Add a provision healthcheck job per region periodic job

[roivaz]

Summary by CodeRabbit

This PR updates OpenShift CI configuration and the ci-operator step-registry for the Azure/ARO-HCP repository to add periodic per-region provision healthchecks, a corresponding workflow and ownership metadata, and a targeted provisioning script change.

What changed in practical terms

• CI job configuration (ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml)

  • Adds a new periodic-healthcheck workflow that builds ARO-HCP images and schedules three regional provision-healthcheck runs (westus3, centralus, canadacentral).
  • Each job runs the aro-hcp-provision-healthcheck workflow with env vars ARO_HCP_CLOUD=dev, ARO_HCP_DEPLOY_ENV=ci01, LOCATION set per-region, and a 2h timeout.
  • Declares a build_root image stream tag (aro-hcp-ci-images:aro-hcp-e2e-base-ci) and builds images for backend, frontend, admin API, sessiongate, fleet, mgmt-agent, kube-applier, hcp-recovery, plus aro-hcp-e2e-tools (built from a literal Dockerfile that runs tooling/templatize and cleans Go caches) and aro-hcp-e2e-tests (dockerfile path).
  • Sets default resource requests (100m CPU / 200Mi) and raises resource requests/limits for aro-hcp-e2e-tests to 8 CPU / 12Gi.

• New workflow and ownership (ci-operator/step-registry/aro-hcp/provision-healthcheck/)

  • Adds aro-hcp-provision-healthcheck workflow which orchestrates:
    • pre: aro-hcp-write-config (from aro-hcp-e2e-tools)
    • test: aro-hcp-provision-environment
    • post: aro-hcp-gather-provision-failure, aro-hcp-gather-visualization, aro-hcp-deprovision-environment
  • Enables allow_best_effort_post_steps so post steps run for cleanup on failure.
  • Adds OWNERS and workflow metadata declaring approvers/reviewers (aro-hcp-sl-approvers, aro-hcp-sl-reviewers, geoberle, deads2k).

• Provision script change (ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh)

  • Separates “Image overrides” from “MSI mock SP overrides” when generating config-override.yaml.
  • Makes MSI mock SP overrides conditional: when LEASED_MSI_MOCK_SP is set the script reads clientId/principalId/certName from dev-infrastructure/openshift-ci/msi-mock-pool.yaml, validates they are present (fails fast if missing), and writes them into the override file; if LEASED_MSI_MOCK_SP is unset it logs that mock-SP overrides are skipped.
  • Continues to emit the override config for debugging.

Scope and impact

• Only CI configuration and step-registry for Azure/ARO-HCP are affected; no runtime library/API changes.
• Adds automated periodic regional provisioning probes to surface region-specific provisioning regressions and ensures the test build has larger resource allocations to support the provisioning steps.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: roivaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/Azure/ARO-HCP/OWNERS [roivaz]
• ci-operator/jobs/Azure/ARO-HCP/OWNERS [roivaz]
• ci-operator/step-registry/aro-hcp/OWNERS [roivaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 889b8925-5cd5-4cee-8854-b3aebe75c1cc

📥 Commits

Reviewing files that changed from the base of the PR and between e975b81 and 800fc79.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-periodics.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (5)

• ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml
• ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.metadata.json
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml
• ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.metadata.json

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml
• ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml
• ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh

---

Walkthrough

Adds periodic CI healthchecks for ARO-HCP: new ci-operator config scheduling regional provision workflows, a provision-healthcheck workflow with ownership metadata, and a provision script change to apply MSI mock SP overrides only when leased.

Changes

ARO-HCP Periodic Healthcheck

Layer / File(s)	Summary
Healthcheck CI config and schedules ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml	Adds build_root/images matrix, resource defaults and an aro-hcp-e2e-tools image, and schedules three cron provision-healthcheck jobs (westus3, centralus, canadacentral) with region env and 2h timeout.
Workflow definition and ownership ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml, ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.metadata.json, ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS	Introduces aro-hcp-provision-healthcheck workflow wired pre/test/post to existing steps and adds corresponding owners metadata and OWNERS file.
MSI mock SP conditional overrides ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh	Separates "Image overrides" header and applies MSI mock SP fields only when LEASED_MSI_MOCK_SP is set: reads values from msi-mock-pool.yaml, validates non-null, exits on missing, and updates config-override.yaml in-place via yq.

