CNTRLPLANE-3574: Migrate FIPS testing on AWS nad AKS to upstream

[mgencur]

Partially covers https://redhat.atlassian.net/browse/CNTRLPLANE-3574 (only partially because we also need to remove old tests from openshift-tests-private)

• Add e2e-aws-ovn-conformance-fips periodic jobs (4.16-5.0)
• Add e2e-conformance-fips optional presubmit for main
• Remove fips-guest-f28-destructive and fips-mgmt-f14 from QE configs
• New hypershift-hostedcluster-fips-check
• Add e2e-azure-aks-ovn-conformance-fips (4.19-5.0)
• Add optional e2e-azure-aks-ovn-conformance-fips presubmit for main
• Remove azure-aks-hypershift-byo-vnet-fips-guest and fips-mgmt from openshift-tests-private configs (4.19-4.22, 5.0)

Summary by CodeRabbit

This PR migrates HyperShift FIPS testing on AWS and Azure AKS from QE-owned private jobs into upstream OpenShift CI hypershift conformance workflows as part of CNTRLPLANE-3574.

What changed (practical impact)

• Adds upstream FIPS conformance presubmit/periodics:
  • Main (optional presubmit): introduces optional e2e-conformance-fips (AWS) and e2e-azure-aks-ovn-conformance-fips (Azure AKS) variants wired into the hypershift conformance flows.
  • Release branches (periodics): adds versioned periodic hypershift conformance FIPS jobs:
    • AWS: e2e-aws-ovn-conformance-fips for 4.16 through 5.0, running the minimal conformance parallel suite with EXTRA_ARGS: --fips, PUBLIC_ONLY: "true", and a chained test sequence that includes a hosted-cluster FIPS verification step.
    • Azure AKS: e2e-azure-aks-ovn-conformance-fips for 4.19 through 5.0, enabling FIPS via HYPERSHIFT_AZURE_FIPS: "true" and using the same hosted-cluster FIPS verification prerequisite before hypershift conformance.
• Introduces a reusable hosted-cluster FIPS gate:
  • Adds a new step-registry entry hypershift-hostedcluster-fips-check (OWNERS/ref/metadata + a Bash script) that checks /proc/sys/crypto/fips_enabled on all Kubernetes nodes using oc debug and a nested kubeconfig from SHARED_DIR.
  • Updates the hypershift conformance flows to include the hosted-cluster FIPS check as part of the new FIPS conformance test chains.
  • Updates the AWS and Azure conformance workflows’ TEST_SKIPS to include the new FIPS TestFIPS skip entry with a pending FIPS-related follow-up noted in comments.
• Removes legacy QE FIPS private jobs from openshift-tests-private:
  • AWS: removes FIPS-related hypershift guest/mgmt jobs (notably fips-guest-f28-destructive and fips-mgmt-f14) and replaces them with other hypershift guest/mgmt variants in the affected nightly configs (e.g., 4.16–4.22 and 5.0 regions).
  • Azure AKS: removes azure-aks-hypershift-byo-vnet-fips-guest* and related FIPS mgmt blocks from the private nightly configs for the versions specified in the objectives, replacing them with other hypershift guest workflows.

Why this is being done / expected outcome

• Moves FIPS conformance coverage to upstream hypershift CI for more consistent and maintainable execution across releases (4.16–5.0).
• Adds an explicit node-level FIPS verification gate so conformance runs don’t proceed when hosted clusters aren’t actually FIPS-enabled.
• De-duplicates and eliminates older QE-owned FIPS private job definitions, aligning the remaining private CI coverage with newer upstream workflows.

Current status / dependency

• The PR is held pending coordination with openshift/origin PR 31288 to ensure correct test skipping/step selection behavior across older vs newer branches (skip logic for the new CI step when the origin PR is already available, and skipping tests appropriately for older branches).

[openshift-ci-robot]

@mgencur: This pull request references CNTRLPLANE-3574 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Partially covers https://redhat.atlassian.net/browse/CNTRLPLANE-3574 (only partially because we also need to migrate AKS FIPS tests and then remove old tests from openshift-tests-private)

• Add e2e-aws-ovn-conformance-fips periodic jobs (4.16-5.0)
• Add e2e-conformance-fips optional presubmit for main
• Remove fips-guest-f28-destructive and fips-mgmt-f14 from QE configs
• New hypershift-hostedcluster-fips-check ref (symlinks fips-check script)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a hostedcluster FIPS verification step, metadata and OWNERS; adds FIPS-enabled conformance periodics (4.16–5.0) that run the FIPS check then hypershift-conformance; and updates private-nightly hypershift job variants and a workflow skip list.

