Add Jenkins pipeline for airgap infrastructure deployment and testing

[floatingman]

Implement a Jenkins pipeline to facilitate airgap infrastructure deployment and testing. This includes enhancements to the Dockerfile for Go testing, improvements in the Jenkinsfile for better logging and test handling, and the addition of stages for admin token injection and verification. The pipeline also integrates a retry mechanism for Ansible playbook executions and incorporates Qase reporting for test results.

rancher/qa-tasks#2125

[Copilot]

Pull request overview

This PR adds a new Jenkins pipeline to provision airgapped RKE2/Rancher infrastructure, inject an admin token, run Go-based validation tests, and publish results (including to Qase), plus a dedicated Docker image for these Go test runs.

Changes:

• Introduces Jenkinsfile.airgap.go-tests to clone the tests and qa-infra repos, build an infra tools image with Go, deploy airgapped infra via Tofu/Ansible, inject an admin token, run Go tests with gotestsum, and optionally report to Qase.
• Adds Dockerfile.airgap-go-tests to build an Alpine-based infra tools image that includes OpenTofu, Ansible, AWS CLI, Go, and gotestsum for use in the pipeline.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File	Description
validation/pipeline/Jenkinsfile.airgap.go-tests	Defines the end-to-end Jenkins pipeline for airgapped infra setup, admin token generation, Go test execution, artifact publishing, and optional Qase reporting.
validation/pipeline/Dockerfile.airgap-go-tests	Builds the infra tools Docker image with Go toolchain and gotestsum used by the new pipeline stages.

[Copilot]

This pipeline introduces GO_REPO_BRANCH/GO_REPO_URL for the tests repo, which diverges from the established RANCHER_TEST_REPO_BRANCH/RANCHER_TEST_REPO_URL naming used by other airgap pipelines (for example validation/pipeline/Jenkinsfile.setup.airgap.rke2:13-14 and validation/pipeline/Jenkinsfile.destroy.airgap.rke2:11-12). Reusing the existing env var names (or at least falling back to them) would keep job configuration consistent and avoid confusion when wiring Jenkins jobs to different airgap pipelines.

[floatingman]

This is a good point.

[Copilot]

On failure the catch block already performs a best‑effort destroy/deleteWorkspace when DESTROY_ON_FAILURE is enabled, and then the finally block can run the same destroy logic again if DESTROY_AFTER_TESTS is also true. This double attempt to clean up the same workspace can create noisy errors in logs and makes it harder to reason about which flag controls teardown; consider centralizing the destroy logic in one place (or tracking whether cleanup has already succeeded) to keep the control flow clearer.

[floatingman]

This is a good point.

[Copilot]

Installing gotestsum with go install gotest.tools/gotestsum@latest pulls executable code from a mutable, third-party module reference at build time, which introduces a supply-chain risk. If the gotest.tools/gotestsum module or its distribution channel is ever compromised or a malicious version is published, the resulting binary will run inside this image (and thus in Jenkins jobs) with access to AWS credentials and other secrets used by the pipeline. Pin this dependency to a specific, vetted version (for example, a fixed tag or commit) and, if possible, enforce integrity verification via checksums or vendored binaries to prevent untrusted code from being pulled implicitly.

[floatingman]

I'll look into this.

[slickwarren]

we typically try to use suse based images

[hamistao]

I think this still needs to be addressed

[hamistao]

In fact, I think instead of using this file we probably either:
1- Use Dockerfile.infra and make it FROM registry.suse.com/bci/golang:1.25
2- Use Dockerfile.e2e

[slickwarren]

this seems unnecessary, what use case would it not be available (unless the build failed outright)?

[slickwarren]

I get wanting more resolute logs, but now there are too many stages to be viewed on a standard screen (when looking at the jenkins job). Since each of these take less than 10 seconds, can you consolidate into 1 stage?

[slickwarren]

if you consolidate these 2 with the previous stage, I think it would fit on 1 screen again.

[slickwarren]

iirc, optional stages break the view in jenkins if the stage is actually non-existent when its not specified. In this case, it might be OK since there's the def + echo?

[slickwarren]

clarifying question; for error handling, if it fails on the 3rd attempt, does it stop the jenkins job too (assuming so but just double checking)

[slickwarren]

since this is in the qa-infra-automation docs already and basically no one looks at jenkinsfiles, I think you should remove these comments.

[slickwarren]

why is this necessary?

[slickwarren]

having conditional stages like this with different names will cause the job history to not show up properly in jenkins. It looks like 'cleanup on failure' and 'destroy after tests' are doing the same thing? in which case, if you use the same stage name in both cases you can avoid this problem.

If they do different things, can you update to persist each stage, even if there's nothing to do on a particular run for it? see the rancher comment for a potential solution.

[floatingman]

Fixed to use the same name. The two stages were doing different things. One destroys the infrastructure on failure; the other destroys it at the end of the build in case you want to investigate something manually.

[hamistao]

I think this still needs to be addressed

[hamistao]

In fact, I think instead of using this file we probably either:
1- Use Dockerfile.infra and make it FROM registry.suse.com/bci/golang:1.25
2- Use Dockerfile.e2e

[hamistao]

Surely this is me being dumb with Jenkins, but why is this here?

[hamistao]

do we need both of these?

[hamistao]

Again possibly a dumb question, but why sh """?

[hamistao]

I will use this oportunity to comment on something I was thinking of regarding the ansible stuff. And that is the fact that we have a bunch of variables like deploy_rancher that basically make the playbook that uses them useless when not set, so instead of setting deploy_rancher: false, why not just don't run the playbook?

Again, no implications for this PR, I just was thinking of this for a while.

[hamistao]

Is it not possible to use runPlaybook here?

[hamistao]

Doesn't ansible already use this if nothing is set?