Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@mtulio: This pull request references SPLAT-2637 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

No actionable comments were generated in the recent review. 🎉

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

/test ?

PR-Agent: could not fine a component named ? in a supported language in this PR.

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Hello @mtulio! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

/test all

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

/test verify-feature-promotion
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

@mtulio: This pull request references SPLAT-2637 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

e2e-aws-ovn-hypershift-conformance is legitm, I just created the skip openshift/release#75211 while we are waiting for the feature PR in hypershift openshift/hypershift#7460

verify-feature-promotion is also failing locally.

$ make verify-feature-promotion 
hack/verify-promoted-features-pass-tests.sh
comparing against master
...
Query sippy for all test run results for pattern "FeatureGate:AWSServiceLBNetworkSecurityGroup]" on variant main.JobVariant{Cloud:"aws", Architecture:"amd64", Topology:"single", NetworkStack:""}
Querying sippy release 4.22 for test run results
F0224 11:24:48.988679 2287144 root.go:64] Error running codegen: Get "https://sippy.dptools.openshift.org/api/tests?filter=%7....erator%22%3A%22and%22%7D&period=default&release=4.22":
 context deadline exceeded (Client.Timeout exceeded while awaiting headers)
make: *** [Makefile:95: verify-feature-promotion] Error 255

/test e2e-aws-ovn-techpreview

PR-Agent: could not fine a component named e2e-aws-ovn-techpreview in a supported language in this PR.

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ccm-techpreview

@mtulio: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ccm-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f8192380-1722-11f1-9762-ff925bc266de-0

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ccm-techpreview

@mtulio: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ccm-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/beb86480-18a2-11f1-8079-b2880f72d5dc-0

/test all

Based in verify-feature-promotion, I've updated this PR to focus on HA profile as that's the target for GA.

Hey @JoelSpeed , would you mind reviewing this PR? I am awaiting for tests to populate Sippy, meanwhile looking for feedback to have time to fix anything that might not be ready (except those tests). Thanks in advance.

Holding this PR until get tests populated for verify-feature-promotion:

/hold

Just ran the make verify-feature-promotion and got:

Query sippy for all test run results for feature gate "AWSServiceLBNetworkSecurityGroup" on clusterProfile ["SelfManagedHA"]
Query sippy for all test run results for pattern "FeatureGate:AWSServiceLBNetworkSecurityGroup]" on variant main.JobVariant{Cloud:"aws", Architecture:"amd64", Topology:"ha", NetworkStack:""}
Querying sippy release 4.22 for test run results
Query sippy for all test run results for pattern "FeatureGate:AWSServiceLBNetworkSecurityGroup]" on variant main.JobVariant{Cloud:"aws", Architecture:"amd64", Topology:"single", NetworkStack:""}
Querying sippy release 4.22 for test run results
Sufficient CI testing for "AWSServiceLBNetworkSecurityGroup".

I am addressing the Joel's feedback of HCP TP strategy in parallel of self-managed.

/pipeline required

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

• e2e-aws-ovn-hypershift: Issue is unrelated with the change:

/test e2e-aws-ovn-hypershift

• e2e-aws-ovn-techpreview: unrelated issue, all six tests cloud-provider-aws-e2e-openshift are passing:

/test e2e-aws-ovn-techpreview

/test e2e-aws-serial-1of2

e2e-azure failed on destroy, failing to delete RG. Unrelated to this change, since it's not required and feature not related to the platform, I will skip the re-run.

e2e-aws-serial-1of2 and e2e-azure are failing for unrelated reasons:

• e2e-aws-serial-1of2: monitor test on disruption/metrics-api
• e2e-azure: destroy flow

Hi Joel, would you mind reviewing it please?
/assign @JoelSpeed

/lgtm
/verified by CI

@JoelSpeed: This PR has been marked as verified by CI.