Changes

HyperShift FIPS Conformance Testing

Layer / File(s)	Summary
FIPS step registry and script ci-operator/step-registry/hypershift/hostedcluster/fips-check/*	New hypershift-hostedcluster-fips-check step (*.yaml, .metadata.json), execution script (hypershift-hostedcluster-fips-check-commands.sh), and simplified OWNERS. The script checks /proc/sys/crypto/fips_enabled on hosted cluster nodes using nested_kubeconfig from SHARED_DIR.
Conformance workflow FIPS configuration ci-operator/step-registry/hypershift/aws/conformance/hypershift-aws-conformance-workflow.yaml, ci-operator/step-registry/hypershift/azure/aks/conformance/hypershift-azure-aks-conformance-workflow.yaml	Updated both AWS and Azure conformance workflows to append FIPS TestFIPS to TEST_SKIPS. Azure workflow also adds a wait step in the pre phase.
Main optional tests ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml	Adds optional e2e-conformance-fips and e2e-azure-aks-ovn-conformance-fips test entries that set EXTRA_ARGS: --fips (AWS only), PUBLIC_ONLY: "true", use openshift/conformance/parallel/minimal, and run hypershift-hostedcluster-fips-check then hypershift-conformance.
Periodic FIPS conformance jobs (4.16–5.0) ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.*__periodics.yaml, ...release-5.0__periodics.yaml	Adds e2e-aws-ovn-conformance-fips and e2e-azure-aks-ovn-conformance-fips periodic entries across multiple releases with staggered cron schedules, EXTRA_ARGS: --fips/HYPERSHIFT_AZURE_FIPS: "true", PUBLIC_ONLY: "true" (AWS only), and hypershift-hostedcluster-fips-check chained into hypershift-conformance.
Private nightly hypershift job updates ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.*__amd64-nightly.yaml, ...release-5.0__amd64-nightly.yaml	Removes legacy aws-ipi-ovn-hypershift-fips-guest-f28-destructive and aws-ipi-ovn-hypershift-fips-mgmt-f14 jobs, replaces with new hypershift OVN guest/mgmt variants (external OIDC, IPsec, compliance, destructive, advanced, longduration, private/shared-VPC). For Azure, removes byo-vnet-fips-* variants and introduces disaster-recovery, ephemeral-creds, and other guest configurations. Adds idp-openldap pre-step to some OpenLDAP guest jobs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

rehearsals-ack

Suggested reviewers

• sjenning
• bryan-cox

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title describes the primary change: migrating FIPS testing on AWS and AKS to upstream configurations, which aligns with the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR adds no Ginkgo test code. All additions are CI configuration files (YAML), a shell script for FIPS checks, and metadata. All test names are static and descriptive with no dynamic content.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code; check is for reviewing Ginkgo test quality only. Changes consist of YAML configurations, shell scripts, and metadata files unrelated to test code review.
Microshift Test Compatibility	✅ Passed	The custom check targets new Ginkgo e2e tests, but this PR adds only CI operator configuration and a shell script verification step—no new Ginkgo test code is added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR only configures CI jobs and adds a FIPS verification shell script step; no Go test files with It(), Describe(), etc. are added, so SNO compatibility check does not...
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only CI/test infrastructure (job configs, step registry definitions, shell scripts) and does not add deployment manifests, operator code, or controllers with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	This PR adds no Go code that violates OTE Binary Stdout Contract. Changes consist of YAML CI configs, a bash step script, and metadata—not OTE binaries. The bash script is a CI step executed in iso...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds CI/CD configuration and infrastructure only (YAML configs, shell scripts, step registry definitions). No new Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility...
No-Weak-Crypto	✅ Passed	PR adds FIPS test automation but no weak crypto: script only checks /proc/sys/crypto/fips_enabled status, has no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, no custom crypto code, no secret comparisons.
Container-Privileges	✅ Passed	PR contains only OpenShift CI configuration files and scripts, no Kubernetes container/pod manifests with privilege-related settings to flag.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data) found in logs or environment variables. Shell script only outputs FIPS status checks; configs...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-commands.sh`:
- Around line 13-21: The script currently loops over the result of oc get nodes
and silently passes if that list is empty; capture the node list into a variable
(e.g., nodes="$(oc get nodes -o jsonpath='{.items[*].metadata.name}')" or
similar), check if that variable is empty/unset before entering the for loop,
and if so print an explicit error ("no nodes returned") and set failed=1 and
exit non-zero (or return non-zero) so the job fails; then iterate over the nodes
variable (not invoking oc again for the list) and keep the existing per-node
check using oc debug node/"${node}" and the fips variable. Ensure you reference
and update the existing variables node, nodes, fips, and failed in the script.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c515c388-df95-446b-85fb-2a2400027ef4

📥 Commits

Reviewing files that changed from the base of the PR and between 71055bd and 0b41b36.

