SREP-4417: Add AVO operator e2e as Prow postsubmit with ephemeral cluster

Create reusable step registry components for operator e2e testing:
- rosa-operator-install: installs operator via PKO ClusterPackage
- rosa-operator-e2e: runs Ginkgo e2e binary (supports ephemeral and persistent clusters)
- rosa-operator-e2e-workflow: provisions ROSA Classic STS, installs
  operator, runs tests, deprovisions

Add AVO as the first consumer. Runs as a postsubmit on every merge
to openshift/aws-vpce-operator main, so SAPM can poll the result
for the deployed commit SHA to gate production promotion.

No osde2e dependency -- runs the Ginkgo binary directly.

Jira: SREP-4417

Author: dustman9000

ci-operator/config/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main.yaml

@@ -4,6 +4,8 @@ images:
   items:
   - dockerfile_path: build/Dockerfile
     to: unused
+  - dockerfile_path: test/e2e/Containerfile.prow
+    to: operator-e2e
 resources:
   '*':
     limits:
@@ -53,6 +55,17 @@ tests:
   container:
     from: src
   skip_if_only_changed: ^(?:\.tekton|\.github)|\.md$|^(?:\.gitignore|OWNERS|LICENSE)$
+- as: avo-e2e-stage
+  postsubmit: true
+  steps:
+    cluster_profile: rosa-e2e-01
+    env:
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: staging
+      OPERATOR_NAME: aws-vpce-operator
+      OPERATOR_PKO_IMAGE: "quay.io/redhat-services-prod/openshift/aws-vpce-operator-pko:latest"
+      OPERATOR_IMAGE: "quay.io/redhat-services-prod/openshift/aws-vpce-operator:latest"
+    workflow: rosa-operator-e2e-workflow
 zz_generated_metadata:
   branch: main
   org: openshift

ci-operator/jobs/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main-postsubmits.yaml

@@ -1,5 +1,74 @@
 postsubmits:
   openshift/aws-vpce-operator:
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    cluster: build03
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-01
+      ci.openshift.io/generator: prowgen
+    max_concurrency: 1
+    name: branch-ci-openshift-aws-vpce-operator-main-avo-e2e-stage
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=avo-e2e-stage
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
   - agent: kubernetes
     always_run: true
     branches:

ci-operator/step-registry/rosa/operator/e2e-workflow/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.metadata.json

@@ -0,0 +1,7 @@
+{
+  "path": "rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml",
+  "owners": {
+    "approvers": ["tiwillia", "dustman9000", "bmeng", "ravitri"],
+    "reviewers": ["tiwillia", "dustman9000", "bmeng", "ravitri"]
+  }
+}

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml

@@ -0,0 +1,19 @@
+workflow:
+  as: rosa-operator-e2e-workflow
+  steps:
+    env:
+      CHANNEL_GROUP: stable
+      OPENSHIFT_VERSION: ""
+    pre:
+      - chain: rosa-aws-sts-provision
+      - ref: rosa-cluster-wait-ready-nodes
+      - ref: rosa-operator-install
+    test:
+      - ref: rosa-operator-e2e
+    post:
+      - ref: osd-gather-extra
+      - chain: rosa-aws-sts-deprovision
+  documentation: |-
+    Provisions a ROSA Classic STS cluster, installs an operator via PKO,
+    runs the operator e2e tests, then deprovisions. Designed for operator
+    CI validation with ephemeral clusters.

ci-operator/step-registry/rosa/operator/e2e/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-commands.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+log(){
+    echo -e "\033[1m$(date "+%d-%m-%YT%H:%M:%S") " "${*}\033[0m" >&2
+}
+
+if [[ -z "${OPERATOR_NAME:-}" ]]; then
+    log "ERROR: OPERATOR_NAME is required"
+    exit 1
+fi
+
+# Get cluster access: prefer shared kubeconfig from provision step,
+# fall back to backplane for persistent clusters
+if [[ -f "${SHARED_DIR}/kubeconfig" ]]; then
+    log "Using kubeconfig from provision step"
+    export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+elif [[ -n "${OPERATOR_E2E_CLUSTER_ID:-}" ]]; then
+    # Log into OCM for backplane access
+    SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+    SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+    OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+
+    if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with SSO credentials"
+        ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+    elif [[ -n "${OCM_TOKEN}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with offline token"
+        ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+    else
+        log "ERROR: No OCM credentials found in cluster profile"
+        exit 1
+    fi
+
+    log "Getting kubeconfig for cluster ${OPERATOR_E2E_CLUSTER_ID} via backplane"
+    ocm backplane login "${OPERATOR_E2E_CLUSTER_ID}"
+else
+    log "ERROR: No cluster access method available (no SHARED_DIR/kubeconfig or OPERATOR_E2E_CLUSTER_ID)"
+    exit 1
+fi
+
+# Verify cluster access
+oc whoami
+log "Connected to cluster: $(oc whoami --show-server)"
+
+# Run the operator e2e tests
+JUNIT_REPORT="${ARTIFACT_DIR}/junit-${OPERATOR_NAME}-e2e.xml"
+GINKGO_FLAGS="--ginkgo.junit-report=${JUNIT_REPORT} --ginkgo.v"
+
+if [[ -n "${GINKGO_LABEL_FILTER:-}" ]]; then
+    GINKGO_FLAGS="${GINKGO_FLAGS} --ginkgo.label-filter=${GINKGO_LABEL_FILTER}"
+fi
+
+log "Running ${OPERATOR_NAME} e2e tests..."
+/usr/local/bin/e2e.test ${GINKGO_FLAGS} || {
+    log "Tests failed. JUnit report at ${JUNIT_REPORT}"
+    exit 1
+}
+
+log "Tests passed. JUnit report at ${JUNIT_REPORT}"

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-ref.metadata.json

@@ -0,0 +1,7 @@
+{
+  "path": "rosa/operator/e2e/rosa-operator-e2e-ref.yaml",
+  "owners": {
+    "approvers": ["tiwillia", "dustman9000", "bmeng", "ravitri"],
+    "reviewers": ["tiwillia", "dustman9000", "bmeng", "ravitri"]
+  }
+}

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-ref.yaml

@@ -0,0 +1,29 @@
+ref:
+  as: rosa-operator-e2e
+  from: operator-e2e
+  grace_period: 10m
+  commands: rosa-operator-e2e-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 300Mi
+  timeout: 1h0m0s
+  env:
+  - name: OPERATOR_NAME
+    default: ""
+    documentation: Short name of the operator (e.g. aws-vpce-operator).
+  - name: OPERATOR_E2E_CLUSTER_ID
+    default: ""
+    documentation: OCM cluster ID to test against. For MC/SC-resident operators, use the MC or SC cluster ID directly.
+  - name: OCM_LOGIN_ENV
+    default: "production"
+    documentation: OCM environment where the target cluster is registered. MCs and SCs are registered in production.
+  - name: GINKGO_LABEL_FILTER
+    default: ""
+    documentation: Optional Ginkgo label filter expression.
+  documentation: |-
+    Runs an operator e2e test binary against an existing ROSA cluster.
+    Uses OCM credentials from the cluster profile to get cluster access
+    via backplane. For MC/SC-resident operators (AVO, RMO, etc.), target
+    the MC or SC directly. The e2e binary must be baked into the
+    operator-e2e image at /usr/local/bin/e2e.test.

ci-operator/step-registry/rosa/operator/install/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri