Add Windows BYOH provisioning support to Prow CI #71002

rrasouli · 2025-11-04T10:22:20Z

Add Windows BYOH Provisioning Support to Prow CI

This PR adds step-registry components for provisioning Windows nodes via BYOH (Bring Your Own Host) using https://github.com/openshift/terraform-windows-provisioner.

Overview

BYOH is the default Windows node provisioning method for Windows Container testing in OpenShift. This PR integrates BYOH provisioning into the Prow CI step-registry, enabling automated Windows node deployment across all supported platforms.

Changes

New Step-Registry Components

1. Windows BYOH Steps (windows/byoh/)

windows-byoh-provision: Provisions Windows nodes using terraform-windows-provisioner
- Supports AWS, Azure, GCP, vSphere, Nutanix, and platform "none"
- Auto-configures credentials from cluster profile secrets
- Exports instance info in WMCO BYOH format for e2e tests
- Uses upi-installer image for cloud CLI access (aws, gcloud, az)
windows-byoh-destroy: Cleanup step for BYOH Windows nodes
- Runs terraform destroy using state from provision step
- Fallback mechanism: If Terraform state unavailable, uses cloud CLI to delete instances by name pattern
- Prevents orphaned instances that could block cluster network deletion

2. Deprovision Chains (All Platforms)

Created deprovision chains with proper cleanup ordering:

cucushift-installer-rehearse-aws-ipi-ovn-winc-deprovision
cucushift-installer-rehearse-azure-ipi-ovn-winc-deprovision
cucushift-installer-rehearse-gcp-ipi-ovn-winc-deprovision
cucushift-installer-rehearse-vsphere-ipi-ovn-winc-deprovision
cucushift-installer-rehearse-nutanix-ipi-ovn-winc-deprovision
cucushift-installer-rehearse-aws-upi-ovn-winc-deprovision

Cleanup Order:

Gather diagnostics (gather, gather-core-dump) - Collects logs while Windows nodes exist
Platform deprovision - Tears down cluster infrastructure
Destroy BYOH nodes (windows-byoh-destroy) - Cleans up Windows instances

This ensures diagnostics are captured before destroying Windows nodes, while still cleaning up BYOH instances before final network teardown.

3. Updated Provision Chains (All Platforms)

Added windows-byoh-provision as mandatory step to all winc chains:

cucushift-installer-rehearse-aws-ipi-ovn-winc-provision
cucushift-installer-rehearse-azure-ipi-ovn-winc-provision
cucushift-installer-rehearse-gcp-ipi-ovn-winc-provision
cucushift-installer-rehearse-vsphere-ipi-ovn-winc-provision
cucushift-installer-rehearse-nutanix-ipi-ovn-winc-provision

4. Updated Workflows (All Platforms)

Updated workflows to use new deprovision chains in post: section:

cucushift-installer-rehearse-aws-ipi-ovn-winc-workflow
cucushift-installer-rehearse-azure-ipi-ovn-winc-workflow
cucushift-installer-rehearse-gcp-ipi-ovn-winc-workflow
cucushift-installer-rehearse-vsphere-ipi-ovn-winc-workflow
cucushift-installer-rehearse-nutanix-ipi-ovn-winc-workflow

5. New Platform "None" Chain and Workflow

cucushift-installer-rehearse-aws-upi-ovn-winc-provision
cucushift-installer-rehearse-aws-upi-ovn-winc-deprovision
cucushift-installer-rehearse-aws-upi-ovn-winc-workflow
- UPI (platform=none) on AWS with Windows BYOH
- BYOH-only (no MachineSets support on platform "none")

Platform Coverage

Platform	Deployment Method	Chain Type	Status
AWS IPI	MachineSet + BYOH	IPI + BYOH	✅
Azure IPI	MachineSet + BYOH	IPI + BYOH	✅
GCP IPI	MachineSet + BYOH	IPI + BYOH	✅
vSphere IPI	MachineSet + BYOH	IPI + BYOH	✅
Nutanix IPI	MachineSet + BYOH	IPI + BYOH	✅
AWS UPI (platform "none")	BYOH only	BYOH only	✅