Sequence Diagram

sequenceDiagram
  participant Cron
  participant CI_Operator
  participant ProvisionWorkflow as aro_hcp_provision_healthcheck
  participant ProvisionScript as aro_hcp_provision_environment
  Cron->>CI_Operator: trigger scheduled job (region)
  CI_Operator->>ProvisionWorkflow: start workflow (pre/test/post)
  ProvisionWorkflow->>ProvisionScript: run provision step (may apply MSI mock overrides)
  ProvisionWorkflow->>ProvisionScript: run post steps (gather/deprovision)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/release#80093: Related edits to aro-hcp-provision-environment-commands.sh altering config-override.yaml generation and overrides via yq.

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

• deads2k
• bennerv

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 110 logs MSI_MOCK_CLIENT_ID (authentication credential). Line 120 cats entire config file containing miMockClientId, miMockPrincipalId, miMockCertName, and other sensitive values to CI logs.	Remove credential logging on line 110 and suppress sensitive fields in config output. Log only non-sensitive deployment info like environment name/status instead of secrets.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add a provision healthcheck job per region periodic job' accurately describes the primary change: adding periodic healthcheck jobs for different Azure regions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test definitions. Files modified are CI/CD configuration (YAML), metadata (JSON), and shell scripts in the openshift/release repository, not test source code.
Test Structure And Quality	✅ Passed	PR contains only CI/workflow configuration (YAML, JSON, shell scripts), no Ginkgo test code. Custom check for test structure is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds CI/workflow configuration and shell scripts only—no Ginkgo e2e tests are introduced, so MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI/workflow configuration and bash scripts only; no Ginkgo e2e tests (It(), Describe(), etc.) are added, so SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI/workflow configuration files only. No Kubernetes manifests, operators, or production scheduling constraints present.
Ote Binary Stdout Contract	✅ Passed	PR contains no Go code; check applies only to Go test binaries. Changes consist entirely of YAML configs, shell scripts, JSON metadata, and OWNERS file.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds CI/workflow configuration and scripts but no new Ginkgo e2e tests; IPv6/disconnected network check is not applicable.
No-Weak-Crypto	✅ Passed	PR contains CI workflow configuration and infrastructure provisioning scripts with no weak crypto algorithms, custom crypto, or non-constant-time secret comparisons.
Container-Privileges	✅ Passed	No container privilege escalation configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation: true) found in any new or modified files in this PR.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh`:
- Around line 100-109: When LEASED_MSI_MOCK_SP is set, the script currently
reads MSI_MOCK_CLIENT_ID, MSI_MOCK_PRINCIPAL_ID, and MSI_MOCK_CERT_NAME from
dev-infrastructure/openshift-ci/msi-mock-pool.yaml and blindly writes them to
OVERRIDE_CONFIG_FILE; if the SP key is missing the yq reads yield empty/"null"
and you must fail fast. After populating MSI_MOCK_CLIENT_ID,
MSI_MOCK_PRINCIPAL_ID, and MSI_MOCK_CERT_NAME, validate that none are empty or
equal to "null" (check variables MSI_MOCK_CLIENT_ID, MSI_MOCK_PRINCIPAL_ID,
MSI_MOCK_CERT_NAME) and if any validation fails, print an error including
LEASED_MSI_MOCK_SP and the missing field(s) and exit with a non‑zero status
instead of writing the override. Ensure the check runs before the yq -i override
to prevent propagating bad values.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d3ca1e2e-0cc5-4495-9a70-9105c4e03629

📥 Commits

Reviewing files that changed from the base of the PR and between 5ce5ea0 and 7900ba0.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-periodics.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (4)

• ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml
• ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml
• ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh

[roivaz]

/pj-rehearse pull-ci-Azure-ARO-HCP-main-e2e-parallel

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml (1)

77-77: ⚡ Quick win

Use more restrictive permissions than chmod 777.

