MGMT-24194: add component installer step and workflow

[omer-vishlitzky]

Summary

https://redhat.atlassian.net/browse/MGMT-24194

Adds shared CI infrastructure for running vmaas E2E tests on component repo PRs (fulfillment-service, osac-operator, osac-aap).

Why new step/workflow?

The existing osac-project-installer step deploys OSAC using the promoted osac-installer image, which pins component versions via kustomize image tags (e.g., ghcr.io/osac-project/fulfillment-service:sha-f2cd619). When testing a component PR, we need the deployed cluster to run the PR's code, not the released version.

The new osac-project-installer-component step extends the existing one by patching the osac-installer image at runtime before deploying:

1. Overrides the kustomize image tag in base/kustomization.yaml — replaces the pinned SHA tag with the CI-built image from the PR, so the cluster deploys the PR's container image
2. Overrides AAP_EE_IMAGE in the overlay kustomization (osac-aap only) — so AAP runs playbooks using the PR's execution environment instead of the released one

New components

• Step: osac-project-installer-component — accepts COMPONENT_IMAGE (CI-built image pull spec) and COMPONENT_IMAGE_NAME (kustomize image name to replace), patches kustomization before running setup.sh
• Workflow: osac-project-ofcir-baremetal-component — identical to osac-project-ofcir-baremetal but uses the new installer step

How component repos use it

Each component repo's CI config builds two images:

1. The component's container image from the PR source
2. A modified osac-installer image with the PR's manifests overlaid on the submodule

Then the test definition overrides dependencies:

dependencies:
  OSAC_INSTALLER_IMAGE: osac-installer-with-pr   # modified installer with PR manifests
  COMPONENT_IMAGE: fulfillment-service-pr         # PR's container image
env:
  COMPONENT_IMAGE_NAME: ghcr.io/osac-project/fulfillment-service  # which image to replace

Test plan

• Prow validation checks pass
• Merge before component repo PRs (MGMT-24194: add required vmaas E2E presubmit tests to osac-operator #78716, MGMT-24194: add required vmaas E2E presubmit tests to fulfillment-service #78717, MGMT-24194: add required vmaas E2E presubmit tests to osac-aap #78718)

Summary by CodeRabbit

• Chores
  • Added new CI step-registry components for the OSAC installer and baremetal variant, including a runtime command script and component reference.
  • Added ownership/governance entries for the new CI components (approvers/reviewers/options).
• Tests
  • Introduced a new workflow to run the end-to-end test suite on Packet-provisioned servers with defaults, resource limits, credential mounts, and image-override inputs.

[openshift-ci-robot]

@omer-vishlitzky: This pull request references MGMT-24194 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

https://redhat.atlassian.net/browse/MGMT-24194

• New step osac-project-installer-component: variant of the installer step that patches kustomize image tags to use CI-built component images before deploying
• New workflow osac-project-ofcir-baremetal-component: full E2E workflow using the new step

This is shared infrastructure for PRs that add vmaas E2E presubmits to component repos (fulfillment-service, osac-operator, osac-aap).

Test plan

• Prow validation checks pass (ci-operator-registry, step-registry-shellcheck, etc.)
• Merge before component repo PRs

This PR must merge first. Component repo PRs depend on it:

• osac-operator PR (pending)
• fulfillment-service PR (pending)
• osac-aap PR (pending)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9154519b-a6e2-4c4a-8325-2b08ae7ce851

📥 Commits

Reviewing files that changed from the base of the PR and between 89cf855 and 822a0b5.

📒 Files selected for processing (4)

• ci-operator/step-registry/osac-project/installer/component/OWNERS
• ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.metadata.json
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/OWNERS
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.metadata.json

✅ Files skipped from review due to trivial changes (3)

• ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.metadata.json
• ci-operator/step-registry/osac-project/installer/component/OWNERS
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/OWNERS

---

Walkthrough

Adds CI step-registry artifacts: a new installer component (commands script, step ref, and metadata/OWNERS) and a Packet-assisted baremetal workflow (workflow YAML, metadata/OWNERS) that composes pre/test/post step groups to run E2E OSAC tests with a PR-built component image override.

