WIP: feat(azure): add ARO-HCP Taskfile automation for dev workflows #7415

Closed
devguyio wants to merge 1 commit into openshift:main from devguyio:aro-hcp-dev-taskfile

@devguyio

Contributor

What this PR does / why we need it:

Adds Taskfile-based automation for ARO-HCP development under hack/aro-hcp/. Provides modular tasks for managing Azure infrastructure, AKS clusters, HyperShift operator deployment, and hosted cluster lifecycle.

Key features:

  • Modular task structure with prereq, keyvault, oidc, dataplane, aks, dns, operator, and cluster task files
  • Example configuration files for credentials and environment setup
  • Comprehensive README with prerequisites and workflow documentation

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 19, 2025
@openshift-ci

openshift-ci Bot commented Dec 19, 2025

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Dec 19, 2025

Contributor

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added do-not-merge/needs-area area/ci-tooling Indicates the PR includes changes for CI or tooling labels Dec 19, 2025
@openshift-ci

openshift-ci Bot commented Dec 19, 2025

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: devguyio

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Dec 19, 2025
Adds Taskfile-based automation for ARO-HCP development under hack/aro-hcp/.
Provides modular tasks for managing Azure infrastructure, AKS clusters,
HyperShift operator deployment, and hosted cluster lifecycle.

Key features:
- Modular task structure with prereq, keyvault, oidc, dataplane, aks,
  dns, operator, and cluster task files
- Example configuration files for credentials and environment setup
- Comprehensive README with prerequisites and workflow documentation

Commit-Message-Assisted-by: Claude (via Claude Code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Ahmed Abdalla <aabdelre@redhat.com>
@devguyio devguyio force-pushed the aro-hcp-dev-taskfile branch from 5eb4783 to 9c54600 Compare December 22, 2025 00:06
@openshift-ci

openshift-ci Bot commented May 11, 2026

Contributor

@devguyio: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

Stale PRs are closed after 21d of inactivity.

If this PR is still relevant, comment to refresh it or remove the stale label.
Mark the PR as fresh by commenting /remove-lifecycle stale.

If this PR is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 11, 2026
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Contributor

Stale PRs rot after 14d of inactivity.

Mark the PR as fresh by commenting /remove-lifecycle rotten.
Rotten PRs close after an additional 7d of inactivity.

If this PR is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci Bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 25, 2026
@hypershift-jira-solve-ci

Now I have the complete picture. Here is the final report:

Test Failure Analysis Complete

Job Information

  • Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main
  • Build ID: hypershift-operator-main-enterprise-contract-98kxk (pipeline run completed 2025-12-22)
  • Second Job: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main (hypershift-operator-enterprise-contract-cbq58)
  • Snapshot: hypershift-operator-865qt
  • PR: WIP: feat(azure): add ARO-HCP Taskfile automation for dev workflows #7415
  • PR Author: devguyio (fork: devguyio/hypershift, branch: aro-hcp-dev-taskfile)
  • PR Created: 2025-12-19 (~6 months ago, never rebased)
  • Result: 222 successes, 26 warnings, 2 failures (identical in both jobs)

Test Failure Analysis

Error

Enterprise Contract verify task: 2 failure(s) out of 250 checks

Containerfile.operator on PR branch is missing vs. main:
1. Missing: LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9"
2. Missing: ARG COMMIT_HASH

Summary

Both Konflux Enterprise Contract checks fail with 2 policy violations because PR #7415's branch was forked from main on 2025-12-19 and has never been rebased. The Containerfile.operator on the PR branch is missing the mandatory CPE label (LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9") and the ARG COMMIT_HASH build argument — both of which were added to main in 2026. The PR's actual code changes (Taskfile automation files under hack/aro-hcp/) are completely unrelated to the Enterprise Contract failures. A rebase onto current main will resolve both failures.

Root Cause

The PR branch (devguyio/hypershift:aro-hcp-dev-taskfile) was forked from main on 2025-12-19 and has never been rebased. The Konflux Enterprise Contract (EC) verify task checks the container image metadata against required policy rules. Two rules fail because the PR branch's Containerfile.operator is missing changes that were merged to main after the branch was created:

EC Failure #1: Missing CPE Label
The LABEL cpe= directive is required by Red Hat Enterprise Contract policy for CVE tracking and product compliance. It was added to main in early 2026 and later updated to cpe:/a:redhat:multicluster_engine:5.0::el9. The PR branch has no CPE label at all.

EC Failure #2: Missing COMMIT_HASH Build Argument
ARG COMMIT_HASH was added to main in April 2026 to support git worktree builds. The PR branch is missing this ARG entirely.

Confirmed by direct file comparison — the diff between the PR branch and main for Containerfile.operator:

< FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6-1760420453 AS builder
---
> FROM registry.access.redhat.com/ubi9/go-toolset:1.25.9-1778054913 AS builder
> ARG COMMIT_HASH          ← MISSING on PR branch (EC failure #2)
...
> LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9"  ← MISSING on PR branch (EC failure #1)
< LABEL version=4.21
> LABEL version=5.0

The PR's functional changes (16 new files under hack/aro-hcp/) add Taskfile-based automation for ARO-HCP development and do not touch any Containerfile, Tekton pipeline, or EC-relevant artifact. The failures are entirely caused by branch staleness.

The 26 warnings are also likely from stale Tekton task bundle versions and missing parameters (e.g., enable-package-registry-proxy) that have been updated on main since December 2025.

Recommendations
  1. Rebase the PR branch onto current main to pick up the CPE label, COMMIT_HASH ARG, updated base images, Tekton bundles, and all other compliance changes:

    git fetch upstream
    git checkout aro-hcp-dev-taskfile
    git rebase upstream/main
    git push --force-with-lease origin aro-hcp-dev-taskfile
  2. Consider whether this WIP PR is still needed — the PR carries lifecycle/rotten and do-not-merge/work-in-progress labels, was created 6 months ago, and is extremely far behind main. If the ARO-HCP Taskfile feature is still desired, creating a fresh branch from current main may be cleaner than rebasing across 6 months of infrastructure changes (go-toolset 1.24→1.25, ubi-minimal 9.6→9.7, MCE 4.21→5.0, etc.).

  3. No code fix is needed — the PR's functional changes (files under hack/aro-hcp/) are correct and unrelated to the EC failures.

Evidence

| Evidence | Detail |
|---|---|
| PR Branch Created | 2025-12-19 (6 months stale, never rebased) |
| EC Check Timestamps | Both completed 2025-12-22T00:15:03Z |
| PR Branch Go Toolset | ubi9/go-toolset:1.24.6-1760420453 |
| Main Branch Go Toolset | ubi9/go-toolset:1.25.9-1778054913 |
| PR Branch UBI Minimal | ubi9/ubi-minimal:9.6-1760515502 |
| Main Branch UBI Minimal | ubi9/ubi-minimal:9.7-1777857961 |
| Missing CPE Label | LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9" — absent on PR branch |
| Missing COMMIT_HASH | ARG COMMIT_HASH — absent on PR branch |
| PR Version Label | version=4.21 vs main's version=5.0 |
| EC Result | 222 pass, 26 warn, 2 fail (identical in both jobs) |
| Recent Merged PRs EC Status | NEUTRAL/skipping — confirms main is compliant |
| PR Labels | approved, lifecycle/rotten, do-not-merge/work-in-progress, area/ci-tooling |
| Files Changed by PR | 16 files, all under hack/aro-hcp/ (none touch Containerfile or Tekton) |
| Pipeline Run 1 | hypershift-operator-main-enterprise-contract-98kxk |
| Pipeline Run 2 | hypershift-operator-enterprise-contract-cbq58 |
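
A local pre-push check for the two directives the analysis above reports as missing, written as an added example: it is not code from the PR, from the bot, or from Enterprise Contract, which evaluates the built image rather than the Containerfile. The function names, the rule that the `cpe` label must sit in the final stage, and both sample Containerfiles are assumptions constructed from the diff quoted above.

```python
import re

REQUIRED_ARGS = {"COMMIT_HASH"}      # build argument named in the analysis
REQUIRED_FINAL_LABELS = {"cpe"}      # assumption: checked on the final stage only
# Constructed samples modelled on the diff quoted above (not the real files).
STALE = '''FROM registry.access.redhat.com/ubi9/go-toolset:1.24.6-1760420453 AS builder
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6-1760515502
LABEL version=4.21
'''
CURRENT = '''FROM registry.access.redhat.com/ubi9/go-toolset:1.25.9-1778054913 AS builder
ARG COMMIT_HASH
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1777857961
LABEL cpe="cpe:/a:redhat:multicluster_engine:5.0::el9" \\
      version=5.0
'''

def logical_lines(text):
    """Yield instructions, dropping comments and joining backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""

def parse_stages(text):
    """Return one dict per build stage with the ARG names and LABEL pairs it declares."""
    stages = []
    for line in logical_lines(text):
        keyword, rest = (line.split(None, 1) + [""])[:2]
        if keyword.upper() == "FROM":
            stages.append({"args": set(), "labels": {}})
        elif stages and keyword.upper() == "ARG":
            stages[-1]["args"].add(rest.split("=", 1)[0].strip())
        elif stages and keyword.upper() == "LABEL":
            pairs = re.findall(r'([\w.\-]+)=("[^"]*"|\S+)', rest)
            stages[-1]["labels"].update((k, v.strip('"')) for k, v in pairs)
    return stages

def missing_directives(text):
    """Return the required directives the Containerfile does not declare."""
    stages = parse_stages(text)
    args = set().union(*(s["args"] for s in stages))
    labels = set(stages[-1]["labels"]) if stages else set()
    return ([f"ARG {a}" for a in sorted(REQUIRED_ARGS - args)]
            + [f"LABEL {k}" for k in sorted(REQUIRED_FINAL_LABELS - labels)])
```

Running `missing_directives` on a branch's `Containerfile.operator` before pushing surfaces this kind of drift from `main` without waiting for the pipeline run.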

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

Rotten PRs close after 7d of inactivity.

Reopen the PR by commenting /reopen.
Mark the PR as fresh by commenting /remove-lifecycle rotten.

/close

@openshift-ci openshift-ci Bot closed this Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@openshift-ci[bot]: Closed this PR.

Details

In response to this:

Rotten PRs close after 7d of inactivity.

Reopen the PR by commenting /reopen.
Mark the PR as fresh by commenting /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • area/ci-tooling: Indicates the PR includes changes for CI or tooling
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
  • lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
