kube-apiserver cert rotation job addition #80948

Open
kaleemsiddiqu wants to merge 1 commit into openshift:main from kaleemsiddiqu:kube-apiserver-cert-rotation

kaleemsiddiqu commented Jun 24, 2026

Contributor

This is added as the cert rotation job based on PKI key size is disruptive and cannot be part of the existing e2e job, as it affects the run of a few tests there.

Summary by CodeRabbit

This PR adds a new disruptive certificate rotation test job to the CI configuration for the OpenShift kube-apiserver operator. The change modifies ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml to include a new optional test entry named e2e-gcp-operator-cert-rotation-disruptive.

The new test job:

  • Runs on the GCP cluster profile (openshift-org-gcp)
  • Is conditionally triggered (via run_if_changed) when changes are made to certificate rotation or PKI-related code paths, including:
    • Certificate rotation test code (test/e2e-cert-rotation-disruptive)
    • Operator cert rotation controller (pkg/operator/certrotationcontroller, pkg/cmd/certregenerationcontroller)
    • Shared library crypto and PKI utilities (vendor/github.com/openshift/library-go/pkg/crypto, vendor/github.com/openshift/library-go/pkg/operator/certrotation, vendor/github.com/openshift/library-go/pkg/pki)
    • OpenShift API PKI configuration (vendor/github.com/openshift/api/config/v1alpha1/.*pki)
  • Executes the openshift/cluster-kube-apiserver-operator/cert-rotation-disruptive test suite using the standard openshift-e2e-test reference and ipi-gcp workflow

This dedicated, optional test job allows OpenShift CI to validate certificate rotation behavior in isolation, since the certification rotation process is disruptive and interferes with other concurrent tests if integrated into existing workflows.
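
A way to check which changed files would trigger a path-gated job like the one summarized above, as an added example that is not code from this PR or from the openshift/release repository. It assumes the `run_if_changed` value is an alternation of the paths listed in the summary (the PR's actual regex is not shown on this page) and that the pattern is tested against each changed file path without implicit anchoring, so a match anywhere in a path counts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Paths named in the PR summary. Joining them with "|" is an assumption about
// the shape of run_if_changed; the real regex is not visible on the page.
var gatedPaths = []string{
	`test/e2e-cert-rotation-disruptive`,
	`pkg/operator/certrotationcontroller`,
	`pkg/cmd/certregenerationcontroller`,
	`vendor/github.com/openshift/library-go/pkg/crypto`,
	`vendor/github.com/openshift/library-go/pkg/operator/certrotation`,
	`vendor/github.com/openshift/library-go/pkg/pki`,
	`vendor/github.com/openshift/api/config/v1alpha1/.*pki`,
}

// buildGate compiles the alternation; anchor=true pins it to the path start.
func buildGate(anchor bool) *regexp.Regexp {
	p := "(" + strings.Join(gatedPaths, "|") + ")"
	if anchor {
		p = "^" + p
	}
	return regexp.MustCompile(p)
}

// triggers returns the changed files that match; one match runs the job.
func triggers(gate *regexp.Regexp, changed []string) []string {
	var hits []string
	for _, f := range changed {
		if gate.MatchString(f) {
			hits = append(hits, f)
		}
	}
	return hits
}

// Constructed change set, not taken from any real PR.
var sampleChange = []string{
	"pkg/operator/certrotationcontroller/certrotationcontroller.go",
	"docs/archive/pkg/cmd/certregenerationcontroller/notes.md",
	"vendor/github.com/openshift/api/config/v1alpha1/types_pki.go",
	"pkg/operator/starter.go",
}

func main() {
	fmt.Println("unanchored:", triggers(buildGate(false), sampleChange))
	fmt.Println("anchored:  ", triggers(buildGate(true), sampleChange))
}
```

The unanchored gate also fires on the constructed `docs/archive/...` path because the controller path appears inside it; anchoring limits the trigger to the intended top-level directories.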

This is added as the cert rotation job based on PKI key size is disruptive and cannot be part
of the existing e2e job, as it affects the run of a few tests there.

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>

coderabbitai Bot commented Jun 24, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cc847ec7-fdd4-44bc-b59c-d62c3f60954e

📥 Commits

Reviewing files that changed from the base of the PR and between 3d4752d and 6ae1a3a.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml

Walkthrough

A new optional CI test job e2e-gcp-operator-cert-rotation-disruptive is added to the openshift-cluster-kube-apiserver-operator-main.yaml config. It runs on the openshift-org-gcp cluster profile using the ipi-gcp workflow, sets TEST_SUITE to the cert-rotation-disruptive suite, and is gated by run_if_changed regexes covering cert-rotation, crypto, controller, and PKI paths.

Changes

Cert-rotation disruptive e2e job

Layer / File(s) | Summary
New e2e-gcp-operator-cert-rotation-disruptive test job: ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml | Adds an optional test entry with run_if_changed guards for cert-rotation/crypto/PKI paths, openshift-org-gcp cluster profile, TEST_SUITE=openshift/cluster-kube-apiserver-operator/cert-rotation-disruptive, openshift-e2e-test ref, and ipi-gcp workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'kube-apiserver cert rotation job addition' accurately and concisely describes the main change - adding a new certificate rotation test job to the configuration.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR only modifies CI/CD YAML configuration files, not Go test files containing Ginkgo test definitions. The check for stable test names is not applicable.
Test Structure And Quality | ✅ Passed | PR modifies only CI/CD configuration (YAML file), not Ginkgo test code. Custom check for Ginkgo test quality does not apply to CI configuration files.
Microshift Test Compatibility | ✅ Passed | PR only modifies CI configuration files (YAML), not Ginkgo test code. Check is for when new Ginkgo e2e tests are added, which does not apply here.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds a CI job configuration, not new Ginkgo e2e test code. The check applies only when new test code (It(), Describe(), etc.) is added, which is not the case here.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds only CI/CD configuration files in ci-operator/ directories, not deployment manifests, operator code, or controllers. Check applies only to deployments/operators/controllers.
Ote Binary Stdout Contract | ✅ Passed | This PR only modifies a YAML CI configuration file (openshift-cluster-kube-apiserver-operator-main.yaml), not actual test or executable code. The OTE Binary Stdout Contract check applies to process...
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only modifies a CI configuration YAML file (openshift/release repo), not adding new Ginkgo e2e test code. Custom check requires new test code additions and is not applicable here.
No-Weak-Crypto | ✅ Passed | PR only adds YAML CI configuration file; no actual cryptographic code, weak crypto algorithms, custom implementations, or timing-sensitive comparisons are introduced.
Container-Privileges | ✅ Passed | The PR adds a CI job configuration with no privileged container settings. The file is a CI Operator config defining test pipelines, not a K8s manifest with container specs. No privileged: true, hos...
No-Sensitive-Data-In-Logs | ✅ Passed | The PR adds a standard CI test configuration entry with only public test names, cluster profiles, and workflow references. No passwords, tokens, API keys, PII, or sensitive data are present.


@openshift-ci openshift-ci Bot requested review from ingvagabund and xueqzhan June 24, 2026 02:40
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 24, 2026
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@kaleemsiddiqu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name | Repo | Type | Reason
pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-cert-rotation-disruptive | openshift/cluster-kube-apiserver-operator | presubmit | Presubmit changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@kaleemsiddiqu

Contributor Author

/pj-rehearse

@openshift-merge-bot

Contributor

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented Jun 24, 2026

Contributor

@kaleemsiddiqu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/rehearse/openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-cert-rotation-disruptive | 6ae1a3a | link | unknown | /pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-cert-rotation-disruptive


gangwgr commented Jun 24, 2026

Contributor

Not added additional job try first run with conformance tech preview jobs.
If you needed same for multiple repos, then many jobs needed

oceanc80 left a comment

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026
openshift-ci Bot commented Jun 24, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaleemsiddiqu, oceanc80

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
