[DO NOT MERGE] sandboxed-containers-operator: add Azure disconnected workflow

[balintTobik]

sandboxed-containers-operator: add Azure disconnected workflow

Add e2e workflow for testing OSC on a disconnected ARO cluster.

Summary by CodeRabbit

This PR adds an end-to-end disconnected (air-gapped) Azure Red Hat OpenShift (ARO) test workflow for the Sandboxed Containers Operator (OSC) to OpenShift CI infrastructure, including private/disconnected catalog & image mirroring and proxy-aware execution. The PR is intentionally kept on hold ([DO NOT MERGE] with /hold) and is being rehearsed via a downstream disconnected ARO periodic CI job.

Key changes:

• New downstream periodic job for disconnected ARO (aro-ipi-kata-disconnected)
  Adds a new tests job in the 4.19 downstream candidate configuration to run the disconnected Azure ARO OSC e2e workflow on the azure-qe cluster profile. It disables must-gather (ENABLE_MUST_GATHER: "false"), sets SLEEP_DURATION: 3h, narrows tests to non-disruptive via TEST_FILTERS: ~Disruptive&, forces TEST_PARALLEL: "1", includes reporter configuration, and sets a 24h0m0s timeout. (restrict_network_access is not set on the new job entry.)

• New disconnected ARO e2e workflow (sandboxed-containers-operator-e2e-aro-disconnected)
  Introduces a workflow that provisions a disconnected/private ARO environment (resource group/VNet/bastion/proxy and network setup), configures required mirroring/disconnected parameters, runs the operator pre-chain, executes openshift-extended-test, then runs the operator post-chain and deprovisions resources. The workflow supports disconnected routing/mirroring controls (including mirror registry DNS/base domain inputs) and configures must-gather behavior as failure-only (MUST_GATHER_ON_FAILURE_ONLY: "true" while ENABLE_MUST_GATHER stays off).

• New mirror-operator mirroring step/implementation
  Adds a mirroring command script that authenticates to the target mirror registry and Red Hat operator registry, generates/runs oc-mirror v2 to mirror operator catalogs, applies generated disconnected cluster-resources, optionally mirrors extra images, configures trust for the mirror registry host (trusted CA), disables default OperatorHub catalog sources, waits for required MCP/catalog readiness, and can record the discovered disconnected CatalogSource name for downstream use.

• Proxy-aware + disconnected catalog propagation across step scripts
  Several step scripts now conditionally source ${SHARED_DIR}/proxy-conf.sh (when present and non-empty) to ensure proxy settings are applied early. Additionally, the env-cm commands script can read a disconnected catalog source name from a shared file and set CATALOG_SOURCE_NAME accordingly; this value is then used by other steps (must-gather, Kata RPM fetching, and record-metadata).

• Owners/metadata for the new disconnected workflow and mirroring step
  Updates OWNERS and adds/fills workflow/step metadata JSON for the new disconnected ARO workflow and the new mirroring reference, with consistent approver/reviewer lists across the added components.

[balintTobik]

/hold

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a disconnected ARO CI job and workflow for sandboxed-containers-operator, a mirror-operator step for registry mirroring, and script updates that load shared proxy settings and disconnected catalog-source state.

Changes

Disconnected ARO pipeline

Layer / File(s)	Summary
Job and workflow registration ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml, ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/*	Adds the disconnected ARO workflow metadata and ownership files, registers aro-ipi-kata-disconnected, and sets its cluster profile, environment, reporter config, workflow, and timeout.
Workflow execution chain ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml	Defines the disconnected ARO workflow environment and the ordered pre, test, and post steps for provisioning, mirroring, testing, must-gather collection, and deprovisioning.
Mirror operator step ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/*	Adds the mirror-operator ref, metadata, ownership, and command script that logs into registries, runs oc-mirror, applies generated cluster resources, configures trust and mirror mappings, disables default OperatorHub sources, and waits for CatalogSource and MCP readiness.
Shared proxy and catalog source state ci-operator/step-registry/sandboxed-containers-operator/env-cm/..., gather-must-gather/..., get-kata-rpm/..., record-metadata/...	Updates step scripts to source ${SHARED_DIR}/proxy-conf.sh when available, and lets env-cm read disconnected_catalog_source_name from shared state to override CATALOG_SOURCE_NAME.

