Expand Up @@ -27,7 +27,9 @@ images:
ADD . /installer
WORKDIR /installer

RUN dnf install -y git jq
RUN dnf install -y git jq && \
curl -fsSL https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz | tar xz -C /tmp && \
mv /tmp/linux-amd64/helm /usr/local/bin/helm
Comment on lines +30 to +32
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify Helm release artifact has published checksums for the pinned version.
ver="v3.17.3"
curl -fsSL "https://get.helm.sh/helm-${ver}-linux-amd64.tar.gz.sha256" | sed -n '1,3p'
curl -fsSL "https://get.helm.sh/helm-${ver}-linux-amd64.tar.gz.sha256sum" | sed -n '1,3p'

Repository: openshift/release

Length of output: 224


Add checksum verification for downloaded Helm artifact

The Docker build installs Helm fetched from the network (curl ... | tar) without checksum/signature verification, leaving a supply-chain integrity gap. Helm v3.17.3 publishes SHA256 checksums, so downloading the tarball and verifying it with sha256sum before extracting/installing is straightforward.

Suggested hardening diff
-      RUN dnf install -y git jq && \
-          curl -fsSL https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz | tar xz -C /tmp && \
-          mv /tmp/linux-amd64/helm /usr/local/bin/helm
+      ARG HELM_VERSION=v3.17.3
+      ARG HELM_SHA256
+      RUN dnf install -y git jq && \
+          curl -fsSLo /tmp/helm.tar.gz "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" && \
+          echo "${HELM_SHA256}  /tmp/helm.tar.gz" | sha256sum -c - && \
+          tar xzf /tmp/helm.tar.gz -C /tmp && \
+          install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/osac-project/osac-installer/osac-project-osac-installer-main.yaml`
around lines 30 - 32, The Dockerfile RUN that fetches and extracts Helm (the RUN
line using curl to download https://get.helm.sh/helm-v3.17.3-linux-amd64.tar.gz
and then tar/mv) must verify the artifact before extraction: download both the
tarball and its published SHA256 file (or the .tar.gz.sha256sum), compute the
local sha256 (sha256sum) and compare to the published value, aborting the build
if they differ; only after successful verification proceed to tar -xzf and mv
/tmp/linux-amd64/helm /usr/local/bin/helm. Ensure the verification is done in
the same RUN step so intermediate layers don’t keep an unverified artifact and
clean up downloaded files afterwards.

RUN git submodule update --init --recursive

RUN cp oc /usr/local/bin/oc
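Review bot: The `curl -fsSL ... | tar xz` on the added RUN line extracts a Helm binary that is never integrity-checked, so a tampered or truncated archive served from get.helm.sh lands in /usr/local/bin unchanged; the version is pinned, the content is not. Download the tarball to a file, compare it against the published SHA-256 for helm-v3.17.3-linux-amd64.tar.gz with `sha256sum -c` inside the same RUN step, and only then extract, `install -m 0755` the binary and remove the tarball and /tmp/linux-amd64 so no layer keeps an unverified artifact. If the `ARG HELM_SHA256` form from the suggested diff above is adopted, be aware that an unset build arg expands to an empty checksum line and `sha256sum -c` then exits non-zero, so the build fails rather than silently skipping verification; hard-coding the digest next to the pinned version avoids depending on build args being wired through ci-operator at all.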
Expand Up @@ -67,118 +67,16 @@ tests:
- intranet
steps:
workflow: osac-project-cluster-tool-vmaas
- as: e2e-metal-vmaas-compute-instance-creation
- as: e2e-vmaas-periodic
capabilities:
- intranet
cron: 0 2 * * 1
cron: 0 6,18 * * *
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_creation.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-compute-instance-api-fields
capabilities:
- intranet
cron: 0 6 * * 1
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_api_fields.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-compute-instance-cli-fields
capabilities:
- intranet
cron: 0 2 * * 2
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_cli_fields.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-compute-instance-delete-during-provision
capabilities:
- intranet
cron: 0 6 * * 2
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_delete_during_provision.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-compute-instance-restart
capabilities:
- intranet
cron: 0 2 * * 3
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_restart.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-compute-instance-restart-negative
capabilities:
- intranet
cron: 0 6 * * 3
steps:
cluster_profile: packet-assisted
env:
ASSISTED_CONFIG: |
OLM_OPERATORS=cnv,lvm
NUM_MASTERS=1
NUM_WORKERS=0
MASTER_MEMORY=57344
MASTER_DISK_COUNT=2
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_compute_instance_restart_negative.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-subnet-lifecycle
workflow: osac-project-cluster-tool-vmaas
- as: e2e-vmaas-full-setup-kustomize
capabilities:
- intranet
cron: 0 2 * * 4
cron: 0 0 * * *
steps:
cluster_profile: packet-assisted
env:
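Review bot: The added `cron: 0 6,18 * * *` for e2e-vmaas-periodic and `cron: 0 0 * * *` for e2e-vmaas-full-setup-kustomize replace per-test jobs that were deliberately staggered across weekdays and hours (02:00 and 06:00, Monday through Thursday), all on cluster_profile packet-assisted. Confirm that the baremetal capacity behind that profile can absorb daily runs at these times, and state in the PR description which of the removed per-test jobs (compute-instance creation, api-fields, cli-fields, delete-during-provision, restart, restart-negative and subnet-lifecycle) are now covered by the periodic job, since the TEST selection for it falls outside the shown lines and the diff alone does not show that coverage is preserved.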
Expand All @@ -191,12 +89,11 @@ tests:
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_subnet_lifecycle.py
workflow: osac-project-ofcir-baremetal
- as: e2e-metal-vmaas-virtual-network-lifecycle
- as: e2e-vmaas-full-setup-helm
capabilities:
- intranet
cron: 0 6 * * 4
cron: 0 0 * * *
steps:
cluster_profile: packet-assisted
env:
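Review bot: The added `cron: 0 0 * * *` on e2e-vmaas-full-setup-helm is identical to the schedule the kustomize full-setup job receives in the previous hunk, and both jobs use cluster_profile packet-assisted; the removed lines had them four hours apart (02:00 and 06:00). Two full-setup runs starting at the same minute on the same profile will contend for the same hardware pool, so offset one of them (for example `0 4 * * *`) unless the pool is known to hold two concurrent clusters.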
Expand All @@ -209,7 +106,8 @@ tests:
MASTER_DISK=200000000000
MASTER_CPU=24
OPENSHIFT_VERSION=4.20
TEST: test_virtual_network_lifecycle.py
DEPLOY_MODE: helm
NOTIFY_LABEL: Full Setup vmaas (helm)
workflow: osac-project-ofcir-baremetal
zz_generated_metadata:
branch: main
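Review bot: `DEPLOY_MODE: helm` on the added lines relies on the Helm binary that the first hunk bakes into the installer image at a pinned v3.17.3; because that pin lives in the image definition rather than in this job's env, a future Helm bump changes this job's behaviour with nothing visible here, so note the coupling beside DEPLOY_MODE or track the version in one place. Also verify that the osac-project-ofcir-baremetal workflow actually reads DEPLOY_MODE and NOTIFY_LABEL; nothing in the shown config references them, and an unconsumed DEPLOY_MODE would leave the helm and kustomize full-setup jobs running the same deployment path.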