ACM-34234: build(cli): rename hcp archives to include OS and arch in filename

[yiraeChristineKim]

What this PR does / why we need it

Each platform archive was previously named hcp.tar.gz regardless of OS/arch, causing filename collisions when Konflux derives the release artifact name from the component and archive name (the filename field is no longer used).

Archives are now named hcp-<os>-<arch>.tar.gz and written flat into ./bin/, producing:

• hcp-linux-amd64.tar.gz
• hcp-linux-arm64.tar.gz
• hcp-linux-ppc64le.tar.gz
• hcp-linux-s390x.tar.gz
• hcp-darwin-amd64.tar.gz
• hcp-darwin-arm64.tar.gz
• hcp-windows-amd64.tar.gz
• hcp-windows-arm64.tar.gz

References:

• Konflux release data MR: https://gitlab.cee.redhat.com/releng/konflux-release-data/-/merge_requests/18358#note_21658264
• Jira: https://redhat.atlassian.net/browse/ACM-34234

Which issue(s) this PR fixes

Fixes ACM-34234

Special notes for your reviewer

N/A

Checklist

• The code I'm writing is tested
• Testing instructions provided below OR it's sufficiently covered by existing tests
• Documentation added/updated if necessary

How to test

Build the Containerfile.cli image and verify the resulting /opt/app-root/src/ directory contains flat hcp-<os>-<arch>.tar.gz files with no OS/arch subdirectories.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Improved artifact packaging and cleanup in the build process for more efficient distribution.

[openshift-ci-robot]

@yiraeChristineKim: This pull request references ACM-34234 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it

Each platform archive was previously named hcp.tar.gz regardless of OS/arch, causing filename collisions when Konflux derives the release artifact name from the component and archive name (the filename field is no longer used).

Archives are now named hcp-<os>-<arch>.tar.gz and written flat into ./bin/, producing:

• hcp-linux-amd64.tar.gz
• hcp-linux-arm64.tar.gz
• hcp-linux-ppc64le.tar.gz
• hcp-linux-s390x.tar.gz
• hcp-darwin-amd64.tar.gz
• hcp-darwin-arm64.tar.gz
• hcp-windows-amd64.tar.gz
• hcp-windows-arm64.tar.gz

References:

• Konflux release data MR: https://gitlab.cee.redhat.com/releng/konflux-release-data/-/merge_requests/18358#note_21658264
• Jira: https://redhat.atlassian.net/browse/ACM-34234

Which issue(s) this PR fixes

Fixes ACM-34234

Special notes for your reviewer

N/A

Checklist

• The code I'm writing is tested
• Testing instructions provided below OR it's sufficiently covered by existing tests
• Documentation added/updated if necessary

How to test

Build the Containerfile.cli image and verify the resulting /opt/app-root/src/ directory contains flat hcp-<os>-<arch>.tar.gz files with no OS/arch subdirectories.

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8d0aa1ff-97d1-4a66-9388-88d996a2a64f

📥 Commits

Reviewing files that changed from the base of the PR and between 8e05ad6 and 54af174.

📒 Files selected for processing (1)

• Containerfile.cli

---

📝 Walkthrough

Walkthrough

The change refactors the builder stage in Containerfile.cli to restructure how release binaries are packaged into tarballs. The Linux packaging loop now outputs tarballs directly to ./bin/ instead of creating nested directory structures. The Darwin and Windows packaging loop is similarly adjusted to tar from a flat directory structure and output directly to ./bin/ with naming pattern hcp-${OS}-${ARCH}.tar.gz. The cleanup step is updated to remove intermediate OS/arch subdirectories using find with depth constraints, instead of deleting files by pattern, ensuring only the final .tar.gz artifacts remain.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: renaming archives to include OS and arch in the filename, which directly matches the primary objective of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Sampled Ginkgo test files show stable, descriptive test names without dynamic values like fmt.Sprintf, UUIDs, timestamps, or pod names.
Test Structure And Quality	✅ Passed	Custom check not applicable: PR modifies only Containerfile.cli; all test files are newly added, not modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only Containerfile.cli, a container build configuration file. No deployment manifests, operator code, or controllers are added/modified. No scheduling constraints introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies only Containerfile.cli (a Docker build configuration), not Ginkgo e2e tests. The check for IPv6/disconnected network compatibility is not applicable to non-test files.
No-Weak-Crypto	✅ Passed	PR contains only Containerfile.cli changes for archive naming/packaging—no weak crypto algorithms, custom crypto, or secret comparisons are present.
Container-Privileges	✅ Passed	Containerfile.cli contains no privileged directives (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation). Changes only affect archive packaging logic.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposed in logs. Tar verbose output lists the ./hcp binary filename only; COMMIT_HASH ARG is never logged; no passwords, tokens, keys, or PII found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.68%. Comparing base (8e05ad6) to head (54af174).
⚠️ Report is 149 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8649   +/-   ##
=======================================
  Coverage   40.68%   40.68%           
=======================================
  Files         755      755           
  Lines       93368    93368           
=======================================
  Hits        37985    37985           
  Misses      52649    52649           
  Partials     2734     2734           

Flag	Coverage Δ
cmd-support	34.70% <ø> (ø)
cpo-hostedcontrolplane	41.80% <ø> (ø)
cpo-other	41.39% <ø> (ø)
hypershift-operator	50.81% <ø> (ø)
other	31.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[yiraeChristineKim]

/ok-to-test

[bryan-cox]

/area ci-tooling

[bryan-cox]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, yiraeChristineKim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[celebdor]

/retest-required

[yiraeChristineKim]

@bryan-cox Could you rerun the konflux? I cannot rerun this

[bryan-cox]

/retest

[csrwng]

/lgtm
/verified later @yiraeChristineKim

[openshift-ci-robot]

@csrwng: This PR has been marked to be verified later by @yiraeChristineKim.

Details

In response to this:

/lgtm
/verified later @yiraeChristineKim

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[yiraeChristineKim]

/test

[yiraeChristineKim]

/test all

[bryan-cox]

@yiraeChristineKim tests won't pass atm. There is a CI infra issue - https://redhat-internal.slack.com/archives/CBN38N3MW/p1781197595898369?thread_ts=1781107246.787989&cid=CBN38N3MW

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 0b33006 and 2 for PR HEAD 54af174 in total

[yiraeChristineKim]

@bryan-cox This is not urgent PR so let me wait tmr Thanks!

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 1f7deb5 and 1 for PR HEAD 54af174 in total

[bryan-cox]

/retest

[bryan-cox]

@bryan-cox This is not urgent PR so let me wait tmr Thanks!

@yiraeChristineKim they said its fixed now 🤞🏻

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 39f04eb and 0 for PR HEAD 54af174 in total

[openshift-merge-bot]

/hold

Revision 54af174 was retested 3 times: holding

[yiraeChristineKim]

/retest

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2065480803692843008 | Cost: $3.3447574999999996 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[bryan-cox]

/test e2e-aws

[yiraeChristineKim]

@bryan-cox Can we override this?

[hypershift-jira-solve-ci]

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
• Build ID: 2066501496576413696
• Target: e2e-aws
• Cluster: build01
• Start Time: 2026-06-15T12:42:05Z
• End Time: 2026-06-15T14:55:58Z
• Result: 623 tests, 30 skipped, 5 failures (2 distinct failures + 3 parent rollups)

Test Failure Analysis

Error

failed to wait for DaemonSet global-pull-secret-syncer to be ready: context deadline exceeded
  msg: "failed to wait for DaemonSet global-pull-secret-syncer to be ready: context deadline exceeded"
  err: context.deadlineExceededError{}

daemonsets.apps "kubelet-config-verifier" already exists (409 Conflict — cascading failure)

Summary

The TestCreateCluster/Main/EnsureGlobalPullSecret test failed because the global-pull-secret-syncer DaemonSet on the hosted cluster was stuck at 2/3 pods ready for the entire 20-minute timeout (1205s) after a pull secret update triggered a DaemonSet rollout (generation 2→4). One of the three pods (one per AZ: us-east-1a, us-east-1b, us-east-1c) never became ready during the inline wait. Notably, when the next sub-test checked the same DaemonSet 40 seconds later, it found all 3/3 pods ready — confirming the issue was a transient pod scheduling or readiness delay on one hosted cluster worker node, not a permanent failure. A second cascading failure occurred when the Check_if_the_config.json_is_correct_in_all_of_the_nodes sub-test tried to create a kubelet-config-verifier DaemonSet that already existed (left behind by the timed-out sub-test). This failure is unrelated to PR #8649, which only modifies Containerfile.cli to rename HCP CLI archive filenames — it touches no test code, cluster logic, or pull secret handling.

