CNTRLPLANE-249 Build CI to cover Cilium CNI test for HCP on kubevirt platform

This commit brings a workflow for running conformance tests on hosted
cluster created by kubevirt. The manamenent cluster is bare metal.

* Introduce step hypershift-kubevirt-health-check-nodecount for cases when HostedCluster doesn't get Complete until Cilium CNI (or other
network stack) is installed on Nodes. In this case, we only check that number of available nodes matches the one from HostedCluster resource.
* Exclude same tests as for hypershift-aws-conformance-cilium workflow
  as they fail for Cilium in general (not specific for kubevirt)
* Exclude "StatefulSet Basic" and "StatefulSet Non-retain". Copied from hypershift-kubevirt-baremetalds-conformance workflow.These tests are flaky on Kubevirt.
* Exclude "[Feature:bond]" until
  openshift/origin#29630 is merged.

Author: mgencur

ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml

@@ -162,6 +162,16 @@ tests:
       ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-17
       REDHAT_OPERATORS_INDEX_TAG: v4.17
     workflow: hypershift-kubevirt-baremetalds-conformance
+- as: e2e-kubevirt-metal-conformance-cilium
+  minimum_interval: 168h
+  steps:
+    cluster_profile: equinix-ocp-hcp
+    env:
+      LVM_OPERATOR_SUB_CHANNEL: stable-4.19
+      ODF_OPERATOR_SUB_CHANNEL: stable-4.18
+      ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-18
+      REDHAT_OPERATORS_INDEX_TAG: v4.18
+    workflow: hypershift-kubevirt-baremetalds-conformance-cilium
 - as: e2e-kubevirt-metal-ovn-disconnected
   cron: 0 8 * * *
   steps:

ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-periodics.yaml

@@ -1101,6 +1101,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.19
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: equinix-ocp-metal
+    ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.19"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  minimum_interval: 168h
+  name: periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-kubevirt-metal-conformance-cilium
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-kubevirt-metal-conformance-cilium
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   cron: 0 4 * * *

ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.metadata.json

@@ -0,0 +1,21 @@
+{
+	"path": "hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"davidvossel",
+			"nirarg",
+			"nunnatsa",
+			"qinqon",
+			"orenc1",
+			"LiangquanLi930"
+		],
+		"reviewers": [
+			"davidvossel",
+			"nirarg",
+			"nunnatsa",
+			"qinqon",
+			"orenc1",
+			"LiangquanLi930"
+		]
+	}
+}

ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml

@@ -0,0 +1,67 @@
+workflow:
+  as: hypershift-kubevirt-baremetalds-conformance-cilium
+  documentation: |-
+    Executes tests against a new ephemeral HyperShift cluster with Cilium CNI.
+    Administrative access to the control plane is provided via the `KUBECONFIG`
+    environment variable.
+
+    Learn more about HyperShift here: https://github.com/openshift/hypershift
+
+    Track HyperShift's development here: https://issues.redhat.com/projects/HOSTEDCP
+  steps:
+    post:
+    - chain: hypershift-dump
+    - chain: gather-core-dump
+    - chain: hypershift-kubevirt-destroy
+    - chain: baremetalds-ipi-post
+    test:
+    - chain: hypershift-conformance
+    pre:
+    - chain: baremetalds-ipi-pre
+    - ref: enable-qe-catalogsource
+    - chain: hypershift-kubevirt-baremetalds-lvm
+    - chain: hypershift-kubevirt-baremetalds-metallb
+    - chain: hypershift-kubevirt-baremetalds-odf
+    - ref: hypershift-kubevirt-install
+    - ref: hypershift-install
+    - ref: hypershift-kubevirt-create
+    - ref: hypershift-kubevirt-baremetalds-proxy
+    - ref: hypershift-kubevirt-health-check-nodecount
+    - ref: cucushift-hypershift-extended-cilium
+    - ref: cucushift-hypershift-extended-cilium-health-check
+    env:
+      HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium.
+      METALLB_OPERATOR_SUB_SOURCE: qe-app-registry
+      LOCAL_STORAGE_OPERATOR_SUB_SOURCE: qe-app-registry
+      LVM_OPERATOR_SUB_CHANNEL: stable-4.19
+      LVM_OPERATOR_SUB_SOURCE: qe-app-registry
+      LVM_OPERATOR_SUB_INSTALL_NAMESPACE: openshift-lvm-storage
+      ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-18
+      ETCD_STORAGE_CLASS: lvms-vg1
+      TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress
+        access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\]
+        \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure
+        an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\]
+        \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve
+        endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\]
+        \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce
+        except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\]
+        \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with
+        Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully
+        idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\|
+        Unidling with Deployments \[apigroup:route.openshift.io\] should work with
+        UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using
+        the local DNS endpoint \[Suite:openshift/conformance/parallel\] \| \[Feature:bond\] \| StatefulSet Basic \| StatefulSet Non-retain
+      PACKET_OS: rocky_9
+      DEVSCRIPTS_CONFIG: |
+        IP_STACK=v4
+        NETWORK_TYPE=OVNKubernetes
+        NUM_WORKERS=0
+        NUM_MASTERS=3
+        MASTER_VCPU=16
+        MASTER_MEMORY=81920
+        VM_EXTRADISKS=true
+        VM_EXTRADISKS_LIST="vda vdb"
+        VM_EXTRADISKS_SIZE=250G

ci-operator/step-registry/hypershift/kubevirt/create/hypershift-kubevirt-create-commands.sh

