HIVE-3096: CI: Skip image signature verification #2869

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:master from 2uasimojo:HIVE-3096/ci-ignore-sigstore
Mar 16, 2026

@2uasimojo
Member

@2uasimojo 2uasimojo commented Mar 13, 2026

Prerequisite to being able to run our CI against 4.22 nightlies, we have to instruct installer to skip image signature verification, as nightly payloads are not being signed.

Ref: https://groups.google.com/u/1/a/redhat.com/g/openshift-eng/c/CLErmvJ2lY0

As written, this will also be set for presubmits against GAed releases. That's okay -- signature verification testing is well covered elsewhere.

Summary by CodeRabbit

  • Chores
    • Updated end-to-end testing scripts to support experimental scenarios by setting an installer environment flag that disables image policy and by emitting/modifying cluster pool configuration as JSON before applying changes.
  • Tests
    • Adjusted CI test flow and comments to reflect nightly image signature verification and cost-aware worker considerations.

@openshift-ci-robot

@2uasimojo: An error was encountered searching for bug HIVE-3096 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message. No response returned: Get "https://issues.redhat.com/rest/api/2/issue/HIVE-3096": GET https://issues.redhat.com/rest/api/2/issue/HIVE-3096 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

@coderabbitai

coderabbitai Bot commented Mar 13, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 706b247 and bbf4326.

📒 Files selected for processing (2)
  • hack/e2e-pool-test.sh
  • hack/e2e-test.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • hack/e2e-test.sh

📝 Walkthrough

Scripts that create test clusters now inject an installerEnv entry (setting OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true) in addition to apiURLOverride when transforming created cluster/clusterpool JSON before applying it.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| E2E Test Script: hack/e2e-test.sh | jq transformation updated to add provisioning.installerEnv with OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true alongside existing apiURLOverride when preparing ClusterDeployment JSON. |
| E2E Pool Creation: hack/e2e-pool-test.sh | ClusterPool creation now emits JSON (-o json), pipes through jq to set items[0].spec.provisioning.installerEnv to disable image policy, then applies the modified resource with oc apply -f -. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudge a JSON, soft and spry,
A flag to hush the image sky,
Pipelines ripple, scripts delight,
E2E nights sleep snug and tight,
Hooray — tests hop on by! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: skipping image signature verification in CI, which aligns with the core purpose of modifying e2e test scripts to set OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@openshift-ci openshift-ci Bot requested review from jstuever and suhanime March 13, 2026 21:28
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 13, 2026

@2uasimojo
Member Author

2uasimojo commented Mar 13, 2026

/hold

This shouldn't affect presubmits at all. So once e2e[-pool] passes, we want to look at the artifacts and make sure the CD got the following in .spec.provisioning:

          "installerEnv": [{
            "name": "OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY",
            "value": "true"
          }]

The final verification will be whether our e2e-weekly periodic starts to succeed (been experimenting via openshift/release#75057).

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 13, 2026
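
The artifact check described in the comment above can be scripted; the following is an added example, not code from this PR or from Hive's scripts. It takes a ClusterDeployment dump (a single resource or a List wrapper) and reports whether `.spec.provisioning.installerEnv` is a list carrying the flag with the string value `"true"`. The function names and the sample resources are constructed for illustration.

```python
import json

FLAG = "OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY"

def installer_env_problems(resource: dict) -> list[str]:
    """Return problems found in .spec.provisioning.installerEnv (empty list = OK)."""
    provisioning = (resource.get("spec") or {}).get("provisioning") or {}
    env = provisioning.get("installerEnv")
    if env is None:
        return ["installerEnv is absent"]
    if not isinstance(env, list):
        # A bare object here is the shape mistake a jq assignment can introduce.
        return [f"installerEnv is {type(env).__name__}, expected a list of name/value entries"]
    matches = [e for e in env if isinstance(e, dict) and e.get("name") == FLAG]
    if not matches:
        return [f"{FLAG} not present in installerEnv"]
    problems = []
    if len(matches) > 1:
        problems.append(f"{FLAG} listed {len(matches)} times")
    for entry in matches:
        # Env var values are strings; a JSON boolean true is a different value.
        if entry.get("value") != "true":
            problems.append(f"{FLAG} has value {entry.get('value')!r}, expected the string 'true'")
    return problems

def check_artifact(text: str) -> dict[str, list[str]]:
    """Check one artifact file's text; maps resource name -> list of problems."""
    doc = json.loads(text)
    resources = doc["items"] if "items" in doc else [doc]
    return {(r.get("metadata") or {}).get("name", "<unnamed>"): installer_env_problems(r)
            for r in resources}

# Constructed sample artifact: one well-formed CD, one with installerEnv as an object.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterDeployment", "metadata": {"name": "cd-good"},
     "spec": {"provisioning": {"installerEnv": [{"name": FLAG, "value": "true"}]}}},
    {"kind": "ClusterDeployment", "metadata": {"name": "cd-object"},
     "spec": {"provisioning": {"installerEnv": {"name": FLAG, "value": "true"}}}},
]})

if __name__ == "__main__":
    for name, problems in check_artifact(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```
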

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/e2e-test.sh`:
- Line 118: The jq command is assigning an object to
.items[0].spec.provisioning.installerEnv but the Hive API/CRD expects
installerEnv to be an array ([]EnvVar); change the assignment to provide an
array of env var objects instead of a single object. Update the jq expression
that sets .items[0].spec.provisioning.installerEnv (the line with jq
'.items[0].spec.controlPlaneConfig.apiURLOverride = "bogus-url.example.com" |
.items[0].spec.provisioning.installerEnv = ...') so it assigns a JSON array like
[{"name":"OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY","value":"true"}]
rather than a bare object.

📥 Commits

Reviewing files that changed from the base of the PR and between 4f955dc and 706b247.

📒 Files selected for processing (1)
  • hack/e2e-test.sh

Comment thread hack/e2e-test.sh Outdated
@2uasimojo 2uasimojo force-pushed the HIVE-3096/ci-ignore-sigstore branch from 706b247 to 5bc9621 Compare March 13, 2026 21:39
Prerequisite to being able to run our CI against 4.22 nightlies, we have
to instruct installer to skip image signature verification, as nightly
payloads are not being signed.

Ref: https://groups.google.com/u/1/a/redhat.com/g/openshift-eng/c/CLErmvJ2lY0

As written, this will also be set for presubmits against GAed releases.
That's okay -- signature verification testing is well covered elsewhere.
@2uasimojo 2uasimojo force-pushed the HIVE-3096/ci-ignore-sigstore branch from 5bc9621 to bbf4326 Compare March 13, 2026 21:40
@openshift-ci
Contributor

openshift-ci Bot commented Mar 13, 2026

@2uasimojo: all tests passed!

@suhanime
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 14, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, suhanime

@2uasimojo
Member Author

/hold cancel

installerEnv confirmed in the real CD for e2e; and the clusterpool and all CDs for e2e-pool ✓

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit a6aa930 into openshift:master Mar 16, 2026
24 checks passed
@2uasimojo 2uasimojo deleted the HIVE-3096/ci-ignore-sigstore branch March 16, 2026 17:46