Resubmission of PR 50929 with fixes

Signed-off-by: Feilian Xie <fxie@redhat.com>

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16__amd64-nightly.yaml

@@ -591,6 +591,29 @@ tests:
     test:
     - chain: openshift-e2e-test-hypershift-qe-mgmt
     workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift
+- as: aws-ipi-ovn-hypershift-private-guest-f7
+  cron: 33 13 2,11,18,25 * *
+  steps:
+    cluster_profile: aws-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
+      TEST_TIMEOUT: "30"
+    test:
+    - chain: openshift-e2e-test-hypershift-qe
+    workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private-guest
+- as: aws-ipi-ovn-hypershift-private-mgmt-f7
+  cron: 15 1 5,12,21,28 * *
+  steps:
+    cluster_profile: aws-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      TEST_ADDITIONAL: Hypershift|Network_Observability
+      TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~MicroShiftOnly&;HyperShiftMGMT&
+      TEST_TIMEOUT: "30"
+    test:
+    - chain: openshift-e2e-test-hypershift-qe-mgmt
+    workflow: cucushift-installer-rehearse-aws-ipi-ovn-hypershift-private
 - as: aws-ipi-ovn-ipsec-f2-obo
   cron: 26 1 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *
   steps:

ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.16-periodics.yaml

@@ -17781,6 +17781,204 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build05
+  cron: 33 13 2,11,18,25 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.16
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: amd64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.16"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-aws-ipi-ovn-hypershift-private-guest-f7
+  reporter_config:
+    slack:
+      channel: '#forum-prow-hypershift-qe-ci'
+      job_states_to_report:
+      - failure
+      - error
+      - success
+      report_template: '{{if eq .Status.State "success"}} :rainbow: Job *{{.Spec.Job}}*
+        ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :rainbow: {{else}}
+        :volcano: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View
+        logs> :volcano: {{end}}'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/aws-ipi-ovn-hypershift-private-guest-f7-cluster-profile
+      - --target=aws-ipi-ovn-hypershift-private-guest-f7
+      - --variant=amd64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/aws-ipi-ovn-hypershift-private-guest-f7-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-aws-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
+- agent: kubernetes
+  cluster: build05
+  cron: 15 1 5,12,21,28 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.16
+    org: openshift
+    repo: openshift-tests-private
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: amd64-nightly
+    ci.openshift.io/generator: prowgen
+    job-release: "4.16"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-aws-ipi-ovn-hypershift-private-mgmt-f7
+  reporter_config:
+    slack:
+      channel: '#forum-prow-hypershift-qe-ci'
+      job_states_to_report:
+      - failure
+      - error
+      - success
+      report_template: '{{if eq .Status.State "success"}} :rainbow: Job *{{.Spec.Job}}*
+        ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :rainbow: {{else}}
+        :volcano: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View
+        logs> :volcano: {{end}}'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --oauth-token-path=/usr/local/github-credentials/oauth
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --secret-dir=/usr/local/aws-ipi-ovn-hypershift-private-mgmt-f7-cluster-profile
+      - --target=aws-ipi-ovn-hypershift-private-mgmt-f7
+      - --variant=amd64-nightly
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /usr/local/aws-ipi-ovn-hypershift-private-mgmt-f7-cluster-profile
+        name: cluster-profile
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /usr/local/github-credentials
+        name: github-credentials-openshift-ci-robot-private-git-cloner
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: cluster-profile
+      secret:
+        secretName: cluster-secrets-aws-qe
+    - name: github-credentials-openshift-ci-robot-private-git-cloner
+      secret:
+        secretName: github-credentials-openshift-ci-robot-private-git-cloner
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build05
   cron: 26 1 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29 * *

ci-operator/step-registry/cucushift/hypershift-extended/enable-guest/cucushift-hypershift-extended-enable-guest-commands.sh

@@ -6,7 +6,9 @@ if [ ! -f "${SHARED_DIR}/nested_kubeconfig" ]; then
   exit 1
 fi
 
