CORS-4510: Add GCD cluster profile

[rochacbruno]

Summary

• Add gcd (Google Cloud Dedicated) cluster profile with cluster_type: gcp, owned by openshift/installer
• Add cluster-secrets-gcd to secret bootstrap config (distributed to non_app_ci clusters)
• Add 3 Boskos quota slices for gcd-quota-slice (region europe-west3)

The installer CI job (e2e-gcd) will be added in a follow-up PR once the profile is registered.

Context

Part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

Companion PRs

• CORS-4510: Add GCD cluster profile ci-tools#5261 - registers ClusterProfileGCD in clusterprofile.go (must merge first)
• CORS-4420, CORS-4421, CORS-4422, CORS-4449, CORS-4514, CORS-4515: Add GCP Germany Sovereign Cloud support installer#10630 - adds GCP Germany Sovereign Cloud support to the installer

Test plan

• ci-tools PR merges first
• Vault secret cluster-secrets-gcd is populated with WIF credential config
• WIF pool/provider setup completed in GCD (tracked separately)
• Follow-up PR adds e2e-gcd installer job

Generated with Claude Code

Summary by CodeRabbit

This PR establishes infrastructure support for the GCD (Google Cloud Dedicated) cluster profile, enabling OpenShift installer testing on Google Cloud Dedicated's Berlin environment using Workload Identity Federation authentication.

Infrastructure Changes:

1. Cluster Profile Registration (cluster-profiles-config.yaml): Added a new gcd cluster profile configured for GCP with ownership assigned to both the openshift/installer and csi-operator teams, making it available for CI jobs targeting this testing environment.

2. Secret Distribution (ci-secret-bootstrap/_config.yaml): Integrated cluster-secrets-gcd into the secret bootstrap configuration to distribute credentials to non_app_ci clusters, ensuring proper credential management for the new profile.

3. Resource Quotas (_boskos.yaml): Added three Boskos quota slices for gcd-quota-slice in the europe-west3 region to manage resource allocation for GCD cluster provisioning.

Scope: This PR focuses exclusively on cluster profile registration and infrastructure setup. The corresponding e2e-gcd installer CI job will be added in a follow-up PR once the profile becomes available in the system (dependent on openshift/ci-tools#5261).

[coderabbitai]

Walkthrough

A new gcd cluster profile is registered in three configuration files: the cluster profile registry (type gcp, owner openshift/installer), the secret bootstrap config (cluster-secrets-gcd targeting non_app_ci), and Boskos quota resources (two germany-northeast1 quota slices).

Changes

gcd Cluster Profile Registration

Layer / File(s)	Summary
gcd profile definition, secrets, and quota slices ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml, core-services/ci-secret-bootstrap/_config.yaml, core-services/prow/02_config/_boskos.yaml	Adds the gcd profile entry with cluster_type: gcp and openshift/installer ownership, a cluster-secrets-gcd secret destination targeting cluster_groups: [non_app_ci] in the ci namespace, and two germany-northeast1--gcd-quota-slice-{0,1} Boskos resources with state: free.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains only YAML configuration files (cluster-profiles-config.yaml, _config.yaml, _boskos.yaml) with no Go test files or Ginkgo tests. The custom check for stable test names is not applic...
Test Structure And Quality	✅ Passed	This PR contains only YAML configuration files (cluster-profiles-config.yaml, _config.yaml, _boskos.yaml) and no Ginkgo test code. The check is not applicable.
Microshift Test Compatibility	✅ Passed	PR contains only YAML configuration files (cluster profiles, secret bootstrap, Boskos resources) with no Ginkgo e2e tests. MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to YAML configuration files (cluster profile, secret bootstrap, and Boskos quota configuration). The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies infrastructure configuration files (cluster profiles, secret bootstrap, Boskos quotas) without adding deployment manifests, operator code, or controllers with scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration files (cluster profiles, secret bootstrap, Boskos resource config); no OTE binary, test code, or stdout-writing code is present.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds infrastructure configuration (YAML files) for a new cluster profile, not Ginkgo e2e tests. The e2e tests (e2e-gcd) are deferred to a follow-up PR, making this check not applicable.
No-Weak-Crypto	✅ Passed	PR adds only YAML configuration files for cluster profiles, secrets, and Boskos quotas with no cryptographic code, weak crypto algorithms, or custom implementations.
Container-Privileges	✅ Passed	The PR modifies only configuration files (cluster profiles, secret bootstrap, and resource quotas) that do not contain Kubernetes container/pod manifests. No privilege-related configurations detected.
No-Sensitive-Data-In-Logs	✅ Passed	All additions are YAML configuration files containing only metadata and resource identifiers. No passwords, tokens, API keys, PII, or sensitive data are exposed in the added content.
Title check	✅ Passed	The title is concise and clearly describes the main change: adding the GCD cluster profile.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-merge-bot]

