virt-platform-autopilot: add periodic e2e test on Azure with CNV

[rlobillo]

Summary

• Add a periodic CI job for virt-platform-autopilot that deploys OCP 5.0 nightly on Azure, installs CNV 4.99 via cnv-ci, and runs make run-e2e-tests-only
• Uses a dedicated __periodics.yaml to avoid duplication via config-brancher
• Artifacts are collected regardless of test pass/fail via trap EXIT

Test plan

• Rehearsal job passes on this PR
• Periodic job triggers and provisions Azure cluster successfully
• CNV installs correctly
• make run-e2e-tests-only executes and artifacts are collected

🤖 Generated with Claude Code

Summary by CodeRabbit

This PR adds a new periodic CI job in the OpenShift release repository for the OpenShift Virtualization team’s virt-platform-autopilot project. It runs nightly weekday end-to-end validation against OCP 5.0 on Azure using the ipi-azure workflow.

Concretely, it introduces a dedicated __periodics.yaml to define an e2e-azure scheduled test that:

• Provisions an Azure virtualization cluster (with azure-virtualization cluster profiling) and sets Azure base domain + compute node type.
• Installs CNV by downloading the openshift-cnv/cnv-ci toolchain, deriving CNV catalog image/channel from version-mapping.json, updating pull secret/imagedigest mirror set, and deploying CNV.
• Patches the kubevirt-hyperconverged (hco) custom resource to set spec.defaultCPUModel to Broadwell.
• Executes make run-e2e-tests-only for the E2E suite.
• Uses a trap ... EXIT in the test step to copy _output/* into the configured artifacts directory so artifacts are collected whether the tests succeed or fail.

The periodic job is configured to use a shared resources: '*' default and an explicit artifacts/grace-period/resource configuration for the test run.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b1390b1c-c47f-4807-a4f4-9472255a5dc0

📥 Commits

Reviewing files that changed from the base of the PR and between 6877520 and 00762d5.

📒 Files selected for processing (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

---

Walkthrough

A new periodic CI configuration is added for openshift-virtualization/virt-platform-autopilot on main. It defines the build root, OCP 5.0 candidate release, default resources, an Azure weekday e2e test, and generated metadata.

Changes

Periodic CI Configuration for virt-platform-autopilot

Layer / File(s)	Summary
Build root and release config ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml	Sets the build root image stream tag, the OCP 5.0 nightly candidate release, and default resource limits and requests.
Azure e2e periodic test ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml	Adds the e2e-azure weekday cron test with Azure profiling and environment variables, runs install-cnv and e2e-test, and records zz_generated_metadata for branch, org, repo, and variant.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

ok-to-test, rehearsals-ack

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The new periodic job curls cnv-ci from GitHub, and shared CNV helpers fetch raw.githubusercontent.com, so it requires public internet.	Mirror cnv-ci assets internally or skip/gate this job for disconnected environments; remove direct public GitHub/raw.githubusercontent downloads.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a periodic Azure e2e test with CNV for virt-platform-autopilot.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Only a CI YAML file changed; it contains static step names and no Ginkgo titles like It/Describe/Context/When.
Test Structure And Quality	✅ Passed	PR only adds a CI YAML config; no Ginkgo test code or test patterns are present to evaluate against this check.
Microshift Test Compatibility	✅ Passed	PR only adds a ci-operator periodic YAML; no Ginkgo test code or new test names/APIs were added, so MicroShift compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PASS: PR only adds a periodic CI YAML; no new Go/Ginkgo test definitions or SNO-sensitive test logic were added in this repo.
Topology-Aware Scheduling Compatibility	✅ Passed	Only a CI periodic job YAML was added; no deployment manifests, operator code, or controller scheduling logic changed.
Ote Binary Stdout Contract	✅ Passed	Only a CI YAML file changed; no Go/test entrypoint code or stdout-writing logic was added, so the OTE stdout contract is unaffected.
No-Weak-Crypto	✅ Passed	The only changed file is CI YAML and contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto/secret-comparison code.
Container-Privileges	✅ Passed	The added periodics YAML contains no privileged/container security settings; no hits for privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation were found.
No-Sensitive-Data-In-Logs	✅ Passed	No secret-bearing values are logged; the new steps only run setup/test commands and pass credentials via mounted files/env paths without echoing them.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rlobillo
Once this PR has been reviewed and has the lgtm label, please assign dominikholler for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/OWNERS
• ci-operator/jobs/openshift-virtualization/virt-platform-autopilot/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml`:
- Around line 34-59: The curl command downloading the cnv-ci tarball is
hardcoded to fetch from `tarball/master`, but the job declares a specific
`CNV_VERSION: "4.99"`. Replace the hardcoded `master` reference in the curl URL
with a reference to the `CNV_VERSION` variable so the tarball version matches
the declared release version. This ensures the test infrastructure version
remains synchronized with the declared release versions rather than always
pulling from the master branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 977612ad-9c02-4ab3-b2e5-c223a3aa1935

📥 Commits

Reviewing files that changed from the base of the PR and between 91ed90d and ef81d37.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml

[coderabbitai]