Root Cause

Primary failure: Transient DaemonSet rollout delay (flaky test)

The EnsureGlobalPullSecret test performs the following steps:

1. Patches the management-cluster pull secret with a dummy auth entry
2. Waits for the pull secret to propagate to the guest cluster's openshift-config/pull-secret and kube-system/original-pull-secret
3. Creates a kubelet-config-verifier DaemonSet
4. Waits for several DaemonSets (ovnkube-node, global-pull-secret-syncer, konnectivity-agent, kubelet-config-verifier) to become ready

The pull secret update triggers the global-pull-secret-syncer DaemonSet to roll out new pods (generation bumped from 2 to 4). During this rollout, one of the three pods (across 3 AZs) failed to reach Ready status within the 20-minute context deadline. The DaemonSet was persistently at 2/3 pods ready — 368 log lines repeated this status.

The subsequent sub-test Wait_for_critical_DaemonSets_to_be_ready_-_first_check succeeded in 40 seconds, confirming the third pod eventually became ready. This indicates a transient issue — likely a slow node, temporary resource pressure, or pod scheduling delay on one hosted cluster worker node during the DaemonSet rollout.

Cascading failure: kubelet-config-verifier AlreadyExists

The Check_if_the_config.json_is_correct_in_all_of_the_nodes sub-test attempted to create a kubelet-config-verifier DaemonSet but received a 409 Conflict (AlreadyExists). This DaemonSet was already created by the timed-out When_management-cluster... sub-test at globalps.go:209. The test code does not clean up this resource between sub-tests, causing the cascading failure.

Relationship to PR #8649: None

PR #8649 (ACM-34234: build(cli): rename hcp archives to include OS and arch in filename) only modifies Containerfile.cli. It changes archive naming conventions in the CLI container build. It does not modify any test code, cluster configuration, pull secret logic, or DaemonSet behavior.

Recommendations

1. Retry the job — This is a transient/flaky test failure unrelated to the PR's changes. A rerun should pass.

2. File a flake issue for TestCreateCluster/Main/EnsureGlobalPullSecret — The When_management-cluster... sub-test has an inherent race: it waits for the global-pull-secret-syncer DaemonSet rollout inline with a context deadline, but the rollout can take longer than the timeout on slow nodes. The fact that the next sub-test (Wait_for_critical_DaemonSets_to_be_ready_-_first_check) passes 40 seconds later proves the timeout is just barely insufficient.

3. Fix the cascading failure — The kubelet-config-verifier DaemonSet created in the When_management-cluster... sub-test is not cleaned up before Check_if_the_config.json_is_correct_in_all_of_the_nodes tries to create it. The test should either use CreateOrUpdate semantics or delete the DaemonSet in cleanup/defer.

4. Consider increasing the DaemonSet readiness timeout — The 20-minute timeout for a 3-node DaemonSet rollout seems generous, but if one node is temporarily unresponsive (e.g., during kernel updates, kubelet restart), it can easily be exceeded.

Evidence

Evidence	Detail
PR #8649 changed files	Containerfile.cli only — no test/cluster code changes
Primary failure	global-pull-secret-syncer DaemonSet stuck at 2/3 pods ready for 1205s (20 min timeout)
DaemonSet rollout trigger	Pull secret patch caused generation bump from 2 → 4
Hosted cluster topology	3 NodePools (us-east-1a/1b/1c), each with 1 replica = 3 worker nodes
"2/3 pods ready" log count	368 repeated log lines from util.go:2290
Subsequent check passed	Wait_for_critical_DaemonSets_to_be_ready_-_first_check passed in 40s (line 3319)
DaemonSet became 3/3	Confirmed at line 3328: DaemonSet global-pull-secret-syncer ready: 3/3 pods
Cascading failure	kubelet-config-verifier DaemonSet 409 AlreadyExists at globalps.go:211
Test results	623 tests, 30 skipped, 5 failures (2 distinct + 3 parent rollups)
All failures in	TestCreateCluster/Main/EnsureGlobalPullSecret subtree only

---

[yiraeChristineKim]

/test e2e-aws

[bryan-cox]

/hold cancel