@rochacbruno, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: invalid ci-operator config: invalid configuration: tests[28]: invalid cluster profile "gcd"

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-merge-bot]

@rochacbruno, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: invalid ci-operator config: invalid configuration: tests[28]: invalid cluster profile "gcd"

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[tthvo]

I wonder if we should scope this PR to just adding the cluster-profile. We can add the installer CI job in a follow-up 🤔 WDYT?

[rochacbruno]

@tthvo Good point. The CI tests are failing because the ci-tools PR (openshift/ci-tools#5261) needs to merge first to register the gcd cluster profile - otherwise validation rejects it as invalid.

I'll split this into two PRs:

1. This PR - scoped to just the cluster profile registration (cluster-profiles-config, boskos, secret bootstrap)
2. Follow-up PR - adds the e2e-gcd installer CI job once the profile is available

Will push an update shortly.

[patrickdillon]

@coderabbitai can you look at the details of the failing tests?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="openshift/release"
pr="80743"

echo "== PR overview =="
gh pr view "$pr" --repo "$repo" --json number,title,url,state,headRefName,baseRefName,statusCheckRollup \
  --jq '{
    number,
    title,
    url,
    state,
    headRefName,
    baseRefName,
    checks: (.statusCheckRollup // [] | map({
      name: .name,
      conclusion: (.conclusion // .state // "UNKNOWN"),
      detailsUrl: (.detailsUrl // ""),
      workflow: (.workflowName // ""),
      startedAt: (.startedAt // ""),
      completedAt: (.completedAt // "")
    }))
  }'

echo
echo "== Failed / non-success checks =="
gh pr view "$pr" --repo "$repo" --json statusCheckRollup \
  --jq '.statusCheckRollup // [] | map(select((.conclusion // .state // "UNKNOWN") != "SUCCESS")) | map({
      name: .name,
      conclusion: (.conclusion // .state // "UNKNOWN"),
      detailsUrl: (.detailsUrl // ""),
      workflow: (.workflowName // ""),
      startedAt: (.startedAt // ""),
      completedAt: (.completedAt // "")
    })'

echo
echo "== Recent issue comments mentioning failure/invalid/gcd =="
gh api "repos/$repo/issues/$pr/comments?per_page=100" --jq '
  map(select((.body | ascii_downcase) | test("fail|invalid|gcd|ci-tools|validation"))) |
  map({
    user: .user.login,
    created_at,
    body
  })'

Length of output: 27475

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

urls=(
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/pull-ci-openshift-release-check-gh-automation/2067620749031510016"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/pull-ci-openshift-release-main-generated-config/2067621656372711424"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/pull-ci-openshift-release-main-ci-operator-config-metadata/2067616903194480640"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/pull-ci-openshift-release-check-cluster-profiles-config/2069350340913795072"
  "https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/pull-ci-openshift-release-main-boskos-config-generation/2069350356013289472"
)

workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

fetch_one() {
  local url="$1"
  local id
  id="$(basename "$url")"
  local page="$workdir/$id.html"
  echo "== JOB PAGE: $url =="
  curl -fsSL "$url" -o "$page" || { echo "failed to fetch page"; echo; return; }

  # Print a compact summary from the HTML if present.
  grep -Eo 'pull-ci-[^"< ]+' "$page" | head -n1 || true
  grep -Eo 'FAILED|FAILURE|SUCCESS|PENDING' "$page" | head -n3 || true

  # Extract candidate log/artifact links from the page.
  echo "-- candidate artifact links --"
  grep -Eo 'https://gcsweb[^\"]+|/view/gcs/test-platform-results[^\"]+|/view/gs/test-platform-results[^\"]+' "$page" | sed 's/&amp;/\&/g' | head -n 20 || true

