CNTRLPLANE-3629: cluster-authentication-operator: add periodic TPNU job for external oidc tests

[everettraven]

I noticed that we had removed all the TPNU jobs for the external oidc feature tests after promoting it to the default feature set.

As part of CNTRLPLANE-3629 we want to validate that promoting a new feature to TPNU, that builds on top of the base external oidc feature, does not introduce a regression as part of promoting it. Draft promotion PR: openshift/api#2893

To do that, this PR adds a couple AWS-based TPNU jobs that we can trigger for a rough assessment of this.

Summary by CodeRabbit

This PR re-adds periodic TPNU (Testing for Promotion to Next Update) test jobs for AWS-based external OIDC feature testing in the cluster-authentication-operator's CI configuration. Specifically, two new periodic test job definitions are added to the 5.0 release CI configuration:

1. e2e-aws-external-oidc-configure-techpreview – A new periodic AWS external OIDC configuration test running every 168 hours with the TechPreviewNoUpgrade feature set enabled
2. e2e-aws-external-oidc-revertoauth-techpreview – A new periodic AWS external OIDC revert-to-auth test running every 168 hours with the TechPreviewNoUpgrade feature set enabled

Both jobs mirror the structure and configuration of their non-TechPreview counterparts (which already exist in the file), including the same cluster profiles, test arguments, test suites, and workflow wiring. The key difference is the addition of FEATURE_SET: TechPreviewNoUpgrade in the environment configuration.

This enables validation that a new feature building on top of the base external OIDC feature (as referenced in ticket CNTRLPLANE-3629) does not introduce regressions during its promotion through the feature set hierarchy.

Impact: OpenShift CI infrastructure – cluster-authentication-operator's release 5.0 periodic job definitions

[openshift-ci-robot]

@everettraven: This pull request references CNTRLPLANE-3629 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

I noticed that we had removed all the TPNU jobs for the external oidc feature tests after promoting it to the default feature set.

As part of CNTRLPLANE-3629 we want to validate that promoting a new feature to TPNU, that builds on top of the base external oidc feature, does not introduce a regression as part of promoting it. Draft promotion PR: openshift/api#2893

To do that, this PR adds a couple AWS-based TPNU jobs that we can trigger for a rough assessment of this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Two new periodic e2e test entries — e2e-aws-external-oidc-configure-techpreview and e2e-aws-external-oidc-revertoauth-techpreview — are added to the release-5.0 periodics YAML. Each mirrors its existing non-TechPreview counterpart and adds FEATURE_SET: TechPreviewNoUpgrade to the env section.

Changes

TechPreview Periodic Job Additions

Layer / File(s)	Summary
TechPreview configure and revert-on-auth periodic jobs ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml	Adds e2e-aws-external-oidc-configure-techpreview (lines 49–60) and e2e-aws-external-oidc-revertoauth-techpreview (lines 160–171), each duplicating the corresponding non-TechPreview job's interval, cluster profile, test arguments, feature gate skips, and workflow, with FEATURE_SET: TechPreviewNoUpgrade added to the env section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically references the main change: adding periodic TPNU jobs for external OIDC tests in the cluster-authentication-operator, with a JIRA ticket reference.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Both added test names (e2e-aws-external-oidc-configure-techpreview and e2e-aws-external-oidc-revertoauth-techpreview) are static, descriptive strings with no dynamic content such as generated suffi...
Test Structure And Quality	✅ Passed	PR adds CI configuration entries in YAML files, not Ginkgo test code. The custom check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PR adds CI job configuration only, not new Ginkgo e2e tests. The check applies only when new test code (It(), Describe(), etc.) is added, which is not the case here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only adds CI job configurations (YAML) for existing tests, not new Ginkgo e2e test code. The check applies only to new Ginkgo tests (It(), Describe(), Context(), When()), which are absent here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies CI test job configuration files, not deployment manifests, operator code, or controllers. No scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML CI configuration files, not Go test code. The OTE Binary Stdout Contract check applies to process-level Go code (main, init, suite setup), not configuration files, making it i...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only CI/CD YAML configuration files in openshift/release, not Ginkgo test code. The custom check requires new Ginkgo tests to be added; this PR doesn't add test code.
No-Weak-Crypto	✅ Passed	PR only modifies YAML CI configuration with test job definitions; no cryptographic code, weak algorithms, or token comparisons present.
Container-Privileges	✅ Passed	No privileged container settings found; file contains CI test job configs without container/pod security definitions, privileged flags, hostPID/hostNetwork/hostIPC, SYS_ADMIN capabilities, or root-...
No-Sensitive-Data-In-Logs	✅ Passed	PR adds 2 test configurations with standard env variables (FEATURE_SET, TEST_ARGS, TEST_SKIPS, etc.); no passwords, tokens, API keys, PII, session IDs, or internal hostnames detected.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@everettraven: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-revertoauth-techpreview	N/A	periodic	Periodic changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[everettraven]

/pj-rehearse

[openshift-merge-bot]

@everettraven: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ehearne-redhat]

/lgtm

[ehearne-redhat]

/pj-rehearse ack

/hold

Holding in case you wanted someone else to approve. Feel free to unhold if I misunderstood :D .

[openshift-merge-bot]

@ehearne-redhat: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[liouk]

Not sure why tide says that this needs to be by authors openshift-bot, openshift-ci[bot] or openshift-merge-bot[bot]?

/lgtm

/hold cancel

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ehearne-redhat, everettraven, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-authentication-operator/OWNERS [everettraven,liouk]
• ci-operator/jobs/openshift/cluster-authentication-operator/OWNERS [everettraven,liouk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

It looks like there are several merge patterns but it does pass at least one. So it should be fine. :)

[everettraven]

Wonder if these required checks are stuck - trying to kick them again...

/retest-required

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.