ROSAENG-60057: Add alert silence pre/post steps for production FVT

[dustman9000]

Summary

• Adds rosa-e2e-silence-alerts (pre) and rosa-e2e-unsilence-alerts (post) step registry refs
• Pre-step creates regex-based alertmanager silences on all production RHOBS cells via the new gateway silence API
• Post-step expires the silences after the job completes
• Uses existing OIDC client credentials (same auth pattern as telemetry collection)
• Wired into the weekly cs-rosa-hcp-ad-production-main FVT job

Context: Production FVT clusters (cs-ci-longname-*) were triggering RHOBS alerts and paging on-call SREs. This automates the silence/unsilence lifecycle through the gateway API.

Test plan

• Verified RHOBS gateway silence API works (POST create, GET list, DELETE expire) on stage
• pj-rehearse validates the production FVT job with silence steps
• Verify next Monday production FVT run creates/expires silences

Jira: https://redhat.atlassian.net/browse/ROSAENG-60057

Summary by CodeRabbit

This PR extends OpenShift CI’s ROSA production FVT workflow to automatically silence RHOBS Alertmanager alerts during the Functional Verification Test run, then reliably expire those silences afterward.

What’s Changing

• The weekly ocm-fvt-periodic-cs-rosa-hcp-ad-production-main job now includes step hooks:

  • Pre-steps
    • rosa-e2e-record-start-time
    • rosa-e2e-silence-alerts: creates regex-based RHOBS gateway Alertmanager silences across all configured production (or staging) RHOBS cell endpoints for the job duration.
  • Post-step
    • rosa-e2e-unsilence-alerts: expires the created silences by reading saved silence IDs.

• The job sets allow_best_effort_post_steps: true so the unsilence post-step runs even if the main FVT job fails.

Implementation Details

• New step registry: rosa-e2e-silence-alerts

  • Runs rosa-e2e-silence-alerts-commands.sh in the ocp/4.18:cli image.
  • Mounts production OIDC client credentials at /usr/local/rhobs-oidc.
  • Supports RHOBS_ENV = production (default) or staging to select the appropriate RHOBS cell gateway URLs.
  • Authenticates via OIDC client-credentials to call the RHOBS gateway silence creation API.
  • Creates silences with:
    • matcher regex (SILENCE_MATCHER_NAME default _id, SILENCE_MATCHER_VALUE default cs-ci-.*, isRegex=true, isEqual=true)
    • startsAt/endsAt computed in UTC using SILENCE_DURATION_HOURS (default 6)
    • createdBy: "rosa-ci-prow"
    • comment including ROSAENG-60057 and a job/PR URL when available
  • Writes created IDs to ${SHARED_DIR}/silence-ids as CELL|SILENCE_ID for later cleanup.
  • If token acquisition fails, it exits successfully (silences may expire naturally); per-cell create failures are logged and the script continues.

• New step registry: rosa-e2e-unsilence-alerts

  • Runs rosa-e2e-unsilence-alerts-commands.sh in the ocp/4.18:cli image.
  • Mounts the same production OIDC credentials and uses client-credentials auth.
  • If ${SHARED_DIR}/silence-ids is missing/empty, it exits successfully.
  • For each CELL|SILENCE_ID, it sends an HTTP DELETE to the RHOBS gateway silence endpoint to expire the silence.
  • If token acquisition fails, it exits successfully to avoid blocking cleanup semantics.

Ownership/Registry Updates

• Adds/updates OWNERS and step reference metadata for the new silence-alerts and unsilence-alerts step registries.

[openshift-ci-robot]

@dustman9000: This pull request references ROSAENG-60057 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Adds rosa-e2e-silence-alerts (pre) and rosa-e2e-unsilence-alerts (post) step registry refs
• Pre-step creates regex-based alertmanager silences on all production RHOBS cells via the new gateway silence API
• Post-step expires the silences after the job completes
• Uses existing OIDC client credentials (same auth pattern as telemetry collection)
• Wired into the weekly cs-rosa-hcp-ad-production-main FVT job

Context: Production FVT clusters (cs-ci-longname-*) were triggering RHOBS alerts and paging on-call SREs. This automates the silence/unsilence lifecycle through the gateway API.

Test plan

• Verified RHOBS gateway silence API works (POST create, GET list, DELETE expire) on stage
• pj-rehearse validates the production FVT job with silence steps
• Verify next Monday production FVT run creates/expires silences

Jira: https://redhat.atlassian.net/browse/ROSAENG-60057

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c0f824e5-b7bc-4c17-8246-045d42dde62d

📥 Commits

Reviewing files that changed from the base of the PR and between 85a5aec and ebcf5ff.

