adding cluster claim

[JoaoFula]

and changing getting kubeconfig, base url and password

Summary by CodeRabbit

• Chores
  • Switched integration tests to ephemeral cluster provisioning and updated pipeline ordering to use the new provision/deprovision flow.
• Tests
  • Rewired end-to-end tests to receive cluster credentials (kubeconfig and admin password) via secrets; adjusted test startup and resource-gathering to use the new credential flow.

[coderabbitai]

Warning

Review limit reached

@JoaoFula, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 46 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0b8cf1e6-cf1f-4616-b79b-65a4a4346fd7

📥 Commits

Reviewing files that changed from the base of the PR and between d634be1 and b662fe7.

📒 Files selected for processing (1)

• .tekton/integration-tests/lightspeed-console-pre-commit.yaml

📝 Walkthrough

Walkthrough

Pipeline now provisions an ephemeral cluster via provision-ephemeral-cluster, passes its credentials secretRef into ols-e2e-tests (which writes kubeconfig and derives BASE_URL), updates resource-gather inputs, and finalizes with deprovision-ephemeral-cluster.

Changes

Ephemeral cluster provisioning migration

Layer / File(s)	Summary
New ephemeral cluster provisioning task .tekton/integration-tests/lightspeed-console-pre-commit.yaml	Replaced provision-cluster with provision-ephemeral-cluster (taskRef changed, clusterClaim payload added) and updated pipeline ordering.
Test task dependency and credential wiring .tekton/integration-tests/lightspeed-console-pre-commit.yaml	Rewired ols-e2e-tests to run after provision-ephemeral-cluster; added clusterCredentialsSecretRef parameter wired from provision-ephemeral-cluster.results.secretRef.
Credential parameter and script integration .tekton/integration-tests/lightspeed-console-pre-commit.yaml	run-e2e-tests now sources KUBECONFIG_VALUE and PASSWORD_VALUE from the provided credentials secret via secretKeyRef, writes kubeconfig to /credentials/kubeconfig, computes BASE_URL via oc using that file, uses the injected PASSWORD_VALUE for login, and updates gather-cluster-resources kubeconfig usage.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• kyoto

Suggested labels

lgtm

Poem

🐰 I swapped an old cluster for one that flies,
secrets tucked safe where ephemeral skies arise,
written to disk so oc can find its way,
tests hop in and greet the new cluster's day,
a tiny rabbit cheers the pipeline's bright surprise.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'adding cluster claim' is vague and generic, using non-descriptive phrasing that doesn't clearly convey the scope or nature of the changes made to the pipeline configuration.	Revise the title to be more specific and descriptive, such as 'Replace provision-cluster with provision-ephemeral-cluster in integration test pipeline' to better reflect the main architectural change.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joaofula for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• .tekton/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/integration-tests/lightspeed-console-pre-commit.yaml (1)

233-243: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: oc command used before it's downloaded.

Line 234 executes oc --kubeconfig to compute BASE_URL, but the oc client isn't downloaded until lines 240-243. The Playwright image does not include the OpenShift CLI. This will fail with "command not found".

Move the oc download before computing BASE_URL, or move the BASE_URL computation after the download.

Proposed fix: move BASE_URL computation after oc download

              echo "$KUBECONFIG_VALUE" > /credentials/kubeconfig
-              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
              echo "COMMIT_SHA: ${COMMIT_SHA}"
-              echo "BASE_URL: ${BASE_URL}"
              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
              echo "---------------------------------------------"
              wget --no-verbose -O oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
                  && tar -xvzf oc.tar.gz \
                  && chmod +x kubectl oc \
                  && mv oc kubectl /usr/local/bin/
              echo "---------------------------------------------"
+              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
+              echo "BASE_URL: ${BASE_URL}"
+              echo "---------------------------------------------"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
233 - 243, The script computes BASE_URL using the oc binary (oc --kubeconfig
"$KUBECONFIG_PATH") before downloading/installing oc, causing a "command not
found" error; fix by moving the oc download/install block (the wget/tar/chmod/mv
sequence that installs kubectl and oc) to run before the export BASE_URL line
(or alternatively defer the export BASE_URL until after installation), ensuring
the oc client is available when computing BASE_URL using
KUBECONFIG_PATH/KUBECONFIG_VALUE.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 271-273: The LOGIN_PASSWORD is hardcoded to "placeholder" causing
auth failures; update the pipeline to read the real password from the secret
output exposed by the debug-secret-keys step and assign it to LOGIN_PASSWORD
(use the PASSWORD_VALUE variable referenced in the TODO) instead of the
placeholder. Locate the environment export for LOGIN_PASSWORD in the pre-commit
task and wire it to the secret output (or the pipeline/step result named by
debug-secret-keys) so LOGIN_PASSWORD is set from PASSWORD_VALUE at runtime
rather than a hardcoded string.
- Around line 40-49: The pipeline task block for provision-ephemeral-cluster is
using the wrong key; replace the top-level ref: block with taskRef: (keeping the
same resolver and params) so the task declaration matches how
eaas-provision-space is referenced; specifically update the
provision-ephemeral-cluster task block to use taskRef (with resolver: git and
the same url/revision/pathInRepo params) instead of ref.

---

Outside diff comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 233-243: The script computes BASE_URL using the oc binary (oc
--kubeconfig "$KUBECONFIG_PATH") before downloading/installing oc, causing a
"command not found" error; fix by moving the oc download/install block (the
wget/tar/chmod/mv sequence that installs kubectl and oc) to run before the
export BASE_URL line (or alternatively defer the export BASE_URL until after
installation), ensuring the oc client is available when computing BASE_URL using
KUBECONFIG_PATH/KUBECONFIG_VALUE.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9fbf07ee-9043-4c22-b2fa-b20e46bbefcb

📥 Commits

Reviewing files that changed from the base of the PR and between f62f15c and db6e7dd.

📒 Files selected for processing (1)

• .tekton/integration-tests/lightspeed-console-pre-commit.yaml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/integration-tests/lightspeed-console-pre-commit.yaml (1)

233-243: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Install oc before the first route lookup.

Line 234 invokes oc before Lines 240-243 download it, so this step can fail before the install block ever runs. Move the client setup ahead of the BASE_URL lookup.

Proposed fix

             script: |
               echo "$KUBECONFIG_VALUE" > /credentials/kubeconfig
-              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
-              echo "COMMIT_SHA: ${COMMIT_SHA}"
-              echo "BASE_URL: ${BASE_URL}"
-              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
-              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
-              echo "---------------------------------------------"
               wget --no-verbose -O oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
                   && tar -xvzf oc.tar.gz \
                   && chmod +x kubectl oc \
                   && mv oc kubectl /usr/local/bin/
+              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
+              echo "COMMIT_SHA: ${COMMIT_SHA}"
+              echo "BASE_URL: ${BASE_URL}"
+              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
+              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
               echo "---------------------------------------------"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
233 - 243, The script sets BASE_URL using the oc command before oc is installed,
which can fail; move the oc client installation block (the wget/tar/chmod/mv
steps that download and install oc/kubectl) to run before the export
BASE_URL=... line so oc is available when you run oc --kubeconfig
"$KUBECONFIG_PATH" get route console -n openshift-console -o go-template
--template="{{.spec.host}}"; keep the KUBECONFIG write (echo "$KUBECONFIG_VALUE"
> /credentials/kubeconfig) in place and ensure KUBECONFIG_PATH is exported
before calling oc.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 233-243: The script sets BASE_URL using the oc command before oc
is installed, which can fail; move the oc client installation block (the
wget/tar/chmod/mv steps that download and install oc/kubectl) to run before the
export BASE_URL=... line so oc is available when you run oc --kubeconfig
"$KUBECONFIG_PATH" get route console -n openshift-console -o go-template
--template="{{.spec.host}}"; keep the KUBECONFIG write (echo "$KUBECONFIG_VALUE"
> /credentials/kubeconfig) in place and ensure KUBECONFIG_PATH is exported
before calling oc.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 14f7b0e5-c695-4a9f-83cd-d34bd00c6b82

📥 Commits

Reviewing files that changed from the base of the PR and between db6e7dd and b998cfa.