Changes

Installer Component Setup

Layer / File(s)	Summary
Ownership Configuration ci-operator/step-registry/osac-project/installer/component/OWNERS, ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.metadata.json	Adds OWNERS and metadata mapping; approvers and reviewers set to ["osac-cicd","assisted-cicd"].
Step Definition ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.yaml	Introduces osac-project-installer-component ref (from dev-scripts), declares env deps (OSAC_INSTALLER_IMAGE, COMPONENT_IMAGE), grace/timeout, resource requests, credentials mount, and inputs (E2E_*, COMPONENT_IMAGE_NAME, AAP_EE_IMAGE_OVERRIDE).
Command Implementation ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-commands.sh	Adds strict-mode bash script: prints env, base64-decodes license, scp to ci_machine, ssh (with redaction), sets remote KUBECONFIG, annotates default storageclass, waits for kubevirt readiness, applies OVN NetworkAttachmentDefinition, runs installer container via podman mounting kubeconfig/pull-secret/license, rewrites overlay kustomization (newName/newTag, optional AAP_EE_IMAGE) and invokes /installer/scripts/setup.sh.

Baremetal Component Workflow

Layer / File(s)	Summary
Ownership Configuration ci-operator/step-registry/osac-project/ofcir/baremetal/component/OWNERS, ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.metadata.json	Adds OWNERS and workflow metadata; approvers and reviewers set to ["osac-cicd","assisted-cicd"].
Workflow Definition ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.yaml	Adds osac-project-ofcir-baremetal-component workflow: cluster_profile: packet-assisted, enables best-effort/skip-on-success, wires pre/test/post to referenced step groups (including the installer component), sets env.CLUSTERTYPE to assisted_medium_el9, and includes documentation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Runner as CI Runner
  participant CI_Machine as ci_machine
  participant Cluster as Target Cluster
  participant Installer as Installer Container

  Runner->>Runner: decode license -> /tmp/license.zip
  Runner->>CI_Machine: scp /tmp/license.zip
  Runner->>CI_Machine: ssh (remote shell, redacted output)
  CI_Machine->>Cluster: set KUBECONFIG, annotate storageclass
  CI_Machine->>Cluster: wait for kubevirt-hyperconverged
  CI_Machine->>Cluster: apply OVN NetworkAttachmentDefinition
  Runner->>CI_Machine: run podman installer container (mounts kubeconfig, pull-secret, license)
  Installer->>Installer: rewrite overlay kustomization (newName/newTag, optional AAP_EE_IMAGE)
  Installer->>Cluster: run /installer/scripts/setup.sh using mounted KUBECONFIG
  Installer-->>Runner: exit status / logs (redacted)

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: adding a component installer step and workflow for OSAC project CI infrastructure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable Ginkgo test names is not applicable; PR contains only CI/CD infrastructure files without Go test code.
Test Structure And Quality	✅ Passed	The PR contains only CI/CD infrastructure files (YAML, bash scripts, JSON metadata, OWNERS files) with no Ginkgo test code or Go test files, making the check not applicable.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; it only contains infrastructure, step-registry components, and CI workflow definitions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only CI/CD infrastructure files (bash scripts, YAML step/workflow definitions, configuration files) with no Ginkgo e2e tests or Go test files.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI infrastructure files in ci-operator/step-registry/, not production deployment manifests, operator code, or controllers deployed to clusters.
Ote Binary Stdout Contract	✅ Passed	PR adds only CI/CD infrastructure files (bash scripts, YAML, JSON) with no Go test binaries, so OTE Binary Stdout Contract check does not apply.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. Changes consist entirely of CI infrastructure files including OWNERS files, bash script, and YAML/JSON CI workflow definitions. No Ginkgo test patterns detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 7/10 reviews remaining, refill in 17 minutes and 35 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-commands.sh`:
- Around line 57-70: The script currently attempts to patch kustomization.yaml
but doesn't error if the target image entry "name: ${COMPONENT_IMAGE_NAME}" is
missing; add an explicit existence check before the sed blocks that greps for
"name: ${COMPONENT_IMAGE_NAME}" in kustomization.yaml and if not found call
process fail (exit 1) with a descriptive message so the job fails fast instead
of silently continuing; reference the existing variables and the
kustomization.yaml modification logic around the sed blocks that set
newName/newTag for COMPONENT_IMAGE_NAME, COMPONENT_REGISTRY and COMPONENT_TAG to
locate where to insert this check.

In
`@ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.yaml`:
- Around line 19-23: Update the workflow documentation to explicitly list the
required consumer inputs: callers must supply a dependency mapping named
"component-image" and set the environment variable "COMPONENT_IMAGE_NAME" (used
by the pre step that performs the image override), and note the expected
format/value (CI-built image reference) and failure behavior if omitted;
reference the workflow variant description and the pre step that performs the
override so consumers know to provide these inputs when invoking this variant.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6560fc2a-6082-44ca-91cc-811e6e2af1b2

📥 Commits

Reviewing files that changed from the base of the PR and between 47e52e1 and 192bccb.

📒 Files selected for processing (7)

• ci-operator/step-registry/osac-project/installer/component/OWNERS
• ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-commands.sh
• ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.metadata.json
• ci-operator/step-registry/osac-project/installer/component/osac-project-installer-component-ref.yaml
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/OWNERS
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.metadata.json
• ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Document required consumer inputs for this workflow variant.

The description says this overrides a component image, but it doesn’t state that consuming jobs must provide the component-image dependency mapping and COMPONENT_IMAGE_NAME. Without that, the pre step can fail or run without the intended override.

Suggested doc update

   documentation: |-
     This workflow executes the common end-to-end osac-test-infra test suite on a cluster
     provisioned by running assisted-installer on a packet server. Unlike the base workflow,
     this variant overrides a single component image with a CI-built version from a PR,
     enabling E2E validation of component repo changes before merge.
+    Consuming jobs must map the `component-image` dependency and set `COMPONENT_IMAGE_NAME`
+    to the exact `name:` entry in `/installer/base/kustomization.yaml`.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	documentation: |-
	This workflow executes the common end-to-end osac-test-infra test suite on a cluster
	provisioned by running assisted-installer on a packet server. Unlike the base workflow,
	this variant overrides a single component image with a CI-built version from a PR,
	enabling E2E validation of component repo changes before merge.
	documentation: |-
	This workflow executes the common end-to-end osac-test-infra test suite on a cluster
	provisioned by running assisted-installer on a packet server. Unlike the base workflow,
	this variant overrides a single component image with a CI-built version from a PR,
	enabling E2E validation of component repo changes before merge.
	Consuming jobs must map the `component-image` dependency and set `COMPONENT_IMAGE_NAME`
	to the exact `name:` entry in `/installer/base/kustomization.yaml`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/step-registry/osac-project/ofcir/baremetal/component/osac-project-ofcir-baremetal-component-workflow.yaml`
around lines 19 - 23, Update the workflow documentation to explicitly list the
required consumer inputs: callers must supply a dependency mapping named
"component-image" and set the environment variable "COMPONENT_IMAGE_NAME" (used
by the pre step that performs the image override), and note the expected
format/value (CI-built image reference) and failure behavior if omitted;
reference the workflow variant description and the pre step that performs the
override so consumers know to provide these inputs when invoking this variant.

[danmanor]

/approve

[eranco74]

/lgtm

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@omer-vishlitzky: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[danmanor]

To truly test the components we need to import their up-to-date code as well and use it as the submodules

[omer-vishlitzky]

https://github.com/openshift/release/pull/78716/changes#diff-839c036529a0e9487a73ea19a77185c047e760dc067deb3bf024386833287641R47-R58
here we build a modified osac-installer image: FROM osac-installer starts from the promoted baseline (all components at their pinned versions), then COPY config/ overlays the PR's
manifests over the osac-operator submodule. Lines 49-50 (of this file) build the PR's container image. The step registry in #78715 patches base/kustomization.yaml at runtime to point the image tag to
this CI-built image. So both the manifests and the running binary come from the PR, while everything else stays at the released versions.

[eranco74]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danmanor, eranco74, jhernand, omer-vishlitzky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/osac-project/installer/OWNERS [jhernand]
• ci-operator/step-registry/osac-project/ofcir/baremetal/OWNERS [jhernand]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[omer-vishlitzky]

/retest

[openshift-ci]

@omer-vishlitzky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.