[ Staged Rollout ] - Enable OP in ABI static-3-plus-1 jobs

ci-operator/step-registry/baremetal/lab/agent/install/baremetal-lab-agent-install-commands.sh

@@ -230,6 +230,13 @@ cp "${INSTALL_DIR}/auth/kubeconfig" "${SHARED_DIR}/"
 cp "${INSTALL_DIR}/auth/kubeadmin-password" "${SHARED_DIR}/"
 scp "${SSHOPTS[@]}" "${INSTALL_DIR}"/auth/* "root@${AUX_HOST}:/var/builds/${CLUSTER_NAME}/"
 
+# Copy coreos stream file so the observer pod can check if the correct live image was booted
+echo -e "\nGenerating coreOS stream file..."
+
+# Creating file straight into $SHARED_DIR is not 100% reliable because of propagation issues (author guessing)
+oinst coreos print-stream-json > "${INSTALL_DIR}/coreos-stream.json"
+scp "${SSHOPTS[@]}" "${INSTALL_DIR}/coreos-stream.json" "root@${AUX_HOST}:/var/builds/${CLUSTER_NAME}/coreos-stream.json"
+
 proxy="$(<"${CLUSTER_PROFILE_DIR}/proxy")"
 # shellcheck disable=SC2154
 for bmhost in $(yq e -o=j -I=0 '.[]' "${SHARED_DIR}/hosts.yaml"); do
@@ -256,6 +263,9 @@ echo "Launching 'wait-for bootstrap-complete' installation step....."
 http_proxy="${proxy}" https_proxy="${proxy}" HTTP_PROXY="${proxy}" HTTPS_PROXY="${proxy}" \
   oinst agent wait-for bootstrap-complete 2>&1 &
 if ! wait $!; then
+  # Used by observer pod
+  touch "${SHARED_DIR}/failure"
+  # TODO: gather logs??
   echo "ERROR: Bootstrap failed. Aborting execution."
   exit 1
 fi
@@ -266,9 +276,16 @@ http_proxy="${proxy}" https_proxy="${proxy}" HTTP_PROXY="${proxy}" HTTPS_PROXY="
   oinst agent wait-for install-complete &
 if ! wait "$!"; then
   echo "ERROR: Installation failed. Aborting execution."
+  # Used by observer pod
+  touch "${SHARED_DIR}/failure"
+  # TODO: gather logs??
   exit 1
 fi
 
+# Used by observer pod
+touch  "${SHARED_DIR}/success"
+
 echo "Ensure that all the cluster operators remain stable and ready until OCPBUGS-18658 is fixed."
 oc adm wait-for-stable-cluster --minimum-stable-period=1m --timeout=15m
 update_image_registry
+

ci-operator/step-registry/baremetal/lab/agent/install/network/static/3-plus-1/baremetal-lab-agent-install-network-static-3-plus-1-workflow.yaml

@@ -7,6 +7,9 @@ workflow:
       - chain: baremetal-lab-agent-install
     post:
       - chain: baremetal-lab-post
+    observers:
+      enable:
+      - observers-ocp-baremetal-qe
     env:
       ipv4_enabled: "true"
       ipv6_enabled: "false"

ci-operator/step-registry/baremetal/lab/post/firewall/baremetal-lab-post-firewall-commands.sh

@@ -41,6 +41,6 @@ timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
   INTERNAL_NET_CIDR="${1}"
   IP_ARRAY="${@:2}"
   for ip in $IP_ARRAY; do
-    iptables -D FORWARD -s ${ip} ! -d "${INTERNAL_NET_CIDR}" -j DROP
+    iptables -D FORWARD -s ${ip} ! -d "${INTERNAL_NET_CIDR}" ! -p tcp --dport 22 -j DROP
   done
 EOF

ci-operator/step-registry/baremetal/lab/pre/firewall/baremetal-lab-pre-firewall-commands.sh

@@ -56,7 +56,8 @@ timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
   IP_ARRAY="${@:2}"
   for ip in $IP_ARRAY; do
     # TODO: change to firewalld or nftables
-    iptables -A FORWARD -s ${ip} ! -d "${INTERNAL_NET_CIDR}" -j DROP
+    # Allow connections on port 22 used by observer pod
+    iptables -A FORWARD -s ${ip} ! -d "${INTERNAL_NET_CIDR}" ! -p tcp --dport 22 -j DROP
   done
 EOF
 

ci-operator/step-registry/observers/ocp-baremetal-qe/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+- aleskandro
+- pamoedom
+- bmanzari
+reviewers:
+- aleskandro
+- jadhaj
+- bmanzari
+- pamoedom
+- sgoveas