WIP: [CGQE-772] [POC]: CI-config for Windows VM chaos end-to-end pipeline #81199

Open
Sau1506mya wants to merge 1 commit into openshift:main from oharan2:chaos_vm

Conversation

@Sau1506mya Sau1506mya commented Jun 29, 2026

Summary by CodeRabbit

Adds a new OpenShift CI job config for the redhat-chaos/lp-chaos repository to run a Windows VM chaos end-to-end workflow on AWS against OCP 4.21 nightly. The config defines the job’s base images, release target, shared resource settings, and Windows VM-specific environment variables needed to provision and exercise the workload. It also wires in the chaos workflow steps and includes generated metadata for the branch/repo/variant.

coderabbitai Bot commented Jun 29, 2026

Walkthrough

A new ci-operator YAML config file is added for the windows-vm-chaos variant targeting OCP 4.21 nightly on AWS with CNV 4.21 stable. It defines top-level base images, release selectors, global resources, a single windows-vm-chaos test entry with environment variables and workflow references, and generated metadata.

Windows VM Chaos CI Config

Layer / File(s) Summary
Full config: top-level settings, test definition, and metadata
ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml
Sets CLI 4.21 base image, OCP nightly release selector, global CPU/memory resources, and the windows-vm-chaos test (always_run: false) using the redhat-lp-chaos-ocp-installer-aws-cnv workflow with CNV/Windows image environment variables. A previously duplicated releases/resources block under tests is removed. Includes zz_generated_metadata.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| No-Sensitive-Data-In-Logs | ❌ Error | The config checks in a presigned S3 URL with live X-Amz signature/Credential params, which exposes a token-like secret and can leak in logs. | Move WINDOWS_URL behind a secret/runtime lookup or use a stable non-expiring location, and ensure it is not echoed in job logs. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | The new job downloads from public URLs (raw.githubusercontent.com and a presigned S3 URL), so it will fail in disconnected IPv6 CI. | Move assets behind cluster-internal/mirrored artifacts or runtime secrets; if external access is required, mark the test [Skipped:Disconnected] and verify in IPv6 CI. |

✅ Passed checks (13 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The added test/job name is a static windows-vm-chaos; no Ginkgo titles or dynamic identifiers appear in the changed config. |
| Test Structure And Quality | ✅ Passed | Not applicable: the PR only changes ci-operator YAML config; no Ginkgo test code or test blocks are introduced to review. |
| Microshift Test Compatibility | ✅ Passed | This PR only adds ci-operator YAML; no new Ginkgo test code or test names were introduced, so MicroShift compatibility checks are not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The PR only adds CI YAML wiring existing shell-based chaos steps; no new Ginkgo e2e tests or multi-node/HA assertions were introduced. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PASS: The only changed file is a ci-operator YAML; it adds a test job and contains no manifests/controllers or topology-sensitive scheduling rules. |
| Ote Binary Stdout Contract | ✅ Passed | Only ci-operator YAML was changed; no process-level Go/test setup code was touched, so the stdout contract isn’t implicated. |
| No-Weak-Crypto | ✅ Passed | PASS: The PR contains no MD5/SHA1/DES/RC4/ECB/custom-crypto code; the only crypto string is AWS4-HMAC-SHA256 in a presigned URL. |
| Container-Privileges | ✅ Passed | No privileged, hostPID/hostNetwork/hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings were added in the changed config or generated jobs. |
| Title check | ✅ Passed | The title is clearly related to the change and identifies the main CI-config work for the Windows VM chaos pipeline. |

@openshift-ci openshift-ci Bot requested review from chaitanyaenr and etirta June 29, 2026 10:44
openshift-ci Bot commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Sau1506mya
Once this PR has been reviewed and has the lgtm label, please assign paigerube14 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 09e9763b-34c1-470f-a89e-de91c4537779

📥 Commits

Reviewing files that changed from the base of the PR and between ef6669c and 7d7f6b8.

📒 Files selected for processing (1)
  • ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml

Comment on lines +24 to +38
tests:
-releases:
latest:
candidate:
product: ocp
stream: nightly
version: "4.21"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
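Review bot: the line `-releases:` directly under the first `tests:` has a leading dash with no space after it, so YAML reads it as a separate top-level key named `-releases` rather than a second `releases`; that matches the YAMLlint output, which reports only `resources` and `tests` as duplicated. It looks like a diff marker pasted into the file. Delete lines 25-38 as one block so the stray key goes together with the repeated `resources:` and `tests:`, leaving the first `tests:` followed directly by the `- as: windows-vm-chaos` entry.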

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Remove the duplicated top-level stanza before this config lands.

Lines 25-38 reintroduce releases/resources/tests after they were already defined above, so this YAML is not deterministic. Depending on the parser, ci-operator will either reject the file or silently keep only one copy, which can drop the windows-vm-chaos test entirely.

Suggested fix
 tests:
--releases:
-  latest:
-    candidate:
-      product: ocp
-      stream: nightly
-      version: "4.21"
-resources:
-  '*':
-    limits:
-      memory: 4Gi
-    requests:
-      cpu: 100m
-      memory: 200Mi
-tests:
 - as: windows-vm-chaos
   always_run: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
tests:
-releases:
latest:
candidate:
product: ocp
stream: nightly
version: "4.21"
resources:
'*':
limits:
memory: 4Gi
requests:
cpu: 100m
memory: 200Mi
tests:
tests:
- as: windows-vm-chaos
always_run: false
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 31-31: duplication of key "resources" in mapping

(key-duplicates)


[error] 38-38: duplication of key "tests" in mapping

(key-duplicates)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml`
around lines 24 - 38, Remove the duplicated top-level releases/resources/tests
stanza in the ci-operator config so the YAML has only one definition of each
key. Update the existing config block for the windows-vm-chaos test instead of
reintroducing a second block, and verify the final structure is deterministic
and valid for ci-operator parsing.

Source: Linters/SAST tools

Comment on lines +39 to +64
- as: windows-vm-chaos
always_run: false
steps:
cluster_profile: aws-lp-chaos
env:
BASE_DOMAIN: chaos.lp.devcluster.openshift.com
CHAOS_TEAM_NAME: lp-chaos
CNV_VERSION: "4.21"
COMPUTE_NODE_TYPE: m5.metal
SCALE: "1"
TARGET_NAMESPACE: benchmark-runner
TELEMETRY_GROUP: ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws
WINDOWS_IMAGE: windows_server_2019
WINDOWS_URL: https://s3.us-south.cloud-object-storage.appdomain.cloud/benchmark-runner/windows-images/windows10.qcow2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c012897179fd472e96eaefceb376ae89%2F20260622%2Fus-south%2Fs3%2Faws4_request&X-Amz-Date=20260622T164640Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fe2b87329c36f94b2a0917fe9bedf37b591f75509dd6f97d12c33490717e129a
WORKLOAD: windows_vm
test:
- ref: redhat-lp-chaos-lp-cnv-windows-vm-create
- ref: redhat-chaos-kubevirt-outage
- ref: redhat-lp-chaos-lp-cnv-windows-vm-clean
workflow: redhat-lp-chaos-ocp-installer-aws-cnv
timeout: 6h0m0s
zz_generated_metadata:
branch: main
org: redhat-chaos
repo: lp-chaos
variant: ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws
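Review bot: `WINDOWS_IMAGE: windows_server_2019` does not match the object named in `WINDOWS_URL`, whose path ends in `windows-images/windows10.qcow2`. Confirm which guest image the create step is meant to boot and make the two values agree, or add a comment in the config explaining why the label and the file name differ.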

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

fd -p 'redhat-chaos-lp-chaos.*windows-vm-chaos.*\.yaml' ci-operator/jobs
rg -n 'windows-vm-chaos|ocp4\.21-nightly--cnv-4\.21-stable-windows-vm-chaos--aws' ci-operator/jobs

Repository: openshift/release

Length of output: 155


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## matching job/config filenames"
git ls-files 'ci-operator/jobs/**' 'ci-operator/config/**' | grep -E 'redhat-chaos|lp-chaos|windows-vm-chaos|ocp4\.21-nightly--cnv-4\.21-stable-windows-vm-chaos--aws' || true

echo
echo "## broader job content matches"
rg -n --hidden --glob 'ci-operator/jobs/**' 'windows-vm-chaos|ocp4\.21-nightly--cnv-4\.21-stable-windows-vm-chaos--aws|redhat-chaos-kubevirt-outage|redhat-lp-chaos-lp-cnv-windows-vm-create|redhat-lp-chaos-lp-cnv-windows-vm-clean' ci-operator/jobs || true

echo
echo "## nearby config files"
git ls-files 'ci-operator/config/redhat-chaos/lp-chaos/**'

Repository: openshift/release

Length of output: 6135


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## variant config"
sed -n '1,220p' ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml

echo
echo "## generated periodics matching lp-chaos"
rg -n 'windows-vm-chaos|cnv-4\.21-stable|ocp4\.21-nightly' ci-operator/jobs/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main-periodics.yaml

echo
echo "## generated presubmits/postsubmits matching lp-chaos"
rg -n 'windows-vm-chaos|cnv-4\.21-stable|ocp4\.21-nightly' ci-operator/jobs/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main-presubmits.yaml ci-operator/jobs/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main-postsubmits.yaml

Repository: openshift/release

Length of output: 5597


Regenerate the generated Prow jobs for this variant
ci-operator/jobs/redhat-chaos/lp-chaos/ still only contains the existing ...--aws and ...cnvcases--aws jobs, so the new windows-vm-chaos config has no matching generated artifact yet.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml`
around lines 39 - 64, Regenerate the Prow job artifacts for the new
windows-vm-chaos variant so the generated output under
ci-operator/jobs/redhat-chaos/lp-chaos/ includes a matching job for this config.
Update the generated job set to reflect the new as: windows-vm-chaos definition
and ensure the variant name in zz_generated_metadata and the workflow
redhat-lp-chaos-ocp-installer-aws-cnv are represented in the generated artifact.

Sources: Coding guidelines, Learnings

TARGET_NAMESPACE: benchmark-runner
TELEMETRY_GROUP: ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws
WINDOWS_IMAGE: windows_server_2019
WINDOWS_URL: https://s3.us-south.cloud-object-storage.appdomain.cloud/benchmark-runner/windows-images/windows10.qcow2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c012897179fd472e96eaefceb376ae89%2F20260622%2Fus-south%2Fs3%2Faws4_request&X-Amz-Date=20260622T164640Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fe2b87329c36f94b2a0917fe9bedf37b591f75509dd6f97d12c33490717e129a
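Review bot: the `WINDOWS_URL` value should not be committed with its query string, because `X-Amz-Credential` and `X-Amz-Signature` stay readable in this PR's diff and in git history even after a follow-up commit replaces the line. Keep only the variable name here and have the step that consumes it read the URL from a mounted secret at runtime. With `X-Amz-Expires=604800` counted from `X-Amz-Date=20260622T164640Z`, the link also stops working seven days after signing, so a job that runs later cannot depend on it.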

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Replace the checked-in presigned S3 URL.

This URL embeds a live SigV4 signature and expires on June 29, 2026 at 16:46:40 UTC. That both leaks temporary object access in a public repo and makes the job fail as soon as the signature ages out. Please move this behind a secret/runtime lookup or switch to a stable non-expiring location.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/redhat-chaos/lp-chaos/redhat-chaos-lp-chaos-main__ocp4.21-nightly--cnv-4.21-stable-windows-vm-chaos--aws.yaml`
at line 52, The WINDOWS_URL value is a checked-in presigned S3 link with a
temporary SigV4 signature, so it should not be stored in the config. Update the
redhat-chaos LP chaos config to fetch the image URL at runtime or from a
secret/CI variable instead of hardcoding it, using the existing WINDOWS_URL
setting as the replacement point. If a stable artifact location is available,
switch the WINDOWS_URL reference there so the job does not depend on an expiring
presigned URL.
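
A pre-merge check of the kind this finding describes, as an added example (not CodeRabbit's or the openshift/release repository's code): it finds SigV4 presigned URLs in config text, derives the expiry from `X-Amz-Date` plus `X-Amz-Expires`, and redacts the signing parameters so the finding can be logged. The sample config, host, key ID and signature are constructed placeholders; only the date and lifetime values mirror the URL in this PR.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry signing material in a SigV4 presigned URL.
SENSITIVE = {"X-Amz-Credential", "X-Amz-Signature", "X-Amz-Security-Token"}
URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample config: host, key ID and signature are placeholders.
SAMPLE = """\
env:
  WORKLOAD: windows_vm
  WINDOWS_URL: https://objects.example.invalid/images/win.qcow2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=EXAMPLEKEYID%2F20260622%2Fus-south%2Fs3%2Faws4_request&X-Amz-Date=20260622T164640Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder0000
  DOCS_URL: https://example.invalid/readme?ref=main
"""


def expiry(params):
    """Return signing time plus lifetime as a UTC datetime, or None if unparseable."""
    try:
        signed = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        lifetime = timedelta(seconds=int(params["X-Amz-Expires"]))
    except (KeyError, ValueError):
        return None
    return signed.replace(tzinfo=timezone.utc) + lifetime


def redact(url):
    """Blank out signing parameters so the finding itself is safe to log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe)))


def scan(text, now):
    """Return one finding per presigned URL: line, redacted URL, expiry, expired flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            params = dict(parse_qsl(urlsplit(url).query))
            if "X-Amz-Signature" not in params:
                continue  # ordinary URL, nothing signed
            exp = expiry(params)
            findings.append({"line": lineno, "url": redact(url), "expires": exp,
                             "expired": exp is not None and exp <= now})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE, datetime.now(timezone.utc)):
        print(f"line {f['line']}: presigned URL, expires {f['expires']}: {f['url']}")
```
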

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 29, 2026
[REHEARSALNOTIFIER]
@Sau1506mya: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

openshift-ci Bot commented Jun 29, 2026

@Sau1506mya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ci-operator-config-metadata | 7d7f6b8 | link | true | /test ci-operator-config-metadata |
| ci/prow/generated-config | 7d7f6b8 | link | true | /test generated-config |
| ci/prow/ci-operator-config | 7d7f6b8 | link | true | /test ci-operator-config |


@Sau1506mya Sau1506mya changed the title from "[CGQE-772] WIP: CI-config for Windows VM chaos end-to-end pipeline" to "WIP: [CGQE-772] [POC]: CI-config for Windows VM chaos end-to-end pipeline" Jun 29, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 29, 2026