CORS-4510: Add GCD cluster profile

[rochacbruno]

Summary

• Register ClusterProfileGCD ("gcd") for Google Cloud Dedicated
• Maps to cluster type "gcp" (reuses existing GCP cloud type)
• Lease type: "gcd-quota-slice"
• Added to LeaseTypeFromClusterType for template-based test compatibility

Context

This is part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

The corresponding openshift/release PR will add the cluster profile config, Boskos quota slices, secret bootstrap entry, and installer CI job configuration.

Generated with Claude Code

Summary

This PR extends OpenShift CI’s cluster profile support to include Google Cloud Dedicated (GCD) by introducing a new gcd cluster profile in the CI API layer. CI jobs can now reference gcd as a first-class target, while the tooling reuses the existing Google Cloud (GCP) provider implementation under the hood.

Changes

pkg/api/clusterprofile.go

• Added a new exported cluster profile constant: ClusterProfileGCD ("gcd").
• Registered gcd in the list of supported cluster profiles (ClusterProfiles()).
• Updated profile-to-cloud-type mapping so gcd is treated like the existing GCP-based cloud type.
• Added gcd to LeaseTypeFromClusterType and wired the profile to a dedicated lease type: gcd-quota-slice.
  • This keeps template-based CI tests compatible by ensuring the lease-type resolution logic understands the new gcd cluster type.

Impact

CI operators and job authors can configure and run tests against Google Cloud Dedicated clusters by selecting the new gcd profile, without duplicating provider logic. The implementation also ensures quota-slice lease handling works correctly for GCD (gcd-quota-slice), which is a prerequisite for the Berlin environment setup related to Workload Identity Federation authentication for the OpenShift installer (CORS-4508).

Test/validation notes

The PR triggered end-to-end testing and retesting requests (/test e2e and /retest e2e) and included coordination on CI overrides for e2e execution. An approval was provided after review and naming verification.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new exported constant ClusterProfileGCD = "gcd" and wires it into profile enumeration, cluster-type mapping, lease-type mapping, and lease-type derivation from cluster type.

Changes

GCD Cluster Profile Registration

Layer / File(s)	Summary
Profile constant and mappings pkg/api/clusterprofile.go	Declares ClusterProfileGCD, includes it in ClusterProfiles(), maps it in ClusterType(), returns gcd-quota-slice from LeaseType(), and accepts gcd in LeaseTypeFromClusterType.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 16 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Coverage For New Features	⚠️ Warning	No direct tests cover the new gcd profile mapping; pkg/api has no clusterprofile tests, and LeaseTypeFromClusterType has no test at all.	Add table-driven tests in pkg/api for ClusterProfiles(), ClusterType(), LeaseType(), and LeaseTypeFromClusterType with gcd -> gcp/gcd-quota-slice.

✅ Passed checks (16 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	PASS: The GCD additions only touch constants/switches; no ignored errors, panics, or unsafe nil dereferences were introduced.
Stable And Deterministic Test Names	✅ Passed	PASS: Only pkg/api/clusterprofile.go changed; it adds a constant/mappings, and no Ginkgo test titles were introduced or edited.
Test Structure And Quality	✅ Passed	PR only changes pkg/api/clusterprofile.go; no *_test.go files or Ginkgo tests were modified, so this test-quality check is not applicable.
Microshift Test Compatibility	✅ Passed	PASS: The PR only updates pkg/api/clusterprofile.go for GCD profile mappings; it adds no new Ginkgo e2e tests or MicroShift-unsafe APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Only pkg/api/clusterprofile.go changed; no Ginkgo e2e tests were added, and no SNO-sensitive test logic exists in the diff.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds a cluster profile constant and mapping logic in pkg/api/clusterprofile.go; no manifests, controllers, or scheduling constraints were introduced.
Ote Binary Stdout Contract	✅ Passed	PR only adds GCD enum/mapping entries in pkg/api/clusterprofile.go; no stdout/log writes or process-level setup code were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Only cluster-profile mappings changed in pkg/api/clusterprofile.go; no new Ginkgo e2e tests or network-dependent code were added.
No-Weak-Crypto	✅ Passed	Only enum/mapping additions in clusterprofile.go; no weak algorithms, custom crypto, or secret comparisons were introduced.
Container-Privileges	✅ Passed	PASS: The PR only changes pkg/api/clusterprofile.go to add GCD profile mappings; no container/K8s manifests or privilege-related fields are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PASS: The change only adds GCD profile/type mappings; the file contains no new logging or output paths exposing secrets, PII, hostnames, or tokens.
Title check	✅ Passed	The title clearly summarizes the main change: adding a new GCD cluster profile.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[rochacbruno]

cc @patrickdillon @barbacbd

[rochacbruno]