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcpowermac, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/hold cancel

Investigation of job e2e-aws-serial-1of2 failure by Claude 🤖

PR Analysis by Claude 🤖

Analyzing test failures for job pull-ci-openshift-api-master-e2e-aws-serial-1of2 (ID: 2031076482759004160)

Failed Tests

• [Monitor:metrics-api-availability][sig-instrumentation] disruption/metrics-api connection/new should be available throughout the test
• [Monitor:metrics-api-availability][sig-instrumentation] disruption/metrics-api connection/reused should be available throughout the test

Both tests failed with 31 seconds of disruption against an allowed threshold of 6 seconds, reporting 503 Service Unavailable errors starting at Mar 09 19:52:11.

Root Cause

The failures are caused by a test framework interaction between two concurrent tests:

Disruptive Test (running in foreground):

[sig-node] NoExecuteTaintManager Multiple Pods [Serial]
only evicts pods without tolerations from tainted nodes

• Started: ~19:51:08
• Completed: 19:53:14
• Duration: 2m6s
• Purpose: Validates pod eviction behavior when nodes are tainted

Monitor Test (running in background):

[Monitor:metrics-api-availability][sig-instrumentation]
disruption/metrics-api connection/new|reused

• Runs continuously throughout the test suite
• Measures API availability and allowed disruption windows

Event Timeline

19:51:08  NoExecuteTaintManager test begins
          ├─ Adds NoExecute taints to worker nodes
          │
19:52:09  TaintManager triggers mass pod eviction
          ├─ 23 pods evicted from 7 namespaces
          ├─ Including: thanos-querier (serves metrics-api)
          ├─              prometheus-k8s-1
          ├─              metrics-server instances
          └─              alertmanager, kube-state-metrics, etc.
          │
19:52:10  Replacement pods created and scheduled
          ├─ thanos-querier-f9488dbcd-f4pzt
          └─ metrics-server, kube-state-metrics (new instances)
          │
19:52:11  metrics-api becomes unavailable
          ├─ Old thanos-querier terminating
          ├─ New thanos-querier starting (pulling image, initializing)
          └─ Monitor tests detect: 503 Service Unavailable
          │
19:52:42  New monitoring pods become Ready
          ├─ metrics-api service restored
          │
19:53:14  NoExecuteTaintManager test completes
          └─ Taints removed from nodes

Technical Details

Event Breakdown (19:52:09 - 19:52:30):

• TaintManagerEviction: 23 events
• Killing: 46 events
• SuccessfulCreate: 15 events
• Started: 12 events

Affected Namespaces:

• openshift-monitoring (11 pods)
• openshift-cluster-storage-operator
• openshift-dns
• openshift-image-registry
• openshift-ingress-canary
• openshift-insights
• openshift-network-console

Critical Impact:
The thanos-querier pod, which serves the metrics-api endpoint, was evicted and rescheduled. During the ~30-second gap between the old pod terminating and the new pod becoming Ready, the metrics-api endpoint returned 503 errors.

Disruption Calculation:

• Historical P99: 0s (new connections) / 680ms (reused connections)
• Rounded up: 1s
• Grace period: 5s
• Total allowed: 6s
• Actual disruption: 31s
• Result: Failed by 25s

Test Framework Issue

This represents a known conflict in the test suite design:

1. Serial disruptive tests (like NoExecuteTaintManager) intentionally cause node-level disruptions to validate cluster behavior
2. Background monitor tests continuously measure API availability across all operations
3. Result: Legitimate test-induced disruptions are flagged as failures by the monitors

The NoExecuteTaintManager test is working correctly - it successfully validated that pods without tolerations are evicted when nodes receive NoExecute taints. The monitoring stack pods (thanos-querier, prometheus, etc.) correctly do not tolerate arbitrary test taints and were properly evicted.

References

• Job: pull-ci-openshift-api-master-e2e-aws-serial-1of2/2031076482759004160
• JUnit: e2e-monitor-tests__20260309-193528.xml
• Events: events.json
• Test history: Job History

Analysis Artifacts

Full analysis available in the investigation artifacts:

• Event correlation and pod eviction details
• Node status verification (all nodes Ready, no persistent taints)
• Monitoring pod lifecycle during the disruption window

/retest-required

context deadline exceeded (Client.Timeout exceeded while awaiting headers)

^ verify-feature-promotion while calling to Sippy.

/test verify-feature-promotion

@mtulio: all tests passed!

Full PR test history. Your PR dashboard.