How It Works

Provision Step Flow

Install Terraform: Downloads and installs Terraform 1.0.11 (matches existing infrastructure)
Detect Platform: Auto-detects platform from cluster infrastructure
Load Credentials:
- Cloud credentials from CLUSTER_PROFILE_DIR (auto-provided by Prow)
- Windows SSH key auto-extracted from WMCO cloud-private-key secret (by terraform-windows-provisioner)
- Windows password auto-generated if not provided (by terraform-windows-provisioner)
Provision Nodes: Runs terraform-windows-provisioner via byoh.sh apply
Wait for Ready: Waits up to 30 minutes for Windows nodes to become Ready
Export Instance Info: Creates files in ${SHARED_DIR}/<ip>_windows_instance.txt format for WMCO BYOH e2e tests

Destroy Step Flow

Load Work Directory: Reads Terraform state location from provision step
Run Terraform Destroy: Executes byoh.sh destroy to clean up resources
Fallback Mechanism (if Terraform state unavailable):
- GCP: Uses gcloud compute instances delete to find and remove instances by name pattern
- AWS: Uses aws ec2 terminate-instances to find and remove instances by tag
- Azure: Uses az vm delete to find and remove VMs in cluster resource group
- Prevents orphaned instances even when Terraform state is unavailable
Cleanup: Removes temporary files

Integration with WMCO Tests

The instance info format is compatible with existing WMCO BYOH e2e tests:

# Exported by windows-byoh-provision
${SHARED_DIR}/10.0.0.100_windows_instance.txt:
  username: Administrator  # or 'capi' for Azure

Consumed by windows-e2e-operator-test-byoh

Configuration

Default Values

All values are overridable via environment variables:

BYOH_INSTANCE_NAME="byoh-winc"       # Instance name prefix
BYOH_NUM_WORKERS="2"                 # Number of Windows nodes
BYOH_WINDOWS_VERSION="2022"          # Windows Server version (2019|2022)
WINC_ADMIN_PASSWORD="P@ssw0rd123!@#" # Windows admin password (auto-generated if not set)

Platform-Specific Settings

All platform-specific configuration (instance types, disk sizes, network settings) is auto-detected from the cluster or can be overridden via environment variables. See https://github.com/openshift/terraform-windows-provisioner for details.

Testing

These step-registry components can be tested using /pj-rehearse before merging.

Example Test Workflow

steps:
  pre:
    - chain: cucushift-installer-rehearse-gcp-ipi-ovn-winc-provision
  post:
    - chain: cucushift-installer-rehearse-gcp-ipi-ovn-winc-deprovision

Test Results

Validated with /pj-rehearse on AWS IPI 4.17:

✅ AWS IPI 4.17: periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14 - SUCCEEDED
- Provisioning completed in 10m8s
- Both MachineSet and BYOH nodes provisioned successfully
- All Windows nodes became Ready

Updates

2025-11-12: Fixed deprovision step ordering across all platforms

Issue: windows-byoh-destroy was running before gather-must-gather, preventing log collection from Windows nodes
Fix: Reordered steps to gather diagnostics first, then destroy BYOH nodes
Impact: Ensures complete diagnostic collection for debugging test failures

Dependencies

This step-registry uses terraform-windows-provisioner for provisioning Windows nodes:

Repository: terraform-windows-provisioner
Status: Production-ready, vendor-neutral tool
Integration: Cloned and executed during provision step

The provisioner is a standalone tool with:

Zero hardcoded values, fully configurable
Multi-cloud support (AWS, Azure, GCP, vSphere, Nutanix, bare metal)
Auto-credential detection from cluster secrets
Auto-password generation if not provided
Auto-SSH key extraction from WMCO secrets

Container Image

Both provision and destroy steps use the upi-installer image which includes:

Cloud CLIs pre-installed (aws, gcloud, az)
oc/kubectl tools
Standard utilities

This ensures cloud CLI commands are available for both normal operation and fallback cleanup.

Migration Path

This PR adds BYOH as a mandatory step to all winc chains. Existing Windows testing workflows will now provision nodes via both MachineSets (IPI platforms) and BYOH.