@@ -172,6 +172,9 @@ if [[ -f "${SHARED_DIR}/GPU_DEVICE_NAME" ]]; then
   EXTRA_ARGS="${EXTRA_ARGS} --host-device-name $(cat "${SHARED_DIR}/GPU_DEVICE_NAME"),count:2"
 fi
 
+if [[ -n "${HYPERSHIFT_NETWORK_TYPE}" ]]; then
+  EXTRA_ARGS="${EXTRA_ARGS} --network-type=${HYPERSHIFT_NETWORK_TYPE}"
+fi
 
 echo "$(date) Creating HyperShift guest cluster ${CLUSTER_NAME}"
 # Workaround for: https://issues.redhat.com/browse/OCPBUGS-42867

ci-operator/step-registry/hypershift/kubevirt/create/hypershift-kubevirt-create-ref.yaml

@@ -14,6 +14,9 @@ ref:
     - name: HYPERSHIFT_NODE_CPU_CORES
       default: "4"
       documentation: "The number of CPU cores that will be assigned for the kubevirt hosted cluster's nodes."
+    - name: HYPERSHIFT_NETWORK_TYPE
+      default: ""
+      documentation: "Specifies the cluster SDN provider."
     - name: RUN_HOSTEDCLUSTER_CREATION
       default: "true"
       documentation: |-

ci-operator/step-registry/hypershift/kubevirt/health-check/nodecount/OWNERS

@@ -0,0 +1,15 @@
+approvers:
+- davidvossel
+- nirarg
+- nunnatsa
+- qinqon
+- orenc1
+- LiangquanLi930
+options: {}
+reviewers:
+- davidvossel
+- nirarg
+- nunnatsa
+- qinqon
+- orenc1
+- LiangquanLi930

ci-operator/step-registry/hypershift/kubevirt/health-check/nodecount/hypershift-kubevirt-health-check-nodecount-commands.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+MCE=${MCE_VERSION:-""}
+CLUSTER_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
+if [[ -n ${MCE} ]] ; then
+    CLUSTER_NAMESPACE_PREFIX=local-cluster
+else
+    CLUSTER_NAMESPACE_PREFIX=clusters
+fi
+CLUSTER_NAMESPACE=${CLUSTER_NAMESPACE_PREFIX}-${CLUSTER_NAME}
+
+echo "Waiting for nested cluster's node count to reach the desired replicas count in the NodePool"
+until \
+  [[ $(oc get nodepool ${CLUSTER_NAME} -n ${CLUSTER_NAMESPACE_PREFIX} -o jsonpath='{.spec.replicas}') \
+    == $(oc --kubeconfig=${SHARED_DIR}/nested_kubeconfig get nodes --no-headers | wc -l) ]]; do
+      echo "$(date --rfc-3339=seconds) Nested cluster's node count is not equal to the desired replicas in the NodePool. Retrying in 30 seconds."
+      oc get vmi -n ${CLUSTER_NAMESPACE}
+      sleep 30s
+done

ci-operator/step-registry/hypershift/kubevirt/health-check/nodecount/hypershift-kubevirt-health-check-nodecount-ref.metadata.json

@@ -0,0 +1,21 @@
+{
+	"path": "hypershift/kubevirt/health-check/nodecount/hypershift-kubevirt-health-check-nodecount-ref.yaml",
+	"owners": {
+		"approvers": [
+			"davidvossel",
+			"nirarg",
+			"nunnatsa",
+			"qinqon",
+			"orenc1",
+			"LiangquanLi930"
+		],
+		"reviewers": [
+			"davidvossel",
+			"nirarg",
+			"nunnatsa",
+			"qinqon",
+			"orenc1",
+			"LiangquanLi930"
+		]
+	}
+}

ci-operator/step-registry/hypershift/kubevirt/health-check/nodecount/hypershift-kubevirt-health-check-nodecount-ref.yaml

@@ -0,0 +1,16 @@
+ref:
+  as: hypershift-kubevirt-health-check-nodecount
+  from: cli
+  grace_period: 10m
+  timeout: 45m0s
+  env:
+    - name: MCE_VERSION
+      default: ""
+      documentation: "version of the mce if installed. (\"\", 2.2, 2.3)"
+  commands: hypershift-kubevirt-health-check-nodecount-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  documentation: |-
+    HyperShift HostedCluster health - check node count against HostedCluster resource.