-export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+    source "${SHARED_DIR}/proxy-conf.sh"
+fi
 
 echo "https://$(oc --kubeconfig="$SHARED_DIR"/nested_kubeconfig -n openshift-console get routes console -o=jsonpath='{.spec.host}')" > "$SHARED_DIR/hostedcluster_console.url"
 echo "hostedcluster_console.url path:$SHARED_DIR/hostedcluster_console.url"

ci-operator/step-registry/cucushift/hypershift-extended/enable-guest/cucushift-hypershift-extended-enable-guest-ref.yaml

@@ -15,4 +15,4 @@ ref:
   documentation: |-
     enable Hypershift hostedcluster by setting "${SHARED_DIR}/nested_kubeconfig" as $KUBECONFIG to support hypershift. 
     The current cluster should be the mgmt cluster and there is at least one hostedcluster.
-    The hotsedcluster’s kubeconfig file should be "${SHARED_DIR}/nested_kubeconfig".
+    The hostedcluster’s kubeconfig file should be "${SHARED_DIR}/nested_kubeconfig".

ci-operator/step-registry/cucushift/hypershift-extended/health-check/cucushift-hypershift-extended-health-check-commands.sh

@@ -109,14 +109,15 @@ function check_node_status {
 }
 
 ###Main###
+export KUBECONFIG=${SHARED_DIR}/kubeconfig
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+    source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
 if [ -f "${SHARED_DIR}/cluster-type" ] ; then
     CLUSTER_TYPE=$(cat "${SHARED_DIR}/cluster-type")
     if [[ "$CLUSTER_TYPE" == "osd" ]] || [[ "$CLUSTER_TYPE" == "rosa" ]]; then
         echo "this cluster is ROSA-HyperShift"
-        export KUBECONFIG=${SHARED_DIR}/kubeconfig
-        if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
-            source "${SHARED_DIR}/proxy-conf.sh"
-        fi
         print_clusterversion
         check_node_status || exit 1
         retry check_cluster_operators || exit 1
@@ -126,7 +127,6 @@ if [ -f "${SHARED_DIR}/cluster-type" ] ; then
 fi
 
 echo "check mgmt cluster's HyperShift part"
-export KUBECONFIG=${SHARED_DIR}/kubeconfig
 if test -s "${SHARED_DIR}/mgmt_kubeconfig" ; then
   export KUBECONFIG=${SHARED_DIR}/mgmt_kubeconfig
   print_clusterversion

ci-operator/step-registry/cucushift/hypershift-extended/install-private/config/cucushift-hypershift-extended-install-private-config-commands.sh

@@ -4,16 +4,17 @@ set -o nounset
 set -o pipefail
 
 export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
+REGION=${HYPERSHIFT_AWS_REGION:-$LEASED_RESOURCE}
 
 BUCKET_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
-echo "create bucket name: $BUCKET_NAME ,region $HYPERSHIFT_AWS_REGION"
-if [ "$HYPERSHIFT_AWS_REGION" == "us-east-1" ]; then
+echo "create bucket name: $BUCKET_NAME, region $REGION"
+if [ "$REGION" == "us-east-1" ]; then
     aws s3api create-bucket --bucket "$BUCKET_NAME" \
         --region us-east-1
 else
     aws s3api create-bucket --bucket "$BUCKET_NAME" \
-        --create-bucket-configuration LocationConstraint="$HYPERSHIFT_AWS_REGION" \
-        --region "$HYPERSHIFT_AWS_REGION"
+        --create-bucket-configuration LocationConstraint="$REGION" \
+        --region "$REGION"
 fi
 aws s3api delete-public-access-block --bucket "$BUCKET_NAME"
 export BUCKET_NAME=$BUCKET_NAME

ci-operator/step-registry/cucushift/hypershift-extended/install-private/config/cucushift-hypershift-extended-install-private-config-ref.yaml

@@ -6,8 +6,10 @@ ref:
     tag: upi-installer
   env:
   - name: HYPERSHIFT_AWS_REGION
-    default: "us-east-1"
-    documentation: "The AWS region of the cluster."
+    default: ""
+    documentation: |
+      Specifies the AWS region for the cluster. If left as an empty string, 
+      the region defaults to that of the management cluster.
   commands: cucushift-hypershift-extended-install-private-config-commands.sh
   grace_period: 10m0s
   resources:

ci-operator/step-registry/cucushift/hypershift-extended/install-private/cucushift-hypershift-extended-install-private-commands.sh