/retest

[tthvo]

/test e2e

[patrickdillon]

/lgtm
Names look good & comparing to #4973 looks like everything is covered
Will ping the test platform team for approval

[patrickdillon]

/retest e2e

[tthvo]

/test e2e

[Prucek]

/override ci/prow/e2e

[openshift-ci]

@Prucek: Overrode contexts on behalf of Prucek: ci/prow/e2e

Details

In response to this:

/override ci/prow/e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD e05bba9 and 2 for PR HEAD a3f44ae in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD a1a4aa3 and 1 for PR HEAD a3f44ae in total

[tthvo]

/lgtm

[rochacbruno]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 79476b2 and 2 for PR HEAD 3d7ecc2 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 86bf880 and 1 for PR HEAD 3d7ecc2 in total

[rochacbruno]

/retest-required

[tthvo]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD dda4ca4 and 0 for PR HEAD 3d7ecc2 in total

[openshift-merge-bot]

/hold

Revision 3d7ecc2 was retested 3 times: holding

[tthvo]

/hold cancel

We may need an override here :D

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD dda4ca4 and 2 for PR HEAD 3d7ecc2 in total

[tthvo]

/test e2e

[patrickdillon]

@coderabbitai why are the tests failing on this pr?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="openshift/ci-tools"
pr="5261"

echo "== PR status =="
gh pr view "$pr" --repo "$repo" --json number,state,isDraft,headRefName,baseRefName,statusCheckRollup \
  --jq '{
    number,
    state,
    isDraft,
    headRefName,
    baseRefName,
    checks: (.statusCheckRollup // [] | map(
      if has("workflowName") then
        {
          kind: "check",
          name: ((.workflowName // "unknown") + " / " + (.name // "unknown")),
          status,
          conclusion,
          detailsUrl
        }
      else
        {
          kind: "status",
          name: (.context // "unknown"),
          state,
          targetUrl,
          description
        }
      end
    ))
  }'

echo
echo "== Failed / pending checks only =="
gh pr view "$pr" --repo "$repo" --json statusCheckRollup \
  --jq '.statusCheckRollup // []
    | map(
      if has("workflowName") then
        {
          kind: "check",
          name: ((.workflowName // "unknown") + " / " + (.name // "unknown")),
          status,
          conclusion,
          detailsUrl
        }
      else
        {
          kind: "status",
          name: (.context // "unknown"),
          state,
          targetUrl,
          description
        }
      end
    )
    | map(select(
        (.kind == "check" and ((.conclusion != "SUCCESS") or (.status != "COMPLETED")))
        or
        (.kind == "status" and (.state != "SUCCESS"))
      ))'

echo
echo "== Recent PR comments (last 20) =="
gh pr view "$pr" --repo "$repo" --comments --json comments \
  --jq '.comments[-20:] | map({author: .author.login, createdAt, body})'

Length of output: 13562

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

urls=(
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ci-tools/5261/pull-ci-openshift-ci-tools-main-breaking-changes/2069852764065763328"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ci-tools/5261/pull-ci-openshift-ci-tools-main-e2e/2070363820177494016"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_ci-tools/5261/pull-ci-openshift-ci-tools-main-integration/2070337968417017856"
)

for url in "${urls[@]}"; do
  echo "===== JOB: $url ====="
  base="${url#https://prow.ci.openshift.org/view/gs/}"
  gcs="https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/${base}"
  echo "GCS base: $gcs"

  echo "-- finished.json --"
  curl -fsSL "${gcs}/finished.json" | jq . || echo "finished.json unavailable"

  echo "-- prowjob.json (subset) --"
  curl -fsSL "${gcs}/prowjob.json" | jq '{state: .status.state, description: .status.description, url: .status.url, job: .spec.job, cluster: .spec.cluster}' || echo "prowjob.json unavailable"

  echo "-- build-log error summary --"
  tmp=$(mktemp)
  if curl -fsSL "${gcs}/build-log.txt" -o "$tmp"; then
    rg -n -i -C2 '(^E[0-9]{4} )|(error:)|(fail(ed|ure))|(panic:)|(timed? out)|(context deadline exceeded)|(no such host)|(connection refused)|(quota)|(boskos)|(unable to)|(cannot )' "$tmp" | tail -n 80 || true
    echo "-- tail build-log --"
    tail -n 80 "$tmp" || true
  else
    echo "build-log.txt unavailable"
  fi
  rm -f "$tmp"
  echo
done

