From 9697d150f4e9ab8a42941596b89abab3c444989b Mon Sep 17 00:00:00 2001
From: omer-vishlitzky <omer.vishlitzky@gmail.com>
Date: Sat, 16 May 2026 15:07:08 +0300
Subject: [PATCH] OSAC-853: add AAP presubmit e2e-vmaas job using cluster-tool

Add e2e-vmaas presubmit test for osac-aap PRs. Unlike other OSAC
components, AAP has three independently-versioned artifacts: the
execution environment image, playbooks synced from git, and config
manifests. The standard single-image swap doesn't cover playbook sync.

Build the EE image from the PR source, copy config/ into the installer,
and embed the PR head SHA as a marker file. The boot script detects the
marker and overrides AAP_PROJECT_GIT_BRANCH and AAP_EE_IMAGE in the
kustomize overlay so AAP uses the PR's code for all three artifacts.
---
 .../osac-aap/osac-project-osac-aap-main.yaml  | 73 +++++++++++++++-
 ...sac-project-osac-aap-main-postsubmits.yaml |  1 +
 ...osac-project-osac-aap-main-presubmits.yaml | 85 ++++++++++++++++++-
 ...osac-project-cluster-tool-boot-commands.sh | 17 +++-
 4 files changed, 173 insertions(+), 3 deletions(-)

diff --git a/ci-operator/config/osac-project/osac-aap/osac-project-osac-aap-main.yaml b/ci-operator/config/osac-project/osac-aap/osac-project-osac-aap-main.yaml
index 6fb180f3c2594..04c00358d8c5f 100644
--- a/ci-operator/config/osac-project/osac-aap/osac-project-osac-aap-main.yaml
+++ b/ci-operator/config/osac-project/osac-aap/osac-project-osac-aap-main.yaml
@@ -1,3 +1,22 @@
+base_images:
+  dev-scripts:
+    name: test
+    namespace: ocp-kni
+    tag: dev-scripts
+  origin-cli:
+    name: "4.20"
+    namespace: ocp
+    tag: cli
+  osac-installer:
+    name: latest
+    namespace: osac-project
+    tag: osac-installer
+  osac-test-infra:
+    name: latest
+    namespace: osac-project
+    tag: osac-test-infra
+binary_build_commands: git rev-parse HEAD^2 > /tmp/source-sha 2>/dev/null || git rev-parse
+  HEAD > /tmp/source-sha
 build_root:
   image_stream_tag:
     name: release
@@ -9,10 +28,50 @@ images:
       FROM src
     from: src
     to: osac-aap
+  - dockerfile_literal: |
+      FROM quay.io/centos/centos:stream9
+      RUN dnf install -y python3.12 python3.12-pip python3.12-devel \
+          systemd-libs systemd-devel gcc git-core bind-utils krb5-devel \
+          && dnf clean all
+      COPY execution-environment/requirements.txt /tmp/requirements.txt
+      RUN python3.12 -m pip install --no-cache-dir -r /tmp/requirements.txt
+      COPY collections/ /usr/share/ansible/collections/
+      COPY vendor/ /usr/share/ansible/collections/
+      COPY oc /usr/local/bin/oc
+      RUN ln -s /usr/local/bin/oc /usr/local/bin/kubectl
+    from: src
+    inputs:
+      origin-cli:
+        paths:
+        - destination_dir: .
+          source_path: /usr/bin/oc
+    to: osac-aap-pr
+  - dockerfile_literal: |
+      FROM osac-installer
+      COPY config/ /installer/base/osac-aap/config/
+      COPY source-sha /installer/.aap-source-sha
+    inputs:
+      bin:
+        paths:
+        - destination_dir: .
+          source_path: /tmp/source-sha
+      osac-installer:
+        as:
+        - osac-installer
+    to: osac-installer-with-pr
 promotion:
   to:
-  - name: latest
+  - excluded_images:
+    - osac-aap-pr
+    - osac-installer-with-pr
+    name: latest
     namespace: osac-project
+releases:
+  latest:
+    candidate:
+      product: ocp
+      stream: nightly
+      version: "4.20"
 resources:
   '*':
     limits:
@@ -20,6 +79,18 @@ resources:
     requests:
       cpu: 100m
       memory: 200Mi
+tests:
+- as: e2e-vmaas
+  capabilities:
+  - intranet
+  steps:
+    dependencies:
+      COMPONENT_IMAGE: osac-aap-pr
+      OSAC_INSTALLER_IMAGE: osac-installer-with-pr
+      OSAC_TEST_IMAGE: osac-test-infra
+    env:
+      COMPONENT_IMAGE_NAME: osac-aap
+    workflow: osac-project-cluster-tool-vmaas
 zz_generated_metadata:
   branch: main
   org: osac-project
diff --git a/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-postsubmits.yaml b/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-postsubmits.yaml
index bb17ac465a30c..3917f9176765e 100644
--- a/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-postsubmits.yaml
+++ b/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-postsubmits.yaml
@@ -11,6 +11,7 @@ postsubmits:
     labels:
       ci-operator.openshift.io/is-promotion: "true"
       ci.openshift.io/generator: prowgen
+      job-release: "4.20"
     max_concurrency: 1
     name: branch-ci-osac-project-osac-aap-main-images
     spec:
diff --git a/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-presubmits.yaml b/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-presubmits.yaml
index 736195ec90b3e..403c29a0770b2 100644
--- a/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-presubmits.yaml
+++ b/ci-operator/jobs/osac-project/osac-aap/osac-project-osac-aap-main-presubmits.yaml
@@ -5,13 +5,96 @@ presubmits:
     branches:
     - ^main$
     - ^main-
-    cluster: build04
+    cluster: build06
+    context: ci/prow/e2e-vmaas
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      capability/intranet: intranet
+      ci.openshift.io/generator: prowgen
+      job-release: "4.20"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-osac-project-osac-aap-main-e2e-vmaas
+    rerun_command: /test e2e-vmaas
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=e2e-vmaas
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-vmaas,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build08
     context: ci/prow/images
     decorate: true
     decoration_config:
       skip_cloning: true
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.20"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-osac-project-osac-aap-main-images
     rerun_command: /test images
diff --git a/ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh b/ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh
index 016517a38dc61..d433219966db0 100644
--- a/ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh
+++ b/ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh
@@ -167,6 +167,21 @@ if [[ -n "${COMPONENT_IMAGE}" ]] && [[ -n "${COMPONENT_IMAGE_NAME}" ]]; then
     COMPONENT_OVERRIDE_CMD="curl -fsSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz | tar xzf - -C /usr/local/bin && cd /installer/base && kustomize edit set image ${COMPONENT_IMAGE_NAME}=${COMPONENT_IMAGE} && cd /installer && "
 fi
 
