NE-2215: add CI step and nightly job for testing previous HAProxy version #80171

Draft
gcs278 wants to merge 1 commit into openshift:main from gcs278:haproxy-multi-version-ci-scaffolding

@gcs278 gcs278 commented Jun 5, 2026

Summary

Adds a CI step and nightly job definitions to test the previous HAProxy version on the default IngressController. This supports the HAProxy version selection feature described in openshift/enhancements#1965.

What's included

  • CI step (ingress-conf-haproxy-version): Inspects the release payload for HAProxy sidecar images via oc adm release info and configures the default IngressController to use a specific version at install time by writing a manifest to SHARED_DIR. Supports both explicit version selection (HAPROXY_VERSION) and auto-discovery (HAPROXY_AUTO_SELECT: "previous" or "newest"). If only one HAProxy version exists in the payload, the step exits cleanly (no-op).

  • Nightly job definitions (commented out pending EP decisions): Two job variants for e2e-aws-ovn with TechPreviewNoUpgrade:

    • e2e-aws-ovn-haproxy-previous-techpreview — installs with the oldest HAProxy version in the payload
    • e2e-aws-ovn-haproxy-newest-techpreview — installs with the newest HAProxy version in the payload

    Only one job is needed — which one depends on the default version decision in the EP. The base e2e-aws-ovn job already tests whatever the default is, so we only need one additional job for the non-default version.

Pending EP decisions

  • API field name: haproxyVersion (HAProxy-version based) vs haproxyOCPVersion (OCP-version based)
  • Default HAProxy version on upgrade (current vs previous)
  • Default HAProxy version on fresh install
  • Uncomment the appropriate job definition

How it works

  1. Job sets HAPROXY_AUTO_SELECT: "previous" (or "newest")
  2. Step runs oc adm release info against the payload to discover haproxy-* images
  3. If 2+ HAProxy images exist, selects the target version and writes an IngressController manifest to SHARED_DIR
  4. If only 1 image exists, exits cleanly — no alternative version to test
  5. Installer picks up the manifest, cluster installs with the selected HAProxy version
  6. Standard e2e suite runs against it

Prior art

Follows the same pattern as RHCOS dual-stream testing:

  • Step: rhcos-conf-osstream discovers and configures the OS version
  • Jobs: e2e-aws-ovn-rhcos10-techpreview tests the non-default OS variant

https://redhat.atlassian.net/browse/NE-2215

🤖 Generated with Claude Code

Add a CI step and nightly job definitions for testing multiple HAProxy
versions. This supports the HAProxy version selection feature described
in openshift/enhancements#1965.

The step (ingress-conf-haproxy-version) auto-discovers HAProxy sidecar
images from the release payload and configures the default
IngressController to use a specific version at install time.

Two job definitions are included (both commented out pending EP
decisions on API field name and default version behavior):
- e2e-aws-ovn-haproxy-previous-techpreview
- e2e-aws-ovn-haproxy-newest-techpreview

TODOs:
- Finalize API field name (haproxyVersion vs haproxyOCPVersion)
- Determine default version behavior (current vs previous on upgrade)
- Uncomment the appropriate job once decisions are made

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 5, 2026

openshift-ci-robot commented Jun 5, 2026

@gcs278: This pull request references NE-2215 which is a valid jira issue.

Details

In response to this:

Summary

Scaffolding for CI testing of multiple HAProxy versions per openshift/enhancements#1965.

What's included

  • CI step (ingress-conf-haproxy-version): Auto-discovers HAProxy sidecar images from the release payload and configures the default IngressController to use a specific version at install time. Supports both explicit version selection (HAPROXY_VERSION) and auto-discovery (HAPROXY_AUTO_SELECT: "previous" or "newest").

  • Nightly job definitions (commented out): Two job variants for e2e-aws-ovn with TechPreviewNoUpgrade, one for testing the previous HAProxy version and one for the newest. Only one is needed — which one depends on the default version decision in the EP.

Pending decisions (from EP review)

  • API field name: haproxyVersion (HAProxy-version based) vs haproxyOCPVersion (OCP-version based)
  • Default version on upgrade: current (3.2) vs previous (2.8)
  • Default version on fresh install
  • Uncomment the appropriate job definition

How it works

  1. Job runs with HAPROXY_AUTO_SELECT: "previous" (or "newest")
  2. Step inspects the release payload via oc adm release info for haproxy-* images
  3. If 2+ HAProxy images exist, selects the target version and writes an IngressController manifest to SHARED_DIR
  4. If only 1 image, exits cleanly (no-op — nothing to test)
  5. Installer picks up the manifest, cluster installs with the selected HAProxy version
  6. Standard e2e suite runs against it

Pattern

Follows the same approach as RHCOS dual-stream testing (rhcos-conf-osstream step, e2e-aws-ovn-rhcos10-techpreview jobs).

https://redhat.atlassian.net/browse/NE-2215

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 5, 2026

openshift-ci Bot commented Jun 5, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


coderabbitai Bot commented Jun 5, 2026

Walkthrough

This PR introduces a new reusable CI step for configuring OpenShift IngressController HAProxy versions. The step supports explicit version injection or automatic discovery from release payloads, with new job templates demonstrating integration patterns.

Changes

HAProxy Version Configuration Step

Layer / File(s) / Summary

  • Step declaration and ownership
    File(s): ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-ref.yaml, ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-ref.metadata.json, ci-operator/step-registry/ingress/conf/haproxy-version/OWNERS
    Summary: Defines the ingress-conf-haproxy-version step with resource requests, environment variables for explicit injection (HAPROXY_VERSION) and auto-discovery (HAPROXY_AUTO_SELECT), and repository ownership metadata.

  • HAProxy version selection implementation
    File(s): ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-commands.sh
    Summary: Bash script that validates environment, selects HAProxy version from either explicit injection or auto-discovered release metadata (oldest or newest), and writes the resolved version into an IngressController manifest.

  • Example job templates
    File(s): ci-operator/config/openshift/release/openshift-release-main__nightly-5.0.yaml
    Summary: Commented AWS HAProxy techpreview job templates demonstrating step usage with different version selection strategies (previous vs newest).

🎯 2 (Simple) | ⏱️ ~12 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • No-Sensitive-Data-In-Logs (❌ Error)
    Explanation: Line 26 exposes credential file path: --registry-config "${CLUSTER_PROFILE_DIR}/pull-secret" reveals pull-secret location in CI logs.
    Resolution: Avoid exposing credential file paths in logged command invocations. Use redirection or keep path references outside logged sections.

✅ Passed checks (14 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): PR adds CI configuration files only (YAML, bash scripts, OWNERS); no Ginkgo test definitions (It/Describe/Context/When) are present, so the check is not applicable.
  • Test Structure And Quality (✅ Passed): The custom check for Ginkgo test quality is not applicable to this PR. The PR only adds CI configuration files (YAML), a bash shell script, and metadata—no Ginkgo or Go test code exists.
  • Microshift Test Compatibility (✅ Passed): PR adds CI infrastructure scaffolding (YAML configs, bash scripts, OWNERS files) but does not add any Ginkgo e2e tests. No test code with It(), Describe(), Context(), When() patterns found.
  • Single Node Openshift (Sno) Test Compatibility (✅ Passed): PR adds CI infrastructure and step configurations only, no Ginkgo e2e tests are introduced. SNO compatibility check is not applicable.
  • Topology-Aware Scheduling Compatibility (✅ Passed): PR adds CI scaffolding for HAProxy testing. No scheduling constraints found; IngressController manifest only configures haproxyVersion field.
  • Ote Binary Stdout Contract (✅ Passed): This PR adds CI configuration and Bash step scripts, not OTE binaries. The OTE Binary Stdout Contract check only applies to test extension binaries, which are absent here.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): PR adds CI scaffolding (bash scripts, YAML configs) for HAProxy testing, not Ginkgo e2e tests. No Ginkgo test patterns found; check doesn't apply.
  • No-Weak-Crypto (✅ Passed): PR adds HAProxy version CI scaffolding with no weak crypto algorithms, custom implementations, or non-constant-time comparisons detected in any files.
  • Container-Privileges (✅ Passed): No privileged container configurations found. PR contains CI scaffolding with commented-out jobs and unprivileged bash scripts with resource requests.
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main change: adding a CI step and nightly job scaffolding for testing HAProxy versions, which aligns with the file additions (ingress-conf-haproxy-version step and commented job templates).

@gcs278 gcs278 changed the title NE-2215: add CI scaffolding for HAProxy multi-version testing [WIP] NE-2215: add CI scaffolding for HAProxy multi-version testing Jun 5, 2026

openshift-ci Bot commented Jun 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gcs278
Once this PR has been reviewed and has the lgtm label, please assign sosiouxme for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 5, 2026

[REHEARSALNOTIFIER]
@gcs278: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-commands.sh`:
- Around line 26-50: The current pipeline that builds HAPROXY_IMAGES uses plain
lexicographic sort which misorders multi-digit tags; change the pipeline that
sets HAPROXY_IMAGES to use version-aware sorting (e.g., replace the plain sort
with a version-aware sort such as sort -V or sort -t- -k2,2V) so that selecting
TARGET_IMAGE for HAPROXY_AUTO_SELECT (in the case branches that use head/tail)
picks the true previous/newest semantic version; keep the rest of the logic (the
grep '^haproxy-' filter, COUNT check, and HAPROXY_AUTO_SELECT case) the same.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b987fb87-db29-4eae-ab43-fe063a7c4c7a

📥 Commits

Reviewing files that changed from the base of the PR and between 1e72272 and 1171f38.

📒 Files selected for processing (5)
  • ci-operator/config/openshift/release/openshift-release-main__nightly-5.0.yaml
  • ci-operator/step-registry/ingress/conf/haproxy-version/OWNERS
  • ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-commands.sh
  • ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-ref.metadata.json
  • ci-operator/step-registry/ingress/conf/haproxy-version/ingress-conf-haproxy-version-ref.yaml

Comment on lines +26 to +50
HAPROXY_IMAGES=$(oc adm release info --registry-config "${CLUSTER_PROFILE_DIR}/pull-secret" \
"${RELEASE_IMAGE_LATEST}" --output=json | \
jq -r '.references.spec.tags[].name' | grep '^haproxy-' | sort || true)

if [[ -z "${HAPROXY_IMAGES}" ]]; then
echo "No HAProxy sidecar images found in payload, skipping"
exit 0
fi

COUNT=$(echo "${HAPROXY_IMAGES}" | wc -l)
echo "Found ${COUNT} HAProxy image(s) in payload: ${HAPROXY_IMAGES}"

if [[ "${COUNT}" -lt 2 ]]; then
echo "Only one HAProxy version in payload, no alternative version to test. Skipping."
exit 0
fi

# Image names follow the pattern "haproxy-28", "haproxy-32", etc.
case "${HAPROXY_AUTO_SELECT}" in
previous)
TARGET_IMAGE=$(echo "${HAPROXY_IMAGES}" | head -1)
;;
newest)
TARGET_IMAGE=$(echo "${HAPROXY_IMAGES}" | tail -1)
;;
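
Review bot: the HAPROXY_IMAGES assignment at the top of these lines discards the exit status of oc adm release info and jq, because the pipeline ends in sort || true, and the -z branch right below then exits 0 with "No HAProxy sidecar images found in payload, skipping". A failed payload query (unreadable pull secret, unreachable registry, malformed JSON) therefore looks the same as a payload with no haproxy-* tags, and the job can pass having tested only the default version. Suggest capturing the oc output in its own assignment and failing the step when that command fails, keeping || true only for the grep, whose non-zero exit on "no match" is the one expected case.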

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use version-aware ordering before selecting previous/newest.

Line 28 uses lexicographic sort, which can select the wrong image when tags include multi-digit components (for example, haproxy-310 vs haproxy-39).

💡 Proposed fix
-  HAPROXY_IMAGES=$(oc adm release info --registry-config "${CLUSTER_PROFILE_DIR}/pull-secret" \
-    "${RELEASE_IMAGE_LATEST}" --output=json | \
-    jq -r '.references.spec.tags[].name' | grep '^haproxy-' | sort || true)
+  HAPROXY_IMAGES=$(oc adm release info --registry-config "${CLUSTER_PROFILE_DIR}/pull-secret" \
+    "${RELEASE_IMAGE_LATEST}" --output=json | \
+    jq -r '.references.spec.tags[].name | select(startswith("haproxy-"))' | sort -V || true)
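
Review bot: sort -V on the last added line fixes the haproxy-39 versus haproxy-310 case only if the suffix is a single number. The code comment gives the pattern as "haproxy-28", "haproxy-32" and the description speaks of 2.8 and 3.2, so the suffix looks like major and minor run together; in that encoding a 2.10 image would be tagged haproxy-210, which sorts after haproxy-32 under sort -V and before haproxy-28 under plain sort, wrong both ways. Suggest ordering on an explicit version value rather than the tag name, or fixing a tag format with a separator, before head -1 and tail -1 are taken to mean previous and newest.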

@gcs278 gcs278 changed the title [WIP] NE-2215: add CI scaffolding for HAProxy multi-version testing NE-2215: add CI step and nightly job for testing previous HAProxy version Jun 5, 2026
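
The selection step from "How it works" and the ordering issue raised in review, as an added example that is not the PR's script: tag names arrive on stdin instead of from oc adm release info, and the function names, return codes and sample tags are assumptions made here. It also assumes the tag suffix is a single integer that grows with the version.

```shell
# Added example (not the PR's script). Reads payload tag names on stdin,
# one per line, and prints the haproxy-<digits> tag chosen by MODE.
# Return codes are this sketch's own convention:
#   0 tag printed
#   3 fewer than two HAProxy versions (legitimate no-op)
#   2 unknown mode (the step should fail, not skip)
pick_haproxy_tag() {
  mode=$1
  case "$mode" in
    previous|newest) ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac

  # Anchored pattern: only "haproxy-<digits>" counts as a version tag, so
  # nothing else can be counted or reach the manifest. grep exits 1 on
  # "no match", which is the only failure tolerated here.
  tags=$(grep -E '^haproxy-[0-9]+$' || true)
  [ -n "$tags" ] || return 3

  # Numeric sort on the suffix: 39 sorts before 310, unlike plain sort.
  sorted=$(printf '%s\n' "$tags" | sort -t- -k2,2n -u)
  count=$(printf '%s\n' "$sorted" | wc -l | tr -d ' ')
  [ "$count" -ge 2 ] || return 3

  if [ "$mode" = previous ]; then
    printf '%s\n' "$sorted" | head -n 1
  else
    printf '%s\n' "$sorted" | tail -n 1
  fi
}

# Run a discovery command (stand-in for the payload query) and select from
# its output. A failing discovery returns 1 instead of looking like an
# empty payload and being skipped.
select_from() {
  mode=$1; shift
  listing=$("$@") || { echo "tag discovery failed" >&2; return 1; }
  printf '%s\n' "$listing" | pick_haproxy_tag "$mode"
}

# Constructed sample tag list (not taken from a real payload).
SAMPLE_TAGS='cli
haproxy-39
haproxy-310
haproxy-extra'
```

A calling step would treat return code 3 as the clean no-op and any other non-zero code as a failure.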