📒 Files selected for processing (1)

• .tekton/integration-tests/lightspeed-console-pre-commit.yaml

[JoaoFula]

/retest

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/integration-tests/lightspeed-console-pre-commit.yaml (1)

210-221: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Install oc before computing BASE_URL in run-e2e-tests
.tekton/integration-tests/lightspeed-console-pre-commit.yaml runs export BASE_URL=...$(oc ...) before the script downloads/installs oc (the wget/tar/chmod/mv block occurs later). With Tekton’s default script preamble (/bin/sh + set -e), the step will fail immediately when oc isn’t already on PATH. Move the oc install block above the BASE_URL export.

Proposed fix

             script: |
+              #!/bin/bash
+              set -euo pipefail
               echo "$KUBECONFIG_VALUE" > /credentials/kubeconfig
-              export BASE_URL=https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
-              echo "COMMIT_SHA: ${COMMIT_SHA}"
-              echo "BASE_URL: ${BASE_URL}"
-              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
-              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
-              echo "---------------------------------------------"
               wget --no-verbose -O oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
                   && tar -xvzf oc.tar.gz \
                   && chmod +x kubectl oc \
                   && mv oc kubectl /usr/local/bin/
+              export BASE_URL="https://$(oc --kubeconfig "$KUBECONFIG_PATH" get route console -n openshift-console -o go-template --template='{{.spec.host}}')"
+              echo "COMMIT_SHA: ${COMMIT_SHA}"
+              echo "BASE_URL: ${BASE_URL}"
+              echo "CONSOLE_IMAGE: ${CONSOLE_IMAGE}"
+              echo "KUBECONFIG_PATH: ${KUBECONFIG_PATH}"
+              echo "---------------------------------------------"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
210 - 221, The step computes BASE_URL by running the oc command in the export
BASE_URL=... line before installing oc (the wget/tar/chmod/mv block), causing
the script to fail if oc is not on PATH; move the oc install block (the wget
--no-verbose ... && tar -xvzf oc.tar.gz && chmod +x kubectl oc && mv oc kubectl
/usr/local/bin/) above the line that exports BASE_URL so oc is available when
running oc --kubeconfig "$KUBECONFIG_PATH" get route console -n
openshift-console -o go-template --template="{{.spec.host}}".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 343-347: The finally deprovision step currently consumes
$(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimName) and
$(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimNamespace)
which are only written after full readiness, so teardown can be skipped on
provision failure; fix this by ensuring the claim identifiers are emitted
immediately after the oc create step: either update the
provision-ephemeral-cluster task to set testPlatformClusterClaimName and
testPlatformClusterClaimNamespace as TaskResults right after the oc create
(before waiting for readiness) or split out the create into its own task that
publishes those results and have the finally deprovision consume those early
results instead (referencing provision-ephemeral-cluster,
testPlatformClusterClaimName, testPlatformClusterClaimNamespace and the finally
deprovision task).

---

Outside diff comments:
In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml:
- Around line 210-221: The step computes BASE_URL by running the oc command in
the export BASE_URL=... line before installing oc (the wget/tar/chmod/mv block),
causing the script to fail if oc is not on PATH; move the oc install block (the
wget --no-verbose ... && tar -xvzf oc.tar.gz && chmod +x kubectl oc && mv oc
kubectl /usr/local/bin/) above the line that exports BASE_URL so oc is available
when running oc --kubeconfig "$KUBECONFIG_PATH" get route console -n
openshift-console -o go-template --template="{{.spec.host}}".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 63136b02-84d5-41c6-a60c-15c7b227c48c

📥 Commits

Reviewing files that changed from the base of the PR and between d3cbab5 and d634be1.

