adding cluster claim

[JoaoFula]

and changing getting kubeconfig, base url and password

Summary by CodeRabbit

• Chores
  • Updated the integration testing infrastructure to use ephemeral cluster provisioning, improving resource efficiency and test reliability during the testing process.

[coderabbitai]

📝 Walkthrough

Walkthrough

The Tekton integration pipeline was refactored to replace static cluster provisioning with ephemeral cluster provisioning. A new task sourced from Konflux tasks provisions AWS/FIPS clusters on demand, and the e2e test task receives cluster credentials via a parameter mapped from provisioning task results rather than extracting them locally.

Changes

Ephemeral cluster provisioning migration

Layer / File(s)	Summary
New ephemeral cluster provisioning task .tekton/integration-tests/lightspeed-console-pre-commit.yaml	Added provision-ephemeral-cluster task using Konflux task definition with AWS/FIPS cluster configuration (region, timeout, version), replacing previous provision-cluster implementation.
Test task dependency and credential wiring .tekton/integration-tests/lightspeed-console-pre-commit.yaml	Rewired ols-e2e-tests to depend on provision-ephemeral-cluster and introduced clusterCredentialsSecretRef parameter wired from provisioning task results; added debug-secret-keys step to inspect secret structure.
Credential parameter and script integration .tekton/integration-tests/lightspeed-console-pre-commit.yaml	Updated run-e2e-tests environment to source KUBECONFIG_VALUE directly from credentials secret parameter, modified script to write kubeconfig and compute base URL via oc, hardcoded LOGIN_PASSWORD placeholder, and updated gather-cluster-resources references.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

• kyoto

Poem

🐰 A cluster born ephemeral and bright,
No static bonds to hold it tight—
Credentials flow through secret keys,
The pipeline dances in the breeze.
From provision to test, a seamless chain,
Konflux tasks ease the refactoring pain! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'adding cluster claim' directly reflects the main change in the pull request, which replaces the provision-cluster task with provision-ephemeral-cluster (that uses cluster claim parameters).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joaofula for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• .tekton/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/integration-tests/lightspeed-console-pre-commit.yaml (1)

233-243: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: oc command used before it's downloaded.

Line 234 executes oc --kubeconfig to compute BASE_URL, but the oc client isn't downloaded until lines 240-243. The Playwright image does not include the OpenShift CLI. This will fail with "command not found".

Move the oc download before computing BASE_URL, or move the BASE_URL computation after the download.

Proposed fix: move BASE_URL computation after oc download

              echo "$KUBECONFIG_VALUE" > /credentials/kubeconfig
-              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
              echo "COMMIT_SHA: ${COMMIT_SHA}"
-              echo "BASE_URL: ${BASE_URL}"
              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
              echo "---------------------------------------------"
              wget --no-verbose -O oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
                  && tar -xvzf oc.tar.gz \
                  && chmod +x kubectl oc \
                  && mv oc kubectl /usr/local/bin/
              echo "---------------------------------------------"
+              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
+              echo "BASE_URL: ${BASE_URL}"
+              echo "---------------------------------------------"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
233 - 243, The script computes BASE_URL using the oc binary (oc --kubeconfig
"$KUBECONFIG_PATH") before downloading/installing oc, causing a "command not
found" error; fix by moving the oc download/install block (the wget/tar/chmod/mv
sequence that installs kubectl and oc) to run before the export BASE_URL line
(or alternatively defer the export BASE_URL until after installation), ensuring
the oc client is available when computing BASE_URL using
KUBECONFIG_PATH/KUBECONFIG_VALUE.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 271-273: The LOGIN_PASSWORD is hardcoded to "placeholder" causing
auth failures; update the pipeline to read the real password from the secret
output exposed by the debug-secret-keys step and assign it to LOGIN_PASSWORD
(use the PASSWORD_VALUE variable referenced in the TODO) instead of the
placeholder. Locate the environment export for LOGIN_PASSWORD in the pre-commit
task and wire it to the secret output (or the pipeline/step result named by
debug-secret-keys) so LOGIN_PASSWORD is set from PASSWORD_VALUE at runtime
rather than a hardcoded string.
- Around line 40-49: The pipeline task block for provision-ephemeral-cluster is
using the wrong key; replace the top-level ref: block with taskRef: (keeping the
same resolver and params) so the task declaration matches how
eaas-provision-space is referenced; specifically update the
provision-ephemeral-cluster task block to use taskRef (with resolver: git and
the same url/revision/pathInRepo params) instead of ref.

---

Outside diff comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 233-243: The script computes BASE_URL using the oc binary (oc
--kubeconfig "$KUBECONFIG_PATH") before downloading/installing oc, causing a
"command not found" error; fix by moving the oc download/install block (the
wget/tar/chmod/mv sequence that installs kubectl and oc) to run before the
export BASE_URL line (or alternatively defer the export BASE_URL until after
installation), ensuring the oc client is available when computing BASE_URL using
KUBECONFIG_PATH/KUBECONFIG_VALUE.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9fbf07ee-9043-4c22-b2fa-b20e46bbefcb

📥 Commits

Reviewing files that changed from the base of the PR and between f62f15c and db6e7dd.

📒 Files selected for processing (1)

• .tekton/integration-tests/lightspeed-console-pre-commit.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Use taskRef instead of ref for pipeline tasks.

In Tekton v1beta1 Pipelines, tasks must be referenced using taskRef, not ref. The ref field is used for StepActions within steps (as correctly used at line 286), not for tasks at the pipeline level. This inconsistency with eaas-provision-space (line 24) will cause the pipeline to fail.

Proposed fix

     - name: provision-ephemeral-cluster
-      ref:
+      taskRef:
         resolver: git
         params:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: provision-ephemeral-cluster
	ref:
	resolver: git
	params:
	- name: url
	value: https://github.com/openshift/konflux-tasks
	- name: revision
	value: main
	- name: pathInRepo
	value: tasks/provision-ephemeral-cluster/0.1/provision-ephemeral-cluster.yaml
	- name: provision-ephemeral-cluster
	taskRef:
	resolver: git
	params:
	- name: url
	value: https://github.com/openshift/konflux-tasks
	- name: revision
	value: main
	- name: pathInRepo
	value: tasks/provision-ephemeral-cluster/0.1/provision-ephemeral-cluster.yaml

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines 40
- 49, The pipeline task block for provision-ephemeral-cluster is using the wrong
key; replace the top-level ref: block with taskRef: (keeping the same resolver
and params) so the task declaration matches how eaas-provision-space is
referenced; specifically update the provision-ephemeral-cluster task block to
use taskRef (with resolver: git and the same url/revision/pathInRepo params)
instead of ref.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Hardcoded placeholder password will cause authentication failures.

LOGIN_PASSWORD is set to "placeholder" which will cause any test requiring cluster authentication to fail. The TODO indicates the correct secret key is unknown.

Once the debug-secret-keys step output reveals the correct key name, wire PASSWORD_VALUE from the secret and use it here. Until then, e2e tests requiring login will not pass.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
271 - 273, The LOGIN_PASSWORD is hardcoded to "placeholder" causing auth
failures; update the pipeline to read the real password from the secret output
exposed by the debug-secret-keys step and assign it to LOGIN_PASSWORD (use the
PASSWORD_VALUE variable referenced in the TODO) instead of the placeholder.
Locate the environment export for LOGIN_PASSWORD in the pre-commit task and wire
it to the secret output (or the pipeline/step result named by debug-secret-keys)
so LOGIN_PASSWORD is set from PASSWORD_VALUE at runtime rather than a hardcoded
string.