SREP-4417: Add AVO operator e2e as Prow presubmit and postsubmit

Create reusable step registry components for operator e2e testing:
- rosa-operator-install: installs operator via PKO ClusterPackage
- rosa-operator-e2e: runs Ginkgo e2e binary (ephemeral or persistent cluster)
- rosa-operator-e2e-workflow: provisions ROSA Classic STS, installs
  operator via PKO, runs tests, deprovisions

Add AVO as the first consumer with:
- Presubmit: runs on PRs that change operator/test code
- Postsubmit: runs on every merge, GitHub commit status gates
  SAPM promotion to stage/production

No osde2e dependency -- runs the Ginkgo binary directly.

Jira: SREP-4417

Author: dustman9000

ci-operator/config/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main.yaml

@@ -3,7 +3,9 @@ build_root:
 images:
   items:
   - dockerfile_path: build/Dockerfile
-    to: unused
+    to: aws-vpce-operator
+  - dockerfile_path: test/e2e/Containerfile.prow
+    to: operator-e2e
 resources:
   '*':
     limits:
@@ -53,6 +55,28 @@ tests:
   container:
     from: src
   skip_if_only_changed: ^(?:\.tekton|\.github)|\.md$|^(?:\.gitignore|OWNERS|LICENSE)$
+- as: avo-e2e-presubmit
+  run_if_changed: ^(test/e2e/.*|pkg/.*|api/.*|cmd/.*|deploy/.*|go\.mod|go\.sum)$
+  steps:
+    cluster_profile: rosa-e2e-01
+    env:
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: staging
+      OPERATOR_IMAGE: quay.io/redhat-services-prod/openshift/aws-vpce-operator:latest
+      OPERATOR_NAME: aws-vpce-operator
+      OPERATOR_PKO_IMAGE: quay.io/redhat-services-prod/openshift/aws-vpce-operator-pko:latest
+    workflow: rosa-operator-e2e-workflow
+- as: avo-e2e-postsubmit
+  postsubmit: true
+  steps:
+    cluster_profile: rosa-e2e-01
+    env:
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: staging
+      OPERATOR_IMAGE: quay.io/redhat-services-prod/openshift/aws-vpce-operator:latest
+      OPERATOR_NAME: aws-vpce-operator
+      OPERATOR_PKO_IMAGE: quay.io/redhat-services-prod/openshift/aws-vpce-operator-pko:latest
+    workflow: rosa-operator-e2e-workflow
 zz_generated_metadata:
   branch: main
   org: openshift

ci-operator/jobs/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main-postsubmits.yaml

@@ -1,5 +1,74 @@
 postsubmits:
   openshift/aws-vpce-operator:
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    cluster: build03
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-01
+      ci.openshift.io/generator: prowgen
+    max_concurrency: 1
+    name: branch-ci-openshift-aws-vpce-operator-main-avo-e2e-postsubmit
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=avo-e2e-postsubmit
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
   - agent: kubernetes
     always_run: true
     branches:

ci-operator/jobs/openshift/aws-vpce-operator/openshift-aws-vpce-operator-main-presubmits.yaml

@@ -1,5 +1,79 @@
 presubmits:
   openshift/aws-vpce-operator:
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build01
+    context: ci/prow/avo-e2e-presubmit
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-01
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-aws-vpce-operator-main-avo-e2e-presubmit
+    rerun_command: /test avo-e2e-presubmit
+    run_if_changed: ^(test/e2e/.*|pkg/.*|api/.*|cmd/.*|deploy/.*|go\.mod|go\.sum)$
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=avo-e2e-presubmit
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )avo-e2e-presubmit,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/rosa/operator/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e-workflow/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.metadata.json

@@ -0,0 +1,17 @@
+{
+	"path": "rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		],
+		"reviewers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		]
+	}
+}

ci-operator/step-registry/rosa/operator/e2e-workflow/rosa-operator-e2e-workflow-workflow.yaml

@@ -0,0 +1,19 @@
+workflow:
+  as: rosa-operator-e2e-workflow
+  steps:
+    env:
+      CHANNEL_GROUP: stable
+      OPENSHIFT_VERSION: ""
+    pre:
+      - chain: rosa-aws-sts-provision
+      - ref: rosa-cluster-wait-ready-nodes
+      - ref: rosa-operator-install
+    test:
+      - ref: rosa-operator-e2e
+    post:
+      - ref: osd-gather-extra
+      - chain: rosa-aws-sts-deprovision
+  documentation: |-
+    Provisions a ROSA Classic STS cluster, installs an operator via PKO,
+    runs the operator e2e tests, then deprovisions. Designed for operator
+    CI validation with ephemeral clusters.

ci-operator/step-registry/rosa/operator/e2e/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri
+reviewers:
+- tiwillia
+- dustman9000
+- bmeng
+- ravitri

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-commands.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+log(){
+    echo -e "\033[1m$(date "+%d-%m-%YT%H:%M:%S") " "${*}\033[0m" >&2
+}
+
+if [[ -z "${OPERATOR_NAME:-}" ]]; then
+    log "ERROR: OPERATOR_NAME is required"
+    exit 1
+fi
+
+# Get cluster access: prefer shared kubeconfig from provision step,
+# fall back to backplane for persistent clusters
+if [[ -f "${SHARED_DIR}/kubeconfig" ]]; then
+    log "Using kubeconfig from provision step"
+    export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+elif [[ -n "${OPERATOR_E2E_CLUSTER_ID:-}" ]]; then
+    # Log into OCM for backplane access
+    SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+    SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+    OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+
+    if [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with SSO credentials"
+        ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+    elif [[ -n "${OCM_TOKEN}" ]]; then
+        log "Logging into ${OCM_LOGIN_ENV} with offline token"
+        ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+    else
+        log "ERROR: No OCM credentials found in cluster profile"
+        exit 1
+    fi
+
+    log "Getting kubeconfig for cluster ${OPERATOR_E2E_CLUSTER_ID} via backplane"
+    ocm backplane login "${OPERATOR_E2E_CLUSTER_ID}"
+else
+    log "ERROR: No cluster access method available (no SHARED_DIR/kubeconfig or OPERATOR_E2E_CLUSTER_ID)"
+    exit 1
+fi
+
+# Verify cluster access
+oc whoami
+log "Connected to cluster: $(oc whoami --show-server)"
+
+# Run the operator e2e tests
+JUNIT_REPORT="${ARTIFACT_DIR}/junit-${OPERATOR_NAME}-e2e.xml"
+GINKGO_FLAGS="--ginkgo.junit-report=${JUNIT_REPORT} --ginkgo.v"
+
+if [[ -n "${GINKGO_LABEL_FILTER:-}" ]]; then
+    GINKGO_FLAGS="${GINKGO_FLAGS} --ginkgo.label-filter=${GINKGO_LABEL_FILTER}"
+fi
+
+log "Running ${OPERATOR_NAME} e2e tests..."
+/usr/local/bin/e2e.test ${GINKGO_FLAGS} || {
+    log "Tests failed. JUnit report at ${JUNIT_REPORT}"
+    exit 1
+}
+
+log "Tests passed. JUnit report at ${JUNIT_REPORT}"

ci-operator/step-registry/rosa/operator/e2e/rosa-operator-e2e-ref.metadata.json

@@ -0,0 +1,17 @@
+{
+	"path": "rosa/operator/e2e/rosa-operator-e2e-ref.yaml",
+	"owners": {
+		"approvers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		],
+		"reviewers": [
+			"tiwillia",
+			"dustman9000",
+			"bmeng",
+			"ravitri"
+		]
+	}
+}