From 673e37c713ca2ee5083443b3ac296911b9037c75 Mon Sep 17 00:00:00 2001 From: Jan Bouska Date: Fri, 9 Jan 2026 15:50:31 +0100 Subject: [PATCH] fix: clone from releaseBranch if possible, derivate release info from FBC otherwise --- .../base/project/base/ocp/v4.16/patch.yaml | 4 +- .../base/project/base/ocp/v4.17/patch.yaml | 4 +- .../base/project/base/ocp/v4.18/patch.yaml | 4 +- .../base/project/base/ocp/v4.19/patch.yaml | 4 +- .../base/project/base/ocp/v4.20/patch.yaml | 6 +- .../overlay/rhtas-operator/patch/e2e.yaml | 4 +- pipelines/integration-test/operator-dast.yaml | 37 +- .../integration-test/operator-upgrade.yaml | 47 +- .../policy-controller-operator-e2e.yaml | 2 - pipelines/integration-test/rhtas-fbc-e2e.yaml | 454 ++++++++++++++++++ .../integration-test/rhtas-operator-e2e.yaml | 399 ++------------- stepactions/integration-test/install-tas.yaml | 7 +- .../integration-test/derive-release-info.yaml | 95 ++++ .../install-operator-from-fbc-olm-v1.yaml | 3 + .../install-operator-from-fbc.yaml | 5 + tasks/integration-test/operator-e2e.yaml | 105 ++++ tasks/integration-test/parse-metadata.yaml | 42 +- tasks/integration-test/sigstore-e2e.yaml | 150 ++++++ 18 files changed, 938 insertions(+), 434 deletions(-) create mode 100644 pipelines/integration-test/rhtas-fbc-e2e.yaml create mode 100644 tasks/integration-test/derive-release-info.yaml create mode 100644 tasks/integration-test/operator-e2e.yaml create mode 100644 tasks/integration-test/sigstore-e2e.yaml diff --git a/konflux-configs/base/project/base/ocp/v4.16/patch.yaml b/konflux-configs/base/project/base/ocp/v4.16/patch.yaml index a296c919..fcf0ee02 100644 --- a/konflux-configs/base/project/base/ocp/v4.16/patch.yaml +++ b/konflux-configs/base/project/base/ocp/v4.16/patch.yaml @@ -47,7 +47,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun 
@@ -80,7 +80,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipeline diff --git a/konflux-configs/base/project/base/ocp/v4.17/patch.yaml b/konflux-configs/base/project/base/ocp/v4.17/patch.yaml index 97185153..df96ef48 100644 --- a/konflux-configs/base/project/base/ocp/v4.17/patch.yaml +++ b/konflux-configs/base/project/base/ocp/v4.17/patch.yaml @@ -47,7 +47,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun @@ -80,7 +80,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipeline diff --git a/konflux-configs/base/project/base/ocp/v4.18/patch.yaml b/konflux-configs/base/project/base/ocp/v4.18/patch.yaml index cc1b053c..fe5b906d 100644 --- a/konflux-configs/base/project/base/ocp/v4.18/patch.yaml +++ b/konflux-configs/base/project/base/ocp/v4.18/patch.yaml @@ -47,7 +47,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun @@ -80,7 +80,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipeline diff --git a/konflux-configs/base/project/base/ocp/v4.19/patch.yaml b/konflux-configs/base/project/base/ocp/v4.19/patch.yaml index 713b7c51..35e14db7 100644 --- a/konflux-configs/base/project/base/ocp/v4.19/patch.yaml +++ b/konflux-configs/base/project/base/ocp/v4.19/patch.yaml 
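Review bot: The entry changed at `@@ -80,7 +80,7 @@` keeps `resourceKind: pipeline` but now resolves `pipelines/integration-test/rhtas-fbc-e2e.yaml`, which this patch creates as `kind: PipelineRun`. If the consumer enforces the declared kind, the reference will not resolve as intended. Either set `resourceKind: pipelinerun` here, as the `@@ -47,7 +47,7 @@` entry already does, or point the entry at a file that defines a `Pipeline`. The same pairing appears in the second hunk of the v4.17, v4.18, v4.19 and v4.20 patch files. The enclosing entry starts outside the hunk, so its purpose is not visible here.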
@@ -47,7 +47,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun @@ -80,7 +80,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipeline diff --git a/konflux-configs/base/project/base/ocp/v4.20/patch.yaml b/konflux-configs/base/project/base/ocp/v4.20/patch.yaml index 77cda1e3..fc7d2ebf 100644 --- a/konflux-configs/base/project/base/ocp/v4.20/patch.yaml +++ b/konflux-configs/base/project/base/ocp/v4.20/patch.yaml @@ -47,7 +47,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun @@ -80,7 +80,7 @@ - name: revision value: main - name: pathInRepo - value: pipelines/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipeline @@ -138,6 +138,6 @@ - name: revision value: main - name: pathInRepo - value: pipelines/integration-test/rhtas-operator-e2e.yaml + value: pipelines/integration-test/rhtas-fbc-e2e.yaml resolver: git resourceKind: pipelinerun diff --git a/konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml b/konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml index 0723d5dc..80132032 100644 --- a/konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml +++ b/konflux-configs/base/project/overlay/rhtas-operator/patch/e2e.yaml @@ -13,7 +13,7 @@ - description: runs the integration test for a group Snapshot name: group params: - - name: branch + - name: releaseBranch value: "{{.branch}}" resolverRef: params: 
@@ -45,6 +45,8 @@ value: "true" - name: KEYCLOAK_DISTRIBUTION value: "rhbk" + - name: releaseBranch + value: "{{.branch}}" resolverRef: params: - name: url diff --git a/pipelines/integration-test/operator-dast.yaml b/pipelines/integration-test/operator-dast.yaml index e59c237b..057277ac 100644 --- a/pipelines/integration-test/operator-dast.yaml +++ b/pipelines/integration-test/operator-dast.yaml @@ -28,17 +28,36 @@ spec: resolver: git params: - name: url - value: https://github.com/securesign/pipelines.git + value: https://github.com/konflux-ci/tekton-integration-catalog - name: revision value: main - name: pathInRepo - value: tasks/integration-test/parse-metadata.yaml + value: tasks/test-metadata/0.3/test-metadata.yaml params: - name: SNAPSHOT value: $(params.SNAPSHOT) - - name: clone-operator-source-code + - name: release-info runAfter: - parse-metadata + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/derive-release-info.yaml + params: + - name: package-name + value: "rhtas-operator" + - name: fbc-image + value: "$(tasks.parse-metadata.results.container-image)" + - name: ocp-version + value: $(params.OCP_VERSION) + - name: clone-operator-source-code + runAfter: + - release-info taskRef: params: - name: name @@ -50,9 +69,9 @@ spec: resolver: bundles params: - name: url - value: $(tasks.parse-metadata.results.operator-url) + value: "https://github.com/securesign/secure-sign-operator.git" - name: revision - value: $(tasks.parse-metadata.results.operator-revision) + value: "$(tasks.release-info.results.release-branch)" - name: subdirectory value: "operator" workspaces: @@ -188,7 +207,7 @@ spec: timeout: "0h10m0s" runAfter: - provision-cluster - - parse-metadata + - release-info taskRef: resolver: git params: 
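Review bot: In `operator-dast.yaml` (`@@ -28,17 +28,36 @@`), `parse-metadata` is now fetched from `https://github.com/konflux-ci/tekton-integration-catalog` at `revision: main`, and the new `release-info` task is also resolved at `main`. The task definitions that run in this pipeline can therefore change without any commit in this repository. The git resolver accepts a commit SHA in `revision`; pinning at least the external catalog task, e.g. `value: <commit-sha-of-test-metadata-0.3>`, keeps the step that parses the snapshot and feeds `fbc-image` reproducible and reviewable. The same unpinned references are added in `operator-upgrade.yaml` (`@@ -30,19 +28,36 @@`) and throughout the new `rhtas-fbc-e2e.yaml`.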
@@ -204,7 +223,9 @@ spec: - name: clusterName value: "$(tasks.provision-cluster.results.clusterName)" - name: fbcImage - value: "$(tasks.parse-metadata.results.image)" + value: "$(tasks.parse-metadata.results.container-image)" + - name: installChannel + value: "$(tasks.release-info.results.channel)" - name: prepare-tests runAfter: - install-operator-from-fbc @@ -288,8 +309,6 @@ spec: value: $(workspaces.source-code.path)/operator - name: tas-namespace value: "$(params.TAS_DEPLOY_NAMESPACE)" - - name: OIDC_HOST - value: "$(steps.install-keycloak.results.oidc-hostname)" - name: OIDC_ISSUER_URL value: "$(steps.install-keycloak.results.oidc-issuer-url)" # FULCIO DAST testing diff --git a/pipelines/integration-test/operator-upgrade.yaml b/pipelines/integration-test/operator-upgrade.yaml index 54c597b4..1747af41 100644 --- a/pipelines/integration-test/operator-upgrade.yaml +++ b/pipelines/integration-test/operator-upgrade.yaml @@ -20,8 +20,6 @@ spec: default: "4.19" - name: TAS_DEPLOY_NAMESPACE default: "tas-e2e" - - name: branch - default: main workspaces: - name: work tasks: 
@@ -30,19 +28,36 @@ spec: resolver: git params: - name: url - value: https://github.com/securesign/pipelines.git + value: https://github.com/konflux-ci/tekton-integration-catalog - name: revision - value: $(params.branch) + value: main - name: pathInRepo - value: tasks/integration-test/parse-metadata.yaml + value: tasks/test-metadata/0.3/test-metadata.yaml params: - name: SNAPSHOT value: $(params.SNAPSHOT) - - name: branch - value: $(params.branch) - - name: clone-operator-source-code + - name: release-info runAfter: - parse-metadata + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/derive-release-info.yaml + params: + - name: package-name + value: "rhtas-operator" + - name: fbc-image + value: "$(tasks.parse-metadata.results.container-image)" + - name: ocp-version + value: $(params.OCP_VERSION) + - name: clone-operator-source-code + runAfter: + - release-info taskRef: params: - name: name @@ -54,9 +69,9 @@ spec: resolver: bundles params: - name: url - value: $(tasks.parse-metadata.results.operator-url) + value: "https://github.com/securesign/secure-sign-operator.git" - name: revision - value: $(tasks.parse-metadata.results.operator-revision) + value: "$(tasks.release-info.results.release-branch)" - name: subdirectory value: "operator" workspaces: @@ -243,7 +258,7 @@ spec: - name: url value: https://github.com/securesign/pipelines.git - name: revision - value: $(params.branch) + value: main - name: pathInRepo value: stepactions/integration-test/install-keycloak.yaml params: @@ -253,8 +268,6 @@ spec: value: "$(steps.get-kubeconfig.results.kubeconfig)" - name: workdir value: "$(workspaces.source-code.path)/operator" - - name: branch - value: $(params.branch) - name: run-operator-upgrade runAfter: - prepare-tests 
@@ -302,7 +315,9 @@ spec: - name: TEST_BASE_CATALOG value: "registry.redhat.io/redhat/redhat-operator-index:v$(params.OCP_VERSION)" - name: TEST_TARGET_CATALOG - value: "$(tasks.parse-metadata.results.image)" + value: "$(tasks.parse-metadata.results.container-image)" + - name: TEST_UPGRADE_CHANNEL + value: "$(tasks.release-info.results.channel)" volumeMounts: - name: credentials mountPath: /credentials @@ -332,11 +347,9 @@ spec: - name: url value: https://github.com/securesign/pipelines.git - name: revision - value: $(params.branch) + value: main - name: pathInRepo value: stepactions/integration-test/process-go-test-results.yaml params: - name: test_output_file value: $(workspaces.source-code.path)/dump/operator-upgrade/test-result.json - - name: branch - value: $(params.branch) diff --git a/pipelines/integration-test/policy-controller-operator-e2e.yaml b/pipelines/integration-test/policy-controller-operator-e2e.yaml index e9c0d8a5..22c088eb 100644 --- a/pipelines/integration-test/policy-controller-operator-e2e.yaml +++ b/pipelines/integration-test/policy-controller-operator-e2e.yaml @@ -293,8 +293,6 @@ spec: value: $(workspaces.source-code.path)/tas-operator - name: tas-namespace value: "$(params.TAS_DEPLOY_NAMESPACE)" - - name: OIDC_HOST - value: "$(steps.install-keycloak.results.oidc-hostname)" - name: OIDC_ISSUER_URL value: "$(steps.install-keycloak.results.oidc-issuer-url)" - name: install-operator-from-bundle diff --git a/pipelines/integration-test/rhtas-fbc-e2e.yaml b/pipelines/integration-test/rhtas-fbc-e2e.yaml new file mode 100644 index 00000000..65c7465a --- /dev/null +++ b/pipelines/integration-test/rhtas-fbc-e2e.yaml 
@@ -0,0 +1,454 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + generateName: operator-e2e- +spec: + workspaces: + - name: work + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + pipelineSpec: + params: + - name: SNAPSHOT + - name: OCP_VERSION + default: "4.19" + - name: OLMv1 + default: "false" + - name: FIPS_ENABLED + default: "false" + - name: KEYCLOAK_DISTRIBUTION + description: "Which Keycloak build to install rhsso or rhbk" + default: "rhsso" + workspaces: + - name: work + description: Shared workspace for pipeline tasks + tasks: + - name: parse-metadata + taskRef: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/tekton-integration-catalog + - name: revision + value: main + - name: pathInRepo + value: tasks/test-metadata/0.3/test-metadata.yaml + params: + - name: SNAPSHOT + value: $(params.SNAPSHOT) + - name: release-info + runAfter: + - parse-metadata + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/derive-release-info.yaml + params: + - name: package-name + value: "rhtas-operator" + - name: fbc-image + value: "$(tasks.parse-metadata.results.container-image)" + - name: ocp-version + value: $(params.OCP_VERSION) + - name: clone-operator-source-code + runAfter: + - release-info + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1 + - name: kind + value: task + resolver: bundles + params: + - name: url + value: "https://github.com/securesign/secure-sign-operator.git" + - name: revision + value: "$(tasks.release-info.results.release-branch)" + - name: subdirectory + value: "operator" + workspaces: + - name: output + workspace: work + - name: clone-e2e-test-source-code + runAfter: + - release-info + taskRef: + params: + - name: name + value: 
git-clone + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1 + - name: kind + value: task + resolver: bundles + params: + - name: url + value: https://github.com/securesign/sigstore-e2e + - name: revision + value: "$(tasks.release-info.results.release-branch)" + - name: subdirectory + value: "sigstore-e2e" + workspaces: + - name: output + workspace: work + - name: provision-eaas-space + taskRef: + resolver: bundles + params: + - name: name + value: eaas-provision-space + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-eaas-provision-space:0.1-4e4fa7355a6a51083954408e7e3b647e3bddb8d8 + - name: kind + value: task + params: + - name: ownerName + value: $(context.pipelineRun.name) + - name: ownerUid + value: $(context.pipelineRun.uid) + - name: provision-cluster + runAfter: + - provision-eaas-space + taskSpec: + results: + - name: clusterName + value: "$(steps.create-cluster.results.clusterName)" + steps: + - name: pick-version + ref: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/build-definitions.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/eaas-get-latest-openshift-version-by-prefix/0.1/eaas-get-latest-openshift-version-by-prefix.yaml + params: + - name: prefix + value: "$(params.OCP_VERSION)" + - name: create-cluster + ref: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/build-definitions.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/eaas-create-ephemeral-cluster-hypershift-aws/0.1/eaas-create-ephemeral-cluster-hypershift-aws.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: version + value: "$(steps.pick-version.results.version)" + - name: instanceType + value: m5.large + - name: timeout + value: 60m + - name: fips + value: "$(params.FIPS_ENABLED)" + - name: imageContentSources + value: | + - source: 
registry.redhat.io/rhtas/rhtas-operator-bundle + mirrors: + - quay.io/securesign/rhtas-operator-bundle + - quay.io/securesign/rhtas-operator-bundle-v1-0 + - quay.io/securesign/rhtas-operator-bundle-v1-1 + - quay.io/securesign/rhtas-operator-bundle-v1-2 + - quay.io/securesign/rhtas-operator-bundle-v1-3 + - source: registry.redhat.io/rhtas/rhtas-rhel9-operator + mirrors: + - quay.io/securesign/rhtas-operator + - quay.io/securesign/rhtas-operator-v1-0 + - quay.io/securesign/rhtas-operator-v1-1 + - quay.io/securesign/rhtas-operator-v1-2 + - quay.io/securesign/rhtas-operator-v1-3 + - source: registry.redhat.io/rhtas/trillian-logsigner-rhel9 + mirrors: + - quay.io/securesign/trillian-logsigner + - source: registry.redhat.io/rhtas/trillian-logserver-rhel9 + mirrors: + - quay.io/securesign/trillian-logserver + - source: registry.redhat.io/rhtas/trillian-database-rhel9 + mirrors: + - quay.io/securesign/trillian-database + - source: registry.redhat.io/rhtas/fulcio-rhel9 + mirrors: + - quay.io/securesign/fulcio-server + - source: registry.redhat.io/rhtas/trillian-redis-rhel9 + mirrors: + - quay.io/securesign/trillian-redis + - source: registry.redhat.io/rhtas/rekor-server-rhel9 + mirrors: + - quay.io/securesign/rekor-server + - source: registry.redhat.io/rhtas/rekor-search-ui-rhel9 + mirrors: + - quay.io/securesign/rekor-search-ui + - source: registry.redhat.io/rhtas/rekor-backfill-redis-rhel9 + mirrors: + - quay.io/securesign/rekor-backfill-redis + - source: registry.redhat.io/rhtas/rekor-monitor-rhel9 + mirrors: + - quay.io/securesign/rekor-monitor + - source: registry.redhat.io/rhtas/tuf-server-rhel9 + mirrors: + - quay.io/securesign/scaffold-tuf-server + - source: registry.redhat.io/rhtas/certificate-transparency-rhel9 + mirrors: + - quay.io/securesign/certificate-transparency-go + - source: registry.redhat.io/rhtas/client-server-cg-rhel9 + mirrors: + - quay.io/securesign/cli-client-server-cg + - source: registry.redhat.io/rhtas/client-server-re-rhel9 + mirrors: + - 
quay.io/securesign/client-server-re + - source: registry.redhat.io/rhtas/segment-reporting-rhel9 + mirrors: + - quay.io/securesign/segment-backup-job + - source: registry.redhat.io/rhtas/timestamp-authority-rhel9 + mirrors: + - quay.io/securesign/timestamp-authority + - source: registry.redhat.io/rhtas/createtree-rhel9 + mirrors: + - quay.io/securesign/trillian-createtree + - source: registry.redhat.io/rhtas/client-server-rhel9 + mirrors: + - quay.io/securesign/client-server + - source: registry.redhat.io/rhtas/tuffer-rhel9 + mirrors: + - quay.io/securesign/tuffer + - name: install-operator-from-fbc + timeout: "0h5m0s" + runAfter: + - provision-cluster + - release-info + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/install-operator-from-fbc.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: "$(tasks.provision-cluster.results.clusterName)" + - name: fbcImage + value: "$(tasks.parse-metadata.results.container-image)" + - name: installChannel + value: "$(tasks.release-info.results.channel)" + when: + - input: $(params.OLMv1) + operator: notin + values: ["true"] + - name: install-operator-from-fbc-olmv1 + timeout: "0h5m0s" + runAfter: + - provision-cluster + - parse-metadata + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/install-operator-from-fbc-olm-v1.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: "$(tasks.provision-cluster.results.clusterName)" + - name: fbcImage + value: "$(tasks.parse-metadata.results.container-image)" + - name: installChannel + value: "$(tasks.release-info.results.channel)" + when: + - input: 
"$(params.OLMv1)" + operator: in + values: ["true"] + - name: prepare-tests + runAfter: + # run after either one + - install-operator-from-fbc + - install-operator-from-fbc-olmv1 + - clone-operator-source-code + workspaces: + - name: source-code + workspace: work + taskSpec: + results: + - name: oidc-hostname + type: string + value: "$(steps.install-keycloak.results.oidc-hostname)" + - name: oidc-issuer-url + type: string + value: "$(steps.install-keycloak.results.oidc-issuer-url)" + volumes: + - name: credentials + emptyDir: { } + workspaces: + - name: source-code + steps: + - name: get-kubeconfig + ref: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/build-definitions.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: "$(tasks.provision-cluster.results.clusterName)" + - name: credentials + value: credentials + - name: install-keycloak + ref: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/integration-test/install-keycloak.yaml + params: + - name: credentials + value: credentials + - name: KUBECONFIG + value: "$(steps.get-kubeconfig.results.kubeconfig)" + - name: workdir + value: "$(workspaces.source-code.path)/operator" + - name: keycloak-distribution + value: "$(params.KEYCLOAK_DISTRIBUTION)" + - name: download-binaries + workspaces: + - name: work + workspace: work + taskSpec: + workspaces: + - name: work + steps: + - name: get-tuftool + image: registry.redhat.io/rhtas/tuftool-rhel9:1.3.0 + script: | + mkdir -p $(workspaces.work.path)/binaries + cp /usr/bin/tuftool $(workspaces.work.path)/binaries/ + - name: get-cosign + image: registry.redhat.io/rhtas/cosign-rhel9:1.3.0 + 
script: | + mkdir -p $(workspaces.work.path)/binaries + cp /usr/local/bin/cosign $(workspaces.work.path)/binaries/ + - name: run-operator-e2e + runAfter: + - prepare-tests + - download-binaries + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/operator-e2e.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: $(tasks.provision-cluster.results.clusterName) + - name: oidcHostname + value: $(tasks.prepare-tests.results.oidc-hostname) + - name: oidc-issuer-url + value: $(tasks.prepare-tests.results.oidc-issuer-url) + - name: fips-enabled + value: "$(params.FIPS_ENABLED)" + workspaces: + - name: source-code + workspace: work + - name: run-tas-e2e + runAfter: + - prepare-tests + - clone-e2e-test-source-code + workspaces: + - name: source-code + workspace: work + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/sigstore-e2e.yaml + computeResources: + limits: + memory: 8Gi + requests: + memory: 2Gi + cpu: '1' + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: $(tasks.provision-cluster.results.clusterName) + - name: oidcHostname + value: $(tasks.prepare-tests.results.oidc-hostname) + - name: oidc-issuer-url + value: $(tasks.prepare-tests.results.oidc-issuer-url) + finally: + - name: secure-push-test-dump + workspaces: + - name: dump + workspace: work + taskSpec: + workspaces: + - name: dump + volumes: + - name: push-creds + secret: + secretName: securesign-test-dump-oci + steps: + - name: oci-push + ref: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/tekton-integration-catalog.git + - name: revision + value: main + - 
name: pathInRepo + value: stepactions/secure-push-oci/0.1/secure-push-oci.yaml + params: + - name: oci-ref + value: "quay.io/securesign/test-dump-oci:$(context.pipelineRun.name)" + - name: credentials-volume-name + value: push-creds + - name: oci-tag-expiration + value: 1d + - name: workdir-path + value: $(workspaces.dump.path)/dump diff --git a/pipelines/integration-test/rhtas-operator-e2e.yaml b/pipelines/integration-test/rhtas-operator-e2e.yaml index 9e146cc7..a40f10b2 100644 --- a/pipelines/integration-test/rhtas-operator-e2e.yaml +++ b/pipelines/integration-test/rhtas-operator-e2e.yaml @@ -17,12 +17,8 @@ spec: - name: SNAPSHOT - name: OCP_VERSION default: "4.19" - - name: TAS_DEPLOY_NAMESPACE - default: tas-e2e - - name: branch + - name: releaseBranch default: "main" - - name: OLMv1 - default: "false" - name: FIPS_ENABLED default: "false" - name: KEYCLOAK_DISTRIBUTION @@ -59,9 +55,9 @@ spec: resolver: bundles params: - name: url - value: $(tasks.parse-metadata.results.operator-url) + value: $(tasks.parse-metadata.results.git-url) - name: revision - value: $(tasks.parse-metadata.results.operator-revision) + value: $(tasks.parse-metadata.results.git-revision) - name: subdirectory value: "operator" workspaces: @@ -83,7 +79,7 @@ spec: - name: url value: https://github.com/securesign/sigstore-e2e - name: revision - value: $(tasks.parse-metadata.results.tas-e2e-version) + value: "$(params.releaseBranch)" - name: subdirectory value: "sigstore-e2e" workspaces: 
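Review bot: In the new `rhtas-fbc-e2e.yaml`, the `download-binaries` steps pull `registry.redhat.io/rhtas/tuftool-rhel9:1.3.0` and `registry.redhat.io/rhtas/cosign-rhel9:1.3.0` by tag only, and both `git-clone` references use `task-git-clone:0.1`, whereas `eaas-provision-space` in the same file carries a commit-suffixed tag. The copied `tuftool` and `cosign` binaries land in the shared `work` workspace that `run-operator-e2e` and `run-tas-e2e` also mount, so a digest pin such as `image: registry.redhat.io/rhtas/cosign-rhel9:1.3.0@sha256:<digest>` would make the tooling used by the tests reproducible. Separately, `install-operator-from-fbc-olmv1` lists `parse-metadata` in `runAfter` while consuming `$(tasks.release-info.results.channel)`; listing `- release-info`, as `install-operator-from-fbc` does, would keep the two tasks consistent.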
@@ -235,122 +231,15 @@ spec: - name: clusterName value: "$(tasks.provision-cluster.results.clusterName)" - name: bundleImage - value: "$(tasks.parse-metadata.results.image)" - # use CEL regexp once it moves from alpha (see https://tekton.dev/docs/pipelines/pipelines/#use-cel-expression-in-whenexpression) - when: - - input: "$(tasks.parse-metadata.results.component)" - operator: in - values: [ "rhtas-operator-bundle", "rhtas-operator-bundle-v1-1", "rhtas-operator-bundle-v1-2", "rhtas-operator-bundle-v1-3" ] - - name: install-operator-from-image - runAfter: - - provision-cluster - - parse-metadata - - clone-operator-source-code - taskRef: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: tasks/integration-test/install-operator-from-image.yaml - params: - - name: eaasSpaceSecretRef - value: $(tasks.provision-eaas-space.results.secretRef) - - name: clusterName - value: "$(tasks.provision-cluster.results.clusterName)" - - name: operatorImage - value: "$(tasks.parse-metadata.results.image)" - - name: resourcesPath - value: "$(workspaces.source-code.path)/operator/config/env/openshift" - workspaces: - - name: source-code - workspace: work - # use CEL regexp once it moves from alpha (see https://tekton.dev/docs/pipelines/pipelines/#use-cel-expression-in-whenexpression) - when: - - input: "$(tasks.parse-metadata.results.component)" - operator: in - values: [ "rhtas-operator", "rhtas-operator-v1-1", "rhtas-operator-v1-2", "rhtas-operator-v1-3" ] - - name: install-operator-from-fbc - timeout: "0h5m0s" - runAfter: - - provision-cluster - - parse-metadata - taskRef: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: tasks/integration-test/install-operator-from-fbc.yaml - params: - - name: eaasSpaceSecretRef - value: $(tasks.provision-eaas-space.results.secretRef) - - 
name: clusterName - value: "$(tasks.provision-cluster.results.clusterName)" - - name: fbcImage - value: "$(tasks.parse-metadata.results.image)" - # replace with cel regexp once enabled https://issues.redhat.com/browse/KFLUXSPRT-1833 - when: - - input: $(params.OLMv1) - operator: notin - values: ["true"] - - input: "$(tasks.parse-metadata.results.component)" - operator: in - values: [ - "fbc-v4-20", "fbc-v4-19", "fbc-v4-18", "fbc-v4-17", "fbc-v4-16", "fbc-v4-15", - "fbc-v4-19-v1-2", "fbc-v4-18-v1-2", "fbc-v4-17-v1-2", "fbc-v4-16-v1-2", "fbc-v4-15-v1-2", - "fbc-v4-18-v1-1", "fbc-v4-17-v1-1", "fbc-v4-16-v1-1", "fbc-v4-15-v1-1"] - - name: install-operator-from-fbc-olmv1 - timeout: "0h5m0s" - runAfter: - - provision-cluster - - parse-metadata - taskRef: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: tasks/integration-test/install-operator-from-fbc.yaml - params: - - name: eaasSpaceSecretRef - value: $(tasks.provision-eaas-space.results.secretRef) - - name: clusterName - value: "$(tasks.provision-cluster.results.clusterName)" - - name: fbcImage - value: "$(tasks.parse-metadata.results.image)" - # replace with cel regexp once enabled https://issues.redhat.com/browse/KFLUXSPRT-1833 - when: - - input: "$(params.OLMv1)" - operator: in - values: ["true"] - - input: "$(tasks.parse-metadata.results.component)" - operator: in - values: ["fbc-v4-20"] + value: "$(tasks.parse-metadata.results.container-image)" - name: prepare-tests runAfter: - # run after either one - - install-operator-from-image - install-operator-from-bundle - - install-operator-from-fbc - - install-operator-from-fbc-olmv1 - clone-operator-source-code workspaces: - name: source-code workspace: work - params: - - name: branch - value: $(params.branch) taskSpec: - params: - - name: branch - description: Branch name for git operations results: - name: oidc-hostname type: string 
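Review bot: `install-operator-from-bundle` loses its `when` guard on `$(tasks.parse-metadata.results.component)` in this hunk, so it now runs for every snapshot and passes `$(tasks.parse-metadata.results.container-image)` as `bundleImage` whatever the component is. With `install-operator-from-image` removed as well, a snapshot built from the operator image rather than the bundle would, as far as this hunk shows, be installed as if it were a bundle. If the pipeline is now meant for bundle components only, say so with a comment above the task such as `# bundle snapshots only; FBC components use rhtas-fbc-e2e.yaml`, or keep a `when` on the component name. The task definition starts outside the hunk.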
@@ -358,18 +247,6 @@ spec: - name: oidc-issuer-url type: string value: "$(steps.install-keycloak.results.oidc-issuer-url)" - - name: fulcio-url - type: string - value: "$(steps.install-tas.results.fulcio-url)" - - name: tsa-url - type: string - value: "$(steps.install-tas.results.tsa-url)" - - name: tuf-url - type: string - value: "$(steps.install-tas.results.tuf-url)" - - name: rekor-url - type: string - value: "$(steps.install-tas.results.rekor-url)" volumes: - name: credentials emptyDir: { } 
@@ -434,90 +311,29 @@ spec: runAfter: - prepare-tests - download-binaries + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/operator-e2e.yaml + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: $(tasks.provision-cluster.results.clusterName) + - name: oidcHostname + value: $(tasks.prepare-tests.results.oidc-hostname) + - name: oidc-issuer-url + value: $(tasks.prepare-tests.results.oidc-issuer-url) + - name: fips-enabled + value: "$(params.FIPS_ENABLED)" workspaces: - name: source-code workspace: work - taskSpec: - results: - - name: TEST_OUTPUT - description: "Full JSON summary of test results" - volumes: - - name: credentials - emptyDir: { } - workspaces: - - name: source-code - steps: - - name: get-kubeconfig - ref: - resolver: git - params: - - name: url - value: https://github.com/konflux-ci/build-definitions.git - - name: revision - value: main - - name: pathInRepo - value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml - params: - - name: eaasSpaceSecretRef - value: $(tasks.provision-eaas-space.results.secretRef) - - name: clusterName - value: "$(tasks.provision-cluster.results.clusterName)" - - name: credentials - value: credentials - - name: execute-operator-e2e - onError: continue - image: registry.redhat.io/ubi9/go-toolset:1.24@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193 - env: - - name: OIDC_HOST - value: "$(tasks.prepare-tests.results.oidc-hostname)" - - name: OIDC_ISSUER_URL - value: "$(tasks.prepare-tests.results.oidc-issuer-url)" - - name: KUBECONFIG - value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)" - - name: CI - value: "true" - - name: FIPS_ENABLED - value: "$(params.FIPS_ENABLED)" - volumeMounts: - - name: credentials - mountPath: 
/credentials - workingDir: $(workspaces.source-code.path)/operator - script: | - #!/bin/sh - set +e -o pipefail - - mkdir -p $(workspaces.source-code.path)/dump/operator-e2e/ - - export PATH="$PATH:$(workspaces.source-code.path)/binaries" - openssl s_client -connect $OIDC_HOST:443 > /tmp/ssl.cert - export SSL_CERT_FILE=/tmp/ssl.cert - go mod vendor - make generate - - TAGS="integration" - if [[ "$FIPS_ENABLED" == "true" ]]; then - TAGS="fips,integration" - fi - - go test -p 1 ./test/e2e/... -tags="$TAGS" -timeout 60m -json > $(workspaces.source-code.path)/dump/operator-e2e/test-result.json - - cp test/**/k8s-dump-*.tar.gz $(workspaces.source-code.path)/dump/operator-e2e/ || echo "no test dump files found" - - securityContext: - runAsUser: 0 - - name: process-test-results - ref: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: stepactions/integration-test/process-go-test-results.yaml - params: - - name: test_output_file - value: $(workspaces.source-code.path)/dump/operator-e2e/test-result.json - name: run-tas-e2e runAfter: - prepare-tests 
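Review bot: The new `taskRef` for the operator e2e task resolves `tasks/integration-test/operator-e2e.yaml` at `revision: main`, so the step that receives the ephemeral cluster's kubeconfig runs whatever that branch holds at resolve time. Pinning the resolver to a commit, `value: <COMMIT_SHA>`, would make runs reproducible and reviewable; the same applies to the `sigstore-e2e.yaml` reference in the run-tas-e2e hunk that follows. The extraction is also not behaviour-preserving: the inline step removed here ran `go test` with `-timeout 60m`, while the extracted task shown later in this patch uses `-timeout 30m`, which deserves a line in the commit message if it is intended. The pipeline's task list continues outside this hunk.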
@@ -525,147 +341,30 @@ spec: workspaces: - name: source-code workspace: work - taskSpec: - results: - - name: TEST_OUTPUT - description: "Full JSON summary of test results" - volumes: - - name: credentials - emptyDir: { } - workspaces: - - name: source-code - steps: - - name: get-kubeconfig - ref: - resolver: git - params: - - name: url - value: https://github.com/konflux-ci/build-definitions.git - - name: revision - value: main - - name: pathInRepo - value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml - params: - - name: eaasSpaceSecretRef - value: $(tasks.provision-eaas-space.results.secretRef) - - name: clusterName - value: "$(tasks.provision-cluster.results.clusterName)" - - name: credentials - value: credentials - - name: install-tas - ref: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: stepactions/integration-test/install-tas.yaml - params: - - name: credentials - value: credentials - - name: KUBECONFIG - value: "$(steps.get-kubeconfig.results.kubeconfig)" - - name: workdir - value: $(workspaces.source-code.path)/operator - - name: tas-namespace - value: "$(params.TAS_DEPLOY_NAMESPACE)" - - name: OIDC_HOST - value: "$(tasks.prepare-tests.results.oidc-hostname)" - - name: OIDC_ISSUER_URL - value: "$(tasks.prepare-tests.results.oidc-issuer-url)" - - name: push-test-image - image: quay.io/konflux-ci/buildah-task:latest@sha256:5c5eb4117983b324f932f144aa2c2df7ed508174928a423d8551c4e11f30fbd9 - results: - - name: image - type: string - securityContext: - capabilities: - add: - - SETFCAP - computeResources: - limits: - memory: 8Gi - requests: - memory: 2Gi - cpu: '1' - script: | - #!/bin/sh - IMAGE=ttl.sh/test-$(date +%Y%m%d%H%M%S%N):latest - printf "%s" "$IMAGE" > "$(step.results.image.path)" - buildah pull alpine:latest - buildah tag alpine:latest $IMAGE - buildah push $IMAGE - - name: prepare-tas-e2e - 
image: registry.redhat.io/openshift4/ose-cli - volumeMounts: - - name: credentials - mountPath: /credentials - env: - - name: KUBECONFIG - value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)" - - name: TASNAMESPACE - value: "$(params.TAS_DEPLOY_NAMESPACE)" - - name: OIDC_ISSUER_URL - value: "$(tasks.prepare-tests.results.oidc-issuer-url)" - workingDir: $(workspaces.source-code.path)/sigstore-e2e - script: | - oc project $TASNAMESPACE - ./tas-env-variables.sh > .env - - name: execute-tas-e2e - image: registry.redhat.io/ubi9/go-toolset:1.24@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193 - computeResources: - limits: - memory: 4Gi - requests: - memory: 512Mi - volumeMounts: - - name: credentials - mountPath: /credentials - onError: continue - env: - - name: OIDC_HOST - value: "$(tasks.prepare-tests.results.oidc-hostname)" - - name: KUBECONFIG - value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)" - - name: CLI_STRATEGY - value: "openshift" - - name: TARGET_IMAGE_NAME - value: "$(steps.push-test-image.results.image)" - - name: MANUAL_IMAGE_SETUP - value: "true" - workingDir: $(workspaces.source-code.path)/sigstore-e2e - script: | - #!/bin/bash - set -x - echo "Add certificate to ca-bundle.crt" - openssl s_client -connect "$OIDC_HOST:443" -showcerts /tmp/ssl.cert - sed -ni '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' /tmp/ssl.cert - cat /tmp/ssl.cert >> /etc/pki/tls/certs/ca-bundle.crt - - echo "Run tests" - mkdir -p $(workspaces.source-code.path)/dump/sigstore-e2e - set -o allexport && source ./.env && set +o allexport - go mod vendor - # exclude UI and benchmark tests - go test -v $(go list ./test/... 
| grep -v rekorsearchui | grep -v benchmark) --ginkgo.v -json \ - > $(workspaces.source-code.path)/dump/sigstore-e2e/test-result.json - securityContext: - runAsUser: 0 - - name: process-test-results - ref: - resolver: git - params: - - name: url - value: https://github.com/securesign/pipelines.git - - name: revision - value: main - - name: pathInRepo - value: stepactions/integration-test/process-go-test-results.yaml - params: - - name: test_output_file - value: $(workspaces.source-code.path)/dump/sigstore-e2e/test-result.json + taskRef: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: tasks/integration-test/sigstore-e2e.yaml + computeResources: + limits: + memory: 8Gi + requests: + memory: 2Gi + cpu: '1' + params: + - name: eaasSpaceSecretRef + value: $(tasks.provision-eaas-space.results.secretRef) + - name: clusterName + value: $(tasks.provision-cluster.results.clusterName) + - name: oidcHostname + value: $(tasks.prepare-tests.results.oidc-hostname) + - name: oidc-issuer-url + value: $(tasks.prepare-tests.results.oidc-issuer-url) finally: - name: secure-push-test-dump workspaces: diff --git a/stepactions/integration-test/install-tas.yaml b/stepactions/integration-test/install-tas.yaml index 946b436b..96c0ea02 100644 --- a/stepactions/integration-test/install-tas.yaml +++ b/stepactions/integration-test/install-tas.yaml @@ -20,9 +20,6 @@ spec: - name: tas-namespace description: Namespace in which the TAS is created. type: string - - name: OIDC_HOST - description: OIDC hostname (keycloak) - type: string - name: OIDC_ISSUER_URL description: Trusted artifact signer issuer url type: string 
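Review bot: The run-tas-e2e pipeline task no longer forwards `TAS_DEPLOY_NAMESPACE`. The removed inline steps read `$(params.TAS_DEPLOY_NAMESPACE)` from the pipeline, whereas the new `params` list passes only `eaasSpaceSecretRef`, `clusterName`, `oidcHostname` and `oidc-issuer-url`, so `sigstore-e2e.yaml` always falls back to its default `trusted-artifact-signer`. If the pipeline still declares that parameter, add `- name: TAS_DEPLOY_NAMESPACE` with `value: $(params.TAS_DEPLOY_NAMESPACE)`. The `computeResources` block added next to `taskRef` also looks misplaced: as far as I know a Pipeline task has no such field, and the limits it replaces sat on the `push-test-image` step, which carries none in the new task file, so they probably belong on the steps in `sigstore-e2e.yaml`.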
@@ -42,15 +39,13 @@ spec: value: "$(params.workdir)" - name: TASNAMESPACE value: "$(params.tas-namespace)" - - name: OIDC_HOST - value: "$(params.OIDC_HOST)" - name: OIDC_ISSUER_URL value: "$(params.OIDC_ISSUER_URL)" script: | cd $WORKDIR sed -i "s#https://your-oidc-issuer-url#$OIDC_ISSUER_URL#" config/samples/rhtas_v1alpha1_securesign.yaml sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml - oc create ns $TASNAMESPACE + oc create ns $TASNAMESPACE || true oc create -f config/samples/rhtas_v1alpha1_securesign.yaml -n $TASNAMESPACE sleep 1 oc wait --for=condition=Ready securesign/securesign-sample --timeout=9m -n $TASNAMESPACE diff --git a/tasks/integration-test/derive-release-info.yaml b/tasks/integration-test/derive-release-info.yaml new file mode 100644 index 00000000..55479b3f --- /dev/null +++ b/tasks/integration-test/derive-release-info.yaml 
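Review bot: In `install-tas.yaml`, `oc create ns $TASNAMESPACE || true` hides every failure of the namespace creation, not only "already exists". An expired kubeconfig or a forbidden response is swallowed and only surfaces at the following `oc create -f`, with a less direct error. Checking for existence first keeps the step idempotent without masking real errors: `oc get ns "$TASNAMESPACE" >/dev/null 2>&1 || oc create ns "$TASNAMESPACE"`. The script body continues outside this hunk.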
@@ -0,0 +1,95 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: derive-release-info +spec: + description: | + The task derive the release info (patch/new version) creating diff on the graph.yaml file. + results: + - name: channel + - name: release-branch + params: + - name: package-name + - name: fbc-image + - name: ocp-version + - name: ocp-catalog-image + default: registry.redhat.io/redhat/redhat-operator-index + steps: + - name: test-metadata + image: quay.io/redhat-appstudio/konflux-test:v1.4.31 + env: + - name: PKG_NAME + value: $(params.package-name) + script: | + #!/bin/bash + set -eo pipefail + + opm render $(params.ocp-catalog-image):v$(params.ocp-version) -o yaml > raw-catalog.yaml + yq -r --arg pkg "$PKG_NAME" '. | select(.package == $pkg and .schema == "olm.channel") | .name + ": " + ([.entries[].name] | sort | .[-1])' raw-catalog.yaml | sort > released.yaml + + opm render $(params.fbc-image) -o yaml > raw-catalog.yaml + yq -r --arg pkg "$PKG_NAME" '. | select(.package == $pkg and .schema == "olm.channel") | .name + ": " + ([.entries[].name] | sort | .[-1])' raw-catalog.yaml | sort > candidate.yaml + + echo -e "Candidate graph:" + cat candidate.yaml + + echo -e "\nReleased graph:" + cat released.yaml + + #sdiff return 1 if files differs + DIFF=$(sdiff -s released.yaml candidate.yaml || true) + DIFF=$(echo "$DIFF" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//') + + + echo -e "\nGraph diff:\n$DIFF\n\n" + + if [ -z "$DIFF" ]; then + echo "No graph changes detected." + exit 0 + fi + + CHANNEL="stable" + BRANCH="main" + + # Categorize using sdiff symbols + UPDATES=$(echo "$DIFF" | grep "|" || true) + ADDITIONS=$(echo "$DIFF" | grep ">" || true) + REMOVALS=$(echo "$DIFF" | grep "<" || true) + + # 2. Define logic via Priority + if echo "$UPDATES" | grep -q "^stable:"; then + echo "Identified: Stable channel upgrade." 
+ + [[ -n "$ADDITIONS" ]] && echo -e "\tNOTE: New channels detected: $(echo "$ADDITIONS" | xargs)" + [[ -n "$REMOVALS" ]] && echo -e "\tNOTE: Channels removed: $(echo "$REMOVALS" | xargs)" + + elif echo "$UPDATES" | grep -q "^stable-v"; then + echo "Identified: Patch release detected." + + # Strict check: patches shouldn't usually come with additions/removals + if [[ -n "$ADDITIONS" || -n "$REMOVALS" ]]; then + echo "Error: Unexpected additions or removals during a PATCH release." + exit 1 + fi + + # Extract channel from the left side + CHANNEL=$(echo "$UPDATES" | cut -d':' -f1 | xargs) + BRANCH="release-${CHANNEL#stable-v}" + + elif [[ $(echo "$ADDITIONS" | wc -l) -eq 1 ]] && [[ -z "$UPDATES" ]]; then + echo "Identified: Single new channel addition. Do not forget to update the `stable` channel" + exit 1 + else + echo "Error: Ambiguous changes detected (Multiple updates or unexpected removals)." + exit 1 + fi + + echo "Final Selection: Channel=$CHANNEL, Branch=$BRANCH" + echo -n "$CHANNEL" > "$(results.channel.path)" + echo -n "$BRANCH" > "$(results.release-branch.path)" + resources: + requests: + memory: "1Gi" + cpu: "500m" + limits: + memory: "2Gi" # OPM load the whole index into memory; Red Hat Index is huge; it needs a space diff --git a/tasks/integration-test/install-operator-from-fbc-olm-v1.yaml b/tasks/integration-test/install-operator-from-fbc-olm-v1.yaml index 807be89b..528bc690 100644 --- a/tasks/integration-test/install-operator-from-fbc-olm-v1.yaml +++ b/tasks/integration-test/install-operator-from-fbc-olm-v1.yaml @@ -53,6 +53,9 @@ spec: - name: credentials mountPath: /credentials script: | + #!/bin/bash + set -ex + if ! oc get namespace "$(params.namespace)" > /dev/null 2>&1; then oc new-project "$(params.namespace)" echo "Project $(params.namespace) created." diff --git a/tasks/integration-test/install-operator-from-fbc.yaml b/tasks/integration-test/install-operator-from-fbc.yaml index a5092647..ec6c255d 100644 
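Review bot: In `derive-release-info.yaml` the script interpolates `$(params.ocp-catalog-image)`, `$(params.ocp-version)` and `$(params.fbc-image)` directly into the shell text, so Tekton pastes the values in before bash parses the script. The FBC image reference presumably originates from the Snapshot under test, and any shell metacharacter in it would be executed in this step. `PKG_NAME` is already passed through `env`; the other three should go the same way and be used as quoted variables, as sketched below. Two smaller points: the step image `quay.io/redhat-appstudio/konflux-test:v1.4.31` is tag-only and would be safer pinned by digest, and the back-quoted word stable inside the double-quoted "Single new channel addition" message is run as a command substitution, so it should use single quotes.

```yaml
      env:
        - name: PKG_NAME
          value: $(params.package-name)
        - name: FBC_IMAGE
          value: $(params.fbc-image)
        - name: OCP_VERSION
          value: $(params.ocp-version)
        - name: OCP_CATALOG_IMAGE
          value: $(params.ocp-catalog-image)
      script: |
        # … unchanged: shebang, set -eo pipefail …
        opm render "${OCP_CATALOG_IMAGE}:v${OCP_VERSION}" -o yaml > raw-catalog.yaml
        # … unchanged: yq extraction into released.yaml …
        opm render "${FBC_IMAGE}" -o yaml > raw-catalog.yaml
        # … unchanged: candidate extraction, sdiff and release classification …
```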
--- a/tasks/integration-test/install-operator-from-fbc.yaml +++ b/tasks/integration-test/install-operator-from-fbc.yaml @@ -57,6 +57,11 @@ spec: - name: credentials mountPath: /credentials script: | + #!/bin/bash + set -ex + + oc new-project "$(params.namespace)" || true + oc create -f - < /tmp/ssl.cert + export SSL_CERT_FILE=/tmp/ssl.cert + + go mod vendor + make generate + + TAGS="integration" + if [[ "$FIPS_ENABLED" == "true" ]]; then + TAGS="fips,integration" + fi + + + go test -p 1 ./test/e2e/... -tags="$TAGS" -timeout 30m -json > $(workspaces.source-code.path)/dump/operator-e2e/test-result.json + + cp test/**/k8s-dump-*.tar.gz $(workspaces.source-code.path)/dump/operator-e2e/ || echo "no test dump files found" + securityContext: + runAsUser: 0 + - name: process-test-results + ref: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/integration-test/process-go-test-results.yaml + params: + - name: test_output_file + value: $(workspaces.source-code.path)/dump/operator-e2e/test-result.json diff --git a/tasks/integration-test/parse-metadata.yaml b/tasks/integration-test/parse-metadata.yaml index bd848313..99a9be0a 100644 --- a/tasks/integration-test/parse-metadata.yaml +++ b/tasks/integration-test/parse-metadata.yaml 
@@ -8,26 +8,17 @@ spec: description: "Stores information about the event type that indicates if a job is running for a Pull Request or Push event" - name: application-name description: "Stores information about the Konflux application that the Snapshot was created for." - - name: component + - name: component-name description: "Stores information about the Konflux component that was built." - - name: image + - name: container-image description: "Stores information about the component's container that was built in case of the component-type Snapshot." - name: git-url description: "Stores information about the component's source url." - name: git-revision description: "Stores information about the component's source revision." - - name: operator-url - description: "Stores information about the rhtas-operator source url." - - name: operator-revision - description: "Stores information about the rhtas-operator's source revision." - - name: tas-e2e-version - description: "Stores the E2E test branch version derived from application name." params: - name: SNAPSHOT description: The JSON string of the Snapshot under test - - name: TAS_E2E_VERSION - description: The E2E test branch version to use (derived automatically if not provided) - default: "main" steps: - name: test-metadata image: quay.io/redhat-appstudio/konflux-test:stable 
@@ -70,25 +61,6 @@ spec: GIT_REVISION=$(jq -r --arg component_name "${COMPONENT_NAME}" '.components[] | select(.name | startswith($component_name)) | .source.git.revision' <<< "${SNAPSHOT}") fi - - if [[ "$COMPONENT_NAME" =~ ^rhtas-operator.* ]]; then - OPERATOR_URL=$GIT_URL - OPERATOR_REVISION=$GIT_REVISION - else - #use default values - OPERATOR_URL="https://github.com/securesign/secure-sign-operator.git" - OPERATOR_REVISION="main" - fi - - # Derive TAS E2E version from application name - if [[ "$APPLICATION_NAME" =~ operator-v([0-9]+)-([0-9]+) ]]; then - MAJOR_VERSION="${BASH_REMATCH[1]}" - MINOR_VERSION="${BASH_REMATCH[2]}" - TAS_E2E_VERSION="release-${MAJOR_VERSION}.${MINOR_VERSION}" - else - TAS_E2E_VERSION="main" - fi - # Log declared environment variables echo "Snapshot metadata:" echo " SNAPSHOT: ${SNAPSHOT}" @@ -98,17 +70,11 @@ spec: echo " IMAGE: ${IMAGE}" echo " GIT_URL: ${GIT_URL}" echo " GIT_REVISION: ${GIT_REVISION}" - echo " OPERATOR_URL: ${OPERATOR_URL}" - echo " OPERATOR_REVISION: ${OPERATOR_REVISION}" - echo " TAS_E2E_VERSION: ${TAS_E2E_VERSION}" # Write each environment variable to its respective results: echo -n "${EVENT_TYPE}" > $(results.test-event-type.path) echo -n "${APPLICATION_NAME}" > $(results.application-name.path) - echo -n "${COMPONENT_NAME}" > $(results.component.path) - echo -n "${IMAGE}" > $(results.image.path) + echo -n "${COMPONENT_NAME}" > $(results.component-name.path) + echo -n "${IMAGE}" > $(results.container-image.path) echo -n "${GIT_URL}" > $(results.git-url.path) echo -n "${GIT_REVISION}" > $(results.git-revision.path) - echo -n "${OPERATOR_URL}" > $(results.operator-url.path) - echo -n "${OPERATOR_REVISION}" > $(results.operator-revision.path) - echo -n "${TAS_E2E_VERSION}" > $(results.tas-e2e-version.path) diff --git a/tasks/integration-test/sigstore-e2e.yaml b/tasks/integration-test/sigstore-e2e.yaml new file mode 100644 index 00000000..50c98171 --- /dev/null +++ b/tasks/integration-test/sigstore-e2e.yaml 
@@ -0,0 +1,150 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: run-tas-e2e +spec: + description: "Deploys TAS, pushes a test image, and executes Sigstore E2E tests." + params: + - name: eaasSpaceSecretRef + type: string + description: "Secret reference for EaaS space" + - name: clusterName + type: string + description: "Name of the ephemeral cluster" + - name: oidcHostname + type: string + description: "The hostname for the OIDC provider" + - name: oidc-issuer-url + type: string + description: "Trusted artifact signer issuer url" + - name: TAS_DEPLOY_NAMESPACE + type: string + default: "trusted-artifact-signer" + description: "Namespace where TAS is deployed" + workspaces: + - name: source-code + description: "Workspace containing operator and sigstore-e2e code" + results: + - name: TEST_OUTPUT + description: "Full JSON summary of test results" + volumes: + - name: credentials + emptyDir: {} + steps: + - name: get-kubeconfig + ref: + resolver: git + params: + - name: url + value: https://github.com/konflux-ci/build-definitions.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml + params: + - name: eaasSpaceSecretRef + value: $(params.eaasSpaceSecretRef) + - name: clusterName + value: "$(params.clusterName)" + - name: credentials + value: credentials + + - name: install-tas + ref: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/integration-test/install-tas.yaml + params: + - name: credentials + value: credentials + - name: KUBECONFIG + value: "$(steps.get-kubeconfig.results.kubeconfig)" + - name: workdir + value: $(workspaces.source-code.path)/operator + - name: tas-namespace + value: "$(params.TAS_DEPLOY_NAMESPACE)" + - name: OIDC_ISSUER_URL + value: "$(params.oidc-issuer-url)" + - name: push-test-image + image: 
quay.io/konflux-ci/buildah-task:latest@sha256:5c5eb4117983b324f932f144aa2c2df7ed508174928a423d8551c4e11f30fbd9 + results: + - name: image + securityContext: + capabilities: + add: ["SETFCAP"] + script: | + #!/bin/sh + IMAGE=ttl.sh/test-$(date +%Y%m%d%H%M%S%N):latest + printf "%s" "$IMAGE" > "$(step.results.image.path)" + buildah pull alpine:latest + buildah tag alpine:latest $IMAGE + buildah push $IMAGE + - name: prepare-tas-e2e + image: registry.redhat.io/openshift4/ose-cli + volumeMounts: + - name: credentials + mountPath: /credentials + env: + - name: KUBECONFIG + value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)" + - name: TASNAMESPACE + value: "$(params.TAS_DEPLOY_NAMESPACE)" + - name: OIDC_ISSUER_URL + value: "$(params.oidc-issuer-url)" + workingDir: $(workspaces.source-code.path)/sigstore-e2e + script: | + oc project $TASNAMESPACE + ./tas-env-variables.sh > .env + - name: execute-tas-e2e + image: registry.redhat.io/ubi9/go-toolset:1.24@sha256:84286c7555df503df0bd3acb86fe2ad50af82a07f35707918bb0fad312fdc193 + volumeMounts: + - name: credentials + mountPath: /credentials + onError: continue + env: + - name: OIDC_HOST + value: "$(params.oidcHostname)" + - name: KUBECONFIG + value: "/credentials/$(steps.get-kubeconfig.results.kubeconfig)" + - name: CLI_STRATEGY + value: "openshift" + - name: TARGET_IMAGE_NAME + value: "$(steps.push-test-image.results.image)" + - name: MANUAL_IMAGE_SETUP + value: "true" + workingDir: $(workspaces.source-code.path)/sigstore-e2e + script: | + #!/bin/bash + set -x + echo "Add certificate to ca-bundle.crt" + openssl s_client -connect "$OIDC_HOST:443" -showcerts /tmp/ssl.cert + sed -ni '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' /tmp/ssl.cert + cat /tmp/ssl.cert >> /etc/pki/tls/certs/ca-bundle.crt + + echo "Run tests" + mkdir -p $(workspaces.source-code.path)/dump/sigstore-e2e + set -o allexport && source ./.env && set +o allexport + go mod vendor + # exclude UI and benchmark tests + go test -v $(go list 
./test/... | grep -v rekorsearchui | grep -v benchmark) --ginkgo.v -json \ + > $(workspaces.source-code.path)/dump/sigstore-e2e/test-result.json + securityContext: + runAsUser: 0 + - name: process-test-results + ref: + resolver: git + params: + - name: url + value: https://github.com/securesign/pipelines.git + - name: revision + value: main + - name: pathInRepo + value: stepactions/integration-test/process-go-test-results.yaml + params: + - name: test_output_file + value: $(workspaces.source-code.path)/dump/sigstore-e2e/test-result.json
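Review bot: In `sigstore-e2e.yaml` the `prepare-tas-e2e` step uses `image: registry.redhat.io/openshift4/ose-cli` with neither tag nor digest, although it mounts `/credentials` and runs with the cluster kubeconfig. `push-test-image` and `execute-tas-e2e` in the same task are digest-pinned, so pin this one the same way: `image: registry.redhat.io/openshift4/ose-cli:<TAG>@sha256:<DIGEST>`. The same step's script has no shebang or `set -e`, so a failed `oc project $TASNAMESPACE` still lets `./tas-env-variables.sh > .env` run against whatever project is current. Starting it with `#!/bin/bash` and `set -euo pipefail` would stop the step at the failure.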