
Add CI configuration for openshift/oc-tnf #80511

Open

Neilhamza wants to merge 1 commit into openshift:main from Neilhamza:oc-tnf-ci-config

Conversation

@Neilhamza (Contributor) commented Jun 15, 2026

Summary

Register Prow CI jobs and merge configuration for the new openshift/oc-tnf plugin repository.

oc-tnf is a standalone oc plugin for Two Node with Fencing (TNF) cluster operations, distributed via krew custom index.

Files added

ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml

  • Unit tests (make test with --race)
  • golangci-lint (make golangci-lint)
  • go mod tidy verification
  • Dependency verification (go-verify-deps)

core-services/prow/02_config/openshift/oc-tnf/_prowconfig.yaml

  • Tide merge rules: requires lgtm + approved labels

core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml

  • Enables /approve and /lgtm commands

Context

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores

    • Updated CI configuration for the OpenShift oc-tnf project, including refreshed Go linter/tooling and CI container settings.
    • Added new presubmit checks for linting, module tidiness, unit testing, and dependency verification.
    • Tuned CI job resource limits and behavior.
    • Updated Prow automation for PR approval/LGTM and Tide label-based merge conditions.
  • Tests

    • Enabled additional automated presubmit validations: golint, modtidy, unit, and verify-deps.

@coderabbitai Bot (Contributor) commented Jun 15, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Five new YAML files onboard the openshift/oc-tnf repository to the OpenShift CI infrastructure: a ci-operator job definition with four test steps, four corresponding Prow presubmit jobs, Prow plugin configuration enabling approve and lgtm workflows, tide configuration enforcing label-based merge requirements, and an OWNERS file identifying repository maintainers.

Changes

openshift/oc-tnf CI Infrastructure Onboarding

Layer: CI operator job definition
File(s): ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml
Summary: Defines the ci-operator job for the main branch: golangci-lint base image at v1.64.8, build root using rhel-9-release-golang-1.24-openshift-4.20, resource limits (cpu: 100m, memory: 200Mi/4Gi), and four test steps: unit (make test with GOFLAGS="-mod=readonly"), golint (make golangci-lint), modtidy (go mod tidy + git diff check), and verify-deps (go-verify-deps with CHECK_MOD_LIST: "false").

Layer: Prow presubmit jobs
File(s): ci-operator/jobs/openshift/oc-tnf/openshift-oc-tnf-main-presubmits.yaml
Summary: Adds four presubmit jobs for main branch PRs: pull-ci-openshift-oc-tnf-main-golint and pull-ci-openshift-oc-tnf-main-modtidy with conditional execution via skip_if_only_changed rules, and pull-ci-openshift-oc-tnf-main-unit and pull-ci-openshift-oc-tnf-main-verify-deps with always_run: true. The verify-deps job includes a Boskos credentials volume and the --lease-server-credentials-file argument. All jobs wire /test trigger commands and the required secret mounts.

Layer: Prow plugins and tide merge configuration
File(s): core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml, core-services/prow/02_config/openshift/oc-tnf/_prowconfig.yaml
Summary: Adds _pluginconfig.yaml enabling the approve plugin with require_self_approval: true. Adds _prowconfig.yaml configuring tide to require the approved and lgtm labels and to exclude PRs carrying any of the missingLabels (do-not-merge/*, needs-rebase, jira/invalid-bug, backports, unvalidated-commits).

Layer: Repository ownership
File(s): ci-operator/config/openshift/oc-tnf/OWNERS
Summary: Defines the OWNERS configuration with eight users as both approvers and reviewers: dhensel-rh, eggfoobar, fonata-rh, fracappa, jaypoulz, lucaconsalvi, neilhamza, vimauro.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

lgtm

Suggested reviewers

  • bear-redhat
Pre-merge checks: 15 passed

  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: adding CI configuration for the openshift/oc-tnf repository.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. The PR contains only YAML CI/CD configuration files with no Ginkgo test definitions, so the test name stability check is not applicable.
  • Test Structure And Quality: Passed. Check not applicable: the PR adds CI/Prow YAML configuration files only; no Ginkgo test code is present to review against test quality requirements.
  • Microshift Test Compatibility: Passed. This PR adds only CI/CD configuration files (YAML), not Ginkgo e2e test code. The MicroShift Test Compatibility check applies only when new Ginkgo tests are added, which is not the case here.
  • Single Node Openshift (SNO) Test Compatibility: Passed. This PR adds CI/CD configuration files (YAML) only, not Ginkgo e2e tests. The SNO check applies to new test code, not infrastructure configuration.
  • Topology-Aware Scheduling Compatibility: Passed. The PR adds only CI/Prow configuration files with no deployment manifests, operator code, or scheduling constraints that could break on SNO/TNF/TNA/HyperShift topologies.
  • OTE Binary Stdout Contract: Passed. The PR contains only YAML CI/Prow configuration files; no source code, test code, or process-level code that could violate the OTE Binary Stdout Contract is present.
  • IPv6 And Disconnected Network Test Compatibility: Passed. The PR adds only CI configuration and OWNERS files (5 YAML/metadata files), no Ginkgo e2e tests. The custom check for IPv6/disconnected network compatibility only applies when new tests are added.
  • No-Weak-Crypto: Passed. No weak cryptography detected. All files are YAML CI/CD configuration files with no cryptographic implementations, MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, custom crypto code, or non-constant-time...
  • Container-Privileges: Passed. No privileged container configurations found. All container specs use the standard security posture without privileged mode, host access, elevated capabilities, or privilege escalation.
  • No-Sensitive-Data-In-Logs: Passed. No sensitive data (passwords, tokens, API keys, PII, session IDs, internal hostnames, customer data) found in any of the CI configuration files added for openshift/oc-tnf.

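The tide and plugin settings summarized in the walkthrough above can be checked mechanically, which is useful because a required label that no enabled plugin can apply silently blocks every merge. The following Python script is an added example, not code from the openshift/release repository or from CodeRabbit. It encodes a constructed stand-in for the described tide query (required labels approved and lgtm, the listed missingLabels) and plugin list (approve only), decides whether a PR with a given label set would be merge-eligible under that query, and lists any required label whose owning plugin is not enabled for the repo, which is the lgtm gap the review raises further down. Assumptions: the dicts are constructed from the summary rather than parsed from the real YAML; the summary's `do-not-merge/*` shorthand is treated as a glob over label names (tide itself matches exact label names); and only the repo-level plugin list is consulted, whereas real Prow also merges org-level plugin entries, so confirm lgtm is not inherited from the openshift org before treating the finding as a blocker.

```python
"""Label-gating consistency check for a Prow tide/plugin configuration (added example)."""
from fnmatch import fnmatch

# Constructed stand-in for the tide section of _prowconfig.yaml, as described
# in the walkthrough; not the real file.
TIDE_CONFIG = {
    "queries": [
        {
            "repos": ["openshift/oc-tnf"],
            "labels": ["approved", "lgtm"],
            "missingLabels": [
                "do-not-merge/*",  # summary shorthand, treated as a glob here (assumption)
                "needs-rebase",
                "jira/invalid-bug",
                "backports",
                "unvalidated-commits",
            ],
        }
    ]
}

# Constructed stand-in for _pluginconfig.yaml: only the approve plugin is enabled.
PLUGIN_CONFIG = {
    "plugins": {
        "openshift/oc-tnf": {"plugins": ["approve"]},
    }
}

# Which Prow plugin applies each merge-gating label
# (the approve plugin sets "approved", the lgtm plugin sets "lgtm").
LABEL_OWNER_PLUGIN = {"approved": "approve", "lgtm": "lgtm"}


def tide_query_for(tide_config, repo):
    """Find the tide query that covers the given repository."""
    for query in tide_config["queries"]:
        if repo in query.get("repos", []):
            return query
    raise KeyError(f"no tide query covers {repo}")


def is_mergeable(tide_config, repo, pr_labels):
    """Return (mergeable, reasons): tide's label-based merge decision for one PR.

    A PR is eligible only if every required label is present and no label
    matching a missingLabels entry is present.
    """
    query = tide_query_for(tide_config, repo)
    labels = set(pr_labels)
    reasons = []
    for required in query.get("labels", []):
        if required not in labels:
            reasons.append(f"missing required label {required}")
    for blocked in query.get("missingLabels", []):
        for hit in sorted(label for label in labels if fnmatch(label, blocked)):
            reasons.append(f"blocking label present: {hit}")
    return (not reasons, reasons)


def unapplied_required_labels(tide_config, plugin_config, repo):
    """Required labels that no enabled plugin for the repo can apply.

    Only the repo-level plugin list is consulted (assumption; real Prow also
    merges org-level entries). A non-empty result means the normal
    /approve + /lgtm workflow can never make a PR in this repo mergeable.
    """
    query = tide_query_for(tide_config, repo)
    enabled = set(plugin_config["plugins"].get(repo, {}).get("plugins", []))
    return [
        label for label in query.get("labels", [])
        if LABEL_OWNER_PLUGIN.get(label) not in enabled
    ]


if __name__ == "__main__":
    repo = "openshift/oc-tnf"
    print(is_mergeable(TIDE_CONFIG, repo, ["approved", "lgtm"]))
    print(is_mergeable(TIDE_CONFIG, repo, ["approved", "lgtm", "do-not-merge/hold"]))
    print(unapplied_required_labels(TIDE_CONFIG, PLUGIN_CONFIG, repo))
```

Running the script with the constructed config reports `lgtm` as a required label with no enabling plugin; adding `lgtm` to the repo's plugin list (or confirming it is inherited from the org level) clears the finding.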
@openshift-ci openshift-ci Bot requested review from pruan-rht and smg247 June 15, 2026 09:02
@openshift-ci Bot (Contributor) commented Jun 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Neilhamza

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 15, 2026

@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml`:
- Line 21: The test command in the `commands` field on line 21 does not include
race detection, which means the tests are not checking for race conditions. Add
the `-race` flag to the GOFLAGS variable in the command string so that race
detection is enabled when running the make test target. The fix involves
modifying the GOFLAGS string from "-mod=readonly" to include the -race flag
alongside the existing -mod=readonly flag.

In `@core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml`:
- Around line 10-13: The lgtm plugin is configured with repo-scoped settings but
is not registered in the plugins list for the openshift/oc-tnf repository. Since
tide requires the lgtm label to function properly, this missing plugin can block
normal label workflows. To fix this, add lgtm to the plugins list under
plugins.openshift/oc-tnf.plugins alongside the existing approve entry so the
plugin is properly enabled for the repository.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c215a18a-866f-4c5a-9bea-d30db8ca19e5

📥 Commits

Reviewing files that changed from the base of the PR and between 66d6a09 and 57e8461.

📒 Files selected for processing (3)
  • ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml
  • core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml
  • core-services/prow/02_config/openshift/oc-tnf/_prowconfig.yaml

memory: 200Mi
tests:
- as: unit
commands: GOFLAGS="-mod=readonly" make test

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enable race detection in the unit test command.

The current command runs make test without --race, so it does not meet the intended race-check coverage for this onboarding CI path.

Suggested patch
-  commands: GOFLAGS="-mod=readonly" make test
+  commands: GOFLAGS="-mod=readonly" make test --race
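Review bot: the `+` line appends `--race` as an option to `make` rather than to `go test`; GNU make rejects an unrecognized long option, and even a Makefile that tolerated it would not hand the flag to the test binary. The committable suggestion further down this comment has the right shape, `GOFLAGS="-mod=readonly -race" make test`, which is also what the PR description claims ("make test with --race"). Prefer that form, and confirm the repository's `make test` target invokes `go test` without overriding GOFLAGS so the flag actually takes effect.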
📝 Committable suggestion

Suggested change:
  before: commands: GOFLAGS="-mod=readonly" make test
  after:  commands: GOFLAGS="-mod=readonly -race" make test
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml` at line 21,
The test command in the `commands` field on line 21 does not include race
detection, which means the tests are not checking for race conditions. Add the
`-race` flag to the GOFLAGS variable in the command string so that race
detection is enabled when running the make test target. The fix involves
modifying the GOFLAGS string from "-mod=readonly" to include the -race flag
alongside the existing -mod=readonly flag.

Comment thread core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml
@openshift-merge-bot openshift-merge-bot Bot added rehearsals-ack Signifies that rehearsal jobs have been acknowledged and removed rehearsals-ack Signifies that rehearsal jobs have been acknowledged labels Jun 15, 2026

@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/jobs/openshift/oc-tnf/openshift-oc-tnf-main-presubmits.yaml`:
- Around line 20-55: The container spec for the ci-operator target is missing
required security hardening settings. Add a securityContext field to the
container specification that includes runAsNonRoot set to true,
readOnlyRootFilesystem set to true, allowPrivilegeEscalation set to false, and
capabilities with drop set to ALL. These settings should be added at the same
level as the args, command, env, image, and other container properties to ensure
the generated job inherits the proper security hardening.
- Around line 39-41: The presubmit containers are missing required resource
specifications: they only define requests.cpu but lack memory requests, memory
limits, and CPU limits. Rather than editing the generated yaml files directly in
ci-operator/jobs/, locate the source job configuration in
ci-operator/config/openshift/oc-tnf/ and add the missing resource specifications
(memory requests, memory limits, and CPU limits) to each of the four container
specs. After making these changes to the source configuration, regenerate the
job manifests by running make update to properly update the ci-operator/jobs/
output files.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: adae36e0-16d3-4b9f-a236-0311f9109c00

📥 Commits

Reviewing files that changed from the base of the PR and between 57e8461 and d97d7e7.

📒 Files selected for processing (3)
  • ci-operator/config/openshift/oc-tnf/OWNERS
  • ci-operator/jobs/openshift/oc-tnf/openshift-oc-tnf-main-presubmits.yaml
  • core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml
✅ Files skipped from review due to trivial changes (1)
  • ci-operator/config/openshift/oc-tnf/OWNERS
🚧 Files skipped from review as they are similar to previous changes (1)
  • core-services/prow/02_config/openshift/oc-tnf/_pluginconfig.yaml

Comment on lines +20 to +55
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --report-credentials-file=/etc/report/credentials
- --target=golint
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden container securityContext for all generated presubmit pod specs.

The container specs do not set required hardening (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and dropping ALL capabilities). Add these in the source ci-operator config so generated jobs inherit them.

As per coding guidelines, manifest containers should set securityContext with runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and “Drop ALL capabilities, add only what is required.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/jobs/openshift/oc-tnf/openshift-oc-tnf-main-presubmits.yaml`
around lines 20 - 55, The container spec for the ci-operator target is missing
required security hardening settings. Add a securityContext field to the
container specification that includes runAsNonRoot set to true,
readOnlyRootFilesystem set to true, allowPrivilegeEscalation set to false, and
capabilities with drop set to ALL. These settings should be added at the same
level as the args, command, env, image, and other container properties to ensure
the generated job inherits the proper security hardening.

Source: Coding guidelines

Comment on lines +39 to +41
resources:
requests:
cpu: 10m
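Review bot: the `requests.cpu: 10m` on these lines belongs to the ci-operator driver container of the generated Prow job, not to the test workload; the test steps' own resources (cpu: 100m, memory: 200Mi/4Gi per the walkthrough) are set in ci-operator/config/openshift/oc-tnf/openshift-oc-tnf-main.yaml. Since ci-operator/jobs/ is prowgen output regenerated by `make update`, limits hand-added here would be overwritten on the next regeneration, and nothing in the per-repo config file controls this container's resources; if the driver container is to carry limits, that is a change to the generator rather than to this PR's config.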

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add memory/cpu limits (and memory requests) to each presubmit container spec.

All four job containers only set requests.cpu and omit memory requests/limits and cpu limits. This breaks the manifest baseline and risks unstable scheduling/resource contention. Apply this in the source ci-operator/config/... and regenerate jobs with make update instead of editing generated output directly.

As per coding guidelines, Kubernetes/OpenShift manifests must define “Resource limits (cpu, memory) on every container,” and ci-operator/jobs/**/*.yaml must be regenerated from ci-operator/config/ via make update.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/jobs/openshift/oc-tnf/openshift-oc-tnf-main-presubmits.yaml`
around lines 39 - 41, The presubmit containers are missing required resource
specifications: they only define requests.cpu but lack memory requests, memory
limits, and CPU limits. Rather than editing the generated yaml files directly in
ci-operator/jobs/, locate the source job configuration in
ci-operator/config/openshift/oc-tnf/ and add the missing resource specifications
(memory requests, memory limits, and CPU limits) to each of the four container
specs. After making these changes to the source configuration, regenerate the
job manifests by running make update to properly update the ci-operator/jobs/
output files.

Source: Coding guidelines
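The two findings above describe a baseline that a container spec either meets or does not, so it is worth having a check that can be run over a spec before regenerating jobs. The following Python script is an added example, not code from openshift/release, prowgen or CodeRabbit. It lints a container dict against the baseline quoted in the review (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop ALL capabilities, cpu and memory requests and limits) plus a check that secret mounts are readOnly, and shows a hardened copy beside the original. Assumptions: `GENERATED_CONTAINER` is constructed from the fields of the ci-operator container shown in the thread above (not the full spec); the resource values used by `harden` are placeholders, not the project's numbers.

```python
"""Lint a Kubernetes container spec against a hardening baseline (added example)."""
import copy

# Constructed from the generated ci-operator container shown in the review
# thread; only the fields relevant to the check are reproduced.
GENERATED_CONTAINER = {
    "name": "",
    "image": "quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest",
    "command": ["ci-operator"],
    "args": ["--target=golint"],
    "resources": {"requests": {"cpu": "10m"}},
    "volumeMounts": [
        {"mountPath": "/secrets/gcs", "name": "gcs-credentials", "readOnly": True},
        {"mountPath": "/etc/pull-secret", "name": "pull-secret", "readOnly": True},
    ],
}

# Paths under which this example treats a mount as a credential mount (assumption).
SECRET_MOUNT_PREFIXES = ("/secrets", "/etc/pull-secret", "/etc/report")


def lint_container(container):
    """Return the list of baseline violations; an empty list means compliant."""
    findings = []
    sc = container.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        findings.append("securityContext.runAsNonRoot must be true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("securityContext.readOnlyRootFilesystem must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("securityContext.allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append("securityContext.capabilities.drop must include ALL")
    if sc.get("privileged"):
        findings.append("securityContext.privileged must not be true")
    # Every container needs cpu and memory for both requests and limits.
    resources = container.get("resources", {})
    for section in ("requests", "limits"):
        for resource in ("cpu", "memory"):
            if resource not in resources.get(section, {}):
                findings.append(f"resources.{section}.{resource} is not set")
    # Credential mounts must not be writable from inside the container.
    for mount in container.get("volumeMounts", []):
        if mount["mountPath"].startswith(SECRET_MOUNT_PREFIXES) and not mount.get("readOnly"):
            findings.append(f"secret mount {mount['mountPath']} should be readOnly")
    return findings


def harden(container, cpu_limit="500m", memory_request="200Mi", memory_limit="1Gi"):
    """Return a hardened copy of the spec; the original dict is left untouched.

    Resource values are placeholders (assumption): size them from measured job
    usage. Existing capabilities.add entries are kept, since the guideline is
    "drop ALL, add only what is required".
    """
    hardened = copy.deepcopy(container)
    sc = hardened.setdefault("securityContext", {})
    sc.update({
        "runAsNonRoot": True,
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
    })
    drop = sc.setdefault("capabilities", {}).setdefault("drop", [])
    if "ALL" not in drop:
        drop.append("ALL")
    resources = hardened.setdefault("resources", {})
    resources.setdefault("requests", {}).setdefault("memory", memory_request)
    limits = resources.setdefault("limits", {})
    limits.setdefault("cpu", cpu_limit)
    limits.setdefault("memory", memory_limit)
    return hardened


if __name__ == "__main__":
    for finding in lint_container(GENERATED_CONTAINER):
        print("generated:", finding)
    print("hardened:", lint_container(harden(GENERATED_CONTAINER)) or "compliant")
```

One caveat worth keeping in mind when applying `readOnlyRootFilesystem` to a CI driver such as ci-operator: any path the process writes to (temp files, caches) then needs an explicit emptyDir volume, otherwise the job fails at runtime rather than at review time. And as the review says, the fix belongs in the generator input, not in the generated ci-operator/jobs/ output.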

@openshift-merge-bot openshift-merge-bot Bot added rehearsals-ack Signifies that rehearsal jobs have been acknowledged and removed rehearsals-ack Signifies that rehearsal jobs have been acknowledged labels Jun 15, 2026

Commit message:

Register Prow CI jobs for the new oc-tnf plugin repo:
- Unit tests, golangci-lint, go mod tidy, dependency verification
- Tide merge rules requiring lgtm + approved labels
- Approve plugin configuration
- OWNERS synced from openshift/oc-tnf repo
- Generated presubmit jobs via ci-operator-prowgen

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-merge-bot Bot (Contributor) commented

[REHEARSALNOTIFIER]
@Neilhamza: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name | Repo | Type | Reason
pull-ci-openshift-oc-tnf-main-golint | openshift/oc-tnf | presubmit | Presubmit changed
pull-ci-openshift-oc-tnf-main-modtidy | openshift/oc-tnf | presubmit | Presubmit changed
pull-ci-openshift-oc-tnf-main-unit | openshift/oc-tnf | presubmit | Presubmit changed
pull-ci-openshift-oc-tnf-main-verify-deps | openshift/oc-tnf | presubmit | Presubmit changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci Bot (Contributor) commented Jun 15, 2026

@Neilhamza: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.