From 5d6a09ac4c2fbcb4e4db986e02d57f11498df838 Mon Sep 17 00:00:00 2001
From: gangwgr <rgangwar@redhat.com>
Date: Fri, 29 May 2026 12:51:03 +0530
Subject: [PATCH] cli-manager-operator: add OTE extension test job

Add a step-registry ref and presubmit CI job to run cli-manager-operator
out-of-payload extension tests (OTE) via openshift-tests. The new
e2e-aws-operator-serial-ote job provisions a FIPS-enabled AWS cluster,
sets up a TestExtensionAdmission CR and ImageStream to let openshift-tests
discover the test extension binary from the operator image, then executes
the OTE suite.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 .../openshift-cli-manager-operator-main.yaml  | 13 +++
 ...-cli-manager-operator-main-presubmits.yaml | 78 ++++++++++++++++++
 ci-operator/step-registry/cli-manager/OWNERS  | 12 +++
 .../cli-manager/test-extension/OWNERS         | 12 +++
 .../cli-manager-test-extension-commands.sh    | 79 +++++++++++++++++++
 ...i-manager-test-extension-ref.metadata.json | 19 +++++
 .../cli-manager-test-extension-ref.yaml       | 23 ++++++
 7 files changed, 236 insertions(+)
 create mode 100644 ci-operator/step-registry/cli-manager/OWNERS
 create mode 100644 ci-operator/step-registry/cli-manager/test-extension/OWNERS
 create mode 100755 ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-commands.sh
 create mode 100644 ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.metadata.json
 create mode 100644 ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.yaml

diff --git a/ci-operator/config/openshift/cli-manager-operator/openshift-cli-manager-operator-main.yaml b/ci-operator/config/openshift/cli-manager-operator/openshift-cli-manager-operator-main.yaml
index c235c186623de..76cc40be4159c 100644
--- a/ci-operator/config/openshift/cli-manager-operator/openshift-cli-manager-operator-main.yaml
+++ b/ci-operator/config/openshift/cli-manager-operator/openshift-cli-manager-operator-main.yaml
@@ -48,6 +48,19 @@ tests:
         requests:
           cpu: 100m
     workflow: ipi-aws
+- as: e2e-aws-operator-serial-ote
+  skip_if_only_changed: ^\.tekton/|bundle.Dockerfile|\.md$|^(LICENSE|OWNERS)$
+  steps:
+    cluster_profile: openshift-org-aws
+    env:
+      FIPS_ENABLED: "true"
+      TEST_SUITE: openshift/cli-manager-operator/operator/serial
+    pre:
+    - chain: ipi-aws-pre
+    - ref: fips-check
+    test:
+    - ref: cli-manager-test-extension
+    workflow: ipi-aws
 - as: security
   optional: true
   skip_if_only_changed: ^\.tekton/|bundle.Dockerfile|\.md$|^(LICENSE|OWNERS)$
diff --git a/ci-operator/jobs/openshift/cli-manager-operator/openshift-cli-manager-operator-main-presubmits.yaml b/ci-operator/jobs/openshift/cli-manager-operator/openshift-cli-manager-operator-main-presubmits.yaml
index 3fa6a52ac09a6..b08a994667cc3 100644
--- a/ci-operator/jobs/openshift/cli-manager-operator/openshift-cli-manager-operator-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift/cli-manager-operator/openshift-cli-manager-operator-main-presubmits.yaml
@@ -78,6 +78,84 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-aws-operator,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build06
+    context: ci/prow/e2e-aws-operator-serial-ote
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - .ci-operator.yaml
+      - Dockerfile.ci
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: openshift-org-aws
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cli-manager-operator-main-e2e-aws-operator-serial-ote
+    rerun_command: /test e2e-aws-operator-serial-ote
+    skip_if_only_changed: ^\.tekton/|bundle.Dockerfile|\.md$|^(LICENSE|OWNERS)$
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --target=e2e-aws-operator-serial-ote
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-aws-operator-serial-ote,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:
diff --git a/ci-operator/step-registry/cli-manager/OWNERS b/ci-operator/step-registry/cli-manager/OWNERS
new file mode 100644
index 0000000000000..08454bd16f7b8
--- /dev/null
+++ b/ci-operator/step-registry/cli-manager/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+- ardaguclu
+- ingvagabund
+- p0lyn0mial
+- gangwgr
+- ropatil010
+reviewers:
+- ardaguclu
+- ingvagabund
+- p0lyn0mial
+- gangwgr
+- ropatil010
diff --git a/ci-operator/step-registry/cli-manager/test-extension/OWNERS b/ci-operator/step-registry/cli-manager/test-extension/OWNERS
new file mode 100644
index 0000000000000..08454bd16f7b8
--- /dev/null
+++ b/ci-operator/step-registry/cli-manager/test-extension/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+- ardaguclu
+- ingvagabund
+- p0lyn0mial
+- gangwgr
+- ropatil010
+reviewers:
+- ardaguclu
+- ingvagabund
+- p0lyn0mial
+- gangwgr
+- ropatil010
diff --git a/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-commands.sh b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-commands.sh
new file mode 100755
index 0000000000000..46710148225b0
--- /dev/null
+++ b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-commands.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+export PATH=/usr/libexec/origin:$PATH
+export HOME=/tmp/home
+mkdir -p "${HOME}"
+
+echo "Setting up cli-manager-operator extension testing"
+
+openshift-tests extension-admission create cli-manager-extensions \
+  --permit=test-extensions/*
+
+echo "Creating test-extensions namespace and ImageStream..."