+# When testing an osac-aap PR, the installer-with-pr image contains
+# .aap-source-sha with the PR's head commit SHA. Override both
+# AAP_PROJECT_GIT_BRANCH (playbook sync) and AAP_EE_IMAGE (execution
+# environment) so AAP uses the PR's code instead of the pinned versions.
+AAP_OVERRIDE_CMD=""
+AAP_SOURCE_SHA=$(podman run --authfile /root/pull-secret --rm "${INSTALLER_IMAGE}" cat /installer/.aap-source-sha 2>/dev/null || true)
+if [[ -n "${AAP_SOURCE_SHA}" ]]; then
+    echo "=== AAP project git ref override: ${AAP_SOURCE_SHA} ==="
+    AAP_OVERRIDE_CMD="sed -i 's|AAP_PROJECT_GIT_BRANCH=.*|AAP_PROJECT_GIT_BRANCH=${AAP_SOURCE_SHA}|' /installer/overlays/${KUSTOMIZE_OVERLAY}/kustomization.yaml && grep -q 'AAP_PROJECT_GIT_BRANCH=${AAP_SOURCE_SHA}' /installer/overlays/${KUSTOMIZE_OVERLAY}/kustomization.yaml || { echo 'ERROR: AAP_PROJECT_GIT_BRANCH override failed'; exit 1; } && "
+    if [[ -n "${COMPONENT_IMAGE}" ]]; then
+        echo "=== AAP EE image override: ${COMPONENT_IMAGE} ==="
+        AAP_OVERRIDE_CMD="${AAP_OVERRIDE_CMD}sed -i 's|AAP_EE_IMAGE=.*|AAP_EE_IMAGE=${COMPONENT_IMAGE}|' /installer/overlays/${KUSTOMIZE_OVERLAY}/kustomization.yaml && grep -q 'AAP_EE_IMAGE=${COMPONENT_IMAGE}' /installer/overlays/${KUSTOMIZE_OVERLAY}/kustomization.yaml || { echo 'ERROR: AAP_EE_IMAGE override failed'; exit 1; } && "
+    fi
+fi
+
 # --- Phase 5: refresh ---
 echo "=== Running refresh ==="
 podman run --authfile /root/pull-secret --rm --network=host \
@@ -178,7 +193,7 @@ podman run --authfile /root/pull-secret --rm --network=host \
     -e INSTALLER_VM_TEMPLATE="${VM_TEMPLATE}" \
     -e INSTALLER_NAMESPACE="${NAMESPACE}" \
     "${INSTALLER_IMAGE}" \
-    bash -c "${COMPONENT_OVERRIDE_CMD}cd /installer && sh scripts/refresh-after-snapshot.sh"
+    bash -c "${COMPONENT_OVERRIDE_CMD}${AAP_OVERRIDE_CMD}cd /installer && sh scripts/refresh-after-snapshot.sh"
 
 echo "=== Boot + refresh complete ==="
 REMOTE_SCRIPT