DNM: Experimental merge of PR #80851 and PR #80814

[mdbooth]

This is an experimental merge combining:

• PR OCPBUGS-90633: Fix bootstrap failure in openshift-e2e-aws-disconnected #80851: OCPBUGS-90633: Fix bootstrap failure in openshift-e2e-aws-disconnected
• PR OCPBUGS-90545: Fix leaked s3 buckets by ipi-aws-post-disconnected #80814: OCPBUGS-90545: Fix leaked s3 buckets by ipi-aws-post-disconnected

Summary by CodeRabbit

This PR makes changes to OpenShift CI infrastructure configuration for the Cluster API Operator and AWS disconnected installation tests. The changes address two distinct issues in the openshift-e2e-aws-disconnected CI job:

Bootstrap Failure Fix: CredentialRequest Manifest Filtering

Updated the e2e-aws-capi-disconnected-techpreview pipeline configuration in four cluster-capi-operator release branches (main, 4.23, 5.0, and 5.1) to add the EXTRACT_MANIFEST_INCLUDED: "true" environment variable. This enables the modern approach using oc adm release extract --included to properly filter CredentialRequest manifests during CCO manual user provisioning, resolving bootstrap failures that occurred when the old filtering logic attempted to create secrets in non-existent namespaces.

S3 Bucket Leak Prevention: Idempotent Bucket Creation and Cleanup

Bastion host provisioning:

• Made S3 bucket creation idempotent in the aws-provision-bastionhost step by checking whether the per-cluster bucket already exists using aws s3api head-bucket before attempting creation
• If an accessible bucket already exists (typically from a leaked prior run), the script now reuses it with a warning instead of failing
• This allows subsequent job runs to proceed without collision errors

Bastion host deprovisioning:

• Added the aws-deprovision-s3buckets step to the ipi-aws-post-disconnected chain to ensure S3 buckets provisioned during setup are properly cleaned up after test completion
• Updated chain documentation to explicitly note S3 bucket deprovisioning alongside bastion host and CloudFormation VPC stack cleanup

These changes prevent resource leaks that previously caused subsequent runs of the same job on the same PR to fail due to bucket name collisions (since bucket names are derived from the namespace).

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3372e8b0-9795-425f-a82f-2196899f824d

📥 Commits

Reviewing files that changed from the base of the PR and between c111420 and 4c48da9.

📒 Files selected for processing (6)

• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml
• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-release-4.23.yaml
• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-release-5.0.yaml
• ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-release-5.1.yaml
• ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml

---

Walkthrough

The PR makes the S3 bucket creation in the bastion host provisioning script idempotent by checking existence before creating, adds aws-deprovision-s3buckets to the post-disconnected chain, and adds EXTRACT_MANIFEST_INCLUDED: "true" to the e2e-aws-capi-disconnected-techpreview job env across four branch CI configs.

Changes

Disconnected Techpreview S3 Bucket Lifecycle and CI Config

Layer / File(s)	Summary
S3 bucket idempotent creation and deprovisioning wiring ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh, ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml	Provisioning script probes bucket existence via s3api head-bucket and skips creation if accessible; post-disconnected chain gains aws-deprovision-s3buckets step and updated doc text.
EXTRACT_MANIFEST_INCLUDED propagated to all branch configs ci-operator/config/openshift/cluster-capi-operator/openshift-cluster-capi-operator-main.yaml, ...release-4.23.yaml, ...release-5.0.yaml, ...release-5.1.yaml	EXTRACT_MANIFEST_INCLUDED: "true" added to e2e-aws-capi-disconnected-techpreview job steps.env in all four tracked branch configs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	The PR introduces aws-provision-bastionhost-commands.sh which writes proxy credentials (in format http://user:password@host:port) to files in ${SHARED_DIR} at lines 462-464, exposing sensitive auth...	Remove lines 462-464 that write PROXY_PUBLIC_URL, PROXY_PRIVATE_URL, and PROXY_PRIVATE_HTTPS_URL to files, as they contain credentials embedded in the URL.
Title check	⚠️ Warning	The title describes this as an experimental merge of two PRs but does not convey the actual substantive changes in the changeset.	Replace with a clear summary of the main technical changes, such as 'Fix S3 bucket leak and bootstrap failure in AWS disconnected test pipeline' or similar to reflect the actual fixes being applied.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This repository contains only CI/CD configuration and tooling (bash scripts, YAML configs); no Ginkgo tests exist in the codebase. The check is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code - only CI/CD configs and shell scripts. Check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All changes are in CI/CD configuration files (YAML configs, shell scripts, chain files), not test code.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes are limited to CI operator config files (YAML), bash scripts for provisioning, and step registry chains. No test code is modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only CI/CD infrastructure changes (pipeline configs, shell scripts, workflow chains) with no deployment manifests, operators, or controller code. Topology-aware scheduling check not app...
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML CI configuration files and bash shell scripts; no Go source code, OTE binaries, or test code with stdout communication to openshift-tests exists.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes are limited to CI configurations (YAML), bash scripts, and infrastructure definitions—not Ginkgo test code.
No-Weak-Crypto	✅ Passed	No weak cryptography, custom crypto implementations, or non-constant-time secret comparisons found. Changes are limited to CI/CD configuration, S3 bucket provisioning logic, and pipeline orchestrat...
Container-Privileges	✅ Passed	No privileged container configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) found in modified CI operator configuration files or bash scripts.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mdbooth]

/hold

I think I'm going to have to undraft this to get pj-rehearse to run.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mdbooth
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-capi-operator/OWNERS [mdbooth]
• ci-operator/step-registry/aws/OWNERS
• ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS [mdbooth]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mdbooth]

/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

[openshift-merge-bot]

@mdbooth: pj-rehearse could not automatically process this event because the request waited in queue for longer than 5 minutes. Use /pj-rehearse to trigger rehearsals manually.

[openshift-merge-bot]

@mdbooth: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[mdbooth]

/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@mdbooth: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.