cluster-authentication-operator: add external-oidc conformance periodic

liouk · liouk · commit cdca71a564b7 · 2025-09-22T12:31:28.000+02:00
Run the complete conformance suite except External OIDC tests (covered
by other jobs) and any tests that depend on the OAuth stack (e.g. APIs)
as the OAuth components do not exist in External OIDC.
diff --git a/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml b/ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml
@@ -330,6 +330,25 @@ tests:
       TEST_SUITE: openshift/auth/external-oidc
     workflow: openshift-e2e-aws-single-node
   timeout: 5h0m0s
+- as: e2e-aws-external-oidc-conformance-parallel-techpreview
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]\[Serial\] authorization
+        TestAuthorizationResourceAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]
+        authorization TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-cli\]
+        templates process \[apigroup:template.openshift.io\]\[Skipped:Disconnected\]
+        \[Suite:openshift\/conformance\/parallel\]\|\[sig-auth\]\[Feature:Authentication\]
+        TestFrontProxy should succeed \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance security tests \[apigroup:authorization.openshift.io\]\[apigroup:template.openshift.io\]
+        should pass security tests \[apigroup:route.openshift.io\] \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance impersonation tests \[apigroup:user.openshift.io\]\[apigroup:authorization.openshift.io\]
+      TEST_SUITE: openshift/conformance/parallel
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
 zz_generated_metadata:
   branch: release-4.21
   org: openshift
diff --git a/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml b/ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml
@@ -74,6 +74,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.21
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.21"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance-parallel-techpreview
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   decorate: true