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

rehearsals-ack, ok-to-test

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	mirror-operator enables set -x before skopeo login ... -p, so registry passwords will hit logs; it also echoes the mirror host.	Disable xtrace around secret-bearing commands, and avoid echoing hostnames or other sensitive env values.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The new disconnected ARO workflow still fetches from Quay, registry.redhat.io, GitHub raw, and Brew, and it strips host ports with cut -d: -f1, which is IPv6-unsafe.	Mirror those assets internally or skip them in disconnected runs, and replace cut -d: -f1 with IPv6-safe host/port handling.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding an Azure disconnected workflow for sandboxed-containers-operator.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo titles were added in the modified files; the PR changes only workflow/config and shell scripts, not test cases.
Test Structure And Quality	✅ Passed	No Ginkgo test code was added; the PR only changes ci-operator YAML and shell helpers, so this test-quality check is not applicable.
Microshift Test Compatibility	✅ Passed	PASS: the PR adds CI workflow/config and shell scripts only; no new Go/Ginkgo tests or MicroShift-unsupported test APIs were added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo test code was added—only CI/workflow and shell/config changes. The new ARO job runs an existing extended-test workflow, so SNO check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Changed files are CI workflow/config and shell helpers; no pod scheduling constraints, replicas, affinity, or topology-based placement were introduced.
Ote Binary Stdout Contract	✅ Passed	The PR only adds CI YAML/shell step files; no Go main/TestMain/init or suite setup code was changed, so the OTE stdout contract is not implicated.
No-Weak-Crypto	✅ Passed	PASS: The patch adds CI/workflow plumbing only; no newly added MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret-compare code appears in the diff.
Container-Privileges	✅ Passed	Reviewed all new/modified sandboxed-containers-operator manifests and scripts; none add privileged:true, hostPID/hostNetwork/hostIPC, SYS_ADMIN, or allowPrivilegeEscalation:true.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: balintTobik
Once this PR has been reviewed and has the lgtm label, please assign wainersm for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/sandboxed-containers-operator/OWNERS
• ci-operator/jobs/openshift/sandboxed-containers-operator/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`:
- Line 107: The oc apply and oc patch commands at lines 107, 123, and 159 are
using || true to suppress errors, which masks critical cluster configuration
failures and allows the step to report success even when the cluster is only
partially configured. Remove the || true error suppression from all three oc
apply and oc patch command invocations to allow the script to fail appropriately
when these critical operations encounter errors, ensuring the cluster is
properly configured before the step completes.
- Line 6: Remove the global xtrace setting by replacing the `set -x` on line 6
with the default strict mode `set -euo pipefail`, which enables error handling
and variable expansion without command tracing. Additionally, refactor the
registry login commands at lines 35-37 to use the `--password-stdin` method
instead of passing the password directly with the `-p` flag, which pipes the
password through stdin instead of exposing it as a command-line argument that
could be captured in traces or process listings.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml`:
- Around line 15-16: The environment variable declared with the name
OPERTORS_TO_MIRROR contains a typo (missing the "A" in OPERATORS). Rename the
variable declaration from OPERTORS_TO_MIRROR to OPERATORS_TO_MIRROR in the YAML
file at the name field. Additionally, add backward-compatible fallback logic in
the associated command script to check for the old misspelled variable name
OPERTORS_TO_MIRROR and use it if OPERATORS_TO_MIRROR is not set, ensuring
existing callers using the misspelled name continue to work while new code uses
the correct spelling.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0d6c86a0-0e95-4d47-a407-c355b3f87023

📥 Commits

Reviewing files that changed from the base of the PR and between c75ad6f and 18cf38f.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (12)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__downstream-candidate419.yaml
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.metadata.json
• ci-operator/step-registry/sandboxed-containers-operator/e2e/aro-disconnected/sandboxed-containers-operator-e2e-aro-disconnected-workflow.yaml
• ci-operator/step-registry/sandboxed-containers-operator/env-cm/sandboxed-containers-operator-env-cm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/gather-must-gather/sandboxed-containers-operator-gather-must-gather-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/get-kata-rpm/sandboxed-containers-operator-get-kata-rpm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/OWNERS
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.metadata.json
• ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml
• ci-operator/step-registry/sandboxed-containers-operator/record-metadata/sandboxed-containers-operator-record-metadata-commands.sh

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Stop tracing and argv-passing registry credentials.