Setting chmod 777 makes the directory world-writable, allowing any process to modify the code. Consider using more restrictive permissions (e.g., chmod 755 for read/execute by all, or chmod 775 if group-write is needed).

🔒 Proposed fix for more restrictive permissions

-      RUN chmod 777 /opt/app-root/src/github.com/Azure/ARO-HCP
+      RUN chmod 755 /opt/app-root/src/github.com/Azure/ARO-HCP

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml`
at line 77, The Dockerfile line using the command "RUN chmod 777
/opt/app-root/src/github.com/Azure/ARO-HCP" grants world-writable permissions;
change it to a more restrictive mode such as "chmod 755" (or "chmod 775" if
group-write is intentionally required) and, if appropriate, ensure ownership is
set to the intended runtime user via chown (e.g., chown -R <user>:<group> on the
same path) so only the owner (and optionally group) can write while others can
only read/execute.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml`:
- Line 71: The Dockerfile sets USER root (the "USER root" directive) with no
justification—either document why root is necessary (e.g., required privileged
steps for make/cleanup) or change to a non-root user; preferably revert to the
same non-root "src" base image user and adjust ownership/permissions for build
artifacts (use chown/chmod during image build) so make and cleanup can run
without root, and add a short comment explaining any remaining need for USER
root if you must keep it.
- Around line 1-84: The dockerfile_literal used for the aro-hcp-e2e-tools image
is running as root and uses an overly-permissive chmod 777; change the
Dockerfile literal to create/use a non-root user (e.g., add a dedicated
user/group and switch via USER) and replace chmod 777 with least-permission
adjustments (chown to the new user and chmod only what’s required, e.g., 0755 or
0700) or document/justify why root and 777 are necessary; update the
dockerfile_literal block (the FROM src ... USER root ... RUN chmod 777 ...
sequence) accordingly so the image no longer runs as root and files have
restrictive permissions.

---

Nitpick comments:
In
`@ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml`:
- Line 77: The Dockerfile line using the command "RUN chmod 777
/opt/app-root/src/github.com/Azure/ARO-HCP" grants world-writable permissions;
change it to a more restrictive mode such as "chmod 755" (or "chmod 775" if
group-write is intentionally required) and, if appropriate, ensure ownership is
set to the intended runtime user via chown (e.g., chown -R <user>:<group> on the
same path) so only the owner (and optionally group) can write while others can
only read/execute.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a4273532-06c4-40ad-94db-4409043d8f9f

📥 Commits

Reviewing files that changed from the base of the PR and between 7900ba0 and 94869cc.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-periodics.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (5)

• ci-operator/config/Azure/ARO-HCP/Azure-ARO-HCP-main__periodic-healthcheck.yaml
• ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.metadata.json
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml
• ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh

✅ Files skipped from review due to trivial changes (3)

• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.metadata.json
• ci-operator/step-registry/aro-hcp/provision-healthcheck/aro-hcp-provision-healthcheck-workflow.yaml
• ci-operator/step-registry/aro-hcp/provision-healthcheck/OWNERS

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/aro-hcp/provision/environment/aro-hcp-provision-environment-commands.sh

[roivaz]

/pj-rehearse pull-ci-Azure-ARO-HCP-main-e2e-parallel

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse ci/rehearse/periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@roivaz: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-Azure-ARO-HCP-main-periodic-healthcheck-images	Azure/ARO-HCP	presubmit	Presubmit changed
pull-ci-Azure-ARO-HCP-main-e2e-parallel	Azure/ARO-HCP	presubmit	Registry content changed
periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-canadacentral	N/A	periodic	Periodic changed
periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-westus3	N/A	periodic	Periodic changed
periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-westus3

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[roivaz]

/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-canadacentral

[openshift-merge-bot]

@roivaz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@roivaz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus	800fc79	link	unknown	/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-centralus
ci/rehearse/periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-canadacentral	800fc79	link	unknown	/pj-rehearse periodic-ci-Azure-ARO-HCP-main-periodic-healthcheck-provision-canadacentral

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.