cluster-authentication-operator: add external-oidc conformance periodics

Run the complete conformance suite except External OIDC tests (covered
by other jobs) and any tests that depend on the OAuth stack (e.g. APIs)
as the OAuth components do not exist in External OIDC.

Author: liouk

ci-operator/config/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21__periodics.yaml

@@ -338,6 +338,41 @@ tests:
       TEST_SKIPS: \[OCPFeatureGate:ExternalOIDC\]
       TEST_SUITE: openshift/auth/external-oidc
     workflow: openshift-e2e-aws-single-node
+- as: e2e-aws-external-oidc-conformance-parallel-techpreview
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\] authorization
+        TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-cli\]
+        templates process \[apigroup:template.openshift.io\]\[Skipped:Disconnected\]
+        \[Suite:openshift\/conformance\/parallel\]\|\[sig-auth\]\[Feature:Authentication\]
+        TestFrontProxy should succeed \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance security tests \[apigroup:authorization.openshift.io\]\[apigroup:template.openshift.io\]
+        should pass security tests \[apigroup:route.openshift.io\] \[Suite:openshift\/conformance\/parallel\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance impersonation tests \[apigroup:user.openshift.io\]\[apigroup:authorization.openshift.io\]
+      TEST_SUITE: openshift/conformance/parallel
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
+- as: e2e-aws-external-oidc-conformance-serial-techpreview
+  interval: 24h
+  steps:
+    cluster_profile: aws-3
+    env:
+      FEATURE_SET: TechPreviewNoUpgrade
+      TEST_ARGS: --disable-monitor=legacy-test-framework-invariants
+      TEST_SKIPS: ExternalOIDC\|\[Feature:OAuthServer\]\|\[Feature:RoleBindingRestrictions\]\|oauth-apiserver\|\[apigroup:oauth.openshift.io\]\|\[apigroup:user.openshift.io\]\|OAuth
+        access token\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]\[Serial\] authorization
+        TestAuthorizationResourceAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-auth\]\[Feature:OpenShiftAuthorization\]
+        authorization TestAuthorizationSubjectAccessReview should succeed \[apigroup:authorization.openshift.io\]\|\[sig-devex\]\[Feature:Templates\]
+        templateinstance impersonation tests \[apigroup:user.openshift.io\]\[apigroup:authorization.openshift.io\]\|\[sig-api-machinery\]
+        API data in etcd should be stored at the correct location and version for
+        all resources \[Serial\]
+      TEST_SUITE: openshift/conformance/serial
+    workflow: idp-external-oidc-keycloak-aws
+  timeout: 8h0m0s
 zz_generated_metadata:
   branch: release-4.21
   org: openshift

ci-operator/jobs/openshift/cluster-authentication-operator/openshift-cluster-authentication-operator-release-4.21-periodics.yaml

@@ -72,6 +72,156 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.21
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.21"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance-parallel-techpreview
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    timeout: 8h0m0s
+  extra_refs:
+  - base_ref: release-4.21
+    org: openshift
+    repo: cluster-authentication-operator
+  interval: 24h
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-3
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.21"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-serial-techpreview
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-external-oidc-conformance-serial-techpreview
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   decorate: true