Future Work

Planned for separate PRs:

Create actual periodic/presubmit job definitions using these chains
Add upgrade testing workflows (N+1 scenarios)
Complete migration from Jenkins Flexy to Prow CI for Windows testing

Files Changed

ci-operator/step-registry/
├── windows/byoh/
│   ├── OWNERS
│   ├── provision/
│   │   ├── OWNERS
│   │   ├── windows-byoh-provision-commands.sh
│   │   ├── windows-byoh-provision-ref.yaml
│   │   └── windows-byoh-provision-ref.metadata.json
│   └── destroy/
│       ├── OWNERS
│       ├── windows-byoh-destroy-commands.sh
│       ├── windows-byoh-destroy-ref.yaml
│       └── windows-byoh-destroy-ref.metadata.json
├── cucushift/installer/rehearse/
│   ├── aws/
│   │   ├── ipi/ovn/winc/
│   │   │   ├── provision/ (updated)
│   │   │   └── deprovision/ (new)
│   │   └── upi/ovn/winc/ (new - platform "none")
│   │       ├── provision/
│   │       └── deprovision/
│   ├── azure/ipi/ovn/winc/
│   │   ├── provision/ (updated)
│   │   └── deprovision/ (new)
│   ├── gcp/ipi/ovn/winc/
│   │   ├── provision/ (updated)
│   │   └── deprovision/ (new)
│   ├── vsphere/ipi/ovn/winc/
│   │   ├── provision/ (updated)
│   │   └── deprovision/ (new)
│   └── nutanix/ipi/ovn/winc/
│       ├── provision/ (updated)
│       └── deprovision/ (new)

Preview

You can preview the step-registry structure at:

ci-operator/step-registry/windows/byoh/provision/ - Reusable BYOH provision step
ci-operator/step-registry/windows/byoh/destroy/ - Reusable BYOH destroy step with fallback
ci-operator/step-registry/cucushift/installer/rehearse/ - Updated chains and workflows with BYOH

/cc @jrvaldes @weinliu

rrasouli · 2025-11-04T16:05:03Z

/pj-rehearse periodic-ci-terraform-windows-provisioner-main-e2e-aws-upi-winc-byoh

openshift-ci-robot · 2025-11-04T16:05:06Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2025-11-04T16:07:19Z

@rrasouli: job(s): periodic-ci-terraform-windows-provisioner-main-e2e-aws-upi-winc-byoh either don't exist or were not found to be affected, and cannot be rehearsed

rrasouli · 2025-11-04T18:04:15Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2025-11-04T18:04:18Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T09:15:38Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2025-11-05T09:15:42Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T10:25:56Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

rrasouli · 2025-11-05T10:40:05Z

/pj-rehearse abort

openshift-ci-robot · 2025-11-05T10:40:08Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T10:48:12Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2025-11-05T10:48:15Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T13:12:58Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2025-11-05T13:13:00Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T15:15:01Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2025-11-05T15:15:04Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T17:20:14Z

https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/71002/rehearse-71002-periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14/1986090951067570176
Passed job!

rrasouli · 2025-11-05T17:35:12Z

/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-azure-ipi
/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-gcp-ipi
/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-vsphere-ipi
/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.17-debug-winc-nutanix-ipi

openshift-ci-robot · 2025-11-05T17:35:15Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2025-11-05T18:22:37Z

/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-vsphere-ipi

openshift-ci-robot · 2026-01-20T13:24:15Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2026-01-20T13:30:15Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2026-01-20T13:30:18Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2026-01-20T13:33:58Z

@rrasouli: job(s): periodic-ci-openshift-openshift-tests-private-release-4.21-amd64-nightly-aws-ipi-ovn-winc-f14 either don't exist or were not found to be affected, and cannot be rehearsed

rrasouli · 2026-01-20T13:37:19Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2026-01-20T13:37:23Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2026-01-20T15:14:16Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14 pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-aws-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-azure-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-gcp-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-vsphere-ipi

openshift-ci-robot · 2026-01-20T15:14:19Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2026-01-20T15:30:21Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14 pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-aws-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-azure-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-gcp-ipi pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-vsphere-ipi

openshift-ci-robot · 2026-01-20T15:30:25Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2026-01-21T07:41:41Z

@jianlinliu The image is now available and all implementation comments have been resolved:

Bootstrap PR merged: #73680 built the terraform-windows-provisioner image at registry.ci.openshift.org/ci/terraform-windows-provisioner:latest

Successful rehearsal: https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/71002/rehearse-71002-periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14/2013636132352299008

The windows-byoh-provision step succeeded in 16m17s:

