new CI jobs for assisted-chat

- local dev presubmit job for assisted-chat
- periodic check for eval-test

Author: zszabo-rh

ci-operator/config/rh-ecosystem-edge/assisted-chat/rh-ecosystem-edge-assisted-chat-main.yaml

@@ -3,6 +3,10 @@ base_images:
     name: assisted-chat-img
     namespace: edge-infrastructure
     tag: assisted-service-mcp
+  nested-podman:
+    name: nested-podman
+    namespace: ci
+    tag: latest
 build_root:
   image_stream_tag:
     name: release
@@ -13,6 +17,17 @@ images:
   to: rh-ecosystem-edge-assisted-chat-install
 - dockerfile_path: test/prow/Dockerfile
   to: rh-ecosystem-edge-assisted-chat-test
+- dockerfile_literal: |
+    FROM nested-podman
+    USER root
+    RUN dnf install -y make git jq fzf python3.11 python3.11-pip && \
+        ln -sf /usr/bin/python3.11 /usr/local/bin/python && \
+        python3.11 -m pip install --no-cache-dir yq uv git+https://github.com/lightspeed-core/lightspeed-evaluation.git#subdirectory=lsc_agent_eval && \
+        dnf clean all
+    COPY . .
+    USER 1000
+  from: nested-podman
+  to: assisted-chat-nested
 promotion:
   to:
   - name: assisted-chat-img
@@ -48,6 +63,30 @@ tests:
       ASSISTED_CHAT_TEST: rh-ecosystem-edge-assisted-chat-test
       ASSISTED_MCP_IMG: assisted-service-mcp
     workflow: rh-ecosystem-edge-assisted-chat
+- always_run: true
+  as: eval-test-periodic
+  cluster_claim:
+    architecture: amd64
+    cloud: aws
+    owner: rh-ecosystem-edge
+    product: ocp
+    timeout: 1h0m0s
+    version: "4.17"
+  cron: 0 2 * * *
+  steps:
+    allow_best_effort_post_steps: true
+    dependencies:
+      ASSISTED_CHAT_IMG: rh-ecosystem-edge-assisted-chat-install
+      ASSISTED_CHAT_TEST: rh-ecosystem-edge-assisted-chat-test
+      ASSISTED_MCP_IMG: assisted-service-mcp
+    workflow: rh-ecosystem-edge-assisted-chat
+- as: local-development
+  capabilities:
+  - nested-podman
+  nested_podman: true
+  optional: true
+  steps:
+    workflow: rh-ecosystem-edge-assisted-chat-local-development
 zz_generated_metadata:
   branch: main
   org: rh-ecosystem-edge

ci-operator/jobs/rh-ecosystem-edge/assisted-chat/rh-ecosystem-edge-assisted-chat-main-periodics.yaml

@@ -0,0 +1,68 @@
+periodics:
+- agent: kubernetes
+  cluster: build05
+  cron: 0 2 * * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: main
+    org: rh-ecosystem-edge
+    repo: assisted-chat
+  labels:
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-rh-ecosystem-edge-assisted-chat-main-eval-test-periodic
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=eval-test-periodic
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/hive-hive-credentials
+        name: hive-hive-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: hive-hive-credentials
+      secret:
+        secretName: hive-hive-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/rh-ecosystem-edge/assisted-chat/rh-ecosystem-edge-assisted-chat-main-presubmits.yaml

@@ -125,3 +125,67 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build02
+    context: ci/prow/local-development
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      capability/nested-podman: nested-podman
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-rh-ecosystem-edge-assisted-chat-main-local-development
+    optional: true
+    rerun_command: /test local-development
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=local-development
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )local-development,?($|\s.*)

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/OWNERS

@@ -0,0 +1 @@
+# Fetched from https://github.com/rh-ecosystem-edge/assisted-chat root OWNERS 