@@ -3,7 +3,7 @@
 set -u
 
 BUCKET_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
-
+REGION=${HYPERSHIFT_AWS_REGION:-$LEASED_RESOURCE}
 EXTRA_ARGS=""
 
 OPERATOR_IMAGE=$HYPERSHIFT_RELEASE_LATEST
@@ -14,7 +14,7 @@ fi
 if [ "${ENABLE_PRIVATE}" = "true" ]; then
   EXTRA_ARGS="${EXTRA_ARGS} --private-platform=AWS \
   --aws-private-creds=/etc/hypershift-pool-aws-credentials/awsprivatecred \
-  --aws-private-region=${HYPERSHIFT_AWS_REGION} \
+  --aws-private-region=${REGION} \
   --external-dns-credentials=${CLUSTER_PROFILE_DIR}/.awscred \
   --external-dns-provider=aws \
   --external-dns-domain-filter=hypershift-ext.qe.devcluster.openshift.com "
@@ -34,7 +34,7 @@ set -xe
 bin/hypershift install --hypershift-image=${OPERATOR_IMAGE} \
 --oidc-storage-provider-s3-credentials=${CLUSTER_PROFILE_DIR}/.awscred \
 --oidc-storage-provider-s3-bucket-name=${BUCKET_NAME} \
---oidc-storage-provider-s3-region=${HYPERSHIFT_AWS_REGION} \
+--oidc-storage-provider-s3-region=${REGION} \
 --wait-until-available \
 ${EXTRA_ARGS}
 echo "" > ${SHARED_DIR}/.awsprivatecred

ci-operator/step-registry/cucushift/hypershift-extended/install-private/cucushift-hypershift-extended-install-private-ref.yaml

@@ -6,8 +6,10 @@ ref:
     name: hypershift-operator
   env:
   - name: HYPERSHIFT_AWS_REGION
-    default: "us-east-1"
-    documentation: "The AWS region of the cluster."
+    default: ""
+    documentation: |
+      Specifies the AWS region for the cluster. If left as an empty string, 
+      the region defaults to that of the management cluster.
   - name: OCP_ARCH
     default: "amd64"
     documentation: "The architecture of the control plane nodes (e.g., amd64, arm64)."
@@ -24,4 +26,4 @@ ref:
     name: hypershift-qe-aws-privatecred
     namespace: test-credentials
   documentation: |-
-    Install HyperShift Operator
+    Install HyperShift Operator on an AWS cluster.

ci-operator/step-registry/cucushift/hypershift-extended/metadata/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+  - LiangquanLi930
+  - heliubj18
+  - fxierh
+reviewers:
+  - LiangquanLi930
+  - heliubj18
+  - fxierh

ci-operator/step-registry/cucushift/hypershift-extended/metadata/cucushift-hypershift-extended-metadata-commands.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -x
+set -o pipefail
+
+export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
+REGION=${LEASED_RESOURCE}
+
+vpc_id=$(oc get hc -A -o jsonpath='{.items[0].spec.platform.aws.cloudProviderConfig.vpc}')
+infra_id="$(oc get hc -A -o jsonpath='{.items[0].spec.infraID}')"
+public_subnet=$(aws --region "${REGION}" ec2 describe-subnets --filters "Name=tag:kubernetes.io/cluster/${infra_id},Values=owned" "Name=tag:Name,Values=*public*" --query 'Subnets[0].SubnetId' --output text)
+
+if [[ -f "${SHARED_DIR}/vpc_id" ]]; then
+    echo "Error: The file ${SHARED_DIR}/vpc_id already exists. Operation aborted to prevent overwriting."
+    exit 1
+fi
+if [[ -f "${SHARED_DIR}/public_subnet_ids" ]]; then
+    echo "Error: The file ${SHARED_DIR}/public_subnet_ids already exists. Operation aborted to prevent overwriting."
+    exit 1
+fi
+echo "$vpc_id" > "${SHARED_DIR}/vpc_id"
+echo "- $public_subnet" > "${SHARED_DIR}/public_subnet_ids"