Length of output: 63518

---

---

@patrickdillon The PR has 3 separate failures:

• ci/prow/breaking-changes: this is failing because determinize-prow-config would modify openshift/release (core-services/prow/.../_pluginconfig.yaml files). So this one is a downstream sync issue, not a unit-test failure in this PR.
• ci/prow/integration: this fails in the clusterimageset-updater integration suite because generated output no longer matches the expected fixture (diff ... input ... output fails).
• ci/prow/e2e: this is failing in pod-scaler admission tests with local API connection-refused errors (0.0.0.0:46483) and 3 test failures. From the log, that looks unrelated to the new gcd cluster-profile code path and more like a flaky/test-harness issue.

So short version: not one root cause, and the visible failures do not point directly at the ClusterProfileGCD change itself. The only clearly actionably related one is breaking-changes, which needs the corresponding openshift/release update to land.

[rochacbruno]

The only clearly actionably related one is breaking-changes, which needs the corresponding openshift/release update to land

@patrickdillon the /release PR is depending on this one, what is the proper order to merge? os is there something I can split from that PR to make breaking-changes happy?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, patrickdillon, Prucek, rochacbruno, tthvo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepsm007]

/override ci/prow/e2e
/override ci/prow/integration

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/e2e, ci/prow/integration

Details

In response to this:

/override ci/prow/e2e
/override ci/prow/integration

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tthvo]

/tide refresh

[deepsm007]

/override ci/prow/breaking-changes

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/breaking-changes

Details

In response to this:

/override ci/prow/breaking-changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[deepsm007]

/override ci/prow/images

[openshift-ci]

@deepsm007: Overrode contexts on behalf of deepsm007: ci/prow/images

Details

In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tthvo]

/retitle CORS-4510: Add GCD cluster profile

[openshift-ci-robot]

@rochacbruno: This pull request references CORS-4510 which is a valid jira issue.

Details

In response to this:

Summary

• Register ClusterProfileGCD ("gcd") for Google Cloud Dedicated
• Maps to cluster type "gcp" (reuses existing GCP cloud type)
• Lease type: "gcd-quota-slice"
• Added to LeaseTypeFromClusterType for template-based test compatibility

Context

This is part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

The corresponding openshift/release PR will add the cluster profile config, Boskos quota slices, secret bootstrap entry, and installer CI job configuration.

Generated with Claude Code

Summary

This PR extends OpenShift CI’s cluster profile support to include Google Cloud Dedicated (GCD) by introducing a new gcd cluster profile in the CI API layer. CI jobs can now reference gcd as a first-class target, while the tooling reuses the existing Google Cloud (GCP) provider implementation under the hood.

Changes

pkg/api/clusterprofile.go

• Added a new exported cluster profile constant: ClusterProfileGCD ("gcd").
• Registered gcd in the list of supported cluster profiles (ClusterProfiles()).
• Updated profile-to-cloud-type mapping so gcd is treated like the existing GCP-based cloud type.
• Added gcd to LeaseTypeFromClusterType and wired the profile to a dedicated lease type: gcd-quota-slice.
• This keeps template-based CI tests compatible by ensuring the lease-type resolution logic understands the new gcd cluster type.

Impact

CI operators and job authors can configure and run tests against Google Cloud Dedicated clusters by selecting the new gcd profile, without duplicating provider logic. The implementation also ensures quota-slice lease handling works correctly for GCD (gcd-quota-slice), which is a prerequisite for the Berlin environment setup related to Workload Identity Federation authentication for the OpenShift installer (CORS-4508).

Test/validation notes

The PR triggered end-to-end testing and retesting requests (/test e2e and /retest e2e) and included coordination on CI overrides for e2e execution. An approval was provided after review and naming verification.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.