📒 Files selected for processing (9)

• ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml
• ci-operator/step-registry/rosa/e2e/silence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-commands.sh
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.metadata.json
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-commands.sh
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.metadata.json
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.yaml

✅ Files skipped from review due to trivial changes (3)

• ci-operator/step-registry/rosa/e2e/unsilence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/silence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (6)

• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.yaml
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.metadata.json
• ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-commands.sh
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-commands.sh

---

Walkthrough

Two new CI step-registry steps are introduced: rosa-e2e-silence-alerts (a pre-step that POSTs Alertmanager silences to all RHOBS cells and saves their IDs) and rosa-e2e-unsilence-alerts (a post-step that DELETEs those silences). Both steps are then wired into the existing ROSA HCP production job config.

Changes

Alert Silence/Unsilence Workflow

Layer / File(s)	Summary
Silence-alerts pre-step implementation ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-commands.sh, ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml, ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.metadata.json, ci-operator/step-registry/rosa/e2e/silence-alerts/OWNERS	New step that loads RHOBS OIDC credentials from the mounted rhobs-oidc-production secret, fetches an access token via client-credentials flow with fallback issuer URL, computes a UTC time window based on SILENCE_DURATION_HOURS, constructs a Prow job URL from PR-related environment variables, POSTs a JSON silence payload to each configured RHOBS cell endpoint with matcher criteria and embedding the job URL in the comment field, parses silenceID from each response, appends CELL|silenceID pairs to ${SHARED_DIR}/silence-ids for later cleanup, and reports the count of successfully created silences across all cells. Configurable via environment variables: RHOBS_ENV, SILENCE_MATCHER_NAME, SILENCE_MATCHER_VALUE, and SILENCE_DURATION_HOURS.
Unsilence-alerts post-step implementation ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-commands.sh, ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.yaml, ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.metadata.json, ci-operator/step-registry/rosa/e2e/unsilence-alerts/OWNERS	New post-step that reads the persisted ${SHARED_DIR}/silence-ids file populated by rosa-e2e-silence-alerts, obtains an OIDC token using the same client-credentials flow and credential mount, iterates over each CELL|SILENCE_ID record, issues HTTP DELETE calls to expire each silence via the RHOBS gateway API with a 10-second timeout, and reports the count of successfully expired silences. Exits gracefully (allowing silences to expire naturally) if the silence file is missing, empty, or if token retrieval fails.
CI job pre/post hook wiring ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml	Sets allow_best_effort_post_steps: true on the ocm-fvt-periodic-cs-rosa-hcp-ad-production-main job configuration, adds rosa-e2e-record-start-time and rosa-e2e-silence-alerts as pre-step references, and adds rosa-e2e-unsilence-alerts as a post-step reference to complete the silence lifecycle around the main job execution.

Sequence Diagram

sequenceDiagram
  rect rgba(100, 149, 237, 0.5)
    Note over SilenceScript,RHOBS: Pre-step: rosa-e2e-silence-alerts
    participant SilenceScript as rosa-e2e-silence-alerts
    participant OIDC as OIDC Token Endpoint
    participant RHOBS as RHOBS Cell
    SilenceScript->>SilenceScript: Load RHOBS_ENV config
    SilenceScript->>OIDC: POST client_credentials
    OIDC-->>SilenceScript: access_token
    loop For each RHOBS cell
      SilenceScript->>RHOBS: POST /api/metrics/v1/hcp/am/api/v2/silences
      RHOBS-->>SilenceScript: {silenceID}
      SilenceScript->>SilenceScript: Append CELL|silenceID to SHARED_DIR
    end
  end
  rect rgba(144, 238, 144, 0.5)
    Note over Job: Main job execution
    participant Job as ocm-fvt-periodic-cs-rosa-hcp-ad-production-main
    Job->>Job: Run test steps
  end
  rect rgba(255, 165, 0, 0.5)
    Note over UnsilenceScript,RHOBS: Post-step: rosa-e2e-unsilence-alerts
    participant UnsilenceScript as rosa-e2e-unsilence-alerts
    UnsilenceScript->>UnsilenceScript: Read SHARED_DIR/silence-ids
    alt File exists and not empty
      UnsilenceScript->>OIDC: POST client_credentials
      OIDC-->>UnsilenceScript: access_token
      loop For each CELL|SILENCE_ID
        UnsilenceScript->>RHOBS: DELETE /api/metrics/v1/hcp/am/api/v2/silences/{SILENCE_ID}
        RHOBS-->>UnsilenceScript: 200 OK
      end
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm

Suggested reviewers

• ravitri
• jfrazierredhat
• gdbranco
• lucasponce

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: adding alert silence pre/post steps (rosa-e2e-silence-alerts and rosa-e2e-unsilence-alerts) for production FVT, which is the primary focus of all changes in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo tests. It only adds CI step registry definitions (YAML), Bash scripts, and configuration files—no Go test code with test names to evaluate.
Test Structure And Quality	✅ Passed	This PR adds CI operator configuration and Bash shell scripts for alert silencing automation. No Ginkgo test code is present, making the test structure and quality check inapplicable.
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests; only CI infrastructure (bash scripts, YAML configs, OWNERS files). Check for e2e test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI infrastructure scripts and step registry configs, not Ginkgo e2e tests. No It(), Describe(), Context(), or When() patterns found.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI job step definitions and scripts, not deployment manifests or operator code. No scheduling constraints, pod affinity, node selectors, or topology-related constructs are introduced.
Ote Binary Stdout Contract	✅ Passed	OTE Binary Stdout Contract check is not applicable. The PR introduces only CI infrastructure (YAML configs, bash scripts, JSON metadata, and OWNERS files) with no Go test binaries or OTE code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests (It(), Describe(), Context(), etc.). It only adds CI infrastructure files (YAML configs, Bash scripts, OWNERS files) for managing alert silences, which are...
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found. The scripts properly handle OIDC tokens an...
Container-Privileges	✅ Passed	No privileged container configurations found. The new step registry YAML files contain no security context settings, capability escalation, or host access configurations.
No-Sensitive-Data-In-Logs	✅ Passed	Scripts use secure credential handling with proper error redirection; no passwords, tokens, API keys, PII, or sensitive data are logged in any echo/print statements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml (1)

69-69: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix standalone redirection syntax.

Line 69 uses a standalone redirection without a command, which shellcheck flags as SC2188. While many shells accept this, it's non-portable and should be written with an explicit no-op command.

🔧 Proposed fix

-> "${SHARED_DIR}/silence-ids"
+: > "${SHARED_DIR}/silence-ids"

Alternatively, use true > or echo -n >.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml`
at line 69, The standalone redirection syntax on line 69 of
rosa-e2e-silence-alerts-ref.yaml is flagged as SC2188 by shellcheck and is
non-portable. Replace the standalone redirection with an explicit no-op command
followed by the redirection operator, such as using `true >` or `echo -n >` to
make the syntax portable across different shells while maintaining the same
behavior.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml`:
- Around line 31-39: After modifying the
openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml configuration
file to add allow_best_effort_post_steps and update the pre and post step
references, you must run the `make update` command in the repository root to
regenerate the downstream Prow job definitions and metadata artifacts. This
ensures that all generated configurations stay synchronized with the source CI
operator configuration changes.

In
`@ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml`:
- Line 12: The timeout field in the rosa-e2e-silence-alerts step is set too low
at 2m0s to accommodate the sequential RHOBS cell requests. Increase the timeout
value from 2m0s to either 3m or 5m to provide adequate margin for the 9
sequential curl requests (each with up to 10-second max-time) plus OIDC token
acquisition and JSON parsing overhead. Consider using 5m as a safe value similar
to the collect-cs-telemetry step, or a minimum of 3m if a tighter constraint is
preferred.

In
`@ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-commands.sh`:
- Around line 28-41: The while loop on line 28 uses a colon as the IFS delimiter
to split CELL and SILENCE_ID, but since CELL is a URL containing colons (e.g.,
https://...), the read command incorrectly splits on all colons rather than just
the separator between CELL and SILENCE_ID, causing malformed DELETE requests on
line 35. Change the IFS delimiter from colon to a character that won't appear in
URLs, such as a pipe character, and update the corresponding separator in the
input file to match so that CELL and SILENCE_ID are parsed correctly.

---

Outside diff comments:
In
`@ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml`:
- Line 69: The standalone redirection syntax on line 69 of
rosa-e2e-silence-alerts-ref.yaml is flagged as SC2188 by shellcheck and is
non-portable. Replace the standalone redirection with an explicit no-op command
followed by the redirection operator, such as using `true >` or `echo -n >` to
make the syntax portable across different shells while maintaining the same
behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1a66ed23-289a-4987-a435-9f987d0d71fe

📥 Commits

Reviewing files that changed from the base of the PR and between b854cd1 and 04292e7.

📒 Files selected for processing (9)

• ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__ocm-fvt-rosa-hcp-production.yaml
• ci-operator/step-registry/rosa/e2e/silence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-commands.sh
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.metadata.json
• ci-operator/step-registry/rosa/e2e/silence-alerts/rosa-e2e-silence-alerts-ref.yaml
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/OWNERS
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-commands.sh
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.metadata.json
• ci-operator/step-registry/rosa/e2e/unsilence-alerts/rosa-e2e-unsilence-alerts-ref.yaml

[dustman9000]

/pj-rehearse ack

[openshift-merge-bot]

@dustman9000: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@dustman9000: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@dustman9000: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-online-rosa-e2e-main-ocm-fvt-rosa-hcp-production-ocm-fvt-periodic-cs-rosa-hcp-ad-production-main	N/A	periodic	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[bmeng]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bmeng, dustman9000

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-online/rosa-e2e/OWNERS [bmeng,dustman9000]
• ci-operator/step-registry/rosa/e2e/OWNERS [bmeng,dustman9000]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dustman9000]

/pj-rehearse ack

[openshift-merge-bot]

@dustman9000: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.