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml"

echo "1) Verify current tarball source in config:"
rg -n 'cnv-ci/tarball|CNV_VERSION|OCP_VERSION' "$FILE"

echo
echo "2) Verify release tarball endpoints resolve:"
CNV_VERSION="$(awk '/name: CNV_VERSION/{getline; gsub(/"/,"",$2); print $2}' "$FILE")"
OCP_VERSION="$(awk '/name: OCP_VERSION/{getline; gsub(/"/,"",$2); print $2}' "$FILE")"

echo "Checking release-\${CNV_VERSION}: ${CNV_VERSION}"
curl -sSI "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" | head -n 1

echo "Checking release-\${OCP_VERSION}: ${OCP_VERSION}"
curl -sSI "https://github.com/openshift-cnv/cnv-ci/tarball/release-${OCP_VERSION}" | head -n 1

Repository: openshift/release

Length of output: 506

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml"

echo "=== Full file content for context ==="
cat -n "$FILE"

echo
echo "=== Check for other cnv-ci tarball references in codebase ==="
rg 'cnv-ci/tarball' --type yaml -A 2 -B 2 | head -60

Repository: openshift/release

Length of output: 3555

---

Pin cnv-ci tarball to the declared CNV_VERSION.

Line 34 hardcodes tarball/master, but the job declares CNV_VERSION: "4.99" and OCP_VERSION: "5.0" (lines 56–59). This creates nondeterminism—the test infrastructure diverges from the declared release versions, causing unpredictable failures.

Suggested fix

-        curl -L https://github.com/openshift-cnv/cnv-ci/tarball/master -o /tmp/cnv-ci.tgz
+        curl -fsSL "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" -o /tmp/cnv-ci.tgz

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -L https://github.com/openshift-cnv/cnv-ci/tarball/master -o /tmp/cnv-ci.tgz
	mkdir -p /tmp/cnv-ci
	tar -xvzf /tmp/cnv-ci.tgz -C /tmp/cnv-ci --strip-components=1
	cd /tmp/cnv-ci
	make update_pull_secret set_imagedigestmirrorset deploy_cnv
	oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p='[{"op": "add", "path": "/spec/defaultCPUModel", "value": "Broadwell"}]'
	credentials:
	- mount_path: /var/run/cnv-ci-brew-pull-secret
	name: cnv-ci-brew-pull-secret
	namespace: test-credentials
	- mount_path: /var/run/cnv-ci-konflux-pull-secret
	name: konflux-pull-secret
	namespace: test-credentials
	env:
	- default: '|7820aea2-0d75-11e7-9259-28d244ea5a6d.hhav.f63e13'
	name: BREW_IMAGE_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-brew-pull-secret/token
	name: BREW_IMAGE_REGISTRY_TOKEN_PATH
	- default: openshift-virtualization+konflux_ro_bot
	name: KONFLUX_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-konflux-pull-secret/token
	name: KONFLUX_REGISTRY_TOKEN_PATH
	- default: "5.0"
	name: OCP_VERSION
	- default: "4.99"
	name: CNV_VERSION
	curl -fsSL "https://github.com/openshift-cnv/cnv-ci/tarball/release-${CNV_VERSION}" -o /tmp/cnv-ci.tgz
	mkdir -p /tmp/cnv-ci
	tar -xvzf /tmp/cnv-ci.tgz -C /tmp/cnv-ci --strip-components=1
	cd /tmp/cnv-ci
	make update_pull_secret set_imagedigestmirrorset deploy_cnv
	oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p='[{"op": "add", "path": "/spec/defaultCPUModel", "value": "Broadwell"}]'
	credentials:
	- mount_path: /var/run/cnv-ci-brew-pull-secret
	name: cnv-ci-brew-pull-secret
	namespace: test-credentials
	- mount_path: /var/run/cnv-ci-konflux-pull-secret
	name: konflux-pull-secret
	namespace: test-credentials
	env:
	- default: '|7820aea2-0d75-11e7-9259-28d244ea5a6d.hhav.f63e13'
	name: BREW_IMAGE_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-brew-pull-secret/token
	name: BREW_IMAGE_REGISTRY_TOKEN_PATH
	- default: openshift-virtualization+konflux_ro_bot
	name: KONFLUX_REGISTRY_USERNAME
	- default: /var/run/cnv-ci-konflux-pull-secret/token
	name: KONFLUX_REGISTRY_TOKEN_PATH
	- default: "5.0"
	name: OCP_VERSION
	- default: "4.99"
	name: CNV_VERSION

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift-virtualization/virt-platform-autopilot/openshift-virtualization-virt-platform-autopilot-main__periodics.yaml`
around lines 34 - 59, The curl command downloading the cnv-ci tarball is
hardcoded to fetch from `tarball/master`, but the job declares a specific
`CNV_VERSION: "4.99"`. Replace the hardcoded `master` reference in the curl URL
with a reference to the `CNV_VERSION` variable so the tarball version matches
the declared release version. This ensures the test infrastructure version
remains synchronized with the declared release versions rather than always
pulling from the master branch.

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rlobillo: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[rlobillo]

/rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rlobillo]

/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

[openshift-merge-bot]

@rlobillo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@rlobillo: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure	00762d5	link	unknown	/pj-rehearse periodic-ci-openshift-virtualization-virt-platform-autopilot-main-periodics-e2e-azure

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.