CNTRLPLANE-3375: Add ExternalOIDCWithUpstreamParity Default jobs

[ShazaAldawamneh]

This PR adds periodic Prow jobs for the ExternalOIDCWithUpstreamParity feature gate running on the Default feature set, enabling automated regression testing once the feature is promoted from TechPreview to GA.

This PR should be merged alongside the feature gate promotion PR in openshift/api.

Changes

Periodic Jobs Added

Creates daily periodic test jobs for the Default feature set across all supported platforms and releases:

Platforms (all 8 required for promotion):

• AWS
• Azure
• GCP
• VSphere
• Baremetal IPv4
• Baremetal IPv6
• Baremetal Dualstack
• Single Node OpenShift (SNO)

Releases:

• 4.23: Daily jobs (24h intervals, cron schedules for vsphere)
• 5.0: Daily jobs (24h intervals, cron schedules for vsphere)

Summary by CodeRabbit

• Tests
  • Expanded periodic test coverage for external OIDC upstream parity validation across AWS, Azure, GCP, vSphere, and Metal platforms
  • Updated test scheduling frequencies to ensure consistent validation of cluster authentication functionality
  • Added platform-specific configurations to optimize test execution across different infrastructure environments

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-3375 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This PR adds periodic Prow jobs for the ExternalOIDCWithUpstreamParity feature gate running on the Default feature set, enabling automated regression testing once the feature is promoted from TechPreview to GA.

This PR should be merged alongside the feature gate promotion PR in openshift/api.

Changes

Periodic Jobs Added

Creates daily periodic test jobs for the Default feature set across all supported platforms and releases:

Platforms (all 8 required for promotion):

• AWS
• Azure
• GCP
• VSphere
• Baremetal IPv4
• Baremetal IPv6
• Baremetal Dualstack
• Single Node OpenShift (SNO)

Releases:

• 4.23: Daily jobs (24h intervals, cron schedules for vsphere)
• 5.0: Daily jobs (24h intervals, cron schedules for vsphere)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated the vSphere external OIDC test schedule to run on all days instead of Wednesdays only, and added new 24-hour periodic test suites for external OIDC upstream parity across cloud platforms (AWS, Azure, GCP, vSphere, Metal) and AWS single-node, each with platform-specific test skip settings and configurations.

Changes

External OIDC Upstream Parity Testing Configuration

Layer / File(s)	Summary
Cron schedule update for vSphere OIDC test ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml	Updated e2e-vsphere-external-oidc-upstream-parity cron expression to run on all days of the week by replacing fixed day-of-week value with wildcard.
New external OIDC upstream parity default test suites ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml	Added 24-hour periodic test entries for AWS, Azure, GCP, vSphere, Metal OVN (ipv4/ipv6/dualstack), and AWS SNO. Cloud platform variants set OPENSHIFT_SKIP_EXTERNAL_TESTS: "True" and skip external OIDC tests. Metal variants add intranet capability and configure IP stack. AWS SNO extends test arguments with legacy node/apiserver invariants and audit-log-analyzer. All variants exclude ExternalOIDC feature gate tests.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only YAML Prow configuration, not Go test code. No Ginkgo test names present to evaluate. Check is not applicable.
Test Structure And Quality	✅ Passed	PR contains only YAML CI configuration changes (Prow periodic job definitions), not Ginkgo test code. The custom check requiring Ginkgo test code review is not applicable.
Microshift Test Compatibility	✅ Passed	This PR only modifies CI configuration YAML files to schedule existing tests. No new Ginkgo e2e tests are added. The MicroShift compatibility check applies only to new test code, not CI configuration.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added. This PR only modifies Prow CI configuration to schedule existing tests. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only Prow CI configuration (test scheduling), not deployment manifests, operator code, or controllers. The topology-aware scheduling check is not applicable.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration files for Prow job scheduling. OTE Binary Stdout Contract check applies to Go source code, not configuration files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR modifies only Prow CI job configuration (YAML), not Ginkgo test code. The custom check applies only to new Ginkgo e2e test additions, which are not present in this PR.
Title check	✅ Passed	The title clearly and specifically identifies the main change: adding ExternalOIDCWithUpstreamParity Default jobs, which directly matches the primary objective of adding periodic Prow jobs for this feature gate across multiple platforms.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml`:
- Line 457: The cron schedule for the vSphere periodic is set to weekly ("cron:
30 21 * * 3") but should run daily; update the YAML entry for the cron key (the
line containing "cron") to a daily schedule such as "30 21 * * *" so the job
runs every day at 21:30 UTC.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3e437c22-7c02-42c3-aca1-91c0d7849466

📥 Commits

Reviewing files that changed from the base of the PR and between 54c0523 and a953f60.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.23-periodics.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (2)

• ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.23__periodics.yaml
• ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-5.0__periodics.yaml

[ehearne-redhat]

As @everettraven pointed out in a conversation, we should probably have only 5.0 periodics.

Since openshift/hypershift#8287 adds new tests for this feature gate, we should probably hold off on merging until this one is merged.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ShazaAldawamneh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-gcp-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-azure-external-oidc-configure	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-sno-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-azure-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-dualstack-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv6-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv4-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ShazaAldawamneh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-dualstack-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-azure-external-oidc-configure	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv4-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-sno-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-vsphere-external-oidc-upstream-parity	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-gcp-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-metal-ovn-ipv6-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-azure-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed
periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-upstream-parity-default	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@ShazaAldawamneh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ehearne-redhat]

/hold
/lgtm

Holding as this PR is dependent on tests in openshift/hypershift#8287 . Once this is merged we can lift the hold.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat, ShazaAldawamneh
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/cluster-authentication-operator/OWNERS
• ci-operator/jobs/openshift/cluster-authentication-operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment