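--- a/ci-operator/config/fleetshift/fleetshift-poc/OWNERS
+++ b/ci-operator/config/fleetshift/fleetshift-poc/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- Hyperkid123
+- mshort55
+reviewers: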
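Review bot: `reviewers:` is the last of this file's four added lines and has no entries, so it loads as null rather than as an empty list. If no reviewers are intended yet, either drop the key or write `reviewers: []` so the intent is explicit and tooling that expects a list does not have to special-case null; otherwise list the reviewer handles under it. The same applies to the other three OWNERS hunks in this change (the ci-operator/jobs OWNERS for fleetshift-poc and fleetshift-user-interface, and the four-line OWNERS hunk that follows the first config file).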
@@ -0,0 +1,34 @@
build_root:
from_repository: true
images:
items:
- dockerfile_path: Dockerfile
to: fleetshift-server
resources:
'*':
requests:
cpu: 100m
memory: 200Mi
tests:
- as: pr-image-mirror
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-server
env:
IMAGE_REPO: fleetshift-server
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-merge-image-mirror
postsubmit: true
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-server
env:
IMAGE_REPO: fleetshift-server
IMAGE_TAG: latest
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
zz_generated_metadata:
branch: main
org: fleetshift
repo: fleetshift-poc
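Review bot: The `pr-image-mirror` test sets `IMAGE_REPO` and `REGISTRY_ORG` but no `IMAGE_TAG`, while the `pr-merge-image-mirror` postsubmit directly below pushes the same repo with `IMAGE_TAG: latest`, so the tag a PR build lands under is decided by the `ocm-ci-image-mirror` workflow's default, which is not visible in this change. Since the presubmit appears to publish an image built from unmerged code to the external `stolostron` org, I would make that explicit here so a PR tag cannot be mistaken for, or collide with, the post-merge `latest` tag: either set `IMAGE_TAG` on the presubmit to the workflow's PR-tag convention, or add a comment above `- as: pr-image-mirror` such as `# no IMAGE_TAG: PR builds use the ocm-ci-image-mirror workflow's default tag; only the postsubmit below publishes :latest`. It is also worth confirming that the push credential the workflow uses is scoped to the `stolostron/fleetshift-*` repositories rather than the whole org. The same pattern repeats in the fleetshift-user-interface config hunk for its three `pr-image-mirror-*` tests.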
@@ -0,0 +1,4 @@
approvers:
- Hyperkid123
- mshort55
reviewers:
@@ -0,0 +1,74 @@
build_root:
from_repository: true
images:
items:
- dockerfile_path: Dockerfile.gui
to: fleetshift-gui
- dockerfile_path: Dockerfile.mock-servers
to: fleetshift-mock-servers
- dockerfile_path: Dockerfile.mock-ui-plugins
to: fleetshift-mock-ui-plugins
resources:
'*':
requests:
cpu: 100m
memory: 200Mi
tests:
- as: pr-image-mirror-gui
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-gui
env:
IMAGE_REPO: fleetshift-gui
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-merge-image-mirror-gui
postsubmit: true
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-gui
env:
IMAGE_REPO: fleetshift-gui
IMAGE_TAG: latest
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-image-mirror-mock-servers
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-mock-servers
env:
IMAGE_REPO: fleetshift-mock-servers
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-merge-image-mirror-mock-servers
postsubmit: true
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-mock-servers
env:
IMAGE_REPO: fleetshift-mock-servers
IMAGE_TAG: latest
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-image-mirror-mock-ui-plugins
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-mock-ui-plugins
env:
IMAGE_REPO: fleetshift-mock-ui-plugins
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
- as: pr-merge-image-mirror-mock-ui-plugins
postsubmit: true
steps:
dependencies:
SOURCE_IMAGE_REF: fleetshift-mock-ui-plugins
env:
IMAGE_REPO: fleetshift-mock-ui-plugins
IMAGE_TAG: latest
REGISTRY_ORG: stolostron
workflow: ocm-ci-image-mirror
zz_generated_metadata:
branch: main
org: fleetshift
repo: fleetshift-user-interface
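--- a/ci-operator/jobs/fleetshift/fleetshift-poc/OWNERS
+++ b/ci-operator/jobs/fleetshift/fleetshift-poc/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- Hyperkid123
+- mshort55
+reviewers: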
@@ -0,0 +1,69 @@
postsubmits:
fleetshift/fleetshift-poc:
- agent: kubernetes
always_run: true
branches:
- ^main$
cluster: build01
decorate: true
labels:
ci.openshift.io/generator: prowgen
max_concurrency: 1
name: branch-ci-fleetshift-fleetshift-poc-main-pr-merge-image-mirror
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --target=pr-merge-image-mirror
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
Comment on lines +37 to +69
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml | head -75

Repository: openshift/release

Length of output: 2586


🏁 Script executed:

# Check if gcs-credentials volumeMount exists and if gcs-credentials volume is defined
grep -n "gcs-credentials" ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 95


🏁 Script executed:

# Look for similar postsubmit files to understand the naming convention for GCS secrets
find ci-operator/jobs -name "*postsubmits*" -type f | head -5 | xargs grep -l "gcs-credentials" | head -3

Repository: openshift/release

Length of output: 297


🏁 Script executed:

# Check what secret name is used for gcs-credentials in similar files
grep -A 3 "name: gcs-credentials" ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml | grep -A 2 "volumes:" | head -20

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Better approach: get the volumes section from a similar file
sed -n '/volumes:/,/^$/p' ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml | grep -A 3 "gcs-credentials"

Repository: openshift/release

Length of output: 792


🏁 Script executed:

# Search more broadly for the gcs-credentials secret definition pattern
rg "name: gcs-credentials" -A 3 ci-operator/jobs/Azure/ARO-HCP/ | head -30

Repository: openshift/release

Length of output: 2550


🏁 Script executed:

# Find the volumes section in a similar file to see the gcs-credentials volume definition
rg "name: gcs-credentials" -B 2 -A 3 ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml | grep -A 5 "^volumes:" | head -20

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# More specific: get the volumes section from ARO-HCP file
python3 << 'EOF'
import yaml

with open('ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml', 'r') as f:
    data = yaml.safe_load(f)

# Get the first postsubmit job's volumes
job = data['postsubmits']['Azure/ARO-HCP'][0]
if 'spec' in job and 'volumes' in job['spec']:
    volumes = job['spec']['volumes']
    for vol in volumes:
        if vol.get('name') == 'gcs-credentials':
            print(f"Found gcs-credentials volume:")
            print(yaml.dump({'volumes': [vol]}, default_flow_style=False))
            break
EOF

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Let's look at the full volumes section in the ARO-HCP file
sed -n '/^postsubmits:/,/^[^ ]/p' ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml | sed -n '/volumes:/,/^      [a-z]/p' | head -40

Repository: openshift/release

Length of output: 1130


🏁 Script executed:

# Alternative: use grep to find the volumes section
grep -A 20 "volumes:" ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml | grep -B 2 -A 2 "gcs-credentials" | head -20

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Check if gce-sa-credentials-gcs-publisher is used anywhere in the repository
rg "gce-sa-credentials-gcs-publisher" | head -10

Repository: openshift/release

Length of output: 819


🏁 Script executed:

# Check if ARO-HCP file also has the same gcs-credentials volume mount issue
grep -n "name: gcs-credentials" ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml

Repository: openshift/release

Length of output: 275


🏁 Script executed:

# Get the full postsubmit job spec from ARO-HCP to see complete structure
python3 << 'EOF'
import yaml

with open('ci-operator/jobs/Azure/ARO-HCP/Azure-ARO-HCP-main-postsubmits.yaml', 'r') as f:
    data = yaml.safe_load(f)

# Check the first postsubmit
if data and 'postsubmits' in data:
    for repo, jobs in data['postsubmits'].items():
        for idx, job in enumerate(jobs[:1]):  # First job only
            if 'spec' in job:
                spec = job['spec']
                # Show volumeMounts
                if 'containers' in spec and len(spec['containers']) > 0:
                    container = spec['containers'][0]
                    if 'volumeMounts' in container:
                        print("VolumeMounts:")
                        for vm in container['volumeMounts']:
                            print(f"  - {vm.get('name')}")
                # Show volumes
                if 'volumes' in spec:
                    print("\nVolumes:")
                    for vol in spec['volumes']:
                        print(f"  - {vol.get('name')}")
EOF

Repository: openshift/release

Length of output: 274


🏁 Script executed:

# Check the fleetshift file to see what gcs-credentials expects
rg "gcs" ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 190


🏁 Script executed:

# Verify the exact line numbers in fleetshift file for volumes section
sed -n '54,69p' ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 513


🏁 Script executed:

# Show all volumeMounts in fleetshift file 
sed -n '37,52p' ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 549


🏁 Script executed:

# Check if there are multiple postsubmit jobs in the fleetshift file and verify all have the same issue
grep -n "^    name: " ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 136


Add the missing gcs-credentials volume.

Line 41 mounts gcs-credentials, but the volumes list never defines it. The postsubmit pod will be rejected by Kubernetes.

🐛 Proposed fix
       serviceAccountName: ci-operator
       volumes:
       - name: boskos
         secret:
           items:
           - key: credentials
             path: credentials
           secretName: boskos-credentials
+      - name: gcs-credentials
+        secret:
+          secretName: gce-sa-credentials-gcs-publisher
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
       - name: pull-secret
         secret:
           secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml`
around lines 37 - 69, The volumeMounts section references a volume named
"gcs-credentials" but the volumes list doesn't define it; add a volumes entry
with name: gcs-credentials and a secret block pointing to the appropriate secret
(e.g., secretName: gcs-credentials) so the mount in the pod spec (volumeMounts
-> name: gcs-credentials) is backed by a defined secret volume; update the
volumes array alongside the existing
boskos/manifest-tool-local-pusher/pull-secret/result-aggregator entries.

@@ -0,0 +1,126 @@
presubmits:
fleetshift/fleetshift-poc:
- agent: kubernetes
always_run: true
branches:
- ^main$
- ^main-
cluster: build01
context: ci/prow/images
decorate: true
labels:
ci.openshift.io/generator: prowgen
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-fleetshift-fleetshift-poc-main-images
rerun_command: /test images
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --report-credentials-file=/etc/report/credentials
- --target=[images]
command:
- ci-operator
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )images,?($|\s.*)
Comment on lines +31 to +55
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python -m pip install --quiet pyyaml

python - <<'PY'
import subprocess
import sys
import yaml

paths = subprocess.check_output(
    ["fd", "-t", "f", r"fleetshift-fleetshift-poc-main-(pre|post)submits\.yaml"],
    text=True,
).splitlines()

failed = False
for path in paths:
    with open(path, "r", encoding="utf-8") as f:
        data = yaml.safe_load(f)

    for job_kind in ("presubmits", "postsubmits"):
        for repo_jobs in (data.get(job_kind) or {}).values():
            for job in repo_jobs:
                spec = job.get("spec") or {}
                volumes = {v.get("name") for v in spec.get("volumes", [])}
                for container in spec.get("containers", []):
                    for mount in container.get("volumeMounts", []):
                        name = mount.get("name")
                        if name not in volumes:
                            failed = True
                            print(f"{path}: {job.get('name')}: missing volume for mount {name!r}")

if failed:
    sys.exit(1)
PY

Repository: openshift/release

Length of output: 630


🏁 Script executed:

# Search for GCS secret usage patterns and naming conventions
rg "gce-sa-credentials|gcs.*secret" --type yaml -i | head -20

Repository: openshift/release

Length of output: 2324


🏁 Script executed:

# Check for existing gcs-credentials volume declarations in similar jobs
rg "gcs-credentials" --type yaml -B 2 -A 2

Repository: openshift/release

Length of output: 50523


🏁 Script executed:

# Verify the postsubmits file to understand its scope
fd -t f "fleetshift-fleetshift-poc-main-postsubmits.yaml" -x wc -l

Repository: openshift/release

Length of output: 156


🏁 Script executed:

# View the postsubmits file to see if it has similar job structure
cat ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-postsubmits.yaml

Repository: openshift/release

Length of output: 2103


Declare the gcs-credentials volume in presubmits and postsubmits.

Both container specs mount gcs-credentials, but no pod spec declares that volume. These jobs will fail Kubernetes pod validation before ci-operator starts. Affects three jobs across both files: pull-ci-fleetshift-fleetshift-poc-main-images, pull-ci-fleetshift-fleetshift-poc-main-pr-image-mirror (presubmits), and branch-ci-fleetshift-fleetshift-poc-main-pr-merge-image-mirror (postsubmits).

🐛 Proposed fix
       serviceAccountName: ci-operator
       volumes:
+      - name: gcs-credentials
+        secret:
+          secretName: gce-sa-credentials-gcs-publisher
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
       - name: pull-secret
         secret:
           secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
@@
       serviceAccountName: ci-operator
       volumes:
       - name: boskos
         secret:
           items:
           - key: credentials
             path: credentials
           secretName: boskos-credentials
+      - name: gcs-credentials
+        secret:
+          secretName: gce-sa-credentials-gcs-publisher
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
       - name: pull-secret
         secret:
           secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@ci-operator/jobs/fleetshift/fleetshift-poc/fleetshift-fleetshift-poc-main-presubmits.yaml`
around lines 31 - 55, The presubmit/postsubmit job pod specs reference a
volumeMount with mountPath /secrets/gcs and name gcs-credentials but never
declare that volume, causing pod validation failures; for each affected job
(pull-ci-fleetshift-fleetshift-poc-main-images,
pull-ci-fleetshift-fleetshift-poc-main-pr-image-mirror,
branch-ci-fleetshift-fleetshift-poc-main-pr-merge-image-mirror) add a volumes:
entry with name: gcs-credentials and the appropriate secret: secretName: <gcs
secret name> (or other backing type) alongside the existing
manifest-tool/pull-secret/result-aggregator volumes so the gcs-credentials mount
is backed by a declared volume.

- agent: kubernetes
always_run: true
branches:
- ^main$
- ^main-
cluster: build01
context: ci/prow/pr-image-mirror
decorate: true
labels:
ci.openshift.io/generator: prowgen
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-fleetshift-fleetshift-poc-main-pr-image-mirror
rerun_command: /test pr-image-mirror
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --target=pr-image-mirror
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )pr-image-mirror,?($|\s.*)
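--- a/ci-operator/jobs/fleetshift/fleetshift-user-interface/OWNERS
+++ b/ci-operator/jobs/fleetshift/fleetshift-user-interface/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- Hyperkid123
+- mshort55
+reviewers: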