ROSAENG-6811: Allow Gangway pod_spec_options.envs to override step parameters

[dustman9000]

Summary

When Gangway triggers a periodic job with pod_spec_options.envs, those env vars are appended to the ci-operator pod. However, ci-operator builds step container envs from its YAML config (TestEnvironment map), not from os.Getenv(). Runtime env overrides from Gangway never reach step containers.

This PR adds a check to generateParams in pkg/steps/multi_stage/gen.go: after checking the config env value, check os.Getenv for the same parameter name. If set, the pod-level env var takes precedence.

Safety: Only env vars matching declared step parameter names (from the step ref env list) are considered. Arbitrary pod env vars cannot leak into steps.

Use case: SAPM promotion pipelines trigger Prow periodic jobs via Gangway to run operator e2e tests. Different OCM environments need different OCM_LOGIN_ENV values. Without this change, each combination needs a separate periodic job. With it, one periodic per operator is sufficient.

Test plan

• Existing tests pass (go test ./pkg/steps/multi_stage/...)
• Verify with a Gangway-triggered periodic that passes OCM_LOGIN_ENV=integration via pod_spec_options.envs

Jira: https://redhat.atlassian.net/browse/ROSAENG-6811

Summary

This PR changes ci-operator's multi-stage step parameter resolution so pod-level environment variables (e.g., those injected via Gangway's pod_spec_options.envs) can override step parameter values when the env var name matches a declared step parameter.

What Changed

• generateParams in pkg/steps/multi_stage/gen.go now checks os.Getenv for each step parameter name after computing the parameter value from defaults and step-configured envs. If a non-empty pod env var exists for that parameter name, its value is used instead.
• A unit test (TestGenerateParamsEnvOverride) in pkg/steps/multi_stage/gen_test.go verifies that:
  • a pod env var overrides both the step config env and the parameter default,
  • step config env is used when the pod env var is absent,
  • an empty pod env var does not override a parameter default.

Practical Impact for CI Users / Operators

ci-operator jobs triggered via Gangway can now pass runtime environment overrides (for example OCM_LOGIN_ENV) through pod_spec_options.envs and have those values reach step containers without changing ci-operator YAML. This enables scenarios like SAPM promotion pipelines that use Gangway to trigger periodic jobs across multiple environments without creating separate periodic jobs for each environment.

Component Affected

• Component: ci-operator (multi-stage step parameter generation)
• Behavioral change: step parameter value precedence now includes process/pod environment variables (but only for names declared as step parameters).

Safety & Scope

• Only env vars whose names match declared step parameter names are considered; arbitrary pod envs are not propagated.
• Change surface is minimal (small code addition in generateParams) and includes a focused unit test.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@dustman9000: This pull request references ROSAENG-6811 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

When Gangway triggers a periodic job with pod_spec_options.envs, those env vars are appended to the ci-operator pod's environment. However, ci-operator builds step container envs from its YAML config (TestEnvironment map), not from os.Getenv(). This means runtime env overrides from Gangway never reach step containers.

This PR adds a 3-line change to generateParams in pkg/steps/multi_stage/gen.go: after checking the config env value, check os.Getenv for the same parameter name. If set, the pod-level env var takes precedence.

Safety: Only env vars that match declared step parameter names (from the step ref's env list are considered. Arbitrary pod env vars like or cannot leak into steps.

Use case: SAPM promotion pipelines trigger Prow periodic jobs via Gangway to run operator e2e tests. Different OCM environments (integration vs staging) require different values. Without this change, each env/cluster-type combination needs a separate periodic job. With this change, one periodic per operator is sufficient.

Change

Test plan

• Existing tests pass (ok github.com/openshift/ci-tools/pkg/steps/multi_stage 1.251s)
• Verify with a Gangway-triggered periodic that passes via

Jira: https://redhat.atlassian.net/browse/ROSAENG-6811
EOF
)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5376df86-3fb3-45a0-baac-b7864b9987e6

📥 Commits

Reviewing files that changed from the base of the PR and between 1807274 and 8260e95.

📒 Files selected for processing (2)

• pkg/steps/multi_stage/gen.go
• pkg/steps/multi_stage/gen_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/steps/multi_stage/gen.go

---

📝 Walkthrough

Walkthrough

The PR adds environment variable parameter override capability to the multi-stage step parameter generation. The os package is imported, and generateParams now checks os.Getenv(env.Name) for each parameter, using non-empty process env values to override computed values.

Changes

Environment Variable Parameter Override

Layer / File(s)	Summary
Parameter override from environment variables pkg/steps/multi_stage/gen.go, pkg/steps/multi_stage/gen_test.go	Import os and extend generateParams to consult os.Getenv(env.Name) and use a non-empty process env value to override the value derived from s.env or env.Default. Add TestGenerateParamsEnvOverride to validate pod env > config > default precedence and that empty-string pod env does not override.