No Terraform downloads (pre-installed in image via Dockerfile)
No git clone (scripts pre-copied to /usr/local/share/byoh-provisioner/)
Terraform state in ${SHARED_DIR}/terraform_byoh/ (not /tmp)
Container image includes all dependencies

The debug-winc-* job failures are unrelated - they're failing on missing stable:tests-private image in the internal registry (infrastructure issue), not BYOH provisioning.

jianlinliu · 2026-01-21T07:59:17Z

all implementation comments have been resolved

In https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/pr-logs/pull/openshift_release/71002/rehearse-71002-periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14/2013636132352299008/artifacts/aws-ipi-ovn-winc-f14/windows-byoh-provision/build-log.txt, obviously some windows machines are created, but in https://gcsweb-qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/qe-private-deck/pr-logs/pull/openshift_release/71002/rehearse-71002-periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14/2013636132352299008/artifacts/aws-ipi-ovn-winc-f14/windows-byoh-destroy/build-log.txt, nothing is destroyed. That will leave orphan resources on the cloud platforms.

jianlinliu · 2026-01-21T08:06:38Z

ci-operator/step-registry/windows/byoh/destroy/windows-byoh-destroy-commands.sh

+cd "${WORK_DIR}" || exit 1
+
+# Detect platform for terraform directory
+PLATFORM=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.type}" | tr '[:upper:]' '[:lower:]' 2>/dev/null || echo "unknown")


For the destroy part, we should not rely on the cluster too much, if the cluster got broken during testing, the following destroy would not happen, that would leave orphan resources on platforms.

This adds step-registry components and chains for provisioning Windows nodes via BYOH (Bring Your Own Host) using terraform-windows-provisioner. Changes: - Add windows-byoh-provision step (uses terraform-windows-provisioner) - Add windows-byoh-destroy step with cloud CLI fallback mechanism - Update all winc chains to include BYOH provisioning as mandatory step - Add deprovision chains to destroy BYOH nodes before cluster teardown - Add platform "none" (UPI AWS) chain for Windows BYOH - Export instance info in WMCO BYOH format for e2e tests - Use upi-installer image for cloud CLI access (aws, gcloud, az) Platform coverage: - AWS IPI (MachineSet + BYOH) - Azure IPI (MachineSet + BYOH) - GCP IPI (MachineSet + BYOH) - vSphere IPI (MachineSet + BYOH) - Nutanix IPI (MachineSet + BYOH) - AWS UPI platform "none" (BYOH only) Destroy fallback mechanism: When Terraform state is unavailable, the destroy step uses cloud CLI to find and delete instances by name pattern, preventing orphaned instances that could block cluster network deletion. BYOH is now the default Windows node provisioning method for all Windows Container CI testing.

openshift-ci-robot · 2026-01-21T09:24:17Z

[REHEARSALNOTIFIER]
@rrasouli: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-openshift-tests-private-main-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.23-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.22-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.20-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.19-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.17-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.16-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.13-debug-winc-aws-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-main-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.23-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.22-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.20-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.19-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.18-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.17-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.16-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.13-debug-winc-azure-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-main-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.23-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.22-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Registry content changed
pull-ci-openshift-openshift-tests-private-release-4.20-debug-winc-gcp-ipi	openshift/openshift-tests-private	presubmit	Registry content changed

A total of 99 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

The debug-winc-* rehearsal jobs fail with 'manifest unknown' error when trying to pull the tests-private image from the internal registry. This fix adds tests-private as a base_image (imported from ci namespace) for releases 4.20-4.23 where the config doesn't build this image itself. Versions 4.17-4.19 already build tests-private in their images section, so they don't need this base_image entry. This allows debug-winc jobs to reference stable:tests-private without ImagePullBackOff errors. Fixes: openshift#71002 (comment)

openshift-ci · 2026-01-21T09:27:43Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rrasouli
Once this PR has been reviewed and has the lgtm label, please assign jianlinliu, mansikulkarni96 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rrasouli · 2026-01-21T09:30:50Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-aws-ipi-ovn-winc-f14

openshift-ci-robot · 2026-01-21T09:30:53Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