  # Try common artifact paths directly from the known Prow layout.
  local base="https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/80743"
  local job_path
  job_path="$(echo "$url" | sed -E 's#https://prow\.ci\.openshift\.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80743/##')"

  echo "-- trying common artifact URLs --"
  for suffix in \
    "artifacts/build-log.txt" \
    "build-log.txt" \
    "artifacts/e2e/build-log.txt" \
    "artifacts/artifacts/build-log.txt" \
    "prowjob.json" \
    "finished.json" \
    "artifacts/junit_operator.xml" \
    "junit_operator.xml"; do
    candidate="$base/$job_path/$suffix"
    code="$(curl -s -o "$workdir/out.tmp" -w '%{http_code}' "$candidate" || true)"
    if [ "$code" = "200" ]; then
      echo "FOUND $candidate"
      echo "--- excerpt from $suffix ---"
      grep -nEi 'error|failed|failure|invalid|panic|traceback|cannot|unable|not found' "$workdir/out.tmp" | head -n 40 || sed -n '1,120p' "$workdir/out.tmp"
    fi
  done
  echo
}

for url in "${urls[@]}"; do
  fetch_one "$url"
done

Length of output: 77426

---

---

@patrickdillon I checked the failing jobs.

There are really two buckets of failures here:

• Older commit failures (c36f6c2...) from before the PR was split down
• Current failures on the latest commit (6a7ee1b...)

Older failures on c36f6c2...

These all fail for the same reason:

• ci/prow/check-gh-automation
• ci/prow/generated-config
• ci/prow/ci-operator-config-metadata

All three report:

invalid ci-operator config: invalid configuration: tests[28]: invalid cluster profile "gcd"

coming from:

ci-operator/config/openshift/installer/openshift-installer-main.yaml

So this matches the earlier explanation: the branch still had installer CI config referencing gcd, but the profile wasn’t yet registered in ci-tools/resolver logic.

Current failures on 6a7ee1b...

These look like the ones that still matter now:

1. ci/prow/check-cluster-profiles-config
   Fails with:

   failed to validate secrets for cluster profiles
   failed to retrieve details from config resolver for 'gcd' cluster profile
   

   This looks like the same underlying dependency issue: the resolver/check logic still doesn’t know about gcd yet.

2. ci/prow/boskos-config-generation
   Fails with:

   ERROR: This check enforces that the Boskos configuration is generated
   ...
   ERROR: Run the following command to re-generate the Boskos configuration:
   ERROR: $ make boskos-config
   

   So this one is separate: it’s complaining that the generated Boskos config is out of date relative to the _boskos.yaml change.

Bottom line

• The cluster-profile-related failures are consistent with gcd not being fully registered/available in the resolver yet.
• The Boskos failure looks like a normal generated-file drift issue and likely needs the generated Boskos output refreshed and committed.

If you want, I can also dig one step further and identify exactly which generated Boskos file is expected to change.

[deepsm007]

/approve
wait for openshift/ci-tools#5261 to be merged and build

[tthvo]

/retitle CORS-4510: Add GCD cluster profile

[openshift-ci-robot]

@rochacbruno: This pull request references CORS-4510 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Add gcd (Google Cloud Dedicated) cluster profile with cluster_type: gcp, owned by openshift/installer
• Add cluster-secrets-gcd to secret bootstrap config (distributed to non_app_ci clusters)
• Add 3 Boskos quota slices for gcd-quota-slice (region europe-west3)

The installer CI job (e2e-gcd) will be added in a follow-up PR once the profile is registered.

Context

Part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

Companion PRs

• CORS-4510: Add GCD cluster profile ci-tools#5261 - registers ClusterProfileGCD in clusterprofile.go (must merge first)
• CORS-4420, CORS-4421, CORS-4422, CORS-4449, CORS-4514, CORS-4515: Add GCP Germany Sovereign Cloud support installer#10630 - adds GCP Germany Sovereign Cloud support to the installer

Test plan

• ci-tools PR merges first
• Vault secret cluster-secrets-gcd is populated with WIF credential config
• WIF pool/provider setup completed in GCD (tracked separately)
• Follow-up PR adds e2e-gcd installer job

Generated with Claude Code

Summary by CodeRabbit

This PR establishes infrastructure support for the GCD (Google Cloud Dedicated) cluster profile, enabling OpenShift installer testing on Google Cloud Dedicated's Berlin environment using Workload Identity Federation authentication.

Infrastructure Changes:

1. Cluster Profile Registration (cluster-profiles-config.yaml): Added a new gcd cluster profile configured for GCP with ownership assigned to both the openshift/installer and csi-operator teams, making it available for CI jobs targeting this testing environment.