---

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 16 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (16 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically identifies the main change: allowing environment variable overrides from pod_spec_options.envs to reach step parameters through generateParams.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	os.Getenv() returns only a string (never an error), so no error handling is required. Pointer dereferences are guarded with nil checks. No ignored errors or unhandled error cases found.
Test Coverage For New Features	✅ Passed	New test TestGenerateParamsEnvOverride validates the os.Getenv() override logic in generateParams, testing precedence rules and edge cases. The test would fail without the implementation.
Stable And Deterministic Test Names	✅ Passed	The new test TestGenerateParamsEnvOverride is a standard Go test with a stable, deterministic name. The Ginkgo check is inapplicable since no Ginkgo tests were added.
Test Structure And Quality	✅ Passed	Test uses t.Setenv for cleanup, tests single behavior (env precedence), includes failure messages, and avoids cluster ops. Custom check is for Ginkgo; not applicable.
Microshift Test Compatibility	✅ Passed	The PR adds only a standard Go unit test (TestGenerateParamsEnvOverride), not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests, so it does not apply here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds a standard Go unit test, not Ginkgo e2e tests; check only applies to new Ginkgo e2e tests (It(), Describe(), Context(), etc.).
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies ci-operator step parameter generation logic only. No deployment manifests, pod affinity, node selectors, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	The PR changes contain only environment variable reading logic in a regular function and test function; no stdout writes, print statements, or logging to stdout detected in the modified code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only a standard Go unit test (TestGenerateParamsEnvOverride), not Ginkgo e2e tests. Check targets Ginkgo e2e tests specifically and is not applicable here.
No-Weak-Crypto	✅ Passed	No weak cryptographic operations detected. Changes only involve environment variable precedence handling via os.Getenv; no crypto algorithms, custom implementations, or secret comparisons are present.
Container-Privileges	✅ Passed	PR modifies only Go source files with environment variable logic. No K8s manifests, privilege escalation settings, or security-sensitive configurations added.
No-Sensitive-Data-In-Logs	✅ Passed	The generateParams function reads env vars via os.Getenv and passes them to pod specs without any logging. No values are logged, printed, or exposed in error messages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dustman9000
Once this PR has been reviewed and has the lgtm label, please assign hector-vido for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/steps/multi_stage/gen.go (1)

404-420: ⚡ Quick win

Document the parameter resolution order.

The function now implements a three-tier parameter resolution with specific precedence: os.Getenv (pod env vars) > s.env (test config) > Default. This non-obvious priority order should be documented to help maintainers understand the override behavior, especially since pod env vars now take precedence over test configuration.

📝 Suggested documentation

+// generateParams resolves step parameters using a three-tier priority system:
+// 1. Process environment variables (os.Getenv) - highest priority, enables Gangway pod_spec_options.envs overrides
+// 2. Test environment config (s.env) - from ci-operator config TestEnvironment
+// 3. Parameter default values (env.Default) - lowest priority fallback
+// Only parameters explicitly declared in the step's Environment list are considered.
 func (s *multiStageTestStep) generateParams(env []api.StepParameter) []coreapi.EnvVar {
 	var ret []coreapi.EnvVar

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/multi_stage/gen.go` around lines 404 - 420, Update the
documentation/comment for the function generateParams to explicitly state the
parameter resolution precedence: values from os.Getenv(env.Name)
(pod/environment variables) override values in s.env (test configuration), which
in turn override env.Default; mention the exact symbols used (generateParams,
s.env, os.Getenv, env.Default/env.Name) and indicate that returned
coreapi.EnvVar uses the chosen value so reviewers and maintainers understand the
three-tier override behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/steps/multi_stage/gen.go`:
- Around line 414-416: Add a unit test in package pkg/steps/multi_stage (e.g.,
TestEnvVarOverridePrecedence) that exercises the StepParameter resolution logic
around os.Getenv(env.Name): create a StepParameter with a Name and Default,
prepare s.env with a different value, then use t.Setenv to set that environment
variable to a non-empty value and assert the resolver returns the t.Setenv value
(env var wins over s.env and env.Default); also add a subcase where t.Setenv
sets the variable to the empty string and assert the resolver falls back to
s.env or env.Default (empty env var should not override). Locate the resolver
invocation near the code that references env.Name, s.env[env.Name], and
env.Default in gen.go to call the same function/path you test.

---

Nitpick comments:
In `@pkg/steps/multi_stage/gen.go`:
- Around line 404-420: Update the documentation/comment for the function
generateParams to explicitly state the parameter resolution precedence: values
from os.Getenv(env.Name) (pod/environment variables) override values in s.env
(test configuration), which in turn override env.Default; mention the exact
symbols used (generateParams, s.env, os.Getenv, env.Default/env.Name) and
indicate that returned coreapi.EnvVar uses the chosen value so reviewers and
maintainers understand the three-tier override behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a7cf3cf1-0224-4d24-ba41-acfc259d59d6

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6e7b8 and 1807274.

📒 Files selected for processing (1)

• pkg/steps/multi_stage/gen.go

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci]

@dustman9000: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.