GCP-431: feat: pass cloud-network SA to GCP HyperShift e2e tests #78529

Closed
patjlm wants to merge 1 commit into openshift:main from patjlm:fix/add-network-service-account
patjlm commented Apr 29, 2026

Summary

  • Extract cloud-network SA email from IAM output in hosted-cluster-setup step
  • Pass --e2e.gcp-network-sa flag to e2e test binary in run-e2e step

Context

HyperShift PR openshift/hypershift#7824 added e2e flag plumbing for the CNCC
network service account (--e2e.gcp-network-sa). The CI step needs to extract
the SA email and pass it through.

Dependencies

Jira

Summary by CodeRabbit

  • New Features
    • GCP network service account configuration is now extracted and validated during hosted cluster setup from IAM/WIF output, with service account credentials automatically stored for downstream operations
    • Network service account parameter is now supported in e2e testing workflows and can be passed through to testing infrastructure

Extract the cloud-network (CNCC) service account email from the IAM
output and pass it to the e2e test binary via --e2e.gcp-network-sa.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Apr 29, 2026

openshift-ci-robot commented Apr 29, 2026

@patjlm: This pull request references GCP-431 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

coderabbitai Bot commented Apr 29, 2026

Walkthrough

The changes add support for a GCP network service account parameter to the HyperShift GCP CI workflow. The hosted-cluster-setup script extracts a cloud-network value from IAM/WIF output JSON and writes it to a shared directory, while the run-e2e script reads this value and forwards it to the E2E test execution.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GCP Network Service Account Integration: ci-operator/step-registry/hypershift/gcp/hosted-cluster-setup/hypershift-gcp-hosted-cluster-setup-commands.sh, ci-operator/step-registry/hypershift/gcp/run-e2e/hypershift-gcp-run-e2e-commands.sh | Adds parsing and extraction of cloud-network value from JSON output, persists it to shared directory as network-sa, includes it in validation checks, and passes it to E2E test script via --e2e.gcp-network-sa parameter. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding support for passing a cloud-network service account to GCP HyperShift e2e tests, which aligns with both the file changes and PR objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies shell scripts in CI operator step registry, not Ginkgo test files. No test definitions with dynamic names are present. |
| Test Structure And Quality | ✅ Passed | PR modifies bash shell scripts in CI/CD infrastructure, not Go test code, so Ginkgo test quality requirements do not apply. |
| Microshift Test Compatibility | ✅ Passed | PR modifies CI/CD shell scripts only; does not introduce new Ginkgo e2e tests. Changes are infrastructure setup and parameter passing for existing test binaries. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This pull request does not add any new Ginkgo e2e tests. The changes are limited to two shell scripts in the CI infrastructure that extract and pass GCP service account parameters to existing e2e tests. The search for Ginkgo test patterns returned no matches. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies CI test scripts that extract and pass GCP service account parameters for e2e testing, not Kubernetes deployment manifests or operator code defining scheduling constraints. |
| Ote Binary Stdout Contract | ✅ Passed | This PR modifies CI operator wrapper shell scripts that extract a service account identifier and pass it as a command-line flag to the test runner. These scripts do not implement test code (main(), BeforeSuite()) and do not write to stdout in ways that would corrupt JSON output from test binaries. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR does not add any new Ginkgo e2e tests. The changes consist entirely of shell scripts in the CI operator infrastructure that extract a cloud-network service account value and pass it as a CLI argument to existing e2e tests. |

openshift-ci Bot commented Apr 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patjlm

openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Apr 29, 2026
openshift-ci Bot requested review from apahim and muraee April 29, 2026 07:44

@openshift-merge-bot
[REHEARSALNOTIFIER]
@patjlm: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-hypershift-main-e2e-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-5.1-e2e-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-5.0-e2e-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-4.23-e2e-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-4.22-e2e-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-main-e2e-v2-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-5.1-e2e-v2-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-5.0-e2e-v2-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-4.23-e2e-v2-gke | openshift/hypershift | presubmit | Registry content changed |
| pull-ci-openshift-hypershift-release-4.22-e2e-v2-gke | openshift/hypershift | presubmit | Registry content changed |

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@ci-operator/step-registry/hypershift/gcp/run-e2e/hypershift-gcp-run-e2e-commands.sh`:
- Around line 75-77: Add a strict non-empty guard for the NETWORK_SA variable
after it is read from SHARED_DIR so an empty string cannot be propagated into
test execution; check that NETWORK_SA is set and not empty (e.g., test -n or [[
-n "${NETWORK_SA}" ]]) and exit with an error message if it is empty, so
wherever NETWORK_SA is later used in the script (the test execution invocation
that currently forwards NETWORK_SA) you can assume a valid value; update the
block that reads NETWORK_SA and add the guard/early-exit handling with a clear
error log.

📥 Commits

Reviewing files that changed from the base of the PR and between 8327295 and bd36814.

📒 Files selected for processing (2)
  • ci-operator/step-registry/hypershift/gcp/hosted-cluster-setup/hypershift-gcp-hosted-cluster-setup-commands.sh
  • ci-operator/step-registry/hypershift/gcp/run-e2e/hypershift-gcp-run-e2e-commands.sh

Comment on lines +75 to +77
if [[ -f "${SHARED_DIR}/network-sa" ]]; then
NETWORK_SA="$(<"${SHARED_DIR}/network-sa")"
fi

⚠️ Potential issue | 🟡 Minor

Add an explicit non-empty guard for NETWORK_SA before test execution.

Right now, an empty value still gets forwarded on Line 160. Failing early here would make workflow breakages much easier to diagnose.

Suggested hardening
 if [[ -f "${SHARED_DIR}/network-sa" ]]; then
     NETWORK_SA="$(<"${SHARED_DIR}/network-sa")"
 fi
+
+if [[ -z "${NETWORK_SA}" ]]; then
+    echo "ERROR: network service account not found or empty at ${SHARED_DIR}/network-sa"
+    echo "Ensure hypershift-gcp-hosted-cluster-setup step produced network-sa"
+    exit 1
+fi
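
Review bot: The added `[[ -z "${NETWORK_SA}" ]]` test expands a variable that the visible lines assign only inside the `-f` branch, so if `${SHARED_DIR}/network-sa` is absent and the script runs with `set -u` (not visible in these lines), the step would stop on an unbound-variable error instead of printing the intended message; writing `${NETWORK_SA:-}` in the test avoids that. The two `echo` lines send the failure reason to stdout, and redirecting them with `>&2` keeps it in the error stream. The check also accepts any non-blank content, so a shape check on the value before it is forwarded on line 160 would catch a malformed file at the same point.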

Also applies to: 160-160
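
The hand-off described in the walkthrough (the setup step writes `network-sa` to the shared directory, the run-e2e step reads it and forwards it as `--e2e.gcp-network-sa`) can fail closed on more than an empty file, for example on a literal `null` or on trailing junk. The following is an added example, not code from this PR; `read_network_sa`, the email pattern and the sample files are assumptions made for illustration.

```shell
# Added example (not from the PR): validate the value one CI step leaves for
# another before it becomes a command-line argument.
# Assumed shape of a user-managed GCP service account email:
#   <account-id>@<project>.iam.gserviceaccount.com
SA_EMAIL_RE='^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z0-9][a-z0-9.-]*\.iam\.gserviceaccount\.com$'
NL='
'

# read_network_sa FILE (hypothetical helper): print the validated email on
# stdout, or return 1 with the reason on stderr.
read_network_sa() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "ERROR: $file not found" >&2; return 1
    fi
    value="$(cat "$file")"    # command substitution drops trailing newlines
    if [ -z "$value" ]; then
        echo "ERROR: $file is empty" >&2; return 1
    fi
    case "$value" in
        *"$NL"*) echo "ERROR: $file holds more than one line" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$value" | grep -Eq "$SA_EMAIL_RE"; then
        echo "ERROR: $file is not a service account email" >&2; return 1
    fi
    printf '%s\n' "$value"
}

# Constructed sample files standing in for ${SHARED_DIR}/network-sa.
demo_dir="$(mktemp -d)"
sa='cloud-network@example-project.iam.gserviceaccount.com'
printf '%s\n' "$sa" > "$demo_dir/good"
: > "$demo_dir/empty"
printf 'null\n' > "$demo_dir/null"                    # missing JSON key rendered as text
printf '%s --other-flag\n' "$sa" > "$demo_dir/extra"  # trailing junk after the email

for name in good empty null extra missing; do
    if out="$(read_network_sa "$demo_dir/$name" 2>/dev/null)"; then
        echo "$name: forward to --e2e.gcp-network-sa: $out"
    else
        echo "$name: rejected, step exits 1"
    fi
done
rm -rf "$demo_dir"
```

Only the `good` file is forwarded; the `null` and `extra` cases would pass a plain non-empty test.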

patjlm commented Apr 29, 2026

Closing - local clone was stale, will recreate from a fresh base.

patjlm closed this Apr 29, 2026