Line 6 enables global xtrace, and Lines 35-37 pass passwords with -p; together this can expose credential material in traces/process args. Keep default strict mode without -x, and use --password-stdin for registry logins.
As per coding guidelines, "Use default set -euo pipefail (without -x) in step registry command scripts; only enable -x when actively debugging" and "Protect sensitive information... never echo or print passwords, tokens, API keys."

Suggested patch

-set -x
+# Keep default strict mode without global xtrace.
@@
-echo "Logging into registries..."
-skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" -p "${mirror_registry_password}" --tls-verify=false
-skopeo login registry.redhat.io -u "${redhat_auth_user}" -p "${redhat_auth_password}"
+echo "Logging into registries..."
+printf '%s' "${mirror_registry_password}" | \
+  skopeo login "${MIRROR_REGISTRY_HOST}" -u "${mirror_registry_user}" --password-stdin --tls-verify=false
+printf '%s' "${redhat_auth_password}" | \
+  skopeo login registry.redhat.io -u "${redhat_auth_user}" --password-stdin

Also applies to: 35-37

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`
at line 6, Remove the global xtrace setting by replacing the `set -x` on line 6
with the default strict mode `set -euo pipefail`, which enables error handling
and variable expansion without command tracing. Additionally, refactor the
registry login commands at lines 35-37 to use the `--password-stdin` method
instead of passing the password directly with the `-p` flag, which pipes the
password through stdin instead of exposing it as a command-line argument that
could be captured in traces or process listings.

Source: Coding guidelines

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Do not suppress critical cluster-configuration failures.

Lines 107, 123, and 159 ignore oc apply/patch errors with || true, which can leave the cluster partially configured while this step reports success.

Suggested patch

-            oc apply -f "$f" || true
+            oc apply -f "$f"
@@
-    cat <<EOFITMS | oc apply -f - || true
+    cat <<EOFITMS | oc apply -f -
@@
-oc patch operatorhub cluster --type=merge -p '{"spec":{"disableAllDefaultSources":true}}' || true
+oc patch operatorhub cluster --type=merge -p '{"spec":{"disableAllDefaultSources":true}}'

Also applies to: 123-123, 159-159

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-commands.sh`
at line 107, The oc apply and oc patch commands at lines 107, 123, and 159 are
using || true to suppress errors, which masks critical cluster configuration
failures and allows the step to report success even when the cluster is only
partially configured. Remove the || true error suppression from all three oc
apply and oc patch command invocations to allow the script to fail appropriately
when these critical operations encounter errors, ensuring the cluster is
properly configured before the step completes.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the operator env var name typo before this interface spreads.

Line 15 declares OPERTORS_TO_MIRROR (misspelled). This makes intuitive callers of OPERATORS_TO_MIRROR silently ineffective and can produce unexpected defaults at runtime. Rename the declared variable and keep a temporary backward-compatible fallback in the command script.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/mirror-operator/sandboxed-containers-operator-mirror-operator-ref.yaml`
around lines 15 - 16, The environment variable declared with the name
OPERTORS_TO_MIRROR contains a typo (missing the "A" in OPERATORS). Rename the
variable declaration from OPERTORS_TO_MIRROR to OPERATORS_TO_MIRROR in the YAML
file at the name field. Additionally, add backward-compatible fallback logic in
the associated command script to check for the old misspelled variable name
OPERTORS_TO_MIRROR and use it if OPERATORS_TO_MIRROR is not set, ensuring
existing callers using the misspelled name continue to work while new code uses
the correct spelling.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@balintTobik: job(s): periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected either don't exist or were not found to be affected, and cannot be rehearsed

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@balintTobik: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-peerpods	N/A	periodic	Registry content changed

A total of 50 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[balintTobik]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aro-ipi-kata-disconnected

[openshift-merge-bot]

@balintTobik: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.