Add CNCF Kubernetes conformance step-registry components (openshift#73714)

This adds reusable step-registry components for running the official
CNCF Kubernetes conformance test suite using hydrophone, suitable for
generating k8s-conformance submissions for OpenShift Dedicated.

Components created:
- openshift-conformance-kubernetes-build: Compiles hydrophone binary
- openshift-conformance-kubernetes: Runs conformance tests
- osd-ccs-aws-k8s-conformance: Complete OSD AWS workflow

The implementation uses a two-step pattern where the build step
produces the hydrophone binary in SHARED_DIR, and the test step
retrieves and executes it against a provisioned cluster.

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Author: cblecker

ci-operator/step-registry/openshift/k8s-conformance/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - cblecker
+  - wgordon17
+reviewers:
+  - cblecker
+  - wgordon17

ci-operator/step-registry/openshift/k8s-conformance/build/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/openshift/k8s-conformance/build/openshift-k8s-conformance-build-commands.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+GOBIN="${SHARED_DIR}" go install sigs.k8s.io/hydrophone@latest

ci-operator/step-registry/openshift/k8s-conformance/build/openshift-k8s-conformance-build-ref.metadata.json

@@ -0,0 +1,13 @@
+{
+	"path": "openshift/k8s-conformance/build/openshift-k8s-conformance-build-ref.yaml",
+	"owners": {
+		"approvers": [
+			"cblecker",
+			"wgordon17"
+		],
+		"reviewers": [
+			"cblecker",
+			"wgordon17"
+		]
+	}
+}

ci-operator/step-registry/openshift/k8s-conformance/build/openshift-k8s-conformance-build-ref.yaml

@@ -0,0 +1,14 @@
+ref:
+  as: openshift-k8s-conformance-build
+  from_image:
+    namespace: openshift
+    name: release
+    tag: rhel-9-release-golang-1.24-openshift-4.20
+  commands: openshift-k8s-conformance-build-commands.sh
+  resources:
+    requests:
+      cpu: "1"
+      memory: 1Gi
+  documentation: |-
+    Builds the hydrophone binary (CNCF conformance test runner) and installs it
+    to SHARED_DIR for use by subsequent test steps.

ci-operator/step-registry/openshift/k8s-conformance/openshift-k8s-conformance-commands.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# Handle proxy for disconnected environments
+if test -f "${SHARED_DIR}/proxy-conf.sh"; then
+    # shellcheck disable=SC1091
+    source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+# Get Kubernetes version from cluster
+K8S_VERSION=$(oc version -ojson | jq -r '.serverVersion.gitVersion | sub("[\\+].*"; "")')
+echo "Detected Kubernetes version: ${K8S_VERSION}"
+
+# Count unschedulable nodes (masters, control-plane, infra)
+UNSCHEDULABLE_NODE_COUNT=$(oc get nodes -ojson | jq --raw-output '
+  [ .items[].metadata | select (
+    .labels."node-role.kubernetes.io/master" == "" or
+    .labels."node-role.kubernetes.io/control-plane" == "" or
+    .labels."node-role.kubernetes.io/infra" == ""
+  ) | .name ] | length')
+echo "Unschedulable node count: ${UNSCHEDULABLE_NODE_COUNT}"
+
+# Allow permissive SCCs for conformance tests
+oc adm policy add-scc-to-group privileged system:authenticated system:serviceaccounts
+oc adm policy add-scc-to-group anyuid system:authenticated system:serviceaccounts
+
+# Run conformance tests
+echo "Starting CNCF Kubernetes conformance tests..."
+"${SHARED_DIR}/hydrophone" \
+  --conformance \
+  --conformance-image "registry.k8s.io/conformance:${K8S_VERSION}" \
+  --extra-args="--allowed-not-ready-nodes=${UNSCHEDULABLE_NODE_COUNT}" \
+  --output-dir "${ARTIFACT_DIR}"

ci-operator/step-registry/openshift/k8s-conformance/openshift-k8s-conformance-ref.metadata.json

@@ -0,0 +1,13 @@
+{
+	"path": "openshift/k8s-conformance/openshift-k8s-conformance-ref.yaml",
+	"owners": {
+		"approvers": [
+			"cblecker",
+			"wgordon17"
+		],
+		"reviewers": [
+			"cblecker",
+			"wgordon17"
+		]
+	}
+}

ci-operator/step-registry/openshift/k8s-conformance/openshift-k8s-conformance-ref.yaml

@@ -0,0 +1,15 @@
+ref:
+  as: openshift-k8s-conformance
+  from: cli
+  cli: latest
+  commands: openshift-k8s-conformance-commands.sh
+  timeout: 14400s
+  grace_period: 10m
+  resources:
+    requests:
+      cpu: "1"
+      memory: 1Gi
+  documentation: |-
+    Runs the official CNCF Kubernetes conformance test suite using hydrophone.
+    Expects the hydrophone binary to be present in SHARED_DIR (from build step).
+    Generates results suitable for k8s-conformance repository submissions.

ci-operator/step-registry/osd-ccs/aws/k8s-conformance/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - cblecker
+  - wgordon17
+reviewers:
+  - cblecker
+  - wgordon17

ci-operator/step-registry/osd-ccs/aws/k8s-conformance/osd-ccs-aws-k8s-conformance-workflow.metadata.json

@@ -0,0 +1,13 @@
+{
+	"path": "osd-ccs/aws/k8s-conformance/osd-ccs-aws-k8s-conformance-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"cblecker",
+			"wgordon17"
+		],
+		"reviewers": [
+			"cblecker",
+			"wgordon17"
+		]
+	}
+}