+cat <<EOF | oc apply -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-extensions
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: cli-manager-operator-tests
+  namespace: test-extensions
+spec:
+  lookupPolicy:
+    local: false
+  tags:
+    - name: latest
+      annotations:
+        testextension.redhat.io/component: "cli-manager-operator"
+        testextension.redhat.io/binary: "/usr/bin/cli-manager-operator-tests-ext.gz"
+      from:
+        kind: DockerImage
+        name: ${EXTENSION_IMAGE}
+      importPolicy:
+        scheduled: false
+      referencePolicy:
+        type: Source
+EOF
+
+echo "Importing image to resolve ImageStreamTag..."
+oc import-image cli-manager-operator-tests:latest \
+  --from="${EXTENSION_IMAGE}" \
+  -n test-extensions \
+  --confirm
+
+echo "Annotating ImageStreamTag with extension metadata..."
+oc annotate imagestreamtag cli-manager-operator-tests:latest -n test-extensions \
+  testextension.redhat.io/component="cli-manager-operator" \
+  testextension.redhat.io/binary="/usr/bin/cli-manager-operator-tests-ext.gz" \
+  --overwrite
+
+echo "Verifying extension setup..."
+oc get testextensionadmission cli-manager-extensions -o yaml
+oc get imagestreamtag cli-manager-operator-tests:latest -n test-extensions -o yaml
+oc get imagestreamtag cli-manager-operator-tests:latest -n test-extensions -o jsonpath='{.metadata.annotations.testextension\.redhat\.io/component}{"\n"}' | grep -Fx "cli-manager-operator"
+oc get imagestreamtag cli-manager-operator-tests:latest -n test-extensions -o jsonpath='{.metadata.annotations.testextension\.redhat\.io/binary}{"\n"}' | grep -Fx "/usr/bin/cli-manager-operator-tests-ext.gz"
+
+echo "Installing krew..."
+if ! oc krew version; then
+  (
+    set -x; cd "$(mktemp -d)" &&
+    OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
+    ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
+    KREW="krew-${OS}_${ARCH}" &&
+    curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
+    tar zxvf "${KREW}.tar.gz" &&
+    ./"${KREW}" install krew
+  )
+fi
+export PATH="${HOME}/.krew/bin:${PATH}"
+
+echo "Running cli-manager-operator OTE test suite..."
+openshift-tests run "${TEST_SUITE}" \
+  --junit-dir="${ARTIFACT_DIR}/junit"
diff --git a/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.metadata.json b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.metadata.json
new file mode 100644
index 0000000000000..08817f805d5f5
--- /dev/null
+++ b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.metadata.json
@@ -0,0 +1,19 @@
+{
+	"path": "cli-manager/test-extension/cli-manager-test-extension-ref.yaml",
+	"owners": {
+		"approvers": [
+			"ardaguclu",
+			"ingvagabund",
+			"p0lyn0mial",
+			"gangwgr",
+			"ropatil010"
+		],
+		"reviewers": [
+			"ardaguclu",
+			"ingvagabund",
+			"p0lyn0mial",
+			"gangwgr",
+			"ropatil010"
+		]
+	}
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.yaml b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.yaml
new file mode 100644
index 0000000000000..64b327e99e8dc
--- /dev/null
+++ b/ci-operator/step-registry/cli-manager/test-extension/cli-manager-test-extension-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+  as: cli-manager-test-extension
+  from: tests
+  commands: cli-manager-test-extension-commands.sh
+  timeout: 3600s
+  env:
+  - name: TEST_SUITE
+    default: "openshift/cli-manager-operator/operator/serial"
+    documentation: |-
+      The OTE test suite to run
+  dependencies:
+  - name: cli-manager-operator
+    env: EXTENSION_IMAGE
+  resources:
+    requests:
+      cpu: "3"
+      memory: 600Mi
+    limits:
+      memory: 10Gi
+  documentation: |-
+    Sets up and runs the cli-manager-operator out-of-payload OTE extension tests.
+    Creates a TestExtensionAdmission CR and ImageStream to allow openshift-tests
+    to discover and execute the extension binary from the operator image.