📒 Files selected for processing (1)

• .tekton/integration-tests/lightspeed-console-pre-commit.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the pipeline section around the cited lines
FILE=".tekton/integration-tests/lightspeed-console-pre-commit.yaml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '320,380p'

# 2) Find where provision-ephemeral-cluster is declared/used and where cleanup/finally happens
echo
echo "== Lines mentioning provision-ephemeral-cluster =="
rg -n "provision-ephemeral-cluster" "$FILE" || true

echo
echo "== Search for finally/cleanup blocks in the same file =="
rg -n "(finally:|cleanup:|deprovision|deprovisioning|delete|remove)" "$FILE" || true

# 3) Locate the deprovision task and how it consumes the claim name/namespace
echo
echo "== Search for deprovision tasks and consumed result names =="
rg -n "testPlatformClusterClaimName|testPlatformClusterClaimNamespace" "$FILE" || true
rg -n "deprovision|deprovision-ephemeral|delete.*claim|delete.*TestPlatform|Cluster claim" "$FILE" || true

Repository: openshift/lightspeed-console

Length of output: 206

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".tekton/integration-tests/lightspeed-console-pre-commit.yaml"
echo "== File: $FILE =="

if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

awk 'NR>=320 && NR<=380 {printf "%6d\t%s\n", NR, $0}' "$FILE"

echo
echo "== Lines mentioning provision-ephemeral-cluster =="
rg -n "provision-ephemeral-cluster" "$FILE" || true

echo
echo "== Search for finally/cleanup blocks in the same file =="
rg -n "(finally:|cleanup:|deprovision|deprovisioning|delete|remove)" "$FILE" || true

echo
echo "== Search for deprovision tasks and consumed result names =="
rg -n "testPlatformClusterClaimName|testPlatformClusterClaimNamespace" "$FILE" || true
rg -n "deprovision|provision-ephemeral|delete.*claim|delete.*TestPlatform|Cluster claim" "$FILE" || true

Repository: openshift/lightspeed-console

Length of output: 3293

---

🌐 Web query:

konflux-tasks provision-ephemeral-cluster 0.1 provision-ephemeral-cluster.yaml testPlatformClusterClaimName when set

💡 Result:

The provision-ephemeral-cluster task (version 0.1) in the openshift/konflux-tasks repository is designed to facilitate ephemeral cluster provisioning for integration tests in the OpenShift CI environment [1][2][3]. When executed, this task orchestrates the creation of a TestPlatformCluster object, which triggers the provisioning of an EphemeralCluster [1][4]. Regarding the testPlatformClusterClaimName parameter: 1. Function: While specific task definitions in the openshift/konflux-tasks repository use various parameters to manage cluster provisioning (such as cluster profiles and workflow specifications), testPlatformClusterClaimName is used to specify the name of the TestPlatformCluster claim resource [1][2]. 2. Behavior when set: When this parameter is explicitly set, the task uses the provided value as the name for the TestPlatformCluster resource created during the pipeline execution [1][4]. This allows users to control the naming of the underlying orchestration resource, which is beneficial for tracking, debugging, or managing specific test scenarios within the Konflux pipeline tenant namespace [1][5]. 3. Workflow Context: The provision-ephemeral-cluster task automates the interaction with the TestPlatform/Crossplane infrastructure [1][3]. By setting the claim name, the resulting ephemeral cluster infrastructure is linked to that specific resource name, enabling the task to subsequently poll for, retrieve, and output the cluster kubeconfig required for further testing steps in the pipeline [1]. For detailed usage, it is recommended to review the task definition directly in the GitHub repository at https://github.com/openshift/konflux-tasks, as configuration parameters may evolve [3]. If further assistance is required, the TestPlatform team is reachable via the #forum-ocp-testplatform channel on the OpenShift Slack [3].

Citations:

• 1: https://docs.ci.openshift.org/architecture/ephemeral-cluster-konflux/
• 2: https://konflux-ci.dev/docs/testing/integration/third-parties/openshift-ci/
• 3: https://github.com/openshift/konflux-tasks
• 4: openshift/ci-docs@3cbfd49
• 5: https://konflux-ci.dev/architecture/ADR/0042-provisioning-ephemeral-openshift-clusters/

---

🌐 Web query:

konflux-tasks deprovision-ephemeral-cluster 0.1 deprovision-ephemeral-cluster.yaml testPlatformClusterClaimName testPlatformClusterClaimNamespace params

💡 Result:

The deprovision-ephemeral-cluster task (version 0.1) is a Tekton task provided by the openshift/konflux-tasks repository, designed to initiate the teardown of an ephemeral cluster that was provisioned within the OpenShift CI environment [1][2]. This task should be used in conjunction with the provision-ephemeral-cluster task. It is recommended, and considered a best practice, to include the deprovision-ephemeral-cluster task within the finally stanza of your Konflux pipeline to ensure that it executes regardless of whether the preceding test steps succeeded or failed [1]. Configuration: To use this task in your pipeline, you must pass the cluster claim details as parameters. These are typically derived from the results of the provision-ephemeral-cluster task [1]. The required parameters are: - testPlatformClusterClaimName: The name of the ephemeral cluster claim, typically populated from $(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimName) [1]. - testPlatformClusterClaimNamespace: The namespace of the ephemeral cluster claim, typically populated from $(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimNamespace) [1]. Example usage in a pipeline definition: finally: - name: deprovision-ephemeral-cluster taskRef: resolver: git params: - name: url value: https://github.com/openshift/konflux-tasks - name: revision value: main - name: pathInRepo value: tasks/deprovision-ephemeral-cluster/0.1/deprovision-ephemeral-cluster.yaml params: - name: testPlatformClusterClaimName value: $(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimName) - name: testPlatformClusterClaimNamespace value: $(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimNamespace) Once executed, the task triggers the deprovisioning process by setting the.spec.tearDownCluster stanza to true on the relevant EphemeralCluster object, signaling the ephemeral cluster reconciler to destroy the cluster [3][4].

Citations:

• 1: https://konflux-ci.dev/docs/testing/integration/third-parties/openshift-ci/
• 2: https://github.com/openshift/konflux-tasks
• 3: https://docs.ci.openshift.org/architecture/ephemeral-cluster-konflux/
• 4: openshift/ci-docs@3cbfd49

---

🌐 Web query:

Tekton pipeline finally task skipped when referencing results not initialized tasks.results

💡 Result:

In Tekton Pipelines, if a finally task references a result from a non-finally task that was skipped (due to a when expression) or failed (and did not initialize the result), the finally task will be automatically skipped [1][2]. When this occurs, the following behavior is observed: 1. Skipping the Finally Task: The controller evaluates the finally task before execution. Because the required result is missing (uninitialized), the finally task is added to the list of skippedTasks in the PipelineRun status [1][2]. 2. Pipeline Completion: The pipeline will continue executing any remaining finally tasks that do not depend on the missing result [1][2]. 3. Final Pipeline Status: The overall PipelineRun will typically exit with a status of Completed rather than Succeeded when finally tasks are skipped in this manner [1][3]. This design is intentional to prevent the accidental execution of tasks dependent on data that was never produced [4][2]. To avoid this, you can structure your pipeline to handle potential missing results, such as by using default values if supported or by designing your tasks to always produce a result (e.g., using a dummy value) even if they are skipped or fail [5][1]. Top results: [1][2][3]

Citations:

• 1: https://tekton.dev/docs/pipelines/pipelines/
• 2: https://github.com/tektoncd/community/blob/main/teps/0004-task-results-in-final-tasks.md
• 3: https://tekton.dev/vault/pipelines-v1.0.x-lts/pipelines/
• 4: Finally tasks should be triggered in case of missing results tektoncd/pipeline#4438
• 5: Finally task is skipped when dependent on results from a failed task tektoncd/pipeline#4118

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

provision_url="https://raw.githubusercontent.com/openshift/konflux-tasks/main/tasks/provision-ephemeral-cluster/0.1/provision-ephemeral-cluster.yaml"
deprovision_url="https://raw.githubusercontent.com/openshift/konflux-tasks/main/tasks/deprovision-ephemeral-cluster/0.1/deprovision-ephemeral-cluster.yaml"

echo "== Fetching upstream provision task =="
curl -fsSL "$provision_url" -o /tmp/provision-ephemeral-cluster.yaml

echo "== Fetching upstream deprovision task =="
curl -fsSL "$deprovision_url" -o /tmp/deprovision-ephemeral-cluster.yaml

echo
echo "== Grep relevant result names in provision task =="
rg -n "testPlatformClusterClaim(Name|Namespace)|claimName|claim namespace|ClaimName|ClaimNamespace" /tmp/provision-ephemeral-cluster.yaml

echo
echo "== Show provision task sections around result assignments =="
# Narrow to blocks likely to set results
rg -n "result:|results:|$" /tmp/provision-ephemeral-cluster.yaml | head -n 50 || true
# Show any script/steps that mention these keys
rg -n "testPlatformClusterClaim(Name|Namespace)" -n /tmp/provision-ephemeral-cluster.yaml || true

echo
echo "== Show where oc create / wait-for-ready happens (context) =="
rg -n "oc create|TestPlatformCluster|wait|Ready|ClusterReady|until|sleep|oc get" /tmp/provision-ephemeral-cluster.yaml

echo
echo "== Deprovision: how it consumes claim params =="
rg -n "testPlatformClusterClaim(Name|Namespace)" /tmp/deprovision-ephemeral-cluster.yaml

Repository: openshift/lightspeed-console

Length of output: 4746

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

prov=/tmp/provision-ephemeral-cluster.yaml
deprov=/tmp/deprovision-ephemeral-cluster.yaml

echo "== Provision: context around result writes (lines ~200-255) =="
awk 'NR>=180 && NR<=270 {printf "%6d\t%s\n", NR, $0}' "$prov"

echo
echo "== Provision: context around oc create + created claim (lines ~280-330) =="
awk 'NR>=270 && NR<=340 {printf "%6d\t%s\n", NR, $0}' "$prov"

echo
echo "== Provision: where outputs are declared (params/results section) =="
awk 'NR>=120 && NR<=180 {printf "%6d\t%s\n", NR, $0}' "$prov"

echo
echo "== Deprovision: full relevant script (search for tearDown) =="
rg -n "tearDown|TestPlatformCluster|EphemeralCluster|testPlatformClusterClaimName|testPlatformClusterClaimNamespace" "$deprov"
echo
echo "== Deprovision: context around those references =="
awk 'NR>=1 && NR<=220 {printf "%6d\t%s\n", NR, $0}' "$deprov" | sed -n '1,220p'

Repository: openshift/lightspeed-console

Length of output: 11989

---

🌐 Web query:

Tekton TEPS 0004 "task results in final tasks" uninitialized result finally task skippedTasks

💡 Result:

In Tekton, the behavior where a finally task is skipped due to an uninitialized result is a design feature governed by TEP-0004 [1][2]. When a finally task consumes a result from a non-finally (DAG) task, the Tekton pipeline controller attempts to resolve that result before executing the finally task [3][4]. If the preceding task fails, is skipped, or otherwise does not initialize the required result, the dependent finally task is automatically included in the list of skippedTasks [1][3]. This causes the pipeline to exit with a status of completion rather than success [3][4]. This design was intended to prevent accidental execution of cleanup or notification tasks when the data they require to function properly is missing [5]. To address this behavior, several developments have occurred: - Failing Tasks Producing Results: Since Tekton Pipelines v0.48.0, it is possible for a task to produce results even if it fails, which can help ensure that finally tasks have the necessary data to execute [5]. - When Expressions: Users can use when expressions in finally tasks to check the status of preceding tasks (e.g., $(tasks..status)) and conditionally execute the finally task even if the result is unavailable, or provide a fallback mechanism [6][7]. - Validation Errors: In some versions, improper referencing of results from skipped tasks (particularly within the finally section itself) could trigger validation errors like invalid pipelineresults, which are distinct from the expected skipped task behavior [8]. If you are experiencing unexpected skips, ensure that the preceding tasks are configured to handle failures gracefully (e.g., ensuring critical results are initialized regardless of step success) or use when expressions to define the logic for your finally tasks based on task status [6][7][5].

Citations:

• 1: https://github.com/tektoncd/community/blob/main/teps/0004-task-results-in-final-tasks.md
• 2: consuming task results in finally tektoncd/pipeline#3242
• 3: https://tekton.dev/vault/pipelines-v1.0.x-lts/pipelines/
• 4: tektoncd/pipeline@2788d0d
• 5: Finally tasks should be triggered in case of missing results tektoncd/pipeline#4438
• 6: https://hackmd.io/-gbYDmS2S0m9-xDWWG9oVg
• 7: Finally task is skipped when dependent on results from a failed task tektoncd/pipeline#4118
• 8: Pipeline failing with "invalid pipelineresults" when referencing results of skipped tasks tektoncd/pipeline#6139

---

🌐 Web query:

site:tekton.dev "finally" "skippedTasks" "results" pipelineRun Completed rather than Succeeded

💡 Result:

In Tekton, a PipelineRun with a final status of Completed instead of Succeeded indicates that the pipeline completed its execution successfully, but one or more tasks within the pipeline were skipped (for example, due to when expressions evaluating to false) [1][2]. The PipelineRun status reflects the overall execution outcome: - Succeeded: All tasks completed successfully, and no tasks were skipped [1][2]. - Completed: All tasks completed successfully (or were appropriately skipped), but the pipeline execution included at least one skipped task [1][2]. If a pipeline includes finally tasks, the status logic incorporates both the main tasks and the finally tasks [1][2]: - If one or more tasks in the main section are skipped, but all other tasks (including finally tasks) finish successfully, the PipelineRun status will be Completed [1][3]. - If any task fails—either in the main section or the finally section—the PipelineRun will typically result in a Failed status [1][2]. Additionally, if a finally task is forced into the list of skipped tasks (for example, because it relies on a result from a failed or skipped main task), the pipeline will exit with a status of Completed instead of Succeeded, provided no other failures occurred [1][3].

Citations:

• 1: https://tekton.dev/docs/pipelines/pipelines/
• 2: https://tekton.dev/vault/pipelines-main/pipelines/
• 3: https://tekton.dev/vault/pipelines-v1.0.x-lts/pipelines/

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".tekton/integration-tests/lightspeed-console-pre-commit.yaml"
echo "== File excerpt around provision-ephemeral-cluster task params (lines ~1-220) =="
awk 'NR>=1 && NR<=220 {printf "%6d\t%s\n", NR, $0}' "$FILE" | sed -n '120,190p'

Repository: openshift/lightspeed-console

Length of output: 3339

---

Don’t gate cleanup on success-only provision results.

In .tekton/integration-tests/lightspeed-console-pre-commit.yaml (lines 343-347), the finally deprovision task consumes $(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimName/Namespace). Upstream provision-ephemeral-cluster only writes those results after the TestPlatformCluster is both Ready=True and ClusterReady=True; if it times out/fails after oc create but before readiness, the results are never initialized, and Tekton will skip the finally task—so teardown won’t run and the TestPlatformCluster claim can leak. (provision-ephemeral-cluster, TEP-0004)

Update the cleanup path to use claim identifiers available immediately after oc create, or change the upstream provision-ephemeral-cluster task to emit testPlatformClusterClaimName / testPlatformClusterClaimNamespace right after creating the claim.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/integration-tests/lightspeed-console-pre-commit.yaml around lines
343 - 347, The finally deprovision step currently consumes
$(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimName) and
$(tasks.provision-ephemeral-cluster.results.testPlatformClusterClaimNamespace)
which are only written after full readiness, so teardown can be skipped on
provision failure; fix this by ensuring the claim identifiers are emitted
immediately after the oc create step: either update the
provision-ephemeral-cluster task to set testPlatformClusterClaimName and
testPlatformClusterClaimNamespace as TaskResults right after the oc create
(before waiting for readiness) or split out the create into its own task that
publishes those results and have the finally deprovision consume those early
results instead (referencing provision-ephemeral-cluster,
testPlatformClusterClaimName, testPlatformClusterClaimNamespace and the finally
deprovision task).