SREP-4417: Add AVO operator e2e as Prow periodic with ephemeral cluster

Create reusable step registry components for operator e2e testing:
- rosa-operator-install: installs operator via PKO ClusterPackage
- rosa-operator-e2e: runs Ginkgo e2e binary against target cluster
- rosa-operator-e2e-workflow: provisions ROSA Classic STS, installs
  operator, runs tests, deprovisions

Add AVO as the first consumer with a daily periodic at 6 AM UTC.
No osde2e dependency -- runs the Ginkgo binary directly with
cluster access via backplane.

Jira: SREP-4417

Author: dustman9000

ci-operator/config/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main__periodics.yaml

@@ -0,0 +1,35 @@
+base_images:
+  rosa-aws-cli:
+    name: rosa-aws-cli
+    namespace: ci
+    tag: latest
+build_root:
+  from_repository: true
+images:
+  items:
+  - dockerfile_path: test/e2e/Containerfile.prow
+    to: operator-e2e
+resources:
+  '*':
+    limits:
+      memory: 4Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: avo-e2e-stage
+  cron: 0 6 * * *
+  steps:
+    cluster_profile: rosa-e2e-01
+    env:
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: staging
+      OPERATOR_NAME: aws-vpce-operator
+      OPERATOR_PKO_IMAGE: "quay.io/redhat-services-prod/openshift/aws-vpce-operator-pko:latest"
+      OPERATOR_IMAGE: "quay.io/redhat-services-prod/openshift/aws-vpce-operator:latest"
+    workflow: rosa-operator-e2e-workflow
+zz_generated_metadata:
+  branch: main
+  org: openshift
+  repo: aws-vpce-operator
+  variant: periodics

ci-operator/jobs/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main-periodics.yaml

@@ -0,0 +1,74 @@
+periodics:
+- agent: kubernetes
+  cluster: build11
+  cron: 0 6 * * *
+  decorate: true
+  extra_refs:
+  - base_ref: main
+    org: openshift
+    repo: aws-vpce-operator
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-01
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-aws-vpce-operator-main-periodics-avo-e2e-stage
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --target=avo-e2e-stage
+      - --variant=periodics
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main-presubmits.yaml

@@ -246,6 +246,61 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )lint,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build11
+    context: ci/prow/periodics-images
+    decorate: true
+    labels:
+      ci-operator.openshift.io/variant: periodics
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-aws-vpce-operator-main-periodics-images
+    rerun_command: /test periodics-images
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=[images]
+        - --variant=periodics
+        command:
+        - ci-operator
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )periodics-images,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/rosa/operator/e2e-workflow/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.metadata.json

@@ -0,0 +1,7 @@
+{
+  "path": "rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml",
+  "owners": {
+    "approvers": ["tiwillia", "dustman9000", "bmeng", "ravitri"],
+    "reviewers": ["tiwillia", "dustman9000", "bmeng", "ravitri"]
+  }
+}

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml

@@ -0,0 +1,19 @@
+workflow:
+  as: rosa-operator-e2e-workflow
+  steps:
+    env:
+      CHANNEL_GROUP: stable
+      OPENSHIFT_VERSION: ""
+    pre:
+      - chain: rosa-aws-sts-provision
+      - ref: rosa-cluster-wait-ready-nodes
+      - ref: rosa-operator-install
+    test:
+      - ref: rosa-operator-e2e
+    post:
+      - ref: osd-gather-extra
+      - chain: rosa-aws-sts-deprovision
+  documentation: |-
+    Provisions a ROSA Classic STS cluster, installs an operator via PKO,
+    runs the operator e2e tests, then deprovisions. Designed for operator
+    CI validation with ephemeral clusters.

ci-operator/step-registry/rosa/operator/e2e/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-commands.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+log(){
+    echo -e "\033[1m$(date "+%d-%m-%YT%H:%M:%S") " "${*}\033[0m" >&2
+}
+
+if [[ -z "${OPERATOR_NAME:-}" ]]; then
+    log "ERROR: OPERATOR_NAME is required"
+    exit 1
+fi
+
+# Get cluster access: prefer shared kubeconfig from provision step,
+# fall back to backplane for persistent clusters
+if [[ -f "${SHARED_DIR}/kubeconfig" ]]; then
+    log "Using kubeconfig from provision step"
+    export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+elif [[ -n "${OPERATOR_E2E_CLUSTER_ID:-}" ]]; then
+    # Log into OCM for backplane access
+    SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+    SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+    OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+
+    if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with SSO credentials"
+        ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+    elif [[ -n "${OCM_TOKEN}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with offline token"
+        ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+    else
+        log "ERROR: No OCM credentials found in cluster profile"
+        exit 1
+    fi
+
+    log "Getting kubeconfig for cluster ${OPERATOR_E2E_CLUSTER_ID} via backplane"
+    ocm backplane login "${OPERATOR_E2E_CLUSTER_ID}"
+else
+    log "ERROR: No cluster access method available (no SHARED_DIR/kubeconfig or OPERATOR_E2E_CLUSTER_ID)"
+    exit 1
+fi
+
+# Verify cluster access
+oc whoami
+log "Connected to cluster: $(oc whoami --show-server)"
+
+# Run the operator e2e tests
+JUNIT_REPORT="${ARTIFACT_DIR}/junit-${OPERATOR_NAME}-e2e.xml"
+GINKGO_FLAGS="--ginkgo.junit-report=${JUNIT_REPORT} --ginkgo.v"
+
+if [[ -n "${GINKGO_LABEL_FILTER:-}" ]]; then
+    GINKGO_FLAGS="${GINKGO_FLAGS} --ginkgo.label-filter=${GINKGO_LABEL_FILTER}"
+fi
+
+log "Running ${OPERATOR_NAME} e2e tests..."
+/usr/local/bin/e2e.test ${GINKGO_FLAGS} || {
+    log "Tests failed. JUnit report at ${JUNIT_REPORT}"
+    exit 1
+}
+
+log "Tests passed. JUnit report at ${JUNIT_REPORT}"

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-ref.metadata.json

@@ -0,0 +1,7 @@
+{
+  "path": "rosa/operator/e2e/rosa-operator-e2e-ref.yaml",
+  "owners": {
+    "approvers": ["tiwillia", "dustman9000", "bmeng", "ravitri"],
+    "reviewers": ["tiwillia", "dustman9000", "bmeng", "ravitri"]
+  }
+}

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-ref.yaml

@@ -0,0 +1,29 @@
+ref:
+  as: rosa-operator-e2e
+  from: operator-e2e
+  grace_period: 10m
+  commands: rosa-operator-e2e-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 300Mi
+  timeout: 1h0m0s
+  env:
+  - name: OPERATOR_NAME
+    default: ""
+    documentation: Short name of the operator (e.g. aws-vpce-operator).
+  - name: OPERATOR_E2E_CLUSTER_ID
+    default: ""
+    documentation: OCM cluster ID to test against. For MC/SC-resident operators, use the MC or SC cluster ID directly.
+  - name: OCM_LOGIN_ENV
+    default: "production"
+    documentation: OCM environment where the target cluster is registered. MCs and SCs are registered in production.
+  - name: GINKGO_LABEL_FILTER
+    default: ""
+    documentation: Optional Ginkgo label filter expression.
+  documentation: |-
+    Runs an operator e2e test binary against an existing ROSA cluster.
+    Uses OCM credentials from the cluster profile to get cluster access
+    via backplane. For MC/SC-resident operators (AVO, RMO, etc.), target
+    the MC or SC directly. The e2e binary must be baked into the
+    operator-e2e image at /usr/local/bin/e2e.test.