshift-platform-compliance-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-openshift-platform-compliance-rhcos10 + rerun_command: /test 4.22-e2e-aws-openshift-platform-compliance-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-openshift-platform-compliance-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + 
readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-openshift-platform-compliance-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-bsi + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-bsi + rerun_command: /test 4.22-e2e-aws-rhcos4-bsi + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-bsi + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + 
cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-bsi|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-bsi-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-bsi-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-bsi-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - 
--target=e2e-aws-rhcos4-bsi-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-bsi-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-e8 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-e8 + rerun_command: /test 4.22-e2e-aws-rhcos4-e8 + spec: + 
containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-e8 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-e8|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-e8-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: 
aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-e8-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-e8-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-e8-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-e8-rhcos10|remaining-required),?($|\s.*) + - agent: 
kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-high + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high + rerun_command: /test 4.22-e2e-aws-rhcos4-high + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-high + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: 
manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-high|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-high-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-high-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-high-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-high-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: 
pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-high-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-moderate + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-moderate + rerun_command: /test 4.22-e2e-aws-rhcos4-moderate + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-moderate + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + 
name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-moderate|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-moderate-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-moderate-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-moderate-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-moderate-rhcos10 + - 
--variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-moderate-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-moderate-rhcos10-osstream + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-moderate-rhcos10-osstream + rerun_command: /test 
4.22-e2e-aws-rhcos4-moderate-rhcos10-osstream + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-moderate-rhcos10-osstream + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-moderate-rhcos10-osstream|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-nerc-cip-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - 
Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-nerc-cip-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-nerc-cip-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-nerc-cip-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + 
secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-nerc-cip-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-stig + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: quay-aws + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-stig + rerun_command: /test 4.22-e2e-aws-rhcos4-stig + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-stig + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: 
credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-stig|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-aws-rhcos4-stig-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-stackrox + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-aws-rhcos4-stig-rhcos10 + rerun_command: /test 4.22-e2e-aws-rhcos4-stig-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-aws-rhcos4-stig-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - 
mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-aws-rhcos4-stig-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build11 + context: ci/prow/4.22-e2e-gcp-ocp4-moderate-node-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + ci-operator.openshift.io/cloud: gcp + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-gcp + ci-operator.openshift.io/cluster: build11 + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-gcp-ocp4-moderate-node-rhcos10 + rerun_command: /test 4.22-e2e-gcp-ocp4-moderate-node-rhcos10 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-gcp-ocp4-moderate-node-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: 
quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-gcp-ocp4-moderate-node-rhcos10|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^master$ + - ^master- + cluster: build12 + context: ci/prow/4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 + decorate: true + decoration_config: + sparse_checkout_files: + - Dockerfiles/ocp4_content + labels: + capability/intranet: intranet + ci-operator.openshift.io/cloud: equinix-ocp-metal + ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-metal-qe + ci-operator.openshift.io/variant: "4.22" + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-ComplianceAsCode-content-master-4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 + rerun_command: /test 4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 + spec: + containers: + - args: + - 
--gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10 + - --variant=4.22 + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(4.22-e2e-metal-ds-ipi-ovn-rhcos4-stig-rhcos10|remaining-required),?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/step-registry/ipi/aws/pre/fips/OWNERS b/ci-operator/step-registry/ipi/aws/pre/fips/OWNERS new file mode 100644 index 0000000000000..cbce637dec637 --- /dev/null +++ b/ci-operator/step-registry/ipi/aws/pre/fips/OWNERS 
@@ -0,0 +1,8 @@
+approvers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
+reviewers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
diff --git a/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.metadata.json b/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.metadata.json
new file mode 100644
index 0000000000000..354a4fc89ccad
--- /dev/null
+++ b/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml",
+ "owners": {
+ "approvers": [
+ "taimurhafeez",
+ "Anna-Koudelkova",
+ "yuumasato"
+ ],
+ "reviewers": [
+ "taimurhafeez",
+ "Anna-Koudelkova",
+ "yuumasato"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml b/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml
new file mode 100644
index 0000000000000..447eef4282e96
--- /dev/null
+++ b/ci-operator/step-registry/ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml
@@ -0,0 +1,12 @@
+chain:
+ as: ipi-aws-pre-fips
+ steps:
+ - chain: ipi-conf-aws
+ - ref: ipi-conf-fips-sshkey
+ - chain: aws-provision-iam-user-minimal-permission
+ - ref: rhcos-conf-osstream
+ - chain: ipi-install
+ - ref: fips-check
+ documentation: |-
+ AWS IPI pre chain for FIPS clusters on profiles that ship ed25519 SSH keys.
+ Replaces the cluster-profile sshKey with ecdsa/rsa keys before installation.
diff --git a/ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS b/ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
new file mode 100644
index 0000000000000..cbce637dec637
--- /dev/null
+++ b/ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
+reviewers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
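Review bot: The `documentation` of the `ipi-aws-pre-fips` chain describes only the SSH key replacement and leaves out that the chain also runs `rhcos-conf-osstream` before the install and `fips-check` after it. A job author who swaps `ipi-aws-pre` plus `fips-check` for this chain needs that to avoid listing `fips-check` twice, so I would add a sentence such as `Runs fips-check after ipi-install; do not add it again in the job's pre steps.` It would also help to say that, presumably, node SSH with the cluster-profile private key no longer works once sshKey is overwritten. Whether the remaining steps match `ipi-aws-pre` cannot be checked here, since that chain is not part of the diff.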
diff --git a/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh
new file mode 100644
index 0000000000000..193f7ce619721
--- /dev/null
+++ b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-commands.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# Ensure our UID, which is randomly generated, is in /etc/passwd. This is required
+# to be able to SSH.
+if ! whoami &> /dev/null; then
+ if [[ -w /etc/passwd ]]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ else
+ echo "/etc/passwd is not writeable, and user matching this uid is not found."
+ exit 1
+ fi
+fi
+
+if [[ -z "${SSH_KEY_TYPE_LIST}" ]]; then
+ echo "ERROR: not specify any ssh key types via ENV 'SSH_KEY_TYPE_LIST'!"
+ exit 1
+fi
+
+CONFIG="${SHARED_DIR}/install-config.yaml"
+CONFIG_PATCH="/tmp/install-config-fips-sshkey.patch"
+
+# Replace the cluster-profile sshKey with FIPS-compatible keys only. Ed25519 keys
+# from the cluster profile are rejected by openshift-install when fips: true.
+cat > "${CONFIG_PATCH}" << EOF
+sshKey: |
+EOF
+
+for key_type in ${SSH_KEY_TYPE_LIST}; do
+ key_file="/tmp/key-${key_type}"
+ keygen_options=()
+ case "${key_type}" in
+ ecdsa)
+ keygen_options=(-b 521)
+ ;;
+ rsa)
+ keygen_options=(-b 4096)
+ ;;
+ *)
+ echo "ERROR: unsupported FIPS SSH key type '${key_type}'; use ecdsa or rsa"
+ exit 1
+ ;;
+ esac
+ echo "Generating FIPS-compatible ssh key with type ${key_type}..."
+ ssh-keygen -t "${key_type}" "${keygen_options[@]}" -N '' -f "${key_file}"
+ cp "${key_file}" "${SHARED_DIR}/"
+ cat >> "${CONFIG_PATCH}" << EOF
+ $(<"${key_file}.pub")
+EOF
+done
+
+yq-go m -x -i "${CONFIG}" "${CONFIG_PATCH}"
+
+cat "${CONFIG_PATCH}"
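Review bot: `cp "${key_file}" "${SHARED_DIR}/"` leaves the generated private keys in the directory shared with the later steps of the job, and nothing in this diff consumes `key-ecdsa` or `key-rsa`. If a later step needs them for node SSH, a comment naming that consumer would justify the copy, for example `# private key kept for later steps that SSH to nodes; the cluster-profile key is no longer authorized`, and the ref's `documentation` should list the files; if no step needs them, dropping the copy keeps the key material inside this step. Separately, the guard `[[ -z "${SSH_KEY_TYPE_LIST}" ]]` runs under `set -o nounset`, so an unset variable aborts with an unbound-variable error before the message prints; `[[ -z "${SSH_KEY_TYPE_LIST:-}" ]]` makes the check reachable.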
diff --git a/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.metadata.json b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.metadata.json
new file mode 100644
index 0000000000000..56d37156b9c07
--- /dev/null
+++ b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml",
+ "owners": {
+ "approvers": [
+ "taimurhafeez",
+ "Anna-Koudelkova",
+ "yuumasato"
+ ],
+ "reviewers": [
+ "taimurhafeez",
+ "Anna-Koudelkova",
+ "yuumasato"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml
new file mode 100644
index 0000000000000..5a9dc0886b006
--- /dev/null
+++ b/ci-operator/step-registry/ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml
@@ -0,0 +1,15 @@
+ref:
+ as: ipi-conf-fips-sshkey
+ from: upi-installer
+ commands: ipi-conf-fips-sshkey-commands.sh
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ env:
+ - name: SSH_KEY_TYPE_LIST
+ default: "ecdsa rsa"
+ documentation: FIPS-compatible SSH key types to generate for the core user. Only ecdsa and rsa are accepted.
+ documentation: |-
+ Replace install-config sshKey with FIPS-compatible keys (ecdsa/rsa only),
+ omitting the cluster-profile ed25519 key.