From 6ae1a3aca97ec1b07100f01dce9052fd3c82919b Mon Sep 17 00:00:00 2001
From: Kaleemullah Siddiqui
Date: Wed, 24 Jun 2026 06:11:48 +0530
Subject: [PATCH] kube-apiserver cert rotation job addition

This is added as cert rotation job based on PKI key size is disruptive and cannot be part existing e2e job as it affects the run of few tests there.

Signed-off-by: Kaleemullah Siddiqui
---
 ...-cluster-kube-apiserver-operator-main.yaml | 11 +++
 ...be-apiserver-operator-main-presubmits.yaml | 86 +++++++++++++++++++
 2 files changed, 97 insertions(+)

diff --git a/ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml b/ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
index 7ed20f352ad13..82e6a6739d01d 100644
--- a/ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
+++ b/ci-operator/config/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main.yaml
@@ -453,6 +453,17 @@ tests:
 test:
 - ref: openshift-e2e-test
 workflow: ipi-gcp
+- always_run: false
+ as: e2e-gcp-operator-cert-rotation-disruptive
+ optional: true
+ run_if_changed: ^(test/e2e-cert-rotation-disruptive)|^(pkg/operator/certrotationcontroller)|^(pkg/cmd/certregenerationcontroller)|^(vendor/github.com/openshift/library-go/pkg/crypto)|^(vendor/github.com/openshift/library-go/pkg/operator/certrotation)|^(vendor/github.com/openshift/library-go/pkg/pki)|^(vendor/github.com/openshift/api/config/v1alpha1/.*pki)
+ steps:
+ cluster_profile: openshift-org-gcp
+ env:
+ TEST_SUITE: openshift/cluster-kube-apiserver-operator/cert-rotation-disruptive
+ test:
+ - ref: openshift-e2e-test
+ workflow: ipi-gcp
 - always_run: false
 as: e2e-aws-operator-encryption-kms
 optional: true
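Review bot: The new `e2e-gcp-operator-cert-rotation-disruptive` entry is marked `optional: true`, so a failing cert-rotation run will not block a merge even when the change touches the paths listed in `run_if_changed` (`pkg/operator/certrotationcontroller`, the vendored `library-go/pkg/crypto` and `pkg/pki`). For a suite that guards PKI key size and certificate rotation, this leaves regressions advisory only; if that is intended while the disruptive suite stabilises, state it in the commit message and plan to drop `optional: true` afterwards. As a smaller style point, the `run_if_changed` pattern repeats `^(…)` per alternative and leaves the dots in `github.com` unescaped; a single group of the form `^(test/e2e-cert-rotation-disruptive|pkg/operator/certrotationcontroller|…)` with `github\.com` should match the same paths and is easier to audit. The `tests:` list continues outside the hunk.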
diff --git a/ci-operator/jobs/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main-presubmits.yaml b/ci-operator/jobs/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main-presubmits.yaml
index 419818516ace4..a8dd749570b04 100644
--- a/ci-operator/jobs/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift/cluster-kube-apiserver-operator/openshift-cluster-kube-apiserver-operator-main-presubmits.yaml
@@ -763,6 +763,92 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )e2e-gcp-operator,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build08 + context: ci/prow/e2e-gcp-operator-cert-rotation-disruptive + decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - Dockerfile.rhel7 + labels: + ci-operator.openshift.io/cloud: gcp + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-gcp + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-cert-rotation-disruptive + optional: true + rerun_command: /test e2e-gcp-operator-cert-rotation-disruptive + run_if_changed: ^(test/e2e-cert-rotation-disruptive)|^(pkg/operator/certrotationcontroller)|^(pkg/cmd/certregenerationcontroller)|^(vendor/github.com/openshift/library-go/pkg/crypto)|^(vendor/github.com/openshift/library-go/pkg/operator/certrotation)|^(vendor/github.com/openshift/library-go/pkg/pki)|^(vendor/github.com/openshift/api/config/v1alpha1/.*pki) + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=e2e-gcp-operator-cert-rotation-disruptive + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: 
/secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )e2e-gcp-operator-cert-rotation-disruptive,?($|\s.*) - agent: kubernetes always_run: false branches: