OCPBUGS-90545: Fix leaked s3 buckets by ipi-aws-post-disconnected

[mdbooth]

openshift-e2e-aws-disconnected calls ipi-aws-pre-disconnected and ipi-aws-post-disconnected. ipi-aws-pre-disconnected provisions an s3 bucket for the bastionhost, but ipi-aws-post-disconnected does not call aws-deprovision-s3buckets to clean it up, so it leaks.

Subsequent runs of the job against the same PR re-use a namespace. As the buckets use the namespace in the name, this also means the second run in a PR will fail due to the name collision.

This change fixes the leak by adding the missing cleanup step. It also tolerates a pre-existing bucket owned by us and re-uses it, cleaning it up after the run.

Summary by CodeRabbit

This pull request fixes a resource leak in the AWS disconnected CI/CD workflow for OpenShift cluster testing. The issue occurs when the openshift-e2e-aws-disconnected job runs multiple times in the same namespace—S3 buckets created during the pre-disconnected setup phase were never being cleaned up, causing name collisions on subsequent test runs.

Changes made:

1. S3 bucket reuse and tolerance (aws-provision-bastionhost-commands.sh):

   • Modified the bastion host provisioning script to check if an S3 bucket already exists and is accessible using aws s3api head-bucket before attempting to create a new one
   • If the bucket already exists (likely a leaked bucket from a prior run), it is reused instead of causing a failure
   • The bucket name is still recorded in the cleanup list for proper deprovisioning

2. Added S3 bucket deprovisioning step (ipi-aws-post-disconnected-chain.yaml):

   • Added the aws-deprovision-s3buckets step to the post-disconnected cleanup chain
   • This step now executes during cleanup, reading the bucket list and properly deleting S3 buckets that were created or reused during the test run
   • Positioned before user/policy and verification cleanup steps in the cleanup sequence

The fix addresses both immediate symptom relief (allowing bucket reuse) and root cause elimination (ensuring proper cleanup), preventing the accumulation of orphaned S3 resources in AWS accounts across multiple test runs.

[openshift-ci-robot]

@mdbooth: This pull request references Jira Issue OCPBUGS-90545, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

openshift-e2e-aws-disconnected calls ipi-aws-pre-disconnected and ipi-aws-post-disconnected. ipi-aws-pre-disconnected provisions an s3 bucket for the bastionhost, but ipi-aws-post-disconnected does not call aws-deprovision-s3buckets to clean it up, so it leaks.

Subsequent runs of the job against the same PR re-use a namespace. As the buckets use the namespace in the name, this also means the second run in a PR will fail due to the name collision.

This change fixes the leak by adding the missing cleanup step. It also tolerates a pre-existing bucket owned by us and re-uses it, cleaning it up after the run.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 05cdd20b-9ec7-4a44-a608-5ed4fdeec694

📥 Commits

Reviewing files that changed from the base of the PR and between b8e6ed2 and b1814dc.

📒 Files selected for processing (2)

• ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh
• ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml

---

Walkthrough

The bastion-host provisioning script gains a conditional S3 bucket check (head-bucket) that reuses an existing accessible bucket instead of always calling s3 mb. The disconnected IPI post-chain adds aws-deprovision-s3buckets as an explicit cleanup step before the existing user/policy and verification deprovisioning steps.

Changes

S3 Bucket Lifecycle

Layer / File(s)	Summary
Conditional S3 bucket creation and deprovisioning chain ci-operator/step-registry/aws/provision/bastionhost/aws-provision-bastionhost-commands.sh, ci-operator/step-registry/ipi/aws/post/disconnected/ipi-aws-post-disconnected-chain.yaml	Provisioning script checks head-bucket and reuses an existing accessible bucket before falling back to s3 mb; the post-chain inserts aws-deprovision-s3buckets before the user/policy and verification cleanup steps.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: fixing leaked S3 buckets in the AWS post-disconnected provisioning workflow by adding a cleanup step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies CI infrastructure files (bash script and YAML config), not Ginkgo test files. The check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code—only shell scripts and YAML CI/CD configuration files. Custom check for test structure/quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR contains no new Ginkgo e2e tests. It only modifies a bash script and a YAML configuration file for AWS resource management in CI/CD infrastructure. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It modifies AWS infrastructure provisioning scripts and CI workflow chain configuration files, which are outside the scope of the SNO test compatibility c...
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are CI infrastructure scripts in ci-operator/step-registry/, not deployment manifests, operator code, or controllers. No scheduling constraints or workload topology configuration is introdu...
Ote Binary Stdout Contract	✅ Passed	PR modifies only CI infrastructure files (bash script and YAML config), not OTE binary or Go test code. The check is inapplicable to non-test infrastructure code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests (It(), Describe(), Context(), When()) are added in this PR. Changes are to bash scripts and YAML CI configuration only.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the modified files.
Container-Privileges	✅ Passed	PR contains no Kubernetes manifests or container specs with privileged settings. Files are bash scripts and step registry chain definitions without security context configurations.
No-Sensitive-Data-In-Logs	✅ Passed	The PR introduces conditional S3 bucket reuse logic and adds a deprovisioning step. New logging (line 133) only exposes bucket names, which are public identifiers. No passwords, tokens, API keys, P...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@mdbooth: This pull request references Jira Issue OCPBUGS-90545, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

openshift-e2e-aws-disconnected calls ipi-aws-pre-disconnected and ipi-aws-post-disconnected. ipi-aws-pre-disconnected provisions an s3 bucket for the bastionhost, but ipi-aws-post-disconnected does not call aws-deprovision-s3buckets to clean it up, so it leaks.

Subsequent runs of the job against the same PR re-use a namespace. As the buckets use the namespace in the name, this also means the second run in a PR will fail due to the name collision.

This change fixes the leak by adding the missing cleanup step. It also tolerates a pre-existing bucket owned by us and re-uses it, cleaning it up after the run.

Summary by CodeRabbit

This pull request fixes a resource leak in the AWS disconnected CI/CD workflow for OpenShift cluster testing. The issue occurs when the openshift-e2e-aws-disconnected job runs multiple times in the same namespace—S3 buckets created during the pre-disconnected setup phase were never being cleaned up, causing name collisions on subsequent test runs.

Changes made:

1. S3 bucket reuse and tolerance (aws-provision-bastionhost-commands.sh):

• Modified the bastion host provisioning script to check if an S3 bucket already exists and is accessible using aws s3api head-bucket before attempting to create a new one
• If the bucket already exists (likely a leaked bucket from a prior run), it is reused instead of causing a failure
• The bucket name is still recorded in the cleanup list for proper deprovisioning

2. Added S3 bucket deprovisioning step (ipi-aws-post-disconnected-chain.yaml):

• Added the aws-deprovision-s3buckets step to the post-disconnected cleanup chain
• This step now executes during cleanup, reading the bucket list and properly deleting S3 buckets that were created or reused during the test run
• Positioned before user/policy and verification cleanup steps in the cleanup sequence

The fix addresses both immediate symptom relief (allowing bucket reuse) and root cause elimination (ensuring proper cleanup), preventing the accumulation of orphaned S3 resources in AWS accounts across multiple test runs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@mdbooth: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-rh-ecosystem-edge-recert-main-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-main-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-main-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.22-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.22-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.22-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.21-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.21-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.21-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.20-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.20-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.20-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.19-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.19-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.19-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.18-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.18-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.18-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.16-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.16-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.16-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.14-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.14-e2e-aws-ovn-single-node-recert-parallel	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.14-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe	rh-ecosystem-edge/recert	presubmit	Registry content changed
pull-ci-rh-ecosystem-edge-recert-v0-e2e-aws-ovn-single-node-recert-serial	rh-ecosystem-edge/recert	presubmit	Registry content changed

A total of 1303 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[mdbooth]

/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mdbooth]

/pj-rehearse

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mdbooth]

Confirmed by checking the logs that s3 bucket creation and cleanup worked correctly in all the above jobs. The DR tests failed for unrelated reasons I'm not going in to.

The capi disconnected job still seems to have a problem, but it started before the s3 problem. I'm continuing to work on it, but I think we should merge this now anyway.

/pj-rehearse ack

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[mdbooth]

/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

[openshift-merge-bot]

@mdbooth: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[miyadav]

/approve

[mdbooth]

/assign patrickdillon

[patrickdillon]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mdbooth, miyadav, patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/aws/OWNERS [patrickdillon]
• ci-operator/step-registry/ipi/aws/post/disconnected/OWNERS [mdbooth,patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@mdbooth: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/openshift-tests-private/release-5.1/debug-disasterrecovery-aws-ipi	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-openshift-tests-private-release-5.1-debug-disasterrecovery-aws-ipi
ci/rehearse/openshift/openshift-tests-private/release-4.22/debug-disasterrecovery-aws-ipi	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.22-debug-disasterrecovery-aws-ipi
ci/rehearse/openshift/openshift-tests-private/release-5.0/debug-disasterrecovery-aws-ipi	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-openshift-tests-private-release-5.0-debug-disasterrecovery-aws-ipi
ci/rehearse/openshift/openshift-tests-private/main/debug-disasterrecovery-aws-ipi	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-openshift-tests-private-main-debug-disasterrecovery-aws-ipi
ci/rehearse/openshift/openshift-tests-private/release-4.23/debug-disasterrecovery-aws-ipi	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-openshift-tests-private-release-4.23-debug-disasterrecovery-aws-ipi
ci/rehearse/openshift/cluster-capi-operator/main/e2e-aws-capi-disconnected-techpreview	b1814dc	link	unknown	/pj-rehearse pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@mdbooth: Jira Issue OCPBUGS-90545: All pull requests linked via external trackers have merged:

• openshift/release#80814

Jira Issue OCPBUGS-90545 has been moved to the MODIFIED state.

Details

In response to this:

openshift-e2e-aws-disconnected calls ipi-aws-pre-disconnected and ipi-aws-post-disconnected. ipi-aws-pre-disconnected provisions an s3 bucket for the bastionhost, but ipi-aws-post-disconnected does not call aws-deprovision-s3buckets to clean it up, so it leaks.

Subsequent runs of the job against the same PR re-use a namespace. As the buckets use the namespace in the name, this also means the second run in a PR will fail due to the name collision.

This change fixes the leak by adding the missing cleanup step. It also tolerates a pre-existing bucket owned by us and re-uses it, cleaning it up after the run.

Summary by CodeRabbit

This pull request fixes a resource leak in the AWS disconnected CI/CD workflow for OpenShift cluster testing. The issue occurs when the openshift-e2e-aws-disconnected job runs multiple times in the same namespace—S3 buckets created during the pre-disconnected setup phase were never being cleaned up, causing name collisions on subsequent test runs.

Changes made:

1. S3 bucket reuse and tolerance (aws-provision-bastionhost-commands.sh):

• Modified the bastion host provisioning script to check if an S3 bucket already exists and is accessible using aws s3api head-bucket before attempting to create a new one
• If the bucket already exists (likely a leaked bucket from a prior run), it is reused instead of causing a failure
• The bucket name is still recorded in the cleanup list for proper deprovisioning

2. Added S3 bucket deprovisioning step (ipi-aws-post-disconnected-chain.yaml):

• Added the aws-deprovision-s3buckets step to the post-disconnected cleanup chain
• This step now executes during cleanup, reading the bucket list and properly deleting S3 buckets that were created or reused during the test run
• Positioned before user/policy and verification cleanup steps in the cleanup sequence

The fix addresses both immediate symptom relief (allowing bucket reuse) and root cause elimination (ensuring proper cleanup), preventing the accumulation of orphaned S3 resources in AWS accounts across multiple test runs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.