2. Secret Distribution (ci-secret-bootstrap/_config.yaml): Integrated cluster-secrets-gcd into the secret bootstrap configuration to distribute credentials to non_app_ci clusters, ensuring proper credential management for the new profile.

3. Resource Quotas (_boskos.yaml): Added three Boskos quota slices for gcd-quota-slice in the europe-west3 region to manage resource allocation for GCD cluster provisioning.

Scope: This PR focuses exclusively on cluster profile registration and infrastructure setup. The corresponding e2e-gcd installer CI job will be added in a follow-up PR once the profile becomes available in the system (dependent on openshift/ci-tools#5261).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rochacbruno]

check-cluster-profiles-config fails because the cluster-secrets-gcd K8s secret doesn't exist in the cluster yet (vault hasn't been populated). This should be a non-blocking/optional check, it will pass once the vault secret is created.

[patrickdillon]

/lgtm

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rochacbruno: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[patrickdillon]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, patrickdillon, rochacbruno

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/cluster-profiles/OWNERS [deepsm007]
• core-services/ci-secret-bootstrap/OWNERS [deepsm007]
• core-services/prow/02_config/OWNERS [deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@rochacbruno: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/check-gh-automation	c36f6c2	link	true	/test check-gh-automation
ci/prow/generated-config	c36f6c2	link	true	/test generated-config
ci/prow/ci-operator-config-metadata	c36f6c2	link	true	/test ci-operator-config-metadata
ci/prow/check-cluster-profiles-config	1571b53	link	false	/test check-cluster-profiles-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

@rochacbruno: Updated the following 3 configmaps:

• ci-secret-bootstrap configmap in namespace ci at cluster app.ci using the following files:
  • key _config.yaml using file core-services/ci-secret-bootstrap/_config.yaml
• ci-secret-bootstrap configmap in namespace ci at cluster core-ci using the following files:
  • key _config.yaml using file core-services/ci-secret-bootstrap/_config.yaml
• resources configmap in namespace ci at cluster app.ci using the following files:
  • key boskos.yaml using file core-services/prow/02_config/_boskos.yaml

Details

In response to this:

Summary

• Add gcd (Google Cloud Dedicated) cluster profile with cluster_type: gcp, owned by openshift/installer
• Add cluster-secrets-gcd to secret bootstrap config (distributed to non_app_ci clusters)
• Add 3 Boskos quota slices for gcd-quota-slice (region europe-west3)

The installer CI job (e2e-gcd) will be added in a follow-up PR once the profile is registered.

Context

Part of CORS-4508: setting up Workload Identity Federation authentication for the OpenShift installer on Google Cloud Dedicated (Berlin environment).

Companion PRs

• CORS-4510: Add GCD cluster profile ci-tools#5261 - registers ClusterProfileGCD in clusterprofile.go (must merge first)
• CORS-4420, CORS-4421, CORS-4422, CORS-4449, CORS-4514, CORS-4515: Add GCP Germany Sovereign Cloud support installer#10630 - adds GCP Germany Sovereign Cloud support to the installer

Test plan

• ci-tools PR merges first
• Vault secret cluster-secrets-gcd is populated with WIF credential config
• WIF pool/provider setup completed in GCD (tracked separately)
• Follow-up PR adds e2e-gcd installer job

Generated with Claude Code

Summary by CodeRabbit

This PR establishes infrastructure support for the GCD (Google Cloud Dedicated) cluster profile, enabling OpenShift installer testing on Google Cloud Dedicated's Berlin environment using Workload Identity Federation authentication.

Infrastructure Changes:

1. Cluster Profile Registration (cluster-profiles-config.yaml): Added a new gcd cluster profile configured for GCP with ownership assigned to both the openshift/installer and csi-operator teams, making it available for CI jobs targeting this testing environment.

2. Secret Distribution (ci-secret-bootstrap/_config.yaml): Integrated cluster-secrets-gcd into the secret bootstrap configuration to distribute credentials to non_app_ci clusters, ensuring proper credential management for the new profile.

3. Resource Quotas (_boskos.yaml): Added three Boskos quota slices for gcd-quota-slice in the europe-west3 region to manage resource allocation for GCD cluster provisioning.

Scope: This PR focuses exclusively on cluster profile registration and infrastructure setup. The corresponding e2e-gcd installer CI job will be added in a follow-up PR once the profile becomes available in the system (dependent on openshift/ci-tools#5261).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.