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-commands.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+set -euo pipefail
+
+# Read credentials from mounted secrets (set both if present)
+GEM_KEY=""; if [ -d /var/run/secrets/gemini ]; then for f in /var/run/secrets/gemini/*; do if [ -f "$f" ]; then GEM_KEY="$(cat "$f")"; break; fi; done; fi
+VJSON=""; if [ -d /var/run/secrets/vertex ]; then VJSON="$(ls /var/run/secrets/vertex/service_account 2>/dev/null | head -n1)" || true; fi
+if [ -n "$GEM_KEY" ]; then export GEMINI_API_KEY="$GEM_KEY"; fi
+if [ -n "$VJSON" ]; then export GOOGLE_APPLICATION_CREDENTIALS="$VJSON"; fi
+
+# Ensure ocm is available
+export PATH="${HOME}/.local/bin:${PATH}"
+if ! command -v ocm >/dev/null 2>&1; then \
+  mkdir -p "${HOME}/.local/bin" && \
+  curl -sSL -o "${HOME}/.local/bin/ocm" "https://github.com/openshift-online/ocm-cli/releases/latest/download/ocm-linux-amd64" && \
+  chmod +x "${HOME}/.local/bin/ocm"; \
+fi
+
+# OCM auth: support either raw JWT token or client credentials
+OCM_TOKEN_VALUE="${OCM_TOKEN:-}" || true
+if [ -z "$OCM_TOKEN_VALUE" ] && [ -d /var/run/secrets/sso-ci ]; then \
+  FIRST_FILE=$(ls -1 /var/run/secrets/sso-ci/* 2>/dev/null | head -n1 || true); \
+  if [ -n "$FIRST_FILE" ] && [ -f "$FIRST_FILE" ]; then OCM_TOKEN_VALUE="$(cat "$FIRST_FILE" 2>/dev/null || true)"; fi; \
+fi
+# If token looks like a JWT (has two dots), login with --token; otherwise try client credentials
+if [ -n "$OCM_TOKEN_VALUE" ] && echo "$OCM_TOKEN_VALUE" | grep -qE '^[^\.]+\.[^\.]+\.[^\.]+$'; then \
+  ocm login --token "$OCM_TOKEN_VALUE" >/dev/null 2>&1 || true; \
+else \
+  CID_FILE=$(ls -1 /var/run/secrets/sso-ci/*id* 2>/dev/null | head -n1 || true); \
+  CSEC_FILE=$(ls -1 /var/run/secrets/sso-ci/*secret* 2>/dev/null | head -n1 || true); \
+  CLIENT_ID=""; CLIENT_SECRET=""; \
+  if [ -n "$CID_FILE" ] && [ -f "$CID_FILE" ]; then CLIENT_ID="$(cat "$CID_FILE" 2>/dev/null || true)"; fi; \
+  if [ -n "$CSEC_FILE" ] && [ -f "$CSEC_FILE" ]; then CLIENT_SECRET="$(cat "$CSEC_FILE" 2>/dev/null || true)"; fi; \
+  if [ -n "$CLIENT_ID" ] && [ -n "$CLIENT_SECRET" ]; then \
+    ocm login --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET" >/dev/null 2>&1 || true; \
+  fi; \
+fi
+# Obtain access token if possible
+if [ -z "${OCM_TOKEN:-}" ]; then \
+  export OCM_TOKEN="$(ocm token 2>/dev/null || true)"; \
+fi
+
+# Repo prep
+git submodule update --init --recursive
+# .env setup
+if [ ! -f .env ] && [ -f .env.template ]; then cp .env.template .env; fi
+if [ -n "${GEMINI_API_KEY:-}" ]; then \
+  if grep -q '^GEMINI_API_KEY=' .env 2>/dev/null; then sed -i "s/^GEMINI_API_KEY=.*/GEMINI_API_KEY=${GEMINI_API_KEY//\//\\/}/" .env; else echo "GEMINI_API_KEY=${GEMINI_API_KEY}" >> .env; fi; \
+fi
+# Do not write GOOGLE_APPLICATION_CREDENTIALS into .env; pod uses a fixed in-container path
+
+# Ensure config dir exists
+mkdir -p config
+
+# If Vertex creds path provided, copy it to the path expected by pod subPath mount
+if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && [ -f "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then \
+  cp -f "${GOOGLE_APPLICATION_CREDENTIALS}" config/vertex-credentials.json; \
+fi
+
+# Podman auth
+if [ -f /etc/pull-secret/.dockerconfigjson ]; then mkdir -p ${HOME}/.config/containers && cp /etc/pull-secret/.dockerconfigjson ${HOME}/.config/containers/auth.json; fi
+
+# Generate config
+make generate || echo "make generate failed or interactive; proceeding with shim"
+if [ -n "${GEMINI_API_KEY:-}" ] && [ -z "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then \
+  mkdir -p config && [ -s config/vertex-credentials.json ] || printf '{}' > config/vertex-credentials.json; \
+fi
+
+# Create a fake cert.pem file to satisfy the build
+touch /etc/pki/consumer/cert.pem
+
+# Run workflow
+make build-images
+make run &
+
+# Readiness wait with timeout (up to 90s)
+BASE_URL="http://localhost:8090"
+for i in $(seq 1 18); do \
+  if curl -sS --max-time 5 "${BASE_URL}/healthz" >/dev/null 2>&1; then echo "service ready"; break; fi; \
+  sleep 5; \
+  if [ "$i" -eq 18 ]; then echo "service failed to become ready in time"; fi; \
+done
+
+# Non-interactive sample query (guarded by token and readiness)
+if [ -n "${OCM_TOKEN:-}" ]; then \
+  MODELS_JSON=$(curl -sS --max-time 10 -H "Authorization: Bearer ${OCM_TOKEN}" "${BASE_URL}/v1/models" || true); \
+  SEL=$(echo "$MODELS_JSON" | jq -r '.models[] | select(.model_type=="llm") | "\(.provider_resource_id)|\(.provider_id)"' | head -n1 || true); \
+  MODEL_NAME=$(echo "$SEL" | cut -d'|' -f1); MODEL_PROVIDER=$(echo "$SEL" | cut -d'|' -f2); \
+  if [ -n "$MODEL_NAME" ] && [ -n "$MODEL_PROVIDER" ]; then \
+    curl -sS --max-time 15 -H "Authorization: Bearer ${OCM_TOKEN}" "${BASE_URL}/v1/query" --json '{"model":"'"$MODEL_NAME"'","provider":"'"$MODEL_PROVIDER"'","query":"hello"}' >/dev/null || true; \
+  fi; \
+fi
+
+# Proceed to evaluation
+make test-eval 
+
+# Stop the pod
+make stop

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-ref.metadata.json

@@ -0,0 +1,4 @@
+{
+	"path": "rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-ref.yaml",
+	"owners": {}
+}

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-ref.yaml

@@ -0,0 +1,22 @@
+ref:
+  as: rh-ecosystem-edge-assisted-chat-local-development
+  from: assisted-chat-nested
+  cli: latest
+  commands: rh-ecosystem-edge-assisted-chat-local-development-commands.sh
+  credentials:
+  - namespace: test-credentials
+    name: assisted-chat-gemini-api-key
+    mount_path: /var/run/secrets/gemini
+  - namespace: test-credentials
+    name: assisted-chat-vertex-service-account
+    mount_path: /var/run/secrets/vertex
+  - namespace: test-credentials
+    name: assisted-chat-sso-ci
+    mount_path: /var/run/secrets/sso-ci
+  resources:
+    requests:
+      cpu: 1000m
+      memory: 1Gi
+  grace_period: 30s
+  documentation: |
+    Runs assisted-chat local development validation with nested Podman. 

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-workflow.metadata.json

@@ -0,0 +1,4 @@
+{
+	"path": "rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-workflow.yaml",
+	"owners": {}
+}

ci-operator/step-registry/rh-ecosystem-edge/assisted-chat/local-development/rh-ecosystem-edge-assisted-chat-local-development-workflow.yaml

@@ -0,0 +1,7 @@
+workflow:
+  as: rh-ecosystem-edge-assisted-chat-local-development
+  steps:
+    test:
+    - ref: rh-ecosystem-edge-assisted-chat-local-development
+  documentation: |
+    Workflow to run assisted-chat local development validation in CI.