📒 Files selected for processing (14)

• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.16__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.17__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.18__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.23__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/OWNERS
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-commands.sh
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-ref.metadata.json
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-ref.yaml

🚧 Files skipped from review as they are similar to previous changes (12)

• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.20__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.23__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-main.yaml
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/OWNERS
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.16__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml
• ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-ref.metadata.json
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.17__periodics.yaml
• ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.18__periodics.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail explicitly when no nodes are returned instead of passing by default.

If oc get nodes yields an empty set, this check currently reports success without validating any node. For a conformance gate, that is a false positive.

Suggested patch

 failed=0
-for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
+nodes="$(oc get nodes -o jsonpath='{.items[*].metadata.name}')"
+if [[ -z "${nodes}" ]]; then
+  echo "FIPS check FAILED: no nodes returned from hosted cluster"
+  exit 1
+fi
+
+for node in ${nodes}; do
   fips=$(oc debug node/"${node}" -- cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo "error")
   if [[ "${fips}" == "1" ]]; then
     echo "  ${node}: FIPS enabled"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
	fips=$(oc debug node/"${node}" -- cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo "error")
	if [[ "${fips}" == "1" ]]; then
	echo " ${node}: FIPS enabled"
	else
	echo " ${node}: FIPS NOT enabled (got: ${fips})"
	failed=1
	fi
	done
	nodes="$(oc get nodes -o jsonpath='{.items[*].metadata.name}')"
	if [[ -z "${nodes}" ]]; then
	echo "FIPS check FAILED: no nodes returned from hosted cluster"
	exit 1
	fi
	for node in ${nodes}; do
	fips=$(oc debug node/"${node}" -- cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo "error")
	if [[ "${fips}" == "1" ]]; then
	echo " ${node}: FIPS enabled"
	else
	echo " ${node}: FIPS NOT enabled (got: ${fips})"
	failed=1
	fi
	done

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hypershift/hostedcluster/fips-check/hypershift-hostedcluster-fips-check-commands.sh`
around lines 13 - 21, The script currently loops over the result of oc get nodes
and silently passes if that list is empty; capture the node list into a variable
(e.g., nodes="$(oc get nodes -o jsonpath='{.items[*].metadata.name}')" or
similar), check if that variable is empty/unset before entering the for loop,
and if so print an explicit error ("no nodes returned") and set failed=1 and
exit non-zero (or return non-zero) so the job fails; then iterate over the nodes
variable (not invoking oc again for the list) and keep the existing per-node
check using oc debug node/"${node}" and the fips variable. Ensure you reference
and update the existing variables node, nodes, fips, and failed in the script.

[mgencur]

/hold
Depends on openshift/origin#31288 (the current PR needs some changes to skip the test for older branches, and to skip the new CI step for new branches where this pull/31288 is available).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign enxebre, memodi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/hypershift/OWNERS
• ci-operator/config/openshift/openshift-tests-private/OWNERS
• ci-operator/jobs/openshift/hypershift/OWNERS
• ci-operator/jobs/openshift/openshift-tests-private/OWNERS
• ci-operator/step-registry/hypershift/OWNERS [mgencur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@mgencur: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance-fips	40fa34d	link	unknown	/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance-fips
ci/rehearse/periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance-fips	40fa34d	link	unknown	/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance-fips

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mgencur]

/unhold
This PR includes a custom check for FIPS until openshift/origin#31288 is merged and backported.

[mgencur]

/pj-rehearse ack

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mgencur: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-5.1-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-5.0-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.23-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.22-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-ingress-operator-release-4.20-e2e-aws-ovn-hypershift-conformance	openshift/cluster-ingress-operator	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-main-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-5.1-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-5.0-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.23-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.22-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.21-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.20-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.20-e2e-aws-ovn-hypershift-conformance-techpreview	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.19-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.19-e2e-aws-ovn-hypershift-conformance-techpreview	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.18-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.18-e2e-aws-ovn-hypershift-conformance-techpreview	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.17-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.17-e2e-aws-ovn-hypershift-conformance-techpreview	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.16-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.15-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.14-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed
pull-ci-openshift-ovn-kubernetes-release-4.13-e2e-aws-ovn-hypershift	openshift/ovn-kubernetes	presubmit	Registry content changed

A total of 258 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mgencur]

/pj-rehearse ack

[openshift-merge-bot]

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.