rrasouli · 2026-01-21T10:50:15Z

/pj-rehearse pull-ci-openshift-openshift-tests-private-main-debug-winc-gcp-ipi

openshift-ci-robot · 2026-01-21T10:50:18Z

@rrasouli: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-01-21T11:38:00Z

@rrasouli: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/openshift-tests-private/release-4.20/debug-winc-aws-ipi	`a3d792d`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.20-debug-winc-aws-ipi`
ci/rehearse/openshift/openshift-tests-private/release-4.17/debug-winc-nutanix-ipi	`b2a7a17`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.17-debug-winc-nutanix-ipi`
ci/rehearse/openshift/openshift-tests-private/release-4.21/debug-winc-azure-ipi	`18d8b73`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-azure-ipi`
ci/rehearse/openshift/openshift-tests-private/release-4.21/debug-winc-aws-ipi	`18d8b73`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-aws-ipi`
ci/rehearse/openshift/openshift-tests-private/release-4.21/debug-winc-vsphere-ipi	`18d8b73`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-vsphere-ipi`
ci/rehearse/openshift/openshift-tests-private/release-4.21/debug-winc-gcp-ipi	`18d8b73`	link	unknown	`/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.21-debug-winc-gcp-ipi`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci bot requested review from gpei and jianlinliu November 4, 2025 10:24

rrasouli force-pushed the add-windows-byoh-prow-ci branch from d471ef0 to b64fb51 Compare November 4, 2025 10:40

rrasouli force-pushed the add-windows-byoh-prow-ci branch from b64fb51 to 230c4c4 Compare November 5, 2025 09:14

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 230c4c4 to c0e09b8 Compare November 5, 2025 10:24

rrasouli force-pushed the add-windows-byoh-prow-ci branch from c0e09b8 to 20c6c58 Compare November 5, 2025 10:37

rrasouli changed the title ~~Add Windows BYOH provisioning support to Prow CI~~ [WIP] Add Windows BYOH provisioning support to Prow CI Nov 5, 2025

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 5, 2025

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 20c6c58 to 31234c7 Compare November 5, 2025 12:41

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 31234c7 to 6316a1a Compare November 5, 2025 14:25

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 961b089 to 4a12503 Compare January 20, 2026 15:12

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 4a12503 to 18d8b73 Compare January 20, 2026 15:24

jianlinliu reviewed Jan 21, 2026

View reviewed changes

rrasouli force-pushed the add-windows-byoh-prow-ci branch from 18d8b73 to 8ae42c2 Compare January 21, 2026 09:21

rrasouli mentioned this pull request Jan 21, 2026

Fix debug-winc jobs by adding tests-private base image for 4.20-4.23 #73778

Merged

openshift-merge-bot bot closed this in 52bdc0d Jan 21, 2026

rrasouli mentioned this pull request Jan 21, 2026

Add Windows BYOH provisioning support to Prow CI #73785

Closed

jianlinliu mentioned this pull request Jan 26, 2026

Add Windows BYOH provisioning support to step-registry #73920

Open

Add Windows BYOH provisioning support to Prow CI #71002

Add Windows BYOH provisioning support to Prow CI #71002

Uh oh!

Conversation

rrasouli commented Nov 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Add Windows BYOH Provisioning Support to Prow CI

Overview

Changes

New Step-Registry Components

1. Windows BYOH Steps (windows/byoh/)

2. Deprovision Chains (All Platforms)

3. Updated Provision Chains (All Platforms)

4. Updated Workflows (All Platforms)

5. New Platform "None" Chain and Workflow

Platform Coverage

How It Works

Provision Step Flow

Destroy Step Flow

Integration with WMCO Tests

Configuration

Default Values

Platform-Specific Settings

Testing

Example Test Workflow

Test Results

Updates

Dependencies

The provisioner is a standalone tool with:

Container Image

Migration Path

Future Work

Files Changed

Related

Preview

Uh oh!

rrasouli commented Nov 4, 2025

Uh oh!

openshift-ci-robot commented Nov 4, 2025

Uh oh!

openshift-ci-robot commented Nov 4, 2025

Uh oh!

rrasouli commented Nov 4, 2025

Uh oh!

openshift-ci-robot commented Nov 4, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Nov 5, 2025

Uh oh!

rrasouli commented Nov 5, 2025

Uh oh!

openshift-ci-robot commented Jan 20, 2026

Uh oh!

rrasouli commented Jan 20, 2026

Uh oh!

rrasouli commented Nov 4, 2025 •

edited

Loading

jianlinliu Jan 21, 2026 •

edited

Loading